The metaphorical “arms race” between spammers and anti-spam companies became real last week: Blue Security, a software company that sends opt-out requests to spammers (via e-mail or through their Web sites) through its Blue Frog program, became the target of a Distributed Denial of Service (DDoS) attack by a spam sender who objected to the tactic (supposedly a Russian with the handle “Pharmamaster”). With direct damage (Blue Security’s Web site went down, and the attack crippled Blue’s hosting company, Tucows) and collateral damage (LiveJournal, TypePad, and other blog hosts went offline when Blue tried to move to another blog service hosted by SixApart), Blue Security threw in the towel.
Blue Frog framed its methods as legally sanctioned by the CAN SPAM Act of 2004 (at least in the U.S.). I’m not sure that filling out Web forms repeatedly as an opt-out tactic fits within the parameters of the law, but set that aside for a moment. (Discussions of Blue Frog tend to bring out the zealots who love the software – see this discussion on John Levine’s site as an example.) I’m concerned about two things. First, the attack by Pharmamaster went after the Domain Name System (DNS), the application that translates human-friendly URLs (such as cyber.law.harvard.edu) into computer-friendly Internet Protocol addresses (such as 192.168.1.1). The DNS is a good target because it’s relatively fragile, particularly if the DNS server in question is not properly secured or configured. This is Jonathan Zittrain’s worry in his Generativity paper: the Internet is effectively hostage to the worst angels of our nature. If Pharmamaster decides to try to take down the DNS more widely, we could be in trouble. The typical response by techies to this concern is to point to misconfiguration as the problem: if we tweaked BIND properly, or set up firewalls and anti-spyware software on our PCs, we’d take care of DDoS attacks, botnets, and so forth. This is right, but it’s not an answer, in the same way that campaigns to bolster handwashing never really wipe out the common cold. The complexity of software and the speed with which exploits spread guarantee that the odds are always against the defenders in this game.
Second, I think Blue Frog had a great insight – they just went about it the wrong way. The key to spam, at least in its current incarnation, is money. The economics of e-mail messaging let spammers make a profit even with a minuscule response rate. I believe the best method is to go after that money. Blue Frog tried to do this by identifying the Web site(s) advertised in spam, and using their order forms to opt out of messages. I’ve proposed a more radical solution: parse the sites that are spamvertised and block them at the ISP level. A more sophisticated version of this tactic would evaluate the type of site in the spam and re-direct users who request it to a legitimate Web page in the same category (sites might pay for this privilege, which would support this methodology). To illustrate: America Online is hit with a wave of “low interest rate mortgage” spam that points users to mortgage.foo.com. While AOL does its best to filter out these messages, it also sets its routers to redirect traffic seeking mortgage.foo.com to Countrywide, or another legitimate mortgage lender willing to pay AOL for the traffic. This has three benefits: users get the service they want (someone who clicks on a link in a mortgage message has some interest in that product) with less risk of fraud, the spammer loses revenue (Countrywide effectively diverts their potential customers to its site), and AOL can make some dough by selling the opportunity for that redirect.
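An added sketch of the parsing half of this proposal (not code from this post or the linked paper): it extracts spamvertised hosts from messages and turns them into block-or-redirect entries an ISP could load. The sample messages, keyword lists, the partner lender.example.com, the allowlist and the two-report threshold are all assumptions made for illustration; the threshold and allowlist are there so that a single forged message naming a legitimate site cannot get that site blocked.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample spam bodies (not real messages).
SAMPLE_SPAM = [
    "Low interest rate mortgage! Apply at http://mortgage.foo.com/apply?id=1",
    "Refinance today: HTTP://Mortgage.Foo.com./rates",
    "Cheap pills at http://pills.example.net/order",
    "Mortgage news from your bank https://www.example.org/news",
]
# Hypothetical keyword lists, paying redirect partner and never-touch allowlist.
CATEGORY_KEYWORDS = {"mortgage": ("mortgage", "refinance"), "pharmacy": ("pills",)}
REDIRECT_PARTNERS = {"mortgage": "lender.example.com"}
ALLOWLIST = {"www.example.org"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def advertised_hosts(body):
    """Return the normalized host names linked from one message."""
    hosts = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname  # lowercased by urlsplit
        except ValueError:  # malformed URL, e.g. a broken IPv6 literal
            continue
        if host:
            hosts.add(host.rstrip("."))  # drop the trailing root dot
    return hosts

def classify(body):  # first category with a keyword in the message, else None
    text = body.lower()
    return next((c for c, ws in CATEGORY_KEYWORDS.items() if any(w in text for w in ws)), None)

def build_policy(messages, min_reports=2):
    """Map each host seen in at least min_reports messages to an ISP action."""
    seen, votes = Counter(), defaultdict(Counter)
    for body in messages:
        category = classify(body)
        for host in advertised_hosts(body):  # a set, so one count per message
            seen[host] += 1
            votes[host][category] += 1
    policy = {}
    for host, count in seen.items():
        if count < min_reports or host in ALLOWLIST:
            continue
        category = votes[host].most_common(1)[0][0]
        partner = REDIRECT_PARTNERS.get(category)  # None when nobody pays for it
        policy[host] = ("redirect", partner) if partner else ("block", None)
    return policy
```

With the default threshold only mortgage.foo.com is acted on; lowering `min_reports` to 1 also blocks the pharmacy host, while the allowlisted bank site is never touched.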
I’ve gone into depth on this idea in a paper. What do you think?