ezekiel's chariot - 張敦楷 (pjammer) wrote,

SpamJammer - Fighting UCE through DDOS?

Spam has been on my mind of late; for whatever reason, my daily volume of Viagra/Mortgages/HGH/porn solicitations quadrupled in the last few months, and from talking with friends with webmail accounts, I am not alone in noticing the escalation - both in volume and in deviousness. One of my favorite online essayists, Disenchanted, lays out the fundamental cost-shifting problem of UCE (Unsolicited Commercial Email):

There's an episode of the Twilight Zone (during its late 80s color resurrection) that has a couple open their door one morning to find a small wooden box waiting for them, and mounted on top of the box was a big red button covered by a removable transparent dome. A little while later they get a call from a gentleman who informs them that upon pressing the button they will get 1 million dollars instantly, and someone they don't know will die. The couple are struck with a horrible dilemma (not to mention a fiendish experiment in user interface design).

In my line of business I'm occasionally asked by a weathered customer “why do I keep getting all this spam?” and I've borrowed a metaphor from this Twilight Zone episode to explain: imagine you had a box with a button embedded in it, and every time you pressed that button you pissed-off ten thousand people who you don't know, but you were guaranteed at least one paying customer. Some ethical businessmen would get rid of that box, or lock it up and throw away the key, or put it in a safe and hold themselves never to touch it unless they were desperate.

But some people, for whatever reasons they have, will sit with the box in their lap and press the damn button again and again and again and again. That's spam. You press the button to send a mass mailing, and for every 10,000 people who mutter under their breath and delete it—and perhaps even swear never to do business with you—you'll get at least one paying customer.
- Someone You Don't Know, by Disenchanted

Up until about three years ago, spammers routinely offered 1-800 numbers in their promotional messages, and as a cranky subversive, I felt duty-bound to call these inbox trespassers on their nickel and torture the telemarketers who picked up. Ultimately, the collective backlash (and toll charges) connected with offering toll-free numbers drove UCE senders to drop 800-numbers, and instead send 'fill out this form for more information' URLs as a means to insulate themselves from direct contact with angry recipients.

But just as email users have gotten more savvy (most people no longer believe the 'unsubscribe here' link, recognizing that such links are largely ruses to confirm that an email address is active), so too have the senders; my inbox is now filled with subject lines that have deliberately-misspelled words designed to slip past filters (e.g. 'VI4GRA') and IP-address-only destination URLs (e.g. http://4.38.98.147).

Dig a bit further, and you'll find a shadow world of forged headers, phantom-forwarding telephone numbers and dummy websites, all designed to find that one-in-ten-thousand sucker willing to give financial information in response to a UCE, while dodging the wrath of the remaining recipients. Indeed, a search for 'Bulletproof Hosting' shows us just how far things have gone: Tecom's FAQ gives aspiring spammers step-by-step instructions for fraudulently hijacking free web-hosting services for 'throwaway' accounts, so they can switch from one provider to another as they get caught violating each provider's TOS.

We will host your domain name and redirect all your web traffic to any web address of your choice, using our special URL cloaking technique. Your domain name will always be displayed in the top URL address bar, so any web surfers won't see the actual “forwarded to” web address in their browsers. We will never shut you down, no matter how many complaints we receive!

Ever sent a complaint upstream to the hosting company of a spam-promoted site, and witnessed the site still operational months after your message? Now you know why.

The root problem of spam-fighting is that it is a reactive game; whitelists, filters, and blocklists all consume resources on the recipient end, while the spammer faces only the one-time fixed costs of an up-front investment and nearly-zero marginal costs to repeatedly invade your inbox.

But what if we could raise the costs related to spamming and obliterate the profitability of the spammer - drown out the money made from that one sucker with a deluge of bandwidth charges? What if we could inflict on every UCE sender what Dave Barry did to telemarketers?

Currently, the business model of the spammer is to send out a million emails, get 500 visitors to his site, and find five buying customers. Lather, rinse, repeat. What if we could subvert that model and drown every site he puts up with a million hits from non-buyers (forcing him to eat the related bandwidth costs) to acquire the same five buying customers?

As a non-programmer, I can only describe it in general terms - but to those of you who read this journal who are savvy about these things: how difficult would it be to write a web script/executable that goes through my junk-mail box, extracts all the spam-promoted URLs, and just pings all of them every 30 seconds as long as I am connected to the internet? Perhaps embed the program in a screen-saver, and encourage everyone to use it - quietly giving spammers exactly what they're asking for (traffic!) good and hard - effectively using DDOS to obliterate the profitability of UCE?

What would be the weaknesses of such a program - and what can we anticipate spammers will do in response?

Random thoughts on a Monday night ... but now, the bed beckons.