Spam, Frogs, and the State of the Net

The metaphorical “arms race” between spammers and anti-spam companies became real last week: Blue Security, a software company that sends opt-out requests to spammers (via e-mail or through their Web sites) through its Blue Frog program, became the target of a Distributed Denial of Service (DDoS) attack by a spam sender who objected to the tactic (supposedly a Russian with the handle “Pharmamaster”). After both direct damage (Blue Security’s Web site went down, and the attack crippled Blue’s hosting company, Tucows) and collateral damage (LiveJournal, TypePad, and other blog hosts went offline when Blue tried to move to another blog service hosted by SixApart), Blue Security threw in the towel.

Blue Frog framed its methods as legally sanctioned by the CAN SPAM Act of 2004 (at least in the U.S.). I’m not sure that filling out Web forms repeatedly as an opt-out tactic fits within the parameters of the law, but set that aside for a moment. (Discussions of Blue Frog tend to bring out the zealots who love the software – see this discussion on John Levine’s site as an example.) I’m concerned about two things. First, the attack by Pharmamaster went after the Domain Name System (DNS), the application that translates human-friendly URLs (such as cyber.law.harvard.edu) into computer-friendly Internet Protocol addresses (such as 192.168.1.1). The DNS is a good target because it’s relatively fragile, particularly if the DNS server in question is not properly secured / configured. This is Jonathan Zittrain’s worry in his Generativity paper: the Internet is effectively hostage to the worst angels of our nature. If Pharmamaster decides to try to take down the DNS more widely, we could be in trouble. The typical response by techies to this concern is to point to the misconfiguration as the problem: if we tweaked BIND properly, or set up firewalls / anti-spyware software on our PCs, we’d take care of DDoS attacks, botnets, and so forth. This is right, but it’s not an answer, in the same way that campaigns to bolster handwashing never really wipe out the common cold. The complexity of software and the speed with which exploits spread guarantee that the odds are always against the defenders in this game.

Second, I think Blue Frog had a great insight – they just went about it the wrong way. The key to spam, at least in its current incarnation, is money. The economics of e-mail messaging let spammers make a profit even with a minuscule response rate. I believe the best method is to go after that money. Blue Frog tried to do this by identifying the Web site(s) advertised in spam, and using their order forms to opt out of messages. I’ve proposed a more radical solution: parse the sites that are spamvertised and block them at the ISP level. A more sophisticated version of this tactic would evaluate the type of site in the spam and re-direct users who request it to a legitimate Web page in the same category (sites might pay for this privilege, which would support this methodology). To illustrate: America Online is hit with a wave of “low interest rate mortgage” spam that points users to mortgage.foo.com. While AOL does its best to filter out these messages, it also sets its routers to redirect traffic seeking mortgage.foo.com to Countrywide, or another legitimate mortgage lender willing to pay AOL for the traffic. This has three benefits: users get the service they want (someone who clicks on a link in a mortgage message has some interest in that product) with less risk of fraud, the spammer loses revenue (Countrywide effectively diverts their potential customers to its site), and AOL can make some dough by selling the opportunity for that redirect.
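A sketch of the ISP-side bookkeeping this proposal implies, added here as an illustration and not taken from the paper: it pulls spamvertised hosts out of message bodies, guesses a category, and builds a redirect-or-block table. The keyword lists, partner table, allowlist, threshold and sample messages are all assumptions; the allowlist and threshold keep a site from being redirected merely because a spammer chose to link to it.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# All values below are hypothetical, chosen to match the article's scenario.
CATEGORY_KEYWORDS = {
    "mortgage": ("mortgage", "refinance", "interest rate"),
    "pharmacy": ("pills", "pharmacy"),
}
PARTNERS = {"mortgage": "mortgage.bar.com"}   # sites paying for redirects
ALLOWLIST = {"cyber.law.harvard.edu"}         # never redirect or block these
MIN_MESSAGES = 3                              # messages that must name a host

def spamvertised_hosts(body):
    """Return the set of lower-cased hostnames linked from one message."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host:
            hosts.add(host)
    return hosts

def categorize(body):
    """Pick the category whose keywords occur most often, or None."""
    text = body.lower()
    scores = {c: sum(text.count(k) for k in kws)
              for c, kws in CATEGORY_KEYWORDS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] else None

def build_redirects(spam_bodies):
    """Map each qualifying host to a partner site, or None to block it."""
    seen = defaultdict(Counter)               # host -> category -> messages
    for body in spam_bodies:
        category = categorize(body)
        for host in spamvertised_hosts(body):
            seen[host][category] += 1
    redirects = {}
    for host, cats in seen.items():
        if host in ALLOWLIST or sum(cats.values()) < MIN_MESSAGES:
            continue
        redirects[host] = PARTNERS.get(cats.most_common(1)[0][0])
    return redirects

# Constructed sample spam, not real messages.
SAMPLE_SPAM = (
    ["Low interest rate mortgage! http://mortgage.foo.com/apply "
     "as seen on http://cyber.law.harvard.edu/"] * 2
    + ["Refinance now: http://MORTGAGE.foo.com/?id=7 http://cyber.law.harvard.edu/"]
    + ["Cheap pills http://pills.example/buy"]
)
```

`build_redirects(SAMPLE_SPAM)` yields a single entry sending mortgage.foo.com to mortgage.bar.com; how the table is enforced (routers, resolvers) is outside this sketch.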

I’ve gone into depth on this idea in a paper. What do you think?

4 Responses to “Spam, Frogs, and the State of the Net”

  1. I really like the tactic you propose, but it raises in my mind a question. The question (which may be addressed in your paper) is whether this tactic will lead to a cyclic pattern of spam.

    That is, say isp.com sees a flood of spam to its users advertising mortgage.foo.com and, as suggested, redirects traffic to mortgage.bar.com, which is known not to use spammers and pays for this privileged position. Subsequently, mortgage.foo.com loses the return it used to get from using spammers and stops hiring them. Over time, mortgage spamming drops to a negligible level. This is your contention, if I read you correctly.

    Now that the level of spam has dropped, mortgage.bar.com isn’t really getting any business forwarded its way, so it’s not efficient to pay for this (no longer so) privileged position. Once nobody’s paying for that position, what’s to stop mortgage.foo.com from starting to hire spammers again? And around the cycle we go.

  2. Good question. It’s certainly a risk as you frame the situation. The question in that scenario is the lag time: how long does it take the ISP to detect that foo.com has begun mortgage spam and to redirect those requests, and is that temporal period sufficient for foo.com to earn enough revenue to make the tactic worthwhile? As the ISP gets better at detection, this should become less of a problem, but it’s still an arms race.

    My suspicion is that, in practice, this risk is mitigated by the fact that spam generally falls into categories: Viagra, “body part enhancement”, singles, porn, etc. Thus, aggregating different spam senders (advertisers) by category helps reduce this problem: some spamvertisers give up, but others enter the field. By extension, your logic would apply in two sets of circumstances. First, an entire category becomes unprofitable for spam: diversion of mortgage offers gets sufficiently good that it’s not worth anyone’s time to spamvertise, bar.com stops paying ISP, and the opportunity opens again. (This might be worse if spammers try test messages on old, abandoned subjects to see if they’ll work.) Second, a new category becomes profitable: people suddenly begin responding to spam offering monkey lawnmowers (hat tip to Sunday’s episode of The Simpsons), forcing ISPs to detect this new spam pattern, find a credible monkey lawnmower vendor, and begin redirection. This is absolutely a problem, but at least it’s one of a smaller magnitude.

    Does this strike you as right? Thanks!

  3. Funny thing. I was looking for ‘mortgage’ information and happened upon your piece here about BlueFrog.

    I was one, presumably of many, who decided to end my BF membership after getting a growing volume of anti-BF emails from anonymous sender/s. Like you, I thought the BF response to spam was of merit. Pity it failed. Maybe someone else will find a better implementation one day, but even then I will be slow to enroll. I’ll need to see a handful of positive endorsements from users who’ve run it for a good while without incident.

    Okay – nothing more than a mention of mortgage on this page but I’m glad I found you anyway.

  4. This is all fair and well, but one big problem arises with many of the proposed ways of stopping spam. If a spammer wants to damage the reputation of another site, they could promote that site to cause them a problem, and naturally rise to the top.

    Spamming the main DNS servers I hear is a federal offense, which would not be one which would go overlooked. Also it would not be something that even Pharmamaster would want to do.

    One point to consider is the primary one of net neutrality. If people overstep the mark where the internet gets policed by either corporate entities saying they are protecting the internet or government organizations imposing limits, there will be such situations.