On F-Secure's website, I read an article about a website called http://spamorham.org . This site invites visitors to view messages and label them as spam or legitimate email. This information is supposedly used for research in differentiating spam. I applaud any effort in eradicating spam. Filtering is good. However, it doesn't go nearly far enough. Filter software maintainers have to continue to work to keep up with the techniques spammers use to bypass the filters. Knowing the URLs that are advertised by spam and filtering out these URLs is a pretty good way of using filters. But as long as there is profit in spamming people, there will be spam.
By increasing the monetary cost of spamming, it's possible to significantly or totally reduce the profit in spam.
Spam is sent out and spammers make money by having people pay for items or services. For people to make payments, they have to have a place to make the payment. This is the weakest point for spammers. By knowing where payments are made, people can either filter messages that contain a link to this payment place, or they can write retaliatory programs that complain instead of sending a payment.
Many claim the latter approach is equivalent to a denial of service attack. But I disagree for two reasons:
1. The spam invited the recipient to visit the site (or other venue). This is what the retaliatory program does. Complaints sent to the site use its computing resources as well as bandwidth, which are paid for by the spammer. The goal is to make complaints heard, not to shut down web sites.
2. If the retaliatory program is written or configured so only one complaint is sent for each spam received, then the program will comply with CAN-SPAM, which allows complaints. In fact, spammers must include unsubscribe information in their messages to allow people to opt out of receiving messages.
Until people began to take offensive (retaliatory) action against spammers, the ratio of spam to legitimate email messages only continued to increase.
First came the spam vampires (these keep requesting the same pages from spamvertised sites and can be considered a denial of service), which sought to decrease the profits of spammers by increasing bandwidth costs. Then came "Make Love Not Spam."
This was one of the first offensive attempts made by a large company to take back our in-boxes. Other companies tried retaliating against spammers as well. One company even tried to flood computers that were sending spam with so much data that they were forced to slow down. That approach is similar to one man taking on an entire army by himself.
Recently, a very innovative program was put out by a company named Blue Security. The program, called Blue Frog, was downloaded onto many computers. These computers took instructions from a central computer and acted as a cyber army by submitting complaints to spamvertised web sites en masse.
Blue Frog was a giant step in the right direction. However, it had the same weakness as the spammers. Blue Security's program relied on a single point from which to obtain instructions.
First, spammers tried to block Blue Security's website. When that tactic was overcome, spammers mounted an offensive and attacked the Blue Security network with such great numbers that not only was Blue Security's site brought down, but hundreds of others as well. Blue Security tried pointing their website to other IP addresses so that they could continue to provide information to the public, but the onslaught was so great that this finally failed as well.
We can win the war against spam. However, we have to realise several things:
1. Our numbers are smaller than theirs. I'm not talking about people, but rather computers. Spammers have control of millions of computers that they can call upon when the occasion arises. We have the computers that people willingly use in the fight against spammers.
2. Their numbers are conscripted where ours for the most part are volunteer. Most of us who have anti-spammer programs on our computers have knowingly installed the programs. Most of the computers controlled by spammers have been commandeered. These are the computers infected with spyware, viruses, worms, trojans, and other malware. These computers may even be owned by our family members.
3. When it comes to computers, most people are still plain stupid or lazy. This isn't meant to be an insult. I know of many people who've been repeatedly warned about opening email attachments, downloading programs from untrusted sources, and violating many other common sense security rules. There are others who know they have security problems with their computers and/or know that their anti-virus databases are out of date, but they do nothing to remedy the situation. I'm talking about people who just don't take the time to make changes that are necessary for even basic security on their machine. Most of these people are the "It won't happen to me" crowd.
4. Most people don't have, or aren't willing to spend, a lot of time fighting spammers. Many will take the time to forward or move an email to a place if they think this will be acted on, but they won't keep a browser open to a spam vampire site. Many of these people ran the Blue Frog program that Blue Security put out. The Blue Frog program was effective, and that is why spammers decided to counterattack.
Here comes the p2p cavalry
BUT a new program is under development as we speak. I know about it because I'm part of the development team. This new program addresses each of the four issues above:
1. Since spammers have larger numbers than we do, we must build our numbers up, be mobile and not be targeted. This is what the new anti-spammer program intends to do. The development team intends for the program to complain to only a very minimal number of spamvertised web sites. This is being done so that the program can be downloaded by a large number of people, and yet be perceived as actually doing something to go after spammers. The program will get its instructions and updates from p2p networks. This is being done so there'll be many, many spread-out targets rather than one or a few central targets to attack.
2. Since the development team has ethics, it wants to make sure the computer owner installs the program intentionally. There'll be no backdoor or worm distribution methods. Any that do show up are the work of those who want to derail the war effort. The development team will be working with a public relations professional in order to recruit willing volunteers for installing the program. The program will even offer peace to email spammers if they'll simply put in a header, "X-Advertisement: uce". If this header is included in a spam email, our program won't go after any host advertised. A header such as this will make it trivial to filter out unwanted spam.
3. We don't want those who still have no clue or could care less about computer security to install our program. Our program installed on the computers of these people may become contaminated with malicious software. If our program becomes associated with malicious software, it will only hurt our cause. If someone is too stupid not to open unexpected attachments or is too lazy to update their computer when it's known to be vulnerable to take over, they should just stand at the sidelines and root for us or get smarter, or do what it takes to get their computer security under control before even thinking about running our program.
4. With the exception of dropping email or complaints into a special folder, there'll be little action required by users to run our program. The program will periodically check for updates from other peers and send any updated instructions to other peers. The complaint instruction file will be cryptographically signed so it'll be extremely difficult to substitute a malicious instruction file. The updates will be released from different locations and peers each time a new file is released. This will prevent spammers from tracking down or shutting down the origin of the files.
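The filtering that the "X-Advertisement: uce" header in point 2 would allow can be sketched as follows. This is an added example, not the development team's code; the function names and the sample messages are constructed for illustration, and matching the value exactly as "uce" (ignoring case and surrounding spaces) is an assumption.

```python
from email import message_from_string
from email.policy import default

LABEL_HEADER = "X-Advertisement"  # header name proposed in the post
LABEL_VALUE = "uce"               # header value proposed in the post


def is_labelled_uce(raw_message: str) -> bool:
    """Return True if an X-Advertisement header carries the value 'uce'."""
    msg = message_from_string(raw_message, policy=default)
    # get_all() compares header names case-insensitively and only reads the
    # header block, so the same text quoted in a message body does not match.
    values = msg.get_all(LABEL_HEADER, failobj=[])
    return any(str(v).strip().lower() == LABEL_VALUE for v in values)


def sort_mail(raw_messages):
    """Split raw messages into (labelled_ads, everything_else)."""
    ads, rest = [], []
    for raw in raw_messages:
        (ads if is_labelled_uce(raw) else rest).append(raw)
    return ads, rest


# Constructed sample messages (not real mail).
LABELLED = ("From: seller@example.com\nTo: user@example.org\n"
            "Subject: Special offer\nX-Advertisement: uce\n\nBuy now.\n")
MIXED_CASE = ("From: seller@example.com\nx-advertisement:   UCE  \n"
              "Subject: Another offer\n\nBuy more.\n")
BODY_ONLY = ("From: friend@example.net\nSubject: header idea\n\n"
             "X-Advertisement: uce\nis the header they want spammers to add.\n")
OTHER_VALUE = ("From: list@example.org\nX-Advertisement: newsletter\n"
               "Subject: Monthly news\n\nHello.\n")

if __name__ == "__main__":
    ads, rest = sort_mail([LABELLED, MIXED_CASE, BODY_ONLY, OTHER_VALUE])
    print(len(ads), "labelled as advertising;", len(rest), "left for other filters")
```

The filter only sorts out mail whose sender chose to add the label; unlabelled messages still need the usual content and URL filters.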
This is all the information that I can provide about the program for the moment. The projected beta release date of the program is sometime in late July or early August. About a third of the code is already written, and the team is working furiously trying to complete the other two thirds.
There's a need for secrecy because spammers aren't the most moral people on the planet and can be pretty ruthless. Many are also involved in organized crime. We don't want to see our efforts derailed before they even have a chance to get off the ground. When the program is released, it'll be open source so anyone who wants to can see how it works and help to improve it.