John, you’re going to have to explain to me how you require an e-mail address to respond to you.  Are you in favor of spam?

BTW, you’re wrong.

Tim

I think Tim is asking about my blog at http://weblog.taugh.com from which this article is mirrored. As the comment form there says:

Note: all comments require an email address so we can send a confirmation to verify that it was posted by a person and not a spambot. Your email won’t be displayed unless you check the box below, and won’t be used for other purposes.

If you don’t put some sort of control on comments, a blog quickly fills up with blog spam, typically links to gambling sites. The confirmation keeps the spam away with minimal hassle all around.

If Tim is implying that the confirmations are just so I can steal the names and make a spam list, sheesh. Get a life.

Incidentally, I have never had much sympathy for the theory that the way to solve the spam problem is to hide from spammers. My goal is to make spam go away while still letting people who have real mail send it to me.

My understanding is that each participant sends one single complaint per spam, via the spammer’s web site. Is it still a DoS?

It’s something that could be, and is, done manually by many pissed off consumers.

What if we all coordinated and decided to all manually complain at the same time?

Would that be a DoS?

Is it the *intention* to impair performance that makes it a DoS? Or a combination of intention and automation?

The real answer is that an illegal DOS is whatever a court says it is, but having looked at a lot of computer crime laws, I’d have to say that intention counts for a lot.  As I noted in my article, BS clearly intends to damage the web sites they attack, which makes it a DOS in my book.

If it is really the case that they send only one complaint per spam, the whole issue is moot since they’ll never collect enough spam to do enough web hits to cause more than a hiccough.

John, I was talking about posting a comment on circleid.com. I don’t see your e-mail address there, yet I had to supply mine.  I understand the need to control spam posts, I just found it interesting that most reporters will supply their e-mail address after their article, yet you hide yours.  It was simply an observation.

As for your claim that Blue Security coordinates DoS attacks, they don’t.  A DoS attack on a web site might affect other legitimate sites on the same host, and that would not be fair to them.  http://community.bluesecurity.com/[email protected]@.3c3ea1b5  When a campaign is in progress, complaints are metered so as to NOT all arrive at the same time.  http://community.bluesecurity.com/[email protected]@.3c3eb2a6/0 

You say intent is the determining factor in deciding if this is a DoS attack.  I’ve run the Blue Frog for almost two weeks now, and I doubt it has used a megabyte of bandwidth, outside of the 1 megabyte download of the Blue Frog client.  I’ve been active in campaigns against spamversized sites, and watched my bandwidth usage during that campaign.  For the most part, I was absolutely idle.  No bandwidth used whatsoever.  Although the icon in my system tray tells me when a campaign is underway, for the most part the Frog just sits there and waits for my turn to send a single HTML complaint to the site.  As for your claim we send “a zillion unsubscribe requests .. at once”, you are wrong.  Only one complaint is sent for each spam received, and we don’t have a zillion members… yet. ;-)

Most of Blue Security’s efforts are focused on negotiating with the web site’s owner to encourage them to only advertise with bulk mailers that download and use their free cleaning tool.  We are a Community that will not buy from web sites that send us spam, and simply decided to join forces to make our complaints heard.  We are not here to hurt legitimate businesses, we want rogue spammers to lose business.

For the record, I am not an employee of Blue Security. For the past two years, I’ve spent entirely too much time complaining to spamversized sites.  It works.  It reduced my spam by approximately 75%, but a noticeable difference wasn’t achieved until after the first 3 to 6 months.  I still got (and still get) spam from the worst of the worst on ROKSO. http://www.spamhaus.org/rokso/index.lasso  I signed up for Fred (that’s the frog’s name) and I would estimate my remaining spam has been reduced by half.  I’ll contend the Blue Community is already large enough to make a difference, and the campaigns haven’t even really begun yet.  That is the last thing we want to do.

But we can do it.  And it scares spammers. They don’t like when people complain about them.  I know, I’ve done it for the past two years.  Alone.  Now, I bring 15,000 (and counting) friends along with me. :-D

Interesting last paragraph in your “put spammers in jail” article:

“While it’s certainly satisfying that such a major spamming crook got the jail time he deserves, this case cost the Commonwealth of Virginia a whole lot of time and money money for preparation, staff work, and expenses. (We experts don’t work for free, we wouldn’t be credible if we did.) Going to this level of effort to knock out the top 10 or top 20 spammers is plausible, but going after 100 or a thousand just isn’t going to happen. That tells me that we still need more effective civil remedies that individuals or small networks can afford to pursue.”

Blue Security is clearly an affordable, effective, small community effort to counter spam. If their strategies are unacceptable, what sort of civil remedies would you suggest individuals or small networks undertake - uh, ideally that will work in THIS decade.

Here’s a lovely article about bluesecurity and the mindset of its users. I’m quite happy for useless “let’s spam the spammer back” schemes to auto-darwinate. Saves time having to explain to a lot of people that no, not all antispam operators, and not all antispam organizations, are a bunch of vigilantes with more technical acumen than sense (and not too much of either)

http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=2145&pubid=5&issueid=55
Spamming spammers sparks ethics queries
Bob Francis
InfoWorld (US online)

Blue Security’s plan to fight spam with spam has gotten me thinking. Blue Security is a startup security firm that’s taking the fight against spam to the spammers by enlisting end-users to create a Do Not Intrude Registry and making
it painful for junk mailers to operate.

It works like this: If spammers send you spam, you have a right to complain. If the spammers send you one spam, you complain one time. Chances are, however, that they will send you thousands of spam messages, so Blue Security lets you complain a thousand times.

Users can download Blue Security’s Blue Frog client and sign up with the Do Not Intrude Registry starting this week. When the software is up and running, users register an e-mail address to monitor for spam. The software analyzes the messages that come into the user’s account, and then follows the links to the
spammer’s site. Blue Frog then finds any kind of contact form to fill out and demands the e-mail address be removed from the spammer’s list.

I call this the George-and-Charlie defense, because I did much the same thing to a pair of buddies with the same names. George and Charlie were two friends from my old neighborhood, a Levittown-type area on the edge of downtown Fort
Worth, Texas. We played football, baseball, and all those other bucolic childhood activities, along with a few others for which the statute of
limitations have run out, I hope.

Like many of us, George and Charlie found adulthood to be somewhat less than the “high school with money and nobody to hassle us” fantasy that many of us had when first venturing out on our own.

In other words, we had to get a job and get money and be responsible; unless, like me, you became a journalist. Then it sort of ended with the “get a job part.”

George and Charlie both chose the life insurance route for awhile. One of the first things they teach you in life insurance school is to call on all your old buddies, which is what George and Charlie did. Funny, I never tried to sell
them a newspaper subscription or an ad in my newspaper.

Anyway, eventually I got tired of it and so when George called one more time to snap up some of my meager paycheck for a life insurance plan, I told him no. I added, however, that I had run into our old buddy Charlie, and he was asking
about life insurance, too. A few days later Charlie called and I told him the same thing about George. I never heard from either again. I assume they’re still trying to sell each other life insurance in some never-ending Jean-Paul
Sartre play.

That is kind of what Blue Security is trying to do. It’s more than happy to be George to the spammer’s Charlie. Or vice versa.

Blue Security is hardly the first company to attempt this. Lycos Europe attempted a similar system last year, but dropped the plan when the security community argued that Lycos Europe was engaging in vigilantism and had crossed the line by launching DDoS attacks on spammers’ sites.

True enough, probably. On the other hand, I know plenty of users whose computer systems have simply been shut down by all the junk that spammers and zombie systems have loaded on their machines. At some point, someone is going to pull a Howard Beale from “Network” and scream, “I’m as mad as hell and I’m not going
to take this anymore!”

That’s exactly the target audience, says Maribel Lopez, a security analyst at Forrester, although she put it in more analyst-like language: “Blue Security is looking for passionate users, users who are tired of all the spam and are riled
up enough to do something about it,” she says.

The big question, Lopez says, is whether Blue Security’s plan is ethical and legal. “I think those questions are still unanswered,” she adds.

If it’s not ethical and legal, then I guess I have to call George and Charlie and apologize. The only problem is, I don’t want them to have my phone number.

Mr. Levine simply doesn’t understand the BlueSecurity mechanism, apparently because he was predisposed to be dismissive of anything that vaguely resembles previous schemes which did involve DOS assaults.

Denial of service is not the purpose or point of the automated Blue Frog submissions.

As explained rather clearly at BlueSecurity’s Web site, they:

(1) analyze spam submissions;
(2) identify the biggest common offenders;
(3) determine the Web sites employed to take spam-product orders;
(4) analyze the structure of the form(s) used to accept orders;
(5) craft instructions for Blue Frog clients to submit COMPLAINTS - not unsubscribe requests - via those sites’ own order forms; and finally
(6) instruct the Blue Frog clients to automagically submit form complaints equal in number to the reported instances of spam from the site’s owner.

Thus the purpose of the campaigns is to waste the “bandwidth” of the HUMAN OWNERS and operators of the sites, NOT the physical servers of the sites, by forcing them to inspect hundreds or thousands or tens of thousands of “order form” submissions which are COMPLAINTS and not actual orders.

The one thing a spammer most desires is a completed order form, and the frustration, letdown, and waste of time involved with having to slog through huge numbers of submissions that DON’T actually make them money is immensely DEMORALIZING.  Eventually the spammer realizes that spamming, at least to BlueSecurity members, is no longer profitable and either quits spamming altogether or uses the BlueSecurity Registry tool to avoid the people he now knows will cause him frustration and net him no profit.

None of that qualifies as “denial of service”.  It’s using the spammers’ own tools against them.  It’s reverse-engineering the illicit tools of the social engineers.

Mr. Levine needs to learn how to read and analyze before he judges, rather than than prejudging based on some presumed pattern.

Mark A. Craig

Gee, an expert working with government to punish elusive spammers. Impressive.

So, I’d still like to know what sort of “...effective civil remedies that individuals or small networks can afford to pursue.” you propose to support your expert role.

Re Mr Craig’s question, the quote I cited from BS’s web site seems pretty clear to me. Despite all the smoke and mirrors, it’s basically intended as a DOS attack. I haven’t seen any noticable change in the amount of spam flowing, so the whole thing is pointless, as predicted.

Re Mr Lee’s question, the private right of action in the US junk fax law has been fairly effective. That’s what I’ve always wanted in a spam law.

<“Re Mr Lee’s question, the private right of action in the US junk fax law has been fairly effective. That’s what I’ve always wanted in a spam law.”>

Fairly effective? That’s odd; I haven’t observed “any noticable change in the amount of spam flowing, so the whole thing (so far)is pointless, as predicted.”

Thank goodness for individual and small community proactivity like Blue Security eh.

- and btw; I am no “Mr.”

Now I’m completely confused by Comrade Lee’s comments.  There is a private right of action in the junk fax law, and it works.  There is no PROA in a CAN SPAM and it doesn’t work. I agree that we haven’t seen any drop in spam, so presumably we agree that neither CAN SPAM nor Blue Security are having any effect.

G’day Mate!  And you too, John.

“so presumably we agree that neither CAN SPAM nor Blue Security are having any effect.”

Have you checked YesNIC’s web page?  They now have an anti-abuse policy.  CAN-SPAM didn’t do that. Maybe your spam hasn’t gone down because you didn’t sign up for Fred’s services.  Do that, and talk to me in a month.

There are changes going on in the spam industry, and Blue Security is causing it, John.  Hundreds of people sign up for Blue Secuity every day.  They don’t do that because Blue doesn’t work, John, they do it because Blue Security does.

If you took more than a cursory glance at their web page, you would see that Blue Security is CAN-SPAM compiant.  Against criminals.  And working.

You may have wanted the CAN-SPAM act to work, but it doesn’t.  Fred does.

Oh, and Lee is a chick. (G’day Mate!)

I can only hope I have not found this thread too late.

At present reading, I am disposed to give equal weight to both assertions: 1. A concerted effort to thwart deception based UBE is needed, and 2. That the bounds of law and ethics take precedence over all other considerations.

Legal considerations are subject to challenge, debate and refinement. But they need not be ignored or depreciated.

The question that I have not been able to answer satisfactorily regarding the Blue Security approach is whether it can really be effective in modifying the spamming practices of Spam Kings such as those on the ROKSO, ‘preferred miscreants’, list. If diluting the harvest of responses to their spam by sowing tares (complaints) in their fields such that it tasks them with trying to pick flys**t out of pepper, then I would be inclined to favor the BS tactic. I accept a literal interpretation of spamvertisements; to whit, they are asking for a response. I am comfortable with the ethics of compelling the sender to accept a response, even if it is inconvenient, on 2 counts: spamming my inbox using my address which was not obtained legitimately in the first place, and sending lewd and highly distasteful material to a computer my family shares in the second.

There is a third reason that is a bit convoluted; if I overtly respond to the spam by asking to be removed from the proto-mailing list, I am in effect increasing the value of his assets, (my email address and IP which he can and does sell for money), while at the same time, forfeiting some of the value of my assets as it attaches to my family’s compromised access to a service for which we must pay. In law, as Mr. Levine well understands, this is the foundation for a petition for remedy. At present here in Canada, civil law does not provide a means of remedy for these circumstances, (excepting child pornography, which is criminal); not yet anyway. The law does protect the spammer against, “eye-for-an–eye”, retaliation though, eh?

I report spam to Spamcop now and I make the extra effort to check domain registrations and submit reports to InterNic, registrars and, when practical, various BL services. This is very time consuming. I have been patiently doing this for a year; BUT, the same spam king continues to populate my inbox every day with 10 to 20 porn-spamvertisements. My experience doing this makes me want to concur with Mr. Levine’s view that big-league spammers have hundreds of, “throw-away”, domains available to them on any given day and therefore are immune to legitimate domain killing practices. And the sheer number of complaints many registrars require against a client before, “kicking them off”, is entirely beyond the reasonable expectation of any individual’s endeavour, no matter how dedicated. “Enom,” is a good example; I don’t even want to think about Chinese and Russian registrars.

If it can be demonstrated that there is a 1:1 relationship between spam received and complaint sent, then I could be persuaded no ethical or legal transgressions are being committed. If bandwidth taken up for an ISP or it’s ‘innocent’ clients is problematic, then I am inclined to think it appropriate that issue be resolved between the ISP and the spammer. They could at the same time resolve any issues around the use of forged headers, open relays and proxies and other improprieties used to persuade the public to access the site in the first place.

roderick whitney stillwell