
[Asrg] Eye for an eye: DDoS against spammers

2003-03-23 07:15:08
Though I'm not an advocate of "eye for an eye" mentality, it may just work
with spammers.

For example, a spammer sends out 1 million emails of which only a fraction
are received by real and active accounts, read, and either determined to be
spam by a content filter (not ideal) or manually designated as spam
(unwanted and unsolicited) by the recipient. Let's say 10000 of these spam
reports come back from users.

Most spam messages have a call to action to visit a URL or call a phone
number.

URL DDoS: If, say, 10000 reports share the same URL (see #3 below), then
those users each receive back word (see #4 below) to institute a distributed
denial of service (DDoS) attack against the URL they were originally given.
Each user hits the site, say, 77777 times so that the site gets over 777
million hits.

Phone DDoS: If, say, 10000 reports share the same phone number, then
users in the local area (in the U.S., local calls are free) who have modems
institute a DDoS by dialing up the number 77 times and playing an audio
message describing why the DDoS is occurring. This number is smaller, since
it doesn't take 77777 times per user to cause DDoS on phones.

Issues with the idea:

1. Is it legal for this to occur in all or many countries? For example,
would it be considered legal harassment for a user to have her computer call
a number several times if the number were provided as discussed?

2. How would you stop someone from framing someone else? If an unscrupulous
company wants to hurt their competitor, they could send out spam on behalf
of that competitor, with links or phone numbers back to their competitor.
The retribution ratios above (77777x for URL and 77x for phone) should be
chosen to compensate for true business that might be earned by the mailing.
Therefore, the competitor would both gain and lose equally by the actions of
its unscrupulous foe. That's why I prefer user designation of spam rather
than content filters, since otherwise spam emails could be crafted to make
the competitor lose much more than gain. Also, before doing a phone DDoS, at
least a few users should call to verify that the company that answers the
phone number actually purveys the spammed goods or services.

3. How do you compare URLs? Obviously, many URLs have path or query-string
values that make each unique, and even the subdomain may be generated (i.e.
werowobirwub.<spamdomain>.com). Therefore, I think that each user should
make a handful of nslookups on their local DNS to get the IP of the targeted
machine, and get a list in case there are multiple A records (several IP
addresses for a single domain). However, the DDoS hit goes back to the full
URL, so that if spammers are operating from shared servers, the service
operators will know who to kick off their system.

4. Instructions to institute a DDoS attack need to be authentic. When users
send a spam report to their local I4I (eye for an eye DDoS system)
server, they include a message encrypted using that user's public key. The
encrypted message is returned to the user with the DDoS instruction, and the
user only considers it authentic if they can decrypt the included message
with their private key.

5. What are the rules for I4I (eye for an eye DDoS system) servers? First,
there's not just one global server; there are many local ones just like DNS.
An I4I server needs to support enough users (or work with other I4I servers
to have enough combined users) to adequately tally up spam from individual
sources. A tuned number of spam messages would need to come within a tuned
timeframe (i.e. 24 hours) from a particular source (same URL IP - #3 above,
or same phone) before the contributing users are instructed to attack. The
attack is proportional to the spam received (77777x or 77x).
What other issues can you think of? Feedback?

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg