Paul Graham: Filters that Fight Back

Mortimer.CA writes "Paul Graham is back with another article about combating spam. It's entitled Filters that Fight Back: 'One intriguing idea is to literally fight back: to make filters disable spammers' servers by automatically following all the links in each incoming email. We may be driven to this in order to achieve accurate filtering anyway. Why wait?' One danger is someone doing a DDoS by sending fake spam."

Following links validates your address

[PeekabooCaribou]

If I load an image or a link from spam, it's possible that a spammer could be validating my e-mail address for future sale, or perhaps increased spamming since he knows someone is actually reading the message. For example, http://server.foo/image.gif?id=ab0a98df12j3 could be unique to the spam that was sent to me. If any user-agent accesses that URL, the spammer knows that my e-mail is active and I'm reading his junk. I don't know if they actually do this in practice, but I'm wont to load HTML messages because of it.

Re:Following links validates your address

[hankaholic]

I've been thinking for a while about maybe having a Slashbox that displays images included in spam in a 1x1 pixel box.

Every load of Slashdot would hit spammers' servers.

Re:Following links validates your address

[koehn]

Actually, the opposite would happen: since all links in all spams get hit, this technique would make putting UIDs into URLs worthless for the purpose of authenticating users.

Spammers would need another mechanism to attempt to authenticate who reads their messages. I like it.

What do you think about downloading IMG tags? It would hurt the server's bandwidth, but it would hurt my mail server's bandwidth, too. Maybe use one of the many open proxies out there instead, kill their bandwidth, maybe close the open proxy... ooh, that's evil! I really like it!

If there were a sig here, would you read it?

horrid legal thought

[BobTheLawyer]

a deliberate denial of service attack is illegal whether the victim is an innocent website or an evil spammer. There is no internet equivalent of lawful self defence.

If a spammed website is brought down by a method such as this, it wouldn't altogether surprise me if they sued the maker of the software responsible. Matters would be complicated if, as they might, they deny responsibility for the original spam e-mail.

(This is the case in the UK, I'd guess the position will be similar in the US but IANAAL (I Am Not An American Lawyer))

On the other hand, the "scan the spamvertised website for its content" sounds a great technical approach.

This is stupid!

[MoogMan]

Seems a bit retarded to at least double the bandwidth drain from spam. Its bad enough as it is. This is *not* a viable solution, unless the spammers happened to be one hop away...

Filter web-pages through bayesian filterss

[flux]

How about using the bayesian algorithms we have today and apply them to the referred web pages? I'm sure they would have plenty of good material for the filters to detect.. Plus this would propably be more effective with spam that effectively is only an url.

Secondly, I don't call this any kind of DDoS, even though it might seem such to spammers (is slashdotting a DDoS?). If anyone sends me a mail with an url, chances are they _want_ me to check it out. If my system fetches the pages and stores them to a cache, I'm doing exactly what the sender wants. (Mailing lists may be a problem though.)

Thirdly, does it really hurt you to let spammers know that your address is valid? Chances are the address will receive spam nevertheless..

The people who PAY spammers would not

[The+Monster]

In the situation where the spammer gets paid by hit, the spammer would be rich overnight. But, then the customer might see somthing a little fishy, then start asking questions.

So you're saying that the long-term effect would be to destroy the spammers' business model?

Looking for a downside to this plan . . . still looking . . . Nope. I can't see one.

SETI@HOME ?

[axxackall]

I think that some sort of SETI approach can be used:

1. your filter recognizes the spam and gets URLs from it;
2. all such URLs are gathered in the central authority and statistically verified (how many filters have claimed the same site);
3. only the most often claimed sites are left in the list, while more rarely claimed sites are considered as claimed by mistake or by the anti-filter attack;
4. people willing to help to fight spam download the screensaver aka SETI@HOME, working at your CPU and net idle time;
5. the screensaver downloads the fresh list of sites to be fought back along with a centrally generated schedule;
6. the filter actually attacks back at the scheduled time points (if it's still the idlle time for client PC), not massively from the individual PC (so it doesn't look suspicious for the individual client *AND* it doesn't create any peak bandwidth problem for the attacker);
7. the spammer's web site is /.ed;

All problems I see resolvable:

• a schedule must be smart to avoid a local bandwidth problem, but still flood the spammer, but with many such screensavers even a smooth atack will be not very smooth when it's multiplied to millions;
• a central authority can be a subject for a counter-attack as well (will it start cyber-wars?), but if the central authority will really decentralized (p2p, SETI, other techs) that it should not be a problem;
• spammers may use some sort of logging, but what can they do with it?
• to avoid if someone will organize the fake claim in order to /. the innocent site, statistics should help - only really massively claimed sites will be counted;

The main idea of the spam is to send email massively on a very low cost. So if the attack will be also very massive, it will increase their cost of operation and at least some of them will go out of business.

Any attmpts of spammers to go through filters will not work, as you can manually submit the spam claim to (what is its name? NOSPAM@HOME?) the central authority. If the amount of such claims will be big enough, then the claimed sites will be included.