Spam is profitable. With sufficient advertising by email, there will be some people who respond and generate revenue. Kanich et al. measure the conversion rate for two spam campaigns, and show that while profitable, the conversion rate is so low that spammers likely need to be vertically-integrated to be profitable. Push the conversion rate lower still, and spam may become unprofitable.
Modern operations make extensive use of DNS and botnet indirection, to avoid detection and increase bandwidth. Sending spam and hosting websites requires maintaining a population of compromised bots (usually Windows machines for sending, Linux machines for hosting). As machines get cleaned, there needs to be a fresh supply of compromised hosts to maintain the botnet population. For Windows bots, this is through distributing malware, while Linux bots seem to be by finding weak root passwords.
The number of active bots can be reduced by reducing the time-to-fix once a machine is taken over. The time-to-detection can be reduced by maintaining a blacklist of compromised hosts, and having end users query themselves automatically. Maintainers of IP address blocks should also be persuaded to monitor the list and contact their customers or create automatic port blocks in response (e.g. port 25).
Getting a substantial proportion of the user population to regularly query such a list is a huge social engineering task. It may have some chance of being successful if the list were heavily promoted, and came with a suite of tools that even the computer-illiterate can install and use.
Thus, build the following:
- A real-time blacklist of compromised machines generated from observing spam. Other techniques are possible.
- An extension to draft-irtf-asrg-dnsbl-08 so that address prefixes and traversals of subtrees of the list can be done efficiently. This includes a DNS server and client library so others may make similar lists.
- A suite of client tools for easy querying of the list, including browser plugins and daemons for Windows and Linux, and a more advanced tool for querying entire subnets for the ISPs.
