A bad problem, a bad solution, and
a bad outcome for all.
Hi everyone, this is Leo Notenboom with news, commentary and answers to some
of the many questions I get at askleo.info.
Earlier this week the anti-spam company Blue Security ceased its spam
fighting efforts in response to on-line attacks by spammers. Blue Security’s
approach to fighting spam was questionable at best, but the manner of its
demise is also very disturbing.
Blue Security’s approach was to build a do-not-spam list that people like
you and me would participate in. Sounds like a good idea, right? The “penalty”,
so to speak, for a spammer sending unsolicited email to the members of the
do-not-spam list was a return flood of unsubscribe requests. Now, many call
that justified, but I call it vigilante justice. That returned flood of
opt-outs is equivalent to a denial of service attack, and that’s wrong, no
matter who does it or for what reasons.
So while I believe that Blue Security’s goal of putting the brakes on spam was
laudable, in my opinion, their method was not. Two wrongs don’t make a
Not everyone agrees. In fact, when I got a question last week regarding Blue
Security, I replied by saying that their method really concerned me. The person
asking the question responded with what I’m sure is a common sentiment: at
least they’re doing something. People are so frustrated with spam that doing
something, anything, no matter how ill-conceived it might be, is seen as a good
As you might expect, violence begat violence, and their denial of service
attack on a spammer resulted in retribution in a big way. Blue Security’s
service was the victim of a denial of service attack, and they were taken off
the net. When they moved to a hosted solution, the attack moved with them, and
took down not only Blue Security, but SixApart’s TypePad blog hosting service
Spammers don’t care who they hurt. In fact, the spammer thought to be
responsible is quoted in The Register as saying “if [I] can’t send spam, there will be no
Now, while I disagree with Blue Security’s approach, the fact that they’ve
folded due to a spammer’s actions concerns me. It shows the spammers that the
internet equivalent of terrorism can work.
That doesn’t bode well for the future of the internet.
I’d love to hear what you think. Visit ask leo dot info, and enter 10299 in
the go-to-article-number box. Leave a comment; I read them all.
This is a presentation of askleo.info, a free on-line technical question and
answer service. Hundreds of questions and answers are online and ready to help
solve your computer problems.
8 comments on “Blue Security: Singing the blues about spam.”
I have been fighting spam for years. Dozens per day. If I went out of town for a week I just had to delete everything that arrived during that time due to time constraints. In other words, a service I pay for was stolen by somebody else.
Blue Security worked. My spam dropped to one per week at most. Not only did it work but it was ethical and legal. It is always ethical to send an opt out request to a spammer and it is always legal. Now if they broke the law and sent so much spam that the opt out requests appeared as DOS their business model is at fault. Not Blue Security’s response.
And no, violence did not beget violence. The attack on my mailbox already existed. Spam begat opt out requests…and opt out requests begat an obvious reaction which was so localized it appeared more violent. But nothing new was going on. Instead of violating 10 million internet inboxes over an hour they violated one ISP millions of times per hour.
So thanks to the net cowards it is back to cowering for normal innocent email users. Filtering, hiding, changing addresses, or even multiple email addresses. Sexually explicit advertisements…drug pushing to underage internet inboxes…anarchy. Weak spines and the criminals step into the moral void.
What amazes me about spam is how it finds its way to my “most” secure email accounts. I have three free email accounts along with the account provided by my ISP. I have NEVER received any spam in the two throw-away free accounts I use when I have to deal with sources I don’t totally trust.
According to them, (then again, I only caught BlueSecurity at its downfall), they didn’t send a flood of opt-out requests; only 1 per each spam for each user who signed up (from the BlueFrog running on the user’s machine); “ordinary behavior” except that if you hit 100K users from BlueSecurity’s list (~500K total, iirc), you instantly got 100K “fake orders” or “opt-out requests” instead of a “trickle of concerned users” (and this was after they had contacted the vendor…) [again, all their word, but it looked to me like they were *trying* to be the good guys]
The only thing I thought was slightly shady (but reasonable IMHO), is that the opt-out requests were sent to the address of the person selling crap (aka, not PharmaGod, but the website for ElongateEm that was in the email). But I feel it was a good move because:
1. Kill the spammer’s partners, and you hurt them. If nobody wants to touch the spammer because it instantly means that a huge number of fake orders come in, they will die.
2. It avoids hurting zombie machines that were the actual senders of the spam (and the forgeries that spammers stuff in there to do Joe Jobs and the like) (good or bad is debatable here).
I asked Randy Cassingham about it and he was concerned about the collateral damage… I don’t think either one of us thought that kicking netblocks off the internet was the type of damage that was going to happen.
Supposedly, there’s a rebirth in the works that will try to do the same thing in a peer-to-peer fashion, but I fear that will have other spectacular bits:
1. No central agency reporting pharmacrap to FDA, etc. Thousands of individual emails will likely get filtered, and not even categorized.
2. I think the possibility where the spammer starts adding innocents to the list will quickly halt efforts.
IMHO, it’s a shame. I thought what they were doing (as they said it) was the right way to do it (kill the people who hire the spammers, and have a human do the preliminary work and investigation), and I saw the business argument (to protect an entire company, pay $xxx/yr, but individuals are free), and I saw their press releases about results (supposedly 2 groups had started cleaning their lists on a regular basis).
I don’t think they knew what they were getting into; even though they started using “the best” DDOS provider (at the last minute), the spammer kicked *the entire network* off the internet. I can even forgive them for knocking typepad and Tucows out for a while; in my mind “obviously a network as big as Tucows should be big enough and distributed enough to handle 1 spammer (I mean… good grief, look at all the mirrors and such for the downloads!)”.
Tell everybody to talk to their congresscritter about the DATA act… In the same vein as CAN-SPAM, it usurps state legislation to provide a *maximum* (ie, supersedes more restrictive state laws) amount of protection for information leaks (eg, the ChoicePoint, Equifax, and other identity theft bits). When did the federales start making “uhh… we’ll only let you prosecute them this much” kind of deals?!
At least before CAN-SPAM, I knew a few people (maybe you?) who were making decent pests of themselves (attaching liens to spammers’ properties and such) in WA small-claims court…
Leo, you have fallen victim to the spammers’ description of Blue Security. Sending spam to a member did not result in a flood of replies or a DOS. One spam to one member resulted in one request to remove the victim from the spammer’s list. What could be a more measured response? Requesting to be removed from a spammer’s list is specifically allowed by the CAN-SPAM Act. Please set the record straight.
Your reaction is very mature and you are totally right… From an ethical point of view… Whatever Blue was doing was questionable in the way they applied it….
I notice also a lot of frustration: Blue was one who ‘got the balls’ to fight back Web terrorism the same way these spammers were using the web. In fact, Blue became the symbol of our frustration and they were fighting back with some success. Blue became a symbol of hope and resistance against an evil despot. Having Blue down is certainly a deep wound inflicted on us… But also it makes Blue Security a symbol against spammers.
One day ‘justice shall prevail’ and the web will be freed from these terrorists.
Don: My understanding is that once a threshold was reached, Blue Security flooded the spammer with unsubscribe requests from all Blue Frog users, regardless of whether or not they had actually received the spam. THAT is a DOS attack, and in my opinion, highly unethical.
Leo: I am very disappointed with the demise of Blue Security. It was really working and I don’t think IMHO it was doing anything “shady”.
You wanted to know about an idea to stop, or at least put a dent in, unsolicited spam. Here is my opinion and a possible way to do something about the problem:
First, we will never be able to stop spammers. They are in the business because there are enough “suckers” out there to fall for their scams. If everyone would simply ignore the spammers they would have no clientele. How likely is that to happen? Not very likely!
Now for a possible solution….
Leo made a comment about “a few people” taking on the spammers legally. This of course would be ineffective. There is, however, another option along these same lines. I believe it would be possible to combine the efforts of Blue Security with a reputable internationally based legal organization to produce an organized force to legally challenge spammers by forcing them into a very large class action lawsuit. As individuals it is unlikely we would get much, if any, monetary return. But then, that isn’t the point of the lawsuit. Reducing spam is!
Here’s how it might work:
Anyone who receives unsolicited email and is in any way offended by it has a right to tell the originator of such email to stop sending it. They will of course be ignored by the originating spammer if it is done on an individual basis. If, on the other hand, a large number of spam recipients were to report this spam to a dedicated law firm or other legal organization, the legal organization would be in a position to inform the originating spammer that it was receiving a cease-and-desist order to stop sending unsolicited emails to the complaining parties (inclusive). This order would not be in the form of flooding the spammers with complaints. It would simply be a single legal document listing the plaintiffs in et-al format (thus preventing the spammers from getting the names and email addresses of the plaintiffs) that would make the offending spammer aware that further legal action would be taken if they did not comply.
Using the Blue Security opt-out model, users would submit their complaint to the designated legal organization for collection in a complaint database. After x number of complaints, the legal group would issue a restraining order against the offending spammer(s) and their affiliated ISPs warning them of further legal action if they continued to harass their clients. If the harassment continued, a class action lawsuit on behalf of the participating plaintiffs would be filed against the originating spammer and any and all willing participants in the spamming operation.
There are a few gotchas in this idea though. The first being that spam is international and many spammers are spreading their junk from countries that don’t really care about what they (the spammers) are doing, or worse, are actually condoning this activity. However, since it requires the use of ISPs outside of their sphere of influence, I can assure you these ISPs would not like to be listed as defendants in a class action lawsuit where their name is involved. I have a feeling they will find a way to be more attentive as to who is using their service if they knew they could be called to answer for allowing spam to be hosted on their servers.
The second obvious potential drawback in this idea is…Who will pay for all of this? Let’s face it, no one, especially lawyers, likes working pro bono (for free). Well, maybe if the cause were noble enough a large legal organization with international ties might think about it. Or not! I personally would not be opposed to a modest subscription fee for this service if that was what it would take. Sort of like having an attorney on a retainer. If enough subscribers joined I’m sure the legal firm would make a few dollars on the project.
Maybe my idea sounds too simple…Maybe not. In any case, it’s a start.
Thanks for your time,
A correction to my last post. It was Thor Johnson who made the comment about “a few people” taking on the spammers legally…Sorry Leo.