Fighting Spam by Breaking the Econonmy of Advertisment by Unsolicited Emails

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Unsolicited email (spam) is still a problem for users of the email service. Even though current anti-spam solutions filter most spam emails, some spam emails are still delivered to users' inboxes. A special class of spam emails advertises websites, e.g., online dating sites or online pharmacies. The success rate of this kind of advertisement is rather low; however, as sending an email involves only minimal costs, even a very low success rate results in enough revenue that this kind of advertisement pays off. The anti-spam approach presented in this paper aims at increasing the costs for websites that are advertised by spam emails and at lowering the revenues from spam. Costs can be increased for a website by increasing traffic. Revenues can be decreased by making the website slow to respond, so that some business gets lost. To increase costs and decrease revenues, a decentralized peer-to-peer coordination mechanism is used to have mail clients agree on a start date and time for an anti-spam campaign. During a campaign, all clients that received spam emails advertising a website send an opt-out request to this website. A huge number of opt-out requests results in increased traffic to this website and will likely result in slower responsiveness of the website. The coordination mechanism presented in this paper is based on a peer-to-peer mechanism and a so-called paranoid trust model to avoid manipulation by spammers. An implementation for the Thunderbird email client exists. The anti-spam approach presented in this paper breaks the economy of spam, and hence makes advertisement by unsolicited emails unattractive.


💡 Research Summary

The paper proposes a novel anti‑spam mechanism that attacks the economic model of spam‑based advertising by generating costly traffic to the advertised websites. Recognizing that a large fraction of spam (over 86 % according to cited studies) consists of advertisements for dating sites, online pharmacies, and similar services, the authors argue that the low marginal cost of sending email makes even a tiny conversion rate profitable for spammers. To undermine this profitability, the system increases the operational cost of the target site and reduces its revenue by flooding it with coordinated “opt‑out” requests, thereby raising bandwidth costs and potentially slowing the site enough to lose customers.

The core of the solution is a decentralized coordination layer built on an existing Distributed Hash Table (DHT) such as Kademlia or Chord. Clients that receive a spam message extract the advertised URL via a “Target Evaluator” (which strips redirection services, URL parameters, and filters whitelisted domains). Each client then participates in a “campaign” for that URL. Campaigns are defined by a target URL and a start date‑time; all participants (called comrades) agree on the start time through the DHT. Three tables are stored in the DHT: a Campaign Table (listing URLs and possible start times), a Campaign Comrades Table (listing which clients will act at each start time), and an Inbox Table (encrypted messages addressed to a client’s public key). The use of public‑key encryption and a “paranoid trust model” prevents malicious actors from injecting false campaigns or manipulating campaign data.
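The Target Evaluator step described above, sketched as an added example (not code from the paper or its Thunderbird plugin): it unwraps a redirector, drops URL parameters, and refuses allowlisted domains so that a legitimate site named in a message never becomes a campaign key. The redirector host, parameter names, allowlist entries and sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed assumptions for this example, not values from the paper:
REDIRECTORS = {"redir.example"}           # hosts that wrap the real link in a parameter
REDIRECT_PARAMS = ("url", "u", "target")  # parameters that may carry the wrapped link
ALLOWLIST = {"example.org"}               # domains that must never become a target

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def _host(parts):
    host = (parts.hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def canonical_target(url, max_unwrap=3):
    """Return a canonical 'host/path' key, or None if the URL must be ignored."""
    for _ in range(max_unwrap + 1):
        parts = urlsplit(url)
        host = _host(parts)
        if parts.scheme.lower() not in ("http", "https") or not host:
            return None
        if host in REDIRECTORS:
            qs = parse_qs(parts.query)  # also percent-decodes the wrapped link
            url = next((qs[p][0] for p in REDIRECT_PARAMS if p in qs), None)
            if url is None:
                return None             # redirector without a recoverable target
            continue
        if any(host == d or host.endswith("." + d) for d in ALLOWLIST):
            return None                 # allowlisted: never reported
        # Query string and fragment are dropped so tracking ids do not split keys.
        return host + (parts.path.rstrip("/") or "/")
    return None                         # redirectors nested deeper than the limit

def evaluate(body):
    """Extract the distinct canonical targets advertised in a message body."""
    targets = []
    for raw in URL_RE.findall(body):
        key = canonical_target(raw.rstrip(".,);"))
        if key and key not in targets:
            targets.append(key)
    return targets

# Constructed sample message body.
SAMPLE_BODY = (
    "Cheap meds: http://redir.example/go?url=http%3A%2F%2Fwww.pills.example"
    "%2Fshop%2F%3Faff%3D123%26uid%3Dabc or HTTP://Pills.Example/shop?uid=zzz. "
    "Unsubscribe: https://news.example.org/unsubscribe?id=5"
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_BODY))
```

Both links to the advertised shop collapse to one key, and the allowlisted unsubscribe link is discarded.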

When the agreed start time arrives, the Opt‑Out Module on each client automatically sends HTTP GET requests that embed opt‑out parameters into image URLs or other resources on the target site. This generates a burst of traffic that is difficult to block with captchas or rate‑limiting because the requests appear as legitimate resource fetches. The authors note that this approach may effectively constitute a Distributed Denial‑of‑Service (DDoS) attack, and they acknowledge the legal ambiguity surrounding unsolicited traffic generation; they argue that in jurisdictions where similar opt‑out services are legal, their method would be permissible.

The paper situates its contribution among related work: Hashcash and other proof‑of‑work schemes increase the cost of sending email but are ineffective against botnet‑based spam; centralized opt‑out services like Blue Frog and Lycos demonstrated the power of coordinated traffic but suffered from single points of failure and required users to forward spam messages, leading to collateral blacklisting. By contrast, the proposed system leverages a large, existing peer‑to‑peer network (e.g., eMule) to achieve resilience against Sybil and DDoS attacks on the coordination layer.

A prototype implementation for the Thunderbird email client is described. Users classify messages as spam, confirm the target URL, and the plugin registers the campaign in the DHT. Experiments with dozens of participants show measurable increases in response latency and bandwidth consumption on the target sites. The evaluation also examines attack scenarios such as false‑positive campaigns, message forgery, and DHT partitioning, concluding that the paranoid trust model and encrypted inbox mitigate most threats.

In conclusion, the authors claim that by inflating the cost and degrading the performance of spam‑advertised websites, their decentralized opt‑out campaign framework can render spam advertising economically unattractive. They suggest future work on more sophisticated URL validation, legal‑policy analysis, and large‑scale field trials to assess real‑world impact.

