The Life of a Spammer
An anonymous reader writes "The Atlanta Journal-Constitution ran an interesting article today about the life of a "small time" spammer. It is interesting to note that even a religiously zealous grandmother can mire our inboxes with junk." That's Flo Fox, of Slidell, LA.
You know, I've been thinking a bit. Spam is becoming a real problem and it's only a matter of time before email itself becomes nearly useless due to the massive amounts of spam. Something has to be done and it has to be done soon in order for it to still be effective enough. Stopping spam itself when it's en route is not an option, as it will only lead to an arms race between spammer/virus writers and hackers/AV corps. Killing the bandwidth of the computers that send spam isn't an option either as it involves (D)DoSing, which is rather illegal. Killing the spammers themselves, as satisfying and tempting as it may be, is not an option either. Remember, even a spammer is someone's father/mother and/or son/daughter.
Maybe, MAYBE we have a chance by sicking the BSA on them. Yes, the Business Software Alliance, the same people who use some sort of legalized extortion and raid small businesses that "fail to comply" to their rather variable demands. Think about it, most small time spammers are technological idiots who use home computers. Do you really think every spammer who has 10 PCs churning out email has valid licenses for Windows? Maybe a few, but loads don't. And even if they do, MS licensing is so horrid that whatever the heck you did, you're bound to violate at least 3 licenses anyways, excluding other licenses like the spam software itself. This is how we might go after a few small-time spammers. And hey, it actually makes the BSA people do something useful as well! Maybe an idea?
Hate me!
SMTP was designed to be a robust mail protocol in an environment in which trust was perfectly reasonable. The environment changed, the protocol was retained. Fine - but then you have to do something about the lost appropriateness of trust. Some things have been done - they've been inadequate. That's not the fault of SMTP or of the designers.
It isn't just SMTP that is abused: open proxy abuse is a big contributor to the spam problem. There, again, trust is inappropriate - but still exists. Spammers take advantage of other system and human vulnerabilities to set up spam zombie servers. Too much inappropriate trust yet again.
Some basic human behavior needs to change - and the ISPs should be in the lead. They aren't. The security experts might be in the lead. They aren't. Many security experts appear to believe that securing a small fraction of systems and bitching about all the rest is adequate. Well, take a look - is it? Few security experts do anything towards identifying and stopping the abusers who constantly search the internet for vulnerabilities. It's like a city is plagued by burglars and the security experts simply make sure the doors and windows of their buildings can't be forced. They could put in cameras to get pictures of the burglars when they try the window - but instead merely complain about those who don't secure their windows. Of course in this case it's spam, not burglary, and the abuse committed on the other guy's system can hit the security expert's own system, in the form of spam. If the security expert would help rid the community of the abusers then the abuse would be reduced. The security expert would rather point fingers at others and hurl blame than do what he himself could do beyond excluding just one form of abuse. Some expert - he doesn't even look to see how allowing the abusers to continue hurts him.
Who is better placed than an ISP to watch for attempted proxy port abuse? What ISP do you know of that watches? Recent actual experience by someone who did watch showed that many spammers commit the abuse from their own IPs. Watch for the abuse and you find the spammers' IPs (so much for the much-vaunted "anonymity" of the spammers). The spammers aren't that particularly clever: it's mostly that those who could act don't.