Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Spam

Paul Graham: Filters that Fight Back 328

Posted by michael from the auto-DDOS dept.
Mortimer.CA writes "Paul Graham is back with another article about combating spam. It's entitled Filters that Fight Back: 'One intriguing idea is to literally fight back: to make filters disable spammers' servers by automatically following all the links in each incoming email. We may be driven to this in order to achieve accurate filtering anyway. Why wait?' One danger is someone doing a DDoS by sending fake spam."
This discussion has been archived. No new comments can be posted.

Paul Graham: Filters that Fight Back More

Paul Graham: Filters that Fight Back

Comments Filter:

  • And now (Score:3, Funny)

    by CptChipJew ( 301983 ) * <michaelmiller@@@gmail...com> on Sunday August 10, 2003 @12:09PM (#6660034) Journal
    And now thanks to links posted to Slashdot, Paul Graham is being DDoS'd =)

    • Re:And now (Score:3, Insightful)

      by Adam9 ( 93947 )
      I don't think Yahoo will mind too much.

      traceroute to paulgraham.com (216.136.224.156), 30 hops max, 40 byte packets ...
      14 vl48.bas2-m.sc5.yahoo.com (66.163.160.214) 99.528 ms 98.349 ms 99.528 ms
      15 alteon4.128.sc5.yahoo.com (216.136.128.6) 98.575 ms 98.687 ms 98.377 ms

    • Re:And now (Score:5, Insightful)

      by Zeinfeld ( 263942 ) on Sunday August 10, 2003 @02:59PM (#6660838) Homepage
      And now thanks to links posted to Slashdot, Paul Graham is being DDoS'd =)

      Which illustrates the problems that you get when people who have little or no security experience try to do security.

      The problem with hackback schemes of all types is that they always end up having unexpected effects. The basic problem is that when people design a hackback scheme they never consider what happens when someone sets out to abuse it. They assume that the only change to the environment is their hackback scheme.

      A few months ago Paul though Bayesean filtering was the one true solution. The only problem was that people who have spent years working on the techniques he described never achieved results anywhere close to the ones he claims.

      Paul Graham's scheme is not as damaging as some others because the amplifier effect is limited. The message sender only gets five or ten messages created for each spam sent. But even that could make a profitable scheme for someone trying to get their site promoted in a 'most visited list'. If they have pay per view adverts they can rake in quite a few bucks - as much as a cent for every spam sent. Far from discouraging spam this scheme would create a new incentive.

      BTW the guy who said 'there is no fake spam' is right depending on the definition you use. If you use the definition 'unwanted email sent indiscriminately' then he is pretty much right. If on the other hand you define spam as 'that which our filters decide is spam'... (I kid you not, folk do try to get that type of definition accepted). The exception would be satires like 'make penis fast'.

      There are similar problems with the folks running blacklists, they think that they understand everything there is about spam but don't realize that the systems they set up can be and will be gamed. Every partisan political mailing list of every stripe that has a significant number of readers gets blacklisted from time to time as people sign up for the list in order to be able to report it as spamming.

      Try to explain to either group that there is a problem and they get majorly defensive. You get accused of wanting to help the spammers, etc. etc. When people start getting defensive like that in response to fair questions you are in big trouble.

      The way to deal with spam is to treat it as a security problem. We deal with security problems using access control - authentication and authorization. We need to start with robust authentication mechanisms that hold ISPs responsible for the messages sent from their domain. These need to be accompanied by robust authorization mechanisms that allow recipients to judge whether the sender is honest.

      • Re:And now (Score:3, Insightful)

        by Gruturo ( 141223 ) *
        A few months ago Paul though Bayesean filtering was the one true solution. The only problem was that people who have spent years working on the techniques he described never achieved results anywhere close to the ones he claims.

        Your mileage may vary. Mine is excellent, for example. I've been using a Naive Bayesian filter, POPFile [sourceforge.net], for a while now, and I'm at 99.74 accuracy with 11564 classified messages and 29 errors. (For the record, 15 spams filtered thru and a few friends jokes, honestly looking a bit

      • Re:And now (Score:3, Insightful)

        by KevMar ( 471257 )
        If the spam site gets paid on views, the advertisers are expecting a percentage to click on adds. If every site is visited, but the links on the site are not clicked (or links that do not leave the domain) the click percentage will go down and advertisers will pay the sites even less. also, the increased banwidth bill will add cost.

        We would have to strip out any identifying code in the urls to prevent added spam from email validation

  • response to the lister's comment (Score:5, Informative)

    by ih8apple ( 607271 ) on Sunday August 10, 2003 @12:11PM (#6660046)
    In response to the comment: "One danger is someone doing a DDoS by sending fake spam"

    From the article notes: "[5] The best way to protect against abuse might be to have the central authority whitelist every site by default, and then, by whatever protocol, take certain sites off. Because you can look at the sites before taking them off the whitelist, there is little danger of people abusing this system to attack an innocent site."
    • Rule zero of spam: spam is theft (of other people's time and facilities). The trend, as anti-spam techniques get smarter, is for spammers to engage in more theft to offset their increasing costs.

      We've already seen viruses doing the rounds which act as open proxies for spammers and/or reverse proxies to hide the spammer's real websites. If these intermediate reverse proxies act as caching proxies, then the spammer is insulated from bandwidth costs by offloading them onto unwitting third parties. Steal enoug

    • SETI@HOME ? (Score:5, Interesting)

      by axxackall ( 579006 ) on Sunday August 10, 2003 @02:32PM (#6660712) Homepage Journal
      I think that some sort of SETI approach can be used:
      1. your filter recognizes the spam and gets URLs from it;
      2. all such URLs are gathered in the central authority and statistically verified (how many filters have claimed the same site);
      3. only the most often claimed sites are left in the list, while more rarely claimed sites are considered as claimed by mistake or by the anti-filter attack;
      4. people willing to help to fight spam download the screensaver aka SETI@HOME, working at your CPU and net idle time;
      5. the screensaver downloads the fresh list of sites to be fought back along with a centrally generated schedule;
      6. the filter actually attacks back at the scheduled time points (if it's still the idlle time for client PC), not massively from the individual PC (so it doesn't look suspicious for the individual client *AND* it doesn't create any peak bandwidth problem for the attacker);
      7. the spammer's web site is /.ed;
      All problems I see resolvable:
      • a schedule must be smart to avoid a local bandwidth problem, but still flood the spammer, but with many such screensavers even a smooth atack will be not very smooth when it's multiplied to millions;
      • a central authority can be a subject for a counter-attack as well (will it start cyber-wars?), but if the central authority will really decentralized (p2p, SETI, other techs) that it should not be a problem;
      • spammers may use some sort of logging, but what can they do with it?
      • to avoid if someone will organize the fake claim in order to /. the innocent site, statistics should help - only really massively claimed sites will be counted;

      The main idea of the spam is to send email massively on a very low cost. So if the attack will be also very massive, it will increase their cost of operation and at least some of them will go out of business.

      Any attmpts of spammers to go through filters will not work, as you can manually submit the spam claim to (what is its name? NOSPAM@HOME?) the central authority. If the amount of such claims will be big enough, then the claimed sites will be included.

      • Re:SETI@HOME ? (Score:3, Insightful)

        by Pieroxy ( 222434 )
        all this is a neat idea, but there is still a couple of problems unresolved:

        1. There is a small company that I dislike. What prevents me from hacking their ip address and send shitload of spam in their name?
        2. automatic or manual retaliation comes back to making justice yourself which is inherently illegal (at least in the us).

        • NOSPAM@HOME ! (Score:3, Insightful)

          by axxackall ( 579006 )
          Let me think:

          There is a small company that I dislike. What prevents me from hacking their ip address and send shitload of spam in their name?

          In my opinion it is posible to have a statistical analasys that would be capable to distinguish it unless you organize a really big attacke. On the other hand, a central (even if it's distributed) autority may help to gather a witness evidence against your unfair anti-competitive practice, which would be rather difficult if such NOSPAM@HOME project would not exist.

  • Following links validates your address (Score:5, Interesting)

    by PeekabooCaribou ( 544905 ) <slashdot@bwerp.net> on Sunday August 10, 2003 @12:12PM (#6660054) Homepage Journal
    If I load an image or a link from spam, it's possible that a spammer could be validating my e-mail address for future sale, or perhaps increased spamming since he knows someone is actually reading the message. For example, http://server.foo/image.gif?id=ab0a98df12j3 could be unique to the spam that was sent to me. If any user-agent accesses that URL, the spammer knows that my e-mail is active and I'm reading his junk. I don't know if they actually do this in practice, but I'm wont to load HTML messages because of it.

    • Re:Following links validates your address (Score:5, Interesting)

      by hankaholic ( 32239 ) on Sunday August 10, 2003 @12:16PM (#6660070)
      I've been thinking for a while about maybe having a Slashbox that displays images included in spam in a 1x1 pixel box.

      Every load of Slashdot would hit spammers' servers.

    • Re:Following links validates your address (Score:4, Interesting)

      by koehn ( 575405 ) * on Sunday August 10, 2003 @12:27PM (#6660122)
      Actually, the opposite would happen: since all links in all spams get hit, this technique would make putting UIDs into URLs worthless for the purpose of authenticating users.

      Spammers would need another mechanism to attempt to authenticate who reads their messages. I like it.

      What do you think about downloading IMG tags? It would hurt the server's bandwidth, but it would hurt my mail server's bandwidth, too. Maybe use one of the many open proxies out there instead, kill their bandwidth, maybe close the open proxy... ooh, that's evil! I really like it!

      If there were a sig here, would you read it?

      • Actually, the opposite would happen: since all links in all spams get hit, this technique would make putting UIDs into URLs worthless for the purpose of authenticating users.

        I don't think so. All links in all spams wouldn't get hit.

        • Mail that got swallowed or bounced undevlierable wouldn't follow the links.
        • Mail that went to non-punishing email clients (like companies who are afraid of liability when DDOSing sites) wouldn't hit the URL.

        And there are many reasons not to punish. I would, but I've got

        • Re:Following links validates your address (Score:5, Insightful)

          by LordKronos ( 470910 ) on Sunday August 10, 2003 @02:29PM (#6660699)
          That's not going to work. All you are going to do would be to needlessly DOS www.geocities.com without any particular spammers site being identified. Geocities would have no way to identify which site is the spammer's, and their hourly bandwidth would never get used up, and thus would still be available for those who click on the links.

          Also, consider that spammers could move the identifier to the other end of the url. Just have *.spammer.com or www.*.spammer.com resolve to the same site, and start putting the identifiers in the domain. They could even use random dictionary words as the identifiers to make it more difficult to pick out. The only way to combat that would be to have a system that compares the URLs from several spams and figures out which parts of the URLs changed per user.

      • Actually, the opposite would happen: since all links in all spams get hit, this technique would make putting UIDs into URLs worthless for the purpose of authenticating users.

        But it's not there to authenticate a user; it's just there to authenticate that the email address is actually live rather than a bogus one like nobody@example.invalid. Spammers already use this trick, including uniquely coded urls into each email to track which users actually open the mail, and autoresponding is a possible problem.

    • Do they really care? (Score:3, Informative)

      by eddy ( 18759 )

      My hotmail account gets relentlessly spammed even though I _never_ follow any links from spam or let it load any images. Even before Hotmail introduced the "don't load inline images" feature I always disabled javascript + images before opening any suspected spam.

      Basically, can it get worse? They never seem to remove inactive accounts anyway.

      I have a domain registered which I've owned for three years, and it's still getting spam for accounts related to the previous owner of said domain. My mailer says "n

      • Re:Do they really care? (Score:5, Informative)

        by Anonymous Coward on Sunday August 10, 2003 @12:40PM (#6660185)
        You can have a domain/subdomain with no A records or MX records and they will keep trying. You can also have nothing but blackhole MXs - hosts that don't exist, but are on routable networks. I've had a domain since 1994, and it was in one of the above states for about 2-3 years.

        Last month I put a real MX record in there and pointed it at box that's running a mail server. Sure enough, the spam flows continuously. It's not just the "make up random shit and put @aol.com" idiots either - the big outfits with permanent networks and domains are mailing it too.

        I've taught my mail server to quarantine any host that attempts to mail my long-dead domain, so having it go to a routable address is actually useful again. Every attempt they make ruins another open proxy or relay for every other spammer that may find it later.

        You might consider using those "never valid/previous owner" accounts as spam traps. Anything coming to them now is obviously worthless, so why not make them suffer for trying?
    • I'm wont to load HTML messages because of it.

      Wont means you're disposed, or likely, to do something. If I read your (insightful) post correctly, I take it you're hesitant to do so.

  • Some spammers would love this. (Score:3, Insightful)

    by www.sorehands.com ( 142825 ) on Sunday August 10, 2003 @12:13PM (#6660055) Homepage
    In the situation where the spammer gets paid by hit, the spammer would be rich overnight. But, then the customer might see somthing a little fishy, then start asking questions.
    • And another super-smart spam sending mechanism will be developed to bypass defences. And another group of people will think a perfect method to defence against it, and so on, and so on.
    • Exactly. Someone mod the parent up :)

    • The people who PAY spammers would not (Score:5, Interesting)

      by The Monster ( 227884 ) on Sunday August 10, 2003 @12:45PM (#6660201) Homepage
      In the situation where the spammer gets paid by hit, the spammer would be rich overnight. But, then the customer might see somthing a little fishy, then start asking questions.
      So you're saying that the long-term effect would be to destroy the spammers' business model?

      Looking for a downside to this plan . . . still looking . . . Nope. I can't see one.

      • the long-term effect would be to destroy the spammers' business model?

        Uhh, WHAT?

        The spammers business model is "use email to steal as much money from everyone as possible." It has no "long term".

        Spammers don't care about keeping their customers happy, so attempting to use this to destroy their business by making their customers unhappy is doomed to failure.

        Looking for a downside to this plan . . . still looking . . . Nope. I can't see one.

        Then you're not looking hard enough.. this will encourage sp

        • Spammers don't care about keeping their customers happy, so attempting to use this to destroy their business by making their customers unhappy is doomed to failure.

          I think the post you replied to, as well as its parent, were speaking of pay-per-click schemes. The original parent meant "customer" as in the person who hires the spammer, not the person who buys the products.

          A fair portion of the spam I get seems to promote pay-per-click programs, especially the porn spam. Spammer signs up as an "affiliate" of

  • Dangerous from a legal perspective (Score:5, Insightful)

    by hardaker ( 32597 ) on Sunday August 10, 2003 @12:15PM (#6660066) Homepage
    What about phrases like "by clicking on this link you agree to let us call your house" kind of things (where the link containers a token for identification purposes). Having a filter auto-follow links could be really dangerous then.

    The interesting thing is how the courts would end up viewing auto-clicks vs manual clicks. I'd bet that if a user set up a filter then it would be effectively view as the user doing the clicking...

    • ``"by clicking on this link you agree to let us call your house" kind of things (where the link containers a token for identification purposes). Having a filter auto-follow links could be really dangerous then''

      So it would be necessary to make changes in the law to forbid `auto-agreeing' techniques. And we will have one less problem.
      • yeah, but its how slow the law changes that should scare you.

        Plus you know the law would be written like "A computer user must manually actively active a link for a legal binding to have an effect; All computers must enforce digital rights management"

        which not only allows for click-through-licensing but ties on a second hidden agenda (pick your topic). Everyone will think the first sentence would do what they wanted and not care about the rest. Hmm... sounds like I'm kind of bitter about the current

      • ``"by clicking on this link you agree to let us call your house" kind of things (where the link containers a token for identification purposes). Having a filter auto-follow links could be really dangerous then''

        This was anticipated in the Web Specs which since 1992 have clearly said that clicking on a GET link creates no form of binding contract.

        In any case any contract formed in that manner would be a contract of adhesion and invalid.

        If it were otherwise Google would be entering into all sorts of con


    • What about phrases like "by clicking on this link you agree to let us call your house" kind of things


      By reading this message you agree to give me $50.

  • We're going mobile! (Score:5, Funny)

    by Superfreaker ( 581067 ) on Sunday August 10, 2003 @12:15PM (#6660067) Homepage Journal
    /.ing moves from the web, right into your own mailbox! All the fun of crushing someone elses website without all of the work of clicking those tiresome links.

    Note to self: Move web site off of modded GameBoy running apache.

  • horrid legal thought (Score:4, Interesting)

    by BobTheLawyer ( 692026 ) on Sunday August 10, 2003 @12:18PM (#6660076)
    a deliberate denial of service attack is illegal whether the victim is an innocent website or an evil spammer. There is no internet equivalent of lawful self defence.

    If a spammed website is brought down by a method such as this, it wouldn't altogether surprise me if they sued the maker of the software responsible. Matters would be complicated if, as they might, they deny responsibility for the original spam e-mail.

    (This is the case in the UK, I'd guess the position will be similar in the US but IANAAL (I Am Not An American Lawyer))

    On the other hand, the "scan the spamvertised website for its content" sounds a great technical approach.

    • Re:horrid legal thought (Score:5, Insightful)

      by Todd Knarr ( 15451 ) on Sunday August 10, 2003 @12:24PM (#6660113) Homepage

      Why would it be illegal? The spammer put the links in the e-mail, obviously intending people to follow them (especially if they make reference to something being available at the linked site in the rest of the text). If far too many people follow the links and the site is brought down, how is that any more unlawful than Slashdot linking to a site in a story and the sudden burst of traffic bringing that site down?

      I think the idea's dangerous for another reason, though. As noted, a spammer could easily include links to sites he doesn't like and let the traffic spike take them down.

      • Think of it this way, a website is like a 1-800 number; you pay for the number, you pay every time someone uses it, and you have a finite number of people you can serve at once. Now, some people have reccomended dial-spamming SCO's 800 number, which is borderline illegal, since you're tying up their system, preventing real customers from contacting them, and costing them money at the same time; something that's sure to get law enforcement's attention sooner or later.

        The difference with the /. effect is tha

        • Right, except for one thing. If a couple hundred people each dial that 800 number 100,000 times each, the courts would probably find that illegal. But, if each of the 100,000,000 recipients of an advertisement called that 800 number once, you'd get the same result but the courts would almost certainly rule that there was nothing illegal going on. Whether the people were interested in buying anything or not, no one of them did anything even unreasonable. Even if they simply want to complain about the adverti

    • Wrong! (Score:2, Insightful)

      by amjohns ( 29330 )
      While the net effect is DDOS-like, we're only doing EXACTLY WHAT THE SPAMMERS WANT! They asked us to visit their webpages, so we did. This is 100% legal, and no court (or jury at least) would see otherwise.

      But you've got to watch out for unique tracking images so as not to validate your email address.
    • a deliberate denial of service attack is illegal whether the victim is an innocent website or an evil spammer. There is no internet equivalent of lawful self defence.
      Just do what the /\w{2}AA/i does - change the semantics. We aren't ddosing them, we are localy cacheing the website for future viewing.... And possibly checking for updates every 2 seconds (heck, even internet explorer can do that!)
    • I see no problem here. This is similar to having a secretary presort my mail before presenting it to me.

      If somebody sends me a piece of mail, and my secretary sees something which may be of interest, she may call the sender to determine whether the piece of mail is truly of interest or not.

      Whether she determines that the mail is of interest to me or not, in sending the mail the advertiser invited me or an agent working on my behalf to investigate what they have to offer.

      If the secretary, assistant, or sp
    • Ah, but this isn't a deliberate DoS attack! This is just visiting links in emails to get some information about the email itself. And if the site goes down due to bandwidth spikes? Just a convenient side effect, like the slashdot effect going into "righteous wrath" mode.
    • If a spammed website is brought down by a method such as this, it wouldn't altogether surprise me if they sued the maker of the software responsible.

      Yet *another* upside: make sure that the auto-linker uses IE!!!

  • This is stupid! (Score:4, Interesting)

    by MoogMan ( 442253 ) on Sunday August 10, 2003 @12:18PM (#6660078)
    Seems a bit retarded to at least double the bandwidth drain from spam. Its bad enough as it is. This is *not* a viable solution, unless the spammers happened to be one hop away...

    • Re:This is stupid! (Score:3, Insightful)

      by rabbar ( 694056 )
      Actually it's quite clever. The spammers website would quickly have it's bandwidth consumed to the point where most automated accesses to it would timeout without actually consuming more than minimal bandwidth. It's an automated, legal denial of service attack on not only the spammer but also on the ISP that hosts the spammer.
    • This is brilliant. It costs the spammers little bandwidth to send out SMTP messages. But if we start downloading their graphics-rich webpages, and reloading repeatedly, we'll drive their bandwidth through the roof.

      The point is not the user's bandwidth, this is really a DDOS, but since the spammer's asked for it (literally, not just figuratively), it's OK.
      • This also provides incentives for spammers to provide a link to an unsubscribe page that works, preferably (for everyone, including the spammer) to a page that unsubscribes you for just visiting it. That way, only the users clueless or stupid enough to be unprotected will get repeat spam, and the bit bandwidth problem will go away. Hooray!
  • I like the idea, anything that drives up the cost of sending spam above the value derived from spamming is a good thing. I'd also like to see some automated poisoning of things like mortgage solicitations. This type of spam is really intended to simply get your name, address and phone number which are then sold to mortgage brokers for further solicitation. The mortgage brokers pay $10-50 for these lists of name, if the lists were filled with automated junk information the value to the mortgage brokers wo
  • Whitelists already exist to a degree - if the email is in razor, and you've marked it as spam, then it's been checked as a human, using a trust network, to be spam. Simply follow links if the spam is also in razor...

  • Needs Critical Mass, but how do you tame it? (Score:3, Interesting)

    by globalar ( 669767 ) on Sunday August 10, 2003 @12:26PM (#6660121) Homepage
    "We should try to ensure that this is only done to suspected spams"

    I am not sure that is 100% possible. In light of that reality, this might just punish any server, not necessarily attached directly to the spammer. For example, if I wanted to shutdown a site, couldn't I spam a million inboxes with that site's address?

    I could see this solution, when mismanaged, merely creating lots of extra, meaningless traffic as well.

    I am all for doing something to inconvenience spam, but it seems that the most effective solutions always come at a direct cost to everyone. For example, I have read about adding a small CPU penalty calculation for every email sent. This new solution isnt quite as distributed - it adds traffic to networks and places loads on servers, but its still a penalty.

    I guess the real challenge is finding a way to penalize the spammers and no one else. Good thoughts, and honestly if my client supported a "punish mode," I think I would be tempted to use it with the same careless sense I apply delete.
    • I am not sure that is 100% possible. In light of that reality, this might just punish any server, not necessarily attached directly to the spammer. For example, if I wanted to shutdown a site, couldn't I spam a million inboxes with that site's address?

      I could see this solution, when mismanaged, merely creating lots of extra, meaningless traffic as well.

      Yes, it does offer another means of initiating a DDOS attack on somebody you don't like, but it's not as though there aren't enough of those avaialble al

  • Comparison of Bayesian spam filters (Score:5, Informative)

    by kreide33 ( 41337 ) on Sunday August 10, 2003 @12:27PM (#6660124) Homepage
    I recently switched from a keyword-based spam filter to a bayesian filter. However, there exists several bayesian filter projects and the choice of which to use is not obvious. Therefore, I decided to do an actual test and write up my findings in a review so others can benefit as well. Read it [dataparty.no] and find out how to win the War on spam.

    • Re:Comparison of Bayesian spam filters (Score:5, Insightful)

      by __past__ ( 542467 ) on Sunday August 10, 2003 @12:38PM (#6660176)
      I always wondered how Graham felt about the hundreds of Bayesian filters written after he published his article. After all it was supposed to be a killer feature of a webmail system he (together with others, of course) writes to demo his Arc [paulgraham.com] language.

      Then again, he's probably still insanely rich from the ViaWeb (a.k.a Yahoo! Store) deal, and doesn't really have to care about lost business advantage much. Becoming a millionaire to be able to concentrate on hacking seems to be a good career plan :-)

      • I've always wondered how Paul Graham has managed to get so much hype built up about his work. The idea of using Bayesian filters to classify spam had been around about 5 years prior to his "A Plan For Spam" - check out, for example, this paper by Mehran Sahami (a very cool guy who works here at Stanford as well as at Google) from 1998: http://citeseer.nj.nec.com/sahami98bayesian.html [nec.com] (and if you search around on Citeseer you'll undoubtedly find many other papers on spam classifying from even earlier, thoug

  • Filter web-pages through bayesian filterss (Score:5, Interesting)

    by flux ( 5274 ) on Sunday August 10, 2003 @12:28PM (#6660134) Homepage
    How about using the bayesian algorithms we have today and apply them to the referred web pages? I'm sure they would have plenty of good material for the filters to detect.. Plus this would propably be more effective with spam that effectively is only an url.

    Secondly, I don't call this any kind of DDoS, even though it might seem such to spammers (is slashdotting a DDoS?). If anyone sends me a mail with an url, chances are they _want_ me to check it out. If my system fetches the pages and stores them to a cache, I'm doing exactly what the sender wants. (Mailing lists may be a problem though.)

    Thirdly, does it really hurt you to let spammers know that your address is valid? Chances are the address will receive spam nevertheless..

    • How about using the bayesian algorithms we have today and apply them to the referred web pages?

      You mean doing exactly what is described in the article?

      If the spam is waiting on the site, why not have filters go look at what's there? You could apply the filtering algorithm pretty much unchanged to the contents of the site

      Dammit, people. Sure, there are stupid people out there, and many of them post at times. But if you're going to moderate, PLEASE read the article yourself!

      Here's to hoping M2 does its job i

  • another approach (Score:3, Interesting)

    by mwilliamson ( 672411 ) on Sunday August 10, 2003 @12:29PM (#6660141) Homepage Journal
    I think this approach would be rather simple to implement

    1. Copyright my gnupg/pgp public key and write a EULA outlining its use. Here is where I'd explicitly disallow unsolicited advertisement.
    2. Have procmail or some other filter direct all non-pgp mail to /dev/null
    3. If someone sucessfully sends me encrypted email having violating the EULA of my gnupg/pgp key, pursue legal action against them.
    4. Enjoy my spammless mailspool

    There are other fringe benefits...the overhead encrypting to a large number of keys would certainly slow a spammer's throughput down. Also, this would encourage the use of widespread secure email.

    • Except for a work to be considered protected by copyright laws, the creation of the work must have involved some kind of creative process. "Works" that can be mass generated, such as public key pairs, could never be copyright protected.
    • I'm assuming you don't subscribe to any mailing lists, or get important email from cron or any other automated tasks.

      Go ahead and try to get the court to enforce a license agreement on a PGP key. If you can afford the legal fees, it'll just reestablish my faith in America as the land where even idiots can end up with more money than they know what to do with.

  • I'm 1337 (Score:5, Funny)

    by MoeMoe ( 659154 ) on Sunday August 10, 2003 @12:31PM (#6660151)
    One danger is someone doing a DDoS by sending fake spam

    I'm sorry but spoof's dont usually work to well on me... I'm 2 1337 to be fooled.

    Seriously though, if you just take a little more time to look into the header contents of that "penis enlargement" ad, you might find a pretty new IP addy to "play with" *cough* BO2K *cough* or atleast the real route that this spam took to get to you, just follow the yellow brick road back up to Mr. 12 extra inches and... well, you decide your own punishment for 'em ;)

    Besides, it's not like you need that ad... do you?

  • Fake Spam?? (Score:2, Funny)

    by GeekZilla ( 398185 )
    "One danger is someone doing a DDoS by sending fake spam"

    Isn't fake Spam uh...Spam?

    Isn't that like saying "I want you to separate the flammable material from the inflammable."

  • Thoughts on active countermeasures and relays... (Score:5, Insightful)

    by atcroft ( 123896 ) on Sunday August 10, 2003 @12:41PM (#6660188)
    Just finished reading the section of the article that was headed as "Filters that fight back." I think that the biggest issues that keep such an approach from working are fundamental features of the e-mail infrastructure itself: 1) the lack of verification, and 2) the store-and-forward and replicative nature of email itself.

    In other systems I am aware of in which active countermeasures may appear (such as firewalls, and tcpwrappers), the adversary can be established with reasonable certainty in most cases; however, because the From and Reply-To addresses can be (and often are) forged and most owners of relaying machines are unaware they are misconfigured, it seems doubtful countermeasures would work at that step. If one uses the URLs, as suggested in the article, it is not guaranteed that the "million" emails sent out will hit the next server along their path at a particular time, so it seems doubtful you can guarantee a massive traffic burst at once. Indeed, what may be seen instead is incremental bursts of traffic at the delivery retry intervals of various mailserver software.

    Other questions also arise, such as: 1) how much additional load will a mailserver experience from hitting the links; 2) what additional security issues are introduced in doing so (what if, for instance, the code to do this results in a security vulnerability); 3) how can it be done in such a way that DDOS attacks against innocent victims can be avoided; and 4) how can you get enough people to both upgrade their systems and cooperate in a useful way to do this. Issues 1 and 2 are probably obvious questions to ask-issues 3 and 4, however, I believe suffer from the same weaknesses as some of the current BL schemes. Also, some localities have legal codes which prohibit the interruption of legitimate access to a system, and the server in this case definitely has a way to track back to you at that point, which potentially make participants vulnerable to legal or civil actions.

    While I admire Mr. Graham and his efforts in the spam-wars, and find it an intriguing idea, I do not think this approach will truly be successful until changes are made to the underpinning email system that may reduce some of the issues mentioned, but hopefully will themselves make an impact on the issue without being too onerous to prevent wide-spread adoption.
    • Answers:
      1. If this caught on in a big way, almost certainly less load than spam imposes on its own, assuming that this was run on the servers. However, since Bayesian filters are best left to the individual to personalize to their own specific preferences, the load would likely be distributed across the clients (such as Mozilla), as opposed to the servers.

        Graham did mention users with broadband connections, implying that this would be something that the client would pull down.
      2. Fetching an HTTP request and

  • Interesting side-effect (Score:3, Interesting)

    by leetrum ( 627303 ) on Sunday August 10, 2003 @12:46PM (#6660207)
    An interesting side effect of this strategy would be that it would be harder to track comissions based on per-click (instead of per-sale) for the sites employing spammers, thus limiting their income to people who buy (which can gernerally be a better comission anyway, but not offered by all these seedy companies).

  • DDoS with IFRAMEs (Score:5, Informative)

    by The Famous Brett Wat ( 12688 ) on Sunday August 10, 2003 @12:50PM (#6660220) Homepage Journal
    The problems with spam-based DDoS are bad enough already. Many HTML mail readers honour IFRAME tags, so if you want to DDoS someone, then just combine a Joe Job (fake their identity, advertise their site) with an HTML mail that contains N IFRAMEs, each set to be one pixel high and refer to a large page on the victim's site. Anyone who reads the spam in an uncautious HTML-capable mail client (of which there are still way too many) will subsequently attempt to fetch the specified page N times, unless you're lucky with intermediate caching proxies or the user hitting the stop button.

    Such an attack on Nutters.org forced me to stop doing my own hosting on a DSL line, since it got utterly swamped and cost way too much in bandwidth. Amusingly, it has forced me into using a much cheaper and higher bandwidth service -- one where such attacks are no longer my problem. The rules of the game have changed for me, though: I no longer consider it viable to host a website on a low-bandwidth leaf node like a single DSL, even where normal usage would make it seem acceptable, since it makes you a sitting duck for this kind of attack. I still can't imagine why anyone would want to target Nutters.org; being small and unworthy of attack doesn't seem to be a good defense anymore.

  • Bandwidth (Score:4, Insightful)

    by Have Blue ( 616 ) on Sunday August 10, 2003 @12:51PM (#6660223) Homepage
    I thought the primary complaint against spam was that it uses too much bandwidth. Wouldn't this proposal waste even MORE bandwidth per spam?

  • Paul's good at this stuff, but this is no good... (Score:5, Insightful)

    by wavecoder ( 695422 ) on Sunday August 10, 2003 @12:52PM (#6660231) Homepage Journal
    The way I see it, these are the beefs people have:
    • Multiplies bandwidth exponentially, automatically. Big corporations, especially, would be hacked off by this, and it has the added downside of slowing whole sections of the net (imagine what happens when a college dorm gets hit and 800 little bots go check out the site 57 times...).
    • Accidental DDoS on good sites - yes, Victoria, spam can be spoofed VERY convincingly.
    • Accidental DDoS on good sites (2) - if you've ever maintained a mailing list of more than 20 people, you know that, eventually, some idiot complains he/she got spammed, even if they double-opted in. I've been accused of spamming when I was quoted 2/3 of the way into someone else's (double opt-in) message! I know great sites that are blacklisted, out of human stupidity, alone.
    • Accidental DDoS on good hosts - imagine the impact on any shared host, or even some virtual hosts, when one bad client mails 5 million spams - before they could react, they could be taken offline!
    • Bad programmers (gasp!) - yes, those exist, and some of these filters could really go haywire and start thrashing all sorts of sites.
    • Lawyers - IANAL, but I shudder to think what happens the first time Microsoft or Big Blue sues some programmer, because an abused copy of their software took them down for an hour! (What is the M$ site worth, per hour? Too much, for sure.) Granted, the suit should go the other way, but that's another topic.
    • Abuse of ISPs - you'd be amazed how many ISPs will pull the plug on paying accounts for even innocent behavior (like sending 1,000 messages on a DSL account in under an hour, even if it's a business and all the messages are unique). This could get a lot of folks kicked offline.
    There are probably others... My thought is this - build a really good, Bayesian, SBPH filter like CRM114 [sourceforge.net], and incorporate a "grab questionable sites" option for the "spams of the future," then filter that page as though it were spam. That'll get us all up into the 99.9% range (the noise), and spammers will eventually either (a) go out of business, or (b) only be able to get their messages to the few people that think they're worthwhile, anyway.

    My $.02.

    -Ed

  • Confirmed opt-in mailing lists. (Score:4, Insightful)

    by SSpade ( 549608 ) on Sunday August 10, 2003 @12:56PM (#6660246) Homepage

    Has anyone considered what this will really do? It'll have next to no impact on spammers.

    However, lots and lots of legitimate opt-in mailing lists are following best practices by requiring a closed-loop opt-in with a magic cookie to prevent forged signups.

    How do they work? Well, usually you follow a URL containing a magic cookie in a challenge email to confirm you want to sign up for the mailing list. Oops.

    (For added brokenness, combine this with the other flawed anti-spam fad-du-jour, challenge/response).

  • Another idea (Score:3, Interesting)

    by skinfitz ( 564041 ) on Sunday August 10, 2003 @12:59PM (#6660262) Journal
    Why not just have the filter reply to the sending address with it's own randomly generated addy and auto drop those messages that use fake addresses that bounce? This could be done within seconds in most cases. The only issues here would be storage of the spam and how long you wait. It could be done by "keeping the spammer on the line" during the SMTP transfer also causing the transmission of spam to be delayed.
    Could it work?

    • Re:Another idea (Score:3, Informative)

      by hankaholic ( 32239 )

      Could it work?

      Define "work".

      What you're proposing is that you send a message in response to every message you receive. Furthermore, you're suggesting that the message you send in response have an invalid (random) return address.

      How is this a good idea?

      Okay, say machine scott@b.com is sending to larry@a.com. Assume that all machines are running your "callback" software.

      B connects to A. A holds the connection open, as you proposed, and sends a message to scott@b.com, with a forged header so that it looks

  • collateral damage? Not really (Score:3, Interesting)

    by swordgeek ( 112599 ) on Sunday August 10, 2003 @01:00PM (#6660266) Journal
    I've seen a few posts about the possibility of collateral damage--deliberately targetting someone else's server as the target of an auto-DDOS. Someone also mentioned hijacking a server, and then bringing it down.

    The thing is, it's no easier to do it with this proposed system than anything that's currently available. In this case you have to download (buy?!) a copy of spamming software, get a list, and then run a DDOS that's actually traceable back to you. Good plan? Not by my thinking.

    Now the nice thing about this is that it will end up costing an inordinate amount of money for the spammer, take down their servers, and really piss off their ISP. (Watch the pink contracts dissappear!) This is a fairly drastic measure that might actually get rid of many spammers for good.

    Basically, it's either this or a crowbar to the head.
  • This is a great idea, but you need to do it on the server, not (just) on the client.

    How's about as a plugin to SpamAssassin? Scan the icoming email as usual. If it's determined that it's unlikely to be legit, pass it on to the URL scanner. Auto-whitelist hotmail.com and other common URL taglines etc. Follow each of the other URLs in the message.

    Optional: If, after scanning the URLs, the pages linked to are determined not to contain spam, pass the message back to SpamAssassin flagged as clean and for deliv
  • of dealing with spammers and other nefarious miscreants has its merits.

    I am not talking tar and feathers or lynch mob scenarios (the merits of which cannot be denied though). I am in favour of the high-tech "put the spammers address and personal info on Slashdot" old fashioned way. It seems to work best as the targetted spammer was really steamed...

  • Sorry, bad idea (Score:5, Insightful)

    by mikeswi ( 658619 ) on Sunday August 10, 2003 @01:20PM (#6660355) Homepage Journal

    When my newsletter (confirmed Opt-in for the NANAE people who may be reading) goes out every Tuesday and 8,000 people open it, how am I supposed to deal with these filters DDoSing my site? For that matter, how do I deal with these filters attacking my site when some other newsletter links to it? What do I do when I piss off Ronnie Scelson and he links to every individual page on my site and spams 100,000,000 people with them?

    Links are more likely to be found in legitimate email than in spam. We're going to whitelist every single existing domain on Earth, and then remove the bad ones? Do you have any idea how large that list would be and how long it would take to download it to compare with the domains found linked in an email?

    Let's say this idea becomes used widely. It will be used as a weapon by the spammers themselves.

    1.) Pay-per-click links sent in mass mailings. Spammer gets paid for every link clicked. I'm sure some of the advertisers will get wise, but there will be plenty who just sign the checks without looking deeper.

    2.) Ronnie Scelson or Alan Ralsky get pissed at someone who owns a web site (SPEWS perhaps), and send the address to several hundred million people.

    For the ISP sysadmins reading, you think it's bad when 20,000 spams land on your mail server? How are you going to like it when each of those 20,000 spams produce 3 or 4 (or 30 or 40) HTTP requests?

    Sorry, bad idea. I can't see how the idea of "attack filters" does anything but discredit the whole idea, especially after thousands of perfectly innocent web sites are knocked offline by the sort of malicious software being advocating, or when spammers inevitably abuse it.

  • This is spectacularly stupid. (Score:5, Insightful)

    by edunbar93 ( 141167 ) on Sunday August 10, 2003 @01:22PM (#6660365)
    Any program that does something this dangerous automatically, even to people that deserve it, is a BAD idea.

    This is the sort of thing that needs human supervision because bugs, user input, and solar flares may cause the program to act differently than you think it should. Any sysadmin who's made programs that would affect thousands of users automatically knows this. There will be a percentage - no matter how small - that the program will affect negatively, and that tiny percentage will be very, very pissed off.

    You should be exceptionally careful about where you point your Massive Hose of Death because after all, to err is human, but to really fuck things up requires a recursive algorithm working at 2 billion cycles per second.

    It's also ocurred to me that you'd be hurting yourself just as bad bandwidth wise anyway. We all complain about how much of our mail is spam, and how much bandwidth it wastes, but to DDOS them would waste hundreds of times more, not only for you but every provider that carries the traffic.
  • I think a better idea is to use
    Exim SpamAssassin at SMTP time [merlins.org]

    This method don't use your bandwidth downloading urls,
    and slow down the spammers connection.

    I would like to see what happen when
    the mayor distributions start shipping
    with something like this as the default option.
  • Messages conforming to abusive practice would cause the server to send an OAP message back to the spamming provider... so a million outgoing messages would result in a million INCOMING messages on the specified abuse protocol port.. in effect you DOS yourself.

  • Don't just do something, stand there! (Score:3, Insightful)

    by asackett ( 161377 ) on Sunday August 10, 2003 @01:29PM (#6660412) Homepage

    I suspect that a thorough analysis of the proposed scheme would conclude that it could not work if it were widely adopted. It's silly to create a system in which a relatively small, expected but undesired input triggers a relatively large burden on network resources.

    Oh, wait... that's called a distributed denial of service attack. Someone already thought it up!

  • New Spamming Technique : Trickle Spam. (Score:5, Informative)

    by androse ( 59759 ) on Sunday August 10, 2003 @01:34PM (#6660439) Homepage

    I'm all for the idea, and as a matter of fact, I suggested it [slashdot.org] a couple of months ago.

    If individual spam victims start repetitively downloading the spammers website, this could bring the spammer to change the way he sends spam from the current big bang technique to a small continuous trickle technique. The spammer would send a single spam over several weeks, in stead of a few hours. He would parallelize the process.

    I see two possible counter-attacks to this :

    • content-based blacklisting (like Vilpul Razor, etc), i.e a central database of links that are currently being used in spam.
    • high aggressivity from the victims : if everyone loads the URI 50, 100, or 300 times, then the "trickle method" would probably fail. You should of course change the HTTP User Agent string for each request, and randomize the timing to stop any filtering on the web server.

    Feel the rage !

  • As tempting as it may be... (Score:3, Insightful)

    by KC7GR ( 473279 ) on Sunday August 10, 2003 @01:42PM (#6660470) Homepage Journal
    ...Fighting abuse with more abuse probably will not solve anything, and could also get you in trouble with your own ISP, if a spammer hits you hard enough to cause the fake E-mail addresses they put into their spam enough problems.

    This is a bad idea, IMO. Stick with blocklisting. Once things get to the point where the spammers are all on what amounts to an intranet, and they're doing nothing but spamming each other, they'll get the idea.

  • The spammer can simply parcel out each individual type of spam over a period of time. So, instead of:

    Day 1: Send spam A to 1 million addresses
    Day 2: Send spam B to 1 million addresses
    Day 3: Send spam C to 1 million addresses

    They would

    Day 1: Send spam A to 333,333 addresses, send spam B to 333,333 addresses, send spam C to 333,333 addresses
    Day 2: Repeat
    Day 3: Repeat

    Obviously, they would draw this out over more than 3 days, but you get the idea.
  • I like the idea of whacking the spammers' bandwidth, but I'm not really keen on validating the email address the bastards have reached.

    So, why not follow the links, but change the parameter values? It's all something which we'd do programmatically anyway, so subtle variations in the value portion would still incur the expense of processing the input, even if it fails. Keep the path component of the URL, and the parameter names used, so it gets as far as possible before blowing chunks.

  • So many security holes... (Score:3, Insightful)

    by anthony_dipierro ( 543308 ) on Sunday August 10, 2003 @02:16PM (#6660627) Journal

    It's not just DDOS that is the problem (in fact DDOS is actually the main feature). A naive implementation would pass along the GET data. So you could use this method to anonymously submit form data. Want to stuff an online ballot? Send out a spam linking to http://whatever/poll.foo?bar. Depending on how poorly written the sites are, you could even use this to do more sophisticated things, like sign up for 10,000 accounts at a certain website.

  • Bad idea, but might be improved (Score:3, Interesting)

    by Animats ( 122034 ) on Sunday August 10, 2003 @02:37PM (#6660743) Homepage
    The good idea there is to filter spam based on what it links to. SpamCop already does some of this, and reports the spamvertised site to its ISP or upstream provider. This is reasonably effective. It also identifies black-hat ISPs that host sites referenced in much spam.

  • auto following links -> spread worms (Score:3, Insightful)

    by frenetic3 ( 166950 ) <houston&alum,mit,edu> on Sunday August 10, 2003 @02:43PM (#6660765) Homepage Journal
    i think a more potentially dangerous outcome is that this could become a vehicle for worms to spread;

    lots of vulnerabilities have been discovered (in IE, etc) in the past that run arbitrary code when you visit a web page.

    so, if we have all these [identical] email clients set to automatically follow links and that there's some kind of known buffer overrun within the html parsing code (or if they use the IE rendering engine and some similar vulnerability has been discovered) then if a malicious link is sent then all of these clients will follow it and get compromised. (witness the paranoia now in most email clients which disable javascript, attachments, etc by default).

    at that point, if tons of machines are compromised, they could be turned into open proxies or could turn around and forward the email to everyone in their address book, etc.

    yes, this might sound like a farfetched scenario, but i think even if this case didn't happen, the obvious counter for spammers is to distribute the web load over a bunch of compromised open proxies or something or to throw up temporary web pages on random web hosts until they get shut down.

    the bottom line is that in the end the pain of this countermeasure will be simply passed onto innocent third parties.

    furthermore, it's unlikely that any major mail client will include this feature by default (outlook or eudora) since there's so much room for abuse, and the whole idea relies on a critical mass of users to actually have an effect.

    -fren

  • Bayesian filters (Score:3, Informative)

    by dtfinch ( 661405 ) * on Sunday August 10, 2003 @02:52PM (#6660805) Journal
    It seems like the need for other anti-spam techniques will decrease as these become more popular. Things like ip banning or automated server hacking just hurt more non-spammers.

    I installed a free one called K9 (though I donated $20 to the author), and over my last 573 emails (392 spam) it has only made one mistake, making it over 99.8% accurate after its initial training (141 messages). I've only been using it for a few weeks. It's about a 60k download and is very flexible and well behaved. The downside is that it's closed source and built for win32. I don't know if it works under Wine.

    The one spam that got through was disguised a typical personal message, except that it was offering a business relationship and contained a personalized image link to determine if I viewed the message.

    I tried Mozilla's built in bayesian filter for a few months. It had about 90% accuracy, even though I corrected every single mistake it made. Something's not working there, so probably shouldn't be used to judge the accuracy bayesian filters in general.

    I've tried PopFile as well. It seems to have good accuracy, but it's like swatting a fly with a sledgehammer. It's like a full fledged anti-spam server and is best installed on a dedicated server but is not well suited for multi-user environments, and it'd not easy to correct old mistakes or rebuild the word database. It does have the benefit of being cross platform though, and it supports multiple buckets, not just spam and not spam.

  • Fight fire... by adding fire? (Score:3, Interesting)

    by quacking duck ( 607555 ) on Sunday August 10, 2003 @03:27PM (#6660971)
    Given that so many people, even corporate execs, are stupid enough to order stuff from spammers [slashdot.org], why not use this fact to our advantage?

    Send out "white hat" spam, which for all intents and purposes looks like real (ie "black hat") spam. Except clicking on the link takes you to any number of webpages that basically say "are you so f***ing stupid you actually believe pills can make your penis/breasts/whatever larger?"

    Adjust content to suit type of spam. Include disgusting images if the type of spam you're emulating is adult-oriented (pr0n, enlargements, etc), something else entirely if you're "selling" mortgages or similarly benign wares (ie no goatse.cx-type images if you're "selling".

    And to cap it off, if viewers are so enraged at what they see, the page will have a feedback link. The link will either be a known spammer's email so they receive their venting instead of their money, or link to yet another anti-spam site.

    Geeks and filters will automatically block this stuff out, so there's no harm done to us, aside from having to filter out even more spam.

    But with any luck, if enough of these anti-spam spams get sent out that people start associating spam messages with informative, insulting or disgusting websites, they'll learn to stop clicking on those damn links, stop buying their bullshit products, the spam model becomes unprofitable, and spam is reduced to a saner level or eliminated entirely.

    Legal implications? No better and no worse than black hat spammers.

    Comments?

  • Sounds a lot like an old idea... (Score:3, Interesting)

    by jemfinch ( 94833 ) on Sunday August 10, 2003 @05:52PM (#6661669) Homepage
    Making spammers pay for each spam they send? Sounds a lot like Daniel Bernstein's Internet Mail 2000 [cr.yp.to] recommendation, except that this idea has far more potential for abuse. As much as I like Paul Graham's innovative ideas, this one is definitely both late on the scene and inferior to IM2000.

    Jeremy

  • RE: Filters that Fight Back (Score:3, Interesting)

    by Tacoguy ( 676855 ) on Sunday August 10, 2003 @06:27PM (#6661795)
    Spam fighting, it seems to me has 2 fronts. What to do when you get on the lists and how did you get there to begin with. Having made numeous web sites thru the years it has become clear to me that these spammers are largely harvesting addys thru mail-to links on web pages. A number of techniques can be utilized to prevent such activity. 2 of my favs are the use of ASCII characters in the actual addy and the use of Javascript to mask the addy. Once you are "in their hooks" there seems little you can do so it seems best to me to not get there in the first place. Best Jeff

  • Automatic attacks are a bad idea (Score:3, Insightful)

    by cait56 ( 677299 ) on Sunday August 10, 2003 @08:02PM (#6662138) Homepage

    Having a "filter fight back" is a polite way of saying that you have trained attack software.

    Software has bugs. If you have trained attack software, it will have bugs. Which means eventually it will attack an innocent site.

    Ultimately this is a bad idea for the same reasons that automated home defenses are a bad idea. It's very easy to say that the intruder has earned the automated response, but then you get the nitty gritty issue of whether your automated system can distinquish between a burglar and a fireman.

    The same issues apply in identifying Spam. How will your software, which will make mistakes, distinquish between the real source of Spam and a clever header that is making it look like someone else is the source? I don't care how good your algorithm is. It's coded by humans, so it will make mistakes. Unlike a human making a mistake manually, however, it will pounce at very high speeds.

Slashdot Top Deals

The trouble with being punctual is that nobody's there to appreciate it. -- Franklin P. Jones

Close