This is a response to good article that I read on the use of abuse to fight abuse and the issues that surround such activity. There is a link at the end to oringal article by David Cory Hart.

Much of the spam that we receive is sent in direct violation of various federal and local laws. Many purveyors of spam are, simply stated, criminals.

The only issue I have with the above statement is that not all countries regard sending SPAM as a contravention of their laws. Having a global policy of making it illegal would be almost impossible to enforce. What I do agree with David is that it should be illegal everywhere and those responsible treated as criminals where ever..

A significant percentage of spam is transmitted over resources that do not belong to the sender. I have seen spammers openly claim that exploitable computers and proxies are "fair game." Nevertheless, I call it theft of services. It’s no different than an illegal cable TV hookup or suggesting that it’s acceptable to steal a car if someone leaves the keys in the ignition.

In no way can the use of someone’s resources without their knowledge be considered ‘fair game’ and that is just those responsible coming up with a lame excuse for their actions.

Medicine is one of the hottest spam trends. All on-line pharmaceutical sales to residents of the USA constitute the criminal sale of prescription drugs or controlled substances. There is little difference, under US law, between selling Viagra on the Internet and selling cocaine on the corner. Furthermore, a certain percentage of the prescription drugs sold on the Internet are inert, past-date or untested substitutions that could put the buyer’s health at risk.

Unfortunately, the business model for SPAM is quite an attractive one despite the legality of the process and the contempt it creates in those that despise it. Whether drugs or shares, despite the risks involved in sending out a million SPAM’s it remains cost effective. Imagine sending out 1,000,000 emails and getting a 1% interest. That is still 10,000 people, and if a portion of those actually fall for their offer, they’ve made their money back. Whilst there are people who respond to SPAM’s there will always be SPAM. As well as making it illegal, there needs to be better education of the pitfalls of responding to SPAM.

Some spammers are providing, or complicit in providing, criminal pornographic content that exploits children.

The above sort of SPAM although present, is limited and vary rarely seen. Whereas SPAM isn’t illegal in all countries, the abuse of children and underage pornography is illegal in most if not all countries.

However, if you linger in spammer forums, they generally regard themselves as unfairly maligned and misunderstood. They are just hard working folks who are trying to make an honest living through on-line marketing. They may consider themselves to be iconoclastic outlaws but not criminals. They regard anti-spammers has ham-fisted vigilantes. They actually embrace the notion that most people want spam.

Spammers will do anything to justify their existence, but at the end of the day they are only there to make money out of other peoples misery. If there were such a thing as ‘legal SPAM’, in that people could sign up for the totally useless drivel they send out, it would be a sound business idea if they had the numbers of recipients available. But there is no escaping the fact that what they do causes more grief than good in fraud, waste of resources and other such hassle. The SPAMMERS will claim that there is a market for their services, which there is. So perhaps it is time to place more blame on those requesting the services of the SPAMMER. Most often, the SPAMMER is being paid to send out mail on behalf of a client. It’s not often that a large well known company is behind it, but it does happen. We already go after the sites referenced in SPAM perhaps it is time to go after the individuals who stand to gain the most from the SPAM campaign.

Now, along comes something like Blue Security which attacks spammers by creating a distributed denial of service (DoS). Then their CEO announces "agreements" with spam organizations. Blue provides the Do Not Intrude Registry and the spammer washes their lists. I don’t negotiate with criminals and neither should Blue Security. Moreover, it is a reasonable certainty that list washing doesn’t reduce spam; It just redirects some of it. It has no effect on the demand side of the equation.

It should also be noted that it is almost impossible to precisely target a DDoS. This will almost certainly create collateral damage such as a reduction in connectivity for many others which punishes non-spammers.

More importantly, fighting abuse with abuse is unethical, hypocritical and, possibly, illegal. In doing so, we surrender the moral high ground. Ultimately, by participating in these activities, the participant must adopt the idea and concede that the end justifies the means. In a civilized and moral society, we do not engage in bad behavior to stop the bad behavior of others. Societies have learned that doing so blurs the line delineating what is, and what is not, acceptable. We teach our children, in simplest terms, that "two wrongs don’t make a right." There is no "except when someone sends us spam" in that phrase.

Fighting fire with fire is not the right way to go about it IMHO. As David states, there will be collator al damage from those caught up in the crossfire. Why lower ourselves down to the level of the criminal element behind it. That leaves us with the questions of "What can we do to combat the spread and threat of SPAM?"

1. Better email systems – A total redesign of the internet mail transport system that allows better safeguards against abuse. Mainly to prevent the illegal use of unsuspecting users machines without their knowledge. It will never be able to stop someone setting up a system and sending out emails, but it will be a damn site easier to track and shut these down rather than a botnet consisting of 100’s or 1000’s of users PC’s.

2. Better education of the end user – It is about time that ISP’s took responsibility for their end users. Most if not all have TOS that prevent the misuse of their networks in using it for SPAM, but when a user allows his machine to be vulnerable for malicious use, they rarely take action. If someone stole my car from outside my house and it was used in a fatal accident I wouldn’t normally be held responsible. (I might feel bad as the owner of the car, but no one could really apportion blame to me). Yet, if I were to leave the keys in the car every night because I was not concerned about security, would people still think of me as being blameless. Am I not inciting potential theft of the vehicle. I haven’t committed the crime myself and the driver is ultimately responsible for the resulting accident, but you could argue I was complicit in him taking the vehicle.

3. Global condemnation of SPAMing making it illegal across the globe – There are server farms in some countries that do nothing but send out SPAM. They are becoming less prevalent now that so many machines are within botnets. It is easy to blacklist a block of IP space, but it is damn near impossible to block machines within a BOTNET. Already my mail system spends more time processing blacklists, white lists, virus scanning etc etc, than it does downloading the mail in the first place.

Ok, I am going to stop at just the three mainly because although they make valid points, there is a flaw with all three of them. None of them are easy to achieve.
There are new methods to bolt on to the current mail systems (such as SPF) but these are just that, an add on to an already flawed system. To reinvent the wheel right now and introduce a better mail system is a complex process that would be impossible to implement. And there is no guarantee that such a new system would not be without its own abuse.
What ISP in its right mind is going to start imposing fines or loss of service on its customers or in fact blame all but the most serious intentional abusers. It would be business suicide.

But to answer David’s original question the answer is a resounding "No" from me. We cannot lower ourselves to the level of criminals. There will be innocent victims of their so call legitimate DOS attacks. And who is to say that later on, a ‘legal’ spammer won’t be paying a fee so as not to be included in such attacks. There cannot be one rule for them and one rule for us.

You can read David’s full article here.