Spammers Win This Round: Blue Security Shuts Down

from the well,-that's-unfortunate dept

We've never been fully comfortable with the model Blue Security used to fight back against spammers. While defenders point out that they were just having Blue Security handle their opt-outs for them, the company did aggregate them all and send them in a manner that could be seen as a denial of service attack (yes, there is some debate on this). Some, obviously, claim that this is fair game when it comes to spammers -- and it's tough to argue with that. However, the risk of any such effort, is that it could take out innocent websites, with no real recourse. That said, however, it's unfortunate to see that the company has decided to call it quits following the series of attacks it faced a couple weeks ago. If you happened to have been away from the internet for the first week of May, you missed the story about how a spammer figured out Blue Security's "opt-out" list by seeing who it clear out of his own list, and then proceeded to bombard them with even more spam. Immediately after this, a fairly massive denial of service attack was directed at Blue Security's servers, which ended up taking out many other sites, including major blog provider Six Apart (which hosted a Blue Security blog). The decision to shut the company down appears to have been based on threats that another such attack was pending -- and Blue Security's belief that it wasn't fair to take out other sites again. As skeptical as we were over Blue Security's original model, and the risks it entailed, this still seems like bad news. It certainly will embolden spam attackers to hit hard at anyone who takes them on. In the end, perhaps that was the worst legacy of Blue Security's system: it simply escalated the war with spammers to new, unfortunate, levels.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Darknet, 17 May 2006 @ 12:26am

    Six apart (typepad) hosted a Blue Security blog, but the problem was Bluesecurity redirected their main domain to the blog, thus redirecting the entire DDoS onto someone elses network..

    Sad to see them go down, but it's a responsible decision, as the collateral damage has shown to be too great.

    link to this | view in chronology ]

  • identicon
    charlie potatoes, 17 May 2006 @ 1:22am

    holding out for a hero

    Is there no one in all of Geekdom with sufficient wit to do battle with these criminal cocksuckers? We just roll over and show our underbellies? Piss all over ourselves in our subservience?
    This is incredible. Poor Blue Security...No one else with any backbone to join them?
    If the infamous pimple-headed teenage hacker geeks want a noble project for their idle hands and minds why not sic them on the spammers? Now there, perhaps, would be a project worthy of their talents. I mean how smart do they have to be to stick a virus on my PC? NOT VERY...for damn sure. Pro bono, and I don't mean 'THAT' Bono ...
    Personally I'm thinking of getting the band back together... so..FUCK YOU, TOWEL HEADS...

    link to this | view in chronology ]

    • identicon
      PopeRatzo, 17 May 2006 @ 5:10am

      Re: holding out for a hero

      Charlie Potatoes, That is a fine idea you propose. There's a snooty University a few blocks away from me that is full of kids in black, dying for an opportunity to create havoc.
      I'm going to share your idea with them. I may even be willing to kick in a case or two of Jolt and a dozen pizzas.

      Having said that, there are tools that have all but made spam a faint memory for me. Like SpamSeive and others.

      link to this | view in chronology ]

  • identicon
    m, 17 May 2006 @ 1:42am

    money wins again, in the end this will be the end of the killer application of the net, we can concider the idea of e-mail dead from today on...

    Bluesecurity was a very good idea, unfortunately some corrupted people at large ISPs and providers were against the idea of having their bribes from the spam mafia been taken away. There is no defence against spam when the major internet providers are ALL into it as well.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 May 2006 @ 4:26am

    Responsible users win this round

    First, we only have Bluesecurity's word that they were attacked
    *by spammers*. They have produced no proof substantiating this.
    And given how tiny and inconsequential their operation is, especially
    when compared to far more valuable anti-spam resources, it seems quite
    odd that any spammer would bother with them. (Please...spare me the
    "...because it was hurting them" propaganda that Bluesecurity's spouting.
    If you're so naive as to believe that pro spammers would even _notice_
    the miniscule impact of Bluesecurity's tactics, then you have a great
    deal to learn about spamming.)

    Second, Blueseurity's business model is based on two stupid and
    long-discredited ideas: (1) responding to abuse with abuse and (2) trying
    to build an opt-out list. So I'm quite glad to see them go; there's enough
    stupidity on the 'net as it is, and we really don't need any more.

    link to this | view in chronology ]

    • identicon
      bendodge, 17 May 2006 @ 5:47am

      Re: Responsible users win this round

      Only BlueSecurity's word? What about that other blog?

      link to this | view in chronology ]

    • identicon
      Andrew, 19 May 2006 @ 12:49pm

      Re: Responsible users win this round

      Seriously, you’re a spammer! No right minded person who add a comment like that if they weren't a spammer. And don't give me that conspiracy crap "how do you know it was a spammer". It was a recorded DDOS attack that didn't just knock down Blue Security, but many other companies including Tucows. And second, fighting fire with fire as proven effective so maybe you shouldn't use the internet seeing you think the web already has enough stupidity - think before you post!

      link to this | view in chronology ]

  • identicon
    Bruce A. Knack, 17 May 2006 @ 6:01am

    New Service Fights SPAM

    I followed this entire story with interest. The idea of "hitting back" against spammers certainly sits well with me on a visceral level.

    Spammers waste the most precious commodity any of us have: our time. Worst yet, they do so in order to scam money from folks who likely have very little and are by definition easy marks.

    We have a new service designed to eliminate SPAM from our members' lives.

    The idea is dead simple: You set up a whitelist of your contacts and organizations. Email from everyone else gets junked (or better yet deleted).

    You direct other folks you come in contact with to our website. They contact you that way and are thus guaranteed a free ride to your inbox. Finally, you decide to whether to add them to your whitelist so that they may email normally there after.

    If you want to email me on this, try it out!
    Email: http://NokNokNumber.com/100-0012

    link to this | view in chronology ]

    • identicon
      lar3ry, 17 May 2006 @ 7:25am

      Re: New Service Fights SPAM

      Your new service has a fundamental flaw that every service based on whitelisting has: "From" addresses are not authenticated. A lot of email viruses use this fact to go through compromised systems' address books and send copies of themselves to all the victims' contacts. Remember the "I Love You" virus? People opened its messages because of the subject line plus the recipient usually knew the "sender" from the return address. Sparmmers are increasingly using more sophisticated tools to get email addresses, including viruses. If a spammer knows your address and the addresses to those you correspond with, guess what From addresses he is going to use to get you to open his message?

      Since the "From" address isn't authenticated, it can be spoofed, and that gets around whitelisting.

      What is needed is some way to establish trust. Public-key and other encryption mechanisms are nice, but they have to be (1) easy and (optimally) free to obtain, (2) universally available, (3) easy and reliable to verify. So far, some people have attempted to step up to the plate on this, but they haven't fulfilled all three requirements.

      Unfortunately, due to the ease at which a spammer can operate, the SPAM problem will not go away, and I would imagine that email (as we know it) will go away first. This latest round iin which a spammer has used RICO-style tactics to get back at Blue Security shows that the battle is stepping up.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 17 May 2006 @ 8:49am

        Re: Re: New Service Fights SPAM

        White Lists do currently work. I have yet to receive SPAM from someone in my address book (spoofed or not). I don't think the spammers are to the point of pulling address books for addresses...yet. Viruses are a different story...not sure based on your message if you're aware that there's a difference between a virus and SPAM--you mention the Iloveyou virus as evidence of spammers spoofing.

        So, for now the white list option as described is the best option going, for now. Obviously spoofing for spam can be done, and will eventually, but whitelisting will eliminate 99.9% of spam today.

        link to this | view in chronology ]

        • identicon
          lar3ry, 17 May 2006 @ 2:42pm

          Re: Re: Re: New Service Fights SPAM

          I know the difference between viruses and SPAM.

          However, spammers are using more and more intrusive ways of getting to you. One spammer launched a DDoS agsinst Blue Security, and you think that them using/abusing virus technologies is something they can't figure out?

          A white list is not a solution. It may work for you... now... but it has inherent flaws. Relying that, or any other (current) anti-SPAM technology is putting a band-aid on the dyke. Dont fool yourself!

          link to this | view in chronology ]

          • identicon
            Bruce A. Knack, 17 May 2006 @ 2:55pm

            Re: Re: Re: Re: New Service Fights SPAM

            Sounds like we may end up leaning toward Stephen's suggestion: Implement SPF, DomainKeys.

            If I understand it correctly, this method guarantees that email was sent from the sender it purports to come from...

            One problem with this might be that if the sender's computer is infected with a "spamming" virus, it would likely send out properly encoded email.

            What about the math puzzle approach?

            http://NokNokNumber.com/100-0012

            link to this | view in chronology ]

    • identicon
      Anonymous Coward, 17 May 2006 @ 8:16am

      Re: New Service Fights SPAM

      Shameless plug for yourself. There are many PROFESSIONAL services, and most of these will be around tomorrow. Why should I "donate" my hard earned money to you and then have your service disappear?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 17 May 2006 @ 7:01am

    We will bring spam under control only when we start holding both the advertiser AND the mailer, the direct financial beneficaries of the spam, jointly and severally responsible for compliance with laws.

    The spammer/mailer can do a lot to cloak their identity, but the advertiser can't if it expects to profit from the spam. I hate to say we need some new laws, but unfortunately, it looks like we do

    link to this | view in chronology ]

  • identicon
    Riverrat, 17 May 2006 @ 7:10am

    I actually got a threatening letter from a spammer telling me if I didn't unsubscribe from Blue Security my spam would increase 100 fold.
    Blue Security responded to my letter about this by saying said spammer was was just sending out letters in the hopes of finding and intimidating a Blue Frog client.
    I marked all future letters from the spammer as spam..
    My filter is so good I might see one spam a week slip by.
    His was one of those.
    Anyway,I'm not sure what it will take to get real changes to be made that will put an end to spamming.

    link to this | view in chronology ]

  • identicon
    Stephen, 17 May 2006 @ 10:33am

    Implement SPF, DomainKeys

    It is too bad that SPF and/or DomainKeys aren't widely used. But even what limited adoption SPF has seen I find it quite useful. Those messages that pass SPF still get scrutinized by my anti-spam tool, but those that fail get rejected even before they can get to my spam filter. Microsoft/Hotmail, AOL, Google all have implemented SPF as have many publishers. Here is more info on SPF: http://www.openspf.org/ and DomainKeys http://antispam.yahoo.com/domainkeys

    link to this | view in chronology ]

  • identicon
    mindan, 17 May 2006 @ 2:30pm

    What about some form of handshake?

    Could an e-mail client be devised that would require a handshake of some sort between the sender and receiver? Imagine this... once a sender hits "send" he gets a verification box of squiggly letters (or pictures that must be identified, or some other sort of key that is difficult for bots to crack) that is auto-generated by the intended recipient's mail client. The sender would then be prompted to correctly re-type the letters before the mail could actually be sent? Granted, this wouldn't stop spam that is sent by actual humans, but it could work something like many sites do to weed out bots that are trying to establish log-ins, etc.

    link to this | view in chronology ]

    • identicon
      Bruce A. Knack, 17 May 2006 @ 2:42pm

      Re: What about some form of handshake?

      This is similar to what happens in a challenge-response system. In these cases, you send an email to someone and then get an email back that requires you to pass a "test" similar to that one you've described here.

      It turns out that many people find these "challenges" offensive. I must admit that I don't really understand this feeling.

      Microsoft and others have proposed that for every message that is delivered the sender's computer must solve a mathematical "puzzle" posed by the receiving computer. All of this would be done automatically. If you were sending mail to a dozen of your friends, you wouldn't even be noticed your computer "answering" these puzzles.

      On the other hand, as a spammer, you would not be able to send out enough spam per minute (because your computer would have to solve a puzzle for each piece of spam).

      The "computational cost" of sending email in this system would, in theory, put an end to spam. Its important to note that this "cost" is very different from the monetary costs being proposed by AOL and others.

      http://NokNokNumber.com/100-0012

      link to this | view in chronology ]

      • identicon
        mindan, 17 May 2006 @ 3:06pm

        Re: Re: What about some form of handshake?

        Cool. It's at least good to know that folks are working hard on this problem.

        I'm fairly naive, but it doesn't seem like the puzzle system would work in the long run. From your description, it sounds like the puzzle solution would simply require more computational power per batch of spam sent. I also gather that spamming is a fairly profitable venture. Therefore, a spammer would probably use some of that money he/she is raking in for purchasing more computers to send out the same amount of garbage. The initial cost of purchasing more computers to remain at a given level of operation would eventually be recovered and the spammer would be back to business as usual. Is there something I am missing?

        I agree. It does seem strange that people would find a challenge-response system offensive. Surely folks can be educated to recognize that getting challenged when they send out their next e-mail is less offensive than the "adult oriented" spam that is currently sitting in their 12 year old's inbox.

        link to this | view in chronology ]

  • identicon
    Bruce A. Knack, 17 May 2006 @ 2:32pm

    Re: New Service Fights SPAM

    I completely agree that whitelisting is subject to emails with forged From addresses. Perhaps if a large enough percentage of folks start using whitelisting, spammers will counter in this way. Until then, as was mentioned, viruses would seem to be the largest culprit.

    I also think that anyone considering joining our service has to factor in that we have not been around too long. My only counter is that everyone has to start somewhere. As for "professional" services: we certainly feel we're professional. Our use of "cartoon-like" graphics may seem whimsical; we do, perhaps, lack a well developed sense of somberness.

    We feel our service is an innovative way to support whitelists. Other services we've reviewed use a challenge-response system to support email from people and organizations that are not already on their members' whitelists. We avoid this by providing a simple web based method to send that first email.

    If you rule out the following options for dealing with spam: challenge-response systems, Blue Security's method, and cost based email, what's left?

    We noticed that even the best Bayesian and other filtering systems result in false positives that cause us to "dumpster-dive" routinely in order to ensure that no "good" email is lost.

    Should we (as some seem to be attempting to do) joint sheltered email networks that vet their members and sanction those who start spamming?

    Do any of you have other ideas?

    Perhaps the most galling thing in all of this is various governments' support of spam as a viable marketing method that should be protected. In addition to the time that spam costs us it also burdens the internet as a whole and so costs us all in real terms as more bandwidth and physical facilities have to be added to "support" it.

    http://NokNokNumber.com/100-0012

    link to this | view in chronology ]

  • identicon
    SPAM=> Terror, 17 May 2006 @ 2:42pm

    pretty soon we're going to see some vigilante kill the bastards, but of course he won't kill all of them, and the war will escalate even higher, and they'll all move overseas to escape any influence of the U.S. government, and it'll turn into full-scale terrorism. Just wait.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 18 May 2006 @ 4:40pm

    Challenge Response still Works

    I see that Spam Arrest is offering Blue Security customers a free 90 day trial.
    http://www.spamarrest.com/affl?4021707

    link to this | view in chronology ]

  • identicon
    GreenPickle, 19 May 2006 @ 5:45am

    Yes but

    90 day free trial, that means i have to PAY for something. Why do I need to fork out cash in order to "remain safe" from SPAM. Sounds like a dirty deal to me. Looking at all these SPAM filters they all want your money! Which I feel is not right.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.