Spam War
I wrote about spam last week.
Thought I’d write a little about some recent events, since I’m not sure that these stories have penetrated the mass media very well — just the tech media, and I think some of you might be interested, as it is kind of a Big Deal (TM). Seriously, you may find this interesting.
Last week (I think), a site called Blue Security came under attack by some spammers.
Blue Security takes a proactive approach to dealing with spam. Until recently, the only option has really been to filter it. There are many downsides to filtering, like the fact that filters can’t catch everything and that sometimes they mark legitimate mail as spam (this is a severe annoyance for me).
What’s worse is that it is incredibly passive. Sure, we have the CAN-SPAM Act, but it seems to be toothless.
What Blue Security does, as I understand it, is allow users who register their email addresses to report spam. Blue Security then sends a request to the “advertiser” asking them to remove the email addresses of Blue Security registrants. CAN-SPAM allows for this. Not only that, but the “advertiser” is legally obligated to comply. If they don’t comply, Blue Security basically sends one “unsubscribe” request for every spam reported.
This is simplifying it, but you get the point.
The result is basically a DDOS attack. If the spammer sends out a lot of messages, and a lot of the recipients are members of Blue Security, the advertiser gets swamped with unsubscribe requests, which can temporarily knock their servers out.
Is it a coordinated attack? Yup, I’d say so. Is it ok? I lean towards saying that it is.
Last week, though, some spammers staged an attack on Blue Security and its members. First, they sent threatening emails to people registered with Blue Security. Basically extortion. They demanded that people quit using the service. If they refused, they would be bombarded by spam. They sprinkled in some anti-Semitism as well. Real charming.
Then they attacked Blue Security’s servers. I’m not entirely clear on the details yet, but there were two victims. One was Blue Security, and the other was Six-Apart’s various blog services. There is some controversy over whether Blue Security off-loaded the attack to Six-Apart. At this point it’s not entirely clear what happened. Besides, the details that I do know are kind of geeky, and I’ve been too geeky on this blog lately. If you’re interested, you can start by reading here.
Anyway, it swung back over the other direction early this week. This story on digg prompted basically a DDOS on a spammer message board. It was actually two-fold — first, there is the “slashdot effect” (sometimes called the “digg effect” when it involves digg.com) where the simple act of a crapload of geeks clicking on a link can bring a server to its knees (incidentally, this has happened to Flapping Crane once or twice when a skit would get onto a popular web site). This is non-malicious, but still harmful to the server. Second, there were some deliberate attempts to continue keeping the server down by various digg readers (you can follow it by reading the link to digg above).
So we’re at an interesting point. A breaking point, perhaps. We’ve been dealing with spam for years. Lots of passive filtering technology and toothless laws have not improved the situation as much as they should have. Spammers continue to try to find ways around filters and laws.
On that note, I’d like to point something else out here. A lot of people are asking why the spammers don’t simply remove Blue Security subscribers from their lists. There are two answers to this, I think. The first is that they don’t want people getting the idea that they can simply register at Blue Security and not get spam. Once it caught on, spammers would be out of business in short order. That would also explain their threatening emails. Second, I’m not sure how spammers get paid. They are typically freelance, apparently. So when you get spam, the “product” being advertised isn’t from the spammer, but from someone who pays the spammer to send out a gazillion messages. Are they being paid per email address? If so, they certainly wouldn’t want to remove the half million email addresses demanded by Blue Security.
Finally, this does raise some legal and ethical issues. Is it okay to DDOS spammers and/or their clients? It is tricky, but I think the spammers are disingenuous in their appeals to ethics or law when they are clearly unlawful and unethical. Still, unambiguously legal methods are not working. What it comes down to is that spammers want to spam, and most people don’t want the (often sexually explicit) spam. Spammers also disregard requests to be “unsubscribed”.
As I noted before, I’ve been very careful about keeping some email addresses private, yet I still get spam. Saying that I should have been even more careful is the tired old line of blaming the victim.
As I said, there is some controversy over what actually happened. The timeline provided by Blue Security is quite sketchy on details, and some people have pointed out problems with their claims.
All very interesting.
EDIT — Here’s a message from one of the spammers on a spam forum:
Ginsta, they didn’t do anything to you YET, but they are attacking many sponsors, some you might even be promoting. They aren’t just attacking sponsors, they’re attacking our community by the hypocritical position of justifying their means by the end
It’s just a matter of time (if we don’t take action now) before they have a botnet of which we would have no chance of stopping, you have to understand that. If they built their userbase to say 2+ million, 1 request command to each of their “frogs” would drop the host in a minute. No point letting someone gain power without being challenged. If they want to be on top they’ll have to show they have the balls to undergo some deep shit.
In all reality, these idiots try to speak as if their intelligent on their forum, you should read it. Half the assholes can’t spell “protocol” and 50% of them are high school drop outs who don’t realize it takes 1 second to click a delete key and be mindful of where you place your email address.
While bad attention is always good, because it’s still attention, this is a rare case where no one will jump into this fight simply to “stand up to fight spam” while also being mindful they are willing participating in illegally ddos operations. It’ll be a matter of time before BlueSecurity gets shut down for that fact alone, until then, stand up for your industry and kill the shit out of their userbase.
Their page is being held down, you won’t get complaints, just hit the shit out of their inbox until they realize they’d get LESS spam by not being part of the BF botnet.
My enemy’s enemy is my friend, just remember that and spam the fuck out of those dipshits
Don’t you love it when someone who spells “they’re” as “their” criticizes the spelling of others?
This one is good too:
Spam will never be stopped. It is comparable to the war against drugs. You might not do drugs, but alot of people obviously do, or drug dealers wouldn’t make money. You might not like spam but some people obviously do, or mailers wouldn’t make money. So stop being a whiny bitch and hit the delete button when you get something in your mailbox you don’t want just like anyone else. Soon, txt message and spam will be blown up just as bad youroui email inbox is. You’ll never stop it, just make it harder to accomplish.
Remember pussies, you may be able to jail some of us, but you won’t stop us all.
And for the people who buy/subscribe our products/our sponsors products, Thank you very much.