Home / Blogs

Abusive Anti-Anti-Spam Scheme a Dreadful Strategy

A new company called Blue Security purports to have an innovative approach to getting rid of spam. I don’t think much of it. As I said to an Associated Press reporter:

“It’s the worst kind of vigilante approach,” said John Levine, a board member with the Coalition Against Unsolicited Commercial E-mail. “Deliberate attacks against people’s Web sites are illegal.”

Before they started their current scheme they contacted every anti-spam organization around, including CAUCE where I’m a board member, trying to find someone who would sponsor their scheme. Everyone including CAUCE said no. Since they announced their plan as a separate company, it is my understanding that at least two and maybe three web hosts have booted them off due to their abusive plans.

Blue Security’s approach (described on their web site) is to sign people up to provide spam trap addresses and to run a program that Blue Security provides. As spam arrives at spamtraps, Blue Security plans to take a variety of approaches to get the spammers to stop, starting with notifying the sender and the ISP hosting the web site, as many spam recipients do now, and eventually escalating to a denial-of-service (DOS) attack on the web site.

The DOS attack consists of a zillion unsubscribe requests all sent at once. There’s no question it’s intended to be a DOS attack; a page on their web site says so:

The overwhelming flow of complaints sent by the Blue Community keeps rogue advertisers’ sites busy for long periods of time and causes them to have very long response times. Potential buyers are driven away by the slow response time and poor experience.

Since spammers are bad guys, what’s wrong with this? Two things: it won’t work, and it turns good guys into bad guys.

The reason it won’t work is that this technique could only be effective against spammers who are mostly legal, and have web sites in fixed places. That rules out about 99% of the spam I see, which is from spammers who use throwaway web sites on virus-controlled zombie computers, just like they use zombies to send their spam. By the time you find the server, it’s gone, and even if you could hit it, you’re going to attack some cable modem user with a virus, not the spammer.

But let’s say they are able to correctly identify a site (more on this later), and decide to unsubscribe-bomb someone. In practice, if you can collect a few hundred complaints about a spammer, that’s a lot. But a few hundred hits on a web server is no big deal. The only way that they’re going to overwhelm a web server with unsub requests is to send each request over and over, to generate tens or hundreds of thousands of web hits. One or two unsubs per person is plausible, but hundreds or thousands is pure abuse.

Fighting abuse with abuse might seem emotionally satisfying, but it is a dreadful strategy. Spammers have long argued that the only people who oppose them are extremist anti-commerce communist etc. etc. radicals. The responsible anti-spam community doesn’t do stuff that’s illegal, since it would confirm the spammers’ argument, and it would make it impossible to work with the cops to shut down the spammers who are breaking the law. One of the biggest challenges in the spam fight has been to get lawmakers and law enforcement to realize that spam really is bad enough to be worth taking legal action, something that’s only started to happen on a large scale in the past year. DOS attacks are just plain illegal, even if you think the person you’re DOS’ing deserves it. For example, in New York where I live, there is a specific crime called computer tampering which clearly covers DOS attacks and, depending on the amount of damage, can be up to a class C felony punishable by 15 years in jail. The list of defenses does not include “they deserved it.’‘

The other reason it’s a bad idea to fight abuse with abuse, is that you cannot be sure you know who your target is. So called joe jobs, in which someone sends out spam pretending to be from someone else, to make trouble for the someone else, are fairly common. Every spammer of course claims to be the victim of a joe job, not to be spamming himself, and sorting out the truth involves is not straightforward. A DOS against the wrong site (or even against the intended site, but causing damage to other people who happen to use the same computer) would be illegal, incredibly unethical, and a public relations disaster. So no responsible member of the anti-spam community would consider it.

It’s certainly frustrating that the fight against spam is so slow. I’m doing what I can, including working with governments to pass effective anti-spam laws, and using existing laws to put spammers in jail, but if the proposal is to start breaking laws to punish people we think deserve it, no thanks.

By John Levine, Author, Consultant & Speaker

Filed Under

Comments

Tim  –  Jul 27, 2005 1:30 AM

John, you’re going to have to explain to me how you require an e-mail address to respond to you.  Are you in favor of spam?

BTW, you’re wrong.

Tim

John Levine  –  Jul 27, 2005 2:16 AM

I think Tim is asking about my blog at http://weblog.taugh.com from which this article is mirrored. As the comment form there says:

Note: all comments require an email address so we can send a confirmation to verify that it was posted by a person and not a spambot. Your email won’t be displayed unless you check the box below, and won’t be used for other purposes.

If you don’t put some sort of control on comments, a blog quickly fills up with blog spam, typically links to gambling sites. The confirmation keeps the spam away with minimal hassle all around.

If Tim is implying that the confirmations are just so I can steal the names and make a spam list, sheesh. Get a life.


Incidentally, I have never had much sympathy for the theory that the way to solve the spam problem is to hide from spammers. My goal is to make spam go away while still letting people who have real mail send it to me.

Kevin Murphy  –  Jul 29, 2005 10:59 PM

My understanding is that each participant sends one single complaint per spam, via the spammer’s web site. Is it still a DoS?

It’s something that could be, and is, done manually by many pissed off consumers.

What if we all coordinated and decided to all manually complain at the same time?

Would that be a DoS?

Is it the *intention* to impair performance that makes it a DoS? Or a combination of intention and automation?

John Levine  –  Jul 30, 2005 1:21 AM

The real answer is that an illegal DOS is whatever a court says it is, but having looked at a lot of computer crime laws, I’d have to say that intention counts for a lot.  As I noted in my article, BS clearly intends to damage the web sites they attack, which makes it a DOS in my book.

If it is really the case that they send only one complaint per spam, the whole issue is moot since they’ll never collect enough spam to do enough web hits to cause more than a hiccough.

Tim  –  Jul 31, 2005 2:15 PM

John, I was talking about posting a comment on circleid.com. I don’t see your e-mail address there, yet I had to supply mine.  I understand the need to control spam posts, I just found it interesting that most reporters will supply their e-mail address after their article, yet you hide yours.  It was simply an observation.

As for your claim that Blue Security coordinates DoS attacks, they don’t.  A DoS attack on a web site might affect other legitimate sites on the same host, and that would not be fair to them.  http://community.bluesecurity.com/[email protected]@.3c3ea1b5  When a campaign is in progress, complaints are metered so as to NOT all arrive at the same time.  http://community.bluesecurity.com/[email protected]@.3c3eb2a6/0 

You say intent is the determining factor in deciding if this is a DoS attack.  I’ve run the Blue Frog for almost two weeks now, and I doubt it has used a megabyte of bandwidth, outside of the 1 megabyte download of the Blue Frog client.  I’ve been active in campaigns against spamversized sites, and watched my bandwidth usage during that campaign.  For the most part, I was absolutely idle.  No bandwidth used whatsoever.  Although the icon in my system tray tells me when a campaign is underway, for the most part the Frog just sits there and waits for my turn to send a single HTML complaint to the site.  As for your claim we send “a zillion unsubscribe requests .. at once”, you are wrong.  Only one complaint is sent for each spam received, and we don’t have a zillion members… yet. ;-)

Most of Blue Security’s efforts are focused on negotiating with the web site’s owner to encourage them to only advertise with bulk mailers that download and use their free cleaning tool.  We are a Community that will not buy from web sites that send us spam, and simply decided to join forces to make our complaints heard.  We are not here to hurt legitimate businesses, we want rogue spammers to lose business.

For the record, I am not an employee of Blue Security. For the past two years, I’ve spent entirely too much time complaining to spamversized sites.  It works.  It reduced my spam by approximately 75%, but a noticeable difference wasn’t achieved until after the first 3 to 6 months.  I still got (and still get) spam from the worst of the worst on ROKSO. http://www.spamhaus.org/rokso/index.lasso  I signed up for Fred (that’s the frog’s name) and I would estimate my remaining spam has been reduced by half.  I’ll contend the Blue Community is already large enough to make a difference, and the campaigns haven’t even really begun yet.  That is the last thing we want to do.

But we can do it.  And it scares spammers. They don’t like when people complain about them.  I know, I’ve done it for the past two years.  Alone.  Now, I bring 15,000 (and counting) friends along with me. :-D

Lee  –  Jul 31, 2005 8:49 PM

Interesting last paragraph in your “put spammers in jail” article:

“While it’s certainly satisfying that such a major spamming crook got the jail time he deserves, this case cost the Commonwealth of Virginia a whole lot of time and money money for preparation, staff work, and expenses. (We experts don’t work for free, we wouldn’t be credible if we did.) Going to this level of effort to knock out the top 10 or top 20 spammers is plausible, but going after 100 or a thousand just isn’t going to happen. That tells me that we still need more effective civil remedies that individuals or small networks can afford to pursue.”

Blue Security is clearly an affordable, effective, small community effort to counter spam. If their strategies are unacceptable, what sort of civil remedies would you suggest individuals or small networks undertake - uh, ideally that will work in THIS decade.

Suresh Ramasubramanian  –  Aug 1, 2005 2:17 AM

Here’s a lovely article about bluesecurity and the mindset of its users. I’m quite happy for useless “let’s spam the spammer back” schemes to auto-darwinate. Saves time having to explain to a lot of people that no, not all antispam operators, and not all antispam organizations, are a bunch of vigilantes with more technical acumen than sense (and not too much of either)

http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=2145&pubid=5&issueid=55
Spamming spammers sparks ethics queries
Bob Francis
InfoWorld (US online)

Blue Security’s plan to fight spam with spam has gotten me thinking. Blue Security is a startup security firm that’s taking the fight against spam to the spammers by enlisting end-users to create a Do Not Intrude Registry and making
it painful for junk mailers to operate.

It works like this: If spammers send you spam, you have a right to complain. If the spammers send you one spam, you complain one time. Chances are, however, that they will send you thousands of spam messages, so Blue Security lets you complain a thousand times.

Users can download Blue Security’s Blue Frog client and sign up with the Do Not Intrude Registry starting this week. When the software is up and running, users register an e-mail address to monitor for spam. The software analyzes the messages that come into the user’s account, and then follows the links to the
spammer’s site. Blue Frog then finds any kind of contact form to fill out and demands the e-mail address be removed from the spammer’s list.

I call this the George-and-Charlie defense, because I did much the same thing to a pair of buddies with the same names. George and Charlie were two friends from my old neighborhood, a Levittown-type area on the edge of downtown Fort
Worth, Texas. We played football, baseball, and all those other bucolic childhood activities, along with a few others for which the statute of
limitations have run out, I hope.

Like many of us, George and Charlie found adulthood to be somewhat less than the “high school with money and nobody to hassle us” fantasy that many of us had when first venturing out on our own.

In other words, we had to get a job and get money and be responsible; unless, like me, you became a journalist. Then it sort of ended with the “get a job part.”

George and Charlie both chose the life insurance route for awhile. One of the first things they teach you in life insurance school is to call on all your old buddies, which is what George and Charlie did. Funny, I never tried to sell
them a newspaper subscription or an ad in my newspaper.

Anyway, eventually I got tired of it and so when George called one more time to snap up some of my meager paycheck for a life insurance plan, I told him no. I added, however, that I had run into our old buddy Charlie, and he was asking
about life insurance, too. A few days later Charlie called and I told him the same thing about George. I never heard from either again. I assume they’re still trying to sell each other life insurance in some never-ending Jean-Paul
Sartre play.

That is kind of what Blue Security is trying to do. It’s more than happy to be George to the spammer’s Charlie. Or vice versa.

Blue Security is hardly the first company to attempt this. Lycos Europe attempted a similar system last year, but dropped the plan when the security community argued that Lycos Europe was engaging in vigilantism and had crossed the line by launching DDoS attacks on spammers’ sites.

True enough, probably. On the other hand, I know plenty of users whose computer systems have simply been shut down by all the junk that spammers and zombie systems have loaded on their machines. At some point, someone is going to pull a Howard Beale from “Network” and scream, “I’m as mad as hell and I’m not going
to take this anymore!”

That’s exactly the target audience, says Maribel Lopez, a security analyst at Forrester, although she put it in more analyst-like language: “Blue Security is looking for passionate users, users who are tired of all the spam and are riled
up enough to do something about it,” she says.

The big question, Lopez says, is whether Blue Security’s plan is ethical and legal. “I think those questions are still unanswered,” she adds.

If it’s not ethical and legal, then I guess I have to call George and Charlie and apologize. The only problem is, I don’t want them to have my phone number.

Mark A. Craig  –  Aug 31, 2005 3:10 PM

Mr. Levine simply doesn’t understand the BlueSecurity mechanism, apparently because he was predisposed to be dismissive of anything that vaguely resembles previous schemes which did involve DOS assaults.

Denial of service is not the purpose or point of the automated Blue Frog submissions.

As explained rather clearly at BlueSecurity’s Web site, they:

(1) analyze spam submissions;
(2) identify the biggest common offenders;
(3) determine the Web sites employed to take spam-product orders;
(4) analyze the structure of the form(s) used to accept orders;
(5) craft instructions for Blue Frog clients to submit COMPLAINTS - not unsubscribe requests - via those sites’ own order forms; and finally
(6) instruct the Blue Frog clients to automagically submit form complaints equal in number to the reported instances of spam from the site’s owner.

Thus the purpose of the campaigns is to waste the “bandwidth” of the HUMAN OWNERS and operators of the sites, NOT the physical servers of the sites, by forcing them to inspect hundreds or thousands or tens of thousands of “order form” submissions which are COMPLAINTS and not actual orders.

The one thing a spammer most desires is a completed order form, and the frustration, letdown, and waste of time involved with having to slog through huge numbers of submissions that DON’T actually make them money is immensely DEMORALIZING.  Eventually the spammer realizes that spamming, at least to BlueSecurity members, is no longer profitable and either quits spamming altogether or uses the BlueSecurity Registry tool to avoid the people he now knows will cause him frustration and net him no profit.

None of that qualifies as “denial of service”.  It’s using the spammers’ own tools against them.  It’s reverse-engineering the illicit tools of the social engineers.

Mr. Levine needs to learn how to read and analyze before he judges, rather than than prejudging based on some presumed pattern.

Mark A. Craig

Lee  –  Sep 1, 2005 6:57 PM

Gee, an expert working with government to punish elusive spammers. Impressive.

So, I’d still like to know what sort of “...effective civil remedies that individuals or small networks can afford to pursue.” you propose to support your expert role.

John Levine  –  Sep 1, 2005 8:15 PM

Re Mr Craig’s question, the quote I cited from BS’s web site seems pretty clear to me. Despite all the smoke and mirrors, it’s basically intended as a DOS attack. I haven’t seen any noticable change in the amount of spam flowing, so the whole thing is pointless, as predicted.

Re Mr Lee’s question, the private right of action in the US junk fax law has been fairly effective. That’s what I’ve always wanted in a spam law.

Lee  –  Sep 10, 2005 11:50 AM

<“Re Mr Lee’s question, the private right of action in the US junk fax law has been fairly effective. That’s what I’ve always wanted in a spam law.”>


Fairly effective? That’s odd; I haven’t observed “any noticable change in the amount of spam flowing, so the whole thing (so far)is pointless, as predicted.”

Thank goodness for individual and small community proactivity like Blue Security eh.

- and btw; I am no “Mr.”



John Levine  –  Sep 10, 2005 1:28 PM

Now I’m completely confused by Comrade Lee’s comments.  There is a private right of action in the junk fax law, and it works.  There is no PROA in a CAN SPAM and it doesn’t work. I agree that we haven’t seen any drop in spam, so presumably we agree that neither CAN SPAM nor Blue Security are having any effect.

Tim  –  Sep 11, 2005 6:35 AM

G’day Mate!  And you too, John.

“so presumably we agree that neither CAN SPAM nor Blue Security are having any effect.”

Have you checked YesNIC’s web page?  They now have an anti-abuse policy.  CAN-SPAM didn’t do that. Maybe your spam hasn’t gone down because you didn’t sign up for Fred’s services.  Do that, and talk to me in a month.

There are changes going on in the spam industry, and Blue Security is causing it, John.  Hundreds of people sign up for Blue Secuity every day.  They don’t do that because Blue doesn’t work, John, they do it because Blue Security does.

If you took more than a cursory glance at their web page, you would see that Blue Security is CAN-SPAM compiant.  Against criminals.  And working.

You may have wanted the CAN-SPAM act to work, but it doesn’t.  Fred does.

Oh, and Lee is a chick. (G’day Mate!)

roderick whitney stillwell  –  Dec 12, 2005 3:49 PM

I can only hope I have not found this thread too late.

At present reading, I am disposed to give equal weight to both assertions: 1. A concerted effort to thwart deception based UBE is needed, and 2. That the bounds of law and ethics take precedence over all other considerations.

Legal considerations are subject to challenge, debate and refinement. But they need not be ignored or depreciated.

The question that I have not been able to answer satisfactorily regarding the Blue Security approach is whether it can really be effective in modifying the spamming practices of Spam Kings such as those on the ROKSO, ‘preferred miscreants’, list. If diluting the harvest of responses to their spam by sowing tares (complaints) in their fields such that it tasks them with trying to pick flys**t out of pepper, then I would be inclined to favor the BS tactic. I accept a literal interpretation of spamvertisements; to whit, they are asking for a response. I am comfortable with the ethics of compelling the sender to accept a response, even if it is inconvenient, on 2 counts: spamming my inbox using my address which was not obtained legitimately in the first place, and sending lewd and highly distasteful material to a computer my family shares in the second.

There is a third reason that is a bit convoluted; if I overtly respond to the spam by asking to be removed from the proto-mailing list, I am in effect increasing the value of his assets, (my email address and IP which he can and does sell for money), while at the same time, forfeiting some of the value of my assets as it attaches to my family’s compromised access to a service for which we must pay. In law, as Mr. Levine well understands, this is the foundation for a petition for remedy. At present here in Canada, civil law does not provide a means of remedy for these circumstances, (excepting child pornography, which is criminal); not yet anyway. The law does protect the spammer against, “eye-for-an–eye”, retaliation though, eh?

I report spam to Spamcop now and I make the extra effort to check domain registrations and submit reports to InterNic, registrars and, when practical, various BL services. This is very time consuming. I have been patiently doing this for a year; BUT, the same spam king continues to populate my inbox every day with 10 to 20 porn-spamvertisements. My experience doing this makes me want to concur with Mr. Levine’s view that big-league spammers have hundreds of, “throw-away”, domains available to them on any given day and therefore are immune to legitimate domain killing practices. And the sheer number of complaints many registrars require against a client before, “kicking them off”, is entirely beyond the reasonable expectation of any individual’s endeavour, no matter how dedicated. “Enom,” is a good example; I don’t even want to think about Chinese and Russian registrars.

If it can be demonstrated that there is a 1:1 relationship between spam received and complaint sent, then I could be persuaded no ethical or legal transgressions are being committed. If bandwidth taken up for an ISP or it’s ‘innocent’ clients is problematic, then I am inclined to think it appropriate that issue be resolved between the ISP and the spammer. They could at the same time resolve any issues around the use of forged headers, open relays and proxies and other improprieties used to persuade the public to access the site in the first place.

roderick whitney stillwell

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global

Threat Intelligence

Sponsored byWhoisXML API

DNS

Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign