Spammers Win This Round: Blue Security Shuts Down
from the well,-that's-unfortunate dept
We've never been fully comfortable with the model Blue Security used to fight back against spammers. While defenders point out that they were just having Blue Security handle their opt-outs for them, the company did aggregate them all and send them in a manner that could be seen as a denial of service attack (yes, there is some debate on this). Some, obviously, claim that this is fair game when it comes to spammers -- and it's tough to argue with that. However, the risk of any such effort is that it could take out innocent websites, with no real recourse. That said, it's unfortunate to see that the company has decided to call it quits following the series of attacks it faced a couple weeks ago. If you happened to have been away from the internet for the first week of May, you missed the story about how a spammer figured out Blue Security's "opt-out" list by seeing who it cleared out of his own list, and then proceeded to bombard them with even more spam. Immediately after this, a fairly massive denial of service attack was directed at Blue Security's servers, which ended up taking out many other sites, including major blog provider Six Apart (which hosted a Blue Security blog). The decision to shut the company down appears to have been based on threats that another such attack was pending -- and Blue Security's belief that it wasn't fair to take out other sites again. As skeptical as we were over Blue Security's original model, and the risks it entailed, this still seems like bad news. It certainly will embolden spam attackers to hit hard at anyone who takes them on. In the end, perhaps that was the worst legacy of Blue Security's system: it simply escalated the war with spammers to new, unfortunate levels.
Reader Comments
Sad to see them go down, but it's a responsible decision, as the collateral damage has shown to be too great.
[ link to this | view in chronology ]
holding out for a hero
This is incredible. Poor Blue Security...No one else with any backbone to join them?
If the infamous pimple-headed teenage hacker geeks want a noble project for their idle hands and minds why not sic them on the spammers? Now there, perhaps, would be a project worthy of their talents. I mean how smart do they have to be to stick a virus on my PC? NOT VERY...for damn sure. Pro bono, and I don't mean 'THAT' Bono ...
Personally I'm thinking of getting the band back together... so..FUCK YOU, TOWEL HEADS...
[ link to this | view in chronology ]
Re: holding out for a hero
I'm going to share your idea with them. I may even be willing to kick in a case or two of Jolt and a dozen pizzas.
Having said that, there are tools that have all but made spam a faint memory for me. Like SpamSieve and others.
[ link to this | view in chronology ]
Bluesecurity was a very good idea, unfortunately some corrupted people at large ISPs and providers were against the idea of having their bribes from the spam mafia being taken away. There is no defence against spam when the major internet providers are ALL into it as well.
[ link to this | view in chronology ]
Responsible users win this round
*by spammers*. They have produced no proof substantiating this.
And given how tiny and inconsequential their operation is, especially
when compared to far more valuable anti-spam resources, it seems quite
odd that any spammer would bother with them. (Please...spare me the
"...because it was hurting them" propaganda that Bluesecurity's spouting.
If you're so naive as to believe that pro spammers would even _notice_
the minuscule impact of Bluesecurity's tactics, then you have a great
deal to learn about spamming.)
Second, Bluesecurity's business model is based on two stupid and
long-discredited ideas: (1) responding to abuse with abuse and (2) trying
to build an opt-out list. So I'm quite glad to see them go; there's enough
stupidity on the 'net as it is, and we really don't need any more.
[ link to this | view in chronology ]
Re: Responsible users win this round
[ link to this | view in chronology ]
Re: Responsible users win this round
[ link to this | view in chronology ]
New Service Fights SPAM
Spammers waste the most precious commodity any of us have: our time. Worse yet, they do so in order to scam money from folks who likely have very little and are by definition easy marks.
We have a new service designed to eliminate SPAM from our members' lives.
The idea is dead simple: You set up a whitelist of your contacts and organizations. Email from everyone else gets junked (or better yet deleted).
You direct other folks you come in contact with to our website. They contact you that way and are thus guaranteed a free ride to your inbox. Finally, you decide whether to add them to your whitelist so that they may email normally thereafter.
If you want to email me on this, try it out!
Email: http://NokNokNumber.com/100-0012
[ link to this | view in chronology ]
Re: New Service Fights SPAM
Your new service has a fundamental flaw that every service based on whitelisting has: "From" addresses are not authenticated. A lot of email viruses use this fact to go through compromised systems' address books and send copies of themselves to all the victims' contacts. Remember the "I Love You" virus? People opened its messages because of the subject line plus the recipient usually knew the "sender" from the return address. Spammers are increasingly using more sophisticated tools to get email addresses, including viruses. If a spammer knows your address and the addresses of those you correspond with, guess what From addresses he is going to use to get you to open his message?
Since the "From" address isn't authenticated, it can be spoofed, and that gets around whitelisting.
What is needed is some way to establish trust. Public-key and other encryption mechanisms are nice, but they have to be (1) easy and (optimally) free to obtain, (2) universally available, (3) easy and reliable to verify. So far, some people have attempted to step up to the plate on this, but they haven't fulfilled all three requirements.
Unfortunately, due to the ease with which a spammer can operate, the SPAM problem will not go away, and I would imagine that email (as we know it) will go away first. This latest round in which a spammer has used RICO-style tactics to get back at Blue Security shows that the battle is stepping up.
[ link to this | view in chronology ]
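The spoofing problem described in the comment above, as an added example (not part of the original thread): a whitelist keyed on the From header accepts a forged message, while one that also requires a sender-authentication result for the From domain rejects it. Using DKIM results from an `Authentication-Results` header is an assumption here, and the addresses, `MY_AUTHSERV_ID` and the sample messages are all constructed.

```python
from email import message_from_string
from email.utils import parseaddr

WHITELIST = {"bob@example.org"}    # constructed contact list
MY_AUTHSERV_ID = "mx.example.net"  # assumed id our own mail server stamps


def from_address(msg) -> str:
    return parseaddr(msg.get("From", ""))[1].lower()


def naive_whitelist(msg) -> bool:
    """The scheme under discussion: trust the From header as written."""
    return from_address(msg) in WHITELIST


def dkim_pass_domains(msg) -> set:
    """Domains our own server recorded as dkim=pass.

    Assumes the server strips inbound Authentication-Results headers
    that claim its id, so only its own verdicts carry that id.
    """
    domains = set()
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(header).split(";")]
        if parts[0].lower().split()[:1] != [MY_AUTHSERV_ID]:
            continue  # written by someone else; the sender may have forged it
        for result in parts[1:]:
            tokens = result.lower().split()
            if tokens[:1] == ["dkim=pass"]:
                domains.update(t[9:] for t in tokens[1:] if t.startswith("header.d="))
    return domains


def authenticated_whitelist(msg) -> bool:
    """Whitelist hit only if the From domain also has a DKIM pass."""
    addr = from_address(msg)
    return addr in WHITELIST and addr.rpartition("@")[2] in dkim_pass_domains(msg)


def build(auth_results: str):
    """Constructed sample message claiming to be from a whitelisted contact."""
    return message_from_string(
        "From: Bob <bob@example.org>\nTo: alice@example.net\n"
        f"Authentication-Results: {auth_results}\nSubject: hi\n\nhello\n")


GENUINE = build("mx.example.net; dkim=pass header.d=example.org")
SPOOFED = build("mx.example.net; dkim=none")
FORGED = build("mx.sender.example; dkim=pass header.d=example.org")
```

All three messages pass `naive_whitelist`; only `GENUINE` passes `authenticated_whitelist`. As a later comment in the thread points out, mail sent by malware from a contact's own infected machine would still pass this kind of check.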
Re: Re: New Service Fights SPAM
So, for now the white list option as described is the best option going, for now. Obviously spoofing for spam can be done, and will eventually, but whitelisting will eliminate 99.9% of spam today.
[ link to this | view in chronology ]
Re: Re: Re: New Service Fights SPAM
However, spammers are using more and more intrusive ways of getting to you. One spammer launched a DDoS against Blue Security, and you think that them using/abusing virus technologies is something they can't figure out?
A white list is not a solution. It may work for you... now... but it has inherent flaws. Relying on that, or any other (current) anti-SPAM technology is putting a band-aid on the dyke. Don't fool yourself!
[ link to this | view in chronology ]
Re: Re: Re: Re: New Service Fights SPAM
If I understand it correctly, this method guarantees that email was sent from the sender it purports to come from...
One problem with this might be that if the sender's computer is infected with a "spamming" virus, it would likely send out properly encoded email.
What about the math puzzle approach?
http://NokNokNumber.com/100-0012
[ link to this | view in chronology ]
Re: New Service Fights SPAM
[ link to this | view in chronology ]
The spammer/mailer can do a lot to cloak their identity, but the advertiser can't if it expects to profit from the spam. I hate to say we need some new laws, but unfortunately, it looks like we do.
[ link to this | view in chronology ]
Blue Security responded to my letter about this by saying said spammer was just sending out letters in the hopes of finding and intimidating a Blue Frog client.
I marked all future letters from the spammer as spam.
My filter is so good I might see one spam a week slip by.
His was one of those.
Anyway, I'm not sure what it will take to get real changes to be made that will put an end to spamming.
[ link to this | view in chronology ]
Implement SPF, DomainKeys
[ link to this | view in chronology ]
What about some form of handshake?
[ link to this | view in chronology ]
Re: What about some form of handshake?
It turns out that many people find these "challenges" offensive. I must admit that I don't really understand this feeling.
Microsoft and others have proposed that for every message that is delivered the sender's computer must solve a mathematical "puzzle" posed by the receiving computer. All of this would be done automatically. If you were sending mail to a dozen of your friends, you wouldn't even notice your computer "answering" these puzzles.
On the other hand, as a spammer, you would not be able to send out enough spam per minute (because your computer would have to solve a puzzle for each piece of spam).
The "computational cost" of sending email in this system would, in theory, put an end to spam. It's important to note that this "cost" is very different from the monetary costs being proposed by AOL and others.
http://NokNokNumber.com/100-0012
[ link to this | view in chronology ]
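The puzzle exchange described in the comment above, sketched as an added example (not part of the original thread, and not Microsoft's actual proposal): it assumes a hashcash-style puzzle, where the sender must find a nonce whose SHA-256 hash together with the receiver's challenge starts with a set number of zero bits. The `Receiver` class, `DIFFICULTY_BITS` and the address are constructed for illustration.

```python
import hashlib
import os

DIFFICULTY_BITS = 16  # assumed cost knob: about 2**16 hashes per message


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the front of a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(challenge: str, nonce: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()


def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Sender side: brute-force a nonce; expected work is 2**bits hashes."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(challenge, nonce)) < bits:
        nonce += 1
    return nonce


class Receiver:
    """Receiving mail server: issues puzzles and checks answers."""

    def __init__(self, address: str, bits: int = DIFFICULTY_BITS):
        self.address = address
        self.bits = bits
        self.outstanding = set()  # challenges issued but not yet redeemed

    def challenge(self) -> str:
        # Bind the puzzle to this recipient and make it unpredictable.
        c = f"{self.address}:{os.urandom(8).hex()}"
        self.outstanding.add(c)
        return c

    def accept(self, challenge: str, nonce: int) -> bool:
        """Verification costs one hash, however long solving took."""
        if challenge not in self.outstanding:
            return False  # never issued here, or already used (replay)
        if leading_zero_bits(puzzle_hash(challenge, nonce)) < self.bits:
            return False
        self.outstanding.discard(challenge)
        return True


if __name__ == "__main__":
    rx = Receiver("alice@example.net")  # constructed address
    c = rx.challenge()
    n = solve(c)
    print(n, rx.accept(c, n), rx.accept(c, n))  # second accept is a replay
```

Each extra bit of difficulty doubles the sender's expected work per message while the receiver's check stays at one hash, which is the asymmetry the comment relies on.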
Re: Re: What about some form of handshake?
I'm fairly naive, but it doesn't seem like the puzzle system would work in the long run. From your description, it sounds like the puzzle solution would simply require more computational power per batch of spam sent. I also gather that spamming is a fairly profitable venture. Therefore, a spammer would probably use some of that money he/she is raking in for purchasing more computers to send out the same amount of garbage. The initial cost of purchasing more computers to remain at a given level of operation would eventually be recovered and the spammer would be back to business as usual. Is there something I am missing?
I agree. It does seem strange that people would find a challenge-response system offensive. Surely folks can be educated to recognize that getting challenged when they send out their next e-mail is less offensive than the "adult oriented" spam that is currently sitting in their 12 year old's inbox.
[ link to this | view in chronology ]
Re: New Service Fights SPAM
I also think that anyone considering joining our service has to factor in that we have not been around too long. My only counter is that everyone has to start somewhere. As for "professional" services: we certainly feel we're professional. Our use of "cartoon-like" graphics may seem whimsical; we do, perhaps, lack a well developed sense of somberness.
We feel our service is an innovative way to support whitelists. Other services we've reviewed use a challenge-response system to support email from people and organizations that are not already on their members' whitelists. We avoid this by providing a simple web based method to send that first email.
If you rule out the following options for dealing with spam: challenge-response systems, Blue Security's method, and cost based email, what's left?
We noticed that even the best Bayesian and other filtering systems result in false positives that cause us to "dumpster-dive" routinely in order to ensure that no "good" email is lost.
Should we (as some seem to be attempting to do) join sheltered email networks that vet their members and sanction those who start spamming?
Do any of you have other ideas?
Perhaps the most galling thing in all of this is various governments' support of spam as a viable marketing method that should be protected. In addition to the time that spam costs us it also burdens the internet as a whole and so costs us all in real terms as more bandwidth and physical facilities have to be added to "support" it.
http://NokNokNumber.com/100-0012
[ link to this | view in chronology ]
Challenge Response still Works
http://www.spamarrest.com/affl?4021707
[ link to this | view in chronology ]
Yes but
[ link to this | view in chronology ]