29 Dec 2005
A new company called Blue Security purports to have an innovative approach to getting rid of spam. I don't think much of it. As I said to an Associated Press reporter:
"It's the worst kind of vigilante approach," said John Levine, a board member with the Coalition Against Unsolicited Commercial E-mail. "Deliberate attacks against people's Web sites are illegal."
Before they started their current scheme they contacted every anti-spam organization around, including CAUCE where I'm a board member, trying to find someone who would sponsor their scheme. Everyone including CAUCE said no. Since they announced their plan as a separate company, it is my understanding that at least two and maybe three web hosts have booted them off due to their abusive plans.
Blue Security's approach (described on their web site) is to sign people up to provide spam trap addresses and to run a program that Blue Security provides. As spam arrives at spamtraps, Blue Security plans to take a variety of approaches to get the spammers to stop, starting with notifying the sender and the ISP hosting the web site, as many spam recipients do now, and eventually escalating to a denial-of-service (DOS) attack on the web site.
The DOS attack consists of a zillion unsubscribe requests all sent at once. There's no question it's intended to be a DOS attack; a page on their web site says so:
The overwhelming flow of complaints sent by the Blue Community keeps rogue advertisers' sites busy for long periods of time and causes them to have very long response times. Potential buyers are driven away by the slow response time and poor experience.
Since spammers are bad guys, what's wrong with this? Two things: it won't work, and it turns good guys into bad guys.
The reason it won't work is that this technique could only be effective against spammers who are mostly legal, and have web sites in fixed places. That rules out about 99% of the spam I see, which is from spammers who use throwaway web sites on virus-controlled zombie computers, just like they use zombies to send their spam. By the time you find the server, it's gone, and even if you could hit it, you're going to attack some cable modem user with a virus, not the spammer.
But let's say they are able to correctly identify a site (more on this later), and decide to unsubscribe-bomb someone. In practice, if you can collect a few hundred complaints about a spammer, that's a lot. But a few hundred hits on a web server is no big deal. The only way that they're going to overwhelm a web server with unsub requests is to send each request over and over, to generate tens or hundreds of thousands of web hits. One or two unsubs per person is plausible, but hundreds or thousands is pure abuse.
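One way a web site operator could tell genuine unsubscribe traffic from the kind of flood described above is to count unsubscribe requests per client per minute: a real recipient sends one or two, a flood re-sends the same request over and over. The script below is an added example, not code from the original post or from Blue Security; the access log lines are constructed, and the `/unsubscribe` path and the five-requests-per-minute threshold are assumptions.

```python
"""Detect unsubscribe-request flooding in web server access logs.

A genuine spam recipient submits an unsubscribe request once or twice;
a flood re-sends the same request many times from the same client.
Counting POSTs per client per one-minute bucket separates the two.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache/nginx "combined"-style log lines (not real traffic).
# Two clients behave like ordinary recipients; 203.0.113.7 loops.
_NORMAL = [
    '198.51.100.4 - - [29/Dec/2005:10:00:01 +0000] "POST /unsubscribe HTTP/1.1" 200 512',
    '198.51.100.9 - - [29/Dec/2005:10:00:03 +0000] "POST /unsubscribe HTTP/1.1" 200 512',
    '198.51.100.9 - - [29/Dec/2005:10:00:40 +0000] "POST /unsubscribe HTTP/1.1" 200 512',
    '198.51.100.4 - - [29/Dec/2005:10:00:44 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
_FLOOD = [
    '203.0.113.7 - - [29/Dec/2005:10:00:%02d +0000] "POST /unsubscribe HTTP/1.1" 200 512' % s
    for s in range(5, 35)  # 30 identical requests in 30 seconds from one client
]
SAMPLE_LOG = "\n".join(_NORMAL + _FLOOD)

# Client IP, ident, user, timestamp, request line, status, size.
# Anything after the size (referer, user agent) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_log(text):
    """Return one record per parseable line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        records.append({
            "ip": m.group("ip"),
            "minute": ts.replace(second=0),  # one-minute bucket
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return records


def unsubscribe_stats(text, path="/unsubscribe"):
    """Total unsubscribe POSTs versus distinct clients sending them.

    A large total over a small number of clients is the signature of
    repeated submissions rather than many individual complaints.
    """
    hits = [r for r in parse_log(text) if r["method"] == "POST" and r["path"] == path]
    return {"total": len(hits), "distinct_clients": len({r["ip"] for r in hits})}


def flag_unsubscribe_floods(text, path="/unsubscribe", max_per_minute=5):
    """Return {client_ip: peak requests per minute} for clients over the limit.

    The path and the threshold are assumptions chosen for this example.
    """
    per_minute = defaultdict(int)
    for r in parse_log(text):
        if r["method"] == "POST" and r["path"] == path:
            per_minute[(r["ip"], r["minute"])] += 1
    peak = defaultdict(int)
    for (ip, _minute), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > max_per_minute}


if __name__ == "__main__":
    print(unsubscribe_stats(SAMPLE_LOG))
    print(flag_unsubscribe_floods(SAMPLE_LOG))
```

On the constructed sample, the two ordinary clients account for three requests and the looping client for thirty, which is the distinction the paragraph above draws: a few hundred complaints from a few hundred people is normal traffic, while the same request repeated thousands of times from a handful of clients is the abuse. A flagged client is a candidate for rate limiting at the web server, not evidence of who is behind it.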
Fighting abuse with abuse might seem emotionally satisfying, but it is a dreadful strategy. Spammers have long argued that the only people who oppose them are extremist anti-commerce communist etc. etc. radicals. The responsible anti-spam community doesn't do stuff that's illegal, since it would confirm the spammers' argument, and it would make it impossible to work with the cops to shut down the spammers who are breaking the law. One of the biggest challenges in the spam fight has been to get lawmakers and law enforcement to realize that spam really is bad enough to be worth taking legal action, something that's only started to happen on a large scale in the past year. DOS attacks are just plain illegal, even if you think the person you're DOS'ing deserves it. For example, in New York where I live, there is a specific crime called computer tampering which clearly covers DOS attacks and, depending on the amount of damage, can be up to a class C felony punishable by 15 years in jail. The list of defenses does not include "they deserved it."
The other reason it's a bad idea to fight abuse with abuse is that you cannot be sure you know who your target is. So-called joe jobs, in which someone sends out spam pretending to be from someone else to make trouble for that someone else, are fairly common. Every spammer of course claims to be the victim of a joe job rather than to be spamming himself, and sorting out the truth is not straightforward. A DOS against the wrong site (or even against the intended site, but causing damage to other people who happen to use the same computer) would be illegal, incredibly unethical, and a public relations disaster. So no responsible member of the anti-spam community would consider it.
It's certainly frustrating that the fight against spam is so slow. I'm doing what I can, including working with governments to pass effective anti-spam laws, and using existing laws to put spammers in jail, but if the proposal is to start breaking laws to punish people we think deserve it, no thanks.
© 2005-2020 John R. Levine.