Ah, it's harvest time and the crops are in — but we can still hear the
buzzing and whirring of the harvester robots that are sucking e-mail addresses
off Web sites across the Internet.
Most Net users aren't aware that spammers use software programs called
harvesters to gather the hundreds of millions of e-mail addresses they spam.
These automated programs, known as bots, scour Web page after Web page at high
speed, looking for anything containing an "at" sign (@) that might be an
e-mail address.
Now a group of white hats is riding across the prairie to take a bite out of
spam. They reckon they can make harvesters too risky for spammers to use.
Allow me to explain.
Poisoning The Harvesters
The effort is called Project Honey Pot, a service of Unspam LLC, an anti-spam
firm that consults with private companies and governmental agencies. The
project is designed to identify — and then take legal action against
— people who are using harvesting bots:
• Here, Kitty, Kitty.
The heart of Project Honey Pot is a campaign to place "spam trap" e-mail
addresses on thousands of sites across the Internet. These special decoy
addresses, which are unique from page to page, have been used for years
by anti-spam services to collect spam and tag the senders as spammers.
But Project Honey Pot plans to attack the spam industry before spam messages
are actually sent out — when the victims' addresses are first harvested.
• Identifying Spam Sent To Decoy Addresses.
If any messages are received by a unique spam-trap address, the
sender must be a spammer because the address was never used to sign up for
legitimate e-mail lists. The date and time when the Web page containing
the decoy address was read by the harvesting bot helps to identify the
computer used by the spam originator.
• Locating The Origin Of The Harvesters.
Spammers routinely falsify the source of messages they send, but it's more
difficult for them to remain completely anonymous when they're harvesting
e-mail addresses. For one thing, the harvesting bot has to send the collected
addresses back to somewhere. Even if the spammers take advantage of
compromised home PCs, called zombies, there are often signs that point to
the ultimate destination of the data the harvesting bots are sending home.
Suing The Spammers' Pants Off
Having positive identification of the people using the havesters is the
key to suing these individuals and making harvesting too expensive for
spammers, according to Matthew Prince, CEO of Unspam.
The relevant law in the U.S., the CAN-SPAM Act, which went into effect on Jan.
1, 2004, has been widely criticized for legalizing spam until the recipients
ask for it to stop. But Prince points out a little-known fact: the act has
severe penalties against harvesting the e-mail addresses
in the first place.
The law allows fraudulent senders of unsolicited bulk e-mail to be penalized
$25 per individual message. Courts can triple the
amount of this fine if the victims' e-mail addresses were harvested.
Only e-mail service providers and the attorneys general of the 50 states are
authorized to sue spammers under CAN-SPAM. But Prince, who is himself an
attorney and an adjunct professor of law at John Marshall Law School in
Chicago, says of Unspam, "We may qualify as an e-mail service provider." If
that approach is rejected, Prince says Unspam is working with the Internet Law
Group, which has brought successful lawsuits against spammers on behalf of
America Online and other large Internet service providers.
Every Company With A Web Site Can Help
Suing people who use harvesters is a novel application of the CAN-SPAM Act, but
one that flows clearly from the plain wording of the law. Now Project Honey Pot
needs enough decoy addresses so it can clearly connect harvesting activity to
any spam it receives.
That's where companies with Web sites can do a good deed. Project Honey Pot
won't fool harvesting bots for long if all its decoy e-mail addresses end in
"ProjectHoneyPot.org".
For this reason, the project is seeking Webmasters who are willing to donate
one little no-cost resource to the cause.
Donating An MX Record Or Two
This free asset is known as an "MX record," short for mail exchange record.
This is a short text entry defining which servers handle e-mail for a
particular Web domain. The concept is easy to understand:
• Your Primary MX Record.
If you run the Web site www.example.com, your primary MX record
will define how e-mail destined for Example.com is to be routed.
• Subdomain MX Records.
Your company might have different subdomains or "canonical" domains that don't
start with "www." For instance, you might operate the subdomains
marketing.example.com and content.example.com. You could set up
a different MX record to route e-mail separately for each subdomain.
• Making A Honey Pot MX Record.
To donate an MX record to Project Honey Pot, you simply make up some subdomains
that you'll never actually use. The project accepts only five subdomains at
most from each company in order to spread decoy addresses across as many
different sites as possible. So you might donate MX records for
server01.example.com through server05.example.com.
These names don't correspond to any actual machines your company owns. They're
merely shorthand for different MX records that can be pointed wherever you
like. Project Honey Pot points the donated MX records to servers they control.
This way, any harvesters that crawl these pages — and any spam that are
sent to the harvested addresses — never touch your actual servers.
We Have A Few Million MX Records To Go
Prince is the first to admit that his group's project is in its infancy and
hasn't yet received any mass media exposure. "We turned the servers on about
two weeks ago," he says. The effort is so new that a
specifications page lists its version as "0.1."
As a result, the home page of the project at this writing states that little
more than 4,000 decoy addresses have been planted on the Internet, and
only a few dozen harvesters have been identified. (Project Honey Pot shouldn't
be confused with
Honeynet.org, an
unrelated group that's spent years monitoring evil hackers who scan the ports
of vulnerable machines.)
Prince isn't naïve enough to think that his honey pots by themselves will
eradicate spam. But he believes they give antispammers a powerful legal tool.
"What's neat about this arms race is that the adjustments we [the good guys]
need to make are easier than they [the spammers] need to make," Prince
explains. "If they have just one e-mail address that's been harvested from
our network, it makes it easier for us to find them."
That's a fact that legitimate businesses need to seriously ponder. If your
company is sending bulk e-mail to addresses that may have been harvested
by someone in the past, you might be liable for those $25-per-message
penalities. Any company that is advertised in a piece of spam can be sued,
too, Prince notes.
I've given up hope that the U.S. Congress will pass stronger antispam laws
than the existing CAN-SPAM Act. But it just may be possible that the legal
penalties that are already on the books are enough for a gonzo legal team to
make life hell for spammers.
For details on Project Honey Pot and how to donate MX records, see the
organization's FAQ page.