Helping people with computers... one answer at a time.

A bad problem, a bad solution, and a bad outcome for all.

Listen to the podcast: Blue Security: Singing the blues about spam. It's a podcast!

Transcript

Hi everyone, this is Leo Notenboom with news, commentary and answers to some of the many questions I get at askleo.info.

Earlier this week the anti-spam company Blue Security ceased its spam fighting efforts in response to on-line attacks by spammers. Blue Security's approach to fighting spam was questionable at best, but the manner of its demise is also very disturbing.

Blue Security's approach was to build a do-not-spam list that people like you and me would participate in. Sounds like a good idea, right? The "penalty", so to speak, for a spammer sending unsolicited email to the members of the do-not-spam list was a return flood of unsubscribe requests. Now, many call that justified, but I call it vigilante justice. That returned flood of opt-outs is equivalent to a denial of service attack, and that's wrong, no matter who does it or for what reasons.

So while I believe that Blue Security's goal of putting the brakes on spam was laudable, in my opinion, their method was not. Two wrongs don't make a right.

Not everyone agrees. In fact, when I got a question last week regarding Blue Security, I replied by saying that their method really concerned me. The person asking the question responded with what I'm sure is a common sentiment: at least they're doing something. People are so frustrated with spam that doing something, anything, no matter how ill-conceived it might be, is seen as a good thing.

As you might expect, violence begat violence, and their denial of service attack on a spammer resulted in retribution in a big way. Blue Security's service was the victim of a denial of service attack, and they were taken off the net. When they moved to a hosted solution, the attack moved with them, and took down not only Blue Security, but SixApart's TypePad blog hosting service as well.

Spammers don't care who they hurt. In fact, the spammer thought to be responsible is quoted in The Register as saying "if [I] can't send spam, there will be no internet."

Now, while I disagree with Blue Security's approach, the fact that they've folded due to a spammer's actions concerns me. It shows the spammers that the internet equivalent of terrorism can work.

That doesn't bode well for the future of the internet.

I'd love to hear what you think. Visit ask leo dot info, and enter 10299 in the go to article number box. Leave a comment, I read them all.

This is a presentation of askleo.info, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems.

That's askleo.info.

Article C2658 - May 18, 2006

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Recent Comments
9 Comments

Leo, you have fallen victim to the spammers' description of Blue Security. Sending spam to a member did not result in a flood of replies or a DOS. One spam to one member resulted in one request to remove the victim from the spammer's list. What could be a more measured response? Requesting to be removed from a spammer's list is specifically allowed by the CAN-SPAM Act. Please set the record straight.

{don}

Posted by: Don at May 23, 2006 6:41 AM

Hi Leo,
Your reaction is very mature and you are totally right... From an ethical point of view... Whatever Blue was doing was questionable in the way they applied it....
I notice also a lot of frustration: Blue was one who 'got the balls' to fight back Web terrorism the same way these spammers were using the web. In fact, Blue became the symbol of our frustration and they were fighting back with some success. Blue became a symbol of hope and resistance against an evil despot. Having Blue down is certainly a deep wound inflicted on us... But also it makes Blue Security a symbol against spammers.
One day 'justice shall prevail' and the web will be freed from these terrorists.
Chris.

Posted by: Christophe at May 23, 2006 7:47 AM

Don: My understanding is that once a threshold was reached, Blue Security flooded the spammer with unsubscribe requests from all Blue Frog users, regardless of whether or not they had actually received the spam. THAT is a DOS attack, and in my opinion, highly unethical.

Posted by: Leo at May 23, 2006 10:08 AM

Leo: I am very disappointed with the demise of Blue Security. It was really working and I don't think IMHO it was doing anything "shady".

You wanted to know about an idea to stop, or at least put a dent in, unsolicited spam. Here is my opinion and a possible way to do something about the problem:

First, we will never be able to stop spammers. They are in the business because there are enough "suckers" out there to fall for their scams. If everyone would simply ignore the spammers they would have no clientele. How likely is that to happen? Not very likely!

Now for a possible solution....

Leo made a comment about "a few people" taking on the spammers legally. This of course would be ineffective. There is, however, another option along these same lines. I believe it would be possible to combine the efforts of Blue Security with a reputable internationally based legal organization to produce an organized force to legally challenge spammers by forcing them into a very large class action lawsuit. As individuals it is unlikely we would get much, if any, monetary return. But then, that isn't the point of the lawsuit. Reducing spam is!

Here's how it might work:

Anyone who receives unsolicited email and is in any way offended by it has a right to tell the originator of such email to stop sending it. They will of course be ignored by the originating spammer if it is done on an individual basis. If, on the other hand, a large number of spam recipients were to report this spam to a dedicated law firm or other legal organization, the legal organization would be in a position to inform the originating spammer that it was receiving a cease-and-desist order to stop sending unsolicited emails to the complaining parties (inclusive). This order would not be in the form of flooding the spammers with complaints. It would simply be a single legal document listing the plaintiffs in et-al format (thus preventing the spammers from getting the names and email addresses of the plaintiffs) that would make the offending spammer aware that further legal action would be taken if they did not comply.

Using the Blue Security opt-out model, users would submit their complaint to the designated legal organization for collection in a complaint database. After x number of complaints, the legal group would issue a restraint order against the offending spammer(s) and their affiliated ISPs warning them of further legal action if they continued to harass their clients. If the harassment continued, a class action lawsuit on behalf of the participating plaintiffs would be filed against the originating spammer and any and all willing participants in the spamming operation.

There are a few gotchas in this idea though. The first being that spam is international and many spammers are spreading their junk from countries that don't really care about what they (the spammers) are doing, or worse, are actually condoning this activity. However, since it requires the use of ISPs outside of their sphere of influence, I can assure you these ISPs would not like to be listed as defendants in a class action lawsuit where their name is involved. I have a feeling they will find a way to be more attentive as to who is using their service if they knew they could be called to answer for allowing spam to be hosted on their servers.

The second obvious potential drawback in this idea is... Who will pay for all of this? Let's face it, no one, especially lawyers, likes working Pro Bono (for free). Well, maybe if the cause were noble enough a large legal organization with international ties might think about it. Or Not! I personally would not be opposed to a modest subscription fee for this service if that was what it would take. Sort of like having an attorney on a retainer. If enough subscribers joined I'm sure the legal firm would make a few dollars on the project.

Maybe my idea sounds too simple...Maybe not. In any case, it's a start.

Thanks for your time,

Steve Rogers

Posted by: Stephen Rogers at May 29, 2006 2:24 PM

A correction to my last post. It was Thor Johnson who made the comment about "a few people" taking on the spammers legally...Sorry Leo.

Steve Rogers

Posted by: Stephen Rogers at May 29, 2006 3:21 PM