What is an FFB?
A Filter that Fights Back.
What would an FFB do?
Spider every url in each newly arrived spam,
if the ip address of the server was blacklisted.
Ideally the http requests would be spread over the
lifetime of the spam-- the period during which
"customers" respond to it. I suspect
most responses occur within a couple hours of the
spam being sent. It may be different for spams sent at
Could spammers make servers fast
enough to handle the flood of http requests?
The hardcore spammers probably could. But not sites like
What kind of bandwidth costs could FFBs generate?
If there were 100,000 FFBs, a spammer's site had a total of
100k of stuff in it, and each FFB crawled the site 10x per
spam, this would generate 100 GB of transfer. At current
for spam hosting that would cost the spammer
about $1000-4000 per spam.
Introductory spam hosting plans have transfer limits
well under 100 GB/month, so FFBs would shut down such sites
before the "customers" had a chance to respond. In a world
containing FFBs, it would be hard to get started as a spammer.
Couldn't spammers protect against crawlers?
They probably could, by putting invisible links in their pages.
Anything that followed such a link must be a crawler and could
safely be ignored. But the easiest way to protect against
FFBs would be to include working unsubscribe links. This would
be particularly necessary for small fry just getting started and
"legitimate" sites that hire
spammers to generate traffic.
These would not have the infrastructure or expertise to protect
Wouldn't retrieving web beacons show your address was live?
Yes, so that might bring more spam. But it would also make
web beacons stop working as an index of open rates. And
you'd be clicking on unsubscribe links as well, which FFBs
would make more popular.
Wouldn't this encourage people to send spams promoting sites
that pay for clickthroughs?
If there are still sites that pay for
clickthroughs, they must already
have some way to protect themselves against people who
generate traffic by spamming. So there would be no money in it.
This is a bad idea because it just uses up more bandwidth.
That's like arguing that we shouldn't have police, because
in addition to all the losses caused by crime, we have
people taken away from productive work to chase criminals.
If FFBs make working unsubscribe links universal,
the result is net less use of bandwidth.
I'm not proposing that FFBs should
be used by people on dialup lines, just by users who have
bandwidth to spare-- people at universities and corporations,
and on DSL lines.
Isn't a denial of service attack on spammers illegal?
This one would be uncoordinated, and so distributed that no one client
would have to submit too many http requests.
I'm not proposing that a given
filter hit a spammer's site with 10,000 http requests.
More like a couple hundred, at most.
It would be hard
for someone to claim you were mounting a DoS attack
on them for submitting a couple hundred http requests.
If a couple hundred requests is a DoS attack,
then I have several times been guilty of
In any case, spammers like to keep a low profile.
I can't imagine spammers, especially spammers based
offshore, trying to
invoke the protection of the law. They've probably
already been victims of conventional DoS attacks,
and I haven't heard of any of them doing this.
This could be used to DoS innocent victims.
That's the point of the blacklist. A site doesn't
get pounded simply by being mentioned in a spam. It has
to be mentioned in a spam and be on the blacklist.
How would blacklists be managed?
I'm not committed to one way of doing it. But I suspect
it couldn't be entirely automated.
Sites would have to be inspected by humans
to protect innocent sites from being blacklisted.
If FFBs become a threat to
them, spammers will try to give them a bad name by causing
them to attack innocent victims.
So blacklists should include ip addresses as well as domain names.
Otherwise a spammer could
switch the DNS record of a blacklisted site to point to
an innocent victim.
Anyone running a blacklist should assume, by default, that
any url mentioned in a spam is the victim of a
and only blacklist sites when, after inspection,
this is clearly not the case.
Aren't blacklists prone to abuse?
Yes. To be honest, this is the weak link in this plan.
A widely used FFB blacklist run by nuts like MAPS could
do a lot of damage. And all blacklists seem to become
FFB blacklists are less dangerous
than mail server blacklists, because being on the blacklist
alone is not enough to cause a site trouble. You only get
crawled when you're already on the blacklist, and a new
spam arrives with your url in it. On
the other hand, FFBs are going to be run by individual users,
who will not be as discerning about the blacklists they
subscribe to as ISPs are.
Couldn't spammers just sue or DoS the blacklist?
To protect against DoS attacks, the blacklist might have to
be distributed through a p2p network.
I don't think lawsuits would be much of a threat, though.
A blacklist of spamvertised sites could legitimately claim
that it wasn't intended specifically for use by FFBs.
There's a genuine need for such blacklists to aid in spam
filtering. To evade filters, spammers now change their
domain names regularly. When a filter sees a domain name
for the first time, it would be very helpful if there
were a list it could check to see if other users had
reported spams containing it.
If FFBs happened to use this list too, well, that would be
be done without the knowledge of the administrators, just as those
naughty "affiliates" are spamming without the knowledge of the
sites they send traffic too.
Wouldn't this miss spammers using Migmaf-style proxies?
Yes. But if we
drive spammers to use such measures to survive, I think we'll
drive a lot of them out of business. Writing viruses
seems to be taken more seriously by the criminal justice
system than forging headers. I think many current spammers
wouldn't take the risk.
What about spammers breaking into people's web servers and
using them to redirect?
This wouldn't help them. FFBs would still
interfere with the spammers' "customers".
What about spammers using redirects off sites like Geocities?
Such spams are rare, probably because Geocities
has figured out how to prevent spammers from using them for
this purpose. Hosting services that hadn't figured
this out would soon learn.
Why have email as part of the system? Why not just have
a blacklist of spam sites and encourage people to beat on them?
Several people have written suggesting a "DDoS@Home" project
of this type. (Two correspondents who shall remain nameless
simultaneously invented this
catchy name.) But I think mail should remain in the system for
two reasons: (a) it tells you which sites to pound, and when,
and (b) if you included it as part of a filter, you could
get more users.
On the other hand, if some group managed to launch a DDoS@Home
project aimed at spammers, that would be enormously amusing.
I'd sign up for it.