Slashdot Mirror


Paul Graham: Filters that Fight Back

Mortimer.CA writes "Paul Graham is back with another article about combating spam. It's entitled Filters that Fight Back: 'One intriguing idea is to literally fight back: to make filters disable spammers' servers by automatically following all the links in each incoming email. We may be driven to this in order to achieve accurate filtering anyway. Why wait?' One danger is someone doing a DDoS by sending fake spam."

328 comments

  1. And now by CptChipJew · · Score: 2, Funny

    And now thanks to links posted to Slashdot, Paul Graham is being DDoS'd =)

    --
    Vonal Declosion
    1. Re:And now by Adam9 · · Score: 2, Insightful

      I don't think Yahoo will mind too much.

      traceroute to paulgraham.com (216.136.224.156), 30 hops max, 40 byte packets ...
      14 vl48.bas2-m.sc5.yahoo.com (66.163.160.214) 99.528 ms 98.349 ms 99.528 ms
      15 alteon4.128.sc5.yahoo.com (216.136.128.6) 98.575 ms 98.687 ms 98.377 ms

    2. Re:And now by Zeinfeld · · Score: 4, Insightful
      And now thanks to links posted to Slashdot, Paul Graham is being DDoS'd =)

      Which illustrates the problems that you get when people who have little or no security experience try to do security.

      The problem with hackback schemes of all types is that they always end up having unexpected effects. The basic problem is that when people design a hackback scheme they never consider what happens when someone sets out to abuse it. They assume that the only change to the environment is their hackback scheme.

      A few months ago Paul thought Bayesian filtering was the one true solution. The only problem was that people who have spent years working on the techniques he described never achieved results anywhere close to the ones he claims.

      Paul Graham's scheme is not as damaging as some others because the amplifier effect is limited. The message sender only gets five or ten messages created for each spam sent. But even that could make a profitable scheme for someone trying to get their site promoted in a 'most visited list'. If they have pay per view adverts they can rake in quite a few bucks - as much as a cent for every spam sent. Far from discouraging spam this scheme would create a new incentive.

      BTW the guy who said 'there is no fake spam' is right depending on the definition you use. If you use the definition 'unwanted email sent indiscriminately' then he is pretty much right. If on the other hand you define spam as 'that which our filters decide is spam'... (I kid you not, folk do try to get that type of definition accepted). The exception would be satires like 'make penis fast'.

      There are similar problems with the folks running blacklists, they think that they understand everything there is about spam but don't realize that the systems they set up can be and will be gamed. Every partisan political mailing list of every stripe that has a significant number of readers gets blacklisted from time to time as people sign up for the list in order to be able to report it as spamming.

      Try to explain to either group that there is a problem and they get majorly defensive. You get accused of wanting to help the spammers, etc. etc. When people start getting defensive like that in response to fair questions you are in big trouble.

      The way to deal with spam is to treat it as a security problem. We deal with security problems using access control - authentication and authorization. We need to start with robust authentication mechanisms that hold ISPs responsible for the messages sent from their domain. These need to be accompanied by robust authorization mechanisms that allow recipients to judge whether the sender is honest.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    3. Re:And now by Gruturo · · Score: 2, Insightful

      A few months ago Paul thought Bayesian filtering was the one true solution. The only problem was that people who have spent years working on the techniques he described never achieved results anywhere close to the ones he claims.

      Your mileage may vary. Mine is excellent, for example. I've been using a Naive Bayesian filter, POPFile, for a while now, and I'm at 99.74 accuracy with 11564 classified messages and 29 errors. (For the record, 15 spams filtered thru and a few friends' jokes, honestly looking a bit like spam, got filtered out. Not a single work mail got lost).

      While I might agree that auto-reacting DDOS filters could turn into a pretty ugly beast when someone really clever finds a way to abuse them, I wouldn't be that critical of Paul Graham's work. He came out with a hell of an idea a few months ago, and this one could be even better with a few safeguards and adjustments in place. I suggest he has a word with BitTorrent's Bram Cohen, who might know a thing or two about distributed computing, coordinated network efforts and protocol resistance to tampering and abuse.

      I fully agree about the failure of many antispam efforts: For one, realtime blacklists have been outsmarted and bent against their purpose by brighter spammers with an evil sense of irony, but some techniques do work, and given his track record I'd be inclined to give this guy a chance to show what he's up to.

      And, though I agree that a real, final solution to the problem might involve adoption of a new mail transfer protocol to supplant SMTP, which makes too many assumptions of goodwill, I don't see that coming anytime soon, so we'd better have a look around and see what can be done to improve the current situation.

      --

      Vacuum cleaners suck. Kings rule.
    4. Re:And now by KevMar · · Score: 3, Insightful

      If the spam site gets paid on views, the advertisers are expecting a percentage to click on ads. If every site is visited, but the links on the site are not clicked (or links that do not leave the domain) the click percentage will go down and advertisers will pay the sites even less. Also, the increased bandwidth bill will add cost.

      We would have to strip out any identifying code in the urls to prevent added spam from email validation.

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    5. Re:And now by Anonymous Coward · · Score: 1, Interesting

      A few months ago Paul thought Bayesian filtering was the one true solution. The only problem was that people who have spent years working on the techniques he described never achieved results anywhere close to the ones he claims.

      I don't know where you get this idea. I know plenty of filter hackers who get results so much better than me that I'm kind of embarrassed.

      I still think Bayesian filtering works. (My current filtering rate is around 99.8%.) But that only stops me from seeing the spams. This is something to attach to it, to cause the spams to stop being sent. But the brain of the whole system is still a Bayesian filter.

      The message sender only gets five or ten messages created for each spam sent.

      Go back and read the article. It's about http requests, not sending mail.

    6. Re:And now by Zeinfeld · · Score: 4, Insightful
      >>The message sender only gets five or ten messages created for each spam sent.
      Go back and read the article. It's about http requests, not sending mail.

      Oh, I totally get the fact you are sending out http requests. The fact the message is HTTP rather than SMTP is not relevant as far as I am concerned. The original HTTP spec used the term messages for requests and responses. I really can't remember what we did in the RFC.

      The amplifier effect is just the same, for each message in there could be five messages out. The main advantage to the spammer though is laundering the IP address so that their web site hits appear to come from 10,000 distinct views rather than the same view.

      I don't know where you get this idea. I know plenty of filter hackers who get results so much better than me that I'm kind of embarrassed.

      Getting that sort of result on their own mail is one thing, getting that result on a representative corpus of user emails is a very different matter.

      Geek mail is much easier to spam filter than naive user's mail. They tend to be far more aggressive in the features they use. They are also the targets of the spammers, geeks being a minority. So the vocabulary chosen by spammers tends to be much closer.

      My real concern is not whether a filter is 99.8 or 95% efficient at detecting spam, it's the false positive rate that is the problem. 1% false positives is a big problem, even 0.5% is a serious problem. The other big problem is the sheer cost of CPU cycles. Imagine a room the size of a football field filled with 100 equipment racks. Processing the legitimate mail only requires one of those racks, the rest are for dealing with spam. Each processing step adds cost. Bayesian filtering is only one part of the solution.

      I agree about going after the spammers, but litigation and law enforcement are far more likely to be effective than hackback.

      What we need to do in addition is to change the mail protocols so that we can know that a message that purports to come from a particular source is authentic. At least 50% of the spam sent claims a false sender address. The tricks that spam senders use to hide from litigation are a very robust spamdicator that almost never gives a false positive.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    7. Re:And now by Zeinfeld · · Score: 1
      For one, realtime blacklists have been outsmarted and bent against their purpose by brighter spammers with an evil sense of irony, but some techniques do work, and given his track record I'd be inclined to give this guy a chance to show what he's up to.

      I am fairly sure that at least one of the blacklists will turn out to be run by a spammer.

      The spammer could turn off listings for his own spam sources when it suited him. He could also blacklist his competitor's machines.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    8. Re:And now by mdinowitz · · Score: 2, Interesting

      There's an additional issue here. What of mailing lists which go out to huge amounts of people and include such things as unsubscribe urls in the header or footer? My server is already overloaded with the lists I run as is. Having even 1% of those who get mail from it pinging it for content can run into tens of thousands of extra hits a day for no constructive reason.
      In addition, if the advertising view scheme you mention goes into effect, it will drive advertising off the web even further than it is now.
      The article is interesting, but....

      --
      Michael Dinowitz House of Fusion http://www.houseoffusion.com
    9. Re:And now by mdinowitz · · Score: 2, Interesting

      And here's the evil that can come from this. A spam message with a link that says "by pressing this link, you signify that you wish to opt into our mailings". The spam filter automatically visits the link and boom, you've opted into God knows what.
      I can think of a TON of things that would be good for. Or bad for, as the case may be.

      --
      Michael Dinowitz House of Fusion http://www.houseoffusion.com
    10. Re:And now by Metrol · · Score: 1

      If on the other hand you define spam as 'that which our filters decide is spam'... (I kid you not, folk do try to get that type of definition accepted). The exception would be satires like 'make penis fast'.

      Here's a pretty good example of why you don't let automated filtering run the whole show. Too much of the ham gets caught as spam.

      We need to start with robust authentication mechanisms that hold ISPs responsible for the messages sent from their domain.

      The real problem here is how do you hold servers running in Taiwan or Singapore to account for mail flooding into the US or European markets? Shut out entire nations?

      --
      The line must be drawn here. This far. No further.
    11. Re:And now by BrokenHalo · · Score: 1
      I don't know what credentials this Paul Graham has, but I believe common sense might not be one of them.

      Given that a lot of the URLs in spam mail are tokens to inform the spammer's server that your email address is a valid hit, it seems to me that the only result of following all the URLS would be more spam.

      Also, he forgets that many people do not have permanent broadband connections, and may take hours or days to fire up their email client. Any "pounding" of the spammer's server is going to be puny indeed.

  2. noooooooo by Tirel · · Score: 1

    this idea is just as bad as "email tax". remember: WHEN YOU GAZE INTO THE ABYSS, THE ABYSS ALSO GAZES INTO YOU? I prefer SPEWS even if they get occasional bad press.

    1. Re:noooooooo by anthonyrcalgary · · Score: 1

      My objection is that it would tell the spammer that your e-mail address is live, and it would screw up stuff like mailing lists that have URLs to click to confirm you want to be on the list.

      I have no problem with loading the page in and of itself. They've sent you the URL, they're soliciting a visit.

      --
      When someone might yell at me, it has to be OpenBSD.
    2. Re:noooooooo by mikiN · · Score: 2, Interesting
      ... it would screw up stuff like mailing lists that have URLs to click to confirm you want to be on the list.

      Simple problem, simple solution: mailing lists should use something like

      Please <a href="mailto:listowner@some.domain?subject=confirm -#confirmationkey">confirm</a> your subscription.

      Please don't let the 'clickability factor' of an http URL (1 click) versus a plain old mailto (2 or more clicks to send) get in the way of privacy protection. I suppose that when you have just subscribed to a mailing list you are interested in more than just the confirmation message, so you have some clicks to spare.

      -
      Never send a machine to do a human's job.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  3. response to the lister's comment by ih8apple · · Score: 4, Informative

    In response to the comment: "One danger is someone doing a DDoS by sending fake spam"

    From the article notes: "[5] The best way to protect against abuse might be to have the central authority whitelist every site by default, and then, by whatever protocol, take certain sites off. Because you can look at the sites before taking them off the whitelist, there is little danger of people abusing this system to attack an innocent site."

    1. Re:response to the lister's comment by Anonymous Coward · · Score: 0
      From the article notes: "[5] The best way to protect against abuse might be to have the central authority whitelist every site by default, and then, by whatever protocol, take certain sites off. Because you can look at the sites before taking them off the whitelist, there is little danger of people abusing this system to attack an innocent site."

      I have a problem with a "central authority" deciding what is and what is not a spam-related URL. Blacklisting mail servers has proven effective only to a degree, and is certainly not failsafe. Do we really want blacklisted URLs too?

      It's also interesting that someone, such as Paul Graham, interested in "solving" the spam problem via technology would suggest that this authority "look" at the site before taking it off the whitelist.

      I see this anti-spam tactic as rife with potential for abuse.

    2. Re:response to the lister's comment by Anonymous Coward · · Score: 1, Interesting

      Exactly. The beauty of this idea is that it's not really a coordinated attack. It's just a reasonable response to an e-mail. If they send the mail, you can certainly follow each link once. If you have a "central authority", then you have a conspiracy to attack these spammers. You're giving them someone to sue, or worse.

    3. Re:response to the lister's comment by anthony_dipierro · · Score: 1

      If they send the mail, you can certainly follow each link once.

      Umm, the problem is if someone else sent the mail.

    4. Re:response to the lister's comment by Anonymous Coward · · Score: 1, Interesting

      This idea of "attacking" spammers has always intrigued me, but I've run across many innocent people whose email address was in the "replyto" field of the spam getting hammered by bounced emails. This is commonly referred to as a "joe job".

      I'm only at liberty to say that a certain famous hacker is soon to release an awesome spammer tool that can certainly jam the spam back in the face of the spammer.

      It's common knowledge that the first "received" line in a message is the REAL IP address the mail traveled through before it hit your mailbox.

      In most cases, this is the SMTP server's IP address, so therefore it is possible to establish a connection to this server (using socket level connection protocol).

      Although I'm told this feature won't be in the release version, but pre-alpha testing has revealed some really cool things it's capable of.

      First, it tries to connect through port 25 (SMTP), and sends a pre-composed message to an assumed account of "postmaster", then "root", then "hostmaster", then "abuse". Each of these suspected users are then checked to see if mailboxes exist for them. If so, a pretty nasty "cease and desist" letter would be sent to this box.

      On some occasions, the spammer was actually stupid enough to reply to this message, and was rather freaked out we tracked them down. It gave me a wonderful opportunity to feed his stupid head with all sorts of bullshit about how we can track them down and to spread the word to all his other spammer friends about the existence of this tool (strike fear into the mind of these bozo spammers). This particular individual was just some bozo that responded to a spam about an amazing "work at home" offer, paid his $39 and got his spam kit.

      In about 10 - 15% of the cases, this is usually the spammer's spam proxy server. Most of which are in China or Brazil. They are easy to identify as most don't have a reverse DNS, or are determined to be bogus.

      Here is where it gets really interesting... This IP is then scanned for vulnerabilities, and in most cases, one is found. It then installs a nasty bit of code that halts the machine's ability to send spam. Of course this is highly illegal, but the way this program is written, anyone could write a simple script to do this.

      Other interesting things I've seen it do, is to issue a "honeypot" address. With a little bit of "sendmail" scripting, it's possible to allow a user like "fred@mydomain.com" issue an email address like "fred8765@mydomain.com", which would strip off the numbers.

      In earlier experiments, we started to opt out of every spam we got. Not caring if our Email address might wind up in every "tom dick and harry" spammer's mailing list. First we would opt out using our normal address, then opt out again using the honeypot address.

      The results were amazing.... In just 9 hours, we started getting spam into our honeypot addresses. A simple database lookup revealed that when we opted out of the "mortgage" spam, instead of opting us out, it just added us to their mailing list. BUSTED!

      And amazingly enough, they had the audacity to include a "privacy policy" that promised they wouldn't sell or release our Email address..... LIARS!!!

      Legal action is pending, and with "deposition before subpoena" we are able to get the ISPs to release all their logs, and we nailed them.

      As soon as this amazing tool is released, spamming, the way we know it today, is going to cost the spammers a huge amount of money.

      In just 2 weeks of use of this program, an amazing reduction of spam was realized, and in fact it even made a dent in the whole internet as a whole. Imagine if everyone could use this tool. Hopefully that day will soon arrive. Because of its detailed reporting ability, it is very selective in how it arranges reports, and ISP's are very pleased to be getting such detailed reports, and are much more likely to act on them because they are so rich in useful infor

    5. Re:response to the lister's comment by swillden · · Score: 1

      The best way to protect against abuse might be to have the central authority whitelist every site by default, and then, by whatever protocol, take certain sites off. Because you can look at the sites before taking them off the whitelist, there is little danger of people abusing this system to attack an innocent site.

      Eh? This sounds like nothing more than the most inefficient way possible to represent a blacklist. What's the difference between a whitelist that includes everything except a few blacklisted sites and a blacklist?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Following links validates your address by PeekabooCaribou · · Score: 5, Interesting

    If I load an image or a link from spam, it's possible that a spammer could be validating my e-mail address for future sale, or perhaps increased spamming since he knows someone is actually reading the message. For example, http://server.foo/image.gif?id=ab0a98df12j3 could be unique to the spam that was sent to me. If any user-agent accesses that URL, the spammer knows that my e-mail is active and I'm reading his junk. I don't know if they actually do this in practice, but I'm wont to load HTML messages because of it.

    --
    "I'll say it again for the logic-impaired." -- Larry Wall.
    1. Re:Following links validates your address by hankaholic · · Score: 5, Interesting

      I've been thinking for a while about maybe having a Slashbox that displays images included in spam in a 1x1 pixel box.

      Every load of Slashdot would hit spammers' servers.

      --
      Somebody get that guy an ambulance!
    2. Re:Following links validates your address by koehn · · Score: 4, Interesting

      Actually, the opposite would happen: since all links in all spams get hit, this technique would make putting UIDs into URLs worthless for the purpose of authenticating users.

      Spammers would need another mechanism to attempt to authenticate who reads their messages. I like it.

      What do you think about downloading IMG tags? It would hurt the server's bandwidth, but it would hurt my mail server's bandwidth, too. Maybe use one of the many open proxies out there instead, kill their bandwidth, maybe close the open proxy... ooh, that's evil! I really like it!

      If there were a sig here, would you read it?

    3. Re:Following links validates your address by Paradise+Pete · · Score: 2, Insightful
      I'm wont to load HTML messages because of it.

      Wont means you're disposed, or likely, to do something. If I read your (insightful) post correctly, I take it you're hesitant to do so.

    4. Re:Following links validates your address by stevens · · Score: 2, Insightful
      Actually, the opposite would happen: since all links in all spams get hit, this technique would make putting UIDs into URLs worthless for the purpose of authenticating users.

      I don't think so. All links in all spams wouldn't get hit.

      • Mail that got swallowed or bounced undeliverable wouldn't follow the links.
      • Mail that went to non-punishing email clients (like companies who are afraid of liability when DDOSing sites) wouldn't hit the URL.

      And there are many reasons not to punish. I would, but I've got fast ADSL and lots of bits per month to spend. But if I were on metered dialup in the UK where I get charged every second I'm on the line, I wouldn't want my spamfilter to take six minutes downloading mail because it's punishing spammers.

      Here's an idea: Can't the filter strip the path-part of the URL and just hit the root URL on the server? It punishes the same machine (unless it's a complex reverse-proxy setup, where it only punishes the proxy, but that's probably good enough).

      E.g., if the URL is http://spammer.com/offer_5/unique_id_123123i765, then we just hit http://spammer.com/.

    5. Re:Following links validates your address by rgmoore · · Score: 2, Insightful
      Actually, the opposite would happen: since all links in all spams get hit, this technique would make putting UIDs into URLs worthless for the purpose of authenticating users.

      But it's not there to authenticate a user; it's just there to authenticate that the email address is actually live rather than a bogus one like nobody@example.invalid. Spammers already use this trick, including uniquely coded urls into each email to track which users actually open the mail, and autoresponding is a possible problem.

      Mr. Graham actually suggests that auto-following could be beneficial to everyone. He argues that spammers would start putting working unsubscribe links in their spam as a way of filtering out spam filters with the autorespond feature and cutting their bandwidth bills. I'm not so sure that this would really work. For one thing, the fact that many spammers already encourage people to download a link in the form of an invisible gif to track live email addresses suggests that the bandwidth problem might be less of an issue than he thinks. Equally important, a lot of spamming is done by contract spammers, not directly by the people being advertized, and I'm not convinced that the contract spammers would really care that much about their clients' web-sites being hammered.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    6. Re:Following links validates your address by onallama · · Score: 1
      For example, http://server.foo/image.gif?id=ab0a98df12j3 could be unique to the spam that was sent to me. If any user-agent accesses that URL, the spammer knows that my e-mail is active and I'm reading his junk. I don't know if they actually do this in practice, but I'm wont to load HTML messages because of it.

      Huh? You're inclined to load HTML messages to verify your address for spammers?

    7. Re:Following links validates your address by imsabbel · · Score: 1

      Even worse, let's imagine the program isn't perfect and someone finds an exploit.
      Wanna install backdoor?
      Just mass email spam with a link to an infected site....

      --
      HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
    8. Re:Following links validates your address by Anonymous Coward · · Score: 0

      I think you're missing the point. Anything that reaches your mail server is treated the same - it wouldn't be done by mail readers. And I don't think there's a DDOS issue - you read a line a few times for each mail they sent.

    9. Re:Following links validates your address by Anonymous Coward · · Score: 0

      I can definitely PROVE this is so. But we can use this to our advantage. FIRST, make a "cookies" in your browser and fill it with your honeypot addresses, and name the cookies "email", "email1", "email2", etc.

      Spammers web sites look for a cookies called "email", so give them your favorite honeypot address or some throwaway "hotmail" address.

      Then, start replying like crazy to opt out addresses, and fill the spammer's mailing list with thousands of these bogus addresses.

    10. Re:Following links validates your address by LordKronos · · Score: 4, Insightful

      That's not going to work. All you are going to do would be to needlessly DOS www.geocities.com without any particular spammer's site being identified. Geocities would have no way to identify which site is the spammer's, and their hourly bandwidth would never get used up, and thus would still be available for those who click on the links.

      Also, consider that spammers could move the identifier to the other end of the url. Just have *.spammer.com or www.*.spammer.com resolve to the same site, and start putting the identifiers in the domain. They could even use random dictionary words as the identifiers to make it more difficult to pick out. The only way to combat that would be to have a system that compares the URLs from several spams and figures out which parts of the URLs changed per user.
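
Added example, not part of any comment in this thread: a Python sketch of the comparison suggested in the comment above, taking copies of URLs received by several recipients and flagging the positions (subdomain label, path segment or query value) whose value is never shared between two recipients. The recipients, hosts and the "last two labels are the registrable domain" rule are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


def tokenize(url):
    """Break a URL into named positions whose values can be compared across copies."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    # Assumption: the last two labels are the registrable domain. A production
    # filter would consult the Public Suffix List instead.
    base = ".".join(labels[-2:])
    tokens = {}
    for i, label in enumerate(reversed(labels[:-2])):
        tokens[("host", i)] = label  # subdomain labels, counted right to left
    for i, seg in enumerate(s for s in parts.path.split("/") if s):
        tokens[("path", i)] = seg
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        tokens[("query", key)] = value
    return base, tokens


def find_recipient_tokens(sightings, min_recipients=3):
    """Return {url_shape: [positions]} for positions that vary per recipient.

    sightings is an iterable of (recipient, url). URLs are grouped by shape
    (registrable domain plus the set of positions present). A position is
    flagged only when no value at that position was seen by two different
    recipients, and at least min_recipients recipients saw that shape.
    """
    groups = defaultdict(list)
    for recipient, url in sightings:
        base, tokens = tokenize(url)
        groups[(base, frozenset(tokens))].append((recipient, tokens))

    findings = {}
    for shape, rows in groups.items():
        recipients = {recipient for recipient, _ in rows}
        if len(recipients) < min_recipients:
            continue  # too few copies to tell a token from coincidence
        flagged = []
        for pos in sorted(shape[1]):
            seen_by = defaultdict(set)  # value -> recipients who received it
            for recipient, tokens in rows:
                seen_by[tokens[pos]].add(recipient)
            if all(len(who) == 1 for who in seen_by.values()):
                flagged.append(pos)
        if flagged:
            findings[shape] = flagged
    return findings


def tokens_in(url, findings):
    """Return {position: value} for the per-recipient tokens a new URL carries."""
    base, tokens = tokenize(url)
    flagged = findings.get((base, frozenset(tokens)), [])
    return {pos: tokens[pos] for pos in flagged}


# Constructed sample data: three recipients, three campaigns.
SIGHTINGS = [
    ("alice@corp.example", "http://walrus.promo.example/offer_5/index.html"),
    ("bob@corp.example", "http://teapot.promo.example/offer_5/index.html"),
    ("carol@corp.example", "http://lantern.promo.example/offer_5/index.html"),
    ("alice@corp.example", "http://cdn.pics.example/image.gif?id=ab0a98&c=7"),
    ("bob@corp.example", "http://cdn.pics.example/image.gif?id=77f1c2&c=7"),
    ("carol@corp.example", "http://cdn.pics.example/image.gif?id=d41e09&c=7"),
    ("alice@corp.example", "http://news.list.example/archive/2003/"),
    ("bob@corp.example", "http://news.list.example/archive/2003/"),
    ("carol@corp.example", "http://news.list.example/archive/2003/"),
]

if __name__ == "__main__":
    found = find_recipient_tokens(SIGHTINGS)
    for url in ("http://gazebo.promo.example/offer_5/index.html",
                "http://cdn.pics.example/image.gif?id=zz91&c=7",
                "http://news.list.example/archive/2003/"):
        print(url, "->", tokens_in(url, found))
```

A filter can use the result to refuse automatic retrieval of any URL that carries a flagged position, whichever end of the URL the identifier sits in.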

    11. Re:Following links validates your address by darkov · · Score: 1

      But it's not there to authenticate a user; it's just there to authenticate that the email address is actually live rather than a bogus one like nobody@example.invalid

      I think an email address or user is the same thing. And it would have the same effect, since all emails would be responded to regardless of if they hit a valid email address or not. The spammer would get results saying everyone they sent a mail to read their mail.

      autoresponding is a possible problem.

      That would just be more of the same, treated the same way as the original mail, making the spammer's problem worse.

      I'm not so sure that this would really work. For one thing, the fact that many spammers already encourage people to download a link in the form of an invisible gif to track live email addresses suggests that the bandwidth problem might be less of an issue than he thinks.

      Not so, very few people respond (a small fraction of a percent), so their bandwidth is low.

      Equally important, a lot of spamming is done by contract spammers, not directly by the people being advertized, and I'm not convinced that the contract spammers would really care that much about their clients' web-sites being hammered.

      And how long do you think that contract spammer would stay in work if their clients' servers get hammered? You kill their source of income you kill the spammer.

    12. Re:Following links validates your address by Tokerat · · Score: 1

      I dunno if it was beer or being from an Engrish speaking origin, but I believe he meant (emphasis mine):
      I won't load HTML messages because of it.
      --
      CAn'T CompreHend SARcaSm?
    13. Re:Following links validates your address by sketerpot · · Score: 1

      Just mentally replace "wont" with "loath", and you'll have something stylistically identical that makes sense. Cheers.

    14. Re:Following links validates your address by big-magic · · Score: 1

      I believe the next version of Mozilla mail client (actually Mozilla Thunderbird) will sanitize the html of messages that are classified as junk. That will prevent such address verification schemes from working. If you remove the junk classification from a message, the html will start working again.

      Over time, hopefully this will reduce the number of spam messages you get, since the spammers will have no verification that it was a real email address.
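
Added example, not part of any comment in this thread and not Mozilla's implementation: one way a mail client could sanitize the HTML of a message classified as junk so that rendering it triggers no request to the sender's server. The attribute and tag lists and the sample message are assumptions chosen for illustration; only content embedded in the message itself (cid: and data: references) is allowed to load.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

FETCHING_ATTRS = {"src", "srcset", "background", "poster"}    # loaded on render
DROPPED_CONTAINERS = {"script", "style", "iframe", "object"}  # removed with content
DROPPED_VOID = {"link", "embed", "base", "meta"}              # removed, no end tag


class JunkSanitizer(HTMLParser):
    """Re-emit HTML with everything that would auto-load from the network removed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # pieces of the sanitized document
        self.blocked = []      # references that were stripped
        self._skipping = None  # name of the dropped container we are inside

    @staticmethod
    def _embedded(value):
        # cid: and data: references live inside the message, so no request leaves.
        return urlsplit(value.strip()).scheme.lower() in ("cid", "data")

    def handle_starttag(self, tag, attrs):
        if self._skipping:
            return
        if tag in DROPPED_CONTAINERS or tag in DROPPED_VOID:
            self.blocked += [v for n, v in attrs if n in ("src", "href", "data") and v]
            if tag in DROPPED_CONTAINERS:
                self._skipping = tag
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in FETCHING_ATTRS and not self._embedded(value):
                self.blocked.append(value)   # e.g. the 1x1 tracking image
                continue
            if name == "style" and "url(" in value.lower():
                self.blocked.append(value)   # CSS can fetch images too
                continue
            if name.startswith("on"):
                continue                     # inline script handlers
            kept.append(f' {name}="{escape(value, quote=True)}"')
        # Ordinary <a href> links are kept: they are only fetched on a click.
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <img ... />: emit once, never leave a skip open.
        self.handle_starttag(tag, attrs)
        if self._skipping == tag:
            self._skipping = None

    def handle_endtag(self, tag):
        if self._skipping:
            if tag == self._skipping:
                self._skipping = None
            return
        if tag not in DROPPED_VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        if not self._skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skipping:
            self.out.append(f"&#{name};")


def sanitize_junk_html(html_body):
    """Return (sanitized_html, blocked_references) for a junk message body."""
    parser = JunkSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample message body.
SAMPLE = (
    '<html><body><p>Great offer &amp; more</p>'
    '<img src="http://pics.example/image.gif?id=ab0a98df12j3" width="1" height="1">'
    '<img src="cid:logo@msg" alt="logo">'
    '<a href="http://promo.example/offer_5/">visit</a>'
    '<script src="http://pics.example/t.js"></script>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, blocked = sanitize_junk_html(SAMPLE)
    print(clean)
    print(blocked)
```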

    15. Re:Following links validates your address by splattertrousers · · Score: 1
      E.g., if the URL is http://spammer.com/offer_5/unique_id_123123i765, then we just hit http://spammer.com/

      What if it's http://unique_id_123123i765.spammer.com/?

    16. Re:Following links validates your address by stevens · · Score: 1
      I think you're missing the point. Anything that reaches your mail server is treated the same - it wouldn't be done by mail readers.

      But that's not the way we run Bayesian filtering. It's done by the client, for his own mail, not at the server. Bayesian filtering relies on feedback from a user.

    17. Re:Following links validates your address by stevens · · Score: 1
      E.g., if the URL is http://spammer.com/offer_5/unique_id_123123i765, then we just hit http://spammer.com/
      What if it's http://unique_id_123123i765.spammer.com/?

      Well, you've got me there. I don't have a solution to the problem of verifying your email address.

      I also don't know how to prevent spammers from making a DOS on any box they like by sending out 1 million spams with an innocent URL.

      And setting up a centrally-kept whitelist will have any of the problems associated with centrally kept lists like ORBS and RBL. What gets on the list? What comes off? Who checks?

      It seems to me this idea will not fly.

    18. Re:Following links validates your address by Pharmboy · · Score: 1

      they DO do this, very easily. i have checked links and found my own email address, exactly as you state, which is easy to parse from logs as verified addresses. this is why i set squirrelmail for text only (the default) and changed my Yahoo email account to not show images or html.

      --
      Tequila: It's not just for breakfast anymore!
    19. Re:Following links validates your address by Jeremi · · Score: 1
      If I load an image or a link from spam, it's possible that a spammer could be validating my e-mail address for future sale, or perhaps increased spamming since he knows someone is actually reading the message


      Except that once many people have the auto-URL'ing filters, this would no longer be true. The spammer wouldn't be able to tell if you were responding to his email or if it was just your filter checking for spamminess and automatically throwing the email away afterwards. (Presumably 99.9% the hits he got would be the latter)

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    20. Re:Following links validates your address by rgmoore · · Score: 2, Insightful
      I think an email address or user is the same thing.

      But they're not the same. There are zillions of possible valid email addresses out there, but not every one has an actual recipient available to read the messages. For instance, there are about 200 billion possible usernames that contain exactly 8 letters. If you send messages to every username from aaaaaaaa@aol.com to zzzzzzzz@aol.com, most of them will be bounced or dropped harmlessly because there's no mailbox corresponding to that name. Some of them, though, will be valid usernames and will be sent to the appropriate user (assuming, of course, that AOL doesn't filter them as spam).

      For a spammer, knowing which of those addresses reach a real recipient and which ones get dropped is valuable information. There are some spammers who try variants of this approach, sending meaningless spams to huge numbers of guessed addresses and hoping to find out which ones are live by waiting for the mail agent to pick up their coded 1x1 gif and show that the recipient exists. If you give each real user a program that autofetches all of the urls in each spam, this will effectively notify the spammer that the address actually has a mailbox attached and somebody is receiving the mail. Far from the effect that Mr. Graham suggests, that spammers would stop sending to those addresses, it would actually alert spammers that the address is real, when silently deleting the message would leave them thinking that it wasn't real.

      Of course a really clever spammer would include two links, one that would normally be fetched automatically (like an image) and one that would only be fetched by a program that mindlessly followed each possible link in the message (like a link with no clickable area). Messages that retrieved the image but not the hidden link would be classified as live, while those that retrieved both would be viewed as automated responses and uninteresting. The problem is that the address harvesters probably don't care. They're harvesting addresses to sell them to somebody else, so they just want the largest possible list of verified email addresses, and don't particularly care whether they're likely to respond.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.
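Added example (not part of any comment in this thread): a Python check that a mail client or filter could run over an HTML body to see which URLs would be fetched by merely rendering the message versus by a filter that follows every link, the difference rgmoore describes above. The sample message, the `spam.example` host and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def is_remote(url):
    """True for http(s) and protocol-relative URLs; cid:, data:, mailto: are local."""
    parts = urlsplit(url or "")
    return parts.scheme.lower() in ("http", "https") or (not parts.scheme and bool(parts.netloc))


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unusable."""
    try:
        return int((value or "").lower().replace("px", "").strip())
    except ValueError:
        return None


class BeaconScanner(HTMLParser):
    """Collects (kind, url) pairs for every remote reference in an HTML mail body.

    Kinds: 'web-bug' (remote image at most 1x1), 'remote-image',
    'visible-link', 'hidden-link' (anchor with nothing to click on).
    Limitation: links hidden only through CSS are reported as visible.
    """

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open_link = None  # [href, has_visible_content] while inside <a>

    def _close_link(self):
        if self._open_link is not None:
            href, visible = self._open_link
            self.findings.append(("visible-link" if visible else "hidden-link", href))
            self._open_link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            w, h = _dim(a.get("width")), _dim(a.get("height"))
            tiny = w is not None and h is not None and w <= 1 and h <= 1
            if self._open_link is not None and not tiny:
                self._open_link[1] = True  # a real image gives the link a clickable area
            if is_remote(a.get("src")):
                self.findings.append(("web-bug" if tiny else "remote-image", a["src"]))
        elif tag == "a":
            self._close_link()  # tolerate unclosed anchors
            href = a.get("href")
            self._open_link = [href, False] if is_remote(href) else None

    def handle_data(self, data):
        if self._open_link is not None and data.strip():
            self._open_link[1] = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._close_link()

    def close(self):
        super().close()
        self._close_link()


def scan(html_body):
    scanner = BeaconScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings


def auto_fetch_sets(html_body):
    """Return (urls fetched by rendering, urls fetched by a follow-every-link filter)."""
    findings = scan(html_body)
    by_renderer = {url for kind, url in findings if kind in ("web-bug", "remote-image")}
    by_follower = {url for _, url in findings}
    return by_renderer, by_follower


# Constructed sample message body (not real spam).
SAMPLE = """<html><body>
<p>Limited offer! <a href="http://spam.example/offer?id=abc123">Click here</a></p>
<img src="http://spam.example/t.gif?u=abc123" width="1" height="1">
<a href="http://spam.example/bot-check/abc123"></a>
<img src="cid:logo@local" width="120" height="40">
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan(SAMPLE):
        print(f"{kind:13} {url}")
    rendered, followed = auto_fetch_sets(SAMPLE)
    print("only a link-following filter would fetch:", sorted(followed - rendered))
```

A client that refuses to render remote content when `by_renderer` is non-empty reveals nothing to the sender; a filter that fetches everything in `by_follower` reveals both that the mailbox exists and that a program, not a person, did the fetching.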

    21. Re:Following links validates your address by anthonyrcalgary · · Score: 1

      I had about a fivefold increase in spam once when I accidentally let an image load.

      --
      When someone might yell at me, it has to be OpenBSD.
    22. Re:Following links validates your address by Ioldanach · · Score: 1
      I don't think so. All links in all spams wouldn't get hit.
      * Mail that got swallowed or bounced undeliverable wouldn't follow the links.
      * Mail that went to non-punishing email clients (like companies who are afraid of liability when DDOSing sites) wouldn't hit the URL.

      I'm just brainstorming here, but what about an intelligent mailserver which loads to /dev/null all links in all e-mails that are to unrecognised users, and all links in e-mails that are to recognised users that agree to it in a TOS? If several large ISPs started doing this, then the bandwidth would get used up in no time as a spammer sends out a new bulk e-mail.

      I'd just love for spammers to find out every recipient at geocities and yahoo read their message mere seconds after it was sent.

    23. Re:Following links validates your address by TomDLux · · Score: 1

      Very true, but it's trivial to have your defense program trim down the URL.

      If the URL is http://www.f*%&-me.com/ident?id=Peekaboo, just visit the root. If that takes you to geocities.com, the account will be wiped out soon enough. Very soon, hosted web pages will include a clause making the users liable for bandwidth. It wouldn't take a host long to determine which page is responsible for the sudden 10000000% increase in traffic, and their legal budget will be bigger than that of most people they host.

  5. Some spammers would love this. by www.sorehands.com · · Score: 3, Insightful

    In the situation where the spammer gets paid by hit, the spammer would be rich overnight. But, then the customer might see something a little fishy, then start asking questions.

    1. Re:Some spammers would love this. by xyvimur · · Score: 2, Insightful

      And another super-smart spam sending mechanism will be developed to bypass defences. And another group of people will think up a perfect method to defend against it, and so on, and so on.

    2. Re:Some spammers would love this. by GiMP · · Score: 1

      Exactly. Someone mod the parent up :)

  6. Dangerous from a legal perspective by hardaker · · Score: 4, Insightful
    What about phrases like "by clicking on this link you agree to let us call your house" kind of things (where the link contains a token for identification purposes). Having a filter auto-follow links could be really dangerous then.

    The interesting thing is how the courts would end up viewing auto-clicks vs manual clicks. I'd bet that if a user set up a filter then it would be effectively viewed as the user doing the clicking...

    --
    The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
    1. Re:Dangerous from a legal perspective by xyvimur · · Score: 3, Insightful

      ``"by clicking on this link you agree to let us call your house" kind of things (where the link contains a token for identification purposes). Having a filter auto-follow links could be really dangerous then''

      So it would be necessary to make changes in the law to forbid `auto-agreeing' techniques. And we will have one less problem.

    2. Re:Dangerous from a legal perspective by Anonymous Coward · · Score: 0
      What about phrases like "by clicking on this link you agree to let us call your house" kind of things (where the link contains a token for identification purposes). Having a filter auto-follow links could be really dangerous then.

      Many companies (eg, Google) will be in a lot of trouble if an automated web crawler can enter into binding agreements on their behalf.

    3. Re:Dangerous from a legal perspective by hardaker · · Score: 2, Interesting
      yeah, but it's how slow the law changes that should scare you.

      Plus you know the law would be written like "A computer user must manually actively activate a link for a legal binding to have an effect; All computers must enforce digital rights management"

      which not only allows for click-through-licensing but ties on a second hidden agenda (pick your topic). Everyone will think the first sentence would do what they wanted and not care about the rest. Hmm... sounds like I'm kind of bitter about the current state of the legal system.

      --
      The next site to slashdot will be ready soon, but subscribers can beat the rush and start slashdotting it early!
    4. Re:Dangerous from a legal perspective by Anonymous Coward · · Score: 0
      So it would be necessary to make changes in the law to forbid `auto-agreeing' techniques. And we will have one less problem.

      You can't legally be bound to a contract you didn't see or didn't even know existed. The law's not that stupid.

    5. Re:Dangerous from a legal perspective by AnotherBlackHat · · Score: 2, Insightful

      What about phrases like "by clicking on this link you agree to let us call your house" kind of things


      By reading this message you agree to give me $50.

    6. Re:Dangerous from a legal perspective by Zeinfeld · · Score: 2, Insightful
      ``"by clicking on this link you agree to let us call your house" kind of things (where the link contains a token for identification purposes). Having a filter auto-follow links could be really dangerous then''

      This was anticipated in the Web Specs which since 1992 have clearly said that clicking on a GET link creates no form of binding contract.

      In any case any contract formed in that manner would be a contract of adhesion and invalid.

      If it were otherwise Google would be entering into all sorts of contracts with its web crawler.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    7. Re:Dangerous from a legal perspective by AntiOrganic · · Score: 1

      I really need a program that just clicks "I Agree" to every EULA. Voila! No more contract!

    8. Re:Dangerous from a legal perspective by Jerf · · Score: 1

      What about phrases like "by clicking on this link you agree to let us call your house" kind of things (where the link contains a token for identification purposes). Having a filter auto-follow links could be really dangerous then.

      As eff'ed up as the legal system may be now, as wrong as many of the standard provisions of a EULA may be, contracts remain an agreement between two people and/or corporations; a computer's automated agreement can not be considered binding, or all hell breaks loose, legally speaking. Hacking other people's computers is already bad enough, the legal system will not stand for that also meaning that the hacker can impose binding contracts on you, without your knowledge, by making your "computer" agree to things.

      Before anybody posts any kind of cynical "Oh but those wacky politicians will stoop to anything..."... no, no they won't. This would hurt them every bit as much as us, probably more so because this kind of thing is damaging in proportion to the legal power you have, rather than the inversely proportional they prefer. "They" are not out to explicitly hurt "us" so much as they are out to help "them".

    9. Re:Dangerous from a legal perspective by NaDrew · · Score: 1
      By reading this message you agree to give me $50.
      Aw crap. Uh. Okay, where do I send the check?
      --
      Vista:XPSP2::ME:98SE
    10. Re:Dangerous from a legal perspective by gargleblast · · Score: 2, Funny

      Naturally it would be an honour to oblige. Please send your bank account details and I will arrange the financial transfer immediately. Sincerest regards, His Excellency The Very Reverend Hon. Chief Magistrate of Nigeria, Busta Dagin

    11. Re:Dangerous from a legal perspective by Snaller · · Score: 1

      This was anticipated in the Web Specs which since 1992 have clearly said that clicking on a GET link creates no form of binding contract.

      Ahh, but did all the companies click on the "Agree" button on that page?

      --
      If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
  7. We're going mobile! by Superfreaker · · Score: 4, Funny

    /.ing moves from the web, right into your own mailbox! All the fun of crushing someone else's website without all of the work of clicking those tiresome links.

    Note to self: Move web site off of modded GameBoy running apache.

  8. Stupidest idea ever by DemoLiter · · Score: 1, Insightful

    Which means:
    1. receiver of the spam will waste even more bandwidth
    2. spammer may verify accounts by posting links like http://bla.com/bla.php?stupid@email.com
    3. Already said: DDoS attacks initiated via spam

    1. Re:Stupidest idea ever by iamroot · · Score: 1

      1 is not really a problem unless you pay-per-gig. For me, it means a few megs of extra network usage per day, an additional 0.1% or so on average. For my ISP it means a worthwhile sacrifice to discourage the amount of spam coming through.

      2 isn't really a problem. It means that A) It's STILL going to be blocked, B) Goodie! More spammers my server can hammer away at, and C) I'm already on their list ANYWAY. It's about as likely to hit an honest "remove" link as a dishonest one. Plus, with enough people using this, verify links would be worthless.

      3 is the only real problem here. Granted, why would the script kiddies do this to DDoS for only a while when you can just 0wn(via autorooter) a few hundred boxen and do a real DDoS attack?

  9. horrid legal thought by BobTheLawyer · · Score: 4, Interesting

    a deliberate denial of service attack is illegal whether the victim is an innocent website or an evil spammer. There is no internet equivalent of lawful self defence.

    If a spammed website is brought down by a method such as this, it wouldn't altogether surprise me if they sued the maker of the software responsible. Matters would be complicated if, as they might, they deny responsibility for the original spam e-mail.

    (This is the case in the UK, I'd guess the position will be similar in the US but IANAAL (I Am Not An American Lawyer))

    On the other hand, the "scan the spamvertised website for its content" sounds a great technical approach.

    1. Re:horrid legal thought by Todd+Knarr · · Score: 4, Insightful

      Why would it be illegal? The spammer put the links in the e-mail, obviously intending people to follow them (especially if they make reference to something being available at the linked site in the rest of the text). If far too many people follow the links and the site is brought down, how is that any more unlawful than Slashdot linking to a site in a story and the sudden burst of traffic bringing that site down?

      I think the idea's dangerous for another reason, though. As noted, a spammer could easily include links to sites he doesn't like and let the traffic spike take them down.

    2. Re:horrid legal thought by Anonymous Coward · · Score: 0
      As noted, a spammer could easily include links to sites he doesn't like and let the traffic spike take them down.

      If the aim is to use up the spammer's bandwidth, the links should only be followed if the email has already been classified as spam. If the aim is to assist in the classification of border-line emails then the links should only be followed if the email has not been classified as ham with a probability over a certain preset threshold.

    3. Re:horrid legal thought by SeanTobin · · Score: 1
      a deliberate denial of service attack is illegal whether the victim is an innocent website or an evil spammer. There is no internet equivalent of lawful self defence.
      Just do what the /\w{2}AA/i does - change the semantics. We aren't ddosing them, we are locally caching the website for future viewing.... And possibly checking for updates every 2 seconds (heck, even internet explorer can do that!)
      --
      Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
    4. Re:horrid legal thought by Anonymous Coward · · Score: 0

      This is not a DOS attack. It's just one person following all the links in every email he gets. He's not hitting the link over and over again. If they didn't want him to access the server, they shouldn't send the link. There's no way anyone in the legal system would call this illegal or even wrong.

    5. Re:horrid legal thought by Anonymous Coward · · Score: 0

      " a deliberate denial of service attack is illegal "

      Show me this law in Mexico, because I would like to see it. Oh I forgot, you idiot Americans think your laws apply to the whole fucking world.

    6. Re:horrid legal thought by hankaholic · · Score: 1

      I see no problem here. This is similar to having a secretary presort my mail before presenting it to me.

      If somebody sends me a piece of mail, and my secretary sees something which may be of interest, she may call the sender to determine whether the piece of mail is truly of interest or not.

      Whether she determines that the mail is of interest to me or not, in sending the mail the advertiser invited me or an agent working on my behalf to investigate what they have to offer.

      If the secretary, assistant, or spam filter determines that the offer is not worth my time, then I probably don't want to spend my time with it. However, if an agent acting on my behalf decides that the product or service offered does not meet my interests or needs, then I owe the advertiser nothing -- they extended an offer and invited me to learn more.

      An automated agent working on my behalf in corner cases[1] where it cannot otherwise determine whether an item might be of interest is no more responsible for the advertisers' resources than the secretary who calls an 800 number to investigate a product offer.

      [1] As described in the article, I might add. The article suggests that parsing pages referred to in the email may lead to a more accurate rating.

      --
      Somebody get that guy an ambulance!
    7. Re:horrid legal thought by sketerpot · · Score: 1

      Ah, but this isn't a deliberate DoS attack! This is just visiting links in emails to get some information about the email itself. And if the site goes down due to bandwidth spikes? Just a convenient side effect, like the slashdot effect going into "righteous wrath" mode.

    8. Re:horrid legal thought by jpetts · · Score: 1

      If a spammed website is brought down by a method such as this, it wouldn't altogether surprise me if they sued the maker of the software responsible.

      Yet *another* upside: make sure that the auto-linker uses IE!!!

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
    9. Re:horrid legal thought by rsmith-mac · · Score: 1

      Think of it this way, a website is like a 1-800 number; you pay for the number, you pay every time someone uses it, and you have a finite number of people you can serve at once. Now, some people have recommended dial-spamming SCO's 800 number, which is borderline illegal, since you're tying up their system, preventing real customers from contacting them, and costing them money at the same time; something that's sure to get law enforcement's attention sooner or later.

      The difference with the /. effect is that everyone who visits is a customer in a certain sense; they visited the site because they're interested in something that's on the site. This is the difference between going to the site for the "utility" provided by the site's content, and simply going to a site so that someone else can't.

      While SCO and spammers are on the same level morally as far as I'm concerned, if you DDoS their site, you're doing the same thing as tying up someone's 800 number; and that's just something that's "not cool" and quite possibly not legal.

    10. Re:horrid legal thought by WWWWolf · · Score: 1
      The spammer put the links in the e-mail, obviously intending people to follow them

      Yeah, but what stops spammers from obscuring their URL into machine-unreadable format, and providing innocent URLs in machine-readable format?

      Example: "See our CEO hauled into prison, live Realvideo broadcast on http://www.cnn.com/! Order our herbal nigerian make-money-fast penis-extending hardcore porn video from dubya dubya dubya dot clever spammer tech dot com!"

      Users already obscure their mail addresses and seem to have no problems understanding them. What would stop spammers from doing that too? They already try...

    11. Re:horrid legal thought by |<amikaze · · Score: 1

      The kind of users that respond to spam usually aren't the type that obscure their email addresses like that...

    12. Re:horrid legal thought by Todd+Knarr · · Score: 1

      Right, except for one thing. If a couple hundred people each dial that 800 number 100,000 times each, the courts would probably find that illegal. But, if each of the 100,000,000 recipients of an advertisement called that 800 number once, you'd get the same result but the courts would almost certainly rule that there was nothing illegal going on. Whether the people were interested in buying anything or not, no one of them did anything even unreasonable. Even if they simply want to complain about the advertisement, that's a reasonable use of the advertised number.

      Even if you called repeatedly, you could probably get away with it. "Your Honor, the advertisement said to call that number for more information, so I did. All I could get was a busy signal, so I tried again twice a day for the next week just trying to get the information they said I could get at that number. If they didn't want me calling for more information, why did they say to call for more information? And it's not like I hit the redial button every 5 seconds, surely one attempt in the morning and one in the evening isn't that unreasonable?"

    13. Re:horrid legal thought by ikkonoishi · · Score: 0

      Then even better. If they obscure the links then people won't be willing to go through the trouble of clicking them.

    14. Re:horrid legal thought by Electrum · · Score: 1

      Yeah, but what stops spammers from obscuring their URL into machine-unreadable format, and providing innocent URLs in machine-readable format?

      Because most people who buy things from spam are not computer literate enough to go to the site. If it doesn't have a clickable link, it's not going to produce results.

    15. Re:horrid legal thought by Anonymous Coward · · Score: 0

      Heh. Your laws don't even apply in Mexico.

    16. Re:horrid legal thought by J2000_ca · · Score: 1

      I'm pretty sure any Judge would find not guilty because the spammer is causing the DDoS not the maker of the program who never intended for this to happen.

    17. Re:horrid legal thought by TomDLux · · Score: 1

      The spam email is an invitation to visit their web site

    18. Re:horrid legal thought by blibbleblobble · · Score: 1

      "a deliberate denial of service attack is illegal whether the victim is an innocent website or an evil spammer."

      How is mass-mailing through open proxies not DDOS?

    19. Re:horrid legal thought by BobTheLawyer · · Score: 1

      abusing open proxies is certainly illegal (in the UK anyhow) but nobody seems to have the balls/ability/motivation to do anything about it.

      This doesn't change the fact that launching a DDOS against a spammer is also illegal.

      There is no doctrine of self defence for electronic attacks. If someone attacks you and you kill them in self defence, then you can plead self defence. If someone attacks your computer and you attack theirs in return, then you have no defence.

    20. Re:horrid legal thought by sipy · · Score: 1

      Even better -

      The spammer could include a link that is not visible, (or at least obscured), knowing that only a link-harvester would ever follow it. Any source IP that followed the obscured link would be denoted as a 'bot, and any IP that didn't would be identified as a human being responding to the spam.

      Not good when your attempts to mess up the spammer helps them figure out the real users from the 'bots (IMHO).

  10. No such thing by Crazieeman · · Score: 1

    I think everyone would agree with me that there is no 'fake' spam.

    1. Re:No such thing by wavecoder · · Score: 2, Informative

      there is no 'fake' spam

      Not true; several times I have received spams so carefully put together that they looked like they came from one of my addresses. For example, I used to have an address like me@school.edu; it's been inactive for some time, but once in a while I'll get a message claiming to be from that address, complete with perfectly spoofed headers. Tricky, but entirely possible.

    2. Re:No such thing by xyvimur · · Score: 1

      Few minutes ago I received `something'. It's probably a spam - from some Foobar Inc. (in headers).
      Well it came from Taiwan and is written with very strange letters - for sure none looks like `V1agra' or even `Viagra'. I can't tell from what is written inside whether it could possibly be real or fake spam.

    3. Re:No such thing by BrookHarty · · Score: 1

      This fake spam is getting worse, at work people are actually using major companies we work with. Also since I work for a telco, domains that I don't filter, nortel, lucent, nokia, ericsson are not detected as spam.

      The biggest single spam I get, Nigerian scam, at least 3 a day, out of maybe 5 spam emails.

      At home, buy.com seems to be popular with spammers. Amazon, and ebay too. Ebay is bad, because of the way people track and can't filter email on ebay, don't want to lose a sale.

      BTW, I cut spam down at home by using a Mandrake Linux box with fetchmail, SpamAssassin, imap/pop3 with Thunderbird. And a bunch of filters in Thunderbird. About 92% success in detecting spam, and moving it to another folder.

    4. Re:No such thing by Anonymous Coward · · Score: 0
      I have received spams so carefully put together that they looked like they came from one of my addresses.

      That would just be spam, with fake header information. It would not be fake spam. It's real spam.

    5. Re:No such thing by thynk · · Score: 1

      "there is no 'fake' spam"

      I guess that depends on how you define fake. Faked headers and email addresses? Sure, that's the norm.

      OTOH - if you mean faked spam to mean that the spammer works for company A and actually includes a link to company B in their spam to get them in trouble/DDOS/Annoy them - this type of fake spam I've never seen.

      --

      Good judgment comes from experience, and a lot of that comes from bad judgment.
  11. This is stupid! by MoogMan · · Score: 4, Interesting

    Seems a bit retarded to at least double the bandwidth drain from spam. It's bad enough as it is. This is *not* a viable solution, unless the spammers happened to be one hop away...

    1. Re:This is stupid! by rabbar · · Score: 3, Insightful

      Actually it's quite clever. The spammer's website would quickly have its bandwidth consumed to the point where most automated accesses to it would timeout without actually consuming more than minimal bandwidth. It's an automated, legal denial of service attack on not only the spammer but also on the ISP that hosts the spammer.

  12. Automated slashdotting of spammers by rabbar · · Score: 2, Insightful

    I like the idea, anything that drives up the cost of sending spam above the value derived from spamming is a good thing. I'd also like to see some automated poisoning of things like mortgage solicitations. This type of spam is really intended to simply get your name, address and phone number which are then sold to mortgage brokers for further solicitation. The mortgage brokers pay $10-50 for these lists of names, if the lists were filled with automated junk information the value to the mortgage brokers would quickly drop to zero and this type of spam would drop to zero.

    1. Re:Automated slashdotting of spammers by eugene+ts+wong · · Score: 1
      The mortgage brokers pay $10-50 for these lists of names, if the lists were filled with automated junk information the value to the mortgage brokers would quickly drop to zero and this type of spam would drop to zero.
      Why would it have to be junk information? I suppose that there are legal ramifications, but they should try to get it as real looking as possible, so that when the mortgage companies follow up on the lead, time is wasted, & the company gets a bad name. Think about what kind of a reputation they would get if they identified themselves & kept looking for people that weren't there. In short, the only thing that has to be real is the phone number.
  13. Autowhitelists by sheriff_p · · Score: 1

    Whitelists already exist to a degree - if the email is in razor, and you've marked it as spam, then it's been checked as a human, using a trust network, to be spam. Simply follow links if the spam is also in razor...

    --
    Score:-1, Funny
  14. And that is why we spammers... by Anonymous Coward · · Score: 1, Insightful

    ... bounce the connections through proxies and attach fake return paths. I guess this would punish people who don't (don't know how to) close their proxies to the outside world.

    I suppose you would burn the amateur spammers that run cots spam software off their AOL connections.

    1. Re:And that is why we spammers... by Trick · · Score: 3, Insightful

      Would that be such a bad thing? A big part of the reason spammers have the success they do is because there are a *lot* of people out there with misconfigured proxies. If the only bad result of a filter was that a few "innocent" people who don't know what they're doing, and made things easier for spammers, got DOSsed, I'd have no problem with that at all.

  15. I'd rather see a distributed tool by FuckMeter · · Score: 0

    I have to admit looping fetch/wget in a few cases where I was repeatedly and persistently spammed by some sites. They did invite me to visit, after all, and the spam didn't ask me to limit my browsing to 1 hit. I've daydreamed a few times about a distributed "spam spider" where thousands of people run a client which sits in the background, fetching spamvertised websites. The client would retrieve a fresh list of sites to visit every hour or so.

    The only hole in the idea is finding a trusted, centralized moderator (or moderators) to control the list of spamvertised sites. The RBL model has shown repeatedly that the individuals in charge of such lists will occasionally use them to further a personal vendetta of some sort. But with the right person at the helm, someone who receives a lot of spam and can identify real spam from joe-jobs, it might just be possible to maintain a rolling database of sites promoted in spam.

    --
    Rate Naked People! at Fuck Meter! (Not work-safe)

  16. are we forgetting.. by KReilly · · Score: 1

    the exploits.. I mean, couldn't this have potentially bad side effects if a new exploit comes out?

  17. This is a GREAT idea. one more point though by DRWHOISME · · Score: 1

    Might be some legal problems disabling their server. But who really cares? Not the gov. Not me.

  18. Needs Critical Mass, but how do you tame it? by globalar · · Score: 3, Interesting

    "We should try to ensure that this is only done to suspected spams"

    I am not sure that is 100% possible. In light of that reality, this might just punish any server, not necessarily attached directly to the spammer. For example, if I wanted to shutdown a site, couldn't I spam a million inboxes with that site's address?

    I could see this solution, when mismanaged, merely creating lots of extra, meaningless traffic as well.

    I am all for doing something to inconvenience spam, but it seems that the most effective solutions always come at a direct cost to everyone. For example, I have read about adding a small CPU penalty calculation for every email sent. This new solution isn't quite as distributed - it adds traffic to networks and places loads on servers, but it's still a penalty.

    I guess the real challenge is finding a way to penalize the spammers and no one else. Good thoughts, and honestly if my client supported a "punish mode," I think I would be tempted to use it with the same careless sense I apply delete.

    1. Re:Needs Critical Mass, but how do you tame it? by jpetts · · Score: 1

      I am not sure that is 100% possible. In light of that reality, this might just punish any server, not necessarily attached directly to the spammer. For example, if I wanted to shut down a site, couldn't I spam a million inboxes with that site's address?

      I could see this solution, when mismanaged, merely creating lots of extra, meaningless traffic as well.


      Yes, it does offer another means of initiating a DDOS attack on somebody you don't like, but it's not as though there aren't enough of those available already. It's just another arrow in the script kiddies' quiver. However, it does offer a DDOS against spammers that they CAN'T AVOID with their current business model. So, yes, there is a potential downside, but, as we say in England, it does what it says on the can...

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
  19. Comparison of Bayesian spam filters by kreide33 · · Score: 5, Informative

    I recently switched from a keyword-based spam filter to a bayesian filter. However, there exist several bayesian filter projects and the choice of which to use is not obvious. Therefore, I decided to do an actual test and write up my findings in a review so others can benefit as well. Read it and find out how to win the War on spam.

    1. Re:Comparison of Bayesian spam filters by __past__ · · Score: 4, Insightful
      I always wondered how Graham felt about the hundreds of Bayesian filters written after he published his article. After all it was supposed to be a killer feature of a webmail system he (together with others, of course) writes to demo his Arc language.

      Then again, he's probably still insanely rich from the ViaWeb (a.k.a Yahoo! Store) deal, and doesn't really have to care about lost business advantage much. Becoming a millionaire to be able to concentrate on hacking seems to be a good career plan :-)

    2. Re:Comparison of Bayesian spam filters by Tony+Hoyle · · Score: 1

      Try running them over a longer period of time.. I was running 2000-2500 emails a day through the one in SpamAssassin, and what I found is that over time they become very poor indicators of spam, since the spams are constantly changing, but the database is monolithic - after you've got 50,000 spams in the database and a new 'spammy' word turns up (eg. vi@gra) then it's only 1/50,000 as effective as when there's one email in the database... you'll need hundreds or even thousands of instances of the word before it'll be recognised as spammy. Also bayes poisoning is now so commonplace that their effectiveness is cut drastically (I wouldn't rely on one as my sole filter) - I was getting 'obvious' spams marked as '0% probability of spam' by bayes, because the spammer had stuck a bunch of shakespeare in the bottom - this then gave SA a huge negative score and allowed the spam through even though it was in razor, orbs, etc.

    3. Re:Comparison of Bayesian spam filters by sketerpot · · Score: 1

      I'm guessing, based on the fact that he wrote A Plan for Spam, that he's happy. After all, when (I'm an optimist, and happy!) we solve the spam problem for all but a few suckers, he'll get the advantage of being able to say that he helped. Plus, having something you wrote cited over and over again and called "seminal" has got to be one big ego boost.

    4. Re:Comparison of Bayesian spam filters by asteinberg · · Score: 2, Interesting
      I've always wondered how Paul Graham has managed to get so much hype built up about his work. The idea of using Bayesian filters to classify spam had been around about 5 years prior to his "A Plan For Spam" - check out, for example, this paper by Mehran Sahami (a very cool guy who works here at Stanford as well as at Google) from 1998: http://citeseer.nj.nec.com/sahami98bayesian.html (and if you search around on Citeseer you'll undoubtedly find many other papers on spam classifying from even earlier, though not all use Naive Bayes).

      Mathematically, Graham's version of Naive Bayes is pretty weak - look at the original A Plan for Spam, he chooses all kinds of random numbers based purely on trial and error, rather than backing them up with mathematical reasoning:

      I want to bias the probabilities slightly to avoid false positives, and by trial and error I've found that a good way to do it is to double all the numbers in good. This helps to distinguish between words that occasionally do occur in legitimate email and words that almost never do. I only consider words that occur more than five times in total (actually, because of the doubling, occurring three times in nonspam mail would be enough). And then there is the question of what probability to assign to words that occur in one corpus but not the other. Again by trial and error I chose .01 and .99. There may be room for tuning here, but as the corpus grows such tuning will happen automatically anyway.
      That's just one paragraph, stuff like that is all over the paper. There are many more logical ways to bias the classifier away from false-positives, which I'm not sure if it's worth getting into. Having spent the summer implementing many different variations on spam filtering, I can say confidently that Graham's variation is definitely far from the best.
      --
      The first ever Ultimate Frisbee video game: here (now
    5. Re:Comparison of Bayesian spam filters by big-magic · · Score: 1

      At this point, the operational experience we have with Bayesian filters is only a few months. I believe as we get more experience with Bayesian filters, these type of issues will be pretty easy to fix.

      One thing to remember is although Bayesian filters are pretty new to the anti-spam battle, Bayesian classification has been an active area of research for a long time. Many of these issues have been encountered and fixed in many other research projects using Bayesian classification. The problem is that much of the published work is highly mathematical. So, it will take some time for people with the necessary mathematical background to dig out the techniques we need. But, it will happen.

    6. Re:Comparison of Bayesian spam filters by Anonymous Coward · · Score: 0

      I always wondered how Duda and Hart [1] feel about Paul "I hate reading research papers" [2] Graham claiming their algorithm as his own novel invention. In fact, his algorithm isn't any different from the algorithm made use of by Pantel in SpamCop [3].

      In the machine learning and information retrieval communities, the naive Bayes algorithm is usually used as a baseline for which other learning algorithms are compared. It seldom wins.

      The only thing that the algorithm has going for it is that the (almost always incorrect) naive Bayes assumption makes estimating probabilities very easy and that the probability tables can be incrementally updated.

      Graham mentions in his talk at The Spam Conference that he found it interesting that naive Bayes was mentioned and then forgotten about. He suggests that it is because of their poor results.

      But, in "A Plan for Spam," he rants and raves about how good his Bayesian filter is and how it gets "no false positives." It's the same algorithm as used before. How can this happen, that he gets perfect results when everyone before him does not?

      Graham is guilty of vapour. Aside from his utter lack of any sort of reproducible evaluation scheme, he manually edits his probability tables (whitelisting on his postal code, for example) to over-fit it to his training data.

      As far as unsubstantiated claims are concerned, I'm very disappointed with the open source community. If a company like Microsoft were to have made claims about a product like this, there would be such a fury (Please note [4] that they did not), but when an open source developer does it everyone blindly jumps on the bandwagon and does not think to question his results.

      I've been very disappointed in the open source community as a whole because of issues like public in-fighting (XFree86 and OpenBSD immediately come to mind) and this trend towards bandwagon jumping.

      [1] Duda, R. O. & P. E. Hart. Pattern Classification and Scene Analysis. New York: John Wiley & Sons. 1973.

      [2] Paul Graham. Better Bayesian Filtering. In Proceedings of the 2003 Spam Conference. Boston, Massachusetts. 2003.

      [3] Patrick Pantel, Dekang Lin. SpamCop: A Spam Classification & Organization Program. In Learning for Text Categorization: Papers from the 1998 Workshop. Madison, Wisconsin. 1998.

      [4] Mehran Sahami, Susan Dumais, David Heckerman, Eric Horvitz. A Bayesian Approach to Filtering Junk E-Mail. In AAAI Workshop on Learning for Text Categorization. Madison, Wisconsin. 1998.

    7. Re:Comparison of Bayesian spam filters by William+Tanksley · · Score: 1

      SpamAssassin is nice, but it's not very clever in its Bayesian filter. DSPAM is much smarter; in particular, it automatically ages its corpus, thus keeping you up to date.

      And for the Shakespeare poisoning -- I have a hard time seeing how that would work. I don't use Spamassassin, but for my emails Shakespeare is relatively rare; almost 100% of the words in it would be never-seen-before (neutral), and thus wouldn't show up at all on the spam calculations.

      -Billy
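
Added example, not part of any comment above and not Paul Graham's own code: a Python sketch of the per-token scoring that asteinberg quotes from "A Plan for Spam" (doubled ham counts, the more-than-five-occurrences floor, the .01/.99 clamp), run over a small constructed corpus to show the padding effects Tony Hoyle and William Tanksley describe. The 0.4 score for unseen words, the 15-token cutoff and the 0.9 threshold come from the same essay rather than from the quoted paragraph; the class, function and corpus names are made up here.

```python
import re
from collections import Counter
from math import prod

UNKNOWN = 0.4      # essay's score for a word seen in neither corpus
TOP_N = 15         # essay combines only the 15 most "interesting" tokens
SPAM_CUTOFF = 0.9  # essay's threshold for calling a message spam


def tokenize(text):
    # Simplified tokenizer (assumption): lowercase runs of letters, digits, $ ' -
    return re.findall(r"[a-z0-9$'-]+", text.lower())


class PlanForSpamFilter:
    """Hypothetical name; implements the scoring described in the quoted paragraph."""

    def __init__(self, ham, spam):
        if not ham or not spam:
            raise ValueError("need at least one ham and one spam message")
        self.good = Counter(t for m in ham for t in tokenize(m))
        self.bad = Counter(t for m in spam for t in tokenize(m))
        self.ngood, self.nbad = len(ham), len(spam)

    def token_prob(self, word):
        g = 2 * self.good[word]          # "double all the numbers in good"
        b = self.bad[word]
        if g + b <= 5:                   # only words occurring more than five times
            return None
        gr = min(1.0, g / self.ngood)
        br = min(1.0, b / self.nbad)
        return max(0.01, min(0.99, br / (gr + br)))   # the .01 / .99 clamp

    def score(self, message):
        probs = []
        for word in set(tokenize(message)):
            p = self.token_prob(word)
            probs.append(UNKNOWN if p is None else p)
        # Keep the tokens furthest from the neutral 0.5.
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        top = probs[:TOP_N]
        spam_like = prod(top)
        ham_like = prod(1 - p for p in top)
        return spam_like / (spam_like + ham_like)


# Constructed sample corpora (not real mail), repeated so counts clear the floor.
HAM = [
    "meeting notes for the project review on monday",
    "lunch on monday? the project build is green",
    "patch review attached, build passes",
] * 4
SPAM = [
    "cheap pills online click now",
    "click now for cheap mortgage rates",
    "online pills cheap cheap cheap",
] * 4


def demo():
    f = PlanForSpamFilter(HAM, SPAM)
    base = "cheap pills click now"
    return {
        # Four strongly spammy tokens: scores well above the cutoff.
        "plain": f.score(base),
        # Padding with words this user has never seen: each counts 0.4,
        # which barely moves the result (Tanksley's point).
        "unseen_padding": f.score(base + " wherefore art thou romeo"),
        # Padding with words common in this user's own ham: each counts 0.01
        # and drags the score under the cutoff (the effect Hoyle reports).
        "ham_padding": f.score(base + " project review monday build the on"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        verdict = "spam" if value > SPAM_CUTOFF else "not spam"
        print(f"{name:15s} {value:.6f}  {verdict}")
```

On this corpus "for" appears equally often in ham and spam yet scores about 0.33 rather than 0.5, which is the false-positive bias the doubling is meant to produce.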

  20. Filter web-pages through bayesian filterss by flux · · Score: 5, Interesting

    How about using the bayesian algorithms we have today and apply them to the referred web pages? I'm sure they would have plenty of good material for the filters to detect.. Plus this would probably be more effective with spam that effectively is only an url.

    Secondly, I don't call this any kind of DDoS, even though it might seem such to spammers (is slashdotting a DDoS?). If anyone sends me a mail with an url, chances are they _want_ me to check it out. If my system fetches the pages and stores them to a cache, I'm doing exactly what the sender wants. (Mailing lists may be a problem though.)

    Thirdly, does it really hurt you to let spammers know that your address is valid? Chances are the address will receive spam nevertheless..

    1. Re:Filter web-pages through bayesian filterss by hankaholic · · Score: 1
      How about using the bayesian algorithms we have today and apply them to the referred web pages?
      You mean doing exactly what is described in the article?
      If the spam is waiting on the site, why not have filters go look at what's there? You could apply the filtering algorithm pretty much unchanged to the contents of the site
      Dammit, people. Sure, there are stupid people out there, and many of them post at times. But if you're going to moderate, PLEASE read the article yourself!

      Here's to hoping M2 does its job in this case.
      --
      Somebody get that guy an ambulance!
    2. Re:Filter web-pages through bayesian filterss by flux · · Score: 1

      Well, I did actually read the article but apparently I failed to read that one paragraph. I would've expected the article to concentrate more on that..

    3. Re:Filter web-pages through bayesian filterss by hankaholic · · Score: 1

      Yeah, the article didn't make a huge deal out of the idea of conditionally checking borderline cases instead of all cases.

      I was in quite a sore mood yesterday as well -- new jobs are stressful, and I was in quite a funk. ;-)

      --
      Somebody get that guy an ambulance!
  21. another approach by mwilliamson · · Score: 3, Interesting
    I think this approach would be rather simple to implement

    1. Copyright my gnupg/pgp public key and write a EULA outlining its use. Here is where I'd explicitly disallow unsolicited advertisement.
    2. Have procmail or some other filter direct all non-pgp mail to /dev/null
    3. If someone successfully sends me encrypted email having violated the EULA of my gnupg/pgp key, pursue legal action against them.
    4. Enjoy my spamless mailspool

    There are other fringe benefits...the overhead encrypting to a large number of keys would certainly slow a spammer's throughput down. Also, this would encourage the use of widespread secure email.

    1. Re:another approach by GigsVT · · Score: 1

      To make this work, it'd have to be automatic, such as a central database of PGP keys that could be automatically used just by checking a box when you send email to someone.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:another approach by RPoet · · Score: 1

      Except for a work to be considered protected by copyright laws, the creation of the work must have involved some kind of creative process. "Works" that can be mass generated, such as public key pairs, could never be copyright protected.

      --
      "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
    3. Re:another approach by hankaholic · · Score: 1

      I'm assuming you don't subscribe to any mailing lists, or get important email from cron or any other automated tasks.

      Go ahead and try to get the court to enforce a license agreement on a PGP key. If you can afford the legal fees, it'll just reestablish my faith in America as the land where even idiots can end up with more money than they know what to do with.

      --
      Somebody get that guy an ambulance!
    4. Re:another approach by mwilliamson · · Score: 1

      But I have provided some of the entropy used in the generation of my public key. I can recall having to type some keystrokes or move the mouse about in order to generate some randomness to seed the pseudo-random number generator.

    5. Re:another approach by mwilliamson · · Score: 1
      I agree it would have to be made as simple to use as possible to make it accessible to the average internet user. A central database of PGP keys already exists. http://pgp.mit.edu/ should qualify. There are also plenty of gnupg/pgp plugins for most popular email clients.

      Having said all this, I don't think it's necessarily a bad thing that sending qualified email takes a bit more thought.

    6. Re:another approach by mwilliamson · · Score: 1
      I can write procmail rules such that stuff from listservs, certain domains, or certain subjects get through. Procmail is a great tool for doing this sort of thing.

      Remember, this is the land where the mear act of opening some plastic wrap constitutes acceptance of an EULA. I agree, this is insane, but this insanity should not just be a tool of big corporations. We too should attempt to use it to our behoove.

    7. Re:another approach by hankaholic · · Score: 1
      Remember, this is the land where the mear act of opening some plastic wrap constitutes acceptance of an EULA.
      Again, convince a judge of that, and I'll be convinced. And it's "mere".
      We too should attempt to use it to our behoove.
      Ummm...
      From Merriam-Webster:
      Main Entry: behoove
      Pronunciation: bi-'huv
      Function: verb
      Inflected Form(s): behooved; behooving
      Etymology: Middle English behoven, from Old English behOfian, from behOf
      Date: before 12th century
      transitive senses : to be necessary, proper, or advantageous for <it behooves us to go>
      intransitive senses : to be necessary, fit, or proper
      Thanks for enforcing my point regarding litigious fools with too much money.

      I've used procmail, yes, but we're talking about a general-purpose solution with the goal of reducing the chances that people will find it profitable to send spam.

      If you want to run off about using litigation to get back at spammers, you'd be better off trying to convince us that attempts to get around spamassassin or other filtering software is a violation of anti-circumvention laws.

      Of course, it still doesn't get at the root cause, and while it may make you feel better to pretend that you have the resources to hire sufficient legal counsel to make such an argument in court, you're doing nothing to solve the root problem -- that of spam in general.
      --
      Somebody get that guy an ambulance!
    8. Re:another approach by autopr0n · · Score: 1

      Copyright my gnupg/pgp public key and write a EULA outlining its use. Here is where I'd explicitly disallow unsolicited advertisement.

      Incidentally, this comment also has a EULA. By reading it you must send me $50,000.

      You can paypal me at wsmith at autopr0n dot com. Thanks.

      --
      autopr0n is like, down and stuff.
    9. Re:another approach by mwilliamson · · Score: 1
      The difference in what I propose is that a user reads the EULA (or is given the opportunity to do so) and then makes a decision to take action or not. I suppose I'd have to add the actual EULA as some sort of header in the pgp key, or possibly serve the key out only via 'click-wrap' which, although disturbing as it is, is legal in the USA.

      However, IANAL, but I know a few.

    10. Re:another approach by mwilliamson · · Score: 1

      Everything else aside, requiring pgp encryption for email acceptance would slow down the rate a spammer can send at.

      Oh, and by the way,

      "Webster's Revised Unabridged Dictionary (1913)"
      Behoove Be*hoove", n.
      Advantage; behoof. Obs.

      It shall not be to his behoove. --Gower.

    11. Re:another approach by hankaholic · · Score: 1

      ...and slow down the rate of legitimate mailings as well.

      The point is not to throw out the baby with the bathwater -- to avoid encumbering normal communications while imposing the largest possible burden on spammers.

      So what's to keep spammers from generating a new set of keys for each spam run? They sign a message, then mass-mail it. Remember, we're discussing a solution to reduce spam overall, not just keep it from YOUR inbox. I suppose you'd support forcing Grandma to go have people sign her PGP key on Bingo Night?

      Come up with a truly easy-to-use solution to requiring PGP/GPG encryption (including making it automatic for Grandma), then I'll entertain the idea of requiring certain things of the users. Until then, just saying "Require PGP!" does nothing but make you look like you haven't considered the problem on a widespread scale (read: on a scale large enough to benefit others, not just you and the "elite few") and are just trolling.

      And for the final word on "behoove", you quote a 1913 dictionary, which apparently marked the usage as obsolete at the time. Go fuck yourself -- you're about one step away from arguing that because Shakespeare used a certain turn of phrase it must have a place in modern English.

      --
      Somebody get that guy an ambulance!
    12. Re:another approach by mwilliamson · · Score: 1
      I will not stoop to your level. You have shown your own true colors to the rest of /.

      End of thread.

    13. Re:another approach by Anonymous Coward · · Score: 0
      However, IANAL, but I know a few.

      Poor bastard

    14. Re:another approach by hankaholic · · Score: 1

      OoooooOOooooOOOooooOOoooo. I'm *almost* impressed.

      I'd be even more, um, almost impressed if you made an attempt to address the obvious flaws in your argument, especially the idea that spammers could just fire off a new set of keys, and the fact that the average grandmother won't be able to use PGP without assistance.

      I know, it's easier to pretend that you're offended that I said "fuck", because after all, the word "fuck" makes little kids do heroin.

      --
      Somebody get that guy an ambulance!
  22. Re:This is a GREAT idea. one more point though by rabbar · · Score: 1

    The "disabling" of their servers isn't thru any malicious act but the simple result of many people having set up their computers to automatically explore the website of any URL's sent to them in an email. As the article points out, one of the dangers would be the use of this in a malicious denial of service attack engineered by sending out a spam message which includes URLs on the targeted system. For example, sending out a penis enlargement spam that includes a Microsoft URL.

  23. Do they really care? by eddy · · Score: 3, Informative

    My hotmail account gets relentlessly spammed even though I _never_ follow any links from spam or let it load any images. Even before Hotmail introduced the "don't load inline images" feature I always disabled javascript + images before opening any suspected spam.

    Basically, can it get worse? They never seem to remove inactive accounts anyway.

    I have a domain registered which I've owned for three years, and it's still getting spam for accounts related to the previous owner of said domain. My mailer says "no such account" over and over and over again.

    Spammers don't care whether the account exists, is inactive, filtered or whatever. They try to spam it anyway.

    --
    Belief is the currency of delusion.
    1. Re:Do they really care? by Anonymous Coward · · Score: 5, Informative

      You can have a domain/subdomain with no A records or MX records and they will keep trying. You can also have nothing but blackhole MXs - hosts that don't exist, but are on routable networks. I've had a domain since 1994, and it was in one of the above states for about 2-3 years.

      Last month I put a real MX record in there and pointed it at a box that's running a mail server. Sure enough, the spam flows continuously. It's not just the "make up random shit and put @aol.com" idiots either - the big outfits with permanent networks and domains are mailing it too.

      I've taught my mail server to quarantine any host that attempts to mail my long-dead domain, so having it go to a routable address is actually useful again. Every attempt they make ruins another open proxy or relay for every other spammer that may find it later.

      You might consider using those "never valid/previous owner" accounts as spam traps. Anything coming to them now is obviously worthless, so why not make them suffer for trying?

    2. Re:Do they really care? by Anonymous Coward · · Score: 0

      Oh man! DUDE! You can do some really nasty things if you have control over your DNS...

      Point your MX record to a honeypot SMTP server.... Spammers will find it just like flies on shit. If you build it, they WILL come, in droves...

      Of course you would program your honeypot to log everything with additional tracking information, then use that to get even closer to finding out who the spammers are.

  24. Are you kidding?? by amjohns · · Score: 3, Funny

    This is brilliant. It costs the spammers little bandwidth to send out SMTP messages. But if we start downloading their graphics-rich webpages, and reloading repeatedly, we'll drive their bandwidth through the roof.

    The point is not the user's bandwidth, this is really a DDOS, but since the spammer's asked for it (literally, not just figuratively), it's OK.

    1. Re:Are you kidding?? by sketerpot · · Score: 1

      This also provides incentives for spammers to provide a link to an unsubscribe page that works, preferably (for everyone, including the spammer) to a page that unsubscribes you for just visiting it. That way, only the users clueless or stupid enough to be unprotected will get repeat spam, and the bit bandwidth problem will go away. Hooray!

    2. Re:Are you kidding?? by polymath69 · · Score: 1
      This also provides incentives for spammers to provide a link to an unsubscribe page that works[...]

      Maybe. But I don't see where they get a disincentive to also add that email to a list of addresses not to sell to other nasty clueless spamming scum. Any given spammer is just in it for the money, not his reputation among other spammers. If an automated remove from one list reduces his bandwidth costs, but he can sell it to other spammers as a confirmed valid address, then from the spam victim's point of view, the spam just keeps increasing, even though the sources keep changing.

      As an aside, the thing that most scares me lately is some mortgage spam I've been getting which has all my personal information embedded in the URLs. Name, address, zip code, personal code numbers... how they got all this I don't know. But I really wouldn't want an automated system to click on one of those links and confirm that I'm receiving all their s*it. I get like 5 a day just from this one group. How many times could I possibly refinance?

      Oh, and this is kind of funny... they are asking me to get a great new mortgage rate on my P.O. box. Where'd I leave my cluebat?

      --
      I don't want to rule the world... I just want to be in charge of mayonnaise.
    3. Re:Are you kidding?? by sketerpot · · Score: 1
      Maybe. But I don't see where they get a disincentive to also add that email to a list of addresses not to sell to other nasty clueless spamming scum.

      I still like the idea of some spamming scum getting the dirty end of the stick, and polluting GUARANTEED!!! address pools should make living in their own collective filth a little more squalid for spammers. I think that's a worthy goal.

      As an aside, the thing that most scares me lately is some mortgage spam I've been getting which has all my personal information embedded in the URLs. Name, address, zip code, personal code numbers... how they got all this I don't know. But I really wouldn't want an automated system to click on one of those links and confirm that I'm receiving all their s*it. I get like 5 a day just from this one group. How many times could I possibly refinance?

      Wow. That's pretty amazing. Methinks something incredibly crooked is going on, assuming that you weren't gullible enough to give that info away to some unscrupulous web site. Any web site that asks for that stuff when they don't need it deserves a pack of lies. And if asking you to refinance once doesn't work, well, just try again! Patience is cheap with computers; surely those uncooperati) will come around.

      As for the mortgage on your P.O. box---maybe that particular spammer is getting so many loads of bricks delivered by business reply mail that he/she needs to get a mortgage, and wants help paying it off. :-)

  25. I'm 1337 by MoeMoe · · Score: 4, Funny

    One danger is someone doing a DDoS by sending fake spam

    I'm sorry but spoofs don't usually work too well on me... I'm 2 1337 to be fooled.

    Seriously though, if you just take a little more time to look into the header contents of that "penis enlargement" ad, you might find a pretty new IP addy to "play with" *cough* BO2K *cough* or at least the real route that this spam took to get to you, just follow the yellow brick road back up to Mr. 12 extra inches and... well, you decide your own punishment for 'em ;)

    Besides, it's not like you need that ad... do you?

    --
    Business \Busi"ness\, n.;
    A scam in which all people involved perceive as beneficial...
  26. Wrong! by amjohns · · Score: 2, Insightful

    While the net effect is DDOS-like, we're only doing EXACTLY WHAT THE SPAMMERS WANT! They asked us to visit their webpages, so we did. This is 100% legal, and no court (or jury at least) would see otherwise.

    But you've got to watch out for unique tracking images so as not to validate your email address.

    1. Re:Wrong! by BobTheLawyer · · Score: 1

      intent is everything. If you create software which is intended to have the effect of a denial of service attack then you will likely suffer the legal consequences of that.

  27. Re:noooooooo - you did not read the article... by HermanAB · · Score: 1
    since the main point is for the filter to follow the link, in order to analyze the text at the destination page and decide using that, whether the message is spam.

    This way, very short spams, that consist only of a link and little else, which currently slip through a Bayesian filter, will also be detected as spam.

    It is easy to prevent the leaking of personal information, so a properly written antispam program will not cause you to receive more spam.

    --
    Oh well, what the hell...
  28. Fight Back by creating useless data by AmericanInKiev · · Score: 1

    According to latest article spam works for big business, which pays $20 dollars per "interested" party for Home Loans for example.

    Solution: ruin the market by creating bots to answer spam?

    The Bot creates email addresses which when spammed, reply by clicking, then auto-fill the corresponding web site. This would ensure Banks a steady supply of dead end leads at $20 a pop. It won't take long for them to go back to cold calls.

    AIK

  29. What if the server is hijacked? by nseward · · Score: 1

    Say some spammer hijacks someone's server without them knowing? Then their server will be brought down with this backlash of email. This is targeting the wrong person in that case.

    Also, aren't spammers hijacking personal computers as well? I read about viruses used by spammers to open up people's computers to act as relays.
    That means a defenseless person's computer will get a ton of email back at them.

    I like the idea this person has, it just seems like there is too much collateral damage that could happen.

    1. Re:What if the server is hijacked? by Anonymous Coward · · Score: 0

      Say some spammer hijacks someone's server without them knowing? Then their server will be brought down with this backlash of email.

      But the owner of that server SHOULD take it down and do something about the spam: all the gestalt would be doing is lending them a hand. There are nightmare scenarios where cure could be far worse than the disease, but such systems should not be gaping so wide as to support hackers installing spam software.

    2. Re:What if the server is hijacked? by realdpk · · Score: 1

      You're right - people are failing to administer their machines properly and are getting them hijacked. Regardless of who actually did it, the computer is a problem, and should be taken offline (preferably by the ISP, but most ISPs will never do this).

      The right people would be targeted, but not ALL of the right people.

    3. Re:What if the server is hijacked? by Anonymous Coward · · Score: 0
      Say some spammer hijacks someone's server without them knowing? Then their server will be brought down with this backlash of email.

      Good. Only the spammer wants the hijacked server to stay up. The victim needs to know something is wrong, before something really bad happens.

      This is targeting the wrong person in that case.

      I see nothing wrong with targeting people who support spam, intentionally or otherwise. Being negligent doesn't leave you with many legal or moral rights. If you have a server, you are responsible for protecting it from all abuse.

    4. Re:What if the server is hijacked? by Abm0raz · · Score: 1

      I understand your point, but I do disagree with it. I would think that most hijackings are the end user's "fault" (notice the quotes). By "fault" I mean one of the following general cases:
      1. They are running open proxies (intentionally or not)
      2. They have not patched their systems from known security holes
      3. They have contracted a virus, worm, or trojan by basically being not smart

      I know this is kinda like saying "It's your fault you got robbed cause you don't lock your doors," but there is some amount of common sense that needs to be applied. I see the "collateral damage" done in a system like this as a potential good service. People being abused from any of the 3 things I listed will know quite quickly that there is something wrong with their system. The grind to a halt of their services will lead them to patching, fixing, or cleaning their systems, thereby eliminating one more conduit for spam. By eliminating these unsuspecting middle men, we put the onus back on the spammers.

      This may sound a lot like vigilantism or mob rule, but as I hear on here all the time, "The internet should be policed by its users and not the government." Paul has given a viable weapon to help combat spam here and hit the spammers where it hurts ... where they make their money. His original Plan for Spam Bayesian filter was good, but not great, then he improved on it with the advanced filter. Now it is one of the most popular and successful spam defenses around. I am looking forward to when he refines this click flooding technique. I feel that a man of his brilliance will be successful in this battle against UBE/UCE.

      -Ab

      ps. If you read this Paul ... Thank You.

      --
      Nothing fails quite like prayer.
    5. Re:What if the server is hijacked? by jafiwam · · Score: 1

      No more vigilantism than quarantining the kindergarten kid that gets scarlet fever. Sure it sucks to miss a lot of school and catch up later, but then having the whole class do the same is worse.

      Sometimes the public good weighs on the convenience of others, the wheelchair ramp outside the business might be costly, but it's the right thing to do.

      Closing up and otherwise paying attention to the devices one sticks on the internet should be no different.

    6. Re:What if the server is hijacked? by eugene+ts+wong · · Score: 1
      I know this is kinda like saying "It's your fault you got robbed cause you don't lock your doors," but there is some amount of common sense that needs to be applied.
      I agree. I view the Internet as a gated city. If you leave your doors open, & someone comes in & robs me, then you are to blame as well. Obviously, we're not going to raise a stink when something happens for the 1st time, & it is a new concept; but something should be done eventually.

      The interesting thing is that the maintainer of the open proxy or whatever, should find that after repairs, he should also have less spam. So bringing this to his attention should improve his life directly as well.
  30. Fake Spam?? by GeekZilla · · Score: 2, Funny
    "One danger is someone doing a DDoS by sending fake spam"

    Isn't fake Spam uh...Spam?

    Isn't that like saying "I want you to separate the flammable material from the inflammable."

    --
    Veritas patesco per quaestio questio. Truth is revealed through questions.
    1. Re:Fake Spam?? by Anonymous Coward · · Score: 0

      I guess by "fake spam," they mean spam designed to appear to offer products and services from some website the sender wants to nuke. I can see it now. "Enlarge your XP overnight! go to www.microsoft.com"

  31. Thoughts on active countermeasures and relays... by atcroft · · Score: 5, Insightful

    Just finished reading the section of the article that was headed as "Filters that fight back." I think that the biggest issues that keep such an approach from working are fundamental features of the e-mail infrastructure itself: 1) the lack of verification, and 2) the store-and-forward and replicative nature of email itself.

    In other systems I am aware of in which active countermeasures may appear (such as firewalls, and tcpwrappers), the adversary can be established with reasonable certainty in most cases; however, because the From and Reply-To addresses can be (and often are) forged and most owners of relaying machines are unaware they are misconfigured, it seems doubtful countermeasures would work at that step. If one uses the URLs, as suggested in the article, it is not guaranteed that the "million" emails sent out will hit the next server along their path at a particular time, so it seems doubtful you can guarantee a massive traffic burst at once. Indeed, what may be seen instead is incremental bursts of traffic at the delivery retry intervals of various mailserver software.

    Other questions also arise, such as: 1) how much additional load will a mailserver experience from hitting the links; 2) what additional security issues are introduced in doing so (what if, for instance, the code to do this results in a security vulnerability); 3) how can it be done in such a way that DDOS attacks against innocent victims can be avoided; and 4) how can you get enough people to both upgrade their systems and cooperate in a useful way to do this. Issues 1 and 2 are probably obvious questions to ask; issues 3 and 4, however, I believe suffer from the same weaknesses as some of the current BL schemes. Also, some localities have legal codes which prohibit the interruption of legitimate access to a system, and the server in this case definitely has a way to track back to you at that point, which potentially make participants vulnerable to legal or civil actions.

    While I admire Mr. Graham and his efforts in the spam-wars, and find it an intriguing idea, I do not think this approach will truly be successful until changes are made to the underpinning email system that may reduce some of the issues mentioned, but hopefully will themselves make an impact on the issue without being too onerous to prevent wide-spread adoption.

  32. The people who PAY spammers would not by The+Monster · · Score: 5, Interesting
    In the situation where the spammer gets paid by hit, the spammer would be rich overnight. But, then the customer might see something a little fishy, then start asking questions.
    So you're saying that the long-term effect would be to destroy the spammers' business model?

    Looking for a downside to this plan . . . still looking . . . Nope. I can't see one.

    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

    1. Re:The people who PAY spammers would not by schon · · Score: 1

      the long-term effect would be to destroy the spammers' business model?

      Uhh, WHAT?

      The spammer's business model is "use email to steal as much money from everyone as possible." It has no "long term".

      Spammers don't care about keeping their customers happy, so attempting to use this to destroy their business by making their customers unhappy is doomed to failure.

      Looking for a downside to this plan . . . still looking . . . Nope. I can't see one.

      Then you're not looking hard enough.. this will encourage spammers, because they'll get more 'hits', and be able to verify which email addresses are valid and which aren't.

    2. Re:The people who PAY spammers would not by FuckMeter · · Score: 2, Insightful
      Spammers don't care about keeping their customers happy, so attempting to use this to destroy their business by making their customers unhappy is doomed to failure.
      I think the post you replied to, as well as its parent, were speaking of pay-per-click schemes. The original parent meant "customer" as in the person who hires the spammer, not the person who buys the products.

      A fair portion of the spam I get seems to promote pay-per-click programs, especially the porn spam. Spammer signs up as an "affiliate" of a porn site, sends out ten million emails, might generate 10,000 hits, each of which are probably paying half a cent. He gets a check from the porn site owner (or its processing company) for 50 bucks.

      Now suppose instead of generating 10,000 legitimate click-throughs from spam recipients, that mailing to 10 million addresses generated 5 million click-throughs from filterbots. The porn site operator sees some guy sending 5 million hits out of nowhere, and none of those hits are converting into signups. Do you think he's really going to cut the spammer a check for $25,000? No, he's going to boot the spammer out of his affiliate program, and the spammer isn't going to get paid.

      The same holds true for the mainstream side. Let's say ABC WidgetCo hires a spammer to drive some sales. The spammer sends out 10 million emails promoting abcwidgetco.com. Filterbots happily fetch abcwidgetco.com 5 million times over the course of a day or two. ABC WidgetCo's website dies for a few hours due to the overwhelming load, and their hosting bill for the month skyrockets, yet none of that turned into sales. Do you think they're going to pay the spammer if they haven't already? Even if they prepaid, do you think they're ever going to hire a spammer again?

      The idea is to make spamming either costly or at least unprofitable. Even if the spammer doesn't wind up paying out-of-pocket, he won't be able to make anything from pay-per-click or pay-per-hit models, either. Right now a lot of spammers probably slip under the radar of spam and cheat detection in these types of programs, but filterbots would make it obvious to the sponsors that they had a spammer on their hands.
  33. leet Skr1pt K1dd13 by Anonymous Coward · · Score: 0

    I bet the leet Skr1pt K1dd13 would use this feature to slashdot competitors and other noobs...

  34. Okay, what about this idea. by Anonymous Coward · · Score: 0

    Have your filter parse the message in real time, as the server is receiving it. Reduce bandwidth allocated to the sender exponentially with the probability of the message being spam, and remember it for future messages. But don't make it too slow or the sender will simply drop the connection. Increase the bandwidth if some amount of time passes without spam being sent. The only problem is getting everybody to do it.
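The throttling rule proposed in the comment above, written out as an added example that is not part of the original thread. The class name, the constants and the half-life recovery rule are assumptions chosen for illustration; the comment itself only says that the rate should fall exponentially with spam probability, be remembered per sender, stay above a floor and recover over time.

```python
import math
from dataclasses import dataclass

# All constants below are assumed values for illustration.
BASE_RATE = 64_000.0         # bytes/second granted to a sender with no spam history
FLOOR_RATE = 256.0           # never go slower, or the sender just drops the connection
STEEPNESS = 8.0              # how sharply the rate falls as spam probability rises
RECOVERY_HALF_LIFE = 3600.0  # seconds without spam that halve the remembered penalty


@dataclass
class SenderState:
    penalty: float = 0.0     # remembered spam probability, 0.0 to 1.0
    last_seen: float = 0.0   # timestamp of the last update, in seconds


class AdaptiveThrottle:
    """Per-sender receive rate that falls exponentially with spam probability."""

    def __init__(self):
        self.senders = {}

    def rate_for(self, sender, spam_probability, now):
        """Return the bytes/second to allow `sender` right now.

        Call it again as more of the message arrives and the filter's running
        estimate changes; the worst estimate is remembered for later messages.
        """
        p = min(1.0, max(0.0, spam_probability))
        state = self.senders.setdefault(sender, SenderState(last_seen=now))
        # Time without spam earns bandwidth back: the old penalty decays.
        elapsed = max(0.0, now - state.last_seen)
        remembered = state.penalty * 0.5 ** (elapsed / RECOVERY_HALF_LIFE)
        state.penalty = max(remembered, p)
        state.last_seen = now
        rate = BASE_RATE * math.exp(-STEEPNESS * state.penalty)
        return max(FLOOR_RATE, rate)


def pause_before_next_read(chunk_bytes, rate):
    """Seconds the server should wait before reading the next chunk."""
    return chunk_bytes / rate


if __name__ == "__main__":
    throttle = AdaptiveThrottle()
    sender = "198.51.100.7"  # constructed address from a documentation range
    # Constructed timeline: (seconds since start, filter's running estimate).
    for now, p in [(0, 0.1), (1, 0.5), (2, 0.95), (3602, 0.0), (7202, 0.0)]:
        rate = throttle.rate_for(sender, p, now)
        print(f"t={now:>5}s p={p:.2f} rate={rate:>9.1f} B/s "
              f"pause per 512 B chunk={pause_before_next_read(512, rate):.3f}s")
```
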

  35. Interesting side-effect by leetrum · · Score: 3, Interesting

    An interesting side effect of this strategy would be that it would be harder to track commissions based on per-click (instead of per-sale) for the sites employing spammers, thus limiting their income to people who buy (which can generally be a better commission anyway, but not offered by all these seedy companies).

  36. Dangerous Precedent by MrEnigma · · Score: 1, Redundant

    The only problem I can see with this...is it would be really easy for anybody to send out a DDOS attack now.

    Just get some spam software, throw your friend's server name in the email, and everybody's computer helps out in taking it down.

    Sure it sounds ok, but I'm sure there are ways around this, staggering types of emails that are sent etc.

    John's PopFile software works almost perfect right now, granted it's a client side application, and this is looking to take care of the problem....

    --
    GeekWares - Buy and Download Today!
  37. Getting Even by Anonymous Coward · · Score: 0

    You saw that piece on MSNBC about how spammers are lead agencies doing the dirty work of big business? In the story they replied to spam and suddenly got calls from 'reputable financial institutions.' The "lead agencies" get something like $12 for each lead from these big companies, and 0.1% of spammees do reply (d'oh). If you flooded their URL/forms/whatever with bogus enquiries they wouldn't see da wheet for da chaff! Suddenly those spam addresses would get expensive if they couldn't get a single response.

  38. DDoS with IFRAMEs by The+Famous+Brett+Wat · · Score: 4, Informative
    The problems with spam-based DDoS are bad enough already. Many HTML mail readers honour IFRAME tags, so if you want to DDoS someone, then just combine a Joe Job (fake their identity, advertise their site) with an HTML mail that contains N IFRAMEs, each set to be one pixel high and refer to a large page on the victim's site. Anyone who reads the spam in an uncautious HTML-capable mail client (of which there are still way too many) will subsequently attempt to fetch the specified page N times, unless you're lucky with intermediate caching proxies or the user hitting the stop button.

    Such an attack on Nutters.org forced me to stop doing my own hosting on a DSL line, since it got utterly swamped and cost way too much in bandwidth. Amusingly, it has forced me into using a much cheaper and higher bandwidth service -- one where such attacks are no longer my problem. The rules of the game have changed for me, though: I no longer consider it viable to host a website on a low-bandwidth leaf node like a single DSL, even where normal usage would make it seem acceptable, since it makes you a sitting duck for this kind of attack. I still can't imagine why anyone would want to target Nutters.org; being small and unworthy of attack doesn't seem to be a good defense anymore.

    --
    proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
    1. Re:DDoS with IFRAMEs by Anonymous Coward · · Score: 0
      I like the smooth, pastel, CSS, Google-like look of your site.

      Easy to digest. thanks.

    2. Re:DDoS with IFRAMEs by Anonymous Coward · · Score: 0
      But I want to see a flash splash page, and a cool DHTML dropdown menu, and dozens upon dozens of tiny little gifs and jpegs to bloat the page up to respectable levels.

      Everyone knows that feature-rich is professional, while simple is amateur!

    3. Re:DDoS with IFRAMEs by Tony+Hoyle · · Score: 1

      Boy, you must have expensive DSL... The cheapest offsite host I can find with a reasonable bandwidth limit (I shift 18GB/mo.. I'd want 50GB cap + 30GB disk space + ssh before I'd even think of it) costs over 10 times the cost of a DSL line.

    4. Re:DDoS with IFRAMEs by Anonymous Coward · · Score: 0

      What is a "nutters?" Some kind of venereal disease?

    5. Re:DDoS with IFRAMEs by The+Famous+Brett+Wat · · Score: 1
      Boy, you must have expensive DSL.

      I'm from Australia. At the time, a DSL connection with permanent IP cost AU$0.15 per megabyte (AU$150 per gigabyte). A DDoS could get very pricey very quickly.

      --
      proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
  39. Bandwidth by Have+Blue · · Score: 3, Insightful

    I thought the primary complaint against spam was that it uses too much bandwidth. Wouldn't this proposal waste even MORE bandwidth per spam?

    1. Re:Bandwidth by jordie · · Score: 1

      Perhaps in the short-term. In the long term, spammers would stop including links in their e-mails.

    2. Re:Bandwidth by anthony_dipierro · · Score: 1

      Only if everyone did it. Which, the same could be said for just not responding to the spam.

    3. Re:Bandwidth by sketerpot · · Score: 1
      And replace them with what? "Get via gra somewhere, but were not going to tell you where. Our name is bob .com! Un5ub scribe by going to... umm... forget it. Call 1-800-EAT-SHIT for more inf0mationses"

      Or would they obscure the URLs like some people obscure their email addresses? The more hoops you have to go through to get your FR33 H0T BANDAGE PIKZZE, the less likely you are to actually be suckered by the spam. This cuts most deeply into the ranks of stupid people, who are the main target demographic for spam.

    4. Re:Bandwidth by SoLoatWork · · Score: 1

      I don't think this would cause more traffic on mail servers.

  40. Paul's good at this stuff, but this is no good... by wavecoder · · Score: 5, Insightful
    The way I see it, these are the beefs people have:
    • Multiplies bandwidth exponentially, automatically. Big corporations, especially, would be hacked off by this, and it has the added downside of slowing whole sections of the net (imagine what happens when a college dorm gets hit and 800 little bots go check out the site 57 times...).
    • Accidental DDoS on good sites - yes, Victoria, spam can be spoofed VERY convincingly.
    • Accidental DDoS on good sites (2) - if you've ever maintained a mailing list of more than 20 people, you know that, eventually, some idiot complains he/she got spammed, even if they double-opted in. I've been accused of spamming when I was quoted 2/3 of the way into someone else's (double opt-in) message! I know great sites that are blacklisted, out of human stupidity, alone.
    • Accidental DDoS on good hosts - imagine the impact on any shared host, or even some virtual hosts, when one bad client mails 5 million spams - before they could react, they could be taken offline!
    • Bad programmers (gasp!) - yes, those exist, and some of these filters could really go haywire and start thrashing all sorts of sites.
    • Lawyers - IANAL, but I shudder to think what happens the first time Microsoft or Big Blue sues some programmer, because an abused copy of their software took them down for an hour! (What is the M$ site worth, per hour? Too much, for sure.) Granted, the suit should go the other way, but that's another topic.
    • Abuse of ISPs - you'd be amazed how many ISPs will pull the plug on paying accounts for even innocent behavior (like sending 1,000 messages on a DSL account in under an hour, even if it's a business and all the messages are unique). This could get a lot of folks kicked offline.
    There are probably others... My thought is this - build a really good, Bayesian, SBPH filter like CRM114, and incorporate a "grab questionable sites" option for the "spams of the future," then filter that page as though it were spam. That'll get us all up into the 99.9% range (the noise), and spammers will eventually either (a) go out of business, or (b) only be able to get their messages to the few people that think they're worthwhile, anyway.

    My $.02.

    -Ed
  41. Similar approach by Anonymous Coward · · Score: 1, Funny

    A similar approach would be to get thousands of real people to respond to their spam and pretend to be interested and then lead them along with a few messages asking questions and then they always decide that they're not interested. A spammer or company would have to have the time and personnel to handle large numbers of phony customers in order to deal with the few that are really willing to send them money.

    It's an effective distributed denial of service attack that would make a spammer's world a nightmare.

    1. Re:Similar approach by wavecoder · · Score: 1

      Assuming you're able to initiate this kind of active counter-attack (i.e., talk thousands, or even hundreds, of folks into participating)... how many times do you think it'll work? Do that many people really have nothing better to do? I get 200+ spams a day; replying to every one with any kind of inquiry, no matter how basic, would take hours. Now, come up with a plugin or macro for some mail program or filter that will classify a message and send one of several pre-built responses, and you might be on to something. Still, though, many of the spams I get have invalid reply addresses and little or no way to contact the spammer from the site. More often than not, your options are eat your spam and be quiet about it or simply buy whatever junk is being sold. No dialog, no flexibility.

      -Ed

  42. Re:noooooooo - you did not read the article... by Anonymous Coward · · Score: 0

    "It is easy to prevent the leaking of personal information, so a properly written antispam program will not cause you to receive more spam. "

    How? Not every ID has to look like an ID to your regexp....

    <a href=http://hermanab.spammer.com>Feh Fiddle</a>

  43. Mod up parent by Anonymous Coward · · Score: 0

    Nice observation! Yes, it will cause a breakdown in their revenue model. :D

  44. Confirmed opt-in mailing lists. by SSpade · · Score: 4, Insightful

    Has anyone considered what this will really do? It'll have next to no impact on spammers.

    However, lots and lots of legitimate opt-in mailing lists are following best practices by requiring a closed-loop opt-in with a magic cookie to prevent forged signups.

    How do they work? Well, usually you follow a URL containing a magic cookie in a challenge email to confirm you want to sign up for the mailing list. Oops.

    (For added brokenness, combine this with the other flawed anti-spam fad-du-jour, challenge/response).

    1. Re:Confirmed opt-in mailing lists. by hankaholic · · Score: 1

      Yes, it has been considered. Chances are a reasonably trained corpus will contain enough to not tag such messages as potential spam.

      Only messages which were neither definitely legit or definitely spam would have their links traced.

      --
      Somebody get that guy an ambulance!
    2. Re:Confirmed opt-in mailing lists. by mikeswi · · Score: 1

      Take that a step further. Most newsletters (and yes, spam also) have a link to click to automatically remove the recipient from the mailing list. Anyone running these filters will end up removing themselves from newsletters they have subscribed to.

      What am I supposed to do for my own newsletter? Remove the unsubscribe option? Wait... doesn't that make me a spammer if I do that?
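The concern raised in this sub-thread, that a link-following filter would also "click" confirmation and unsubscribe links, can be expressed as a fetch policy. The following is an added example, not part of the original thread and not taken from any real filter: it selects links only for messages in the uncertain score band (as the first reply suggests), skips URLs that look like confirm or unsubscribe actions or that carry an opaque token, and caps fetches per host. The thresholds, keyword list, token heuristic and cap are assumptions, and the sample messages are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Assumed policy values, for illustration only.
UNCERTAIN_BAND = (0.40, 0.90)   # only messages the filter cannot classify
MAX_FETCHES_PER_HOST = 3        # bounds the damage if the "spam" is a forgery

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Words that suggest following the link changes state on the remote side.
ACTION_WORDS = re.compile(
    r"confirm|verify|activate|subscribe|unsub|opt-?out|opt-?in|remove", re.I)
# A long opaque value is treated as a possible magic cookie or recipient ID.
# This is deliberately conservative: a false match only means "do not fetch".
TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def looks_state_changing(parts):
    """True if the URL resembles a confirm/unsubscribe link or carries a token."""
    if ACTION_WORDS.search(parts.path):
        return True
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if ACTION_WORDS.search(key) or TOKEN.match(value):
            return True
    return any(TOKEN.match(seg) for seg in parts.path.split("/") if seg)


def links_to_fetch(body, spam_score, host_counts):
    """Return the URLs the filter may retrieve for this message.

    host_counts is a Counter shared across messages so the per-host cap
    holds for the whole mail stream, not just one message.
    """
    low, high = UNCERTAIN_BAND
    if not (low <= spam_score <= high):
        return []                       # already classified: nothing to learn
    chosen, seen = [], set()
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,);")        # drop trailing sentence punctuation
        if url in seen:
            continue
        seen.add(url)
        try:
            parts = urlsplit(url)
        except ValueError:              # malformed URL, e.g. a broken IPv6 literal
            continue
        host = (parts.hostname or "").lower()
        if not host or looks_state_changing(parts):
            continue
        if host_counts[host] >= MAX_FETCHES_PER_HOST:
            continue
        host_counts[host] += 1
        chosen.append(url)
    return chosen


# Constructed sample messages (not real mail).
CONFIRM_MAIL = ("To confirm your subscription visit "
                "http://lists.example.org/confirm?cookie=3f9a1c0b7e2d4a6f8c1b "
                "or leave at http://lists.example.org/unsub/alice.")
UNCERTAIN_MAIL = ("New offers: http://shop.example.net/offers.html, "
                  "http://shop.example.net/a http://shop.example.net/b "
                  "http://shop.example.net/c "
                  "http://other.example.com/r?u=Zm9vYmFyYmF6cXV4MTIzNDU2")

if __name__ == "__main__":
    counts = Counter()
    print(links_to_fetch(CONFIRM_MAIL, 0.6, counts))
    print(links_to_fetch(UNCERTAIN_MAIL, 0.6, counts))
```

The keyword and token checks are heuristics: an identifier placed in the host name, as an earlier comment on this page points out, passes them, so the per-host cap is the only control here that does not depend on recognising the URL's shape.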

  45. Another idea by skinfitz · · Score: 2, Interesting

    Why not just have the filter reply to the sending address with its own randomly generated addy and auto drop those messages that use fake addresses that bounce? This could be done within seconds in most cases. The only issues here would be storage of the spam and how long you wait. It could be done by "keeping the spammer on the line" during the SMTP transfer also causing the transmission of spam to be delayed.
    Could it work?

    1. Re:Another idea by hankaholic · · Score: 2, Informative
      Could it work?
      Define "work".

      What you're proposing is that you send a message in response to every message you receive. Furthermore, you're suggesting that the message you send in response have an invalid (random) return address.

      How is this a good idea?

      Okay, say machine scott@b.com is sending to larry@a.com. Assume that all machines are running your "callback" software.

      B connects to A. A holds the connection open, as you proposed, and sends a message to scott@b.com, with a forged header so that it looks as though it came from "random1928@c.com".

      Okay, B has a pending connection to A. A has an open connection to B, and B tries to deliver the mail to C.

      So the user scott@b.com has now gotten spam from random1928@c.com. The operator of c.com isn't happy, because it looks like he's sending spam. The guy at b.com isn't happy, because every message he sends to a.com ends up in a spam for him.

      If the sites involved had catchall aliases (which would accept mail to any address at that domain), the number of connections would increase continually, and nothing would ever actually be confirmed, until a connection or DNS lookup failed somewhere, in which case every pending connection would fail.

      SMTP already includes a command for address verification -- it's called VRFY. Most sites shut it off, though, because instead of spamming tons of random addresses, one could just VRFY tons of random addresses. This would make spammers' jobs easier -- they would be able to ensure that each address to which they send mail represents an actual mailbox.

      Getting back to your suggestion, though -- this is a truly bad idea. Try it on paper if you don't believe me. Assume that most or all of the hosts are running the software which you propose. Keep in mind that you may suggest inserting headers so that servers can communicate to each other and keep track of which messages are in response to other messages, but headers can be (and are!) forged.
      --
      Somebody get that guy an ambulance!
    2. Re:Another idea by ignoramus · · Score: 1

      and auto drop those messages that use fake addresses that bounce? [...] Could it work?

      No. Russian spammers have been abusing our domain for a month now, faking their from addresses so we get all the bounces. Your suggestion would only force them to use some poor schmuck's real address - causing the bounces to actually land in someone's mailbox.

    3. Re:Another idea by skinfitz · · Score: 1

      What you're proposing is that you send a message in response to every message you receive. Furthermore, you're suggesting that the message you send in response have an invalid (random) return address.

      Not invalid, randomly generated throwaway address. Perhaps use the supplied email address from the sender. For example - take the last spam sender I received a message from - "VividVideo2003@popstar.com". So mail comes in, relay holds the connection open while a mail from "VividVideo2003(at)popstar.com@mydomain.com" is sent back. It bounces back to the address (valid address). Connection logged and dropped. Temp mail address deleted.

      The problem is going to be that they will start using forged valid addresses.

    4. Re:Another idea by hankaholic · · Score: 1
      And when the spammers set up a catchall alias that routes to /dev/null?

      Oh, look, you've done nothing to stop spam, and annoyed people who send you legitimate mail.

      Also, many spammers already are using forged addresses. Many will set the sender address to one of the recipients. As former tech support, I used to take many calls from people who were convinced that somebody had "hacked [their] account" because they got spam with their own address listed as the sender.

      Holding connections open will also increase server load, and you haven't gotten past the fact that attempting to automatically send mail to people who email you will piss them off.

      Forging sender information is nothing new, and the disadvantages of your proposed system will likely outweigh the advantages by far, as it rewards spammers who forge information and causes additional frustration to those who email you.

      Paul Graham's solutions attempt to reduce the chances that a given unwanted message will show up in your mailbox. By making smaller the chance that a given recipient will see a given message, the solutions proposed attempt to undermine the economics of spamming.

      The best your proposal will do is cause message delivery to take longer -- but it will do so in a way that will slow your servers and cause unnecessary collateral damage by causing increased load on others' machines.

      When you can come up with a system which will cause fewer messages to be viewed by uninterested people without causing superfluous messages to be sent (as you propose) or cause more extra load to be imposed upon innocents than on those doing the spamming, write up an article and submit it to Slashdot.

      Any spam "solution" has to consider two factors:

      Who is burdened? The system you suggest will send more unwanted mail to senders of legitimate communications. This system imposes an unavoidable burden upon everyone, as opposed to spam, which only currently burdens the recipient (ISP, user, etc.).

      Is it easy to circumvent? Were the system you suggest put into wide distribution, spammers could forge headers quite easily, or even set up a catch-all alias at their own site which would accept mail.

      It looks like in your case, the problem is worse than the solution.

      --
      Somebody get that guy an ambulance!
    5. Re:Another idea by skinfitz · · Score: 1

      And when the spammers set up a catchall alias that routes to /dev/null?

      To do that they would have to be using a legit domain.

      Oh, look, you've done nothing to stop spam, and annoyed people who send you legitimate mail.

      You mean apart from force them to use valid return addresses?

      Also, many spammers already are using forged addresses. Many will set the sender address to one of the recipients.

      I know. In fact I mentioned this in the comment you replied to.

      Holding connections open will also increase server load,

      So what? It's what servers are there for. Oh dear the server load increased but we get less spam so who cares? I don't see that many people complaining about the increased server load that SpamAssassin causes.

      and you haven't gotten past the fact that attempting to automatically send mail to people who email you will piss them off.

      I don't think it will at all. So what you receive an email the first time you email someone (obviously you would use a white list after the first few emails).

      Forging sender information is nothing new, and the disadvantages of your proposed system will likely outweigh the advantages by far, as it rewards spammers who forge information and causes additional frustration to those who email you.

      As mentioned before, and in my previous comment, I am well aware of this. However it could be used in conjunction with other methods.

      Paul Graham's solutions attempt to reduce the chances that a given unwanted message will show up in your mailbox. By making smaller the chance that a given recipient will see a given message, the solutions proposed attempt to undermine the economics of spamming.

      I think his idea is interesting, however how long is it before servers are immune to this type of DDoS?

      The best your proposal will do is cause message delivery to take longer -- but it will do so in a way that will slow your servers and cause unnecessary collateral damage by causing increased load on others' machines.

      No, the best thing is it forces the use of a valid return address. Obviously this will be vulnerable to address spoofing initially but it would mean the spammers have to do more work. Surely the ability to spoof addresses however is the real problem with spam.

      When you can come up with a system which will cause fewer messages to be viewed by uninterested people without causing superfluous messages to be sent (as you propose) or cause more extra load to be imposed upon innocents than on those doing the spamming, write up an article and submit it to Slashdot.

      And when you can sound less patronising, perhaps you should go work tech support again.

      Any spam "solution" has to consider two factors: Who is burdened? The system you suggest will send more unwanted mail to senders of legitimate communications. This system imposes an unavoidable burden upon everyone, as opposed to spam, which only currently burdens the recipient (ISP, user, etc.). Is it easy to circumvent? Were the system you suggest put into wide distribution, spammers could forge headers quite easily,

      No. Any spam solution only has one factor to consider: Does it reduce spam? That's it. Years ago SpamAssassin would not have been practical for many people as the processing overhead would have been silly for the average user however in these days where any organisation can afford another box to be used just to run SA it makes sense.

      or even set up a catch-all alias at their own site which would accept mail.

      ...thus using a valid domain that you could report.

      It looks like in your case, the problem is worse than the solution.

      Well excuse fucking me for trying.

      Too many people do not put forward ideas because they are afraid of being patronised or shot down by other people. I'm a fan of the evolution of ide

    6. Re:Another idea by hankaholic · · Score: 1

      Good work. I guess I was in a bit of a bad mood yesterday, eh?

      Random thoughts -- if I had more time to spare, I'd spend more time on organization.

      You suggest that servers will, at a later date, become "immune" to heavy load, whether it be by caching, tons of RAM and CPU cycles, or whatever. I can agree with that, especially since most of them will be serving static images.

      The problem as I see it isn't server load, but bandwidth. A hosting service may be okay with hosting spammers, but when their upstream bandwidth costs increase heavily, they will either have to charge more or stop hosting spammers, both of which make it harder to profitably spam.

      You say that a spam solution has to consider only one factor: does it reduce spam?

      My response to that is that if you are burdening the user, they will switch to less cumbersome forms of communication, such as instant messaging. In that case, you're moving the problem to another domain, not eliminating it.

      If circumvention is simple, such as putting the recipient's address in the "From" line, then it will not stop spam either.

      Do you disagree with either of the previous paragraphs? I feel that both factors are highly important when considering any spam solution.

      If it is not simple to use and hard to circumvent, it will not stop spam, period.

      Have you worked technical support? It's an interesting experience, and will probably teach you nothing in terms of technical knowledge. However, it does teach you what people want and expect. Most people don't want to know ANYTHING about how their system actually works. They want doggedly simple, and that's about it. So, any solution to spam has to consider that somebody's mother needs to be able to use it without knowing that keys are involved, much less signing and generating them.

      You mentioned that spammers could forge headers, which is a *huge* problem with many attempts at automatic blacklisting or whitelisting at the moment. However, you didn't address any solutions to the problem.

      Of course suggestions can be useful. However, unless you've addressed the problems of not burdening the user and preventing circumvention, you're honestly probably not saying anything that's already been said. There are a host of spam solutions out there, but very few of them offer both features in a way that can be used on a scale large enough to make it harder to send spam.

      --
      Somebody get that guy an ambulance!
  46. collateral damage? Not really by swordgeek · · Score: 2, Interesting

    I've seen a few posts about the possibility of collateral damage--deliberately targeting someone else's server as the target of an auto-DDOS. Someone also mentioned hijacking a server, and then bringing it down.

    The thing is, it's no easier to do it with this proposed system than anything that's currently available. In this case you have to download (buy?!) a copy of spamming software, get a list, and then run a DDOS that's actually traceable back to you. Good plan? Not by my thinking.

    Now the nice thing about this is that it will end up costing an inordinate amount of money for the spammer, take down their servers, and really piss off their ISP. (Watch the pink contracts disappear!) This is a fairly drastic measure that might actually get rid of many spammers for good.

    Basically, it's either this or a crowbar to the head.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
    1. Re:collateral damage? Not really by Anonymous Coward · · Score: 0

      You're obviously not thinking very hard Einstein. Please read the other posts about the threat of DDOS and other manipulations before opening your mouth. Thank you.

  47. Do it on the server, not on the client by Graabein · · Score: 1

    This is a great idea, but you need to do it on the server, not (just) on the client.

    How's about as a plugin to SpamAssassin? Scan the incoming email as usual. If it's determined that it's unlikely to be legit, pass it on to the URL scanner. Auto-whitelist hotmail.com and other common URL taglines etc. Follow each of the other URLs in the message.

    Optional: If, after scanning the URLs, the pages linked to are determined not to contain spam, pass the message back to SpamAssassin flagged as clean and for delivery to the intended recipient.

    --
    And remember kids: Never trust a computer you can actually lift.
  48. Re:Thoughts on active countermeasures and relays.. by Anonymous Coward · · Score: 0

    You, sir, did not read the article.

  49. Just don't get spam by Anonymous Coward · · Score: 0

    It sounds foolish, but you can just not get spam in the first place. I personally have three email accounts. The first is only for personal / work email. The next is for newsletters and memberships and the last is for junk. By separating them and being careful, you can get rid of spam by not getting it in the first place.

    My first two accounts never get spam. The other one gets some, but I don't use it for anything, so it's not an issue.

    1. Re:Just don't get spam by xyvimur · · Score: 1

      OK, that's a strategy - but it requires being careful. Imagine that one time you accidentally enter the wrong email when writing something - and you can end up with the described system being screwed up.

      To be honest I do the same :)

  50. I dunno, I think I like the old fashioned way... by twoslice · · Score: 1

    of dealing with spammers and other nefarious miscreants has its merits.

    I am not talking tar and feathers or lynch mob scenarios (the merits of which cannot be denied though). I am in favour of the high-tech "put the spammers address and personal info on Slashdot" old fashioned way. It seems to work best as the targeted spammer was really steamed...

    --

    From excellent karma to terrible karma with a single +5 funny post...
  51. Problems with whitelisting and strikeback by The+Famous+Brett+Wat · · Score: 1
    Rule zero of spam: spam is theft (of other people's time and facilities). The trend, as anti-spam techniques get smarter, is for spammers to engage in more theft to offset their increasing costs.

    We've already seen viruses doing the rounds which act as open proxies for spammers and/or reverse proxies to hide the spammer's real websites. If these intermediate reverse proxies act as caching proxies, then the spammer is insulated from bandwidth costs by offloading them onto unwitting third parties. Steal enough bandwidth from enough innocent third parties, and you have your own private Akamai of sorts -- somewhat DDoS-proof. The spammer's URLs can change constantly thanks to the whack-a-mole dynamics of the reverse proxies, so the only workable approach will be to scan every incoming URL, thus leaving the system open to abuse as a DDoS tool. That is, unless this whole "whitelist" approach somehow manages to keep up with a white mark for every known-good site on the 'net. I don't see how that would work in practice.

    --
    proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
  52. Choosing A Bayesian Filter by Goo.cc · · Score: 1

    Bayesian Filters are cool but I don't see how anyone can thoughtfully choose between them. From my searching on Google, there has been no comparative accuracy testing of Bayesian Filters at all and I refuse to believe that they are all equally effective in identifying spam.

    So with no information to guide their choice, how can people effectively decide between Bogofilter, CRM114, DSpam, SpamBayes, POPFile, and other Bayesian Filters?

    1. Re:Choosing A Bayesian Filter by wavecoder · · Score: 2, Informative
      First of all, these are not apples to apples. Popfile is a multi-purpose classifier; CRM114 is a multi-purpose filter; the others are sole-purpose filters, to my knowledge. So, it depends on:
      1. whether you have more than one use (spam filtering) for it,
      2. how much of a geek you are (do you really want to have to compile it yourself, or does that give you thrills?),
      3. OS - this determines more than you might expect,
      4. the stats that are out there (there's little doubt that CRM114 is the best at what it does, but there are plenty of others in the very high 90's)
      Besides, the more the merrier - the more algorithms out there and the more spam corpora that exist, the harder it is to get ANY spam through.

      -Ed
  53. Sorry, bad idea by mikeswi · · Score: 5, Insightful

    When my newsletter (confirmed Opt-in for the NANAE people who may be reading) goes out every Tuesday and 8,000 people open it, how am I supposed to deal with these filters DDoSing my site? For that matter, how do I deal with these filters attacking my site when some other newsletter links to it? What do I do when I piss off Ronnie Scelson and he links to every individual page on my site and spams 100,000,000 people with them?

    Links are more likely to be found in legitimate email than in spam. We're going to whitelist every single existing domain on Earth, and then remove the bad ones? Do you have any idea how large that list would be and how long it would take to download it to compare with the domains found linked in an email?

    Let's say this idea becomes used widely. It will be used as a weapon by the spammers themselves.

    1.) Pay-per-click links sent in mass mailings. Spammer gets paid for every link clicked. I'm sure some of the advertisers will get wise, but there will be plenty who just sign the checks without looking deeper.

    2.) Ronnie Scelson or Alan Ralsky get pissed at someone who owns a web site (SPEWS perhaps), and send the address to several hundred million people.

    For the ISP sysadmins reading, you think it's bad when 20,000 spams land on your mail server? How are you going to like it when each of those 20,000 spams produce 3 or 4 (or 30 or 40) HTTP requests?

    Sorry, bad idea. I can't see how the idea of "attack filters" does anything but discredit the whole idea, especially after thousands of perfectly innocent web sites are knocked offline by the sort of malicious software being advocated, or when spammers inevitably abuse it.

    1. Re:Sorry, bad idea by Grmdzo · · Score: 1

      Any email which is treated to this type of response (i.e., downloading the spamvertized web pages) needs to be classified as spam, or at least possible spam. How you detect the good emails will vary: filter, whitelist, magic 8 ball, for different users and different products. But those known or suspected good emails should not be subjected to having all their links downloaded.

      The newsletters I subscribe to, up to and including the 200,000+ subscriber ones, don't look anything like my spam. Unless your newsletter is easily confused with spam, you should only be subjected to automated page hits while your subscribers are training their filters.

      Driving the pay-per-clicked links numbers up, through automatic page loads, passes the cost of spam back to the (direct or indirect) source of that spam. The whole problem of spam exists because the costs associated with it are not borne by the spammer, but by the spamee.

      ISPs will be less inclined to tolerate spamvertised sites when the impact is shifted from their abuse desk to their bandwidth bills, unless the spammer site pays for the increased traffic. Think traffic in proportion to the number of spams sent, vs the number of responders as seen in a previous article: Following the Spam Trail

      When the spammer's profits disappear, so will the spam.

    2. Re:Sorry, bad idea by sketerpot · · Score: 1
      When my newsletter (confirmed Opt-in for the NANAE people who may be reading) goes out every Tuesday and 8,000 people open it, how am I supposed to deal with these filters DDoSing my site?

      Presumably, you would make your newsletter less spammish, so that 8000 email filters don't classify it as spam or unsure and DDoS/check your site.

      For that matter, how do I deal with these filters attacking my site when some other newsletter links to it?

      Again, this will only be applied to messages that have been classified as spam by the fairly accurate filters that Paul Graham talks about. Just hope you don't get linked to by any non opt-in "newsletters".

      What do I do when I piss off Ronnie Scelson and he links to every individual page on my site and spams 100,000,000 people with them?

      In the meantime, what do you do if you piss off someone who sends out 100000000 emails containing every individual page on your site in an HTML IFRAME element? Or repeatedly includes pictures on your server in the email?

      For the ISP sysadmins reading, you think it's bad when 20,000 spams land on your mail server? How are you going to like it when each of those 20,000 spams produce 3 or 4 (or 30 or 40) HTTP requests?

      You'll mutter about those crazy users and bill them for the bandwidth they use. Or I suppose you could flip out and kill people.

      I can't see how the idea of "attack filters" does anything but discredit the whole idea

      You mean the idea of "attack filters"?

    3. Re:Sorry, bad idea by mikeswi · · Score: 1

      Presumably, you would make your newsletter less spammish, so that 8000 email filters don't classify it as spam or unsure and DDoS/check your site.

      Sorry, but I'm not censoring myself to compensate for the failure of someone else's software. I don't go on about mortgages or viagra, but it's HTML, it does have one ad (which pays for my site's hosting bill), and it tends to be fairly long. Spam filters regularly misidentify it as spam.

      My newsletter does not look spammish, spam tries to look newsletterish (is that a word?) to get around the filters.

      For that matter, how do I deal with these filters attacking my site when some other newsletter links to it?

      Again, this will only be applied to messages that have been classified as spam by the fairly accurate filters that Paul Graham talks about.

      Correct me if I've misunderstood the article, but I thought the whole point (well maybe half the point) in fetching the page was to examine the contents of the page to see if it looked like spam? If it's not checking the page, then how will it know the difference?

      Just hope you don't get linked to by any non opt-in "newsletters".

      Sorry, that is unacceptable. My site is fairly well-known on the internet and receives a lot of attention. I shouldn't be forced to fend off a DDoS attack because someone links me.

      What do I do when I piss off Ronnie Scelson and he links to every individual page on my site and spams 100,000,000 people with them?

      In the meantime, what do you do if you piss off someone who sends out 100000000 emails containing every individual page on your site in an HTML IFRAME element? Or repeatedly includes pictures on your server in the email?

      Good point.

      I can't see how the idea of "attack filters" does anything but discredit the whole idea

      You mean the idea of "attack filters"?

      Sorry. Bad grammar there.

      I meant it will discredit any software that participates in these attacks when innocent web sites are brought down.

    4. Re:Sorry, bad idea by mckyj57 · · Score: 1
      When my newsletter (confirmed Opt-in for the NANAE people who may be reading) goes out every Tuesday and 8,000 people open it, how am I supposed to deal with these filters DDoSing my site?

      Duh...don't put HTML in your email?

    5. Re:Sorry, bad idea by sketerpot · · Score: 1
      First off, I'd like to apologize for being in flame mode in my original post. Oops. But now to the points:

      Sorry, but I'm not censoring myself to compensate for the failure of someone else's software. I don't go on about mortgages or viagra, but it's HTML, it does have one ad (which pays for my site's hosting bill), and it tends to be fairly long. Spam filters regularly misidentify it as spam.

      Bummer. But surely your newsletter has some topic(s) that would be able to identify it through word frequency? In a statistical filter, I haven't had any problems with newsletters or mailing list postings getting filtered. But yes, it would be irresponsible to use this with a filter that regularly blocks innocent newsletters and such.

      Correct me if I've misunderstood the article, but I thought the whole point (well maybe half the point) in fetching the page was to examine the contents of the page to see if it looked like spam? If it's not checking the page, then how will it know the difference?

      You've got three categories of email based on just word frequency in the email itself: normal, spam, and unsure. If you just wanted to increase accuracy, you'd only follow links in the unsure emails, which would catch the "stealth spams" that Paul Graham talks about. If you're angry and out to hurt spammers, you'd follow links in the emails definitely classified as spam already. The impact should be minimal on nonspam emails. Still, it's probably safer to use this only on unsure emails. Unsure is a difficult category to get into with regularity, so that should make it harder to do the sort of intentional DDoS you talked about.

      Sorry, that is unacceptable. My site is fairly well-known on the internet and receives a lot of attention. I shouldn't be forced to fend off a DDoS attack because someone links me.

      You have a point there. Only following links in spams and unsures should help, and limiting it to unsures should help more, but I suppose that if someone really tries hard, they could DDoS your site. I've never really liked the idea of whitelisting, but I suppose that it would be useful in your case, especially if your web site could be automatically scanned by a number of statistical website classifiers automatically. Still, the more I think about it, the more I think it would be best to limit link visiting to unsures.

      As for the IFRAME and image thing, such emails could be deleted by a filter before you even see them, but there are still a lot of people without filters who will inadvertently view emails before deleting them (i.e. clicking on a message to select it for deletion views it also). I'm just surprised that with all the worry about this being used to evil ends, I haven't heard of people exploiting existing problems with HTML email implementations.

      By the way, what newsletter are we talking about here? I tried to get to your website, but I failed.

    6. Re:Sorry, bad idea by mikeswi · · Score: 1

      The newsletter is http://www.spywareinfo.net. The site itself is http://www.spywareinfo.com.

  54. How about just pinging the host in the URL? by Anonymous Coward · · Score: 0

    I agree: http is a bit too complex for a ping-back. The spammer could be validating which e-mails got received; the spammer could be selling ads and getting paid by the click.

    How about something simpler: extract the IP address from the box and just blast N simple packets at it, where N=1000 or so. Ignore all the crap in the e-mail except for the host address.

    I see two more problems. First, you don't want the fight-back filter to take down ftp.gnu.org because of a legitimate message from gcc-announce. And second, the filter network is a DDOS waiting to happen, no matter what you do.

  55. This is spectacularly stupid. by edunbar93 · · Score: 4, Insightful

    Any program that does something this dangerous automatically, even to people that deserve it, is a BAD idea.

    This is the sort of thing that needs human supervision because bugs, user input, and solar flares may cause the program to act differently than you think it should. Any sysadmin who's made programs that would affect thousands of users automatically knows this. There will be a percentage - no matter how small - that the program will affect negatively, and that tiny percentage will be very, very pissed off.

    You should be exceptionally careful about where you point your Massive Hose of Death because after all, to err is human, but to really fuck things up requires a recursive algorithm working at 2 billion cycles per second.

    It's also occurred to me that you'd be hurting yourself just as bad bandwidth wise anyway. We all complain about how much of our mail is spam, and how much bandwidth it wastes, but to DDOS them would waste hundreds of times more, not only for you but every provider that carries the traffic.

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
  56. A better idea. by AeiwiMaster · · Score: 1

    I think a better idea is to use Exim SpamAssassin at SMTP time.

    This method doesn't use your bandwidth downloading URLs, and slows down the spammer's connection.

    I would like to see what happens when the major distributions start shipping with something like this as the default option.

    1. Re:A better idea. by CoolVibe · · Score: 1
      Although I like the idea, I have one gripe with SpamAssassin. It is way too resource hungry to process every incoming mail for my taste. At my mail site, mail gets screened by dnsbls and greylisting first, then MIMEDefang weeds the junk out (like html in attachments) and only _then_ does spamassassin get a cut of the action.

      Oh, and I never open html mail as html, always in the text/plain view. 99% of all html mail I get is spam anyway.

  57. How about an Open Abuse Protocol by bigattichouse · · Score: 1

    Messages conforming to abusive practice would cause the server to send an OAP message back to the spamming provider... so a million outgoing messages would result in a million INCOMING messages on the specified abuse protocol port.. in effect you DOS yourself.

    --
    meh
  58. How fitting by Anonymous Coward · · Score: 0

    Didn't he invent Heinz ketchup too?

    Heinz 57.

  59. Don't just do something, stand there! by asackett · · Score: 2, Insightful

    I suspect that a thorough analysis of the proposed scheme would conclude that it could not work if it were widely adopted. It's silly to create a system in which a relatively small, expected but undesired input triggers a relatively large burden on network resources.

    Oh, wait... that's called a distributed denial of service attack. Someone already thought it up!

    --

    Warning: This signature may offend some viewers.

  60. Too much BS by cnb · · Score: 1

    Why should someone make lish a whitelist?

  61. Correct, but misses the point by FuckMeter · · Score: 1

    The idea isn't to bring down or overload the hosts sending or relaying the spam. The idea is to hit the spamvertised website, the one being promoted inside the email message. There are two advantages to this:

    1) The spamvertised site may suffer a Slashdot-like effect, making it unreachable to potential suckers clicking through on the spam

    2) The spammer, or whoever's hosting them, is going to see his or her bandwidth bill jump

    It's a dual-pronged approach, with both prongs aimed directly at the spammers' wallets. First you try to make them lose some orders, then you try to drive up their hosting costs. Sales go down while expenses go up. At some point, the break-even point is driven below the line of diminishing returns, and the cost of spamming rises from practically zero to something prohibitive.

    1. Re:Correct, but misses the point by thynk · · Score: 1

      I thus mod you +1 because you RTFA. Thank you.

      --

      Good judgment comes from experience, and a lot of that comes from bad judgment.
    2. Re:Correct, but misses the point by Anonymous Coward · · Score: 0
      I thus mod you +1 because you RTFA. Thank you.
      Then you went and posted to the same thread and negated the +1. But thanks for the thought :)
    3. Re:Correct, but misses the point by thynk · · Score: 1

      Nope, ran out of mod points on Friday, so that was my own little mod scheme. My own mod system has 3 categories. +1 you RTFA, +1 on topic (this is /. after all) and -1 WTF are you talking about?

      --

      Good judgment comes from experience, and a lot of that comes from bad judgment.
    4. Re:Correct, but misses the point by vidarh · · Score: 1
      So, if I work for company A and don't like company B, I can e-mail out 10 million messages purporting to be advertizing company B's website in the sleaziest way possible, and company B will be hit with thousands of complaints and a massive bandwidth bill.

      I've worked for a mail provider, and we regularly had cases where spammers had done things like this, including one really nasty case where a spammer hit back at an anti-spammer by mailing out millions of ads for child porn giving the full contact details of the anti-spammer. Within hours, he had 30.000 complaints in his mailbox, and had had to disconnect his phone and get the police involved because he feared for his security. A few million machines running up his bandwidth bill to something he couldn't ever pay off would have been a nice icing on the cake for the spammer he was trying to expose, I guess...

      The problem is that you CAN NOT EVER ASSUME that the site advertised, or the address in the From: or Reply-To: fields etc. are in any way related to the spammer, because you don't know the motivation for the spam. You need to spend time checking and double checking that you're going after the right person or you WILL end up going after innocent bystanders, and if you cause them real problems (like in the above mentioned case) or financial losses, you can safely assume that somebody WILL sue you, and sooner or later someone WILL win.

  62. Human attention, not bandwidth by Anonymous Coward · · Score: 0

    No. The primary problem with spam is that it is an assault on the user's attention.

    Telemarketing calls don't cost the recipient any money, but they are a similar assault on my attention.

    It's about human attention, not machine resources.

  63. New Spamming Technique : Trickle Spam. by androse · · Score: 4, Informative

    I'm all for the idea, and as a matter of fact, I suggested it a couple of months ago.

    If individual spam victims start repetitively downloading the spammers website, this could bring the spammer to change the way he sends spam from the current big bang technique to a small continuous trickle technique. The spammer would send a single spam over several weeks, instead of a few hours. He would parallelize the process.

    I see two possible counter-attacks to this :

    • content-based blacklisting (like Vipul's Razor, etc), i.e. a central database of links that are currently being used in spam.
    • high aggressivity from the victims : if everyone loads the URI 50, 100, or 300 times, then the "trickle method" would probably fail. You should of course change the HTTP User Agent string for each request, and randomize the timing to stop any filtering on the web server.

    Feel the rage !

  64. "Click here to remove" by Anonymous Coward · · Score: 0

    One small problem: For the minuscule amount of legitimate mass mailings, almost all contain a working "click here to remove me" link.

  65. As tempting as it may be... by KC7GR · · Score: 2, Insightful

    ...Fighting abuse with more abuse probably will not solve anything, and could also get you in trouble with your own ISP, if a spammer hits you hard enough to cause the fake E-mail addresses they put into their spam enough problems.

    This is a bad idea, IMO. Stick with blocklisting. Once things get to the point where the spammers are all on what amounts to an intranet, and they're doing nothing but spamming each other, they'll get the idea.

    --

    Bruce Lane, KC7GR,

    Blue Feather Technologies

    1. Re:As tempting as it may be... by Grmdzo · · Score: 1

      When a spammer provides a web address in his message, that is an explicit solicitation to me to visit his site. There is nothing illegal or abusive about doing what the spammer wants. He has no say or control over how I go about visiting that site.

  66. Easy to get around by Avumede · · Score: 1

    The spammer can simply parcel out each individual type of spam over a period of time. So, instead of:

    Day 1: Send spam A to 1 million addresses
    Day 2: Send spam B to 1 million addresses
    Day 3: Send spam C to 1 million addresses

    They would

    Day 1: Send spam A to 333,333 addresses, send spam B to 333,333 addresses, send spam C to 333,333 addresses
    Day 2: Repeat
    Day 3: Repeat

    Obviously, they would draw this out over more than 3 days, but you get the idea.

  67. Oh, great... by Anonymous Coward · · Score: 0

    If it can be claimed that Spam is slowly killing the Internet, here's a way to speed up the process. Clog the backbone and every choke point with junk packets from all the servers in the world trying to crush each other.

    We'd better all start raising pigeons.

  68. whats allowing spam by gilbertzcorner · · Score: 1

    I think what is allowing spam, pornography, stupid internet pop-up ads that say my computer isn't optimized, even though I am running linux :). It's us, the IT people who run the internet and they are coming onto our turf.

  69. Hear! hear! by Anonymous Coward · · Score: 0

    And so the Slashdot Effect could be put to good use. Good idea! Only one problem. How do you gather those images?

    1. Re:Hear! hear! by cpeterso · · Score: 1


      maybe they don't have to be real image files on the spammer's server. Maybe forcing the spammer's server to generate 404s is adequate to slashdot it..?

    2. Re:Hear! hear! by hankaholic · · Score: 2, Interesting

      A 404 would cause load on their servers, but pulling actual images would rob their bandwidth as well.

      --
      Somebody get that guy an ambulance!
  70. Avoid URL validation - lie to them by Tool+Man · · Score: 2, Interesting

    I like the idea of whacking the spammers' bandwidth, but I'm not really keen on validating the email address the bastards have reached.

    So, why not follow the links, but change the parameter values? It's all something which we'd do programmatically anyway, so subtle variations in the value portion would still incur the expense of processing the input, even if it fails. Keep the path component of the URL, and the parameter names used, so it gets as far as possible before blowing chunks.

  71. So many security holes... by anthony_dipierro · · Score: 3, Insightful

    It's not just DDOS that is the problem (in fact DDOS is actually the main feature). A naive implementation would pass along the GET data. So you could use this method to anonymously submit form data. Want to stuff an online ballot? Send out a spam linking to http://whatever/poll.foo?bar. Depending on how poorly written the sites are, you could even use this to do more sophisticated things, like sign up for 10,000 accounts at a certain website.

    1. Re:So many security holes... by Tony+Hoyle · · Score: 1

      The first spam you'll get on this system will just read:

      "Click here if you agree to accept unsolicited mail from us. "

      They then have on record an acceptance of their terms, which they can show to their ISP if you complain.

    2. Re:So many security holes... by anthony_dipierro · · Score: 1

      But you didn't click there.
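
The concerns raised in comments 70 and 71 (query strings that confirm an address or submit form data) and in the "Sorry, bad idea" thread (follow links only for "unsure" mail, one linked site absorbing every filter's requests) can all be enforced before a link checker makes any request. The sketch below is an added example, not code from the thread or from SpamAssassin; `sanitize`, `LinkCheckGuard`, the limits and the `.example` hosts are assumptions made for illustration.

```python
"""Pre-fetch guard for a link-checking spam filter (illustrative design)."""
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit, urlunsplit


def sanitize(url):
    """Reduce a URL to scheme://host[:port]/path, or return None if it must not be fetched.

    Dropping userinfo, query and fragment keeps the checker from confirming a
    recipient address or replaying form data. Path segments can still carry an
    identifier, so a stricter deployment may fetch only "/".
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname              # already lower-cased by urlsplit
    if ":" in host:                    # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", "", ""))


class LinkCheckGuard:
    """Decides which links of one message may be fetched for classification."""

    def __init__(self, allow_hosts=(), per_host_limit=3, window_seconds=3600,
                 clock=time.monotonic):
        self.allow_hosts = {h.lower() for h in allow_hosts}  # exact host match only
        self.per_host_limit = per_host_limit
        self.window = window_seconds
        self.clock = clock
        self._recent = defaultdict(deque)  # host -> times of approved fetches

    def _budget_ok(self, host):
        """Sliding-window cap so this filter cannot amplify a mail flood."""
        now = self.clock()
        stamps = self._recent[host]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.per_host_limit:
            return False
        stamps.append(now)
        return True

    def plan(self, verdict, urls):
        """Return the sanitized URLs to fetch for a message with this verdict."""
        if verdict != "unsure":        # clear ham and clear spam need no lookup
            return []
        approved, seen_hosts = [], set()
        for raw in urls:
            clean = sanitize(raw)
            if clean is None:
                continue
            host = urlsplit(clean).hostname
            if host in self.allow_hosts or host in seen_hosts:
                continue               # known-good host, or already counted
            seen_hosts.add(host)       # at most one fetch per host per message
            if self._budget_ok(host):
                approved.append(clean)
        return approved


if __name__ == "__main__":
    # Constructed sample links, as they might be extracted from one message.
    sample = [
        "http://shop.example/offer.html?rcpt=user%40mail.example",
        "http://shop.example/other.html",
        "http://hotmail.com/",
        "ftp://files.example/archive",
    ]
    guard = LinkCheckGuard(allow_hosts={"hotmail.com"}, per_host_limit=2)
    for verdict in ("spam", "unsure", "unsure", "unsure"):
        print(verdict, guard.plan(verdict, sample))
```
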

  72. Re:Fight Back by creating useless data by jafiwam · · Score: 1

    Yup. Someone was posting about something called "FormFucker" which puts bogus, but seemingly real information in forms. So there is a tool out there to do that already.

    Note, that this type of activity is just as legal as the RIAA or MadonnaWhore putting out fake MP3s.

    [I work with banks as clients, and they sure are dumb about technology stuff most of the time, but they figure out when something hurts them financially pretty darned quick. I'd estimate the mortgage lead business would go away in less than 6 months if what the parent poster was proposing was actually implemented on a widespread basis.]

    Of course, I doubt the leads pay as much as $20 a pop.... a few cents maybe....

  73. Re:Paul's good at this stuff, but this is no good. by Anonymous Coward · · Score: 0
    Accidental DDoS on good sites - yes, Victoria, spam can be spoofed VERY convincingly.

    Victoria? I think you mean Virginia. And it's very sexist to condescend to a female like that. It's the equivalent of saying, "yes, you dumb bitch, I AM right, and you're wrong."

  74. +1 Insightful by eugene+ts+wong · · Score: 1
    If the only bad result of a filter was that a few "innocent" people who don't know what they're doing, and made things easier for spammers, got DOSsed, I'd have no problem with that at all.
    I agree. Anything that puts responsibility on the people who ought to know better is a good thing.
  75. Good idea still... by Arcturax · · Score: 1

    After all, this would hurt the clowns who hired the spammers in the first place! That is one thing that people keep missing. They bitch about spammers, but they don't seem to mention the people who actually create the problem by hiring the spammers in the first place. Crushing their servers or at least making their bandwidth costs so bad that they would probably never dig out from the debt would take away incentive to do this kind of thing. But yes, sadly, this would open up a DDOS hole as well. Maybe a better way would be to set up a program which sits in the background and checks a central site for known spam company links and the software would load the URL maybe 3 times each day. If you had enough people do that, it would really hurt these bastards. Probably result in a legal challenge though. But anyway, this at least warrants discussion for now, but a way needs to be found to protect the innocent and make it so that the spammers and their host companies can't find a central site to sue.

    --

    --Won't that be grand? Computers and the programs will start thinking and the people will stop. - Dr. Walter Gibbs
  76. dangerous by Jesus+IS+the+Devil · · Score: 1

    This is a very dangerous and stupid idea. It won't be long until black hats figure out a way to exploit this technique and send out a major DDOS attack on someone they don't like.

    --

    eTrade SUCKS
  77. Re:Thoughts on active countermeasures and relays.. by hankaholic · · Score: 2, Informative
    Answers:
    1. If this caught on in a big way, almost certainly less load than spam imposes on its own, assuming that this was run on the servers. However, since Bayesian filters are best left to the individual to personalize to their own specific preferences, the load would likely be distributed across the clients (such as Mozilla), as opposed to the servers.

      Graham did mention users with broadband connections, implying that this would be something that the client would pull down.

    2. Fetching an HTTP request and parsing the returned text really has no more security risks than automatically parsing text which is sent to you via email. As long as the software is designed sensibly, there shouldn't be any additional security problems.

    3. This is difficult to say, but one benefit of the proposed system is that it only loads pages linked from messages which are not obvious in their classification. What is questionable in one person's inbox may not be questionable in another's. This reduces the chance that a concocted email will create such a DDOS attack -- it would have to be created in such a way as to be tagged as "possibly, but not definitely, spam" by many different programs given the unique corpora of those running the software.

    4. This is really the big issue -- making sure that an implementation is widespread enough to make a real difference in the habits of spammers and the networks which support them. Reaching this critical mass may take a while, but the point of the article is that by also parsing the links in the email, you get a better idea of how relevant the message may or may not be.

      In other words, you get a more accurate filter which takes into account more than the message itself -- it also considers the content which the message is trying to put across.
    --
    Somebody get that guy an ambulance!
  78. SETI@HOME ? by axxackall · · Score: 5, Interesting
    I think that some sort of SETI approach can be used:
    1. your filter recognizes the spam and gets URLs from it;
    2. all such URLs are gathered in the central authority and statistically verified (how many filters have claimed the same site);
    3. only the most often claimed sites are left in the list, while more rarely claimed sites are considered as claimed by mistake or by the anti-filter attack;
    4. people willing to help to fight spam download the screensaver aka SETI@HOME, working at your CPU and net idle time;
    5. the screensaver downloads the fresh list of sites to be fought back along with a centrally generated schedule;
    6. the filter actually attacks back at the scheduled time points (if it's still the idle time for client PC), not massively from the individual PC (so it doesn't look suspicious for the individual client *AND* it doesn't create any peak bandwidth problem for the attacker);
    7. the spammer's web site is /.ed;
    All problems I see resolvable:
    • a schedule must be smart to avoid a local bandwidth problem, but still flood the spammer, but with many such screensavers even a smooth attack will be not very smooth when it's multiplied to millions;
    • a central authority can be a subject for a counter-attack as well (will it start cyber-wars?), but if the central authority will be really decentralized (p2p, SETI, other techs) then it should not be a problem;
    • spammers may use some sort of logging, but what can they do with it?
    • to avoid if someone will organize the fake claim in order to /. the innocent site, statistics should help - only really massively claimed sites will be counted;

    The main idea of the spam is to send email massively on a very low cost. So if the attack will be also very massive, it will increase their cost of operation and at least some of them will go out of business.

    Any attempts of spammers to go through filters will not work, as you can manually submit the spam claim to (what is its name? NOSPAM@HOME?) the central authority. If the amount of such claims will be big enough, then the claimed sites will be included.

    --

    Less is more !
    1. Re:SETI@HOME ? by Pieroxy · · Score: 2, Insightful

      all this is a neat idea, but there is still a couple of problems unresolved:

      1. There is a small company that I dislike. What prevents me from hacking their ip address and send shitload of spam in their name?
      2. automatic or manual retaliation comes back to making justice yourself which is inherently illegal (at least in the us).

    2. Re:SETI@HOME ? by CaptainZapp · · Score: 1
      automatic or manual retaliation comes back to making justice yourself which is inherently illegal (at least in the us).

      Well, since the spammer invites you to click on an URL, what's the exact problem when every damn last receiver of the message actually connects to the server? I don't think that the law distinguishes between a manual click and a couple of automated lookups. In essence those jerks would be ddosing themselves.

      Actually I think it's a really cool idea, provided that some of the issues can be sorted out.

      --
      ich bin der musikant

      mit taschenrechner in der hand

      kraftwerk

    3. Re:SETI@HOME ? by Pieroxy · · Score: 1

      Well, giving that you do that with the intent of DDoSing their website, I find it hard for you to tell me that this is just a normal click.

      If I kill someone in the street that was threatening me with a gun, I'm certainly not guilty of anything. If I just kill him because he was looking at my GF, I am. You see? The context and intention of my actions make the same action (Here killing someone) illegal or not.

      I'm sure I could build a search engine that would suck every link in all my emails, and then every link in the linked website to give me an "automatic summary" of the linked site. That would be legal.

      But the minute I'm downloading your program, It is not a fair use anymore, because I'm going to willingly help bringing their site down for the heck of it. And who decides if they are guilty? I think it should be the legal system, not a bunch of nerds/statisticians/analysts...

    4. Re:SETI@HOME ? by Dread_ed · · Score: 1

      It seems to me that we have a kind of evolutionary track being blazed in the networks.

      One side perceives an attack and develops a defense. The other sees that defense as an attack and changes its behavior and methods to counteract the attack. This holds true for crackers, pirates, and spammers and their counterparts of software companies/programmers, media companies, and ISP's, mailhosts, and ultimately end users.

      The problem with this is escalation ie.: each side considering progressively more desperate and intrusive/harmful ways of accomplishing their goals. Because of this even the "good guys" entertain ideas that they shouldn't, like remotely disabling others' systems, trying to circumvent due process (ie. Verizon customer lists), crippling media, closed-box architecture, licenses that infringe on rights of fair use, etc.

      Compound the escalation with intelligence on both sides being driven by profit and self betterment (a somewhat higher drive than profit if you ask the psychiatrists) and you have quite a volatile and competitive atmosphere.

      The question then arises, how do you successfully combat a foe that has use of all the same tools that you do, but none of the ethical or ideological restraints? Unfortunately, history has little in the way of help in this category, as it is filled with examples of how the weak and morally destitute control and eventually destroy the strong/ethical.

      If you think of this as an evolutionary process, some ideas begin to take shape.

      What if we assume that the escalation is no longer the symptom but the problem itself.

      One possible approach is to take a holiday from escalation, or more colorfully, quit trying to put bandaids on the punctured aorta because they just get shot across the room after each heartbeat, meanwhile the patient is still dying! In other words, the attempts to fix the problem are just stopgaps that make the enemy stronger and more resistant. Therefore, we remove the resistance. This in turn will hopefully dull the edges on the opposition, as they have no stone of conflict to constantly sharpen themselves on.

      Then, after a sufficiently mind-numbing period of tranquility has expired, attack the newly weakened and complacent enemy with redoubled efforts. Hopefully, the opposition will be so devastated that they cannot recover.

      The only problem with this solution is that it can be used by either side.

      Another idea comes to mind based upon the evolutionary model. Changes in the food chain at the lowest levels have the greatest impact. Now, in this model we consider the entire conflict including the escalation to be a symptom of the current structure

      As everyone knows, the internet was designed without serious consideration being given to the security measures we now require. As a result, we see the climate of increased government regulation, corporate backlash, and end user disillusionment and exploitation. If we abdicate the ability to rectify these problems ourselves they will be resolved in a closed boardroom, or in a court with little understanding of the technical issues and a heavy hand that is unmindful of the repercussions.

      Maybe a change at the lowest level of the food chain is exactly what is required. I have seen it proposed before, but is anyone seriously considering changing the communication protocols of the internet with a mind for eliminating the problems at hand?

      Maybe the open source type approach applied to this problem could lead to some wonderful results?

      The benefits would include an insiders view of the problems at hand plus the technical expertise (and access!!) to actually implement the changes.

      It would be great to see what the /. community has to say about this idea. What changes would you make? How, technically, could it be done?

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    5. Re:SETI@HOME ? by William+Tanksley · · Score: 1

      Well, giving that you do that with the intent of DDoSing their website, I find it hard for you to tell me that this is just a normal click.

      I'm not sure that the intent is to DDoS. The basic intent is to gather more information about the email with the purpose of determining whether it's interesting to read.

      A DDoS will only happen if the URL was deliberately publicised to more people than the server can handle. Admittedly, this is possible.

      -Billy

    6. Re:SETI@HOME ? by Pieroxy · · Score: 1

      Well, from the original post, I read "the spammer's web site is /.ed", "a counter-attack as well (will it start cyber-wars?)" and "but still flood the spammer", that led me to think the idea was to bring the site down on purpose...

      Somewhat confusing.

    7. Re:SETI@HOME ? by William+Tanksley · · Score: 1

      Your reading skills aren't misleading you -- some people are picturing this as a way to get poetic justice. But in reality, this doesn't deliver justice; it simply delivers more information to the targets of the advertisement.

      The "justice" only comes if the sender of the advertisement wasn't capable of serving as many people as he advertised directly to -- and that's certainly not an encroachment on our part.

      I can think of a nice way for spammers to get around this antispam AND avoid server overload at the same time. The worst load this can ever cause on your server would appear soon after you send out the spam; therefore, just put a dummy webpage up using a superlight static page server. The dummy can be completely innocent-looking, of course, which would further help the spam make it into even protected mailboxes. Let a few minutes pass, possibly watching web traffic; once it tapers off a little, put up the real page. Your polite proxy may cost you one or two real customers, but odds are your ad targets aren't watching their email accts precisely when you sent the message anyhow.

      -Billy

    8. Re:SETI@HOME ? by Pieroxy · · Score: 1

      Well, basically, you are being hypocritical, right?

      You just build something that is "harmless" in some kind of parallel reality and pretend you don't know anything about this "strange" side effect that we call DDoS, while in fact it is the primary goal of the whole system.

      Could work, but I'm not sure. You need a very kind and friendly judge to be on your side if this matter ever goes to court.

    9. Re:SETI@HOME ? by William+Tanksley · · Score: 1

      No, I'm building something with a specific purpose: to scan emails sent to *my* box to determine whether they're worth *my* time. In the process I visit links in the emails provided allegedly for the purpose of providing the information I'll need to make that decision. I'll then run a Bayesian filter over that text, using MY processor time. (This is in the original proposal.)

      None of this is in any faint way illegal, immoral, or possible to construe as such.

      Now, there are some people who have so much against spammers that they're willing to twist this a lot. I suspect that anyone fetching the same page multiple times, or throwing away the results of a fetch without analysing it, or sharing clock information in order to synchronise fetches will be vulnerable to charges of deliberate DDoSing -- but those activities are THEMSELVES attempted denials of service, in effect acts of violence regardless of their target.

      I will admit, though, that I do share Paul Allen's expectation that even proper, polite usage of his system will hammer spammers hard, and harder the spammier they are. I shed no tears for that; they're stealing small amounts of resources from everyone, and everyone who uses this will be asking them to devote a *tiny* amount of resources to confirming their validity. If they have even the tiniest bit of honesty, they've prepared a server that can handle the people they're advertising to, so this system will cost them nothing.

      -Billy

    10. Re:SETI@HOME ? by Pieroxy · · Score: 1

      Ok, sorry about all the fuss, but that seems pretty darn interesting. Even by re-reading the original post I don't understand that... But my English sucks so my bad...

      Can you send me a copy once you have something running ? I definitely want to be a part of this!!

  79. Bad idea, but might be improved by Animats · · Score: 2, Interesting

    The good idea there is to filter spam based on what it links to. SpamCop already does some of this, and reports the spamvertised site to its ISP or upstream provider. This is reasonably effective. It also identifies black-hat ISPs that host sites referenced in much spam.

  80. auto following links -> spread worms by frenetic3 · · Score: 2, Insightful

    i think a more potentially dangerous outcome is that this could become a vehicle for worms to spread;

    lots of vulnerabilities have been discovered (in IE, etc) in the past that run arbitrary code when you visit a web page.

    so, if we have all these [identical] email clients set to automatically follow links and that there's some kind of known buffer overrun within the html parsing code (or if they use the IE rendering engine and some similar vulnerability has been discovered) then if a malicious link is sent then all of these clients will follow it and get compromised. (witness the paranoia now in most email clients which disable javascript, attachments, etc by default).

    at that point, if tons of machines are compromised, they could be turned into open proxies or could turn around and forward the email to everyone in their address book, etc.

    yes, this might sound like a farfetched scenario, but i think even if this case didn't happen, the obvious counter for spammers is to distribute the web load over a bunch of compromised open proxies or something or to throw up temporary web pages on random web hosts until they get shut down.

    the bottom line is that in the end the pain of this countermeasure will be simply passed onto innocent third parties.

    furthermore, it's unlikely that any major mail client will include this feature by default (outlook or eudora) since there's so much room for abuse, and the whole idea relies on a critical mass of users to actually have an effect.

    -fren

    --
    "Where are we going, and why am I in this handbasket?"
  81. The ISP pays by Mustang+Matt · · Score: 1

    For some ISPs it's no big deal to slam the spammers they host, but for any ISP that unknowingly or unwillingly gives access to a spammer, they should have enough time to shut them down before having their network destroyed.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  82. punish AOL? by Anonymous Coward · · Score: 0
    I got a spam today that apparently was a unique screen name for an aol account, that was for me alone as a spam target. They were harvesting my email address from a web page. So, if you hit the root URL, you are taking on AOL itself. Doubt that would hurt much.

    I use Pegasus mail, and just nuke all the unwanted headers, allowing only good email to remain on the pop3 server. I can view all the headers, and double clicking on one reveals all the data, so I know where the spam comes from. Then I have Pegasus mark all those for deletion, and then Pegasus does that.

    I'm starting to put my email address on web pages with a _remove_this_ in the middle, to confuse the harvesters.

    Anyone know of a linux mail application that can do what Pegasus Mail (for windows) does? I need it, as I log in linux as a user account and think that is more secure than windows.

  83. Totally bad idea by mabu · · Score: 1

    One of the worst sins of the spammer is the theft of bandwidth and other parties resources. The idea of launching a DDOS against a spamvertised site compounds that problem even further.

    I have a better idea. Write a program that sends a letter to your local District Attorney, FBI office and the FTC every time you get spam that asks them when they're going to do their job?

  84. Order now ! by pb9494 · · Score: 0, Offtopic

    Order your penis enlargement pills now at SCO ! They're only 699$. If you bought pills from other companies, you still have to pay because your penis contains SCO patented technology.

  85. Bayesian filters by dtfinch · · Score: 2, Informative

    It seems like the need for other anti-spam techniques will decrease as these become more popular. Things like ip banning or automated server hacking just hurt more non-spammers.

    I installed a free one called K9 (though I donated $20 to the author), and over my last 573 emails (392 spam) it has only made one mistake, making it over 99.8% accurate after its initial training (141 messages). I've only been using it for a few weeks. It's about a 60k download and is very flexible and well behaved. The downside is that it's closed source and built for win32. I don't know if it works under Wine.

    The one spam that got through was disguised a typical personal message, except that it was offering a business relationship and contained a personalized image link to determine if I viewed the message.

    I tried Mozilla's built in bayesian filter for a few months. It had about 90% accuracy, even though I corrected every single mistake it made. Something's not working there, so probably shouldn't be used to judge the accuracy of bayesian filters in general.

    I've tried PopFile as well. It seems to have good accuracy, but it's like swatting a fly with a sledgehammer. It's like a full fledged anti-spam server and is best installed on a dedicated server but is not well suited for multi-user environments, and it's not easy to correct old mistakes or rebuild the word database. It does have the benefit of being cross platform though, and it supports multiple buckets, not just spam and not spam.

  86. Spamassassin + wget + SpamCop by Jens · · Score: 1
    My solution (except wget so far):
    • Filter all incoming mail using spam assassin. The rules are reasonably exact. Mail which is declared SPAM doesn't reach my inbox.
    • Automatically report spam that exceeds SA score 7.5 to spamcop.
    So far, I've only had one problem, and that was a stupid abuse@ department auto-reply which quoted the entire SPAM (thus got re-filtered by Spamassassin, re-submitted to Spamcop, triggered the same auto-reply, etc etc yadda yadda).

    This procedure could well be extended to filter all URLs out of the spam and auto-wget them.

    If anybody wants the spamassassin+spamcop scripts, mail me. It's a hack though (uses maildrop, qmail, perl, etc).
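The report loop described in the comment above (an abuse desk's auto-reply quotes the spam, scores as spam, and is reported again) can be broken with a check before each report. This is an added example, not the commenter's scripts; it assumes the filter has already written an `X-Spam-Status` header containing `score=` or `hits=`, that the reporter remembers the Message-IDs of reports it sent, and all messages and names in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")
ROLE_SENDERS = {"abuse", "postmaster", "mailer-daemon"}

# Constructed samples. SENT_REPORT_IDS holds Message-IDs of our own reports.
SENT_REPORT_IDS = {"<report-1@me.example>"}
SPAM = ("From: seller@spam.example\nMessage-ID: <s1@spam.example>\n"
        "X-Spam-Status: Yes, score=12.4 required=5.0\nSubject: pills\n\nbuy now\n")
AUTOREPLY_TAGGED = ("From: abuse@isp.example\nAuto-Submitted: auto-replied\n"
                    "X-Spam-Status: Yes, hits=11.0 required=5.0\n"
                    "Subject: Re: report\n\n> buy now\n")
AUTOREPLY_LEGACY = ("From: Help Desk <support@isp.example>\n"
                    "References: <report-1@me.example>\n"
                    "X-Spam-Status: Yes, score=10.1 required=5.0\n"
                    "Subject: Re: report\n\n> buy now\n")
ROLE_ONLY = ("From: Abuse Team <Abuse@other.example>\n"
             "X-Spam-Status: Yes, score=9.0 required=5.0\n\n> buy now\n")
LOW_SCORE = ("From: seller@spam.example\n"
             "X-Spam-Status: Yes, score=6.0 required=5.0\n\nbuy now\n")


def spam_score(msg):
    """Numeric score from X-Spam-Status, or None if the header is absent."""
    match = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    return float(match.group(1)) if match else None


def should_report(raw, sent_report_ids, threshold=7.5):
    """Return (decision, reason) for one filtered message."""
    msg = message_from_string(raw)
    score = spam_score(msg)
    if score is None or score <= threshold:
        return False, "score not above threshold"
    # Auto-responders that follow RFC 3834 label themselves.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "auto-submitted"
    # Anything threaded onto one of our reports is an answer to it, not spam.
    refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
    if sent_report_ids.intersection(refs):
        return False, "reply to our own report"
    # Last resort for unlabelled responders: well-known role mailboxes.
    local_part = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    if local_part in ROLE_SENDERS:
        return False, "role-address sender"
    return True, "report"


if __name__ == "__main__":
    for name in ("SPAM", "AUTOREPLY_TAGGED", "AUTOREPLY_LEGACY",
                 "ROLE_ONLY", "LOW_SCORE"):
        print(name, should_report(globals()[name], SENT_REPORT_IDS))
```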

  87. My quick spam filter. by Anonymous Coward · · Score: 0

    I no longer receive spam in my INBOX although I quickly filter through false positives in my SPAM mail folder. How? I put in a rule to move all mail containing "http://" to a SPAM folder. Now all I need is a procmail or similar rule to reply to senders requesting they reformat their email to avoid this substring (I can cut and paste a URL into my browser easily so there's no need to preface with this token). It's simple and it works and I can scan through the SPAM folder when I feel like it and quickly spot false positives. It might not be for all but it's worth considering.

  88. Stupidest comment ever. by Anonymous Coward · · Score: 0

    Gee whiz. I guess no one writing a filterbot program to follow links would do anything like say check the followed link for the very email address it was performing the filtering function for. Programmers writing anti-spam programs are so dumb they'd never think to do anything so glaringly self-obvious like that. That'd take someone like oh maybe a genuine certifiable genius physicist-rocket-scientist-recombinant-DNA-engineer-type-person to figure out. Someone who can merely write a Bayesian filter would never think to do it.

  89. Re:noooooooo - you did not read the article... by Nogami_Saeko · · Score: 1

    They don't seem to slip past on my end (POPFile).

    Besides tagging messages as spam for having enough spam-keywords, it also (seems?) to tag incoming messages as "not spam" based on words that only appear in personal communications - when the messages come in. I think some of the other spam-killers also will nab messages which only contain a link, or a minimal amount of non-content.

    POPFile has cracked the 98% classification accuracy mark on my system and is continuing to increase.

    I never see spam anymore - it has ceased to be a problem for me (at least so far).

    N.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  90. Re:This is a GREAT idea. one more point though by thynk · · Score: 1

    As the article points out, one of the dangers would be the use of this in a malicious denial of service attack engineered by sending out a spam message which includes URLs on the targeted system. For example, sending out a penis enlargement spam that includes a Microsoft URL.

    Hey, now that might be a long term plus. While the spammers won't have much legal recourse for everyone loading the links they send, using this system to DDOS someone probably would not be viewed lightly in the eyes of the law. Where the effect of this program might cause some network problems, that's not its goal - using spam to DDOS someone has no real defense.

    --

    Good judgment comes from experience, and a lot of that comes from bad judgment.
  91. No Lisp? by GnuVince · · Score: 1

    An article by Paul Graham, and he doesn't mention the word Lisp even once? Must not be a terribly good one :)

    1. Re:No Lisp? by Anonymous Coward · · Score: 0

      Cheer up, there were 13 pairs of parentheses in the article.

  92. another suggested anti-spam method works quite wel by RouterSlayer · · Score: 1

    I've been using a slightly altered method for years, and been talking about it in mailing lists, various groups, etc, but no one seems to pay attention, even though it works really really well-
    take your spam, filter through it for all domains and IPs, and dump them into two sorted lists. one for domains, one for IPs.
    the IPs get routed to the bitbucket, and the domains get added to your own personal RBL-type list. Or you can do the RBL type thing with both, whatever turns your crank.

    what I do is take the IPs, make them /24s (class-c's) and route them to the bitbucket. No more spam from that entire net, ever. I have over 29000 class-c's blocked right now.

    yes, I heard all the whiners complain about blocking legit addresses/domains. That's what a whitelist precheck is for. and duplicates are easily eliminated when the lists are kept sorted.
    and to make sure legit addresses don't stay blocked, if someone complains they get added to a "do not block" list, but only individual IPs usually ever end up there. That is, you may miss one piece of mail to one user, but never again.

    for over 2 years now I've been doing this, and it works well, in conjunction with bayesian filters.
    and I've seen every possible method talked about for eons, and the topic keeps coming up again, the same old crap retried over and over again. You do this at the ISP, like I have, and it works wonders.

    bayesian is good, filters are good, but this method is much better. and the RBL type lists of your own domains/IPs are at least 10 times faster than the route to bitbucket method, and only affect mail, not ftp, web, etc...

    try it, you'll like it, and your spam will eventually drop to almost nothing.

    Personally there should be a place where ISPs and others share these lists. But no one does that. and that is a shame, because it'd be an incredible resource. Someone needs to set up a site to do this, I was going to but no one seemed to care...
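The list-building steps in the comment above (pull IPs out of spam, widen each to a /24, keep the list sorted, check a "do not block" list first) look like this in code. This is an added example and not the commenter's setup; the function names are assumptions, the sample messages are constructed, and the addresses are documentation ranges. The per-network hit count is included so the cost of blocking 256 addresses on little evidence stays visible.

```python
import ipaddress
import re
from collections import Counter

# Dotted quads not embedded in a longer dotted or numeric token.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
# The receiving side's own hops show up in headers too; never list them.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample spam (headers and body).
SAMPLE_SPAM = [
    "Received: from mail.example (unknown [203.0.113.45])\n"
    "\tby mx.internal (10.0.0.5)\nSubject: offer\n\n"
    "Visit http://198.51.100.7/offer now",
    "Received: from [203.0.113.200] by mx.internal (10.0.0.5)\n\n"
    "build 1.2.3.4.5 of nothing, and 999.1.1.1",
]
# Individual addresses whose owners complained and were cleared.
DO_NOT_BLOCK = {ipaddress.IPv4Address("203.0.113.10")}


def extract_ips(text):
    """Return the set of valid, non-internal IPv4 addresses found in text."""
    ips = set()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ValueError:  # e.g. 999.1.1.1
            continue
        if not any(ip in net for net in NOT_ROUTABLE):
            ips.add(ip)
    return ips


def build_blocklist(spam_messages):
    """Map each /24 seen in the spam to the number of sightings, sorted."""
    hits = Counter()
    for text in spam_messages:
        for ip in extract_ips(text):
            hits[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
    return dict(sorted(hits.items()))


def is_blocked(address, blocklist, do_not_block):
    """Whitelist precheck first, then /24 membership."""
    ip = ipaddress.IPv4Address(address)
    if ip in do_not_block:
        return False
    return any(ip in net for net in blocklist)


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_SPAM)
    for net, count in blocklist.items():
        print(f"{net}\t{count} sighting(s)")
    for addr in ("203.0.113.99", "203.0.113.10", "192.0.2.1"):
        print(addr, "blocked" if is_blocked(addr, blocklist, DO_NOT_BLOCK) else "accepted")
```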

  93. Follow unsubscribe links? by Anonymous Coward · · Score: 0

    That would be exciting... legitimate newsletters with a "click here to unsubscribe" would be really out of luck when mail servers automatically unsubscribed everyone...

  94. Fight fire... by adding fire? by quacking+duck · · Score: 3, Interesting
    Given that so many people, even corporate execs, are stupid enough to order stuff from spammers, why not use this fact to our advantage?

    Send out "white hat" spam, which for all intents and purposes looks like real (ie "black hat") spam. Except clicking on the link takes you to any number of webpages that basically say "are you so f***ing stupid you actually believe pills can make your penis/breasts/whatever larger?"

    Adjust content to suit type of spam. Include disgusting images if the type of spam you're emulating is adult-oriented (pr0n, enlargements, etc), something else entirely if you're "selling" mortgages or similarly benign wares (ie no goatse.cx-type images if you're "selling".

    And to cap it off, if viewers are so enraged at what they see, the page will have a feedback link. The link will either be a known spammer's email so they receive their venting instead of their money, or link to yet another anti-spam site.

    Geeks and filters will automatically block this stuff out, so there's no harm done to us, aside from having to filter out even more spam.

    But with any luck, if enough of these anti-spam spams get sent out that people start associating spam messages with informative, insulting or disgusting websites, they'll learn to stop clicking on those damn links, stop buying their bullshit products, the spam model becomes unprofitable, and spam is reduced to a saner level or eliminated entirely.

    Legal implications? No better and no worse than black hat spammers.

    Comments?

    1. Re:Fight fire... by adding fire? by eugene+ts+wong · · Score: 1

      If I got email like that, I would just delete it, but I would have to sort through it with whatever technology/technique that I use.

      The people that are purchasing stuff are the 1s who are new to the Internet. I don't see how your ideas would reach them in time to put a stop to spam. There are new people on the Internet every day. You'd have to target those people, not us. Your idea punishes the wrong people.

    2. Re:Fight fire... by adding fire? by quacking+duck · · Score: 1
      The point was to educate newbies, by employing the same methods as the spammers themselves to spread white-hat spam. If white hat spam attack is proactive enough such that they're the VERY FIRST spam newbies receive, and lessens the chance they'll click spam links in the future, then what's a little bit more inconvenience to savvy users?

      Hence the parent title--to stop the spread of a wildfire they'll sometimes "backburn", or start another fire to create a firebreak, so when the wildfire reaches it they burn each other out, halting the fire in its tracks.

      White hat spam could even include some marker or signature to identify it as such, so any half-decent filter would automatically delete 100% of white hat spam. Not just dumping it to a junk mailbox for double-checking. Deleted outright.

      Anyone savvy enough to set up their filter to do this already knows not to click on spam links. Anyone who ISN'T will still have to deal with it, but that's the idea--make them understand why that's a problem, take action, and don't click on spam, right?

    3. Re:Fight fire... by adding fire? by eugene+ts+wong · · Score: 1

      Based on what you said, I'll just assume that there is no way of identifying newbies, or it is beside the point. All I know is that I'm fairly aware of what kind of spam is out there, & I try to avoid it. Even if I could avoid it, I'd still like to make sure that I don't have to deal with any of your white spam, even @ the server level.

      But instead of arguing, maybe an idea to help you along, would be better.

      Why don't you approach a few email providers [ie: Yahoo!; Hotmail; etc.], & suggest to them that they provide a link in super large letters @ the top of each page saying, "Click here if you are using email for the 1st time!!!". After clicking the link, the page reloads, the link never to reappear again, & a bunch of fake spam mysteriously appears in their inbox. Experienced users could select all of it & delete it, before reading it.

      Another approach is to just have the fake spam sent to every new inbox. @ the top will be the standard welcoming email, that also explains spam. Underneath it will be about 24 fake spams to catch their attention. If the user doesn't read the welcome email, & he is new to email, he will probably open them up, since they are addressed to him. If he opens any of them up, he will see the standard sales pitches seen in standard spams. If he clicks on any of the links, then he will be directed to an anti-spam site.

      To really reinforce the issue, some of the fake spam should contain some scantily clad women in somewhat sensual poses; nothing graphic, so as to not offend completely.

  95. Finally!!! by FyRE666 · · Score: 1

    I've been saying this for ages! If only a few thousand people would start "visiting" spamvertised sites over and over again we could cause serious damage to their "business model". If the scum had to pay for several hundred gigs of bandwidth with no sales every time they ran out a batch of spam they might think twice next time (probably not, seeing as they're brainless scum themselves, but still we can hope).

  96. Or they could say... by eugene+ts+wong · · Score: 1
    Your Honor, the advertisement said to call that number for more information, so I did.
    Or they could say something like, "Your Honour, the advertisement said to call that number for more information, so I called to see if I could get more information than I got from the 1st call. The advertisement gave no rules about how often we are allowed to call, nor did it give any information about how much more information the 1-800 number would give.".
  97. How a spammer could fight back... by rekoil · · Score: 1

    The only real hole in this that I can think of is that a spammer could "discourage" the use of this by including a buried link to a large file that each client would then have to download, such as a trailer off of Apple's Quicktime site. If you're running this on any sort of centralized server, this would probably kill your own bandwidth, as you're suddenly downloading a multi-megabyte file multiple times, but Akamai's network probably wouldn't even sweat it.

    This could be counteracted by the whitelisting function that Graham mentions, however.

  98. Just installed a-s-k by Snefru2 · · Score: 1

    More and more spam got through the Spamassassin filter I used. This weekend I installed the Active Spam Killer (see a-s-k) and uninstalled the Spamassassin. I believe that the filter approach used by the Spamassassin and friends is a fight one cannot win in the end.

  99. come up with another purpose by Heisenbug · · Score: 1

    Let's say I have an email autoloader. I often receive lots of wonderful links from my amusing coworkers. Instead of following all those links manually, I simply drag the emails into my new autoloader tool, and it preloads all the links for me. Sometimes I get around to checking the contents, and sometimes not, but they're always there if I need them.

    My email autoloader is even scriptable -- it can select emails to autoload by quite a complicated set of rules, instead of my having to manually select them each time. I then don't even have to read "Hey! Check out this funny flash site!" -- the email is automatically deleted, and the site is preloaded for my convenience.

    Now isn't that nice and convenient (and legal)?

  100. You should submit this idea. by eugene+ts+wong · · Score: 1

    If you wrote up a web page about it, then submit a story, then you'd probably get more attention that your idea deserves.

  101. Re:noooooooo - you did not read the article... by Anonymous Coward · · Score: 0

    I use SpamProbe, which has about 99.5% accuracy. For instance, I received 174 spams today, 1 legit message and 1 spam slipped past the filter to my inbox - a picture spam - my mail server has a HTML trap which disables picture tags, so what I get is a blank e-mail.

    The reason Spamprobe is better than most other filters, is because it counts not only single words, but also word pairs. To make up for the tremendous increase in computational load, it uses Berkeley DB as a backend.
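An added illustration (not part of the comment above and not SpamProbe's code) of why counting word pairs as well as single words helps: on the constructed corpus below, "click" and "here" each appear equally often in spam and ham, so only the pair "click here" separates the two. The per-token probabilities and their combination follow a simplified Graham-style scheme; the class name, the clamping values and the in-memory counters (instead of a database backend) are assumptions made for this sketch.

```python
import math
import re
from collections import Counter


def tokens(text, pairs=True):
    """Set of lowercase words in a message, plus adjacent word pairs if enabled."""
    words = re.findall(r"[a-z0-9$'-]+", text.lower())
    found = set(words)
    if pairs:
        found.update(f"{a} {b}" for a, b in zip(words, words[1:]))
    return found


class TokenFilter:
    """Per-token spam probabilities, combined under a naive independence assumption."""

    def __init__(self, pairs=True):
        self.pairs = pairs
        self.spam_counts = Counter()   # token -> number of spam messages containing it
        self.ham_counts = Counter()    # token -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        if is_spam:
            self.n_spam += 1
            self.spam_counts.update(tokens(text, self.pairs))
        else:
            self.n_ham += 1
            self.ham_counts.update(tokens(text, self.pairs))

    def token_probability(self, token):
        """P(spam | token), clamped to [0.01, 0.99]; None for a token never seen."""
        s = self.spam_counts[token] / max(1, self.n_spam)
        h = self.ham_counts[token] / max(1, self.n_ham)
        if s + h == 0:
            return None
        return min(0.99, max(0.01, s / (s + h)))

    def score(self, text):
        """Combined spam probability of a message; 0.5 means no evidence either way."""
        log_spam = log_ham = 0.0
        for token in tokens(text, self.pairs):
            p = self.token_probability(token)
            if p is None:
                continue               # unseen tokens carry no evidence here
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        # Work in log space and clamp so long messages cannot overflow exp().
        diff = max(-700.0, min(700.0, log_ham - log_spam))
        return 1.0 / (1.0 + math.exp(diff))


# Constructed training messages, not real mail.
SPAM = ["Click here to claim your prize", "Click here for cheap pills"]
HAM = ["Click the counter, the demo is here",
       "The patch is here, click merge when ready"]


def build_demo(pairs):
    """Train a filter on the constructed corpus, with or without word pairs."""
    f = TokenFilter(pairs=pairs)
    for message in SPAM:
        f.train(message, is_spam=True)
    for message in HAM:
        f.train(message, is_spam=False)
    return f


if __name__ == "__main__":
    for pairs in (False, True):
        f = build_demo(pairs)
        print("pairs" if pairs else "words", round(f.score("Click here!"), 3))
```

The cost the comment mentions is visible in `tokens()`: a message of n words yields up to n - 1 extra pair tokens, each of which needs its own counter entry.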

  102. Re:Paul's good at this stuff, but this is no good. by wavecoder · · Score: 1

    On the first count, you're right, it's Virginia. Oops. On the second, don't you know the reference? We're not talking about the entire female half of the species, here, but a little girl! (in the original context, of course, which is the only context that counts). Find something better to do...

  103. Mission Critical requirements: by puntloos · · Score: 1

    Let's see here..

    - MODERATION. This is the key thing. Same as with the slashdot effect, you can't blame a 'posse' for sending on URL's for whichever reasons and effectively 'attacking' the site in question. Legit non-spam sites can't really prosecute I don't think, but it's wrong, so we need dependable humans to check each and every link, and/or make a (slashdot type) moderation thing that will review and moderate up real spam links to 'Engage, mr. Sulu' level.

    - EASE OF USE. It needs to be easy to install

    - LEGAL ISSUES. If you use a 'distributed client' I think it shouldn't send stuff to /dev/null since then it has no defendable purpose other than 'DDoS' which can cause badly informed people to think it's evil per definition and sue. On the other hand if you call it 'advertisement collection tool', make it cache say a day worth of.. and make a sparse system to actually view what's been collected..(like a local cache browser)
    Also I don't think spammers can 'sue' us since they sent the email to us (keyword is 'unsolicited') which makes the mail and its contents our property.

    The primary problem really is how to get a dependable, defendable list of attack candidates without actually hiring 10 people to sort through all the spam each day. (unless someone rich cares to donate to the cause? :) )

  104. Heres an idea by atcurtis · · Score: 1
    When using a FreeBSD box with IPFW as the external MTA, when it receives SPAM, blacklist that IP address by configuring the packet filter to drop 50+% of the data packets (but allow the connection to setup ok).

    That should tie up their spam servers a bit...

    --
    -- The universe began. Life started on a billion worlds...
    -- Except on one where stupidity was there first.
  105. mod parent way up by Anonymous Coward · · Score: 0

    Very good points.

  106. No by autopr0n · · Score: 1

    A 1x1 gif image is smaller than most servers' 404 error msgs.

    --
    autopr0n is like, down and stuff.
    1. Re:No by hankaholic · · Score: 1

      I wasn't referring to a 1x1 gif, just displaying an image in a 1x1 box, causing the browser to consume resources without affecting the page display significantly.

      --
      Somebody get that guy an ambulance!
    2. Re:No by g.zero · · Score: 2, Insightful

      Aren't you forgetting that some people are on a 56k connection? Forcing their browser to download the images would increase the loading time for them. It might not make much difference to those on a DSL connection or better, but when you only get 5k/s it could hurt.

      --
      "Hard work _might_ pay off later, but procrastination _always_ pays off now."
    3. Re:No by hankaholic · · Score: 1

      I see you're logged in. That means that you can choose which Slashboxes to display -- and which to exclude.

      I am forgetting nothing of the sort. I suggested a Slashbox which would cause images loaded by spam to also be loaded with the Slashdot home page.

      Either you didn't read my original comment, or you had no idea that you could configure your display of the Slashdot homepage.

      If the latter is true, click here, learn something, and have a nice day.

      If the former is true, go fuck yourself. If you need some material to get it up, check out autopr0n's homepage.

      --
      Somebody get that guy an ambulance!
    4. Re:No by Anonymous Coward · · Score: 0

      ...but it's still larger than the content being served by autopr0n.com.

  107. Actually by autopr0n · · Score: 1

    A lot of spammers actually will remove you if you click the 'remove' link, since no one ever does. Or so I've heard.

    --
    autopr0n is like, down and stuff.
  108. Well by autopr0n · · Score: 1

    I don't really see the point of doing something if your average slashdotter can see a way past this easily, and can figure out a way to make it do even worse things to the network.

    We should be looking for spam solutions that a) don't have a huge obvious negative impact and b) even if exploited still 'help'.

    I'm convinced that Bayesian filters, Reverse MX, and sender verification will pretty much kill all spam these days.

    --
    autopr0n is like, down and stuff.
  109. OpenBSD's spamd tarpit by ninjaz · · Score: 1
    OpenBSD comes with a program called spamd, which, when a spammer is sent there, will respond to the effect of "temporary failure, keep that in your queue" -- after several minutes of displaying the message very slowly, character-by-character. The idea is that the spammer wastes several minutes per occurrence, and if a relay is used, it gets bogged down retrying "temporary failures".

    Daniel Hartmeier (the guy who started OpenBSD's pf firewall) has an explanation of how this can be used in conjunction with filters such as spamassassin. Using this method, each time you get a spam, the spammer gets blacklisted to be directed to spamd the next time. It's documented at http://www.benzedrine.cx/relaydb.html -

    Until, after several attempts, wasting both his queue space and socket handles for several days, he gives up. The resources I have to waste to do this are minimal.

    If the sender is badly configured, an uncooperative recipient might actually delay his entire queue handling for several minutes each time he connects to the tarpit. And many spammers use badly configured open relays.

  110. no by autopr0n · · Score: 1

    because you can fake the email's origin.

    --
    autopr0n is like, down and stuff.
  111. P2P Analogy by prozac79 · · Score: 2, Interesting

    Isn't this what some congressman is trying to get passed for P2P networks? He thinks that it is perfectly acceptable for copyright holders to hack P2P networks and bring down machines that are suspected of having illegally obtained copyrighted material. Now we propose this for spam and suddenly this is a good thing? I know, nobody likes spammers, but that can't be the foundation to allowing people to hack other's systems. If filters were allowed to strike back at spammers, that would give the RIAA and MPAA all the ammo they need to lobby for new laws that allow disabling people's service. As many people have said in other posts, it sets a very slippery slope that will probably have consequences beyond what we initially envision, not just for email, but for anything that someone does over the internet that is "unwanted".

    --
    "Oh dear, she's stuck in an infinite loop and he's an idiot" -Prof. Farnsworth (Futurama)
  112. And because.... by EmagGeek · · Score: 1

    .... the links sent in spams are generally tailored to be able to identify someone following a link to an individual spam that was sent, these "attack back" filters would only serve to verify that the email address the spammer spammed is valid, thereby increasing (incredibly) the amount of spam that address received.

    The resulting positive feedback created by automatically telling all spammers that your address is good can only cause more trouble for networks. You'll quickly find that the amount of spam you receive is unmanageable because every spammer on the planet will quickly learn that your email address opens and responds to every piece of spam it receives.

    1. Re:And because.... by dotgain · · Score: 1
      Not necessarily.
      The "uniqueness" in these urls is usually at the end as a string of hex digits or some such, and could usually be easily popped out of the string while still presenting a valid enough url on the server to hit it, make it read in a script or something generally annoying for it.

      I think it could _just_ work if enough care is taken. Having said that, I don't think it'll work.

  113. **NO ONE** pays per click by autopr0n · · Score: 1

    Look around, try to find someone, anyone who pays per click anymore. No one does. Everyone pays by commission because pay-per-click schemes are way too easy to defraud.

    --
    autopr0n is like, down and stuff.
  114. This sounds similar to hash cash by mec · · Score: 1

    "Hash cash" works like this: the recipient forces the sender to burn some configurable amount of CPU time before accepting a message for receipt. The recipient does this by giving the sender a problem which is hard to solve, but easy to verify the solution for.

    This fight-back filter sounds similar. The fight-back filter imposes some configurable amount of load on sites extracted from the message. At least, that's what it does when everything works properly.

    I'm not an expert at these things, but I like hash cash better. With hash cash, the recipient imposes the cost on the actual machine that's trying to send mail. With a fight-back filter, the recipient visits some other machines which are selected by the spammer and under the control of the spammer. That opens the door for security holes.

    The disadvantage of hash cash is that it may require a SMTP protocol change to be effective.
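An added sketch (not part of the comment above and not Hashcash's own code) of the exchange it describes: the recipient hands out a challenge, the sender burns CPU finding a nonce whose hash has enough leading zero bits, and the recipient checks the answer with a single hash. SHA-256, the 12-bit difficulty, the 300-second lifetime, the challenge layout and all class and function names are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
import time
from itertools import count

DIFFICULTY_BITS = 12   # assumed cost: about 2**12 hashes per message on average
CHALLENGE_TTL = 300    # assumed lifetime of a challenge, in seconds


def leading_zero_bits(digest):
    """Number of zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


class Recipient:
    """Receiving side: issues challenges and checks solutions with one hash."""

    def __init__(self, address, bits=DIFFICULTY_BITS):
        self.address = address
        self.bits = bits
        self._key = os.urandom(32)   # secret that authenticates our own challenges
        self._spent = set()          # challenges already redeemed (replay protection)

    def _tag(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:16]

    def issue_challenge(self, now=None):
        issued = int(time.time() if now is None else now)
        body = f"{self.address}:{issued}:{os.urandom(8).hex()}"
        return f"{body}:{self._tag(body)}"

    def verify(self, challenge, nonce, now=None):
        now = time.time() if now is None else now
        try:
            address, issued, rand, tag = challenge.rsplit(":", 3)
            issued = int(issued)
        except ValueError:
            return False                      # malformed challenge
        expected = self._tag(f"{address}:{issued}:{rand}")
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False                      # not a challenge we issued
        if address != self.address or not 0 <= now - issued <= CHALLENGE_TTL:
            return False                      # wrong recipient or expired
        if challenge in self._spent:
            return False                      # one challenge pays for one message
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) < self.bits:
            return False                      # the work was not done
        self._spent.add(challenge)
        return True


def solve(challenge, bits=DIFFICULTY_BITS):
    """Sending side: brute-force search, expected 2**bits hash evaluations."""
    for nonce in count():
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce


if __name__ == "__main__":
    rcpt = Recipient("alice@example.org")       # constructed address
    challenge = rcpt.issue_challenge()
    nonce = solve(challenge)
    print("nonce", nonce, "accepted", rcpt.verify(challenge, nonce))
    print("replay accepted", rcpt.verify(challenge, nonce))
```

Each extra difficulty bit doubles the sender's expected work while the recipient's check stays at one hash, which is the asymmetry the comment relies on.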

  115. Sounds a lot like an old idea... by jemfinch · · Score: 2, Interesting

    Making spammers pay for each spam they send? Sounds a lot like Daniel Bernstein's Internet Mail 2000 recommendation, except that this idea has far more potential for abuse. As much as I like Paul Graham's innovative ideas, this one is definitely both late on the scene and inferior to IM2000.

    Jeremy

  116. Slashdot Fights Back by CHaN_316 · · Score: 1

    Well, one way to easily DDOS spammers is to use slashdot as an offensive weapon against spammers. Open a slashdot section called spammers. Each day we could have a list of daily spammers, similar to daily news stories. The effect, the target site gets slashdotted. (Huzzah) In theory, we won't have to worry about targeting an incorrect site as slashdot admins would verify that the target site is in fact a spammer site.

    --
    "There is no spoon." - The Matrix
    1. Re:Slashdot Fights Back by dotgain · · Score: 1
      In theory, we won't have to worry about targeting an incorrect site as slashdot admins would verify that the target site is in fact a spammer site.

      With the same level of enthusiasm they verify the details of, erm, other things on the front page I wonder?

  117. Fight Open Relays! by Jman314 · · Score: 1

    Use (and support) the Open Relay Database. These people maintain a free service to blacklist mail from open relays. I can't attest for the service myself, but I've heard good things about it.

    Everything helps in fighting the war on spam.

    1. Re:Fight Open Relays! by Anonymous Coward · · Score: 0

      I am sacrificing some of my infinite anonymous karma in the hope someone will at least give him an 'Interesting'

  118. RE: Filters that Fight Back by Tacoguy · · Score: 3, Interesting

    Spam fighting, it seems to me has 2 fronts. What to do when you get on the lists and how did you get there to begin with. Having made numerous web sites thru the years it has become clear to me that these spammers are largely harvesting addys thru mail-to links on web pages. A number of techniques can be utilized to prevent such activity. 2 of my favs are the use of ASCII characters in the actual addy and the use of Javascript to mask the addy. Once you are "in their hooks" there seems little you can do so it seems best to me to not get there in the first place. Best Jeff

  119. Even Better... by Lodragandraoidh · · Score: 1

    A better solution, in my mind, is to design an encrypted access control system for email - such that I give unique public keys to people I want to receive email from. "Public key" is really a misnomer - each person would have a unique public key that is theirs only - my email system would manage users based on the public key they have been assigned. All email to me would be encrypted using these public keys, and decrypted using the private keys I keep on my system.

    The beauty of this is twofold:

    1. No more unsolicited email - anything that is not properly encrypted with one of my public keys is dropped in the bit bucket.

    2. If someone I previously trusted abuses the system - or if their public key is compromised, I can cut them off: simply remove their public key from the list.

    The best way to hit the spammers is in the pocketbook; if their spam doesn't get through to an audience, then they get no money - and spamming will simply dry up. A widespread public-private/private key system would make it impossible to get spam into anyone's mailbox.

    The drawback is that you will need to establish connections with people in other venues than email - which might not be a bad idea anyway.

    --

    Lodragan Draoidh
    The more you explain it, the more I don't understand it. - Mark Twain
    1. Re:Even Better... by Lodragandraoidh · · Score: 1

      I just wanted to add:

      I think of email more akin to UPS or FEDEX than snailmail.

      Packages are carefully wrapped and sent (semi-expensively) from door to door. 99% of the shipment are the result of both parties previously agreeing to the transaction. When was the last time you received unsolicited packages from UPS?

      We need a similar system for our electronic 'packages' to break the spammers.

      --

      Lodragan Draoidh
      The more you explain it, the more I don't understand it. - Mark Twain
    2. Re:Even Better... by dotgain · · Score: 1
      The beauty of this is twofold:

      1. No more unsolicited email - anything that is not properly encrypted with one of my public keys is dropped in the bit bucket...

      ...including prospective employers, clients etc. And those who didn't read your three page pdf on how to actually encrypt the message with their key etc.

      Is your mom 1337 enough to get hold of you?

    3. Re:Even Better... by krray · · Score: 1

      And with UPS it costs $$$ to send packages all over. Of course you don't get unsolicited packages. Heck, in most cases YOU are probably paying for shipping when you get something bought shipped to you.

      It costs so little to waste so many people's time and pass off the cost. Ooh, I just got one to one of my HOSTMASTER accounts for one of the domains. Absolutely RUDE.

      Oops, I have to go to the washroom. So many domains will be responding to that lovely drivel:
      while (1)
      wget -a /dev/null http://shrinkback@www.mtgde1s.com/Collins-Dr561/in dex.htm
      end

      (pass some of the cost BACK, distributed across my accessible bandwidth which appears to be more than they have :)

      Anyway, my solution has certainly blocked legit email from somewhat rogue ISPs -- and cost many an ISP a customer. Pick an IP, any IP and its subnet is blocked once a spam comes in. Permanently blackholed until there is a need to whitelist an IP. At that time it's verified to be an ISP's mail server and not a dialup, etc. Add in other tricks of harvesting IPs and it [spam] became a moot point quickly. Frankly I just don't see it, except in the daily log report. :)

      To the HOSTMASTER. And no, I didn't see it. I heard a submarine sound. It's sinking...
      wget -a /dev/null http://shrinkback@www.mtgde1s.com/Collins-Dr561/in dex.htm

      Bada-Bing!

  120. Automatic attacks are a bad idea by cait56 · · Score: 2, Insightful

    Having a "filter fight back" is a polite way of saying that you have trained attack software.

    Software has bugs. If you have trained attack software, it will have bugs. Which means eventually it will attack an innocent site.

    Ultimately this is a bad idea for the same reasons that automated home defenses are a bad idea. It's very easy to say that the intruder has earned the automated response, but then you get the nitty gritty issue of whether your automated system can distinguish between a burglar and a fireman.

    The same issues apply in identifying Spam. How will your software, which will make mistakes, distinguish between the real source of Spam and a clever header that is making it look like someone else is the source? I don't care how good your algorithm is. It's coded by humans, so it will make mistakes. Unlike a human making a mistake manually, however, it will pounce at very high speeds.

  121. Education, Law Enforcement, etc. by naubol · · Score: 1

    I am a huge proponent of the death penalty for spammers (this is really a joke, I'd settle for just removing their digits so they can't type.) With that being said I would love to find a way to shutdown spam. Here's how I think it has to be done.

    1) Education. Educate your mother who buys from spam emails that even though she's getting a discount (or perceived discount) that she's doing so at the detriment of people's time and wasting bandwidth. Explain why bandwidth is important. Bottom line, don't reply, don't buy, and don't encourage spamming. Education stops the motive, and the loss of motive will stop the crime. I would be interested in seeing the trends in terms of how often people respond to spam and if that level of response degrades per user as those users become more net-savvy and gain more experience.

    2) Law enforcement and legislation. I would prefer it if everyone could sue a spammer. Obviously this has to be more carefully thought out because anyone who uses the cc field in an email might be considered a spammer, but I still think that action should be taken quickly and decisively. Possibly an organized investigative body to discover who spammers really are and then to build up incriminating evidence. Then of course to sue their ass out of existence in class action lawsuits with the money going to pay for more investigative work. Also, a heavy against companies. "We know you are utilizing spammers and we don't appreciate it. You have been blacklisted" or some other various things.

    But what it all amounts to is : money. Control the money, control the problem. And I feel education and law enforcement are some of the few clear ways to do that. Everyone else has basically mentioned in other posts my problems with the method of DoS'ing spam hosts. N

    --
    Reality is a slackware box running on a 386 tucked away in god's sock drawer.
  122. Distributed Department of Defense by TomDLux · · Score: 1

    This is something I've been considering since Graham's Bayesian Filter article appeared last autumn.

    Whether it's Spam Assassin or Bayesian filters, conventional defense mechanisms attempt to prevent spam from getting through. If IBM or AOL succeed, the savings are significant, both in terms of employees'/subscribers' time, network bandwidth, hard drive storage, etc. But for individuals, the effect is purely local. One person stops receiving spam, after the first few.

    Unfortunately, there is no effect on the spammers. The majority of people are unprotected, so visit the web site, buy the product, etc. What do they care whether Paul Graham visits their site or not?

    What is needed is to inflict a penalty on the spammer for sending the spam. One idea which has been passed about is introducing a low fee for email. Your first 10,000 messages each month are free, but after that each one costs a penny, nickel, dime. Ordinary users won't be affected, only those attempting to send millions of emails. But what about corporations? Obviously, IBM, GM, AT&T send many emails. So this method stops those who try to send 5000000 messages through a user account, but what about someone who has their own corporation? For that matter, what about AOL? AOL users send more than 10000 messages, between them. Yes, I know, none of us care about AOL, but still.

    Now a spam message is an invitation to visit a web site. They WANT you to go to their website. They're not going to make a sale over email, but if you see their pr0n for yourself, you might sign up. So the solution is for everyone to visit their web site. Since you are so interested in their product, you want your software to fetch their website every hour, so you will know quickly when any changes occur. Suddenly, sending spam has a cost: web site bandwidth.

    Some people might object to the spammer being paid for 'pay-per-view' banners, but there is a simple defense against that. Just set your software to only fetch same-site images and includes. Of course you want to fetch more than the tiny frameset .... you need to fetch the large images, maybe even the same-site linked pages. On the other hand, few people pay much for banners which do not provide click-through. It won't take many days of a million clicks an hour to convince the remainder to change their policy.

    The big risk, in my opinion, is people spamming out a URL to mount a DDoS attack, slashdotting someone they don't like. My solution is a combination of Google and Gnutella. Check your peers for copies of the web site. If it is not available, or if your peers cannot agree on the size or checksum of the page, or if a random number returns a wrong value, go check on what Google, Yahoo, Altavista or the Way Back machine have to say about the site. Of course, these sites may not be totally delighted to offer a portion of their bandwidth to protecting the internet, but life is hard. If a couple of these sites disagree on what the page looks like, or the random number is still rolling snake-eyes, visit the page itself. This way, the load on Joe's Shoe Repair is limited to a forgivable level.

    Once a page, or a few alternate pages are obtained, the user needs to examine them, to determine whether to co-operate with the email by visiting the web site, every day, every hour, every ten minutes.

    If the page obtained from the web site is different from the archived copy, user interaction is required. The possibility remains that we are visiting an innocent web site which has been mis-represented. On the other hand, what about web sites that strive to protect themselves by having insignificant varying components. Banner ads rotate, for example, so not fetching those improves comparability. If included components change, while a major portion remains unchanged, we are still dealing with the same web site. If minor text segments change, but the bulk is constant, we can continue downloading on a regular basis. How about if the site changes gradually

    1. Re:Distributed Department of Defense by TomDLux · · Score: 1

      The other factor I intended to mention is the cost to ISPs.

      Every time you make a spammer serve a gigabyte of web page, ISPs and Internet BackBone servers have to transport that bandwidth.

      Earthlink, Rogers, etc. would love to eliminate the 50% of email which is spam ( last year 15%, next year 87% ). But are they willing to increase their http bandwidth by 25% as part of the solution?

  123. Re:auto following links - spread worms by jazir1979 · · Score: 1


    The point is to simply follow the link, not to parse or render the received HTML.

    But yes, the idea is daft as many people have already pointed out.

    --
    What's your GCNSEQNO?
  124. Re:auto following links - spread worms by TomDLux · · Score: 1

    You don't have IE download the web page. The page is downloaded by a program/script in C, C++, java, Perl, Python, Ruby which does not attempt to interpret the page, but simply scans it for includes and images from the same web site. The program is presented to the user as a rough text/image thumbnail. If it is spam, no need to view it through IE; if it is not spam, no need to view it through IE.

  125. Fake order forms by JSR+$FDED · · Score: 1

    How about something more subtle and less prone to being abused:

    Find out on the spammer's site where the order form is and fill it with bogus information

    ?

    This would hit the spammer where it really hurts: they can't afford ignoring the order forms but it will cost them a lot to process them. Hopefully it will make the act of spamming much less interesting financially.

  126. NOSPAM@HOME ! by axxackall · · Score: 2, Insightful
    Let me think:

    There is a small company that I dislike. What prevents me from hacking their ip address and send shitload of spam in their name?

    In my opinion it is possible to have a statistical analysis that would be capable to distinguish it unless you organize a really big attack. On the other hand, a central (even if it's distributed) authority may help to gather a witness evidence against your unfair anti-competitive practice, which would be rather difficult if such NOSPAM@HOME project would not exist.

    automatic or manual retaliation comes back to making justice yourself which is inherently illegal (at least in the us).

    What makes it illegal? It is a statistical research project. Volunteers help to gather a statistical database of originally filtered emails. The central (and distributed) authority asks volunteers to help to gather the rest of information, namely the responsivity of a seller's web site, based on a pre-estimated schedule. BTW, the result of statistical analysis can be peacefully used to consult the seller web site admin how to improve the site responsivity. Most likely the only advise would be so far: "shut your spam down and your site traffic will come back to normal".

    I am actually ready to stand out in the court and say: "Well, the targeted company sends their marketing materials with only 5% of chance that the reader wants to read it. We study the responsivity of the targeted site by creating the traffic to the site where only 5% of actual requests are wanted by the business of the site's owners. How our 5% are different from their 5%? If what we do is illegal then what they do is illegal as well. But what we are doing is the non-profit research when only a very small group of people may dislike it, while what they are doing is a for-profit campaign when millions of innocent people dislike it."

    --

    Less is more !
    1. Re:NOSPAM@HOME ! by Pieroxy · · Score: 1

      What makes it illegal? It is a statistical research project.

      Well, go ahead and read it again. Point 7 sounds more like a counter-attack than a statistical research project.

      The statistical part is fine with me, and I think with the law. The retaliation part is obviously illegal. You can't just bring a website down for the heck of bringing it down.

      Of course, IANAL.

    2. Re:NOSPAM@HOME ! by axxackall · · Score: 1

      Formally I don't want to bring the site down. Instead I continue the statistical research and want to see the correlation between our http requests and the response time. Seems innocent to me.

      --

      Less is more !
    3. Re:NOSPAM@HOME ! by Pieroxy · · Score: 1

      Well, from the original post, I read "the spammer's web site is /.ed", "a counter-attack as well (will it start cyber-wars?)" and "but still flood the spammer", that led me to think you wanted to bring the site down...

      Somewhat confusing.

    4. Re:NOSPAM@HOME ! by axxackall · · Score: 1
      In the original post I explained why we should do it (we should do it to shut the spammer down). Later I explained what we would be doing as I would explain it in the court (we do a statistical research project studying how typical spammers are ready to get hits from all, or the same amount of, inviters they are invited).

      On a second thought, millions of mailboxes are *FLOODED* with spam inviting to visit a spammer's site, then what's wrong if the visitors will come to the site in the same *FLOODING* way? They have used the flood to invite - they have got the flood back, what's wrong with that? Somehow I don't believe that the spammer has any chance to win in the court against those who spam back.

      --

      Less is more !
    5. Re:NOSPAM@HOME ! by Pieroxy · · Score: 1

      Ok, I see your point. The only flaw is that the flooding the spammer does doesn't bring any mailbox to its knees (neither intentionally nor even as a predictable side effect), while in your system, you use this great number as an excuse to flood their website. There is no excuse for that, not even your statistical project.

      At best, your explanation will sound hypocritical to a judge.

      I can picture you in front of the judge:
      You: You know, I'm just sending a couple of HTTP requests to these guys for every email, that's all.
      The Judge: How many emails are there?
      You: A lot.
      The Judge: To your knowledge, could this practice potentially harm their server (even temporarily)?
      You: Hmmm ... Yes
      The Judge: Ok, stop it.
      You: Yes your honor.

    6. Re:NOSPAM@HOME ! by axxackall · · Score: 1
      You: You know, I'm just sending a couple of HTTP requests to these guys for every email, that's all.
      The Judge: How many emails are there?
      You: A lot.
      The Judge: To your knowledge, could this practice potentially harm their server (even temporarily)?
      You: Hmmm ... Yes
      The Judge: Ok, stop it.
      You: Yes your honor.

      Me: ... I can do that, but with one condition.
      The Judge: What is that?
      Me: They should stop sending their unsolicited emails to me.
      The Judge: Why should they?
      Me: Because it harms my mailserver, it wastes my time to filter it and it spends my bandwidth.
      The Judge: OK, they should stop sending their spam to everyone from where they do not want to receive http requests.

      --

      Less is more !
  127. Read the article about spammers' tricks... by Anonymous Coward · · Score: 0

    which was on /. some days ago? Remember that the whole url thing can be tricked by using JavaScript: just add a link like <a href="#" onClick="swapURL()">spam!</a>. Some JavaScript would change href and take you there when you click it, so you wouldn't easily find a target for retaliation.
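
The link trick described in the comment above can at least be recognised by a filter that parses the HTML body instead of trusting each static href. The following is an added example, not part of the thread or of Paul Graham's article; the names `LinkAuditor`, `audit_links` and `script_hidden_target` are hypothetical and the sample message is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Event-handler attributes that can rewrite or replace the link target at click time.
HANDLER_ATTRS = {"onclick", "onmousedown", "onmouseup", "onmouseover", "onfocus"}

# Constructed sample body: first link as in the comment, second an ordinary link.
SAMPLE = """<html><body>
<script>function swapURL(){ /* body elided: sets the real target at click time */ }</script>
<a href="#" onClick="swapURL()">spam!</a>
<a href="http://example.com/unsubscribe">unsubscribe</a>
</body></html>"""

class LinkAuditor(HTMLParser):
    """Collects every <a> tag and records why its static href cannot be trusted."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self.has_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.has_script = True
        if tag != "a":
            return
        a = {name: (value or "") for name, value in attrs}  # names arrive lowercased
        href = a.get("href", "").strip()
        reasons = []
        try:
            scheme = urlparse(href).scheme.lower()
        except ValueError:              # malformed URL, e.g. a broken IPv6 literal
            scheme = ""
            reasons.append("unparseable-href")
        if href == "" or href.startswith("#"):
            reasons.append("placeholder-href")   # no destination until script runs
        elif scheme == "javascript":
            reasons.append("javascript-url")
        handlers = sorted(HANDLER_ATTRS & a.keys())
        if handlers:
            reasons.append("handler:" + ",".join(handlers))
        self.links.append({"href": href, "reasons": reasons})

def audit_links(html_body):
    """Return (links, has_script) for one HTML message body."""
    parser = LinkAuditor()
    parser.feed(html_body)
    parser.close()
    return parser.links, parser.has_script

def script_hidden_target(html_body):
    """True when some link's destination is only known after script executes."""
    links, _ = audit_links(html_body)
    return any(link["reasons"] for link in links)
```

A message that trips `script_hidden_target` gives a filter a usable feature in itself, since the static href says nothing about where the reader would land.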