Filters That Fight Back

Tom Anderson tanderso at oac-design.com
Tue Sep 2 01:11:21 CEST 2003


Paul,

If you wait until you've identified a spammer as "chronic", then it may
be too late to punish the vast majority of them.  As you said yourself
in your article, it would be necessary to identify the spammer
relatively early lest they move on to another host.  Punishing the dumb
morons who stay on a single host for a long time will only serve to make
a more resistant strain of spammer -- those that move around a lot.  This
will not hurt the spammers, only the blacklists which have been
effective at blocking some of them.

You also mention that Amazon is better at keeping spammers out of its
affiliate programs.  If this is true, it is only because they must have
full-time staff dedicated to answering spam complaints and taking action
against those affiliates that violated their terms.  Smaller merchants
certainly could not afford this even if they really wanted to.  You
would effectively put them out of business.  That's like cutting off
your nose to get rid of a pimple.

Perhaps a more effective means of punishment would simply be a bounced
mail.  Few online merchants offer their affiliates email addresses on
their own servers.  The spammers thus must find their own means of
sending.  Assuming they are running their own server on a lenient ISP,
as is most certainly the case with the "opt-in" bunch, bouncing all
spams would provide the bandwidth and processing drain which you are
looking for.  If they are sending via an open relay, you may not have
too much effect on the spammer, but you may be able to force the open
relay to tighten up or close down.  If the spammer is on a virtual host
or email hosting service, their account will be terminated quickly.

The main problem with this method is effectively deciphering mangled
headers and sending the bounce to the appropriate address rather than
some patsy who's been the victim of masquerading... that would just
cause additional problems.  The other problem is that by responding that
the email was bounced as a spam, you give spammers the feedback which
might enable them to get around the filters.  However, with Bayesian
filtering, I wouldn't count on that being much of a problem in the end. 
Also, you could include a punishment payload on the bounce consisting of
anything from a large graphic or document to a virus, thus compounding
their bandwidth and processing load, and maybe even shutting down their
system.  Obviously, anything deliberately malicious would be legally
addressable even for a spammer, so viruses might not be the best idea.  A
large Word (because it's inefficient) document citing personal concerns,
legal analysis, technical issues, etc., relating to the sending of spam
would be quite justifiable though.  The spammer may send out a million
10k emails, but get back a million 1M emails.  That would certainly
hurt.

Moreover, just in case you accidentally got a false positive from your
mail filter, a simple explanation at the top of the bounce stating that
the email could not be delivered because it resembled a spam would be
good insurance against missing important emails.  The sender could
simply write another email (or call, heaven forbid) if they really
needed to get in contact.  If you don't send a bounce, then they might
think you are just ignoring them if you don't catch it in your spam
folder.  And regular Joes getting an occasional 1M email is nothing to
be concerned about.  For instance, if your filter bounced this mail and
you never responded, I'd think you're a jerk and quit reading your
articles ;)  And if I'd found out that you never even saw it after I
spent a half-hour writing it, I'd be really pissed.  Alternatively,
receiving notice that it was bounced would give me an opportunity to
send it again, but in a more innocuous format.

In conclusion, I think that punishing spammers can be a good idea, but
attacking the spamvertized website would be the wrong way about it.  The
better tack would be to punish the spammers more directly using the same
vehicle which they are abusing.  The only concern would be ensuring that
the sending mechanism is sufficiently intelligent to send the bounce to
the appropriate address.  There is open-source software in existence
(e.g. SpamCop) which I believe can effectively do this.  It's just a
matter of packaging the code together with filters such as Bogofilter.

Sincerely,

Tom Anderson
Order amid Chaos, Inc.
http://oac-design.com

cc: Bogofilter Mailing List


On Mon, 2003-09-01 at 08:38, Paul Graham wrote:
> I think the guys running the blacklist would have to have
> a philosophy of only blacklisting chronic spammers.  Amazon
> must be tough on such things, because you never do see
> such spams.  Gevalia, on the other hand, deliberately turns
> a blind eye to the actions of its "affiliates."  The really
> high volume spammers run the site as well as sending the spam.
> Repeat, high-volume spam seems a safe criterion for pounding
> the site promoted in it.  --pg
> 
> --Tom wrote:
> > Paul,
> > 
> > I just read your article.  I thought about implementing just such a 
> > punishment device.  Unfortunately, you're exactly right about needing an 
> > intelligent "moderator" to form a blacklist.  Not only intelligent, but 
> > very diligent, informed, and objective.  Otherwise perhaps innocent 
> > sites that are spamvertized by deviant affiliates are unjustly punished. 
> >   For eg., I could sign up as an affiliate of amazon.com and spam a 
> > million people with a link to amazon.com with my affiliate ID.  If 0.05% 
> > of people respond and buy a $10 book, I've made $5000.  Ok, so 
> > amazon.com makes a lot of money too, but do they deserve to be pounded 
> > by angry spam victims even though their policy is to try not to have 
> > anything to do with spam?  And meanwhile I get off without a scratch 
> > while the victims think they've punished me?  Clearly this wouldn't be 
> > such a foolproof anti-spam device as you've estimated in your article. 
> > Most of the spammers would find a way to dodge the "branch", and it 
> > would smack the relatively innocent online merchant behind him.
> > 
> > Sincerely,
> > 
> > Tom Anderson
> > Order amid Chaos, Inc.
> > tanderso at oac-design.com
> > 
> 
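
The message above names the core difficulty with bouncing: a forged sender address sends the bounce to an uninvolved third party. The following Python sketch is an added example, not code from the post, Bogofilter or SpamCop. It refuses to bounce unless the receiving MX's own Received line corroborates the envelope sender; the Postfix-style Received format, the `TRUSTED_MX` hostname and the sample message are constructed assumptions, and the reverse-DNS match is a deliberately conservative heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: spam whose Return-Path/From name a forged third party.
SAMPLE = """\
Return-Path: <alice@victim.example>
Received: from mail.victim.example (unknown [203.0.113.77])
\tby mx.recipient.example with SMTP id abc123; Mon, 1 Sep 2003 08:00:00 -0400
Received: from fake.relay.example ([198.51.100.9]) by mail.victim.example; Mon, 1 Sep 2003 07:59:00 -0400
From: "Alice" <alice@victim.example>
Subject: Buy now

body
"""

TRUSTED_MX = {"mx.recipient.example"}  # assumption: our own MX hostnames

# Postfix-style: from HELO (rdns [ip]) by HOST
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)")

def handoff(msg):
    """Return (rdns, ip) from the topmost Received line written by our own MX."""
    for line in msg.get_all("Received", []):
        m = RECEIVED_RE.search(line)
        # Lines not stamped by a trusted MX may be forged by the sender: skip them.
        if m and m.group("by") in TRUSTED_MX:
            return (m.group("rdns") or "unknown").lower(), m.group("ip")
    return None

def bounce_decision(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("Return-Path", ""))[1]
    if not sender:
        return "no-bounce: null or missing envelope sender"
    domain = sender.rpartition("@")[2].lower()
    hop = handoff(msg)
    if hop is None:
        return "no-bounce: no trusted Received line"
    rdns, ip = hop
    # HELO is chosen by the client, so only the rDNS our MX recorded counts.
    if rdns == domain or rdns.endswith("." + domain):
        return f"bounce-ok: {ip} resolves under {domain}"
    return f"no-bounce: {ip} ({rdns}) not corroborated for {domain}"

if __name__ == "__main__":
    print(bounce_decision(SAMPLE))
```

Rejecting the message during the SMTP session instead of accepting and bouncing later avoids generating mail to the forged address at all.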