Slashdot forum on the announcement that bluesecurity is getting out of the spam-fighting business. Some of the juicier comments:
Which brings us right back to a centralized server in the first place. As long as everything has to pass through a single choke point (or even a small number of them), they are susceptible to the same DDOS attack. If there is no authoritative verification, you essentially just created a P2P DDOS system that the spammers/organized crime/anybody can (and will) readily abuse. Therin lies the rub.
Most of the ISPs are now large telcos and cable companies who hire support staff at would-you-like-fries-with-that wages. They don’t have the capacity or the incentive to disinfect a zillion Windows boxes. It’s much cheaper to buy a bigger pipe. Of course, Microsoft owns the root problem. They sold a supposedly consumer-grade operating system that consumers can’t maintain. Windows needs a dialog box that says, “You computer has been invaded by evil fuckwads. Would you like to kick them out?” where the two choices are “Yes” and “Ok”.
The other co-dependent in spam are the credit card companies. They make a killing off of the tranaactions. If VISA were to pull the plug on any company that allows their account to be used by spammers we would see an instant end to spam. Call up your bank and ask why they allow their visa acounts to be used for spam.
Personally I’m waiting for Google to step in, collect the pieces of Blue Security, then offer it as an automatic feature built into gMail. Spam gMail (x million accounts), someone checks that it really is spam, and then the spammer effectively gets a message saying “Stop spamming Google customers”. Ignore it, and that’s x million identical requests sent by one mother of a system.
Finally, a sobering article by Mark Pilgrim. It’s old but still relevant:
It’s a full-time job, and everyone will hate you, and it still won’t work. Spammers are smart and determined, and people are numerous and stupid, and spam pays. You can’t make it not pay. Going after their ISPs won’t help; they’ll auto-register somewhere else. (Already happening.) Going after their upstream provider won’t help; they’ll cut deals with the backbone providers and keep going. (Already happening.) Going after them in court won’t help; they’re already living under friendly governments. (Already happening.) You can’t stop them with Turing tests; they’ll hire child workers to read your images and manually register/post/ping/trackback/whatever. (Already happening.) Then they’ll attack you with the power of 100 million owned Windows boxes and knock you off the Internet. (Already happening.) They will keep coming and coming and coming until you give up, go home, cry uncle, take Prozac, get a regular day job to replace the one you quit when being an anti-spammer became your full-time job.
I don’t know enough about the problem or the financial costs to have a serious opinion. However, I expect blue frog supporters to rise again, this time with a better plan of attack (or even a noncommercial motive). I worry about South Korea and China. I shudder to think of the hundreds of thousands of future zombie webservers coming online every year, most being run by amateurs like myself.
I like the idea of ISP’s quarantines zombie servers into subnets that block smtp, although surely spammers could find more friendly ISP overseas. (It also boils down to Walmart-style cost-cutting: the lower cost a webhosting service is, the less likely you are to adopt zombie prevention measures.
From a user perspective, perhaps the email spam problem may simply mean more reliance on web-based emails rather than desktop clients. As an aside, I’m interested in phishing techniques on the subject line: how do you get people to open an email purely on the basis of the subject line (The question of eye-grabbing headlines is important to any journalist as well).
On another note, my apartment is being overrun by a different species of vermin: roaches!