Spammers Win This Round: Blue Security Shuts Down
from the well,-that's-unfortunate dept
We’ve never been fully comfortable with the model Blue Security used to fight back against spammers. While defenders point out that they were just having Blue Security handle their opt-outs for them, the company did aggregate them all and send them in a manner that could be seen as a denial of service attack (yes, there is some debate on this). Some, obviously, claim that this is fair game when it comes to spammers — and it’s tough to argue with that. However, the risk of any such effort, is that it could take out innocent websites, with no real recourse. That said, however, it’s unfortunate to see that the company has decided to call it quits following the series of attacks it faced a couple weeks ago. If you happened to have been away from the internet for the first week of May, you missed the story about how a spammer figured out Blue Security’s “opt-out” list by seeing who it clear out of his own list, and then proceeded to bombard them with even more spam. Immediately after this, a fairly massive denial of service attack was directed at Blue Security’s servers, which ended up taking out many other sites, including major blog provider Six Apart (which hosted a Blue Security blog). The decision to shut the company down appears to have been based on threats that another such attack was pending — and Blue Security’s belief that it wasn’t fair to take out other sites again. As skeptical as we were over Blue Security’s original model, and the risks it entailed, this still seems like bad news. It certainly will embolden spam attackers to hit hard at anyone who takes them on. In the end, perhaps that was the worst legacy of Blue Security’s system: it simply escalated the war with spammers to new, unfortunate, levels.
Comments on “Spammers Win This Round: Blue Security Shuts Down”
Six apart (typepad) hosted a Blue Security blog, but the problem was Bluesecurity redirected their main domain to the blog, thus redirecting the entire DDoS onto someone elses network..
Sad to see them go down, but it’s a responsible decision, as the collateral damage has shown to be too great.
holding out for a hero
Is there no one in all of Geekdom with sufficient wit to do battle with these criminal cocksuckers? We just roll over and show our underbellies? Piss all over ourselves in our subservience?
This is incredible. Poor Blue Security…No one else with any backbone to join them?
If the infamous pimple-headed teenage hacker geeks want a noble project for their idle hands and minds why not sic them on the spammers? Now there, perhaps, would be a project worthy of their talents. I mean how smart do they have to be to stick a virus on my PC? NOT VERY…for damn sure. Pro bono, and I don’t mean ‘THAT’ Bono …
Personally I’m thinking of getting the band back together… so..FUCK YOU, TOWEL HEADS…
Re: holding out for a hero
Charlie Potatoes, That is a fine idea you propose. There’s a snooty University a few blocks away from me that is full of kids in black, dying for an opportunity to create havoc.
I’m going to share your idea with them. I may even be willing to kick in a case or two of Jolt and a dozen pizzas.
Having said that, there are tools that have all but made spam a faint memory for me. Like SpamSeive and others.
money wins again, in the end this will be the end of the killer application of the net, we can concider the idea of e-mail dead from today on…
Bluesecurity was a very good idea, unfortunately some corrupted people at large ISPs and providers were against the idea of having their bribes from the spam mafia been taken away. There is no defence against spam when the major internet providers are ALL into it as well.
Responsible users win this round
First, we only have Bluesecurity’s word that they were attacked
*by spammers*. They have produced no proof substantiating this.
And given how tiny and inconsequential their operation is, especially
when compared to far more valuable anti-spam resources, it seems quite
odd that any spammer would bother with them. (Please…spare me the
“…because it was hurting them” propaganda that Bluesecurity’s spouting.
If you’re so naive as to believe that pro spammers would even _notice_
the miniscule impact of Bluesecurity’s tactics, then you have a great
deal to learn about spamming.)
Second, Blueseurity’s business model is based on two stupid and
long-discredited ideas: (1) responding to abuse with abuse and (2) trying
to build an opt-out list. So I’m quite glad to see them go; there’s enough
stupidity on the ‘net as it is, and we really don’t need any more.
Re: Responsible users win this round
Only BlueSecurity’s word? What about that other blog?
Re: Responsible users win this round
Seriously, you’re a spammer! No right minded person who add a comment like that if they weren’t a spammer. And don’t give me that conspiracy crap “how do you know it was a spammer”. It was a recorded DDOS attack that didn’t just knock down Blue Security, but many other companies including Tucows. And second, fighting fire with fire as proven effective so maybe you shouldn’t use the internet seeing you think the web already has enough stupidity – think before you post!
New Service Fights SPAM
I followed this entire story with interest. The idea of “hitting back” against spammers certainly sits well with me on a visceral level.
Spammers waste the most precious commodity any of us have: our time. Worst yet, they do so in order to scam money from folks who likely have very little and are by definition easy marks.
We have a new service designed to eliminate SPAM from our members’ lives.
The idea is dead simple: You set up a whitelist of your contacts and organizations. Email from everyone else gets junked (or better yet deleted).
You direct other folks you come in contact with to our website. They contact you that way and are thus guaranteed a free ride to your inbox. Finally, you decide to whether to add them to your whitelist so that they may email normally there after.
If you want to email me on this, try it out!
Email: http://NokNokNumber.com/100-0012
Re: New Service Fights SPAM
Your new service has a fundamental flaw that every service based on whitelisting has: “From” addresses are not authenticated. A lot of email viruses use this fact to go through compromised systems’ address books and send copies of themselves to all the victims’ contacts. Remember the “I Love You” virus? People opened its messages because of the subject line plus the recipient usually knew the “sender” from the return address. Sparmmers are increasingly using more sophisticated tools to get email addresses, including viruses. If a spammer knows your address and the addresses to those you correspond with, guess what From addresses he is going to use to get you to open his message?
Since the “From” address isn’t authenticated, it can be spoofed, and that gets around whitelisting.
What is needed is some way to establish trust. Public-key and other encryption mechanisms are nice, but they have to be (1) easy and (optimally) free to obtain, (2) universally available, (3) easy and reliable to verify. So far, some people have attempted to step up to the plate on this, but they haven’t fulfilled all three requirements.
Unfortunately, due to the ease at which a spammer can operate, the SPAM problem will not go away, and I would imagine that email (as we know it) will go away first. This latest round iin which a spammer has used RICO-style tactics to get back at Blue Security shows that the battle is stepping up.
Re: Re: New Service Fights SPAM
White Lists do currently work. I have yet to receive SPAM from someone in my address book (spoofed or not). I don’t think the spammers are to the point of pulling address books for addresses…yet. Viruses are a different story…not sure based on your message if you’re aware that there’s a difference between a virus and SPAM–you mention the Iloveyou virus as evidence of spammers spoofing.
So, for now the white list option as described is the best option going, for now. Obviously spoofing for spam can be done, and will eventually, but whitelisting will eliminate 99.9% of spam today.
Re: Re: Re: New Service Fights SPAM
I know the difference between viruses and SPAM.
However, spammers are using more and more intrusive ways of getting to you. One spammer launched a DDoS agsinst Blue Security, and you think that them using/abusing virus technologies is something they can’t figure out?
A white list is not a solution. It may work for you… now… but it has inherent flaws. Relying that, or any other (current) anti-SPAM technology is putting a band-aid on the dyke. Dont fool yourself!
Re: Re: Re:2 New Service Fights SPAM
Sounds like we may end up leaning toward Stephen’s suggestion: Implement SPF, DomainKeys.
If I understand it correctly, this method guarantees that email was sent from the sender it purports to come from…
One problem with this might be that if the sender’s computer is infected with a “spamming” virus, it would likely send out properly encoded email.
What about the math puzzle approach?
http://NokNokNumber.com/100-0012
Re: New Service Fights SPAM
Shameless plug for yourself. There are many PROFESSIONAL services, and most of these will be around tomorrow. Why should I “donate” my hard earned money to you and then have your service disappear?
We will bring spam under control only when we start holding both the advertiser AND the mailer, the direct financial beneficaries of the spam, jointly and severally responsible for compliance with laws.
The spammer/mailer can do a lot to cloak their identity, but the advertiser can’t if it expects to profit from the spam. I hate to say we need some new laws, but unfortunately, it looks like we do
I actually got a threatening letter from a spammer telling me if I didn’t unsubscribe from Blue Security my spam would increase 100 fold.
Blue Security responded to my letter about this by saying said spammer was was just sending out letters in the hopes of finding and intimidating a Blue Frog client.
I marked all future letters from the spammer as spam..
My filter is so good I might see one spam a week slip by.
His was one of those.
Anyway,I’m not sure what it will take to get real changes to be made that will put an end to spamming.
Implement SPF, DomainKeys
It is too bad that SPF and/or DomainKeys aren’t widely used. But even what limited adoption SPF has seen I find it quite useful. Those messages that pass SPF still get scrutinized by my anti-spam tool, but those that fail get rejected even before they can get to my spam filter. Microsoft/Hotmail, AOL, Google all have implemented SPF as have many publishers.
Here is more info on SPF:
http://www.openspf.org/
and DomainKeys
http://antispam.yahoo.com/domainkeys
What about some form of handshake?
Could an e-mail client be devised that would require a handshake of some sort between the sender and receiver? Imagine this… once a sender hits “send” he gets a verification box of squiggly letters (or pictures that must be identified, or some other sort of key that is difficult for bots to crack) that is auto-generated by the intended recipient’s mail client. The sender would then be prompted to correctly re-type the letters before the mail could actually be sent? Granted, this wouldn’t stop spam that is sent by actual humans, but it could work something like many sites do to weed out bots that are trying to establish log-ins, etc.
Re: What about some form of handshake?
This is similar to what happens in a challenge-response system. In these cases, you send an email to someone and then get an email back that requires you to pass a “test” similar to that one you’ve described here.
It turns out that many people find these “challenges” offensive. I must admit that I don’t really understand this feeling.
Microsoft and others have proposed that for every message that is delivered the sender’s computer must solve a mathematical “puzzle” posed by the receiving computer. All of this would be done automatically. If you were sending mail to a dozen of your friends, you wouldn’t even be noticed your computer “answering” these puzzles.
On the other hand, as a spammer, you would not be able to send out enough spam per minute (because your computer would have to solve a puzzle for each piece of spam).
The “computational cost” of sending email in this system would, in theory, put an end to spam. Its important to note that this “cost” is very different from the monetary costs being proposed by AOL and others.
http://NokNokNumber.com/100-0012
Re: Re: What about some form of handshake?
Cool. It’s at least good to know that folks are working hard on this problem.
I’m fairly naive, but it doesn’t seem like the puzzle system would work in the long run. From your description, it sounds like the puzzle solution would simply require more computational power per batch of spam sent. I also gather that spamming is a fairly profitable venture. Therefore, a spammer would probably use some of that money he/she is raking in for purchasing more computers to send out the same amount of garbage. The initial cost of purchasing more computers to remain at a given level of operation would eventually be recovered and the spammer would be back to business as usual. Is there something I am missing?
I agree. It does seem strange that people would find a challenge-response system offensive. Surely folks can be educated to recognize that getting challenged when they send out their next e-mail is less offensive than the “adult oriented” spam that is currently sitting in their 12 year old’s inbox.
New Service Fights SPAM
I completely agree that whitelisting is subject to emails with forged From addresses. Perhaps if a large enough percentage of folks start using whitelisting, spammers will counter in this way. Until then, as was mentioned, viruses would seem to be the largest culprit.
I also think that anyone considering joining our service has to factor in that we have not been around too long. My only counter is that everyone has to start somewhere. As for “professional” services: we certainly feel we’re professional. Our use of “cartoon-like” graphics may seem whimsical; we do, perhaps, lack a well developed sense of somberness.
We feel our service is an innovative way to support whitelists. Other services we’ve reviewed use a challenge-response system to support email from people and organizations that are not already on their members’ whitelists. We avoid this by providing a simple web based method to send that first email.
If you rule out the following options for dealing with spam: challenge-response systems, Blue Security’s method, and cost based email, what’s left?
We noticed that even the best Bayesian and other filtering systems result in false positives that cause us to “dumpster-dive” routinely in order to ensure that no “good” email is lost.
Should we (as some seem to be attempting to do) joint sheltered email networks that vet their members and sanction those who start spamming?
Do any of you have other ideas?
Perhaps the most galling thing in all of this is various governments’ support of spam as a viable marketing method that should be protected. In addition to the time that spam costs us it also burdens the internet as a whole and so costs us all in real terms as more bandwidth and physical facilities have to be added to “support” it.
http://NokNokNumber.com/100-0012
pretty soon we’re going to see some vigilante kill the bastards, but of course he won’t kill all of them, and the war will escalate even higher, and they’ll all move overseas to escape any influence of the U.S. government, and it’ll turn into full-scale terrorism. Just wait.
Challenge Response still Works
I see that Spam Arrest is offering Blue Security customers a free 90 day trial.
http://www.spamarrest.com/affl?4021707
Yes but
90 day free trial, that means i have to PAY for something. Why do I need to fork out cash in order to “remain safe” from SPAM. Sounds like a dirty deal to me. Looking at all these SPAM filters they all want your money! Which I feel is not right.