15.8.08

On the Offensive Against Spam

Sorry for another spam-related post, but I had another thought which didn't seem related enough to merit an edit. Boing Boing's coverage of Scamorama, Eve Edelson's book on "scam baiting", made me wonder: why don't we take a similar approach with spam in general?

One simple idea would be to give the spammers what they want. Imagine this scenario: a spammer sends out a million emails, expecting a click-through rate of 0.1%, or a thousand visitors. Any old server should be able to handle this load with relative ease, assuming the visits are spread out a little. But it takes a decent server to handle a million visits, not the kind of server a spammer is running (hopefully). If email clients, rather than simply discarding spam emails, automatically opened every link in those emails, it would create a server load on spammers proportional to the amount they sent.

This does make it simpler to execute denial-of-service attacks, in which servers are intentionally overloaded with requests in order to deny service to their legitimate users. One workaround for this is a whitelist/report system, where an email client won't auto-open links to legitimate websites and where people can report email attacks of this kind to put the linked site on a whitelist. Another solution would be to have a waiting period during which linked site administrators should be contacted, but that also has the downside of being annoying, as well as requiring some way for webmasters to provide contact information.

Another solution is similar to that described in this post at philosecurity: use social engineering to take down spammers directly. While taking down spammers who comply with the law (CAN-SPAM and similar) may put you in a questionable legal situation, taking out illegally operating ones, especially those who rely on botnets, is likely to be overlooked. The government (or Google, or Microsoft, or whoever) could pay professional hackers to work on seeking out and destroying these botnets, as well as hiring investigators to find and prosecute spammers. Sure, there are things which are higher-priority, but it seems like it would probably be financially feasible for someone, especially considering the increased network activity and processing power required by spam filters.

Spammers are more like mafiosos than street robbers. Thieves are usually unpredictable; you have some people who steal frequently, but most do it occasionally or even only once. The main lines of defense against thieves are locks, lights, and 911, because you can't really do much to predict them. But with organized crime, the opposite is the case; you bring it down by investigating it, recording it, and finally taking it out with a bang. You hunt the mafia.

Why don't we hunt spammers?
