Fwd: Re: [SURBL-Discuss] In support of Project Honeypot

Jeff Chan jeffc at surbl.org
Thu Oct 28 06:01:06 CEST 2004


Here's a response to Chris Albert's concerns about Project
Honeypot from Matthew Prince, the head of Project Honeypot and
unspam.com.  He also gives his direct phone number as: 312.543.3046.
Matthew's reply address is:  phpot-surbl at matthew.unspam.com or
you may be able to reply all since I included this on the To:
list.

I invited him to join our lists, but expect he may already get
plenty of mail.

Jeff C.
__

It's a strange thing to have to prove that you're one of the good guys. 
I've certainly been skeptical of a lot of supposed anti-spam websites 
that turned out to be nothing more than advertising schemes (for 
example, I was in part responsible for the FTC's investigation a few 
months ago of the subsequently shut down EthicalEmail.com site -- you 
may have heard the ads they were running on the radio about a "private 
national do not email registry"). It's good to ask questions, and I 
understand how things could look skeptical.... especially those Google 
ads.

We've had a running debate all day ourselves about whether we should 
pull down the Google ads. As you know, we have no control over what ads 
appear on that site. I have no idea why Google has decided to put up 
ads for mailers on some of our pages. When we've used Google to serve 
ads to the News Ticker on our Unspam site they've typically been spam 
filter companies. Our goal, since our means are modest, has been to 
simply cover the costs of our bandwidth and servers.

I was really, really surprised myself when the ads that appeared were 
for marketers. I tried initially to use the AdSense interface in order 
to block them. If you haven't used it, the way AdSense works is you 
have to list advertisers one at a time by their URL. There is no way to 
block an entire category. Unfortunately, enough bulk mailers are using 
Google's ads that they just kept appearing. I was about to pull the ads 
from the pages entirely when one of our developers -- who's a lot 
smarter than I am -- sent me an email saying:

"You know, this is sort of a sweet justice. The bulk mailers are paying 
to have their ads listed on our site. It's certainly an efficient way 
to transfer the wealth from the spam community to the anti-spam 
community. Talk about hitting spammers in their pockets!"

That's clever, I thought. While I'm not ready to say that everyone 
advertising there is a "spammer" (I don't want to get sued, or get the 
Google lawyers coming after me for violating the terms of service 
somehow) the reasoning above resonated and I (so far) decided to leave 
the ads up. To that end any page where an ad appears we've now added a 
disclaimer to the bottom. And there's a paragraph in the FAQ about the 
ads that appear. You can check it out here:

http://www.projecthoneypot.org/faq.php#e

I'm having second thoughts seeing that there's skepticism in the 
anti-spam community. I'd love your feedback. If people are adamant we 
should pull down the ads then I definitely will. Otherwise, again, 
seems like sweet justice.

As far as our "consulting," the people who started Unspam, myself 
included, are attorneys by trade. We are occasionally -- although 
rarely -- asked to speak at conferences to talk about the legal risk to 
companies and individuals that send unsolicited commercial email. That 
is the extent of our "consulting" practice. I, for example, spoke at 
Anne Mitchell's ISIPP conference in July and the majority of audience 
members were bulk mailers. I believe you can actually listen to a copy 
of my speech from the ISIPP website (http://www.isipp.org/). I was 
invited by the ITU, a branch of the UN, to speak about why anti-spam 
laws have failed in Geneva, Switzerland a few months ago. There are 
several other similar speeches online. For example, you can see a whole 
video at:

http://otel3.uis.edu/impatica/kmill2/Summit.htm

Click Lunch Speaker. Or, maybe most appropriately, I think there's 
video floating around from last year's MIT SpamConference where I was a 
speaker again and talked about the initial ideas that formed the basis 
for Project Honey Pot.... how, currently, spammers were most vulnerable 
at the beginning of the "spam cycle," the point at which they are 
gathering email addresses, but no one was focusing on that. I'm also 
told that the video from CEAS where I spoke about what we're trying to 
do with the Project will be available soon through the CEAS website 
(http://www.ceas.cc/). Watching my talks, you may or may not agree with 
everything I had to say, but I think it's pretty clear we're not 
spammers or in any way in support of spammers (or bulk mailers, or list 
brokers).

A couple of things I think you already know, but maybe it'd be good for 
the SURBL list to hear. First, we have never taken money from or been 
hired to consult with any spammer, harvester, bulk mailer, list broker, 
or ISP. (If our business were primarily consulting, we'd be fairly 
pathetic failures.) We started Project Honey Pot in order to help 
governments and individuals investigate, understand, and prosecute the 
spammers. We saw a problem -- that no one was tracking the entire spam 
cycle -- and are in the process of trying to solve it. One of the 
things we realized we could do once we had that infrastructure in place 
was assist other people in the anti-spam fight. We've already pledged 
to make the corpus of spam we receive available to anti-spam authors. 
And, as I've told you, we will turn over the complete list of URLs from 
the messages that we receive to the SURBL and potentially other open 
source RBLs.

The point that has been made on the list that spammers will adjust and 
I'm sure that is true. While today I think the number of IP addresses 
used for spamming is small, over time more harvesters will use proxies 
and other tools to obscure their identities. In our initial tests we 
observed at least a few that appeared to already be doing that. That's 
not a reason to not do this now, at worst it's just an indictment that 
we're wasting our time. I don't agree with that and think the Project 
will prove useful even as spammers adjust to it. But it should be said 
that I have never believed that we would make much, if any, dent in the 
overall volume of spam. All I think is that we have a chance to gather 
a lot more data on the behavior of spammers, to answer some key 
questions, and hopefully set the stage for someone a lot more clever 
than me to come up with the idea that will be the final nail in spam's 
coffin.

I just got a call from Eric Langheinrich, one of the people developers 
behind the software that makes Project Honey Pot possible, about a bug 
we're trying to track down and fix in the registration process. I told 
him people were saying we looked "too corporate." He started laughing 
and didn't stop until he finally said, "Wow, if they only knew! That's 
what you get for making a pretty website and including all that legal 
mumbo jumbo." Maybe that's our sin, but does seem like strange 
reasoning to say that we must be on the side of the spammers because 
our site is pretty....

So, with all that, I encourage anyone who wants to sign up to do so; 
we'd love to have as many website participating as possible. You can do 
so at:

http://www.projecthoneypot.org/

It's hard for us to prove that we're going to do what we promise 
because we've only been open for 3 days and, to be honest, have only 
received one spam message so far. (They're start flooding in soon. Our 
initial tests show that on average there's about 1 week between 
harvesting and the first messages to arrive.) If you're skeptical of 
our intent then I just ask that you give us a chance and wait and see 
how we behave.

Thanks to everyone who's donated MX entries and installed honey pots. 
In three days with no publicity other than than emails sent out to 
friends of ours about the launch we're up to about 50 installed honey 
pots and over 100 donated MXs. That's more successful than we could 
have ever hoped. If anyone has a question, you're welcome to email or 
call me directly and I'd be happy to do what I can to answer it.

Keep fighting the good fight!

Matthew Prince
CEO, Unspam, LLC
Adjunct Professor of Law
John Marshall Law School
312.543.3046 (direct)
phpot-surbl at matthew.unspam.com



More information about the Discuss mailing list