While doing some research for my upcoming PhD project, I went through some of the articles on Paul Graham’s web site. He is the person who first suggested using Bayesian networks for spam detection and is thus responsible for one of the major breakthroughs in spam fighting, one that we still use with much success today.
For “fighting back” at spam, he also suggested “Filters that Fight Back”, i.e. filters that automatically retrieve spamvertised URLs in order to increase resource consumption on spammers’ infrastructure. Even from its original 2003 perspective, this approach seems a bit flawed to me, since I can’t imagine a way to avoid “joe jobs” hitting innocent targets and other collateral damage. Essentially, what he is proposing is a DDoS, with all the fallout. For instance, spammers regularly use (and did use in the past) sites like blogspot.com, live.com and hacked forums to advertise their v|4gr4 and the like. Although from a very orthodox point of view this abuse makes Microsoft (and whoever owns blogspot) spam hosters, they are essentially as much victims of such behavior as the spam recipients are.
However, my actual point is a different one. When Paul wrote the article, spam botnets like Storm, Kraken et al. didn’t exist in the form they exist in today. Nowadays, if your spam filtering host (or your actual MUA) retrieves a spamvertised URL, it does an HTTP GET to a compromised client machine whose owner does not even know about it. Thus, the owner (i.e., the “spam hoster”) becomes your target. By slowing down their network connection, you make them a victim of the spam that their own machine sent.
Now comes the question: Isn’t this still a legitimate approach? Could mass retrieval of botnet-advertised spam web sites still make a difference? In our days of flat-fee internet access, the offender (i.e. the person with the hacked, spamming client machine) does not incur monetary losses from massed HTTP requests to their web server. But their upstream ISP will. Would the additional traffic caused by massively downloading spamvertised web sites be sufficient to make ISPs cry foul and cut off offending end users? After all, they don’t give a rat’s ass about the outgoing SMTP traffic, and most hardly care about incoming complaints.
Even if dial-up ISPs are not willing to cut off offenders, would the affected end users notice a difference? Would their net connection become so slow that they’d start to investigate? I would imagine that as soon as your machine is a botnet slave, your QoS goes down the drain anyway, but then I never was one of these slaves, so I don’t have any firsthand knowledge.
What do you think? Is this a valid approach? Is it a legitimate one? Is it a feasible one? And: Will it make any difference?