Spam Fighting
To track down the origin of an e-mail, you must perform a whois/rwhois,
nslookup/dig, forward/reverse DNS check, and traceroute on the IPs and domains
of the mail servers in the full e-mail header. Spammers hide their identities
by spoofing or obfuscating this info (hexadecimal IPs, fake reverse DNSes,
obfuscated URLs, redirect pages [often “throw away” pages on Angelfire or
GeoCities], and JavaScript-encoded relay pages). Spammers also change IP
addresses and ISPs frequently, send smaller batches and single sends, falsify
the sender's e-mail and server Received: lines, add random characters, and
exploit proxy servers and open relays. By the time you finally report the
spammer to the appropriate abuse desk, the spammer has either been kicked off,
changed ISPs, or (worse) is allowed to continue spamming.
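The header-reading step described above, as an added example that is not part of the original editorial: it finds the one connecting IP recorded by your own mail server (lines below it can be forged) and decodes hexadecimal or single-integer IP hosts in body URLs. The sample message, the server name mx.recipient.example and the function names are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample (RFC 5737 documentation addresses). The top Received:
# line was written by the recipient's server; the lower one is sender-supplied.
RAW = """\
Received: from relay.example.net (unknown [203.0.113.45])
\tby mx.recipient.example with ESMTP; Mon, 1 Jan 2001 10:00:02 -0800
Received: from mail.bigbank.example ([192.0.2.10])
\tby relay.example.net with SMTP; Mon, 1 Jan 2001 10:00:00 -0800
From: "Offers" <deals@bigbank.example>
Subject: constructed sample

Visit http://0xC6.0x33.0x64.0x07/offer or http://3325256711/
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trusted_source(raw, own_mx):
    """IP that connected to our own server: the address to whois and report."""
    for line in message_from_string(raw).get_all("Received", []):
        by = re.search(r"\bby\s+(\S+)", line)
        ip = IP_IN_BRACKETS.search(line)
        if by and by.group(1).lower() == own_mx and ip:
            return ip.group(1)
    return None

def normalize_host(url):
    """Decode a hex or single-integer IPv4 host to dotted-quad, else None."""
    host = urlsplit(url).hostname or ""
    try:
        nums = [int(p, 0) for p in host.split(".")]  # base 0: 0x.. or decimal
    except ValueError:
        return None  # ordinary DNS name
    if len(nums) == 1 and 0 <= nums[0] <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(nums[0]))
    if len(nums) == 4 and all(0 <= n <= 255 for n in nums):
        return ".".join(map(str, nums))
    return None

def obfuscated_urls(raw):
    """Map each body URL with a numeric host to its decoded IPv4 address."""
    body = message_from_string(raw).get_payload()
    found = {u: normalize_host(u) for u in re.findall(r"https?://\S+", body)}
    return {u: ip for u, ip in found.items() if ip}

if __name__ == "__main__":
    print(trusted_source(RAW, "mx.recipient.example"))
    print(obfuscated_urls(RAW))
```

The addresses this returns are the inputs for the whois, reverse DNS and traceroute checks, which need network access and are left out here.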
While SpamCop automates spam tracking
and reporting, spammers still have the upper hand. Users who don’t fully
understand headers might send an e-mail to every address that SpamCop recommends,
making admins of non-offending domains more likely to ignore SpamCop reports
in the future. SpamCop can only submit open relays for testing
and check to see if mail originated from blacklisted
domains; it can’t actually prevent mail from coming from them in the future.
A well-thought-out bounty system would:
- Encourage Spam Reporting: Users tend not to know how or where to
report spam. Bounties could give end users a monetary reward for tracking
down spammers. Those who didn't have time could pass it off to someone else
who'd properly follow up on it.
- Shift Cost on Spammers: It only takes 1 in 100,000 to reply for spamming
to pay off. End users (not spammers!) pay for spam in lost time, cost of
buying spam filters, poor ISPs, or lost e-mail accounts. Making spammers pay
the cost of catching them radically changes the economics of spam.
- Give Spammers Due Process: Accused spammers would get due process,
rather than having vigilantes blacklist them, DDoS, or “pull a Ralsky”
(oh, the irony!).
- Lessen Collateral Damage: If network admins felt that they had
a way to properly shut down spammers, perhaps they could then move beyond
the RBLs that adversely affect legitimate users.
- Improve ISP Response: If each spam report represented money to the
ISP, continued hosting of spammers would be less appealing than collecting
a bounty. Should the ISP not care about abuse on their networks, surely their
network admins would. Many ISPs might even have potential spammers post bond
before being allowed to send out mail.
- Alleviate Prosecutors’ Time. If end users and bounty hunters did
all of the gumshoe work, then prosecutors’ time could be used more efficiently.
- Make the US Spammer Free: One benefit to forcing spammers to move
to other spam-friendly jurisdictions (say, the Caribbean) is that we make
sure that those in US jurisdiction don’t export spam. Network admins could
set up filters giving priority to mail originating in the US and countries
with decent anti-spam laws.
Creative Bounty Hunter Tools
It’s not difficult to imagine the tools bounty hunters would create if bounties
were legalized. Imagine hitting a "report spam" button on your e-mail
client. Hitting that button would report the spam to a bounty hunter, who would
then track down the spammer. Once the bounty hunter got the money, s/he'd credit
your PayPal account. Some might create spam honeypots to track spam to specific
hosts running e-mail harvesters. And others might even create bots that
automatically respond to spammers. (Judging by real correspondence to Nigerian
scammers, could these scammers even tell the difference between a scammee and,
say, an ALICE or Eliza bot?)
Spammers could find the market on their identities frighteningly close
to their current market on our live e-mail addresses.
Techies would soon make a game of hunting down spammers, joining anti-spam
clans and tallying up spam “frags.” (Not a stretch, considering how much time
is spent on projects such as SETI, Distributed.net, The Nigerian Spam Scam
Contest, and NoMoreAOLcds.com.)
Spammers, eager to make a quick buck, might even start entrapping and turning
on each other. ISPs might consider giving free service to those who took the
time to track down spammers.
A bounty system could fund a larger centralized spammer database, which might
help improve some of the limitations of Stanford Law Professor Larry Lessig's
proposed $10,000 bounty on spammers (on which he has wagered his job). A
centralized database would allow us to select those who did more than $10,000
worth of damage—those who use real e-mail addresses (possibly yours?) as their
reply-to, repeat offenders, and those who willingly sell the e-mail addresses
of those asking to be removed. Once we selected the worst offenders, we could
prosecute them differently.
Simple things such as submitting class assignments, ordering groceries, writing
checks, and paying bills via e-mail should not be exclusive to those who can
afford good ISPs and/or client plugins. As e-mail becomes an integral part of
our lives, it becomes increasingly imperative that we make available anti-spam
solutions to everyone. Bounties point us in that direction, without catching legitimate users in the crossfire.
This editorial was written by Roger E. Rustad, Jr. (scubacudaNO&SPAMiname*com). Other GrepLaw contributors no doubt have very different opinions on the best way to fight spam.