Helping people with computers... one answer at a time.

So if not Blue Security's approach, then what?

Listen:
Download the mp3

Transcript

Hi everyone, this is Leo Notenboom with news, commentary and answers to some of the many questions I get at askleo.info.

Last week I discussed Blue Security's going out of business. I got several comments in support of their methods, mostly born out of people's frustration with spam, and that even if unethical, Blue Security had been doing something about it.

So what are the ethical ways to stop spam?

There are two schools of thought.

School one says "educate the masses." That means making sure that everyone us running anti-spyware and anti-virus software, as well as staying up to date with software patches and so on. The goal here is to rob the spammers of one of their most powerful tools: bot nets. Machines that have been compromised and have been turned into spam-sending machines referred to as zombies.

That also means educating people that they should never, EVER, purchase from or respond to spam. That really is the bottom line - if spam didn't work, then there'd be no point in sending it. Sadly, enough people do buy, that it does work.

While educating everyone as mush as is possible is critical, I still believe relying on it as "the solution" is a technique doomed to failure. The education must be continuous as things change, and even the smallest percentage of folks who don't get the message are enough for spam to continue to flourish.

I believe that the answer lies in the technology. I believe that the fundamental tools and techniques used to transmit email across the internet need to be changed and/or modified. That modification? Absolute verification of the sender. It is email's fundamental anonymity and it's ability to be spoofed that allows spam to thrive. If I could, with certainly, say "accept only mail that is guaranteed to be from who it says it is from" 90% of my spam would disappear over night. And with accountability, the other 10% could be either tracked down and silenced, or legitimately opted out of.

There are several solutions out there already that attempt to do this already. Why isn't it working? Lack of widespread adoption and, to put it bluntly, politics. Companies are attempting to use various spam fighting solutions for competitive advantage rather than the betterment of the system as a whole. Company A pushing solution Z doesn't want to accept solution Y being supported by consortium B. Spam solution provide Q would go out of business if there were a single, effective solution, so they're not likely to play along either.

Until the playing field is level, and everyone adopts the same solution, spam will continue.

But as difficult as it sounds, I believe that's still more likely than educating the masses.

I'd love to hear what you think. Visit ask leo dot info, and enter 10327 in the go to article number box. Leave a comment, I read them all.

This is a presentation of askleo.info, a free on-line technical question and answer service. Hundreds of questions and answers are online and ready to help solve your computer problems.

That's askleo.info.

Article C2666 - May 25, 2006 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

10 Comments
Roscho
May 26, 2006 2:11 AM

Leo, I agree with your conclusion. We must all lobby our respective service providers, politicians etc. to insist on a safe and secure email system for all. I Don't know enough about email specs to suggest a solution but as I understand it, emails are moved around the internet through a limited number of 'gateways'. Surely it is possible for the source and destination to be controlled and/or verified before being passed on. Or am I being too simplistic ?

Don Davis
May 26, 2006 7:57 AM

You will never educate or even convince ALL computer users not to allow their machines to be co-oped to this use. Education should be continued but is doomed to failure as the ONLY solution. Computer technology is becomming so inexpensive it will become cost efective to build spam generating farms. Your possition on Blue's actions is correct. D.D.

steve
May 26, 2006 8:51 AM

Sadly, the financial incentive to sell products to reduce spam will most likely prevent awy real, total solution. Educating the masses is a concept akin to Utopia and equally unreachable

Greg Bulmash
May 26, 2006 9:46 AM

One argument that has been proposed to make education more effective is to fine people whose computers are turned into zombies. If it could be proved that your system had been compromised and used as part of a bot net, you'd be fined $500.

The possibility of losing $500 (more for repeat infections) would cause a lot of people to secure their computers. Sadly, it would cause even more to throw them out.

But it would also be a great marketing tool for anti-virus/anti-spyware vendors. "We're so confident that our program will keep your PC safe, we'll pay the fine if your system is compromised while running our software."

Craig Benson
May 26, 2006 12:28 PM

Nice idea to have 'verified sender'- but if it's verified that the sender is some guy in Russia, what then? Blue Frog found a way to go to the heart of the matter, and make it cost those actually paying the spammers. They were, predictably, counterattacked by similar methods. I can understand why they stopped, but I'd sure like someone to take up the cause and the tactic.

But who? Since it appears we're dealing with some Russian with who knows what government/KGB/mafia ties, and obviously with considerable technical expertise and resources, what company would/could risk these continuing counterattacks? If fighting spam were not their core business, how could a company make a business case for doing this?

If a company were solely in the antispam business, how many subscribers would they have to have at what subscription rate to assemble the resources to duplicate the Blue Frog approach, and deal with the subsequent attacks? Simpler to avoid the wrath of the spammers and do what's being done now- sell subscriptions to so-so filtering software that's constantly being circumvented by spammers and doesn't affect the companies who send spam one whit.

The core effectiveness of Blue Frog's techniques lies in making it uneconomical for a company to hire a spammer to send spam, making it too expensive in terms of wasted resources. It obviously works. The other side- the spammers- have simply used the same technique against Blue Frog. I hate bullies, and spammer bullies even more, but I couldn't justify using up my company assets 'for the good of the net' and because I hate spam. I really can't blame Blue Frog.

Maybe this is the sort of national security issue that our government should take up. Sure looks like a terrorist attack on our vital infrastructure to me.

Can't think of anyone with more resources and expertise in this sort of thing than the NSA. They'd have to make it clear that they were the ones protecting the privacy of US citizens by sending the opt-out floods, so attacks wouldn't be directed elsewhere, and there would have to be some protection for those who submitted their email addresses for opt-out to avoid reprisals directed at individuals. Maybe all the protected-address emails would have to pass through some big honkin' NSA server to prevent revenge. There would have to be national security-level antihacking and anti-DoS protections in place.

Big brother? Sure. Let big brother do something useful for me for once. This wouldn't require any domestic warrantless surveillance; the problematic spammers are not US based. If there are any US-based spammers, the FBI can take care of them. If I didn't want the NSA to have my email address, I wouldn't have to submit it for antispam protection.

It has been repeatedly stated that spam is a huge problem, sapping vital national resources. Blue Frog has found an effective way to stop it, but doesn't have the ability on its own to continue- altruism only goes so far when it's costing you your livelihood.

The government does many billions of dollars worth of things every year that are Constitutionally questionable. Defending US 'netizens' from foreign enemies seems very clear.

Domain Rider
May 27, 2006 3:04 AM

I have to take issue with your suggestion that Blue Security's approach was unethical - if an advertiser sends out a large number of adverts and a percentage of the recipients respond asking not to receive any more adverts from them, one response per email received, how is that unethical? One email goes out, one response comes back - and it's targeted at the true originating source, not some poor spoofed return address. The advertiser is given the opportunity to remove the complainants from their distribution, reducing their costs and targetting their campaign away from non-purchasers. Six of the largest commercial spammers accepted the strategy and complied.

It was the subset of anti-social 'dark-side' criminal spammers who saw this as a threat and an opportunity to show their control of the internet mail system and the damage they can do. These are the unethical people, not Blue Security or the compliant commercial spammers. Their focus on making vast sums of money regardless of legality and their ability to bring down whole internet domains with illegal DOS attacks and other techniques indicates they have a true terrorist potential. I only hope their attack on Blue Security, its ISP and supporting DNS services has attracted the attention of governmental agencies with the ability to respond appropriately, but I fear it has not.

I agree with your analysis that only a change in the underlying email infrastructure will make spam fully controllable, but the response of the spammers suggests that the Blue Security approach can be effective if continued over a longer term and in a more distributed manner. I believe there are projects to attempt this currently in development.

Lou Gascon
May 27, 2006 7:32 AM

Leo…

This Anti Spam topic is most interesting to me, and I suspect to millions of other Pc users around the world. And I should like to become involved to a small degree to hopefully help find …“The Final Solution” …

Unfortunately, it would appear that Pc users who have some knowledge of their machine use that knowledge for themselves and often do not partake in the discussions and forums debated around the planet ~ and who can blame them? After all, the reality of using a computer has become quite a chore over the past three years or so dealing with Spam…

And just to make the point, here I am on a Saturday afternoon, composing and putting my mind to this debate, when there is a whole load of wonderful sport to be viewed from the UK and around the world on my telly…! Aaaahh…!

I should like to come back to Blue in a moment, but for the mean time, I want to talk about ‘The Machinist’ who I found via your link to: http://www.secureyourcomputer.org/ and their page: Take Back the Net - Secure Your Computer and Sport the Grey Ribbon! And finally to: http://www.theinternetpatrol.com/take-back-the-net-secure-your-computer where there is an interesting Comment by machiner [http://www.madcarters.com] - 5/21/2006 @ 9:47 am
---------------------------------------------------------------------------------------------------------------------------
Tis all well and good making suggestions about what we can or can’t do towards keeping our Pc’s clean and stealthy ~ and I’m sure that Mr Machiner is quite correct in his suggestions, but we are not all computer geeks, and some of the suggestions would appear a bit flippant to lesser mortals who may well be a weenie bit scared of going into services mode or regedit etc

The machiner talks about, and I quote: “Your steps may seem like good ideas, and perhaps at one time they were. However in today’s malicious internet climate those steps will do nothing to protect you …Really
Instead - on a Windows box, go to your Admin Tools in your Control Panel, then to Services… and start disabling the services:
? Server • Messenger • Computer Browser • Remote Registry • Web Client
There are more. There are some to set to Manual as well. You should also turn off that ridiculous media Player Licensing thing as well. That’s not what it’s called - but people will see what I mean in their services widget.”
Start disabling the services ~ God, what does that mean…?
No, I’m sorry Mr Machiner, or as I prefer to endearingly call you: Mr Machinist…
You must tailor your cloth according to the model, and in this case you are dealing with a variety of users who may not have gotten past the start button. I believe that “Start disabling the services” needs some explanation. And certainly over and above the Services (Local) description menu, so that the individual understands what he might be stopping and how that might affect the running of his machine ~ at least then, we will all be sure to be starting from a level playing field…
Mr Machinist, I very much appreciate your efforts in commenting about this issue, but please remember that there are many folk out there who do not have your ability and knowledge of the Pc, and need a little more explanation if they are to add to the worldwide forum of a collective serum for Antispam… I look forward to your essay on Ask Leo! ~ Soonest …
Incidentally, I couldn’t see anything about Media Player licensing, and if I’m going to do the job according to his worshipfulness Mr Machiner – then how about a proper directive…?
Congrats on debiantutorials.org by the way…
About Blue:
Think I’d better start a new post…
see u soon
Lou

Leo A. Notenboom
May 27, 2006 9:29 AM

Domain Rider: They were unethical because it was not one response per spam. My understanding is that once a spammer hit a threshold of sending out spam, Blue Security use their entire network of participants to snd unsubscribe requests, whether or not they had actually recieved the spam.

En-Cu-Kou
May 27, 2006 6:03 PM

Relying on new technology to replace e-mail is a good idea, and although not entirely possible in the near future, is partly possible with current tools and the situation will surely improve as time goes by. There is an e-mail extension that checks if the mail actually originated at the address it says it's from and some major servers support it. The technology is coming, and as more users demand it, more providers will support it. (Unfortunately I don't know much about how the extension works; Search for DomainKeys or Sender Policy Framework if you want more info.)
That being said, let me concentrate on the other "school of thought".

I'm for educating people, but not necessarily the masses. If you do not want spam, get to know your computer and you won't get spam. Of course, having ALL e-mail users educated is not possible unless they're forced to, such as by a fine.
Having to pay a fine for having your system compromised is not a good solution: firstly it would promote nasty things like blackmail, but, perhaps more importantly, it would discourage people from using computers, or experimenting with them, without worrying about the consequences. If I didn't know anything about computers, I'd not want to start using them if there was a $500 fine for doing nothing (that is, not protecting it). And, of course, a fine would only work in the countries where that would be the law.

Here, I'd like to warn everybody about limiting others' rights on the Internet (such as the proposed fine). The Internet's based on the fact that anything is possible on it, and every limitation takes away more freedom than it's supposed to. To name a few lame examples, what's the difference between this site's newsletter and some types of spam? What's the difference between my helping my mother, who lives across the ocean, install a program over the Internet, and a hacker installing a spam-sending utility on your machine? Please don't support any legislation that limits Internet use unless you really, really know it won't hurt people with good intentions. Besides, we can't force spammers to stop spamming by creating laws. It's been tried with pirated computer games, ripped music, stolen videos, and it always failed. It just doesn't work, there will always be someone who break the laws.

Don't force others to not send their mail, even if it is spam. The possibility of sending a message instantly and for free is a privilege too valuable to be lost, even for a good cause.

My general solution to spam is similar to the free market economy theory: Don't try to prevent others from sending spam. Concentrate on yourself, on blocking the spam YOU *get, read and click.* If everybody does that, it reduces the spammers' profits, and once those are below the spamming costs, we win.

A first rule of thumb is obvious - never *click* on links in spam messages. Even if it says "unsubscribe", to the evil spammer it will just confirm that you are a real person, and a susceptible one at that. A perfect target for future attempts. (But don't be paranoid, if the message is not clearly spam, clicking links shouldn't hurt you.)

A second rule of thumb - don't *read* spam. If the subject line looks too spammy and you don't know the sender, don't even open the message. And if you do, make sure you at least have pictures blocked.

The third rule is about *getting* the spam. Just like you don't go hunting down virus writers but buy anti-virus software instead, don't hunt down spammers but get a spam filter instead.

My personal solution is simple but effective. I have a GMail account. Although I put my e-mail addres (encukou@gmail.com) everywhere, even in direct links where it just screams to be harvested, I get at most one spammy message a week. I report that message to GMail, and GMail updates their spam filter. Of course, thousands of other people do this, so GMail learns about thousands of kinds of spam every week and stops all their clones. That is the advantage of having a freemail account: lots of people are using it, and if the provider cares about its spam filters, it's very effective at blocking the spam. And GMail apparently does care.

Of course, as Leo says everywhere, free mail accounts are potentially dangerous as far as sending important information. Who knows who'll read it, who knows if it'll still be there tomorrow. To solve the first problem, I save my messages on my computer (GMail lets you do that). For the other problem, I have a private account with my ISP for sensitive information. But I only give my private address (as well as the sensitive information) to people I trust. I could also set up a policy of blocking all mail from all addresses except the ones I explicitly allow and allow only the people I trust, but I haven't had a problem with my current setup yet.

To sum it up: Educate yourself, educate the people around you, and give up forcing spammers to quit. They'll give up once spamming doesn't work.

Jesse
May 27, 2006 7:24 PM

Leo: Blue frog offered some degree of relief from that "helpless" feeling. It upset spammers. It worked! We should continue.I have multiple accounts through comcast, four outlook express accounts and one outlook account(all as a result of listening to your How To's) spred over three home machines plus five online accounts.Your are right about where the spam settles, mystifing to be sure....? I placed an animated PNG., signature in the Outlook mail which seemed to foul the spy bots some, but I couldn't successfully configure similiar attempts in Outlook Express.
jess.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.