Harvest Time For Spammers
By Brian Livingston
November 30, 2004
Ah, it's harvest time and the crops are in — but we can still hear the buzzing and whirring of the harvester robots that are sucking e-mail addresses off Web sites across the Internet.
Most Net users aren't aware that spammers use software programs called harvesters to gather the hundreds of millions of e-mail addresses they spam. These automated programs, known as bots, scour Web page after Web page at high speed, looking for anything containing an "at" sign (@) that might be an e-mail address.
Now a group of white hats is riding across the prairie to take a bite out of spam. They reckon they can make harvesters too risky for spammers to use. Allow me to explain.
Poisoning The Harvesters
The effort is called Project Honey Pot, a service of Unspam LLC, an anti-spam firm that consults with private companies and governmental agencies. The project is designed to identify — and then take legal action against — people who are using harvesting bots:
• Here, Kitty, Kitty. The heart of Project Honey Pot is a campaign to place "spam trap" e-mail addresses on thousands of sites across the Internet. These special decoy addresses, which are unique from page to page, have been used for years by anti-spam services to collect spam and tag the senders as spammers. But Project Honey Pot plans to attack the spam industry before spam messages are actually sent out — when the victims' addresses are first harvested.
• Identifying Spam Sent To Decoy Addresses. If any messages are received by a unique spam-trap address, the sender must be a spammer because the address was never used to sign up for legitimate e-mail lists. The date and time when the Web page containing the decoy address was read by the harvesting bot helps to identify the computer used by the spam originator.
• Locating The Origin Of The Harvesters. Spammers routinely falsify the source of messages they send, but it's more difficult for them to remain completely anonymous when they're harvesting e-mail addresses. For one thing, the harvesting bot has to send the collected addresses back to somewhere. Even if the spammers take advantage of compromised home PCs, called zombies, there are often signs that point to the ultimate destination of the data the harvesting bots are sending home.
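The correlation these three points describe can be sketched in a few lines. This is an added example, not Project Honey Pot's code: the `HoneyPot` class, its method names, the secret and the sample IP addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

SECRET = b"constructed-demo-key"  # assumption: a per-site secret
# Donated subdomains, following the article's server01..server05 example.
DECOY_DOMAINS = ["server01.example.com", "server02.example.com"]

class HoneyPot:
    def __init__(self):
        self.issued = {}  # decoy address -> details of the page view that exposed it

    def issue_address(self, visitor_ip, user_agent, served_at):
        """Mint a decoy address unique to this page view and log who received it."""
        msg = f"{visitor_ip}|{served_at.isoformat()}".encode()
        tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]
        domain = DECOY_DOMAINS[int(tag, 16) % len(DECOY_DOMAINS)]
        address = f"{tag}@{domain}"
        self.issued[address] = {"ip": visitor_ip, "agent": user_agent, "at": served_at}
        return address

    def attribute(self, rcpt_to, received_at, sending_ip):
        """Tie mail received at a decoy back to the visit that harvested it."""
        view = self.issued.get(rcpt_to.lower())
        if view is None:
            return None  # not a decoy we issued; no conclusion can be drawn
        return {
            "harvester_ip": view["ip"],
            "harvester_agent": view["agent"],
            "harvested_at": view["at"],
            "sender_ip": sending_ip,  # often a zombie, distinct from the harvester
            "lag_days": (received_at - view["at"]).days,
        }

if __name__ == "__main__":
    pot = HoneyPot()
    # Constructed sample: one page view by a bot, then spam two weeks later.
    seen = datetime(2004, 11, 1, 12, 0, tzinfo=timezone.utc)
    decoy = pot.issue_address("192.0.2.10", "ExampleBot/1.0", seen)
    spam_at = datetime(2004, 11, 15, 12, 0, tzinfo=timezone.utc)
    print(pot.attribute(decoy, spam_at, "203.0.113.5"))
```

Because each address is handed out exactly once, a single message to it is enough to link the sending machine to the earlier harvesting visit, even when the two IP addresses differ.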
Suing The Spammers' Pants Off
Having positive identification of the people using the harvesters is the key to suing these individuals and making harvesting too expensive for spammers, according to Matthew Prince, CEO of Unspam.
The relevant law in the U.S., the CAN-SPAM Act, which went into effect on Jan. 1, 2004, has been widely criticized for legalizing spam until the recipients ask for it to stop. But Prince points out a little-known fact: the act has severe penalties against harvesting the e-mail addresses in the first place.
The law allows fraudulent senders of unsolicited bulk e-mail to be penalized $25 per individual message. Courts can triple the amount of this fine if the victims' e-mail addresses were harvested.
Only e-mail service providers and the attorneys general of the 50 states are authorized to sue spammers under CAN-SPAM. But Prince, who is himself an attorney and an adjunct professor of law at John Marshall Law School in Chicago, says of Unspam, "We may qualify as an e-mail service provider." If that approach is rejected, Prince says Unspam is working with the Internet Law Group, which has brought successful lawsuits against spammers on behalf of America Online and other large Internet service providers.
Every Company With A Web Site Can Help
Suing people who use harvesters is a novel application of the CAN-SPAM Act, but one that flows clearly from the plain wording of the law. Now Project Honey Pot needs enough decoy addresses so it can clearly connect harvesting activity to any spam it receives.
That's where companies with Web sites can do a good deed. Project Honey Pot won't fool harvesting bots for long if all its decoy e-mail addresses end in "ProjectHoneyPot.org".
For this reason, the project is seeking Webmasters who are willing to donate one little no-cost resource to the cause.
Donating An MX Record Or Two
This free asset is known as an "MX record," short for mail exchange record. This is a short text entry defining which servers handle e-mail for a particular Web domain. The concept is easy to understand:
• Your Primary MX Record. If you run the Web site www.example.com, your primary MX record will define how e-mail destined for Example.com is to be routed.
• Subdomain MX Records. Your company might have different subdomains or "canonical" domains that don't start with "www." For instance, you might operate the subdomains marketing.example.com and content.example.com. You could set up a different MX record to route e-mail separately for each subdomain.
• Making A Honey Pot MX Record. To donate an MX record to Project Honey Pot, you simply make up some subdomains that you'll never actually use. The project accepts only five subdomains at most from each company in order to spread decoy addresses across as many different sites as possible. So you might donate MX records for server01.example.com through server05.example.com.
These names don't correspond to any actual machines your company owns. They're merely shorthand for different MX records that can be pointed wherever you like. Project Honey Pot points the donated MX records to servers they control. This way, any harvesters that crawl these pages — and any spam that is sent to the harvested addresses — never touch your actual servers.
We Have A Few Million MX Records To Go
Prince is the first to admit that his group's project is in its infancy and hasn't yet received any mass media exposure. "We turned the servers on about two weeks ago," he says. The effort is so new that a specifications page lists its version as "0.1."
As a result, the home page of the project at this writing states that little more than 4,000 decoy addresses have been planted on the Internet, and only a few dozen harvesters have been identified. (Project Honey Pot shouldn't be confused with Honeynet.org, an unrelated group that's spent years monitoring evil hackers who scan the ports of vulnerable machines.)
Prince isn't naïve enough to think that his honey pots by themselves will eradicate spam. But he believes they give antispammers a powerful legal tool.
"What's neat about this arms race is that the adjustments we [the good guys] need to make are easier than they [the spammers] need to make," Prince explains. "If they have just one e-mail address that's been harvested from our network, it makes it easier for us to find them."
That's a fact that legitimate businesses need to seriously ponder. If your company is sending bulk e-mail to addresses that may have been harvested by someone in the past, you might be liable for those $25-per-message penalties. Any company that is advertised in a piece of spam can be sued, too, Prince notes.
I've given up hope that the U.S. Congress will pass stronger antispam laws than the existing CAN-SPAM Act. But it just may be possible that the legal penalties that are already on the books are enough for a gonzo legal team to make life hell for spammers.
For details on Project Honey Pot and how to donate MX records, see the organization's FAQ page.