Internet and e-mail policy and practice
including Notes on Internet E-mail



29 Dec 2005

Blue Security's anti-anti-spam scheme

A new company called Blue Security purports to have an innovative approach to getting rid of spam. I don't think much of it. As I said to an Associated Press reporter:

"It's the worst kind of vigilante approach," said John Levine, a board member with the Coalition Against Unsolicited Commercial E-mail. "Deliberate attacks against people's Web sites are illegal."

Before they started their current scheme they contacted every anti-spam organization around, including CAUCE where I'm a board member, trying to find someone who would sponsor their scheme. Everyone including CAUCE said no. Since they announced their plan as a separate company, it is my understanding that at least two and maybe three web hosts have booted them off due to their abusive plans.

Blue Security's approach (described on their web site) is to sign people up to provide spam trap addresses and to run a program that Blue Security provides. As spam arrives at spamtraps, Blue Security plans to take a variety of approaches to get the spammers to stop, starting with notifying the sender and the ISP hosting the web site, as many spam recipients do now, and eventually escalating to a denial-of-service (DOS) attack on the web site.

The DOS attack consists of a zillion unsubscribe requests all sent at once. There's no question it's intended to be a DOS attack; a page on their web site says so:

The overwhelming flow of complaints sent by the Blue Community keeps rogue advertisers' sites busy for long periods of time and causes them to have very long response times. Potential buyers are driven away by the slow response time and poor experience.

Since spammers are bad guys, what's wrong with this? Two things: it won't work, and it turns good guys into bad guys.

The reason it won't work is that this technique could only be effective against spammers who are mostly legal, and have web sites in fixed places. That rules out about 99% of the spam I see, which is from spammers who use throwaway web sites on virus-controlled zombie computers, just like they use zombies to send their spam. By the time you find the server, it's gone, and even if you could hit it, you're going to attack some cable modem user with a virus, not the spammer.

But let's say they are able to correctly identify a site (more on this later), and decide to unsubscribe-bomb someone. In practice, if you can collect a few hundred complaints about a spammer, that's a lot. But a few hundred hits on a web server is no big deal. The only way that they're going to overwhelm a web server with unsub requests is to send each request over and over, to generate tens or hundreds of thousands of web hits. One or two unsubs per person is plausible, but hundreds or thousands is pure abuse.

Fighting abuse with abuse might seem emotionally satisfying, but it is a dreadful strategy. Spammers have long argued that the only people who oppose them are extremist anti-commerce communist etc. etc. radicals. The responsible anti-spam community doesn't do stuff that's illegal, since it would confirm the spammers' argument, and it would make it impossible to work with the cops to shut down the spammers who are breaking the law. One of the biggest challenges in the spam fight has been to get lawmakers and law enforcement to realize that spam really is bad enough to be worth taking legal action, something that's only started to happen on a large scale in the past year. DOS attacks are just plain illegal, even if you think the person you're DOS'ing deserves it. For example, in New York where I live, there is a specific crime called computer tampering which clearly covers DOS attacks and, depending on the amount of damage, can be up to a class C felony punishable by 15 years in jail. The list of defenses does not include "they deserved it."

The other reason it's a bad idea to fight abuse with abuse is that you cannot be sure you know who your target is. So-called joe jobs, in which someone sends out spam pretending to be from someone else, to make trouble for the someone else, are fairly common. Every spammer of course claims to be the victim of a joe job, not to be spamming himself, and sorting out the truth is not straightforward. A DOS against the wrong site (or even against the intended site, but causing damage to other people who happen to use the same computer) would be illegal, incredibly unethical, and a public relations disaster. So no responsible member of the anti-spam community would consider it.

It's certainly frustrating that the fight against spam is so slow. I'm doing what I can, including working with governments to pass effective anti-spam laws, and using existing laws to put spammers in jail, but if the proposal is to start breaking laws to punish people we think deserve it, no thanks.

posted at: 19:13 :: permanent link to this entry :: 1 comments

comments...

Director of Marketing
Dear Mr. Levine

We feel that some of the points mentioned in your article are based on an inaccurate interpretation of key points in our service and would like to highlight some key issues where we have apparently failed to make our message clear.

First and foremost, it is important to stress that the total number of complaints posted by the community is exactly equal to the number of spam messages received. For example, if 20,000 spam messages promoting a certain Web site are sent to the Blue Community, the Blue Community will post exactly 20,000 complaints on that site.

We have spent considerable resources developing our solution such that we are able to receive the large amounts of spam our approach requires - both from honeypot accounts and from our community members. This allows us to stick to the "one spam, one complaint" principle.

As you have accurately noted, some spammers use zombie computers to host their site. However, we do not post complaints on zombie computers. This is only one aspect of our strict policy never to cause any harm to innocent third parties. While this may reduce the effectiveness of our solution, we prefer to do things right.

As for Joe Jobs, spam messages are examined by experienced analysts who research spammers and become familiar with their tactics, including the content of the spam messages they send, the structure and content of the websites they advertise, and more.

Before allowing Blue Frog clients to post complaints on a spam site, our analysts examine the spam messages to verify they match the profile of the suspected spammer and advertiser.

To validate the identity of the site owner, links in spam messages undergo a thorough inspection and authorization process, which includes cross-referencing with URL blacklists and whitelists as well as with data on the WWW/Usenet and with WHOIS records.

Complaints are posted by the community only if the result of this process indicates the site is indeed operated by a spammer, and no response is received from the site's operator and/or hosting facility.

In any case where there is a doubt as to the real identity of the advertised site (e.g. a suspected Joe Job) or a chance that an innocent third party will be affected, no complaints will be posted.

We would be more than happy to present to you the details of our service and receive your feedback and comments.

Best Regards,

Eran Aloni
Director of Marketing
Blue Security

(by Eran Aloni 25 Jul 2005 04:32)

© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.