a bikeshed color problem
Recently, I made a very informal proposal for Drupal developers to cooperate to fight spam at the source of the problem. Unfortunately, there has been no reply to my email.
Regularly, the developers' mailing list, just like many other discussion groups, would go into lengthy debates about fairly inconsequential topics. Around that time, a new default theme for Drupal was being heavily discussed, as well as a new convention to name different Drupal releases.
At one point, a developer wrote:
This whole argument is starting to sound like painting a bike shed
He gave a link to the Wikipedia entry "Color of the bikeshed" which explains this very interesting expression (check the links in the Wikipedia article).
Basically, people tend to argue endlessly about details, and petty problems, but nobody seems to have any opinion about much more consequential but also much more complicated topics.
I was not surprised but still disappointed that nobody showed any interest in fighting spam at the root of the problem. To secure one's own little site is one thing. To secure the web and eradicate the spammers would require a very high level of cooperation...
I bounced back on the Color of the bikeshed problem and wrote:
On Wednesday 20 September 2006 06:12 am, Nelson, Curtis wrote:
> > I guess it's obvious I'm in favor of codenames, andrew
> > http://en.wikipedia.org/wiki/Color_of_the_bikeshed
> And so the first codename becomes "bikeshed"
I didn't know this expression but it's a nice one.
Maybe that explains why I didn't get a single reply to my earlier comment (reproduced below) about putting our resources together to fight and definitely deal with spammers, and the people who attack our web sites.
Can you imagine the wealth of information we *collectively* have? The list of web sites and domains used to host malicious scripts? The list of IPs used as relays?
Do we sit on this data mine and do nothing?
The only thing needed for evil to win, is that good people do nothing.
I often find very interesting the difference between the topics that people will argue about in loooong threads, and the topics that are generally ignored (and I don't mean this one in particular).
It is the problem of the color of the bikeshed, indeed.
Is the following unrealistic?
Impossible to implement?
Judging by the lack of replies: all of the above.
> @everybody: the .htaccess solution works for my immediate need, but it is a
> bit selfish because it doesn't help anyone else.
> What follows is not specific to trackback spam, but is relevant to any kind
> of spam being propagated via compromised servers or computers.
> The only thing needed for evil to win, is that good people do nothing.
> At first, all the trackback spam came from the same IP, but then they
> upgraded their software, so that each spam submission came from a different
> IP. Certainly, each of those IPs corresponds to a compromised Windows(TM)
> box, or a compromised web site (using a CMS minus security updates), don't
> they? (or do I misunderstand the way open relays can be used?)
> For now, I have successfully denied trackback spammers access to my site,
> but they are still free to spam the rest of the world.
> What bothered me the most about cpu usage, was that it was such a waste: it
> was not even helping the spammers who never got a single of their links
> Now, if my cpu power can be put to better uses, I don't mind the extra
> resources needed:
> is there a way to collect those IPs used by spammers, and share them among
> us, and with organizations fighting spam.
> The aim would be to get wormed or trojaned Windows(TM) boxes (or
> compromised web sites) to upgrade to a safe version or shut down.
> If all Drupal web sites were collaborating on gathering useful data, and
> passing on this data to relevant organizations, we might collectively
> achieve something.
> One spam report against one IP might achieve nothing, but a concerted
> effort to systematically denounce bad IPs might force people to take
> positive actions.
> I really don't know how such a thing could be organized. One has to study
> first how organizations fighting spam and organizations setting up
> blacklists operate.
> Maybe the developers on this list have better, more concrete ideas...
My questions remain: Is the possibility to cooperate on a large scale unrealistic? Impossible to implement? Naive?
If I find the time, and if I hear about such endeavors, I will post the details here.
By the way:
which one do you prefer?