Login/New-Account | Search | Submit a Story! | Greplaw!??
- About
- Discussions
- Messages
- Topics
- Authors

- Preferences
- Older Stuff
- Past Polls
- Submit Story

This site is a production of the Berkman Center for Internet & Society. Please email if you have questions, contributions, or ideas about improving this site.

F & F


Open Season on Spammers
posted by scubacuda on Saturday August 30, @12:12AM
from the Roger's-soapbox dept.
News Our current e-mail system is heavily biased in favor of spammers. While blacklists, graylists, whitelists, challenge-response, Bayesian filters, and adaptive blocking all prevent spam, users have virtually no leverage in stopping spammers from abusing their known good e-mail address. A bounty on spammers has the potential to level the playing field for everyone by radically shifting the economics of spam, without hurting legitimate bulk senders. (Click through to read rest of editorial)

Spam Fighting

To track down the origin of an e-mail, you must perform a whois/rwhois, nslookup/dig, forward/reverse DNS check, and traceroute on the IPs and domains of the mail servers in the full e-mail header. Spammers hide their identities by spoofing or obfuscating this info (hexadecimal IPs, fake reverse DNSes, deobfuscated URLs, redirect pages [often “throw away” pages on Anglefire or GeoCities], and JavaScript encoded relay pages). Spammers also change IP addresses and ISPs frequently, send smaller batches and single sends, falsify the sender's e-mail and server received: lines, add random characters, and exploit proxy servers and open relays. When you finally report the spammer to the appropriate abuse desk, the spammer has either been kicked off, changed ISPs, or (worse) is allowed to continue spamming.

While SpamCop automates spam tracking and reporting, spammers still have the upper hand. Users who don’t fully understand headers might send an e-mail to every address that SpamCop recommends, making admins of non-offending domains more likely to ignore SpamCop reports in the future. SpamCop can only submit open relays for testing and check to see if mail originated from blacklisted domains; it can’t actually prevent mail from coming from them in the future.

A well-thought out bounty system would:

  • Encourage Spam Reporting: Users tend not to know how or where to report spam. Bounties could give end users get a monetary reward for tracking down spammers. Those who didn't have time could pass it off to someone else who'd properly follow up on it.
  • Shift Cost on Spammers: It only takes 1 in 100,000 to reply for a spamming to pay off. End users (not spammers!) pay for spam in lost time, cost of buying spam filters, poor ISPs, or lost e-mail account. Making spammers pay the cost of catching them radically changes the economics of spam.
  • Give Spammers Due process: accused spammers would get due process, rather than having vigilantes blacklist them, DDoS, or “pull a Ralsky” (oh, the irony!).
  • Lessen Collateral Damage. If network admins felt that they had a way to properly shutdown spammers, perhaps they could then move beyond the RBLs that adversely affect legitimate users.
  • Improve ISP response: If each spam report represented money to the ISP, continued hosting of spammers would be less appealing than collecting a bounty. Should the ISP not care about abuse on their networks, surely their network admins would. Many ISPs might even have potential spammers post bond before being allowed to send out mail..
  • Alleviate Prosecutors’ Time. If end users and bounty hunters did all of the gumshoe work, then prosecutors’ time could be used more efficiently.
  • Make the US Spammer Free: One benefit to forcing spammers to move to other spam-friendly jurisdictions (say, the Caribbean) is that we make sure that those in US jurisdiction don’t export spam. Network admins could set up filters giving priority to mail originating in the US and countries with decent anti-spam laws.
Creative Bounty Hunter Tools

It’s not difficult to imagine the tools bounty hunters would create if bounties were legalized. Imagine hitting a "report spam" button on your e-mail client. Hitting that button would report the spam to a bounty hunter, who would then track down the spammer. Once the bounty hunter got the money, s/he'd credit your PayPal account. Some might create spam honeypots to track spam to specific hosts running e-mail harvesters. And others might even create bots that automatically respond to spammers. (Judging by real correspondence to Nigerian scammers, could these scammers even tell the difference between a scammee and, say, an ALICE or Eliza bot?) Spammers could find the market on their identities frightening close to their current market on our live e-mail addresses.

Techies would soon make a game of hunting down spammers, joining anti-spam clans and tallying up spam “frags.” (Not a stretch, considering how much time is spent on projects such as SETI, Distributed.net, The Nigerian Spam Scam Contest, and NoMoreAOLcds.com) Spammers, eager to make a quick buck, might even start entrapping and turning on each other. ISPs might consider giving free service to those who took the time to track down spammers.

A bounty system could fund a larger centralized spammer database, which might help improve some of the limitations of Stanford Law Professor Larry Lessig proposed $10,000 bounty on spammers (of which he has wagered his job). A centralized database would allow us to select those who did more than $10,000 worth of damage—those who use real e-mail addresses (possibly yours?) as their reply-to, repeat offenders, and those who willingly sell the e-mail addresses of those asking to be removed. Once we selected the worst offenders, we could prosecute them differently.

Simple things such as submitting class assignments, ordering groceries, writing checks, and paying bills via e-mail should not be exclusive to those who can afford good ISPs and/or client plugins. As e-mail becomes an integral part of our lives, it becomes increasingly imperative that we make available anti-spam solutions to everyone. Bounties point us in that direction, without catching legitimate users in the crossfire.

This editorial was written by Roger E. Rustad, Jr. (scubacudaNO&SPAMiname*com) Other GrepLaw contributors no doubt have very different opinions on the best way to fight spam.

Sexually Explicit Spam a Liability? | Wendy Seltzer on the EFF, Chilling Effects and Opera  >


GrepLaw Login


[ Create a new account ]

Related Links
  • Linux
  • News.com
  • Slashdot
  • whois
  • rwhois
  • nslookup
  • dig
  • forward
  • reverse
  • DNS
  • traceroute
  • IP
  • domains
  • mail servers
  • full
  • e-mail
  • Spammers hide
  • obfuscating
  • this info
  • fake reverse DNS
  • deobfuscated
  • URL
  • “throw away” pages
  • JavaScript encoded
  • report the spammer
  • SpamCop
  • submit open relays for testing
  • blacklist
  • Cost
  • 1 in 100,000
  • economics
  • of
  • spam
  • DDoS
  • pull a Ralsky
  • oh, the irony
  • beyond the RBLs
  • adversely affect legitimate users
  • export spam
  • PayPal
  • spam honeypots
  • e-mail harvesters
  • real correspondence to Nigerian scammers
  • Eliza
  • frags
  • SETI
  • Distributed.net
  • The Nigerian Spam Scam Contest
  • NoMoreAOLcds.com
  • bounty on spammers
  • wagered his job
  • those who use real e-mail addresses
  • repeat offenders
  • blacklists
  • graylists
  • whitelists
  • challenge-response
  • Bayesian
  • prevent spam
  • More on News
  • Also by scubacuda
  • This discussion has been archived. No new comments can be posted.
    Open Season on Spammers | Login/Create an Account | Top | 9 comments | Search Discussion
    The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
    Spamhaus.org and "SPAM GANGS" (Score:2)
    by Seth Finkelstein ({sethf} {at} {sethf.com}) on Saturday August 30, @01:34PM (#1091)
    User #31 Info | http://sethf.com/

    Just look at spamhaus.org [spamhaus.org] and their list of "spam gangs", aka Register of Known Spam Operations [spamhaus.org]

    "ROKSO collates information and evidence on known hard-line spam operations that have been thrown off a minimum of 3 consecutive Internet Service Providers for serious spam offenses."

    People know who the big-time spammers are. Finding them has never been the bottleneck problem.

    - Seth Finkelstein [sethf.com]

    Re:Spamhaus.org and "SPAM GANGS" (Score:0)
    by Anonymous Coward on Saturday August 30, @03:25PM (#1092)
    True, but no current solution has teeth.

    There is one ISP near me whose abuse desk I've called several times re: a particular spammer. The guy at the abuse desk just sighed and said, "I'll report this, but the decision to kick them off is up to my superiors. These people bring in too much money."

    A bounty system make less attractive the idea of providing haven for spammers. If the ISP sits on abuse complains, surely the grunts working the abuse desk will jump on it.

    Re:Spamhaus.org and "SPAM GANGS" (Score:0)
    by Anonymous Coward on Saturday August 30, @03:31PM (#1093)
    What is the bottleneck problem then?
    Bottleneck. "spam gangs", theft-of-services (Score:2)
    by Seth Finkelstein ({sethf} {at} {sethf.com}) on Saturday August 30, @04:07PM (#1095)
    User #31 Info | http://sethf.com/
    Here's the bottleneck:

    "Paying a bounty" is functionally the same as "fining the spammer".

    All the above has done, is to say, at heart
    "Let's ASSUME we can instantly fine a spammer $10,000."

    Great. If we could do that instant fine, there wouldn't be a problem. But the legal system tends not to work that way. That's the bottleneck.

    Remember, again, people know where the big-time spammers are. There's already the central registry at Spamhaus.org [spamhaus.org], the ROKSO [spamhaus.org].

    In fact, this is a cause of some of the broad ISP blacklisting. When a big-time spammer moves ISPs, the word goes out - spammer on the move, pre-emptively blacklist that new ISP if possible, before the spam starts, because likely it will.

    The problem is on the law side (convicting them), not the technical side (finding them).

    I believe we have to start treating these "spam-gangs" as literally, thieves. That's what they are. They hijack ISP's connections for profit. If unauthorized reception of cable or satellite programs is a bona-fide criminal offense, which can get indeed land people in jail, professional spammers should be treated as doing large-scale theft-of-service.

    Otherwise, civil lawsuits are just a cost of doing business for scammers.

    - Seth Finkelstein [sethf.com]

    Re:Bottleneck. "spam gangs", theft-of-services (Score:1)
    by scubacuda (reversethis-{moc.emani} {ta} {aducabucs}) on Saturday August 30, @06:09PM (#1096)
    User #483 Info | http://www.greplaw.org/
    Good points on the bottlenecks being legal, not technical.

    As long as civil suits are the price of doing business, we'll always have spam. Like the previous AC said, none of the current solutions have teeth. The sad reality is that you can complain all you want, but until the users at an ISP complain about being blacklisted, nothing happens to the spammers on that ISP.

    So, Seth, what's your solution? Should the government intervene? Or should we just rely on technical solutions?

    There are a thousand forms of subversion, but few can equal the convenience and immediacy of a cream pie. Noel Godin

    Re:Bottleneck. "spam gangs", theft-of-services (Score:2)
    by Seth Finkelstein ({sethf} {at} {sethf.com}) on Saturday August 30, @06:46PM (#1097)
    User #31 Info | http://sethf.com/
    So, Seth, what's your solution? Should the government intervene? Or should we just rely on technical solutions?

    Yes, the government should intervene, in my view. Though I don't think that intervene is the best word - "prosecute" is better. That is, I believe professional spammers should be thought of as no different from anyone else who commits theft of services, for commercial purposes, on a grand scale. The fact that they are stealing resources to send electronic advertisements is no more a free speech matter than someone misappropriating time on a printing press in order to print physical advertisements.

    Now, someone who runs off a few extra copies of a garage-sale ad on an office copy machine can be distinguished as de minimis. But running a full-scale business off someone else's printer is a criminal offense, even if they don't have perfect security on the machine.

    - Seth Finkelstein [sethf.com]

    Re:Bottleneck. "spam gangs", theft-of-services (Score:1)
    by sdb on Sunday August 31, @10:08AM (#1102)
    User #682 Info | http://cba.okstate.edu/~stephbd
    The problem with this is, as someone just mentioned, that the spamers are paying the ISP, and thus are not stealing from the one entity that can control their activities. As such, they are "paying for their copies." Given todays ISP peering system, the ISP gets to pocket most of that cash, and does not have any incentive to boot off the spammer. Regulation might work, if only to force the spammers offshore, but it will not lower the volume substantially.Stephen Barnes
    Re:Bottleneck. "spam gangs", theft-of-services (Score:2)
    by Seth Finkelstein ({sethf} {at} {sethf.com}) on Sunday August 31, @12:24PM (#1103)
    User #31 Info | http://sethf.com/
    See this article, discussing Barry Shein and ISP "The World":
    Spam Is 'A Thousand Times More Horrible Than You Can Imagine' [internetweek.com]

    At one point, The World was under attack by 200 servers simultaneously "spewing the same spam at us," Shein said. "Little guys with scripts don't break into 200-plus servers and use them to spew at you. It seems like it's beyond what spammers are likely to be making on this stuff." Sophisticated stealth techniques and coordinating multiple servers seem to Shein to be beyond the resources of small spam businesses.

    Right. Beyond the resources of small spam businesses. But what about large spam businesses? That much? Terrifying.

    The hosting ISP is being paid to look the other way while the theft-of-services is done on other ISPs. This is no different from landlords who get paid to have their premises used as the base of operations for theft rings.

    And you're right, as long as it's profitable, it won't stop. That's why it has to be criminal, without fooling around.

    - Seth Finkelstein [sethf.com]

    Note broad blacklisting == spammers known (Score:2)
    by Seth Finkelstein ({sethf} {at} {sethf.com}) on Saturday August 30, @06:54PM (#1098)
    User #31 Info | http://sethf.com/
    Let me stress again - the broad blacklisting arises directly, intrinsically, from the fact that people know where the "spam-gangs" are.

    That broad blacklisting isn't done out of the same reasons as censorware [sethf.com]. Rather, it is done as either a pre-emptive strike, or deliberate pressure tactic, take your pick of rationales.

    But the people who play this game know exactly what they are doing.

    - Seth Finkelstein [sethf.com]

    Humanity has the stars in its future, and that future is too important to be lost under the burden of juvenile folly and ignorant superstition. - Isaac Asimov

    [ home | contribute story | older articles | past polls | faq | authors | preferences ]