So if not Blue Security’s approach, then what?
Become a Patron of Ask Leo! and go ad-free!
Hi everyone, this is Leo Notenboom with news, commentary and answers to some
of the many questions I get at askleo.info.
Last week I discussed Blue Security’s going out of business. I got several
comments in support of their methods, mostly born out of people’s frustration
with spam, and that even if unethical, Blue Security had been doing something
So what are the ethical ways to stop spam?
There are two schools of thought.
School one says “educate the masses.” That means making sure that everyone
us running anti-spyware and anti-virus software, as well as staying up to date
with software patches and so on. The goal here is to rob the spammers of one of
their most powerful tools: bot nets. Machines that have been compromised and
have been turned into spam-sending machines referred to as zombies.
That also means educating people that they should never, EVER, purchase from
or respond to spam. That really is the bottom line – if spam didn’t work, then
there’d be no point in sending it. Sadly, enough people do buy, that it does
While educating everyone as mush as is possible is critical, I
still believe relying on it as “the solution” is a technique doomed to failure.
The education must be continuous as things change, and even the smallest
percentage of folks who don’t get the message are enough for spam to continue
I believe that the answer lies in the technology. I believe that the
fundamental tools and techniques used to transmit email across the internet
need to be changed and/or modified. That modification? Absolute verification of
the sender. It is email’s fundamental anonymity and it’s ability to be spoofed
that allows spam to thrive. If I could, with certainly, say “accept only mail
that is guaranteed to be from who it says it is from” 90% of my spam would
disappear over night. And with accountability, the other 10% could be either
tracked down and silenced, or legitimately opted out of.
There are several solutions out there already that attempt to do this
already. Why isn’t it working? Lack of widespread adoption and, to put it
bluntly, politics. Companies are attempting to use various spam fighting
solutions for competitive advantage rather than the betterment of the system as
a whole. Company A pushing solution Z doesn’t want to accept solution Y being
supported by consortium B. Spam solution provide Q would go out of business if
there were a single, effective solution, so they’re not likely to play along
Until the playing field is level, and everyone adopts the same solution,
spam will continue.
But as difficult as it sounds, I believe that’s still more likely than
educating the masses.
I’d love to hear what you think. Visit ask leo dot info, and enter 10327 in
the go to article number box. Leave a comment, I read them all.
This is a presentation of askleo.info, a free on-line technical question and
answer service. Hundreds of questions and answers are online and ready to help
solve your computer problems.
9 comments on “So what do we do about spam?”
Leo, I agree with your conclusion. We must all lobby our respective service providers, politicians etc. to insist on a safe and secure email system for all. I Don’t know enough about email specs to suggest a solution but as I understand it, emails are moved around the internet through a limited number of ‘gateways’. Surely it is possible for the source and destination to be controlled and/or verified before being passed on. Or am I being too simplistic ?
You will never educate or even convince ALL computer users not to allow their machines to be co-oped to this use. Education should be continued but is doomed to failure as the ONLY solution. Computer technology is becomming so inexpensive it will become cost efective to build spam generating farms. Your possition on Blue’s actions is correct. D.D.
Sadly, the financial incentive to sell products to reduce spam will most likely prevent awy real, total solution. Educating the masses is a concept akin to Utopia and equally unreachable
One argument that has been proposed to make education more effective is to fine people whose computers are turned into zombies. If it could be proved that your system had been compromised and used as part of a bot net, you’d be fined $500.
The possibility of losing $500 (more for repeat infections) would cause a lot of people to secure their computers. Sadly, it would cause even more to throw them out.
But it would also be a great marketing tool for anti-virus/anti-spyware vendors. “We’re so confident that our program will keep your PC safe, we’ll pay the fine if your system is compromised while running our software.”
Nice idea to have ‘verified sender’- but if it’s verified that the sender is some guy in Russia, what then? Blue Frog found a way to go to the heart of the matter, and make it cost those actually paying the spammers. They were, predictably, counterattacked by similar methods. I can understand why they stopped, but I’d sure like someone to take up the cause and the tactic.
But who? Since it appears we’re dealing with some Russian with who knows what government/KGB/mafia ties, and obviously with considerable technical expertise and resources, what company would/could risk these continuing counterattacks? If fighting spam were not their core business, how could a company make a business case for doing this?
If a company were solely in the antispam business, how many subscribers would they have to have at what subscription rate to assemble the resources to duplicate the Blue Frog approach, and deal with the subsequent attacks? Simpler to avoid the wrath of the spammers and do what’s being done now- sell subscriptions to so-so filtering software that’s constantly being circumvented by spammers and doesn’t affect the companies who send spam one whit.
The core effectiveness of Blue Frog’s techniques lies in making it uneconomical for a company to hire a spammer to send spam, making it too expensive in terms of wasted resources. It obviously works. The other side- the spammers- have simply used the same technique against Blue Frog. I hate bullies, and spammer bullies even more, but I couldn’t justify using up my company assets ‘for the good of the net’ and because I hate spam. I really can’t blame Blue Frog.
Maybe this is the sort of national security issue that our government should take up. Sure looks like a terrorist attack on our vital infrastructure to me.
Can’t think of anyone with more resources and expertise in this sort of thing than the NSA. They’d have to make it clear that they were the ones protecting the privacy of US citizens by sending the opt-out floods, so attacks wouldn’t be directed elsewhere, and there would have to be some protection for those who submitted their email addresses for opt-out to avoid reprisals directed at individuals. Maybe all the protected-address emails would have to pass through some big honkin’ NSA server to prevent revenge. There would have to be national security-level antihacking and anti-DoS protections in place.
Big brother? Sure. Let big brother do something useful for me for once. This wouldn’t require any domestic warrantless surveillance; the problematic spammers are not US based. If there are any US-based spammers, the FBI can take care of them. If I didn’t want the NSA to have my email address, I wouldn’t have to submit it for antispam protection.
It has been repeatedly stated that spam is a huge problem, sapping vital national resources. Blue Frog has found an effective way to stop it, but doesn’t have the ability on its own to continue- altruism only goes so far when it’s costing you your livelihood.
The government does many billions of dollars worth of things every year that are Constitutionally questionable. Defending US ‘netizens’ from foreign enemies seems very clear.
I have to take issue with your suggestion that Blue Security’s approach was unethical – if an advertiser sends out a large number of adverts and a percentage of the recipients respond asking not to receive any more adverts from them, one response per email received, how is that unethical? One email goes out, one response comes back – and it’s targeted at the true originating source, not some poor spoofed return address. The advertiser is given the opportunity to remove the complainants from their distribution, reducing their costs and targetting their campaign away from non-purchasers. Six of the largest commercial spammers accepted the strategy and complied.
It was the subset of anti-social ‘dark-side’ criminal spammers who saw this as a threat and an opportunity to show their control of the internet mail system and the damage they can do. These are the unethical people, not Blue Security or the compliant commercial spammers. Their focus on making vast sums of money regardless of legality and their ability to bring down whole internet domains with illegal DOS attacks and other techniques indicates they have a true terrorist potential. I only hope their attack on Blue Security, its ISP and supporting DNS services has attracted the attention of governmental agencies with the ability to respond appropriately, but I fear it has not.
I agree with your analysis that only a change in the underlying email infrastructure will make spam fully controllable, but the response of the spammers suggests that the Blue Security approach can be effective if continued over a longer term and in a more distributed manner. I believe there are projects to attempt this currently in development.
Domain Rider: They were unethical because it was not one response per spam. My understanding is that once a spammer hit a threshold of sending out spam, Blue Security use their entire network of participants to snd unsubscribe requests, whether or not they had actually recieved the spam.
Relying on new technology to replace e-mail is a good idea, and although not entirely possible in the near future, is partly possible with current tools and the situation will surely improve as time goes by. There is an e-mail extension that checks if the mail actually originated at the address it says it’s from and some major servers support it. The technology is coming, and as more users demand it, more providers will support it. (Unfortunately I don’t know much about how the extension works; Search for DomainKeys or Sender Policy Framework if you want more info.)
That being said, let me concentrate on the other “school of thought”.
I’m for educating people, but not necessarily the masses. If you do not want spam, get to know your computer and you won’t get spam. Of course, having ALL e-mail users educated is not possible unless they’re forced to, such as by a fine.
Having to pay a fine for having your system compromised is not a good solution: firstly it would promote nasty things like blackmail, but, perhaps more importantly, it would discourage people from using computers, or experimenting with them, without worrying about the consequences. If I didn’t know anything about computers, I’d not want to start using them if there was a $500 fine for doing nothing (that is, not protecting it). And, of course, a fine would only work in the countries where that would be the law.
Here, I’d like to warn everybody about limiting others’ rights on the Internet (such as the proposed fine). The Internet’s based on the fact that anything is possible on it, and every limitation takes away more freedom than it’s supposed to. To name a few lame examples, what’s the difference between this site’s newsletter and some types of spam? What’s the difference between my helping my mother, who lives across the ocean, install a program over the Internet, and a hacker installing a spam-sending utility on your machine? Please don’t support any legislation that limits Internet use unless you really, really know it won’t hurt people with good intentions. Besides, we can’t force spammers to stop spamming by creating laws. It’s been tried with pirated computer games, ripped music, stolen videos, and it always failed. It just doesn’t work, there will always be someone who break the laws.
Don’t force others to not send their mail, even if it is spam. The possibility of sending a message instantly and for free is a privilege too valuable to be lost, even for a good cause.
My general solution to spam is similar to the free market economy theory: Don’t try to prevent others from sending spam. Concentrate on yourself, on blocking the spam YOU *get, read and click.* If everybody does that, it reduces the spammers’ profits, and once those are below the spamming costs, we win.
A first rule of thumb is obvious – never *click* on links in spam messages. Even if it says “unsubscribe”, to the evil spammer it will just confirm that you are a real person, and a susceptible one at that. A perfect target for future attempts. (But don’t be paranoid, if the message is not clearly spam, clicking links shouldn’t hurt you.)
A second rule of thumb – don’t *read* spam. If the subject line looks too spammy and you don’t know the sender, don’t even open the message. And if you do, make sure you at least have pictures blocked.
The third rule is about *getting* the spam. Just like you don’t go hunting down virus writers but buy anti-virus software instead, don’t hunt down spammers but get a spam filter instead.
My personal solution is simple but effective. I have a GMail account. Although I put my e-mail addres (firstname.lastname@example.org) everywhere, even in direct links where it just screams to be harvested, I get at most one spammy message a week. I report that message to GMail, and GMail updates their spam filter. Of course, thousands of other people do this, so GMail learns about thousands of kinds of spam every week and stops all their clones. That is the advantage of having a freemail account: lots of people are using it, and if the provider cares about its spam filters, it’s very effective at blocking the spam. And GMail apparently does care.
Of course, as Leo says everywhere, free mail accounts are potentially dangerous as far as sending important information. Who knows who’ll read it, who knows if it’ll still be there tomorrow. To solve the first problem, I save my messages on my computer (GMail lets you do that). For the other problem, I have a private account with my ISP for sensitive information. But I only give my private address (as well as the sensitive information) to people I trust. I could also set up a policy of blocking all mail from all addresses except the ones I explicitly allow and allow only the people I trust, but I haven’t had a problem with my current setup yet.
To sum it up: Educate yourself, educate the people around you, and give up forcing spammers to quit. They’ll give up once spamming doesn’t work.
Leo: Blue frog offered some degree of relief from that “helpless” feeling. It upset spammers. It worked! We should continue.I have multiple accounts through comcast, four outlook express accounts and one outlook account(all as a result of listening to your How To’s) spred over three home machines plus five online accounts.Your are right about where the spam settles, mystifing to be sure….? I placed an animated PNG., signature in the Outlook mail which seemed to foul the spy bots some, but I couldn’t successfully configure similiar attempts in Outlook Express.