Attached Link: Blue Security's website

From Wired Magazine:   "A startup whose aggressive antispam measures drew a blistering counterattack from spammers two weeks ago that brought down the company's servers along with a wide swath of the internet is shuttering its program targeting junk e-mailers..."   You can read more about this story (and the Blue Frog software) at Blue Security's website.   --John

This is so terrible.

A company is essentially murdered and what is done? NOTHING! Some scumbag in Russia can just take out dozens or hundreds of websites in Canada and the US with impunity? Guess so. Industry, government - everybody just gives this a big shrug.

If REGULATION wasn't such a dirty word in American politics, we could solve this problem tomorrow, next week at the latest. The big ISPs (Verizon, et al.) could neuter most of the zombie armies that were used in this attack by implementing a simple filter setting on their routers. But they don't want to for some reason, and no one seems to be able to make them.

If you've ever wondered what government by corporation would look like, this is it. Clueless suits with their heads too far up Wall Street to run things, with petty thugs stepping in to fill the gap. Anyone who complains or tries to change things, gets a beating. Or worse.

The main problem is internationalization of laws to protect and litigate these things.  Note that most of these attacks are spawned from places where they can (Russia, for instance).  In the U.S., you might eventually get caught, prosecuted, serve jail time or be heavily fined.  In Russia, you are part of the black market mafia, run a small village as pseudo-king, and have impunity from all prosecution.

I look at it this way: the internet is an international communication system - laws for it should be able to upheld using international policing.  In other words, one should not be able to hide behind a corrupt, incapable government when performing international crimes.  But international governing (the U.N.) is even more limp than our's and others.

Barring this (which will probably not happen for some decades), nations should be allowed to protect their internet systems as well as retaliate if the directors of such attacks can be found (or, better, let it attack innocent users - who may be zombies - and watch the global change of mind on the matter.  If you can't shovel it, don't dish it out or acquiesce) ;)

Most of all spam still comes from the US. In 2004 it was more than 50%, in the first quarter of this year about 25%. China now follows with some 20%, South Korea with 10%. The UK is responsible for some 2%. Seen per continent, North America is still the biggest, followed by Asia and Europe.

This does not make things any better of course, but blaming the Russians is not the way to go, Cheney!

Unfortunately, as companies develop security measures to stop spammers and hackers alike, there will be those who will spend countless amounts of time figuring out how to get around the new security measure. Its just a matter of time before banner like ads are enabled in email subject lines. Heck, there are email viruses out there that infect your computer without even being opened.

As a website owner/developer - I have to take the threat of hackers/spammer seriously. But, i also realize that there is only so much I can do to keep them out. If they want in bad enough - they're going to find a way. Not even government sites are safe.

That's just soooo wrong.

Something I've never understood about spamers is that their massive attacks inevitably run through the server that is hosting your website and that's where something can be done. Why don't those servers, and the one before on the net too, massively delete spams. If you get thousands mails with same text - or just thousands mails within minutes, I think it is easy to guess it has to be deleted. Same for virus.

Okay, but when do the lawsuits end from corporations and companies emailing their customers. Think Daz here - their newsletter, if it weren't for being legitimate, would appear as spam since they probably send thousands if not tens of thousands.  This is an inherent problem with the block 'all' spam ideology - because not all 'spam' is spam (although, yes, most of it is).

And there are few safeguards against DDOS attacks.  What would really be needed are intelligent tools to recognize them and automatically perform operations that would push the rampant data stream either as close to the originator as possible or to some specific-purpose packet muncher.  Redirection might be the only solution.

How to stop DDOS attacks

It's an old article (2001), but discusses the issues and solutions.  And I think that my idea is pretty close to the one discussed, but obviously not implemented by many internet hubs and servers around the world.

Attached Link: Blue Frog and Six Appart

Kuroyume, it's interesting that you mention DDOS attacks and redirection of the stream of data, as Blue Frog did exactly this with the first wave... and landed the nice bill on Six Appart's footstep. For those that don't know, Six Appart is the company behind LiveJournal, Movable Type and TypePad. [More information here](http://q.queso.com/archives/001917). For those who do not want to read the whole article, here's what happened in a nutshell: BlueFrog got attacked and redirected all traffic to the company's blog, hosted by SixAppart. How anybody that has the knowledge to do this could have failed to realise it would cripple SixAppart sites is beyond me.  So any company that thinks this was a correct course of action is a little suspicious in my book.

It also happens that some people had issues with BlueFrog's methods . I happen to think those concerns were well placed: I'm all up for fighting spam, but I know enough of web hosting to know that a retaliation the sort they were trying to push, aside from being way too close to a DDOS itself, would cripple lots of other people on the same server/ISP.  I don't think that is right. Enough so that when MailWasher came with the offer to sign up to Blue Frog, after reading about their methods I decided to decline.

I'm not saying that what the spammers did was right: it wasn't, by any extent of imagination. However, I also don't think that Blue Frog was playing by the rules either. This doesn't make it right to attack it, but doesn't make me mourn their demise too much either.

I liked Blue Frog and felt that they were doing good, legal work to reduce spam. One piece of spam generated one complaint from me or any other Blue Frog member who received spam. Unfortunately I could not use Blue Frog effectively because Comcast would not forward most of my spam email back to Blue Frog for processing. Their filtering devices were OK with the spam getting into my email box, but they wouldn't let me send it to Blue Frog. Weird. So I opted out of Blue Frog after two weeks of forwarding only to find out hardly anything I sent to them was being received. I couldn't justify doing all that forwarding for no purpose. I deleted Blue Frog from my computer. About two weeks after that I got a very threatening email from an unidentified group of spammers telling me to delete Blue Frog and not use the service anymore because they were going to take out Blue Frog. Indeed, they did, so the spammers win again.

Whats always got me with Spam is folks must be responding to them, surely if we all just delete them there would be no point in sending them.........maybe we need to start an organisation to teach people to ignore spam and while we are at it lets sort those damn sales telephone calls..........Steve

It's not just that most spam comes from the USA, most of it comes from one town in Florida. All that needs to be done is a little change in legislation so that the police can walk in and confiscate the spammers' equipment. That would cure most of the problem. You tell me why this hasn't been done.

Some anti-spamming techniques are actually a pest in themselves. I know of one outfit that has decided how everyone else's mail servers should be set up. They then blacklist every mail server not so set up as a spamming outfit, whether it is responsible for spam or not. If you are unlucky enough to be so blacklisted, you have to do the work to reconfigure your server to their specifications, otherwise your emails bounce back from anyone whose ISP subscribes to their blacklist.

Steve: It's a volume thing. It is fairly cheap to send out 10 or even 50 million spams, and if I get only 100 hits on my 'product' as a result, I have probably made a profit. It has taken me years to convince my sister and mother to stop replying to them, and stop resending the "interesting ones" (like those chain letters with a joke in them that are the means by which they gather valid emails...). Not less than two years ago we had to do an 'intervention' to get my sister out os sending money to a guy in Africa... And this was after it had been on the news... And she's a very smart educated individual who's even managed to become trilingual (which in this country (USA), takes work). I'm guessing they're just not telling me about it anymore... I tried blue frog out for a few weeks, right before I got that win Polipos virus, and as a result the spam on the email account I tried it on went up by a dramatic amount, and it still now gathering several hundred spams per day...

A few ways to beat spam:
 

1. Obviously, don't click on the links in spam messages. NEVER buy anything advertised in a spam message. Tell everyone you know to do the same... even your elderly neighbor who thinks he's getting a deal by purchasing "gener!c v!aGr@".
   Hint: if the e-mail can't spell a product correctly, then something is suspicious... this includes offers to "refinac morttagges" and "curee ur deseases".
   Unfortunately, as long as people buy the products advertised in spam messages, the spammers will make money.
    
2. Complain to the advertised company or billing company. For example, porn sites need paying subscribers... and to get payments, they need a billing company. If enough people complain about the spam directly to the billing company, they could shut off the site's account.
   However, I don't recommend visiting porn sites advertised in spam. If they're using spam to advertise, who knows what other nasties are on the site?
    
3. We hear news stories about brilliant hackers who find security flaws in Windows and such. Why can't some of these people use their talents to make anti-spam software? Can't they get Russian servers to anti-spam the spammers?
    
   --John

#1: Easy to say, hard to do. Eventually the people likely to click will click no matter how hard you try to convince them that snake oil just doesn't work good... There's always a new brand of snake oil... #2: This can backfire - it lets them know they're reaching live people, and they can then assume that if x% are calling them, some greater number isn't, and likely some profitable portion of that will buy in... #3: Isn't that what Blue Frog was? One problem is that Blue Frog used the very tactic they complained of... spamming back... Most viable method is to get legislation in criminalizing the activities, and then fight it out in the WTO when the countries that refuse to criminalize object and demand you let them spam you... Of course, this becomes hard when we in turn refuse to respect their laws and the rulings in the WTO that went in their favor: http://news.com.com/WTO+slams+U.S.+Net-gambling+ban/2100-1030_3-5658636.html (when gets even more difficult when we had good reason to do so... too bad we aren't willing to ignore the WTO when it comes to environmental issues like dolphin safe tuna, toxic dumping, and whaling, or labor issues and sex trafficking...)

I agree completely with arcady.

And in my previous post, I was in no way suggesting that anti-spam tactics include respamming the spammers.  What one should do is not divert a spam or DDOS attack to a supposed spam server-gateway, but to some facility that is specifically designed as a waste depository for such attacks.  Think of it as diverting a flood into an uninhabited plain or something.  The problem here is that the internet is not a direct link pathway, so routing the attack (in both meanings) in this way, effectively, would require some sophisticated routing scheme whereby the attack is pushed back to some capable routing hubs to reduce or remove the stress on other more public hubs.  This would mean, I guess, a 'ring of defense' around normal servers and hubs whose main task is to divert the attack, like a firewall (the real type).

This and legislation would start to put a damper on these activities.  Make it both useless and  illegal.  At first, penalties should be painful.  A company that uses spam tactics should be filing for Chapter 11 or something after being found guilty of using them (if not put out of business altogether).

Individual hackers and attackers have been arrested on occasion, but it requires that they step into a nation where the laws are enforced.  Such a case occured to a Russian hacker who showed up at a US 'Con' and was promptly encarcerated.  But that is not going to happen often. :)

OK, Kuroyume, except that legislation HAS been passed - bad, bad legislation that makes spamming a legitimate activity. This is thanks to direct marketing associations pouring some of their money into Washington and getting their own language into the CAN SPAM act (which has rightly been characterized as the "now you CAN SPAM act.") So don't hold your breath on that one.

Most spam still comes form the US? Sure it does - that's the biggest pool of computers with high-speed connections suitable for sending spam. If we can't educate people to stop clicking on spam e-mails, how are we ever going to inform them that "hey, remember that nice waterfall screensaver you downloaded last summer and then deleted around Thanksgiving? Well, it was really a carrier for a trojan horse program that has been running on your computer ever since, and even now some sleazeball in Romania is using your cable connection to send out spam." Unfortunately most people haven't a clue what is meant by y0ur b0>< i5 0wn3d, d00d.

BTW, Phantast - this is the reason taking out the Florida guy is pointless. Let's even suppose you convict him  - a REALLY big if. His lawyer is as nasty and underhanded as he is, and the jury probably includes at least a few spam-clicker types. But say you get him. He walks free in 6 months, moves to Georgia, turns on his PC and checks in with his army of remote spam-bots. Yep, there they all are, or at least most of them. He's back in business.

Some people did question Blue Frog's tactics, but really they were just harvesting the power of the Internet to allow their users to reply LAWFULLY to spams they received, as provided for by the CAN-SPAM act. They simply aggregated the replies and were a bit forceful in how they delivered them.

As for redirecting malicious traffic, yes that is what happened, but I don't think it was their intent. This spammer shut down their website, and they had to communicate with their users somehow and let them know what was going on. So they made a posting to their blog about being attacked. Then the spammer attacked the site that hosted their blog and brought that down too. It's easy in hindsight to say they should have known he would do this, but really. If you've been mugged, and you go out to a restaurant with some firends to recover from the shock, is it your fault if the mugger follows you there and starts shooting up the place?

I think the Blue Frog swan song page summed it up nicely. Spamming is a branch of organized crime, not a legitimate business, no matter what its high-profile defenders might say. You don't send a security guard or a neighborhood watch patrol to deal with the mob. You send the police, the FBI and the full legal weight of the court system. If the guy is in Russia, you put enough political and economic pressure on the Russians that they deal with it. And, even more importantly, you put a LOT of pressure on the domestic entities that are enabling or abetting the activity.

That is, you WOULD do these things IF you didn't have a big campaign check from the Direct Marketing Association or Verizon in your breast pocket :m_pig:

"I think the Blue Frog swan song page summed it up nicely. Spamming is a branch of organized crime, not a legitimate business, no matter what its high-profile defenders might say. You don't send a security guard or a neighborhood watch patrol to deal with the mob. You send the police, the FBI and the full legal weight of the court system. If the guy is in Russia, you put enough political and economic pressure on the Russians that they deal with it. And, even more importantly, you put a LOT of pressure on the domestic entities that are enabling or abetting the activity.

That is, you WOULD do these things IF you didn't have a big campaign check from the Direct Marketing Association or Verizon in your breast pocket"

I agree 100% They say over 1/2 half of ALL net trafic now is spam related. How much faster would servers be, and how much better would th einternet work, if all that traffic was stopped?

If even 50% of it was curtailed, the internet would run SO much faster, and most likely, we'd all end up paying less for service, because our provider's operating costs would be lowered drastically.

It's be nice to see the guys that shut down Blue Security put behind bars.

 

I agree that US law is 'in the pocket'.  Let's face it, if you haven't figured out that our federal government is a bunch of greedy illegitimate children cowtowing to the rich and screwing everyone else, you should discontinue the mind-altering drug usage (see taxbreaks, estate tax, oil-exploration funding with billions profit while gas prices go up, the beautiful example of Katrina, healthcare, education, social security, minimum wage, blah, blah, blah, blah). =;0)

Back to the topic, I don't know the percentage of spam from the US, but why is it that 75% of my spam is in foreign languages (mainly - Chinese, Russian, Korean, some Spanish)?  In Outlook, they are just garbled junk, but on my Mac, I can see the Unicode text.  Answer me that, Batman? :P

And to the education idea - won't help.  When you've convinced the billions of Christians or Muslims (or other religions) that there really isn't a pink fairy-dust unicorn (God) ruling the universe, you may then start to work on the 'don't feed the spammers' idea...

I hate spam as much as anyone.... but the "Blue Security" goroups tactics were not only silly on a technical level but bordering on DOS attacks themselves in some cases.

Spam seams to be one of those issues that people just freak out about and decide that the ends justify the means to stop - but it doesn't. Some groups that "fight spam" are little more than thugs themselves. This is especially applcable to the "black list" databases that so many companies blindly trust to filter their email.

If you admin the email for a company or run a server (I do both) then you will find that these groups (geek thugs) will arbitrarily add your ip / domain to the database and will refuse to tell you what reason there was. And you can forget about contacting them about it. End result? 3 or four "groups" control whether your company can send email and have it actually recieved by most clients.

Blue Security tactics were a little out of the ordinary, but even with black lists, if you tick off a spammer you can be subject to blackmail through a dos attack. The service providers must be take a harsher stand.  All service providers should have a black list  and be more proactive.  Otherwise governments will enter the fray  (laws would be nice if they were enforced) in a very heavy handed manner.

This is the 'CAN-SPAM Act: http://en.wikipedia.org/wiki/Can_Spam_Act_of_2003 And the actual law: http://www4.law.cornell.edu/uscode/html/uscode15/usc_sup_01_15_10_103.html The most interesting aspect of this act is how it defines 'protected computer'.

"why is it that 75% of my spam is in foreign languages (mainly - Chinese, Russian, Korean, some Spanish)?"

This has happened on one of my email accounts, but not others. I think it means that some Korean spammer has got your email address and is selling it on to others in Asia.

Other tips... Open your email in text only format first (no images) or filter with MailWasher. Spammers are know including a gif or jpeg image. If their server gets a hit fom this image then they know your email is valid and then sale it on a list of known valid addresses to other spammers.

As mentioned before, never buy anything from a spam email. Never reply to a spam email. If a service requires you to enter a email address to sign up, use a free email addy such as Yahoo or Hotmail. If a spam email has an unsubscribe button, do not use it, another trick.

Here is a site that has a lot of info on Spam

http://spamlinks.net/