Journal shanen's Journal: How the spammers almost nuked Rosetta@home

Not that they meant to. Just more of their collateral damage. Let me explain:

It seems that the DNS problem was ultimately due to increased security for domain registrations. The driver for making the domain registration process more secure is that spammers and various other cyber-criminals need domains to abuse. I'm going to lump all of them under the tag "spammers" because the spammers were the first cyber-criminals and because I really HATE spam. Also, I believe that spamming was the entry point (gateway drug?) for most of them, the first step in losing their souls, so to speak, as well as the source of most of their seed capital.

They abuse their domains in MANY ways. You probably know that 419 spammers like to use bulletproof domains to harvest their suckers. The anti-Google PageRank attackers want vast networks of controllable domains for the links they can create.

However, in the case of BOINC the threat of a hijacked domain for ANY project is vastly greater. I know it's hard, but imagine there is a bug in the BOINC client. Imagine that bug allows a downloaded work unit to hijack (AKA pwn) the computer. Now imagine that the spammer hijacks the project's domain and captures ALL of the client computers for his zombie network. This spammer now "owns" the most powerful spam-generation system in the world and could probably DDoS attack the Pentagon with his spare cycles.

As a sort of sick joke, I sort of blame Al Gore. If he hadn't been so competent and effective in giving the nice creators of the Internet all that nice money, then maybe they would have considered real-world economics in the design. SMTP didn't have to assume the world is full of nice people who deserve "free" email. (No such thing, per my sig.)

Solution time? Really hard to get all of the worms and cats back into the bag now, but focusing just on email, I think there are two basic approaches. I used to advocate for a non-SMTP-based email system with tracking that would automatically slow down the spammers so their marginal costs would rise to infinity from the present zero, but now I think it's too much trouble.

Instead, what I would like now is an anti-spammer tool that would let nice volunteers donate bits of their human time towards breaking the spammers' economic models. Actually the same tool could be extended to fight against most kinds of cyber-crime, and I still think most people are nice, notwithstanding how much the spammers seem to outnumber us. One implementation would be as a "Fight spam" button added to an online email system (such as Gmail).

If you choose to be a good Samaritan, then it would parse your suspected spam and let you confirm the analysis in a webform. There would probably be several rounds of iteration, where you would adjust and correct the analysis and help select the best countermeasures and their priorities.

As the joke goes, lots of details available upon polite request. Even better if you have a stronger and more constructive alternative.
