Date: 2008-02-08 23:50:00
spamcop can eat my shorts

As you probably know, I run lnk.nu which is a generic link shortening service. Occasionally, spammers will run their URL through lnk.nu to create a shorter version, and spam that instead. For example:

Subject: Want it to hang?

We know you wish yours was bigger for the ladies, now it has been proven
to work

http://lnk.nu/plqaksjuw.defote.com/imq

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
You may 0pt 0ut anytime

Now, when a certain subset of normal internet users receive spam like this, they forward it on to spamcop.net in the mistaken belief that doing so actually helps. Allow me to elaborate.

Spamcop inspects all aspects of the user's forwarded spam, including all RFC822 headers and the full message body, looks up the IP addresses of all involved servers, uses those IP addresses to look up the party responsible for the address range, and fires off automated messages to all involved abuse@ addresses. Now, they don't send messages to (in my case) abuse@lnk.nu, because if I were really a spammer, I wouldn't care. They send the messages to abuse@(my-hosting-provider).com. If you'll forgive the strained analogy, this is sort of like trying to solve schoolyard bullying by writing little notes to the principal and not even putting your name on them.

Anyway, my hosting provider appears to have an automated system for handling such abuse@ complaints. They log the complaint in their system, and a 24 hour clock starts ticking. If that clock reaches 24 hours without an acceptable response from the customer, network access for the customer's server is cut off (this actually happened to my server earlier this week because they sent the complaints to an email address I closed over two years ago). The customer must respond to each and every spam complaint in order to clear the abuse@ tickets from their system. This week, I have had to individually resolve no less than 14 such tickets.

My resolution action for each of the tickets is to mark the shortened link as "blocked" in the database, which disables the URL forwarding. Then I have to respond to the ticket email, and say what I've done (believe me, I have boilerplate text for this now). I hope they're getting tired of reading my response.

Further investigation into this week's spamvertised links indicates that they are all hosted in China. Lots of Chinese companies offer so-called "bulletproof" hosting that is friendly to spammers and is well outside the reach of antispam laws elsewhere in the world. This is where the spammers host their web sites. My solution to try to prevent this kind of thing from happening in the future is to identify the country in which the destination server is hosted (using the handy countries.nerd.dk), and if it's China, then apply some automatic heuristics that determine whether I'm going to allow the link to be created or not. For the case of this week's spammer, they would not have been able to create the lnk.nu URL and so would have gone somewhere else. You can still create short links for a legitimate site such as China Daily.
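As an added illustration of the country check described above (example code written for this page, not lnk.nu's own code): the script resolves the destination hostname, asks countries.nerd.dk which country the address sits in, and refuses CN-hosted destinations unless they are on an allow-list. It assumes the zz.countries.nerd.dk encoding (an A record 127.0.X.Y where X*256+Y is the ISO 3166-1 numeric country code; 156 is China); the refuse-unless-allow-listed heuristic and the allow-list contents are this example's own, since the post does not spell out its heuristics. The resolver is injected so the code runs offline against constructed DNS answers.

```python
"""
Country gating at link-creation time (added example, not lnk.nu's own code).

countries.nerd.dk answers DNS queries of the form <reversed-ipv4>.zz.countries.nerd.dk
with an A record 127.0.X.Y where X*256 + Y is the ISO 3166-1 numeric country code
(China is 156, the United States 840). The resolver is injected so the example runs
offline against constructed answers; in production pass socket.gethostbyname.
"""
import socket
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit

ZONE = "zz.countries.nerd.dk"
CN = 156  # ISO 3166-1 numeric code for China

# Hypothetical allow-list of known legitimate destinations (constructed for this example).
ALLOWED_HOSTS = {"www.chinadaily.com.cn"}

Resolver = Callable[[str], str]


def reverse_octets(ip: str) -> str:
    """Turn 1.2.3.4 into 4.3.2.1, the usual DNSBL query convention."""
    return ".".join(reversed(ip.split(".")))


def country_code_for_ip(ip: str, resolve: Resolver = socket.gethostbyname) -> Optional[int]:
    """Return the ISO 3166-1 numeric code for ip, or None if unlisted or the lookup fails."""
    try:
        answer = resolve(f"{reverse_octets(ip)}.{ZONE}")
    except OSError:  # socket.gaierror (NXDOMAIN, timeout) is a subclass of OSError
        return None
    octets = answer.split(".")
    if len(octets) != 4 or octets[0] != "127" or octets[1] != "0":
        return None  # not the 127.0.X.Y encoding we expect
    return int(octets[2]) * 256 + int(octets[3])


def allow_short_link(url: str, resolve: Resolver = socket.gethostbyname) -> Tuple[bool, str]:
    """Decide whether a short link may be created for url; returns (allowed, reason).

    The heuristic (refuse CN-hosted destinations unless allow-listed) is this
    example's own; the post only says that some heuristics are applied.
    """
    host = urlsplit(url).hostname
    if not host:
        return False, "no hostname in URL"
    if host in ALLOWED_HOSTS:
        return True, "destination is allow-listed"
    try:
        ip = resolve(host)
    except OSError:
        return False, "destination does not resolve"
    code = country_code_for_ip(ip, resolve)
    if code == CN:
        return False, "destination hosted in CN and not allow-listed"
    return True, f"destination country code {code}"


# Constructed DNS answers so the example runs offline; these are not real lookups.
FAKE_DNS = {
    "plqaksjuw.defote.com": "192.0.2.10",  # TEST-NET-1 address, pretend it is in CN
    "www.chinadaily.com.cn": "192.0.2.20",
    "example.org": "192.0.2.30",  # pretend it is in the US
    "10.2.0.192.zz.countries.nerd.dk": "127.0.0.156",  # 156 = CN
    "20.2.0.192.zz.countries.nerd.dk": "127.0.0.156",
    "30.2.0.192.zz.countries.nerd.dk": "127.0.3.72",  # 3*256 + 72 = 840 = US
}


def fake_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname backed by FAKE_DNS."""
    if name not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return FAKE_DNS[name]


if __name__ == "__main__":
    for u in ("http://plqaksjuw.defote.com/imq", "http://www.chinadaily.com.cn/", "http://example.org/"):
        print(u, allow_short_link(u, fake_resolve))
```

Lookup failures are treated conservatively in the country check (None rather than a guess), but the decision function only refuses on a positive CN match, so a DNSBL outage does not block every link; tighten that to fail closed if the service's abuse load justifies it.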

Spamcop is the master at causing collateral damage. I don't believe it actually helps, because it just keeps doggedly reporting the same thing over and over to the same people (every time some random user on the internet forwards a spam message to Spamcop). The people on the receiving end of the abuse@ mails either get tired of this pretty quickly and set up some filters, or simply pass on the annoyance to their customers.

[info]goulo
2008-02-08T11:17:03Z
Annoying indeed. 2 questions leap to mind:

Do you have ideas of technically better ways to implement the spirit of what SpamCop tries to do, or do you think it's a fundamentally flawed idea to try automatically creating blacklists and abuse reports based on user reports of spam?

Have you contacted SpamCop to point out the nature of lnk.nu links to see if they have some way of recognizing and handling such redirected links (i.e. they should look at the linked-to site instead of blaming lnk.nu itself)?
[info]ghewgill
2008-02-09T06:06:07Z
I can't think of any improved way to try to identify spam sources automatically. I subscribe to the theory that there are actually just a few spammers that are the source of most of the spam we see. These spammers have become very good at hiding their identity, and leave little or no trace of the real source in the messages they send. Spamcop's approach of identifying servers related to the spam reminds me (to continue with the strained analogies) of the little Dutch boy with his finger in the dike. They might be able to alert Aunt Millie's ISP that her computer is part of a botnet and is sending out spam messages, but her computer is of only marginal value to the spammer who won't even notice that hole has been plugged. I think a better approach is the one taken by http://www.spamhaus.org who try to track the actual people behind the spam. They do actual research to try to uncover the spam sources.

I haven't contacted Spamcop, but I suppose it's worth a try. Who knows, maybe they will be sympathetic and add an exception for link shortening services. If anything comes of this, I'll post about it further.
[info]goulo
2008-02-09T06:25:55Z
"I subscribe to the theory that there are actually just a few spammers that are the source of most of the spam we see."

Seriously? E.g. just 5 people in the world are individually responsible for most of the avalanche of inane spam we all get every day? I have no idea if that is true, but if so, I must say it's an impressive "achievement" in its own twisted despicable idiotic way. I wonder if they are proud of what they have "accomplished".
[info]ghewgill
2008-02-09T07:48:03Z
I should have qualified the terminology - it's an internet-scale "few". Spamhaus estimates that "200 Known Spam Operations responsible for 80% of your spam." Still, on the scale of the internet, even 500-600 individuals isn't very many at all. It's an impressive achievement indeed.
[info]cetan
2008-02-08T11:59:04Z
What if you blocked all of China from link creation for a period of time? If the spammers think the site is unavailable perhaps they'll move on?
[info]ghewgill
2008-02-09T06:07:15Z
The links in question were actually created by computers at various ISPs in North America. These computers are almost certainly part of a botnet under the spammer's control.
[info]cetan
2008-02-09T13:47:07Z
Well that rather complicates matters!

[info]radmoose
2008-03-22T06:43:16Z
Greg, I didn't know your service existed until I saw Scoble's comment about the SXSW torrents. I talked to you a long time ago in Bakersfield, CA =P

Would it be possible to put a "peek" type functionality to see the whole URL displayed on your site, instead of just relying on the inclusion of domain/ext into the shortened URL?

Just wondering.
[info]ghewgill
2008-03-27T05:22:18Z
lnk.nu just returns a normal HTTP redirect when queried for a short link, so it'd be easy to write a little script that returned the full link. I'll leave the implementation as an exercise for the reader. :)
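The "peek" script left as an exercise above, written out as an added example (not code from the post or from lnk.nu): it sends a HEAD request and deliberately does not follow redirects, so the destination appears in the Location header without the recipient ever loading the spamvertised page. It resolves relative Location values and caps the number of hops so a redirect loop is reported rather than followed forever. The fetch function is injected so the example runs offline against constructed responses; the User-Agent string and the response table are this example's own.

```python
"""
Peeking at a short link without visiting its destination (added example, not lnk.nu's code).

A short link is an HTTP redirect, so a HEAD request that does not follow redirects
exposes the destination in the Location header. The fetch function is injected so
the example runs offline against constructed responses; in production use fetch_head.
"""
import http.client
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
Fetcher = Callable[[str], Tuple[int, Dict[str, str]]]


def fetch_head(url: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """Issue one HEAD request and return (status, lower-cased headers); never follows redirects."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "lnk-peek/0.1"})  # hypothetical UA
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def peek(short_url: str, fetch: Fetcher = fetch_head, max_hops: int = 5) -> Tuple[List[str], bool]:
    """Follow Location headers by hand and return (chain, finished).

    chain[0] is the short link and chain[-1] the last URL reached; finished is False
    when max_hops redirects were seen without reaching a non-redirect response,
    which is how a redirect loop shows up.
    """
    chain = [short_url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES or "location" not in headers:
            return chain, True
        # Location may be relative; resolve it against the URL that sent it.
        chain.append(urljoin(chain[-1], headers["location"]))
    return chain, False


# Constructed responses so the example runs offline; not captured from lnk.nu.
FAKE_RESPONSES = {
    "http://lnk.nu/plqaksjuw.defote.com/imq": (302, {"location": "http://plqaksjuw.defote.com/imq"}),
    "http://plqaksjuw.defote.com/imq": (200, {"content-type": "text/html"}),
    "http://lnk.nu/rel": (301, {"location": "/final"}),  # relative Location
    "http://lnk.nu/final": (200, {}),
    "http://lnk.nu/loop": (302, {"location": "/loop"}),  # redirects to itself
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Stand-in for fetch_head backed by FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    chain, finished = peek("http://lnk.nu/plqaksjuw.defote.com/imq", fake_fetch)
    print(" -> ".join(chain), "(complete)" if finished else "(gave up: redirect loop?)")
```

Because only HEAD requests are sent and nothing past the final hop is fetched, the chain can be shown to a user before they decide whether to click, which is the "peek" behaviour the comment asks for.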
(anonymous) : Hello
2008-08-18T00:56:53Z
I'm new here, just wanted to say hello and introduce myself.
[info]ghewgill : Re: Hello
2008-08-18T09:42:22Z
Hello. You really didn't do much in the way of actually introducing yourself.
Greg Hewgill <greg@hewgill.com>