Spam: the dirty war

I confess that I underestimated the enemy rather badly. I underestimated both the enemy’s level of sophistication, and also the enemy’s level of brute malevolence. I always knew that spammers had no principles and no ethics, but up until recently, I had no idea that they could or would stoop this low, or that they would engage in quite this level of criminality. I guess that, naively, I just never thought hard enough about how much money was actually at stake (in the spamming trade) or what that might mean in terms of the determination of spammers to win at all costs.

Ron F. Guilmette announced that he was giving up the fight against spam in the face of massive Distributed Denial of Service (DDoS) attacks. This, in the wake of the attacks which forced Joe Jared off the net, is rather worrying.

Ron maintained a list of open proxies. When you connect your home or company private network to the Intarweb, and mess up (or install something which is insecure by default), you can arrange matters so that anyone can use your proxy as a convenient way to make themselves anonymous, since their activity appears to originate from the proxy. Whether it’s spamming, or merely making a nuisance of yourself on talkers and the like, open proxies are favoured by asshats everywhere. Ron was also running a network of honeypots, servers which pretend to be open proxies but which are actually gathering the real addresses of those responsible for abuse.

Joe Jared was the main distributor of the SPEWS list, a controversial blacklist of ISPs who, in the view of the anonymous list maintainers, weren’t doing enough to get rid of their spammers.

The lists, so called DNS Blackhole Lists or DNSBLs, are published using the DNS, the name service which turns domain names (like www.livejournal.com) into IP addresses (like 66.150.15.150). Most of the big unix mail servers, such as Sendmail or Exim, can use these sorts of lists to refuse connections, or to tag mail as suspect. Even if your server administrator isn’t using blacklists, home users can also make use of DNSBLs using James Farmer’s Spampal program.
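To make the DNS mechanism concrete, here is an added example (mine, not from the post or from any of the list operators mentioned) of how a mail server consults a DNSBL: the connecting client's IPv4 octets are reversed and prefixed to the list's zone name, and an A record in 127.0.0.0/8 coming back means "listed". The zone name `dnsbl.example` and the table of fake answers are constructed placeholders so the check runs offline; the resolver is injectable precisely so that a real lookup (`socket.gethostbyname`) and a canned one can be swapped. The mapping of 127.0.0.2 to "reject" is a convention assumed for this example; real lists document their own return codes.

```python
import ipaddress
import socket

# Placeholder zone for the example; not a real DNSBL.
EXAMPLE_ZONE = "dnsbl.example"

# Constructed answers standing in for what a real list would return.
FAKE_LISTING = {
    "4.3.2.1.dnsbl.example": "127.0.0.2",  # 1.2.3.4: listed, "open proxy" code
    "8.7.6.5.dnsbl.example": "127.0.0.3",  # 5.6.7.8: listed, some softer reason
}


def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname using FAKE_LISTING."""
    if name in FAKE_LISTING:
        return FAKE_LISTING[name]
    # NXDOMAIN is what a resolver raises for an address that is not listed.
    raise socket.gaierror(-2, "Name or service not known")


def dnsbl_query_name(ip, zone):
    """Build the lookup name: octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.x.x.x listing code, or None when the address is not listed."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None  # not listed
    if not answer.startswith("127."):
        # A reply outside 127/8 is not a valid listing. A dead or wildcarded
        # zone can answer this way; treating it as a hit would reject all mail.
        return None
    return answer


def policy_for(ip, zone, resolve=socket.gethostbyname):
    """Map the DNSBL answer to a mail-server action: reject, tag or accept."""
    code = check_dnsbl(ip, zone, resolve)
    if code is None:
        return "accept"
    if code == "127.0.0.2":  # assumed convention: confirmed proxy/spam source
        return "reject"
    return "tag"  # listed for a softer reason: let it through, marked suspect


if __name__ == "__main__":
    for client in ("1.2.3.4", "5.6.7.8", "9.9.9.9"):
        print(client, "->", policy_for(client, EXAMPLE_ZONE, fake_resolve))
```

The non-127 guard is the caveat worth keeping from this story: when a list goes away, a server that treats any answer as a listing can start refusing everything, so the check should only honour replies in the range the list documents.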

Guilmette and Jared probably overextended themselves by running these services from DSL or cable connections. The big boys are getting DDoS’d but their lists are still being published (even if the website isn’t doing so well). There are other proxy lists out there. So, what’s the worry?

I suppose, like Ron Guilmette, I’m surprised at such outright criminality. It makes me wonder who’s next on the list of targets. DNSBLs make particularly popular targets, but what about distributors of spam filtering software, say? One could say that these are the acts of desperate individuals, running scared of anti-spam efforts, but possibly this is the end point of the evolutionary arms race against spammers: many of them have gone to the wall, but the ones who are left are nastier than your average spammer was a few years ago.

People on news.admin.net-abuse.email are already talking about peer-to-peer systems to make a big easy target into lots of small, hard to hit targets (but geeks love to talk about distributed systems and crypto, so who knows whether it’ll go anywhere). Meanwhile, the old mantra about how you shouldn’t fight abuse with abuse is sounding less and less convincing.
