By Martin Brampton, 2 August 2005 07:00
COMMENT The very thing legislators are outlawing - denial of service attacks - could be the only tool we have in fighting anti-social behaviour on the web. Could this be a case where the law is not the answer, asks Martin Brampton.
Last week it was reported that a Russian spammer had been beaten to death. My views on appropriate penalties for internet 'crimes' are still ambivalent. Especially as I am sometimes sorely tempted to commit them myself.
The stream of email scams is little more than an irritant, although it seems enough people fall for them to make them financially viable. Usually they can be filtered out quite easily, and one wonders why ISPs do not do more to eliminate them closer to source, freeing up bandwidth for more useful purposes.
But it is attacks on a wiki that have upset me. Part of my website uses the very neat wiki technology to provide documentation as a collaborative venture. Anyone can add to it, correct it or extend it. This is very much in the spirit of open source. Clearly one could use a system that required registration with login and password. The ability to just come along and contribute an improvement without any barriers is part of the appeal, though.
Unfortunately, such an open system is an irresistible attraction to some people. Spammers are no longer an undifferentiated group, and wiki sites attract the 'link spammers'. Their automated bots look for wiki sites and insert large numbers of links, usually to gaming or porn sites. The aim is to improve their search engine rankings.
There are ways to resist this without spoiling the openness of the wiki. The wiki can use HTML to instruct the search engines not to take account of a document for at least 24 hours, by which time the damage has usually been undone. The spammed links are retained on the site as history but the wiki software can nullify the links so that the text remains but no longer points anywhere. Sadly the spammers are not so picky as to worry about their bots wasting effort in this way.
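As an added illustration of the two measures just described (this is not code from the author's wiki or from any particular wiki package), the sketch below emits a robots meta tag that keeps a page out of search indexes until its latest edit is 24 hours old, and strips the `href` from links when rendering a historical revision. The function names, the `nulled-link` class and the sample markup are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# "At least 24 hours" from the text; the constant name is hypothetical.
QUARANTINE = timedelta(hours=24)

# Simplified anchor matcher for the example: quoted http(s) hrefs only.
LINK_RE = re.compile(
    r'<a\s[^>]*href=["\'](https?://[^"\']+)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)

def robots_meta(last_edit, now):
    """Tell crawlers to ignore the page while its last edit is still fresh."""
    if now - last_edit < QUARANTINE:
        return '<meta name="robots" content="noindex,nofollow">'
    return '<meta name="robots" content="index,follow">'

def nullify_links(html):
    """Keep the anchor text but drop the link target entirely."""
    return LINK_RE.sub(
        lambda m: f'<span class="nulled-link">{m.group(2)}</span>', html
    )

def render(revision_html, last_edit, now, is_current):
    """Current revisions keep working links; history pages get nulled links."""
    body = revision_html if is_current else nullify_links(revision_html)
    return (
        f"<html><head>{robots_meta(last_edit, now)}</head>"
        f"<body>{body}</body></html>"
    )

if __name__ == "__main__":
    # Constructed sample: a spammed revision that was later reverted.
    now = datetime(2005, 8, 2, 12, 0, tzinfo=timezone.utc)
    spam = 'Docs <a href="http://spam.example/casino">cheap chips</a> here'
    print(render(spam, now - timedelta(hours=3), now, is_current=True))
    print(render(spam, now - timedelta(hours=30), now, is_current=False))
```

A spammed edit that is reverted within the window never becomes indexable with its links live, and the copy kept in history carries the text without any link for a crawler to follow.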
Now the temptation that comes my way is that when the link spammers mess up my wiki, they leave a record of the IP address from which they operated. Often, I block that address from further access to my web server. It is tempting to go further, and if I had the resources to launch a denial of service attack against the websites promoted by the link spammers, would I be able to resist?
There is little point in attacking the IP addresses from which the attacks come, since they are most likely to be ordinary computers that have been subverted unknown to their users. But in the nature of things, link spammers have to disclose the websites that are being pushed. At least in theory, two can play at that kind of game.
Armies of subverted computers are available through highly dubious sources. Would I be able to use Google to search for 'denial of service attack service' and be put in touch with their controllers? Presumably, I would finish up dealing with someone like the dead Russian spammer. Quite apart from the doubtful company I would be keeping, there is the issue that governments seem keen to make denial of service attacks a criminal offence.
That probably does not concern Russian gangsters too much but it would certainly be a deterrent to me. Yet that makes me wonder if legislation in this area is too much of a blunt instrument. Almost anything can be used for good or ill, and denial of service attacks are no exception. Surely it would only be justice if sites that promote themselves by defacing other people's websites found themselves subjected to attack?
While governments look unlikely to take effective action against spamming, either through emails or web links, it seems unfair to invoke criminal sanctions on the one thing that would be a means of retaliation. After all, it should take only a few counter attacks to force the ISPs to take more action against anti-social behaviour on the internet. That would be better than any amount of criminal legislation.

Comments
There are 7 comments.
1. Neil Schwartzman
I posted this recently to an anti-spam discussion group:
"
with all of these spammers dropping off of late ... especially this Russian guy who got unbelievably lucky on a Saturday night and brought two Natashas home for a quick bout of getting beaten to death before having sex, you have to wonder if the spammers are now looking at us with some new respect and a bit of apprehension.
I say we cultivate a real badass persona:
Spamcop converts to a logo featuring a .44 Magnum
CAUCE begin to fly the skull and crossbones ...
Brightmail could change their name to DeathToSpammersMail
We could leak rumours about when Smell-o-vision comes into being, we'll be sending out genetically-modified stinky viruses of our own that will only infect those who deal in illicit mail.
Have Steve 'Spamhaus Project' Linford move from a 'houseboat' (far too wimpy) to a refurbished SWIFT Boat.
And lastly, throw support the BlueSecurity people with the power of Akamai.
"
This was meant as a parody. Apparently your writer has some terribly misguided ideas with uncomfortable synchronicity with my joke post.
First off, two wrongs never make a right. Anti-spammers are the whitehats - any 'counter attack' can only hurt our professional credibility profoundly, and to our detriment. To suggest death as a penalty for email is well beyond the ken, and lacking any kind of perspective.
Secondly, as to the all-too-common tactic of dismissing legal approaches in lieu of technical solutions, I have to say the techies have had a decade to find the ultimate solution to spam. My personal spam load has doubled every year since 1996. The technical solution has failed miserably.
I'd urge you to take a look at the Australian legal model <http://www.noie.gov.au/>, which put severe penalties onto spammers, wherein their problem all but dried up. Even the much-maligned CANSPAM act in the U.S. has seen some initiatives with middling results; and American spammers moving offshore to places with no such laws - like, unfortunately, Canada. <http://www.spamhaus.org/sbl/listings.lasso?isp=telus.com>
Carefully crafted laws that are applied stringently, along with public education and technologic solutions are what is needed - it is not an either-or situation.
What is either or is not negotiable - any illegal act by anti-spammers will bring disrepute upon us all, and besmirch the good work we have been doing for a dozen years. I won't have any of it. The dDOS of BlueSecurity is so inane that they have lost a handful of connectivity providers since they came up with their harebrained scheme.
For a more rational approach, I suggest you take a look at what we are proposing to do in Canada: http://stopspamhere.ca
And drop the hyperbole. Death to spammers? Get a grip.
2. Randy Cowpoke
You could always do a WHOIS and complain to their hosting company. That's what I would do.
3. Derek
I'm not too familiar with the Wiki software other than wikipedia but surely you could use a system similar to name server registrations and other sites where you have to type a graphically displayed code that can't be read by bots but can be by humans. No user/password required just that you're a human sitting at a PC.
I think where software gets deluged in ways such as this the primary fault is the software design not the spammers that abuse it.
People in enough numbers will abuse anything if it's open to them. It's up to the industry to stop it from being possible rather than chasing or deterring the culprits because you'll never get them all and the idiots are multiplying every day.
4. Claes T
"it seems unfair to invoke criminal sanctions on the one thing that would be a means of retaliation."
So, you think the spammer level of action is good enough for you and too good to be declared illegal? Your choice. But I don't care if an attack is made with the best of intentions or not - abuse is abuse, and the one committing abuse is an abuser, legal or not. Pick your choice, stay clean or join the abusers' ranks - but personally, I hope you'll manage to resist after letting out some steam.
5. Matt R
To solve the human/bot problem with your wiki, here's an article (from the wikipedia!) about an approach to consider:
http://en.wikipedia.org/wiki/Captcha
"A captcha (an acronym for "completely automated public Turing test to tell computers and humans apart") is a type of challenge-response test used in computing to determine whether or not the user is human."
6. anonymous
So what happens when someone who doesn't like a company does a "Joe Job" on them and spams your wiki in their name? Are you going to be able to ID the real spammers?
7. John
Early in 2003 or 2002, there was a federal bust of a major spammer in the US, and the amount of spam in my mailbox dropped by 25 or 30 percent. But the amount has risen back to about where it was. This means that the federal govt has NOT been using the anti-spam laws on the books to crack down on spam, when they could be doing so. We taxpayers aren't getting our money's worth from the Bush Justice Dept.