A Vigilante Approach to Spam

Sarah Perez on July 24th, 2005

A company called Blue Security asks if you are sick of spam and of the passive methods being used to fight it. "Enough with the spam filters, let’s fight back!" could be the rallying cry at Blue Security. They have created a new technique to fight spam. According to Wired News, here’s how it works: when users add e-mail addresses to a "do-not-spam" list, Blue Security creates additional addresses, known as honeypots, designed to do nothing but attract spam. If a honeypot receives spam, Blue Security tries to warn the spammer. Then it triggers the Blue Frog software on each user’s computer to send a complaint automatically. Thousands of users complaining at once can knock a website offline, which is meant to encourage spammers to stop sending e-mail to the addresses on the "do-not-spam" list.

But what they’re doing is a DDoS attack! Via Computerwire, the details of this new technique are explained even further: the Blue Frog software does not send an email complaint. It automatically visits the spam web site and fills out any HTML form it finds with a complaint along the lines of “Your site was advertised in spam” with a link to the Blue Security site. Each user complains once for each spam they get. Collectively, that could amount to a distributed denial-of-service effect on the offending web site.
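What the description above looks like from the other end is a sudden burst of identical form submissions arriving from many unrelated client addresses. The following is an added example (not Blue Security’s code and not from the original article) of how a site operator could spot that pattern in an access log: it groups POSTs by form path and payload and flags any payload sent by several distinct source IPs inside a short window, which is what the Blue Frog design produces and what organic visitor feedback almost never does. Assumptions are labelled in the code: the log lines are constructed, the log format is Apache "combined" with the POST body appended as an extra quoted field (most servers do not log bodies by default), the form path and complaint text are illustrative, and the link in the payload stands in for the link to Blue Security’s site.

```python
"""Detect a distributed, automated form-complaint flood in web-server logs.

Added example, not Blue Security's code. Assumes an Apache "combined"-style
access log with one extra trailing quoted field holding the POST body
(an assumption: request bodies are not logged by default). All log lines
below are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five distinct hosts POST the same complaint to the same
# form within 47 seconds (one host posts twice); one ordinary visitor browses
# the site and later sends a genuine, different message.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Jul/2005:10:00:01 +0000] "POST /contact.php HTTP/1.1" 200 512 "message=Your+site+was+advertised+in+spam+http%3A%2F%2Fwww.example-antispam.org"
198.51.100.7 - - [24/Jul/2005:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 ""
203.0.113.22 - - [24/Jul/2005:10:00:09 +0000] "POST /contact.php HTTP/1.1" 200 512 "message=Your+site+was+advertised+in+spam+http%3A%2F%2Fwww.example-antispam.org"
192.0.2.44 - - [24/Jul/2005:10:00:15 +0000] "POST /contact.php HTTP/1.1" 200 512 "message=Your+site+was+advertised+in+spam+http%3A%2F%2Fwww.example-antispam.org"
203.0.113.10 - - [24/Jul/2005:10:00:16 +0000] "POST /contact.php HTTP/1.1" 200 512 "message=Your+site+was+advertised+in+spam+http%3A%2F%2Fwww.example-antispam.org"
192.0.2.91 - - [24/Jul/2005:10:00:31 +0000] "POST /contact.php HTTP/1.1" 200 512 "message=Your+site+was+advertised+in+spam+http%3A%2F%2Fwww.example-antispam.org"
198.51.100.200 - - [24/Jul/2005:10:00:48 +0000] "POST /contact.php HTTP/1.1" 200 512 "message=Your+site+was+advertised+in+spam+http%3A%2F%2Fwww.example-antispam.org"
198.51.100.7 - - [24/Jul/2005:10:07:02 +0000] "POST /contact.php HTTP/1.1" 200 512 "message=Where+is+my+order%3F"
"""

# client - - [timestamp] "METHOD path proto" status bytes "body"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<body>[^"]*)"$'
)


def parse_log(text):
    """Yield (timestamp, ip, method, path, body) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in another format instead of failing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"], m["method"], m["path"], m["body"]


def detect_complaint_flood(text, window=timedelta(minutes=1), min_sources=3):
    """Flag (path, body) pairs POSTed by >= min_sources distinct IPs within one window.

    The signal is the number of distinct sources sending an identical payload in
    a short interval, not the raw request count: one annoyed visitor resubmitting
    a form is not a flood. Returns a list of findings, one per flagged payload,
    each describing the densest window seen for that payload.
    """
    by_payload = defaultdict(list)
    for ts, ip, method, path, body in parse_log(text):
        if method == "POST" and body:
            by_payload[(path, body)].append((ts, ip))

    findings = []
    for (path, body), events in by_payload.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window so events[start:end+1] all fall within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            sources = {ip for _, ip in events[start:end + 1]}
            if len(sources) >= min_sources and (
                best is None or len(sources) > len(best["sources"])
            ):
                best = {
                    "path": path,
                    "body": body,
                    "sources": sorted(sources),
                    "requests": end - start + 1,
                    "first": events[start][0],
                    "last": events[end][0],
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_complaint_flood(SAMPLE_LOG):
        span = (f["last"] - f["first"]).total_seconds()
        print(f"{f['path']}: {len(f['sources'])} sources, "
              f"{f['requests']} requests in {span:.0f}s: {f['body'][:40]}...")
```

On the constructed sample this flags a single payload on /contact.php from 5 distinct sources (6 requests) and leaves the genuine customer message alone. The check says nothing about why the flood arrived: as the comments below point out, the site being hit may be the spammer’s customer or may simply have had its URL dropped into someone else’s spam.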

A leading anti-spam advocate, John Levine, a board member of the Coalition Against Unsolicited Commercial E-mail, said of this technique: "It’s the worst kind of vigilante approach," and "deliberate attacks against people’s websites are illegal." Blue Security’s chief executive, Eran Reshef, responds to him and other critics: “It’s not a DDoS, people are exercising their right to complain about spam they get. We’re not trying to do anything illegal or unethical. We’re only doing ethical things, but we are being active.”

But is it right? Is it ethical to fight illegal spam with these possibly illegal methods? I’m thinking that it is not. A DDoS is a DDoS no matter what high-principled reasons you have for the attack. It’s an unlawful action. With technology like Blue Security’s, spam is tracked back to the website it advertises, so don’t we already know who is paying for the spam? (Note the distinction: the advertised site is the spammer’s customer, not necessarily the machine the spam was sent from, and nothing stops a spammer from putting someone else’s site in the link.) It would be more ethical to focus on prosecuting the spammers, instead of trying to shut them down like a bunch of little script kiddie hackers.

Since many spammers’ sites are registered outside of the U.S., international laws would need to be created. It’s a difficult but needed task as the online population continues to grow. (Today it’s 1.07 billion; by 2007 it’s projected to be 1.35 billion.) Spammers (and hackers, and phishers, and identity thieves) cannot be ignored forever by law-enforcement agencies. Though the CAN-SPAM Act has been somewhat useless, it’s a good first step in criminalizing the activities of spammers. It’s the "law" part of law enforcement. I’m waiting on the "enforcement" part, too, but I’m not going to jump the gun and participate in a big ol’ DDoS with the other folks at Blue Security.


4 Responses to “A Vigilante Approach to Spam”

  1. I think the key word you use is “possibly” when you talk about Blue Frog being illegal. Unless the Department of Justice steps in and declares the technique to be illegal, I say let them give the spammers a taste of their own medicine.

  2. We have seen all too often in the real world that when we have vigilante action, some innocent people will get harmed. I cannot agree with vigilantes off-line, and I can’t agree with vigilante DDoS attacks on-line.

  3. An automatic complaint against a website advertised in spam is not a problem, even if millions of people participate. That is simply a tactic to put the expense of bulk snail-mail into spam emailing. It is not unethical to visit the links a spammer might provide. Filling in the forms might be, but lacking other contact info it might be acceptable.

    The problem comes when someone is able to send spam with someone else’s website as the link. For instance, an online drug company could contract a spammer to compile a list of known Blue Frog email addresses, then spam those addresses with links to a competitor’s web site. This makes the users of the BF service no better than the people who run the open relays that cause some of the spam problem in the first place.

    It will also not be effective if it becomes a problem for spammers. They will simply design messages that are human readable, but not machine readable (containing only graphics, or obfuscated text, or other techniques).

    But it does send a message to legislators. The laws don’t work, and the community isn’t happy about it. Hopefully if something like this does happen, it would prompt the lawmakers and enforcers to be more effective.

    FWIW, I wrote a tool that worked just like this one a few years ago, but decided against releasing it because it could easily be abused, and would rapidly become ineffective as spammers adapted.

  4. There is a big difference between a DDoS attack and what Blue Security are doing.

    In the case of a DDoS, the botnet is hosted by stealth on the machines of people who have no desire to participate in the attack.

    In the case of Blue Security, the individuals who voluntarily offer the use of their machines do so in order to send a measured and proportionate response to the spam that they as individuals receive. They have no direct intent to deny service to any web site - merely to use Blue Security’s system to facilitate a proportionate response that is not sent as a first, but only as a last, resort if, despite warning, the site continues to plague them with spam.

    To equate the responses of the Blue Community with what happens in a DDoS is to indulge in lazy thinking. Not a precious commodity.
