Slashdot Mirror


Paul Graham: Filters that Fight Back

Mortimer.CA writes "Paul Graham is back with another article about combating spam. It's entitled Filters that Fight Back: 'One intriguing idea is to literally fight back: to make filters disable spammers' servers by automatically following all the links in each incoming email. We may be driven to this in order to achieve accurate filtering anyway. Why wait?' One danger is someone doing a DDoS by sending fake spam."

13 of 328 comments

  1. Following links validates your address by PeekabooCaribou · · Score: 5, Interesting

    If I load an image or a link from spam, it's possible that a spammer could be validating my e-mail address for future sale, or perhaps increased spamming since he knows someone is actually reading the message. For example, http://server.foo/image.gif?id=ab0a98df12j3 could be unique to the spam that was sent to me. If any user-agent accesses that URL, the spammer knows that my e-mail is active and I'm reading his junk. I don't know if they actually do this in practice, but I'm wont to load HTML messages because of it.

    --
    "I'll say it again for the logic-impaired." -- Larry Wall.
    1. Re:Following links validates your address by hankaholic · · Score: 5, Interesting

      I've been thinking for a while about maybe having a Slashbox that displays images included in spam in a 1x1 pixel box.

      Every load of Slashdot would hit spammers' servers.

      --
      Somebody get that guy an ambulance!
    2. Re:Following links validates your address by koehn · · Score: 4, Interesting

      Actually, the opposite would happen: since all links in all spams get hit, this technique would make putting UIDs into URLs worthless for the purpose of authenticating users.

      Spammers would need another mechanism to attempt to authenticate who reads their messages. I like it.

      What do you think about downloading IMG tags? It would hurt the server's bandwidth, but it would hurt my mail server's bandwidth, too. Maybe use one of the many open proxies out there instead, kill their bandwidth, maybe close the open proxy... ooh, that's evil! I really like it!

      If there were a sig here, would you read it?
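
The per-recipient URL described in the first comment of this thread can be spotted before a mail client fetches anything. The following is an added example, not part of the original comments: it lists the remote references in an HTML body and flags those carrying a token-like value. The sample message, the `audit` function and the token heuristic are assumptions made for illustration; only `server.foo` and the `id` value come from the comment.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample body; buy.html, logo.gif and the cid: part are made up.
SAMPLE_HTML = """<html><body>
<p>Great offer! <a href="http://server.foo/buy.html">Click here</a></p>
<img src="http://server.foo/image.gif?id=ab0a98df12j3" width="1" height="1">
<img src="http://server.foo/logo.gif">
<img src="cid:part1.logo@example.invalid">
</body></html>"""

TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8,}$")

def looks_like_token(value):
    """Heuristic (assumption): 8+ URL-safe characters mixing letters and digits."""
    return bool(TOKEN_RE.match(value) and re.search(r"[0-9]", value)
                and re.search(r"[A-Za-z]", value))

class RefCollector(HTMLParser):
    """Collect (url, auto_loaded) pairs: images load on display, links on click."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "img" and attrs.get("src"):
            self.refs.append((attrs["src"], True))
        elif tag == "a" and attrs.get("href"):
            self.refs.append((attrs["href"], False))

def audit(html):
    """Return (verdict, url, tokens) for every reference that leaves the machine."""
    collector = RefCollector()
    collector.feed(html)
    findings = []
    for url, auto in collector.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # cid:, data: and similar are resolved locally
        # A unique id can sit in the query string or in a path segment.
        candidates = [v for _, v in parse_qsl(parts.query)]
        candidates += [seg for seg in parts.path.split("/") if seg]
        tokens = [c for c in candidates if looks_like_token(c)]
        if tokens:
            verdict = "beacon" if auto else "tracked-link"
        else:
            verdict = "remote-image" if auto else "plain-link"
        findings.append((verdict, url, tokens))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(finding)
```

A client that refuses to fetch anything marked `beacon` or `remote-image` until the user asks gives the sender no confirmation that the message was opened.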

  2. horrid legal thought by BobTheLawyer · · Score: 4, Interesting

    A deliberate denial of service attack is illegal whether the victim is an innocent website or an evil spammer. There is no internet equivalent of lawful self defence.

    If a spammed website is brought down by a method such as this, it wouldn't altogether surprise me if they sued the maker of the software responsible. Matters would be complicated if, as they might, they deny responsibility for the original spam e-mail.

    (This is the case in the UK, I'd guess the position will be similar in the US but IANAAL (I Am Not An American Lawyer))

    On the other hand, the "scan the spamvertised website for its content" sounds a great technical approach.

  3. This is stupid! by MoogMan · · Score: 4, Interesting

    Seems a bit retarded to at least double the bandwidth drain from spam. It's bad enough as it is. This is *not* a viable solution, unless the spammers happened to be one hop away...

  4. Needs Critical Mass, but how do you tame it? by globalar · · Score: 3, Interesting

    "We should try to ensure that this is only done to suspected spams"

    I am not sure that is 100% possible. In light of that reality, this might just punish any server, not necessarily attached directly to the spammer. For example, if I wanted to shut down a site, couldn't I spam a million inboxes with that site's address?

    I could see this solution, when mismanaged, merely creating lots of extra, meaningless traffic as well.

    I am all for doing something to inconvenience spam, but it seems that the most effective solutions always come at a direct cost to everyone. For example, I have read about adding a small CPU penalty calculation for every email sent. This new solution isn't quite as distributed - it adds traffic to networks and places loads on servers, but it's still a penalty.

    I guess the real challenge is finding a way to penalize the spammers and no one else. Good thoughts, and honestly if my client supported a "punish mode," I think I would be tempted to use it with the same careless sense I apply delete.

  5. Filter web-pages through Bayesian filters by flux · · Score: 5, Interesting

    How about using the Bayesian algorithms we have today and apply them to the referred web pages? I'm sure they would have plenty of good material for the filters to detect.. Plus this would probably be more effective with spam that effectively is only a URL.

    Secondly, I don't call this any kind of DDoS, even though it might seem such to spammers (is slashdotting a DDoS?). If anyone sends me a mail with a URL, chances are they _want_ me to check it out. If my system fetches the pages and stores them to a cache, I'm doing exactly what the sender wants. (Mailing lists may be a problem though.)

    Thirdly, does it really hurt you to let spammers know that your address is valid? Chances are the address will receive spam nevertheless..

  6. another approach by mwilliamson · · Score: 3, Interesting
    I think this approach would be rather simple to implement

    1. Copyright my gnupg/pgp public key and write a EULA outlining its use. Here is where I'd explicitly disallow unsolicited advertisement.
    2. Have procmail or some other filter direct all non-pgp mail to /dev/null
    3. If someone successfully sends me encrypted email having violated the EULA of my gnupg/pgp key, pursue legal action against them.
    4. Enjoy my spamless mailspool

    There are other fringe benefits...the overhead encrypting to a large number of keys would certainly slow a spammer's throughput down. Also, this would encourage the use of widespread secure email.

  7. The people who PAY spammers would not by The+Monster · · Score: 5, Interesting
    In the situation where the spammer gets paid by hit, the spammer would be rich overnight. But, then the customer might see something a little fishy, then start asking questions.
    So you're saying that the long-term effect would be to destroy the spammers' business model?

    Looking for a downside to this plan . . . still looking . . . Nope. I can't see one.

    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.

  8. Interesting side-effect by leetrum · · Score: 3, Interesting

    An interesting side effect of this strategy would be that it would be harder to track commissions based on per-click (instead of per-sale) for the sites employing spammers, thus limiting their income to people who buy (which can generally be a better commission anyway, but not offered by all these seedy companies).

  9. SETI@HOME ? by axxackall · · Score: 5, Interesting
    I think that some sort of SETI approach can be used:
    1. your filter recognizes the spam and gets URLs from it;
    2. all such URLs are gathered in the central authority and statistically verified (how many filters have claimed the same site);
    3. only the most often claimed sites are left in the list, while more rarely claimed sites are considered as claimed by mistake or by the anti-filter attack;
    4. people willing to help to fight spam download the screensaver aka SETI@HOME, working at your CPU and net idle time;
    5. the screensaver downloads the fresh list of sites to be fought back along with a centrally generated schedule;
    6. the filter actually attacks back at the scheduled time points (if it's still the idle time for client PC), not massively from the individual PC (so it doesn't look suspicious for the individual client *AND* it doesn't create any peak bandwidth problem for the attacker);
    7. the spammer's web site is /.ed;
    All problems I see resolvable:
    • a schedule must be smart to avoid a local bandwidth problem, but still flood the spammer, but with many such screensavers even a smooth attack will be not very smooth when it's multiplied to millions;
    • a central authority can be a subject for a counter-attack as well (will it start cyber-wars?), but if the central authority is really decentralized (p2p, SETI, other techs) then it should not be a problem;
    • spammers may use some sort of logging, but what can they do with it?
    • to avoid if someone will organize the fake claim in order to /. the innocent site, statistics should help - only really massively claimed sites will be counted;

    The main idea of the spam is to send email massively on a very low cost. So if the attack will be also very massive, it will increase their cost of operation and at least some of them will go out of business.

    Any attempts of spammers to go through filters will not work, as you can manually submit the spam claim to (what is its name? NOSPAM@HOME?) the central authority. If the amount of such claims will be big enough, then the claimed sites will be included.

    --

    Less is more !
  10. Fight fire... by adding fire? by quacking+duck · · Score: 3, Interesting
    Given that so many people, even corporate execs, are stupid enough to order stuff from spammers, why not use this fact to our advantage?

    Send out "white hat" spam, which for all intents and purposes looks like real (ie "black hat") spam. Except clicking on the link takes you to any number of webpages that basically say "are you so f***ing stupid you actually believe pills can make your penis/breasts/whatever larger?"

    Adjust content to suit type of spam. Include disgusting images if the type of spam you're emulating is adult-oriented (pr0n, enlargements, etc), something else entirely if you're "selling" mortgages or similarly benign wares (ie no goatse.cx-type images if you're "selling".

    And to cap it off, if viewers are so enraged at what they see, the page will have a feedback link. The link will either be a known spammer's email so they receive their venting instead of their money, or link to yet another anti-spam site.

    Geeks and filters will automatically block this stuff out, so there's no harm done to us, aside from having to filter out even more spam.

    But with any luck, if enough of these anti-spam spams get sent out that people start associating spam messages with informative, insulting or disgusting websites, they'll learn to stop clicking on those damn links, stop buying their bullshit products, the spam model becomes unprofitable, and spam is reduced to a saner level or eliminated entirely.

    Legal implications? No better and no worse than black hat spammers.

    Comments?

  11. RE: Filters that Fight Back by Tacoguy · · Score: 3, Interesting

    Spam fighting, it seems to me has 2 fronts. What to do when you get on the lists and how did you get there to begin with. Having made numerous web sites thru the years it has become clear to me that these spammers are largely harvesting addys thru mail-to links on web pages. A number of techniques can be utilized to prevent such activity. 2 of my favs are the use of ASCII characters in the actual addy and the use of Javascript to mask the addy. Once you are "in their hooks" there seems little you can do so it seems best to me to not get there in the first place. Best Jeff