What is an FFB?

A Filter that Fights Back.

What would an FFB do?

Spider every url in each newly arrived spam, if the ip address of the server was blacklisted. Ideally the http requests would be spread over the lifetime of the spam-- the period during which "customers" respond to it. I suspect most responses occur within a couple hours of the spam being sent. It may be different for spams sent at night.

Could spammers make servers fast enough to handle the flood of http requests?

The hardcore spammers probably could. But not sites like AmericanSingles.Com.

What kind of bandwidth costs could FFBs generate?

If there were 100,000 FFBs, a spammer's site had a total of 100k of stuff in it, and each FFB crawled the site 10x per spam, this would generate 100 GB of transfer. At current rates for spam hosting that would cost the spammer about $1000-4000 per spam.

Introductory spam hosting plans have transfer limits well under 100 GB/month, so FFBs would shut down such sites before the "customers" had a chance to respond. In a world containing FFBs, it would be hard to get started as a spammer.

Couldn't spammers protect against crawlers?

They probably could, by putting invisible links in their pages. Anything that followed such a link must be a crawler and could safely be ignored. But the easiest way to protect against FFBs would be to include working unsubscribe links. This would be particularly necessary for small fry just getting started and "legitimate" sites that hire spammers to generate traffic. These would not have the infrastructure or expertise to protect against FFBs.

Wouldn't retrieving web beacons show your address was live?

Yes, so that might bring more spam. But it would also make web beacons stop working as an index of open rates. And you'd be clicking on unsubscribe links as well, which FFBs would make more popular.

Wouldn't this encourage people to send spams promoting sites that pay for clickthroughs?

If there are still sites that pay for clickthroughs, they must already have some way to protect themselves against people who generate traffic by spamming. So there would be no money in it.

This is a bad idea because it just uses up more bandwidth.

That's like arguing that we shouldn't have police, because in addition to all the losses caused by crime, we have people taken away from productive work to chase criminals. If FFBs make working unsubscribe links universal, the result is net less use of bandwidth.

I'm not proposing that FFBs should be used by people on dialup lines, just by users who have bandwidth to spare-- people at universities and corporations, and on DSL lines.

Isn't a denial of service attack on spammers illegal?

This one would be uncoordinated, and so distributed that no one client would have to submit too many http requests. I'm not proposing that a given filter hit a spammer's site with 10,000 http requests. More like a couple hundred, at most.

It would be hard for someone to claim you were mounting a DoS attack on them for submitting a couple hundred http requests. If a couple hundred requests is a DoS attack, then I have several times been guilty of DoSing eBay.

In any case, spammers like to keep a low profile. I can't imagine spammers, especially spammers based offshore, trying to invoke the protection of the law. They've probably already been victims of conventional DoS attacks, and I haven't heard of any of them doing this.

This could be used to DoS innocent victims.

That's the point of the blacklist. A site doesn't get pounded simply by being mentioned in a spam. It has to be mentioned in a spam and be on the blacklist.

How would blacklists be managed?

I'm not committed to one way of doing it. But I suspect it couldn't be entirely automated. Sites would have to be inspected by humans to protect innocent sites from being blacklisted.

If FFBs become a threat to them, spammers will try to give them a bad name by causing them to attack innocent victims. So blacklists should include ip addresses as well as domain names. Otherwise a spammer could switch the DNS record of a blacklisted site to point to an innocent victim.

Anyone running a blacklist should assume, by default, that any url mentioned in a spam is the victim of a Joe job, and only blacklist sites when, after inspection, this is clearly not the case.

Aren't blacklists prone to abuse?

Yes. To be honest, this is the weak link in this plan. A widely used FFB blacklist run by nuts like MAPS could do a lot of damage. And all blacklists seem to become corrupt eventually.

FFB blacklists are less dangerous than mail server blacklists, because being on the blacklist alone is not enough to cause a site trouble. You only get crawled when you're already on the blacklist, and a new spam arrives with your url in it. On the other hand, FFBs are going to be run by individual users, who will not be as discerning about the blacklists they subscribe to as ISPs are.

Couldn't spammers just sue or DoS the blacklist?

To protect against DoS attacks, the blacklist might have to be distributed through a p2p network.

I don't think lawsuits would be much of a threat, though. A blacklist of spamvertised sites could legitimately claim that it wasn't intended specifically for use by FFBs. There's a genuine need for such blacklists to aid in spam filtering. To evade filters, spammers now change their domain names regularly. When a filter sees a domain name for the first time, it would be very helpful if there were a list it could check to see if other users had reported spams containing it.

If FFBs happened to use this list too, well, that would be done without the knowledge of the administrators, just as those naughty "affiliates" are spamming without the knowledge of the sites they send traffic to.
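The filter-side lookup described above, combined with the earlier point that list entries should carry ip addresses as well as domain names, as an added example that is not from the original essay. The list entries, the offline DNS table and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample blocklist: each reported domain is pinned to the IPs a
# human inspector saw it hosted on (documentation-range addresses).
BLOCKLIST = {
    "pills.example": {"203.0.113.10"},
    "loans.example": {"203.0.113.77", "203.0.113.78"},
}
# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "www.pills.example": "203.0.113.10",
    "loans.example": "198.51.100.5",  # record now points somewhere else
    "shop.example": "192.0.2.44",
}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def hosts_in(message):
    """Distinct lower-cased hostnames of the http(s) URLs in a message."""
    hosts = []
    for url in URL_RE.findall(message):
        try:
            host = (urlsplit(url).hostname or "").rstrip(".").lower()
        except ValueError:  # malformed authority, e.g. an unclosed "["
            continue
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def listed_domain(host, blocklist=BLOCKLIST):
    """Return the listed domain that host equals or is a subdomain of."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def classify(host, resolve=FAKE_DNS.get, blocklist=BLOCKLIST):
    """'listed' only if the domain AND its current IP match an entry;
    'ip-changed' means the name is listed but resolves elsewhere, so it goes
    back for human inspection; 'unlisted' means no report exists."""
    domain = listed_domain(host, blocklist)
    if domain is None:
        return "unlisted"
    return "listed" if resolve(host) in blocklist[domain] else "ip-changed"

def check_message(message):
    return {host: classify(host) for host in hosts_in(message)}
```

A domain whose DNS record has been repointed comes back as "ip-changed" rather than "listed", so the address it now resolves to is never treated as the reported site.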

Wouldn't this miss spammers using Migmaf-style proxies?

Yes. But if we drive spammers to use such measures to survive, I think we'll drive a lot of them out of business. Writing viruses seems to be taken more seriously by the criminal justice system than forging headers. I think many current spammers wouldn't take the risk.

What about spammers breaking into people's web servers and using them to redirect?

This wouldn't help them. FFBs would still interfere with the spammers' "customers".

What about spammers using redirects off sites like Geocities?

Such spams are rare, probably because Geocities has figured out how to prevent spammers from using them for this purpose. Hosting services that hadn't figured this out would soon learn.

Why have email as part of the system? Why not just have a blacklist of spam sites and encourage people to beat on them?

Several people have written suggesting a "DDoS@Home" project of this type. (Two correspondents who shall remain nameless simultaneously invented this catchy name.) But I think mail should remain in the system for two reasons: (a) it tells you which sites to pound, and when, and (b) if you included it as part of a filter, you could get more users.

On the other hand, if some group managed to launch a DDoS@Home project aimed at spammers, that would be enormously amusing. I'd sign up for it.