Fight Spam With Spam

David Black has a crazy idea that just might work. Accenture’s senior manager of security technology thinks the best way to cut down on spam is to spam back.

PDF DownloadIt’s certainly an idea worth trying, if only because nothing else seems capable of stopping the scourge of unsolicited e-mail that tries to hawk everything from home loans to anatomical enhancements.

The cost to U.S. companies is probably billions of dollars a year. Matthew Henry, an advanced technology architect at Greenville, S.C.-based capacitor maker KEMET Corp., says spam makes up between 12% and 20% of all e-mail traffic reaching his company’s mail gateway each month.

Now, AOL Time Warner, Microsoft and even the Direct Marketing Association are all lobbying the government for anti-spam laws. But don’t count on legislation to stop the technically inspired.

Even spam-blocking technology isn’t foolproof. Sure, Lotus Domino already does it and Microsoft Exchange e-mail servers will automatically check blacklists of Internet addresses reported as sources of spam. But spammers just move quickly to new addresses.

Filtering incoming content and attachments has its own hazards. Spammers increasingly put their messages in graphics to defeat older keyword filters. And word filters have trouble with a lot of language, often foreign. Michael O’Brien, the director of information technology for the Carnegie Endowment for International Peace, has had to turn off filtering entirely for some key employees to get all their important e-mails.

And Henry says when his company tested one filter, “within hours we got a ton of false positives.” That meant desirable mail went into the spam bucket. Henry would rather have the few spam messages that slip past his SpamCop, than lose customers in the process.

In the long run, the answer is to make creating spam too expensive or difficult.Thus, David Black’s modest spam-fighting proposal. Ironically, the source of his concept is a little piece of software spammers may have once used—AOHell, used to take advantage of code found on AOL subscription disks, to penetrate its network. AOHell was designed “to hoist AOL on the petard of the ubiquitous floppy disks,” says Black. Using AOL’s own sign-up software, AOHell would open accounts with the requisite name, address, phone number, ZIP code, and credit card number—”all of which were fictitious, but were consistent.”

Black’s proposal is to turn this sort of software against the Web sites of spammers—turning the economics of spam on its head. The software would run on a Web site where people could post the Web links embedded in spam they received.

Once the link to the spammer’s Web site was posted, the counterspam site would generate Web posts to the spammer’s site from supposed buyers. “His database would fill up with fictitious names,” says Black. To find real customers, he would first have to sort through hundreds of fake ones.

This would have a minimal impact on corporate Internet resources. All this activity would take place on a remote Web site, not a company Web site. For less effort than it takes to report an incident of e-mail abuse, such a site could put a huge burden on the systems of spammers. It could become the digital equivalent of being run out of town on a rail, tarred and feathered.

Internet service providers might not appreciate the idea, because it could essentially create a denial-of-service attack when spammers are pointing to their Web servers. This could mean breaking laws designed to protect service providers against digital vandalism and abuse.

The idea does cut to the heart of the problem, however. In order to really stop spam, it needs to become economically and technically unfeasible to use it. The only way to do so may be to spam the spammers.

Sean Gallagher is technology editor of Baseline magazine.
He can be reached at [email protected].