
May 17, 2005

Yet Another Stupid "Make Spammers Pay" Scheme

Apparently, not only do journalists pay no attention to ideas that have been proposed numerous times in the past, or to how and why they've been shown to be completely unrealistic, but they also report them as "novel" when proposed (again) by yet another professor, as in the case of this professor from the Boston University School of Management, who proposes that spammers pay you for the time and energy they already steal.

Why anyone thinks this is a practicable idea is beyond most people with any experience of spammers' tactics, who have seen for years that they have no intention of paying for what they can steal. And yet, the idea keeps getting proposed, by Microsoft, by IronPort, by many others. The article does, at least, mention these schemes, so perhaps the above criticism of the journalist is unwarranted, but the basic idea - that somehow spammers will accept an economic burden in order to even the balance in what is now essentially a theft of service at best - is still unworkable, unlikely to succeed, and mere mental masturbation by people who should know better.

On the other hand, sendmail 8.13 has a feature called "greet_pause" which has been remarkably effective here against the worst of the zombies (and, unfortunately, against several broken mail server implementations, which we have had to whitelist). The server waits a specified amount of time before issuing the SMTP "greeting" and rejects delivery attempts from clients that do not wait for that greeting before trying to spew forth their abuse, in direct violation of the relevant RFC; since enabling it, we've seen the burden of blocking shift from our own local tactics to the greet_pause feature. The tactic now accounts on average for over 40% of rejected inbound mail delivery attempts here, more than three times what the DNSBLs are blocking. Surely the spammers will adapt, so this is merely a temporary lull, but it's an incredibly effective one for all that.
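To make the mechanism concrete, here is a greet_pause-style check written for this post as an added example (it is not sendmail's code); it assumes a half-second pause, a constructed whitelist address, and loopback sockets for the demonstration.

```python
import socket
import threading

# Constructed values for the example: sendmail's greet_pause takes a delay in
# milliseconds and takes exemptions from the access map; this demo hard-codes both.
PAUSE_SECONDS = 0.5
WHITELIST = {"192.0.2.10"}   # a "broken but legitimate" relay we exempt

def greet_pause_verdict(conn, peer_ip, pause=PAUSE_SECONDS, whitelist=WHITELIST):
    """Delay the 220 banner; 554 any client that speaks before it (RFC 2821
    says the client must wait for the greeting). Whitelisted peers skip it."""
    if peer_ip not in whitelist:
        conn.settimeout(pause)
        try:
            early = conn.recv(1)       # any byte here is pre-greeting traffic
        except socket.timeout:
            early = b""                # silence for the whole pause: well behaved
        if early:
            conn.sendall(b"554 5.7.0 rejecting commands sent before greeting\r\n")
            return "reject"
    conn.sendall(b"220 mx.example.test ESMTP ready\r\n")
    return "accept"

def exchange(slam, whitelist=WHITELIST):
    """One server/client round on a loopback port; returns (code seen by
    client, server verdict). slam=True makes the client talk first."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    verdict = []
    def server():
        conn, addr = srv.accept()
        with conn:
            verdict.append(greet_pause_verdict(conn, addr[0], whitelist=whitelist))
    t = threading.Thread(target=server)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        if slam:
            c.sendall(b"EHLO zombie.example.test\r\n")   # talks before the banner
        code = c.recv(128).decode().split()[0]
    t.join()
    srv.close()
    return code, verdict[0]

if __name__ == "__main__":
    print("patient client:", exchange(slam=False))   # ('220', 'accept')
    print("slamming bot:  ", exchange(slam=True))    # ('554', 'reject')
```

Passing `whitelist={"127.0.0.1"}` to `exchange(slam=True)` shows the exemption path: the misbehaving but whitelisted peer still gets the 220 banner, which is the trade-off the broken mail servers mentioned above force on you.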

Unfortunately, we implemented greet_pause here at around the same time that a certain group of spammers decided to launch a German-language spam run (spewing right-wing, nativist invective) via the latest Sober virus infestations, and a different group of spammers decided to use one of our domains in a joe job, so even though we're dealing with less direct spam thanks to greet_pause, we're dealing with a massive rise in outscatter.

Somehow, the idea that the criminals in either case will agree to be "bonded" in a way that compensates me and my users here for the resources they're already quite content to steal, or for the potential damage to the reputation of the domain being forged in the joe job, or that it will somehow charge the admins responsible for the several thousand mail servers so badly misconfigured that they redirect bounces from spam they've already accepted (instead of rejecting it during the SMTP conversation) to us, the innocent victims, is laughably insufficient and lacks a real-world perspective on the matter. If they're already thieves, why would they suddenly reform in a way that exposes them to massive liabilities? How would a bonding scheme announced in the US somehow apply to criminals in Russia?

The sad, but obvious, answer is it can't.

The primary stumbling block is that the infrastructure needed to support micropayments for spam is non-trivial and implementing it so that established players don't feel threatened or ignored won't be easy.

No, the primary "stumbling block" is that such schemes rely on a fantasy in which the entire Internet, or at least the entire mail system, is re-architected to allow for it. While it may be fun to suggest that if gravity were only 5% less powerful, we could fly, it doesn't change the fact that gravity isn't likely to change in response to our wishes.

Posted by schampeo at May 17, 2005 2:12 PM