
A bad problem, a bad solution, and a bad outcome for all.


Transcript

Hi everyone, this is Leo Notenboom with news, commentary and answers to some of the many questions I get at askleo.info.

Earlier this week the anti-spam company Blue Security ceased its spam fighting efforts in response to on-line attacks by spammers. Blue Security's approach to fighting spam was questionable at best, but the manner of its demise is also very disturbing.

Blue Security's approach was to build a do-not-spam list that people like you and me would participate in. Sounds like a good idea, right? The "penalty", so to speak, for a spammer sending unsolicited email to the members of the do-not-spam list was a return flood of unsubscribe requests. Now, many call that justified, but I call it vigilante justice. That returned flood of opt-outs is equivalent to a denial of service attack, and that's wrong, no matter who does it or for what reasons.

So while I believe that Blue Security's goal of putting the brakes on spam was laudable, in my opinion, their method was not. Two wrongs don't make a right.

Not everyone agrees. In fact, when I got a question last week regarding Blue Security, I replied by saying that their method really concerned me. The person asking the question responded with what I'm sure is a common sentiment: at least they're doing something. People are so frustrated with spam that doing something, anything, no matter how ill-conceived it might be, is seen as a good thing.

As you might expect, violence begat violence, and their denial of service attack on a spammer resulted in retribution in a big way. Blue Security's service was the victim of a denial of service attack, and they were taken off the net. When they moved to a hosted solution, the attack moved with them, and took down not only Blue Security, but SixApart's TypePad blog hosting service as well.

Spammers don't care who they hurt. In fact, the spammer thought to be responsible is quoted in The Register as saying "if [I] can't send spam, there will be no internet."

Now, while I disagree with Blue Security's approach, the fact that they've folded due to a spammer's actions concerns me. It shows the spammers that the internet equivalent of terrorism can work.

That doesn't bode well for the future of the internet.

I'd love to hear what you think. Visit ask leo dot info, and enter 10299 in the go to article number box. Leave a comment, I read them all.

This is a presentation of askleo.info, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems.

That's askleo.info.

Article C2658 - May 18, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


9 Comments
Bill
May 18, 2006 4:39 PM

I have been fighting spam for years. Dozens per day. If I went out of town for a week I just had to delete everything that arrived during that time due to time constraints. In other words, a service I pay for was stolen by somebody else.
Blue Security worked. My spam dropped to one per week at most. Not only did it work but it was ethical and legal. It is always ethical to send an opt out request to a spammer and it is always legal. Now if they broke the law and sent so much spam that the opt out requests appeared as DOS their business model is at fault. Not Blue Security's response.
And no, violence did not begat violence. The attack on my mailbox already existed. Spam begat opt out requests...and opt out requests begat an obvious reaction which was so localized it appeared more violent. But nothing new was going on. Instead of violating 10 million internet inboxes over an hour they violated one ISP millions of times per hour.
So thanks to the net cowards it is back to cowering for normal innocent email users. Filtering, hiding, changing addresses, or even multiple email addresses. Sexually explicit advertisements...drug pushing to underage internet inboxes...anarchy. Weak spines and the criminals step into the moral void.

Miriam
May 19, 2006 8:12 AM

What amazes me about spam is how it finds its way to my "most" secure email accounts. I have three free email accounts along with the account provided by my ISP. I have NEVER received any spam in the two throw-away free accounts I use when I have to deal with sources I don't totally trust.

alan
May 20, 2006 8:11 AM

Leo...
I believe I was the first person to ask you about Bluesecurity.
I signed up and was crushed when they went out of business. They must have been doing something right because a lot of slime ball spammers were upset with Bluesecurity. I think you were not 100% correct about Bluesecurity. My understanding was that they notified the slime ball spammer to let them know about the do not email list, and only after communication broke down and the slime ball spammer continued to send spam were they hit with the opt-out requests, as a last resort.
Even if you do not feel this is the right way to handle the situation I have a lot of respect for Bluesecurity for trying to do something. I think if they were able to continue to grow to millions and millions of people they could have had a BIG impact on spam.
The slime ball spammers hit a new low (I did not think they could get any lower): they threatened people that belong to Bluesecurity that if they did not remove their name from the Bluesecurity list their email would be sent to other slime ball spammers, and they also started a "joe-job" attack.
Bottom-line the slime ball spammers put Bluesecurity out of business….now they rule the email world.
My thoughts on stopping spam (I am not a computer geek so some of my ideas might be impossible).
First, the CAN-SPAM act is not working. Only a couple of ISPs are using it to catch slime ball spammers.
Second, I do not think the government will ever put a stop to spam….it is just not that important to them.
Third, I think the only way to stop spam is through the ISP’s and software developers.

As far as sending spam: My ISP limits me to sending 500 emails within a 24 hour period. If I want to send more I have to go through their web site and I can only send 1 email at a time....if all ISPs did this it would be very helpful in stopping spam. Even if a slime ball spammer had 100 computers they would only be able to send out 50K emails in 24 hours......a far cry from what they are doing now. Another thing: if ISPs were able to stop emails from being sent without at least the 'subject' being spell checked. This would help a bunch because mail filters would be able to block emails easier.

As far as receiving spam (the real answer): If ISPs could include the "real" domain name that an email was sent from (not a relay or a forged name etc.) then people that did not want spam could block that domain or email the ISP that the person was sending spam from and hopefully shut them down....if not you would still have the option of blocking the entire domain. For example on Outlook Express there is FROM, TO, CC, BCC, AND SUBJECT......add another box for ORIGINATING DOMAIN. Another thing, I can block mail through the mail filter for TO, FROM, CC, and SUBJECT but I cannot block email from the MESSAGE, I can only have it forwarded to a spam folder. If you could block mail by way of SUBJECT....again the mail filters would work much, much better.

Sorry this is so long and maybe none of my ideas would work, but if a couple of my ideas would work it could have a big impact. We all know that whoever comes up with the solution to stopping spam will end up with more money than Bill Gates.

I would like to know your thoughts on my ideas and hear if you have any ideas on stopping spam.

Have a good one.

Alan

Thor Johnson
May 21, 2006 10:01 PM

According to them, (then again, I only caught BlueSecurity at its downfall), they didn't send a flood of opt-out requests; only 1 per each spam for each user who signed up (from the BlueFrog running on the user's machine); "ordinary behavior" except that if you hit 100K users from BlueSecurity's list (~500K total, iirc), you instantly got 100K "fake orders" or "opt-out requests" instead of a "trickle of concerned users" (and this was after they had contacted the vendor...) [again, all their word, but it looked to me like they were *trying* to be the good guys]

The only thing I thought was slightly shady (but reasonable IMHO), is that the opt-out requests were sent to the address of the person selling crap (aka, not PharmaGod, but the website for ElongateEm that was in the email). But I feel it was a good move because:
1. Kill the spammer's partners, and you hurt them. If nobody wants to touch the spammer because it instantly means that a huge number of fake orders come in, they will die.
2. It avoids hurting zombie machines that were the actual senders of the spam (and the forgeries that spammers stuff in there to do Joe Jobs and the like) (good or bad is debatable here).

I asked Randy Cassingham about it and he was concerned about the collateral damage... I don't think either one of us thought that kicking netblocks off the internet was the type of damage that was going to happen.

Supposedly, there's a rebirth in the works that will try to do the same thing in a peer-to-peer fashion, but I fear that will have other spectacular bits:
1. No central agency reporting pharmacrap to FDA, etc. Thousands of individual emails will likely get filtered, and not even categorized.

2. I think the possibility where the spammer starts adding innocents to the list will quickly halt efforts.

IMHO, it's a shame. I thought what they were doing (as they said it) was the right way to do it (kill the people who hire the spammers, and have a human do the preliminary work and investigation), and I saw the business argument (to protect an entire company, pay $xxx/yr, but individuals are free), and I saw their press releases about results (supposedly 2 groups had started cleaning their lists on a regular basis).

I don't think they knew what they were getting into; even though they started using "the best" DDOS provider (at the last minute), the spammer kicked *the entire network* off the internet. I can even forgive them for knocking typepad and Tucows out for a while; in my mind "obviously a network as big as Tucows should be big enough and distributed enough to handle 1 spammer (I mean... good grief, look at all the mirrors and such for the downloads!)".

Slightly off-topic:
Tell everybody to talk to their congresscritter about the DATA act... In the same vein as CAN-SPAM, it usurps state legislation to provide a *maximum* (ie, supersedes more restrictive state laws) amount of protection for information leaks (eg, the ChoicePoint, Equifax, and other identity theft bits). When did the federales start making "uhh... we'll only let you prosecute them this much" kind of deals?!

At least before CAN-SPAM, I knew a few people (maybe you?) who were making decent pests of themselves (attaching liens to spammers' properties and such) in WA small-claims court...

Don
May 23, 2006 6:41 AM

Leo, you have fallen victim to the spammers' description of Blue Security. Sending spam to a member did not result in a flood of replies or a DOS. One spam to one member resulted in one request to remove the victim from the spammer's list. What could be a more measured response? Requesting to be removed from a spammer's list is specifically allowed by the CAN-SPAM Act. Please set the record straight.

{don}

Christophe
May 23, 2006 7:47 AM

Hi Leo,
Your reaction is very mature and you are totally right... From an ethical point of view... Whatever Blue was doing was questionable in the way they applied it....
I notice also a lot of frustration: Blue was one who 'got the balls' to fight back against Web terrorism the same way these spammers were using the web. In fact, Blue became the symbol of our frustration and they were fighting back with some success. Blue became a symbol of hope and resistance against an evil despot. Having Blue down is certainly a deep wound inflicted on us... But also it makes Blue Security a symbol against spammers.
One day 'justice shall prevail' and the web will be freed from these terrorists.
Chris.

Leo
May 23, 2006 10:08 AM

Don: My understanding is that once a threshold was reached, Bluesecurity flooded the spammer with unsubscribe requests from all blue frog users, regardless of whether or not they had actually received the spam. THAT is a DOS attack, and in my opinion, highly unethical.

Stephen Rogers
May 29, 2006 2:24 PM

Leo: I am very disappointed with the demise of Blue Security. It was really working and I don't think IMHO it was doing anything "shady".

You wanted to know about an idea to stop, or at least put a dent in, unsolicited spam. Here is my opinion and a possible way to do something about the problem:

First, we will never be able to stop spammers. They are in the business because there are enough "suckers" out there to fall for their scams. If everyone would simply ignore the spammers they would have no clientele. How likely is that to happen? Not very likely!

Now for a possible solution....

Leo made a comment about "a few people" taking on the spammers legally. This of course would be ineffective. There is however, another option along these same lines. I believe it would be possible to combine the efforts of Blue Security with a reputable internationally based legal organization to produce an organized force to legally challenge spammers by forcing them into a very large class action lawsuit. As individuals it is unlikely we would get much, if any, monetary return. But then, that isn't the point of the lawsuit. Reducing spam is!

Here's how it might work:

Anyone who receives unsolicited email and is in any way offended by it has a right to tell the originator of such email to stop sending it. They will of course be ignored by the originating spammer if it is done on an individual basis. If, on the other hand, a large number of spam recipients were to report this spam to a dedicated law firm or other legal organization, the legal organization would be in a position to inform the originating spammer that it was receiving a cease-and-desist order to stop sending unsolicited emails to the complaining parties (inclusive). This order would not be in the form of flooding the spammers with complaints. It would simply be a single legal document listing the plaintiffs in et-al format (thus preventing the spammers from getting the names and email addresses of the plaintiffs) that would make the offending spammer aware that further legal action would be taken if they did not comply.

Using the Blue Security opt-out model, users would submit their complaint to the designated legal organization for collection in a complaint database. After x number of complaints, the legal group would issue a restraint order against the offending spammer(s) and their affiliated ISPs warning them of further legal action if they continued to harass their clients. If the harassment continued, a class action lawsuit on behalf of the participating plaintiffs would be filed against the originating spammer and any and all willing participants in the spamming operation.

There are a few gotchas in this idea though. The first being that spam is international and many spammers are spreading their junk from countries that don't really care about what they (the spammers) are doing, or worse, are actually condoning this activity. However, since it requires the use of ISPs outside of their sphere of influence, I can assure you these ISPs would not like to be listed as defendants in a class action lawsuit where their name is involved. I have a feeling they will find a way to be more attentive as to who is using their service if they knew they could be called to answer for allowing spam to be hosted on their servers.

The second obvious potential drawback in this idea is...Who will pay for all of this? Let's face it, no one, especially lawyers, likes working Pro Bono (for free). Well, maybe if the cause were noble enough a large legal organization with international ties might think about it. Or not! I personally would not be opposed to a modest subscription fee for this service if that was what it would take. Sort of like having an attorney on a retainer. If enough subscribers joined I'm sure the legal firm would make a few dollars on the project.

Maybe my idea sounds too simple...Maybe not. In any case, it's a start.

Thanks for your time,

Steve Rogers

Stephen Rogers
May 29, 2006 3:21 PM

A correction to my last post. It was Thor Johnson who made the comment about "a few people" taking on the spammers legally...Sorry Leo.

Steve Rogers

Comments on this entry are closed.