Blue Security Gives up the Fight
bblboy54 writes "According to The Washington Post, Blue Security has closed its doors, which can be confirmed by the Blue Security application failing to work today and their domain no longer resolving. Blue Security's CEO is quoted in the article: "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing." You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"
Will someone else adapt this concept, or does the internet world give up?
How about a third choice - will the internet world try a different method that doesn't involve vigilantism? (and the inevitable chaos that follows a war)
Slightly Offtopic: My email (whineymacfanboy@gmail.com) is in clear text on /. (not hiding behind childish obfuscation), yet I only get one Spam per week that actually makes it into my inbox! I know the flip side of the spam problem is bandwidth wastage, but anyone who's still getting spam in their inbox should install some nice filtering software.
Completely Offtopic: Has anyone else noticed the "Compare prices on YRO Products" link in the "Related links" sidebar? WTF is a YRO product?
There are shills on slashdot. Apparently, I'm one of them.
Anyone want to state the obvious answer?
Hey, wait a minute, I've followed Blue Security since I first read about them on /., and I can't believe they're just gonna fold up shop and give up! Isn't this what they got into the business for? Can't they take this attack and use it to demonstrate the validity of their concept? I wish they could think up another tactic besides, 'you win' -- perhaps diversifying their URLs/IPs so that they're more spread out...less vuln to an attack on one IP? Come on, what do readers think...I know there's got to be some way to use BS software and reroute things through an Onion style network to fight back.
fak3r.com
"When the company's founders first approached the broader anti-spam community and asked them what they thought of the idea, everyone said this was a terrible idea and that they would eventually cause a lot of collateral damage," Underwood said. "But it's also extremely unfortunate, because it shows how much the spammers are winning this battle."
Hell, the idea of flooding the spammers network is older than a reasonably aged Armagnac and was discounted even when it came up.
Building a business model on such an inane idea looks as if the company execs are a few fries short of a happy meal. Specifically since they were warned by more experienced people.
I am the musician
with a pocket calculator in my hand
kraftwerk
This episode proves that the spammers own and control the internet.
The internet is no longer free (not as in beer). We must pay obeisance to the owners by allowing their spam in our inboxes.
I, for one, do NOT welcome our spam-spewing overlords.
Ignorance is curable, stupid is forever.
I'm a recent new Blue member. Spam to my work, gmail and home accounts has plummeted thanks to Blue Frog. And to whiners who moan about "vigilantism", blow me. Fight fire with fire.
Trolling is a art,
According to The Washington Post, Blue Security has closed it is door which
http://www.stormloader.com/garyes/its/#top
It's not that hard.
http://www.bluesecurity.com/ - which seems to be up or down at any given moment.... still under attack?
I'll wait to see an official statement from them. Considering they are offline right now, likely due to another DoS, and the spammers have spent the last 2 weeks doing joejob attacks and all sorts of e-mails supposedly from bluesecurity... it doesn't seem too unlikely to me that the spammers could convince the media of something.
My name is coaxeus, and I approve this message. In fact, I think it is awesome.
Was about to post the same thing. Make a distributed app, receive spam, post "unsubscribe" link to app, (assuming this is how blue worked) instant mass traffic for spammer. The problem here is that if you don't have a central authority controlling what gets hit then someone will sooner or later abuse the P2P DDoS machine that you've effectively just created.
Spelling matters.
Spam wins
Sad, but true: you cannot defeat the spammers using their own methods.
Rediculous is ridiculous!
Wow so the bad guys won? This isn't the way it's supposed to happen. wtf
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start
Funny, not having the authority to do it didn't stop them before...
This guy's the limit!
The Blue Frog client was open source. It shouldn't be that hard to modify it so that anyone could install a module onto their web/mail server so Blue Frog can send emails, and have the entire system run decentralized. I.E. I run two mail servers with a Blue Frog module on it, and I publish those servers for public use by the BlueFrog client. System administrators can check sites and domains to send spam reports to and control it. I'd love to see the spammers take down a decentralized system, since it would be nearly impossible to shut down every node in a decentralized system.
This signature was left intentionally blank.
If you want to be an anti-spam advocate, if you want to write software or maintain a list or provide a service that identifies spam or blocks spam or targets spam in any way, you will be attacked. You will be attacked by professionals who have more money than you, more resources than you, better programmers than you, and no scruples at all. They want to make money, this is how they have decided to make money, they really can make a lot of money, and you're getting in their way.
[...]Someone challenged me, Well, how am I supposed to continue hosting these low-barrier discussions? I'm sorry, but I don't know. To quote Bruce Schneier, "I feel rather like the physicist who just explained relativity to a group of would-be interstellar travelers, only to be asked, 'How do you expect us to get to the stars, then?' I'm sorry, but I don't know that, either."
From Dive Into Mark (which doesn't seem to be responding, so try Google's cache.)
Carousel is a lie!
what really makes me sick every time I read such horror stories about spam, zombies, virus, etc. is that this whole ecosystem only exists because this industry as a whole is full of fucktards completely clueless with regards to security (and that problem is affecting more than a single platform [needing to be root to install a fscking .rpm while the equivalent .tar.gz can be installed by a user without privileges? Fscking fucktards...]).
I really don't understand what the point of spam is anyway. If I see it in my inbox (thankfully both my company as well as gmail have excellent spam reduction software), I delete it. How can spam be a "multi-million dollar" business? Are there really people that respond and follow through on the various offers proffered through such venues? What is it that really makes spam so worthwhile, seriously?
On the other hand, it is unfortunate that the spammers wield such massive power to force a company's closure. I can see it now...
"Hey, ya, I think you needs some 'insurance'. It'd be bad if anything, ya know, happened to your servers or sumtin'."
Blue Security Ceases Anti-Spam Operations
When we founded Blue Security in 2004, we believed that if we automated a way for users to rise up and exercise their rights under the CAN-SPAM Act, we could reduce the amount of spam on the Internet.
Over the past few months we were able to leverage the power of the Blue Community and convince top spammers responsible for sending over 25% of the world's spam to comply with our users' opt-out list. We were making real progress in eliminating spam from the lives of our users.
However, several leading spammers viewed this change as a strategic threat to their spam business. The week before last, these spammers launched a series of attacks against us, taking down hundreds of thousands of other websites via a massive Denial-of-Service attack and causing damage to ISPs, website owners and Internet users worldwide. They also began a relentless campaign of email intimidation against many members of the Blue Community.
After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.
As we cannot build the Blue Security business on the foundation we originally envisioned, we are discontinuing all of our anti-spam activities on your behalf and are exploring other, non spam-related avenues for our technological developments. As much as it saddens us, we believe this is the responsible thing to do.
You need not do anything as a result of this change. We will continue to protect your names and addresses and honor all privacy commitments we made to you.
We have concluded we should not take Blue Security to the full deployment stage we originally planned to achieve, but we are proud of what we have accomplished thus far as a young startup company.
We are extremely proud to have had the chance to work with such a devoted and dedicated community: thank you for the vote of confidence you gave us over the past few months as well as the particularly vocal support you have shown over the last two weeks.
We will be innovating and building our technology in new, other directions and will continue to give back to you, our Community.
Thank you for your support,
The Blue Security Team.
What about a solution like the SETI project? A nice graphical screensaver that uses spare processor cycles to send email spam to known spammers. It could even display something funny like a graph showing how much harassment you're causing.
However, I don't think any kind of attack spam with spam solution is worth it. We need to either redesign the protocol, marginalize the spammers, or make it very illegal and put them in jail. Sure, you might argue that direct marketing through email really isn't illegal (junk snail mail sure isn't), but I think if you don't respect the don't spam lists and requests to stop, or even go so far as to launch a DOS attack as TFA describes, then you definitely belong behind bars or without access to a computer.
I've been itching to sign up since I heard of this here, but first it was no confirmation email, then the members site went for a whole week with a "we're reorganizing it" message. I was wondering what kind of moron they have as an admin.
This is extremely disappointing, I must say. Now that they finally got a noticeable success, world wide recognition and made lots of spammers squirm and wonder what will they do, they go and give up? Sheesh.
But ah well. The client was Open Source, wasn't it? So, who will pick this one up, and get it back running? Pretty much all of the work seems to be done already, all it seems to need is becoming distributed, which would avoid this situation in the future.
Fine, I'm happy for you. You obviously don't own an active domain, or a business. Because otherwise I could guarantee that it gets to be a problem for you.
But the problem is not you, it's not me, it's not my little kid sister's dog.
The problem is that a couple of hundred big time spammers are getting rich by shitting into the communal water supply!
If you think that's acceptable within a society then you will apologise that I have no respect for you and the likes of you.
I am the musician
with a pocket calculator in my hand
kraftwerk
"It seems an effective method has been found but more than a small private company could handle."
is much less confusing like so:
It seems an effective method has been found, but it's more than a small private company could handle.
I'm probably wrong here, but I thought this would be the perfect application of P2P functionality. No matter how much someone tries to poison P2P shared files, they can never poison them all. When the whitelist/blacklist updates are shared out as signed, and user rankings can be compared, all should work. There is no central server, and if you can see that the file you have downloaded comes from a user with excellent karma, then it can be trusted. Sure, even that will have ups and downs, but there is no way to stop any user from updating from multiple sources, many times per day.
If the client was written to judge on differences and other algorithms for comparing lists from different sources, I think it would work well, at least better than trying to make your own lists all the time.
Support NYCountryLawyer RIAA vs People
It seems that the problem here is that they were brought down by the spammer's huge number of bots running on compromised machines. Why has no one tackled this problem? It seems to me that this should be the responsibility of the ISPs. I'm no expert but I believe that if someone reports to an ISP that a particular IP address is running a bot, that it should be a simple process for the ISP to do some tests to see if that is true by checking the nature of the traffic coming out of the machine. If they decide that the machine has been compromised, they should shut down its connection and redirect port 80 requests to a web page explaining to the owner that their machine has been compromised and how to fix it.
This does not seem to me to be a difficult technical problem and it is in everyone's interest to get the compromised machines off the net.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
...they could do what other large companies do. They get the senate and congress to talk to their buddies overseas to pressure THEM to curtail their illegal activities and such. This tactic worked wonders for Enron when they were trying to get their power set up in other countries in spite of resistance from local governments. (They just got the U.S. Government to throw a little weight around, threatening to cut off any aid.)
This really drives home how important it is for Average-Joe users to have decent security. Time was, if you got infected with a virus you'd get your hard drives wiped and have to reboot your machine. Then, viruses stole information instead. Nowadays, it seems like anyone with the inclination to do so can set up their own botnet using relatively simple tools.
And of course, if you're in the business of breaking the law online (or rather just being generally anti-social) it's simply prudent to gather an army of computers, and then use that power to make others give into your demands. The actions of one hacker and his botnet caused an entire company to shut down operation - that's scary.
And scarier still is that the thousands of people whose computers were hammering away at the server, contributing to the victory of evil over good, are unaware of the part their machines played, and will doubtless play again.
This really is the computing equivalent of creating massive private armies with a mind-control drug - and while the email system really needs an overhaul, while the possibility to harness this kind of power exists there'll be the opportunity for extortion on this scale.
My, that was a yummy potato!
Make it illegal to send spam AND to charge somebody else with sending it. Most of the spam does advertise something so fight the seller, not the spammer.
You mess with their illegal profits - they'll mess you up. It's as plain and simple as that. They're not even hiding it anymore.
Let's just hope they'll start receiving the treatment that their real-world counterparts have received. In our lifetime.
"In an effort to help reduce the amount of spam reaching Comcast.net email addresses, Comcast has implemented a new policy that will block email sent from an email server that has no rDNS entry."
http://forums.comcast.net/comcastsupport/board/message?board.id=2&message.id=79035
Since they did this spam getting through to my home account has dropped by at least 90%, as has mail ending up in the "screened mail" folder for my comcast email address.
It's means "it is" or "it has". The line should read "Blue Security has closed its doors."
you cannot defeat the spammers using their own methods.
At the current level of effort. Escalation may be the key. I'll mirror an earlier poster about decentralization. Maybe more servers, or a whole P2P type network bombing these bastards would be more effective.
BTW, like your sig. =)
Weaselmancer
rediculous.
I find it very hard to believe that it is this straight-forward for one individual to potentially bring down the entire internet infrastructure. The Register reported on this story and said, "Anti-spam firm Blue Security is to cease trading after deciding its escalating conflict with a renegade spammer was placing the internet as a whole in jeopardy." It went on to say, "During an ICQ conversation, PharmaMaster told Blue Security that if he can't send spam, there will be no internet."
I suppose the most concerning part of this story is the bit where bribery appears to persuade a top ISP to make some dodgy configs:
"According to Blue Security, a renegade Russian language speaking spammer known as PharmaMaster succeeded in bribing a top-tier ISP's staff member into black holing Blue Security's former IP address (194.90.8.20) at internet backbone routers. This rendered Blue's main website inaccessible outside Israel."
This story smells a bit.
What the reports fail to mention is that the spammers ran Blue Security's hashed email list, discovered who on their (spammer's) list was also on the BS list and are now sending a multitude of 'Joe Job' emails using people on the BS list as the 'From' address. I am now getting about 400 bounce-backs a day, god knows how many get through.
Zion has been destroyed, the robots have won over free humans.
Ok, well maybe that's taking the metaphor too far, but it is definitely a score for the spammers here. I say if the Blue method worked, as it is obvious that the spammers were very annoyed, it should continue. If one battalion has fallen, another will rise.
So, are the ISPs gonna do something about this in their "Net Neutrality" fight? I mean, most of the traffic out there has to be Spam, viruses and whatnot. Why are they not mentioned? Oh, I know because the entire case of the ISPs are Bullsh@#t.
What word rhymes with buried alive?
The bad guys won this time because we tried to match force with force. I've said it multiple times in this forum - we have to accept that spam isn't going to go away. The only way we're going to get it down to an acceptable level is to make it not worth doing.
Filtering is one way, but basing it on the raw content of the email won't work. If there was a public key repository where legitimate users placed a public key for decryption, and all legitimate email were sent encrypted with the corresponding private key, the authenticity of the email could be known. Then, if someone starts making a nuisance of themselves, they could get their public key revoked. If this method were used, filters could be made to only let through emails that decrypted with the public key of the sender.
Let's face it, spam is a fact of life. Remember that you're up against people who do this as their 9-5er with no regard for law, ethics or their public image if you want to go the force-vs-force route.
DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
I thought it was a bit of a no brainer that the spammers would win.
Blue security were/are dealing with people who thought they were above the law
Their servers got attacked ( if spammers control 50% of email messages I'm pretty sure one site won't be beyond their capabilities to DDOS)
It was a good idea but the only outcome was escalation and Blue Security didn't have the firepower to take them down
The following says it all (from http://poetry.eserver.org/light-brigade.html)
[snip]
Flash'd all their sabres bare,
Flash'd as they turn'd in air,
Sabring the gunners there,
Charging an army, while
All the world wonder'd:
Plunged in the battery-smoke
Right thro' the line they broke;
Cossack and Russian
Reel'd from the sabre stroke
Shatter'd and sunder'd.
Then they rode back, but not
Not the six hundred.
[snip]
Cannon to right of them,
Cannon to left of them,
Cannon behind them
Volley'd and thunder'd;
Storm'd at with shot and shell,
While horse and hero fell,
They that had fought so well
Came thro' the jaws of Death
Back from the mouth of Hell,
All that was left of them,
Left of six hundred.
[snip]
---------------THE END----------------
http://www.xanga.com/petantik
Be pretty hard to get a murder conviction ... after all, there are literally MILLIONS of people with a motive ... I can picture it now ... the jury is deliberating, and says "the spammer got his skull crushed in ... sounds like he got off too lightly, dah?"
From Spammers forum:
Congratulations to all contributors! Kiss the frog goodbye
(disable scripting before clicking to get past login)
You fight fire with water. Fighting fire with fire will just make the fire bigger unless it's very well directed fire.
So if you're gonna fight the spam fire with fire, use live fire. Or use water. Like from a firehose into their systems. Motherboards LOVE "direct liquid cooling".
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
When I read the article, I was struck by the fact that they're trying to use voluntary DOS attacks against spammers. I've NEVER heard of this company before, and I imagine Joe Average User hasn't either. I'm willing to bet that there are a lot more Joe Average Users out there with compromised systems on a botnet than there are people participating in the Blue Security net - probably by a couple factors of 10. Besides, do we really need another million computers wasting bandwidth on such an obviously failure-destined approach to spam-fighting? It just seems lose-lose all around to me.
picpix image polls. create - share - vote. fun!
It was only a few days ago that everyone here was predicting that membership would surge due to the recent publicity. Then they suddenly go out of business? WTF? I hope this is some sort of ploy just to make spammers look bad, because this is definitely NOT a happy ending. Hell, this isn't even an ending.
Maybe it is time for them to start charging subscribers. Or to make this a community project.
This works as well.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
[quote]After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations. [/quote]
I would have risked it.
I would urge people to ask blue to reconsider
No one has any balls anymore.
If you don't play high stakes you don't win much.
Sad to say, but the BlueFrog anti-spam client never really worked correctly. I tried it for two weeks, and found that it often failed to successfully report any spam at all about 1/3rd of the time. Even when it did work, it never seemed to cut down on my spam at all. If anything, the amount of spam that I'm getting now has doubled, since some spammers seem to be intentionally retaliating against me and sending me a dozen copies of the same spam mail over and over again. I went from getting 50 spam messages to 100 spams a day, and I did nothing to promote my e-mail addresses during that time besides installing BlueFrog. Thanks for nothing, guys.
According to my university's spam filter, up to 25 percent of all incoming messages from off-campus addresses are spam!
I installed Blue Frog some months ago. But I rarely found the icon indicating that it was working (I think the frog put a mask on). Also, they were never doing anything about the sites sending the spam that I was reporting. When I got a new computer I didn't bother to install Blue Frog on it. I installed SpamCopper, http://pctech.invisibill.net/mozext/spamcopper/, a Thunderbird extension that reports everything flagged as Junk to spamcop. I'm not sure if that's doing any good, either. I keep getting spammed from the same ISPs, mostly in .il (I'm in .il), .cn, .tr, and .br.
And underground, it'd also be helpful to DDoS the fuckers. The problem with that is that the dickhead 13 year old kids running the botnets don't care about spam.
If you want spam to be regulated and stopped, then you are opening the Internet to wider regulation and greater limits on free speech.
It is completely illogical to argue in favour of one form of censorship (stopping people sending E-Mail) but against another (e.g. Google censorship).
The frog needs to evolve into a P2P service that passes the addresses that need to receive opt-out requests. To prevent poisoning, there will still have to be a central cabal vetting spam, but rather than having spam reports come to a central server, they can be passed P2P--maybe even over an existing file sharing network. Then the cabal can send cryptographically signed instructions to the evolved frogs, which (ideally) in their large numbers could drop a spamvertized host in a few minutes.
I too have felt the cold finger of injustice.
Ok, one central server is easy to ddos, and flooding anyone that an anonymous packet tells you to is downright stupid. But you could set up a bot that visits every link in your mail (maybe except the whitelisted ones). If every mail server in the world did that, the spammers would get ddos-ed and the system would not be easy to abuse - to ddos someone with a million page hits you'd have to send a million e-mails.
This is not a novel idea, there was an article about it that I am too lazy to dig up right now.
This really looks like the ideal place to implement a P2P style model. Your server is a nice central target that the bad guys can attack. Distributing the load across a distributed architecture means there's no head to attack or cut off.
They're essentially using the power of numbers for attack, adapt a defense to match.
"We're hearing from federal law enforcement that they are getting more than one new case of online extortion each day"
Blue Security's network of over half a million hosts was dwarfed by a single Russian spammer.
Most spammers and extortionists perpetrate much more than a single act, using many hosts to launch the attacks. Certainly the Russian spammer is launching many attacks to justify their arsenal.
Why aren't the FBI and the State Department going after these attackers? Maybe they're too busy listening to American phone conversations. Those conversations must be very valuable, especially running up to elections...
--
make install -not war
You can't fight spam at the originating point. More often than not it's sent through hijacked PCs. Hitting them won't help anyone.
So you have to hit the site that's been advertised by the spam. P2P has been mentioned as the "way to go" to avoid a similar fate. And the dangers of "seed poisoning". This can be circumvented. Have the clients "read" the spam folder of the participating person. Have them exchange their spam folders. Have them count the messages received. And once a critical amount of similar or identical messages have been identified, have them hold a vote who's going to get it for the next, say, 8 hours.
This all can be done without the participation of a host.
Now, of course someone could send around some spam to, say, shoot at Microsoft. How to prevent that?
Well, spam needs some time to propagate. This time can be used to update some whitelist. This whitelist, again, would have to be administered decentralized. I.e. you declare something "not spam". If enough people call spam "no spam", the attack won't happen. At the same time, run a blacklist that lets you identify something "clearly as spam", which puts more weight behind the counter.
If something has circulated for 2 days or more and is still labeled "Spam", the flood rolls in. Yes, I'm aware that quite a few spam-ad'ed servers are hijacked too. That's why the attack should not run for more than about 2 hours. Should give the admin there a good heads-up, to say the least, and take a look at his setup. Should he not wise up, the next one runs for 4, then 8, 16, 24 hours and so on.
Still needs some fleshing out, but I guess that'd be a way to run it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Spam vampire - sap the bandwidth of spamming web sites. Copy and paste the urls from the spam you receive into the config file (make sure to check them first), or just pick someone else's below. Leave it on all day.
http://thescambaiter.com/antispam/SpamVampire/index.htm (scroll down to "Other Vampires")
http://www.feedbackarchive.com/spamvampire/
http://spamdot.sourceforge.net/
One that targets 419 and bank sites:
http://aa419.org/vampire/ladvampire.php
Oh, and for you pussies that think fighting fire with fire is wrong, you can kiss our asses. They probably smell better than what is in your inbox anyway.
Kill the SPAMers. Don't arrest them; don't berate them; find them and kill them. The world is overcrowded with scum anyway.
I never really understood the term "fight fire with fire."
Fighting fire with fire actually does make sense in the context of some sorts of fires. The most common one is forest fires. Intentional fires are used both as a prophylactic and as a method for fighting an in-progress wildfire. As a prophylactic, the idea is to deliberately burn out the flammable undergrowth before it gets sufficiently dense and dry to ignite the trees. To contain an already-burning wildfire, firefighters often use controlled burns to create firebreaks, since fire is the quickest way to clear an area of flammable materials. Of course, using fire to create firebreaks carries some obvious risks, but most of the time even if the deliberate fire gets out of control it just burns land that would have burned shortly anyway.
It does sound kind of funny, though: "Since we can't control that fire over there, let's start one here that we can control".
Historically, controlled burns have been used to contain large-scale fires in cities as well.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I came home the other day with a message on my answerphone telling me I had a spam bot or something similar running on my network. I took a look and there it was! I was amazed that they actually bothered to phone me and explain.
It was aaisp.com by the way.
Paul.
You wrote:
Spam is just as bad as child pornography or rape
No. It's not.
Our users never signed up for this kind of thing.
I'll sign up.
Is there a command line installable Linux client for this thing? I'll put a machine or two into the fray. I may not be very good at real security, but I know how to close ports.
Stop-Prism.org: Opt Out of Surveillance
"It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing."
You started the fight and you expected them to buckle but you forgot one thing. They don't care if what they do is illegal. You do.
They will keep sending their junk and if you think they will ever stop you are naive. You can't stop them from doing it. You have to accept that first and then come up with a method that will just make it harder for them to get their junk out.
So, the spammers win.
This is so depressing. Not because I just got Blue Frog set up this last weekend, but because, well, quite literally "the terrorists have won".
I see little recourse but to join a network of DDoS-bots that bombs the spam zombies off the net, and http requests any websites their email links to into oblivion.
Where do I sign up?
-- I have monkeys in my pants.
Right, so this approach to spam has been proven to work, or at least to get enough attention from the people it's working against that they've taken action. Which has killed the company, but its software is still around. Isn't this a perfect opportunity for the open source community? Without a central server or corporate body to attack, the principle could be made unkillable. Where do you direct your DDoS attacks if there is no single person or entity responsible for harming your shady business? Or does this require more than just the software to do - in which case, how many people does it take to run, and how much time each would a network of worldwide users have to donate to make it effective? Maybe it's a pipe-dream, mass human cooperation on a worldwide scale to take back the internet, but distributed cooperation like this could effect some major change. If people will donate hours of their time to look for grains of cosmic dust, would they donate hours to sending off emails to spammers under the banner of taking back their inbox? Probably not. Because they want that done automatically. And there's the problem. Any solutions?
I got hit for a couple of days, then I got the "I'm the evil spammer king, roll over and die" message, then the flood stopped. I've been at a normal level of spam for over a week now.
That sucks that they're throwing in the towel.
When you sympathize with stupidity, you start thinking like an idiot.
Seems to me that they've missed a wonderful opportunity. I seem to recall that there was a recent case of a Russian spammer who was found shot to death in his apartment. The Russian authorities didn't have time or interest in following up the case, so whoever got him (may I shake your hand, sir?) gets away with it. Seems like history needs to repeat itself. That'd clarify the situation quite a bit.
Being quick to take offense is not a virtue.
I say bring it! A war means troops and I'm ready to go. It also means the enemy will have to show his guns. There can only be so many bots on his net and everyone he exposes will be a fatality. Obviously the government isn't capable of doing anything more than listen to phone calls and read e-mail.
Having to work for a living is the root of all evil.
Any more than people want to know their 3 ton car is causing global warming. Imagine if Shell refused to sell gas to cars that do not have a certain fuel efficiency. How long would they stay in business?
It is one of the reasons libertarians are wrong. A lot of things can only happen because they are written down in law.
Should there be a law that forces ISPs to shut down bots? Well, it all depends on the kind of internet you want. A totally free one that is controlled by criminals or a non-free one that is controlled by the state.
Cause freedom doesn't exist. There is always someone in control. For now it is the spammers.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
This really demonstrates the need for a distributed version. Not only is the centralised architecture easy to attack, as we saw with BS vs PM, but also it's at the mercy of its operators. A living breathing antispam system was in place, with many willing users, but had to be shut down because the tiny head at the top of the body wanted out. If it was less monolithic, head shots wouldn't even exist.
Tie that in with my other idea, and maybe there's a good method in there somewhere.
1) the friendly DoSS machine should be distributed (screen savers are fair game for this)
2) although initial marketing/word spreading should be via a centralized site, this will inevitably become a target, so distribution should quickly become P2P based (BT etc...) once word has spread
2) The mechanism for centrally controlling the targets HAS to be centralized
3) you need to hide the centralized server behind something nice like Tor
Now go build it! I'm sick of this spam crap.
Because you can - or because you should?
Hello spammers. In Soviet Russia, the angry citizens beat the shit out of YOU!
Bastards! They deleted the source files! They could at least give the source code for us to share.
Anyway, this clearly gives us one choice: Decentralizing Blue Frog.
The concept has been proven. Flooding the servers with opt-out requests.
So I propose this: Make a decentralized "black frog" which directly analyses the e-mails and begins doing what Blue Frog did. But this time, it's per-user.
If anyone wants to start the Black Frog project, give me a message (my gmail address is posted in my account).
The concept is this. Instead of asking the spammers to download the "do not intrude" list, hash your own mails using the following formula:
hash = substr(SHA1(e-mail),32). And in the post tell the spammer to remove this hash from their mailing list. (We can include random hashes to make it blurry).
If anyone wants to start the project, I'd be happy to organize it.
We need:
* At least one person with access to the Blue Frog source code, or someone who has helped in programming the Blue Frog
* Lots of programmers
So instead of one central server...
You have one or more central seed servers (which could be attacked) and everyone else using the client also acted as a secondary server. When a central server was attacked, they could set up a new server on a new IP and attach to the network and still upload new banned spam.
So the spammers would essentially be taking on the entire world.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
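The hash-and-remove scheme proposed a few comments up (`hash = substr(SHA1(e-mail),32)`, padded with random hashes), sketched in Python as an added example; it is not Blue Frog's code and not the poster's. It assumes `substr(x, 32)` means dropping the first 32 hex characters of the digest, leaving 8, and that addresses are trimmed and lower-cased before hashing; all function names are hypothetical.

```python
import hashlib
import secrets

SHA1_HEX_LEN = 40
OFFSET = 32  # assumption: substr(x, 32) keeps hex characters 32..39 (8 characters)


def optout_hash(address, offset=OFFSET):
    """Truncated SHA-1 of a normalised address (normalisation is an assumption)."""
    normalised = address.strip().lower()
    digest = hashlib.sha1(normalised.encode("utf-8")).hexdigest()
    return digest[offset:]


def build_registry(addresses, chaff=0, offset=OFFSET):
    """Hashes of the opted-out addresses plus `chaff` random decoy hashes."""
    registry = {optout_hash(a, offset) for a in addresses}
    width = SHA1_HEX_LEN - offset
    target = len(registry) + chaff
    while len(registry) < target:
        # Random hex string of the same width as a real truncated hash.
        registry.add(secrets.token_hex(width // 2 + 1)[:width])
    return registry


def scrub(mailing_list, registry, offset=OFFSET):
    """Split a mailing list into (kept, removed) by comparing hashes only."""
    kept, removed = [], []
    for address in mailing_list:
        bucket = removed if optout_hash(address, offset) in registry else kept
        bucket.append(address)
    return kept, removed


def expected_false_removals(list_size, registry_size, offset=OFFSET):
    """Expected count of unrelated addresses removed by truncation collisions."""
    space = 16 ** (SHA1_HEX_LEN - offset)
    return list_size * registry_size / space


if __name__ == "__main__":
    # Constructed sample addresses, for illustration only.
    opted_out = ["Alice@Example.org ", "bob@example.net"]
    registry = build_registry(opted_out, chaff=5)
    kept, removed = scrub(
        ["alice@example.org", "carol@example.com", "BOB@example.net"], registry
    )
    print("registry entries:", len(registry))
    print("kept:", kept)
    print("removed:", removed)
    # With only 8 hex characters, a large registry also matches strangers.
    print("expected false removals:", expected_false_removals(1_000_000, 500_000))
```

With 8 hex characters there are only 16^8 possible values, so the chaff and the registry's own size both raise the number of unrelated addresses a list owner would drop; a longer truncation shrinks that at the cost of a larger list.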
The fact that BlueSecurity caused spammers such a headache that they either complied or attacked is proof that the idea of DoSing the advertisers is absolutely valid. This really hit spammers where it hurt which is why it provoked such a massive response. The failure of the model is that BlueSecurity represented a single point of failure -- they could be singled out for attack. IMHO, I think Paul Graham's idea outlined in his excellent article "Filters That Fight Back" will be the next step in this idea. If all mail servers were sending unsubscribe requests to spamvertisers, the assault on the advertisers would be distributed... DDoS. While spammers could take down BlueSecurity, they couldn't take down all the world's mailservers.
"Our users never signed up for this kind of thing. You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"
What kind of thing? What kind of effective method has been found to do, what exactly? What is "this" concept we are talking about?
I read this site (almost) daily but have never ever heard of this company before. As it is apparently some kind of small startup, I'd imagine many others around here have never heard of them, either.
Without any context, this "article" is pure gibberish. Maybe it makes sense after reading the linked article (which, I'll admit in good /. style, I haven't *yet* done), but can we please at least try to make somewhat clear what an article is about, so that everyone can decide for himself whether this subject is of interest to them in the first place?
Every expression is true, for a given value of 'true'
French.
Welcome to the maximalist's world, enjoy your stay. If you want to be competitive here, one should hope you are equipped to compete. No? Draconian methodology is, and always will be a very delicate, double-edged sword. I sincerely hope none here are surprised by this.
Let's hunt these F@ckers down and K*ll them.
After a couple dozen spammers end up dead, I bet the remaining ones would re-think their business plan.
If somebody knows the equivalent newEgg store in Europe, I would really appreciate it.
Thanks!
It is wonderful really because it does in fact allow one person to commit crimes that in the real world would require a small army.
That one man can control a lot of crime is nothing new. Check the history of the mafia. It is filled with nobodies rising to control entire cities.
Imagine if Al Capone had the use of robots that cost virtually nothing to produce. He would have owned the world.
And a bot doesn't cost anything to produce and can easily be set to produce countless offspring.
When you read the occasional story of botnets being discovered counting a million+ machines that means 1 person effectively controls all the home PCs of a small country.
So I don't find it at all amazing that one person can create so much havoc.
What is amazing is that we let them get away with it.
Countries like Russia and China should have had their internet cut off years ago and MS been forced at gun point to secure their OS.
Imagine if Sony's robot dog went around stealing peoples mail, how long would it be before Sony was called to order and those robot dogs shot on sight?
Just because it is on the internet we tend to accept things we would never tolerate in real life.
On the other hand, perhaps this is what makes the internet so special. Nobody ever said total freedom would come without a heavy price.
Perhaps this is the reason that wherever people have had total freedom they couldn't wait to introduce law and order. At least that is what westerns tell me.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Well...
This just proves that good does not always win against bad. I am always for a pro-active solution to problem, and Blue Security had that kind of approach. Though I never used it, I am all up for it. And to tell you the truth, if I was a member and got a few more spams due to that, I would not mind a bit. Hell, getting a couple more emails in a sea of spam won't make a difference.
I wish they would have stayed their ground, maybe losing some of their userbase. If they could have just got through this hard time....
But it ain't over until it's over
I hope....
If the spammers didn't control botnets that had tens of thousands of zombies under their control, then they wouldn't be empowered to bring such power to bear. The power to spray packets at people they don't like. The answer? Kneecap the botnets. And there is serious work underway to do just that. If you know anything, then you know what is going on to quell bot replication. There are companies and consortiums and the domestic US law enforcement agencies like the FBI get more international cooperation than you think.
Why doesn't the article state the obvious: All those zombie computers use MS windows. So, unfortunately, this problem is here to stay. We need a real Justice League: Anonymous heroes living in the shadows, who will put a bullet to criminals' heads when the long arm of the law can't reach them.
from: http://www.sonshi.com/
Therefore, to gain a hundred victories in a hundred battles is not the highest excellence;
to subjugate the enemy's army without doing battle is the highest of excellence
Therefore, the best warfare strategy is to attack the enemy's plans, next is to attack alliances, next is to attack the army, and the worst is to attack a walled city.
What we just saw was a failed attack on the walled city. Come on people, this spam stuff is easy. We should be more passive, evasive, quiet, never raising our voices to spammers, never confronting them, yet battling them by proxy, and avoiding them. Use spamassassin to quietly drop emails that are flagged as spam. Use various rules, checks, and metrics to assign probable spam flags to messages, keep your rules up to date, monitor trends, evade and obfuscate.
If the general cannot control his temper and sends troops to swarm the walls, one third of them will be killed, and the city will still not be taken.
This is the kind of calamity when laying siege to a walled city.
Generally in warfare:
* If ten times the enemy's strength, surround them;
* if five times, attack them;
* if double, divide them;
* if equal, be able to fight them;
* if fewer, be able to evade them;
* if weaker, be able to avoid them.
Evade, evade, evade. Avoid, avoid, avoid.
Toddlers are the stormtroopers of the Lord of Entropy.
Putting a price on having your email delivered is the only way to get rid of spam.... hell if regular snail mail was free, think of how much junk mail you'd get every day.
This doesn't mean that organizations who qualify won't be able to receive a "Postage Paid" certification or whatever... such as small org newsletters, etc. It simply means that non-certified mailers will no longer be able to send out gobs of spam for the price of startup expenses. They will have to go legit, meaning no more Zombie networks and higher operating expenses... which means even higher startup costs for newcomers and much much smaller profit margins, meaning a lot of them will decide to do something else.
Businesses will eat any expenses associated with direct emailings, just as they have done before and mostly do now... it's an operating expense.. part of the marketing budget.
Small businesses will need to account for this new expense and band together to form purchasing blocks to get better deals, or go through a media buyer who will parcel out chunks of a pre-purchased block... just as what happens with magazine ads, newspaper ads, cable tv, etc.
Small orgs and non-profits will want to lobby for a non-profit emailer certification status account.
Individuals will get unlimited emails via their ISP but will have a unique per email abuse link automatically attached to their email as a footer.... which will not trigger an automated blacklisting but will debit the individual's abuse quota monthly limit (say 30 per) by which their privileges will be suspended after they have reached the threshold. Additionally the abuse link will forward to a web page where a form will require a valid email to finalize the notification which will need to be verified by confirmation via a return email to the person reporting the abuse. This will prevent casual 'revenge' reporting as much as is possible.
TBC
A fool throws a stone into a well and a thousand sages can not remove it.
I have some inside information about this story. I can't fully disclose it, but there are some facts you should know:
There are millions of zombie PCs at homes around the world. These run hidden services that wait for commands. The commands can be "send spam", "initiate DOS", and the like. Most spam messages in your boxes come from these machines.
The guys that 0wn the machines are spammers, and they act like internet mafia - with protection fees and the like. Their power effectively means they 0wn the Internet.
Blue Security's method was so successful that it made spammers fight back. By using only part of their power - a few tens of PCs - they brought Blue (and their ISPs) down.
They can, at will, launch DDoS attacks even on Google/Microsoft - and bring them to their knees.
-N.
How exactly did this work?
I understand the idea was to SPAM the Spammers.
But who exactly did they spam? The spoofed addresses? The owner of the original IP?
>The problem is that a couple of hundred big time spammers are getting rich by shitting into the communal water supply!
That may be, but the REAL problem is that email was never designed to prevent its users from shitting into the communal water supply. We need a new email system/protocol/whatever, the current one is dead. I don't know how the new one should work, but I'm sure a lot of people have ideas on how to do it.
It's buried several.. paragraphs? sentences? words? letters? no, no, no, no... well it's got some whitespace before it.. so I understand how you missed the explanation of who they were and what they did which started on the first word of the first sentence of the first paragraph of the article. So I'll explain.
Some guy had the idea of: "Spam is like a DDoS. So, let's launch an actual DDoS against spammers."
Some spammer had the idea of: "Spam is not like a DDoS. This is a DDoS."
Some guy seems to have realized he was an idiot and stopped.
-- 'The' Lord and Master Bitman On High, Master Of All
A backfire is used to burn out a fire by depleting its fuel. Hence the term fighting fire with fire. It's really only useful for forest fires though.
Ooo man the floppy drive is broken. No wait. The computer is just upside down.
Fuck this for a lark! Where do I get to sign up for the cyberwar?
This is proof that their system pissed spammers off enough for a few of them to join forces and try and fuck things up. To be quite honest this is the first time spammers have been proactive in their attempts to fill my inbox, sure they may update lists, and change algos, but this is different.
If "spam" was a company this is the kind of move it would make if it felt threatened, and frankly even if the best we're doing is annoying these people, that's enough to justify this.
BlueSec: you got my vote and spare bandwidth if ever you decide to throw caution to the wind and try again.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Perhaps it would be more productive to analyse the behaviour of the botware itself, by allowing a machine to become compromised (a la "honeypot" - a "botpot" perhaps ;-) Once this is done, you could sniff the "botnet control" traffic, work out where the bots are being directed from, and attempt to tackle the problem further upstream ?
Also, an analysis of the control traffic may yield useful info as to the functionality of the bot. Some of this functionality could be used to *our* advantage (although it would be a very hazy legal area...) e.g. can the bot remotely shut down the machine ? Bots can do a lot more than just send spam, no ?
All idle speculation (on my part, at least. YMMV etc...)
"Our users never signed up for this kind of thing."
You'd better damn well believe this is exactly the kind of thing I signed up for. Showdown at high-noon and all that.
It's sad when choosing an installation directory on your own qualifies you as an "advanced user."
Spamcop has been around much longer than bluesecurity, it has already weathered many more DoS attacks than bluesecurity, spamcop has been sued a couple of times by spammers (and the spammers lost), spamcop has had its domain name hijacked, and yet it has survived. Granted, part of the reason they survived is because they are now owned by the anti-spam vendor, Ironport who also provides the free senderbase service.
I'm sorry to see bluesecurity go, but there are still other options for people who want to fight spam.
SPF support for most open source mail servers can be found at libspf2.
Is there any way to make a bandwidth counter that only counts what the user is purposefully uploading? Any large discrepancies would be a sign of a bot, and the system admin could be notified and the system checked.
We are all just people.
The CIA would go after spammers, if the spammers publicly spoke against Bush's policy or exposed Bush's lies.
Far fetched? What is Valerie Plame Wilson doing now? Of course it had nothing to do with her husband accusing Bush of lying.
Fight Spammers!
If we could reduce spam, we'd hopefully reduce the "need" (or desire) for zombie computers, and thus decrease the number of trojans/viruses/worms. Zombies are useful for spam and DDOS, and cutting the spammers out of the picture cuts the number of new viruses trying to make botnets.
No, the problem is it relies on someone having to run the service and make sure it runs smoothly.
Do you really think criminals who earn huge amounts of money are going to stop at DDoSes, spams and hacks? Do you really think that if the system were P2P the spammers will just say, "oh well, we lose, let's get another job"? No, they'll go after the people who run the service - sounds much more effective. This fight can and should be picked up by a government agency that can use the law to protect itself, not by security geeks who, with all due respect, won't really know what to do when a giant man with a club breaks into their house one night.
Blue's last actions are very not typical, given their PR history of calling to war. I wouldn't be surprised if they received additional threats they preferred to keep quiet, that forced them to quit the business with their heads down. Their site seems to have been closed already, within less than a day. Does that really sound like the company that's been pumping us with their PR for the last few weeks? Wouldn't they want to enjoy the Slashdot effect they could have with this post? Seems to me someone is very very scared...
The Spammers can thank Microsoft for the army of zombies they used to counter-attack.
Once again Microsoft ruins the internet.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
There is much irony in the quote that appears at the bottom of the page as I read the comments:
It would seem that evil retreats when forcibly confronted. -- Yarnek of Excalbia, "The Savage Curtain", stardate 5906.5
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
Come on guys!!, let me join the battle the next time, please?
An increasing amount of spam in my inbox comes from people advertising "the next great company" to invest in. No website is given. This is a cute tactic as it allows them to speculatively invest in the company (or perhaps own it), then pump up stock prices but without putting a web presence out there that people can visit, opt out of or whatever. Even a few cents increase (and I suspect its working (I'll use "its" anyway I please, thank you)) can result in nice profits. And of course the company's owners can always (and effectively) deny that they had anything to do with it.
What a sad day this is.
I did a fair amount of work behind the Digg-based response to these bastards.
We did a fair amount of temporary damage against this guy before it was all apparently for nothing.
Someone big needs to take this up *MICROSOFT ARE YOU LISTENING!!??*
I'd been thinking about joining before the attacks happened. When they did, I joined as soon as I could. I thought, "This must really work." The community was patting itself on the back for surviving the attacks. They were bringing stuff back online and reporting their progress in a little box on their website.
This makes no fscking sense. One minute they're bulletproof antispam gods, the only ones with a winning solution, and the next they've shut down the entire website for good, and I have to read about it in the Post?
I thought it was pretty much over. Didn't they set up a new firewall, or get a different host, or something? Sorry, but that's exactly what I signed on for. So,
What the hell?
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
It is clear that the one we use now is broken. So why is there no alternative yet?
The larger emailers like Google, AOL and what not could accept both. Using the new protocol will go as fast as it goes now. Using the old protocol takes 1 hour (to begin with).
People will ask why and the answer is that it takes so much time to check if it is actually spam, but if their server uses the new protocol, the delay will be gone.
People will start asking their providers/IT department why they don't use the new protocol and start pressuring them to use it.
It is clear that the way we go now can not last. It is also clear that switching everybody at 00:00GMT on day X won't work either. It should also be clear that nothing will remove Spam completely.
Don't fight for your country, if your country does not fight for you.
I'd say, that 99 per cent of company networks are not filtering outgoing traffic. This is one of the biggest problems. If they would start to block outgoing traffic from their clients and only allow connections to servers in the DMZ (mail, proxy, whatever), we would have a lot less SPAM. "Why?" you ask? Because almost every spambot sends out spam mails with its own SMTP engine and even if the spambot would use the configured local SMTP server, it would be easier to figure out that something is going on.
Next time you want to go all vigilante on spammers, use a baseball bat. -GiH
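The egress-filtering point made in the comment above, turned into a log check as an added example (not from the thread): internal clients that try to reach outside mail servers on port 25 directly, and clients that push unusual volume through the approved relay. The log format, the address ranges and the relay address are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed egress-firewall log (not real traffic). Assumed format:
# timestamp  source  destination  destination-port  verdict
SAMPLE_LOG = """\
2006-05-17T09:00:01 10.0.5.21 10.0.1.10 25 ALLOW
2006-05-17T09:00:02 10.0.5.44 198.51.100.7 25 DENY
2006-05-17T09:00:02 10.0.5.44 203.0.113.9 25 DENY
2006-05-17T09:00:03 10.0.5.44 192.0.2.33 25 DENY
2006-05-17T09:00:04 10.0.1.10 192.0.2.50 25 ALLOW
2006-05-17T09:00:05 10.0.5.30 198.51.100.80 443 ALLOW
2006-05-17T09:00:06 10.0.5.62 203.0.113.25 25 DENY
2006-05-17T09:00:07 10.0.5.77 10.0.1.10 25 ALLOW
2006-05-17T09:00:07 10.0.5.77 10.0.1.10 25 ALLOW
2006-05-17T09:00:08 10.0.5.77 10.0.1.10 25 ALLOW
2006-05-17T09:00:08 10.0.5.77 10.0.1.10 25 ALLOW
2006-05-17T09:00:09 10.0.5.99 garbled
"""

CLIENT_NET = ipaddress.ip_network("10.0.0.0/16")     # assumed internal range
MAIL_RELAYS = {ipaddress.ip_address("10.0.1.10")}    # assumed DMZ mail relay
SMTP_PORT = 25


def records(log_text):
    """Yield (time, src, dst, port, verdict) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        stamp, src, dst, port, verdict = parts
        try:
            yield (stamp, ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(port), verdict)
        except ValueError:
            continue


def direct_smtp_clients(log_text, min_destinations=2):
    """Internal hosts that tried SMTP to anything other than the relay.

    Blocked attempts count too: a DENY line still shows which client
    is running its own SMTP engine.
    """
    attempts = defaultdict(set)
    for _, src, dst, port, _ in records(log_text):
        if port != SMTP_PORT or src not in CLIENT_NET:
            continue
        if src in MAIL_RELAYS or dst in MAIL_RELAYS:
            continue  # the relay itself, or a client using it properly
        attempts[str(src)].add(str(dst))
    return {host: sorted(dsts) for host, dsts in attempts.items()
            if len(dsts) >= min_destinations}


def relay_heavy_senders(log_text, threshold):
    """Clients whose connection count to the relay reaches `threshold`."""
    counts = Counter()
    for _, src, dst, port, _ in records(log_text):
        if port == SMTP_PORT and src in CLIENT_NET and dst in MAIL_RELAYS:
            counts[str(src)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("direct SMTP:", direct_smtp_clients(SAMPLE_LOG))
    print("heavy relay use:", relay_heavy_senders(SAMPLE_LOG, threshold=3))
```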
If I were Microsoft, I'd go right in and buy up Blue Security and take over where they left off. Microsoft surely has the infrastructure to withstand these types of attacks and having them do something good in the fight against spam would certainly increase my respect for them. I'm willing to bet that a lot of people here would also have some newfound respect for MS if they did this.
Google makes a lot of money off spammers. They don't want the industry to go away. If disreputable everchanging entities aren't trying to outbid each other Google loses money.
Man, you really need that seminar!
This is really the only thing that could work. Add some kind of interface for adding and removing public keys of trusted parties, and you're in business...
except, of course, for the small problem of what to do when spammers decide to send spam advertising random companies. Any solution for that one?
Russian Police Claim Biggest Spammer's Murder Solved
. shtml
The police also examined another lead suggesting that Kushnir could have been attacked by robbers.
On Sunday the Moscow criminal investigation directorate detained a group of young people on suspicion of murdering Kushnir with a view to rob him. The investigators believe that a 15-year-old girl and two boys, 18 and 17 years of age, along with a 27-year-old accomplice had broken into Kushnir's apartment.
One of the boys wielded a baseball bat which he used to beat the man to death. The detainees insist Kushnir had invited them to his place himself where he made passes at the girl by the name of Vika. Her friends tried to stop him, then Kushnir grabbed a knife and the young men hit the man with an empty bottle on the head in order to defend themselves.
http://mosnews.com/news/2005/08/15/kushnirinquiry
Teasing the nobles, and rightfully so!
Catchall accounts are so much fun when a spammer decides to phonebook your site. Abby@yoursite.com, Abby.Adams@yoursite.com, Abby.Alda@yoursite.com, Adelaide@yoursite.com, Adelaide.Adams@yoursite.com, and so forth, just send email to every-name-in-the-phonebook@yoursite.com and some are bound to get through, right? One of my clients got 40-50 thousand emails in one day this way.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Too bad! This must have actually been working. If you boil it down to money, in order for the SPAM industry to spend time & money to attack, it HAD to have been costing them something (or posing a threat). I think this merely validates this type of response. Good job BLUE! Maybe someone with more guts will pick up the baton.
SpamKing: Stop the blue frogging!
BlueFrog: No. We're doing good here. Our users know we're doing good and they'd know we were doing bad if we caved in to your petty demands.
SpamKing: You can stop it and save face if you tell your users that you realized you were doing wrong and you're closing your doors for ethical reasons.
BlueFrog: No.
SpamKing: Stop it or we'll threaten your users.
BlueFrog: So? If our users are smart enough to use the blue frog, they're smart enough to see thru your threats.
SpamKing: Stop it or we'll kill you after we kill everyone you love.
BlueFrog: Hmmm... Okay.
Support the FairTax
Ironport management finally decided they couldn't play both sides of the street, sold off Bonded Spammer to ReturnPath, and discontinued the "A-series". The A-series supposedly reaches end of life at the end of 2006, so there are probably still supported Ironport engines out there spamming away. After that, the community can consider whether Ironport is a white hat or not.
The users who didn't "sign up for this kind of thing" can quit themselves. I, for one, did sign up for it, and I'm more than a tad pissed that the one obviously functional way to thwart spammers has been removed from my arsenal.
I can think of four possibilities for the real reason Blue Security is offline now:
1) It's a ruse, perpetrated either by BlueSecurity for unknown purposes, or by someone posing as BlueSecurity. http://www.bluesecurity.com/ is still down, so I'm going to wait and see what shakes out.
2) Reshef received enough serious threats against his person, family, friends to be forced out. This is absolutely possible when someone is the spearhead of stopping a less than legitimate flow of money.
3) Reshef took a payoff from the spammer(s). One would hope this wasn't the case, but it has to be considered as a possibility.
4) BlueSecurity's business model wasn't profitable. It costs a lot of money for hosting and internet services, especially when you're the target of DDoS all the time. BlueSecurity could have run out of money.
In any event - someone with big cojones and a crapload of mon-ay, please pick up the ball and run with it.
Web 2.0 == Giant Blogspam Circle Jerk
Funny how the quote at the bottom of the page is now:
'It would seem that evil retreats when forcibly confronted. -- Yarnek of Excalbia, "The Savage Curtain", stardate 5906.5'
It would seem the same is true for good.
All the bugmenot accounts are blocked so I can't log in.
It's the spammers' CLIENTS that Blue Security is going after.
This is why they got so pissed off in the first place.
Sorry if someone already suggested this, but, why not penalize the companies whose services are advertised in the spam e-mail? Obviously this won't work with the Nigerian scams, but any legitimate company who shows up in spam could be fined. Or in cases of egregious abuse, company officers jailed. Kill the market for spam, and it should be reduced.
The problem of course, is getting worldwide buy-in.
Now personally, I'd rather mix metaphors and literally fight spam with fire - Track these less-than-worthless bastards down and surround their offices or houses with a ring of fire moving in toward the core. Then roast marshmallows over their charred corpses as we sing "We Shall Overcome".
Here's my spam hate-speech. I hate spam as much as everyone here, and like most of them here, I also take an active part in anti-spam measures. I fight spam too.
Let me say that I'll bring some chips and beer and hand out marshmallows, we'll have a grand ol' time.
Zhrodague.net - I do projects and stuff too.
I'm with you! Spam drives me nuts... and I want to do something about it... even if it's not legal.
Meh.
I'd like to see Google go on the offensive, too. It should cost too much for Spammers to send out their emails, mostly in bandwidth costs. Isn't there a way to blacklist IPs that send spam? We need a realtime blacklist, and just not allow them to talk on the Internet.
Google, you already have minions of spam haters that aren't on your staff. Use us like a clue-by-four with sharp nails sticking out of one end: make it part of Adsense.
Zhrodague.net - I do projects and stuff too.
The ISPs should just close port 25 by default unless they get a phone request.
Is that so hard to do?
Pin a medal on their chests! That's one less piece of shit filling my inbox.
My patience is infinite, my time is not.
Identity will have to be withheld until negotiations are final. We are in the process of buying Blue Security intellectual property and continuing the fight. Our company currently owns an off-site data center here in the USA. We have approximately 1700 servers that will initially be dedicated in continuing the fight against spam. This number will certainly increase over time. Our company has the capacity and the know-how to continue this fight against spam. It is not over yet.
Watch for the frog to return in the next incarnation... Blue Frog Squared...
Blue security failed because they had a central location on the net which could be attacked by spammers. What if everything was distributed. Databases and content were stored encrypted and distributed across many nodes, like FreeNet or Tor. Emails deemed as spam would be put into the database, and when it hit a certain threshold (like say 50 reports of a particular message as spam) everyone would start hitting it.
I'm normally not a fan of this sort of action, but what spammers are doing is shady, and the only way to fight it involves shady tactics. Blue Security DID hurt the spammers, that's why there was such a backlash. As far as I can remember, it's probably the only thing that has actually hurt them in a significant way. If we could improve this sort of thing and make it decentralized, the spammers will have no one to attack and no way to fight back.
Bastards! They deleted the source files!
Damn guys. You won. Did you have to salt the earth too?
but spam is a problem of traffic
NO! SPAM is a problem of bandwidth STEALING! Spammers are using OUR bandwidth to GAIN MONEY.
Remove one of the two (our bandwidth, or their money) and we'll solve the problem.
We can only hope that politicians in all countries can be shamed into doing SOMETHING REAL about the problem. For one thing any individual that is willing to wage a cyber war of this magnitude should be taken out permanently. Surely the Russian government knows how to do that.
The race isn't always to the swift... but that's the way to bet!
SPAM is _NOT_ a fact of life! It's the symptom of a very serious problem: Lack of computer security, and a bad mail protocol.
If you give up now, you'll end up admitting that stealing, raping, kidnapping and murdering is a fact of life.
It's not. Crimes are to be FOUGHT and our AUTHORITIES are doing NOTHING about it.
All he did was show the spammers that in the end they always WIN. He should have started the war. Period. This spamming crap won't stop until it crashes the net and governments start throwing people in jail for it.
If you're not prepared to go big, don't go at all!
The problem with opening up draconian measures for spam is that it would become the new kiddie porn -- you don't like someone? Plant kiddie porn on their machine, send a tip to the FBI and presto, if they manage to avoid pound-me-in-the-ass prison somehow, they'll be dogged by a ruined reputation for the rest of their lives.
But hey, why stop there if you can whip whole populations into a literally murderous frenzy by getting someone tarred as a spammer?
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
They reportedly were also DNS blackholed first, which isn't good either.
This does not seem to me to be a difficult technical problem
It's not. It's a difficult social problem: getting end users to secure their machines properly. The technical parts of the problem are all pretty easy. It's the meatware that needs upgrading.
//Information does not want to be free; it wants to breed.
It is more plausible that Blue Security just ran out of money. They raised $3m in 2004 - it is entirely plausible, even likely, they burned through all of it. It is a disservice on their part to spin it as some chivalrous act "for the net". They make it sound like the spammers won when it was just VC funding that ran out.
Netcraft confirms it. No, really.
Now they have a huge list of emails to sell.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
> I have a catch-all email address set up on my domain - so $anything@$mydomain gets to me.
> [...] a few months ago, some [...] decided to use my domain name in forged From: addresses.
> I now receive on the order of a thousand spams, bounces and assorted related crap per day.
> [...] (Yes, I could switch off the catch-all addressing, but I actually find it useful,
> inconsiderate wankers trying to ruin the entire net for everyone not withstanding)
I use a Fastmail account.
The Sieve filtering is pretty good so I don't usually get more than a couple of spam messages/day while still being conservative about false positives.
However, the "secondary" spam -- mostly automated replies to forged addresses -- are getting quite annoying.
We will have spam as long as we rely on an email system that relies on the good citizenship of senders. The only fix is a new system where you can't create a new identity just by modifying your email header.
Your argument is flawed, because you have changed the argument; equating "hate" with "admonition" and "love" with "permissiveness". If I correct my child, it does not mean I don't love him or her. Indeed, it's usually the opposite. While some people express their views with hate, others do so because they are genuinely concerned. It is possible to tell someone you think they are doing something wrong without hating them!
Gamingmuseum.com: Give your 3D accelerator a rest.
but it does suggest that this is *one* tactic that *did* hurt the spammers. could we build a distributed system of email boxes that will virally fight back spam? what if all the google, ms, yahoo and other *major* mail servers/softwares agree on one common point: to send back the mail to the originator if it is a junk mail. you might want to mess up with the source address to avoid getting urself validated and added in the :active mailboxes list: though.
but seriously imagine that if all the mailboxes in the world emailed back all junk mail; then the spammers would have one mother lode to take care of.
PharmaMaster is in Russia, right? We create a pay-pal account for donations to the Russian mob to correct the problem. Better yet, the Russian Government.
In God we trust, all others require data.
No shit! We need to start up a "legal defense*" fund for these kids.
*retroactive bounty
It's not offtopic, dumbass. It's orthogonal.
Yes indeed, if you correct your child, then you have a point. If you'll reread my above post, you'll find that I have no problem with god correcting someone's misunderstandings.
My problem is with people who think they understand god's mind better than god does. Who are they to judge? Are they not mortal and fallible? In their own minds, the answer is clearly no, which is all kinds of pride and hubris.
(Sorry for the OT thread hijack, but I've got Karma to burn, and I don't feel like letting this one pass)
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Possibly true, if the bot is on a per-use line, the ISP doesn't have as much reason to care. However, that isn't the norm. The preferred hack victim is on an unlimited usage high speed connection (which most are). The ideal victim has an asymmetric UP-preferred line, but those are NOT common. Unlimited-high-speed is practically one word in most of the ads I've seen here on the East Coast.
Since the bot tends to be a high-bandwidth user, ISPs do have a strong interest to shut such down when they notice them on an unlimited use line: it's cutting into their profit margin, and benefitting neither the ISP nor their customer. Ideally, they first try less intrusive methods than cutting off the connection for letting a customer know they've been hacked (EG: a phone call, as others have noted). The full ROI is pretty good.
And as you said: Business is Business.
I also think you're too blase about end users dismissing notification that they've been hacked. If a notice apparently from the ISP also says "increased risk of identity theft", most users demonstrably sit up and pay attention. (Admittedly, they don't check whether it really comes from the ISP often enough....)
//Information does not want to be free; it wants to breed.
this is a grass roots distributed application if I've ever seen one. I'd be happy to help put spammers out of business.
This was doomed from the start when the service would basically ask the spammers to "stop nicely".
....
These fuckers are pond scum - we need to fight back and fight back with a vengeance. Non-stop DDOS I say
There has to be a penalty for this behavior - asking nicely is not an option
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
Does the federal government remember how to kill a man (or group of men)? It is time to start getting Gitmo bay on these bastards and podcast the video out to others...this is how the US deals with terrorist spammers. HAHAHA. Nothing is wrong with murder and torture as long as its intentions are good.
Junk email is *mostly* free. That is, you usually don't have to pay someone real money to send 1 email vs. 100,000 emails. So let's make spamming be a theft of services offense at the very minimum, but preferably a felony (grand-theft-bandwidth?). Since it is an international problem, get countries to sign treaties allowing the extradition of potential offenders (with the appropriate documentation, of course). Then have the CIA set up a third world country to handle the court system and prisons for this type of offense prosecution and incarceration, with humanitarian aid from the US and other countries to fund the infrastructure. I think that most spammers would be hesitant to spam if it meant 8 to 20 years of hard labor in a Turkish prison.
My first reaction was to email all the TV news outlets in my area with a link to the Washington Post article and a summary of what's been going on, asking them to educate the public as to what is going on. I'd encourage other slashdotters to do likewise.
If people don't see that 1) not doing anything about a virus on their computer and 2) the internet operating more slowly are connected, we'll never get rid of spam/spam-bots.
JGG
What can we do now?
Why direct the attack at the spammer? Direct the DDos attack at any business that hires the spammers. They are the real problem!
They want to increase traffic. I say increase it to the point they can no longer work, and get buried with bandwidth charges. The Spammer may be able to handle the attack, but not every idiot that hires them.
My guess at this point is that some physical threat was made to the owners/operators of the company. Probably surveillance photos of their houses/kids/spouses or something along those lines. They seemed so gung ho right up to this point, and I cannot imagine what changed so suddenly to reverse their position.
Spammers and organized crime have been in bed together for quite a while, would this really be a surprise?
Finkployd
Or the lack of public outrage may indicate that /. is just full of whining, bored nerds looking for some moral ranterbation.
They can have my command prompt when they pry it from my cold dead fingers.
1) Google is the root of the problem.
2) People are obsessed with sex.
3) People are stupid.
4) Empowered female sexual selection in the western world favours the stupid and well endowed.
5) The muslim extremists are right.
5) We are doomed.
I bet most people wouldn't know this seemingly urban myth...that water is NOT always good to fight fire with, particularly when:
1. the accelerant base is excessively fluid, in which water would only spread the fire.
2. In vacuum or space, water gets vaporized. Fire-fighting in space must be a new science here.
3. In deep ocean, nothing burns for too long.
4. fire is WAY WAY too hot (not normally found in nature, but magnesium fire is one), in that case, the water BECOMES the fuel with continuous splitting of water molecules at that ultra-hot zone plus recombinant energy from refusion in colder zone.
Hey NASA? Would that make a new jet engine using compressed (deep ocean) water as a compacted, cheap and efficient fuel storage? Need to kickstart this, somehow? Oh, wait, it's called Tomahawk fusion... drat...
NB: This message is more or less a scratchpad of my thoughts about this subject. I don't think I have attacked your problem properly, but it does propose some countermeasures against rampant DDoSing.
;-))
With bluefrog:
You send all your spam to a central authority (bluesecurity). They do some stuff to group spammails into clusters. Those clusters are then analysed by hand. The spammer is warned. The cluster gets a URL of the spammers server attached to submit complaints to. When the spammer doesn't comply within X days, everybody who sent a mail for that spammail-cluster is told the URL and how many mails they sent. These people then send as many complaints to that URL as they received spams (1 spam -> 1 complaint).
The latter part is handled by the personal(!) bluefrog client on behalf of the people that use bluefrog. The first part of the chain is either initiated by the user or an automated spamfilter, so this is also on the user side.
With a P2P approach:
The middle part was centralised, and therefore attack-prone. I have been thinking about ways of decentralising the spammail clustering. There ought to be a way for a client to learn what other clients have received the same spam-message. For example by doing DHT lookups on hashes of chunks of spam messages (doh!).
Attaching a URL to send complaints to could then be handled by requesting several users in the cluster to find an appropriate form on the spammers website. Clients that have concluded that they are talking about the same spam mails could then use this URL too (that's somewhat the dangerous part, indeed..). If the verification of mail similarity is done right, a spammer that wants to use the network to DDoS can only generate as many complaints as he is sending spams. Which means that spoofed complaint URLs have less of a bad effect on innocent bystanders, though it does cripple the effectiveness of the network.
But how do you handle malicious clients that try to overload the lookup network, try to spoof wrong complaint URLs into the network, etc. etc.? I know lots of research has been done in this area. It's not an easy thing to tackle. Basically (*cough*) you need to code the clients so it tries to maintain goodness in the social network.
There are already several companies that track the spammyness of websites. You could use that to weed out bad complaint URLs (measure of badness). And good complaint URLs are probably URLs in the same domain as URLs mentioned in the spam. Or the complaint webpage should contain (the same) spammy words as the ones in the mail (measure of goodness).
Hmm, I think I forgot the central authority needed for the do-no-intrude registry. Are there algorithms to build a large list whereby nobody understands other parts until everything is brought together? Which comes to the point that if everyone in your cluster is an attacker, they will know it was you anyways. Which isn't even that bad, because they already knew you were the only non-attacker.
Or you just trust on the fact that a centralised do-no-intrude registry is so loosely coupled with the success of the anti-spam network that it won't be attacked..
Conclusion: Blah.. whatever.. probably impossible to fully decentralise.. (or ask the freenet developers
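The chunk-hash lookup this comment sketches, combined with the report threshold an earlier comment proposes, as an added example that is not part of the thread or of Blue Security's software. It covers only the clustering step; the `ChunkIndex` class, the in-memory dictionary standing in for a DHT, the shingle size, the overlap ratio and the sample messages are all assumptions made for illustration.

```python
import hashlib
import re
from collections import Counter, defaultdict

SHINGLE_WORDS = 4     # words per hashed chunk (assumed value)
MIN_OVERLAP = 0.5     # share of a message's chunks a peer must already hold (assumed)
REPORT_THRESHOLD = 3  # distinct reporters needed; the thread suggests e.g. 50


def normalize(body):
    """Reduce a message to the words that survive per-recipient randomisation."""
    text = body.lower()
    text = re.sub(r"https?://\S+", " url ", text)  # tracking ids differ per copy
    text = re.sub(r"[^a-z\s]", " ", text)          # drop digits and punctuation
    return text.split()


def chunk_hashes(body):
    """Hash every run of SHINGLE_WORDS consecutive words; these are the lookup keys."""
    words = normalize(body)
    if not words:
        return set()
    last = max(len(words) - SHINGLE_WORDS, 0)  # short messages yield one chunk
    shingles = (" ".join(words[i:i + SHINGLE_WORDS]) for i in range(last + 1))
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles}


class ChunkIndex:
    """Stand-in for the DHT: chunk hash -> set of reporter ids.

    In a real DHT each key would live on a different node; a dict keeps the
    example offline. Reporter ids are assumed to be pseudonymous.
    """

    def __init__(self):
        self._store = defaultdict(set)

    def publish(self, reporter, body):
        for key in chunk_hashes(body):
            self._store[key].add(reporter)  # a set: repeats never inflate counts

    def seen_by(self, body):
        """Reporters whose published chunks cover at least MIN_OVERLAP of body."""
        keys = chunk_hashes(body)
        if not keys:
            return set()
        hits = Counter()
        for key in keys:
            for reporter in self._store.get(key, ()):
                hits[reporter] += 1
        return {r for r, n in hits.items() if n / len(keys) >= MIN_OVERLAP}

    def report(self, reporter, body):
        """Publish a message and return everyone now known to hold the same spam."""
        self.publish(reporter, body)
        return self.seen_by(body)

    def is_confirmed(self, body):
        """True once enough distinct reporters hold a near-identical message."""
        return len(self.seen_by(body)) >= REPORT_THRESHOLD


# Constructed sample messages: three variants of one campaign and one normal mail.
SPAM_A1 = ("Dear friend, buy cheap meds online today at "
           "http://pills.example/?id=8841 and save 80% on every order. Limited offer!")
SPAM_A2 = ("Hello pal, buy cheap meds online today at "
           "http://pills.example/?id=1207 and save 80% on every order. Act now!!")
SPAM_A3 = ("Dear customer buy cheap meds online today at "
           "http://pills.example/?id=5530 and save 80% on every order, limited offer")
HAM = ("Hi team, the quarterly security review moved to Thursday at 10am, "
       "please bring the incident timeline for the mail outage.")


def demo():
    index = ChunkIndex()
    index.report("peer-a", SPAM_A1)
    index.report("peer-b", SPAM_A2)
    before = index.is_confirmed(SPAM_A3)       # only two reporters so far
    cluster = index.report("peer-c", SPAM_A3)  # third variant joins the cluster
    return before, sorted(cluster), index.is_confirmed(SPAM_A1), index.seen_by(HAM)


if __name__ == "__main__":
    print(demo())
```

Counting distinct reporter ids only stops a single client from inflating a cluster; it does nothing against an attacker who controls many identities, which is the open problem the comment itself raises.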
As I read the article it occurred to me that the spammers won mostly because of one thing. Blue Security was centralized. If a similar service operated in a manner similar to a BitTorrent where each client was also a mini-server could attack succeed? The problem that I see here is that the mini-servers would still need to be controlled and would need to have some sort of remote update ability. It would I suppose also be difficult to keep them all adequately synchronized - but would these problems be insurmountable? I'd think not but I am no expert. I'd think the old Kazaa client would be a good example to start from...
The possibility that it would be difficult to profit from something like this may be more of a problem than the technical challenges. Maybe this makes it an ideal candidate for open source? Again, I am no expert. I really am hoping to spur some discussion more than anything else.
You both have a point. If you're talking Old Testament Bible-based God, he loves people. He generally doesn't tolerate destructive actions, however. It's the old "Hate the sin, not the sinner" attitude. This is the same God that commanded the nation of Israel to commit genocide on more than one occasion, so it kind of makes you re-evaluate the Western humanist concept of "love" in this context. The nation of Israel was almost wiped out itself for refusing to commit the genocide commanded. If you're talking about a Trinitarian-post-Christ God, you're talking about the same God... however, he loved people enough to give them one way out of the retribution if they were willing to humble themselves and take it. In this situation, NOT telling others about this one way would be an unforgivable sin, as you'd be saying "I don't care that you don't know." In such a situation, the person isn't saying they know God's mind better than he does, they're saying they're willing to follow explicit instructions from God. This being said, judging is not one of the things they've been commanded to do. Judging in this situation would be hypocritical; sharing information however, would be required.
I couldn't let this one pass either, as it seemed to be assuming too much on both sides of the argument :)
Until you have a legal resource against people who allow their home boxes to get rooted and be turned into zombies. That's the real weak link here, that's what makes it possible, so that's where the action should be. There's no actual financial fine/penalty for running a rooted box that affects joe (mostly windows) luser other than his machine slows down. They don't care, not enough to get educated, learn how to do anything, nothing at all. And you won't get any of them to admit to being part of the problem, oh,no, it's always someone else's problem, they accept zero responsibility for driving their computer on the internet highway, zero fault, although they all bitch about SPAM.
Until people are held liable for something like the well established legal principle of "maintaining an attractive nuisance" and you can win damages in court, SPAM will continue. If SPAM costs you as a host company or just your individual website gets zapped, whatever, for x-large-dollars in lost revenue when you get DDoSed, and you have the IPs of the zombies, and then fail to follow through and sue them folks, well, tough noogies. Whine about it, beat your head against the wall. You can at least do it for any IPs inside your own nation, outside, where they don't give a crap about laws or anything that affects you, just block whole subdomains, and keep doing that until you get to a level you can live with. You have two choices, keep trying to be passive and work on ineffective anti missile defenses, or go pro-active and hit the individual sites where the attacks come from in the WALLET. A combination of sheer embarrassment, lost cash and public notice of how bogus that system is and how insecure it is will work, nothing else will. And you know why? Because once hundreds of people lose in court, then THEY will sue the upstream vendors who "licensed" them this crap, who foisted this abomination on them and told them (screw the EULA, it's real world smiling people using the net with zero problems on the commercials) it was suitable for internet use, when obviously it is NOT.
This wasn't their business model. They were a front for spammers, helping them listwash. The whole DDoS thing was just a way to get publicity, get more addresses and an excuse to get out before they were caught.
No, I don't really believe that, but who's to say?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Filling out the forms on legitimate companies using spammers to get more business may be effective.
;-)
But to stop the pharma-spam (and other non legal business) it would be better to target their merchant accounts.
They need to get paid so they use Visa, Mastercard & Amex.
Surely Visa, MC & Amex would be willing to close down the merchant accounts if they knew the kinds of business they were supporting
How anybody is stupid enough to type their credit card details into these sites never ceases to amaze me. I wonder how much card fraud is a result of these sites selling on card details?
There is no reason why spam should be as serious as you make it out to be, for an individual, a business, or any sort of organization with an online presence.
First of all, there are numerous spam filtering systems out there. Many are open source, and freely available. It may take some time to set them up, but if spam's as big of a problem as you make it out to be, then the cost of setting up such a system likely pales in comparison to the cost of receiving the spam in the first place.
A typical 500 MHz PC running OpenBSD is more than capable of filtering tens of millions of emails a day. Such systems are dirt-cheap when bought used. Again, there will be a cost associated with getting OpenBSD up and running, but again it is quite minimal.
Of course, you could probably get away with using an ancient Sun Sparcstation if you installed a mail server that properly blocks mail from known spammers.
Furthermore, you can always use good practice when it comes to email. Munge your address whenever you post to public forums. Use one of the many temporary email services. Have a special address that you only give out to trusted acquaintances. And the list goes on.
Taking those very simple steps will eliminate the vast majority of your spam problem. Even just doing a few of them, such as maintaining good practice, will often be enough. Those who bitch most about spam are often those who are too lazy to take the basic precautions against getting it. And these are precautions that work almost all of the time!
The only reason spammers are getting rich is because people are allowing them to do so, by people in general not acting in a rational, defensive fashion.
1: add your address to anti-spam list
2: watch spam go down
3: company cannot fight war, closes doors
4: bankruptcy firm sells asset email address list to spam factory
5: your spam quadruples
6: ?
7: profit!
The question is, are you giving them the way out, or are you leading them into damnation? You're assuming that your interpretation is the only possible true interpretation, and that therefore you have the right & duty to enforce that interpretation on people who disagree with you. That is incredible hubris.
In the modern day, we see a lot of people judging and throwing stones, and claiming that they're right to do so. Now, I'm no biblical scholar, but I'm pretty sure that both the OT and the NT are pretty specific about people usurping the prerogatives that belong to god.
Let me be blunt: It is not given to you to be judge and jury to your fellow man. No one appointed you the sole keeper of god's laws, and nothing makes your interpretation of those laws superior to another's.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
[raised specter of attacking a non-spammer victim by] whip[ping] whole populations into a literally murderous frenzy by getting someone tarred as a spammer?
Criminal justice STARTS from vigilantism and revenge: In the absence of effective law enforcement and the presence of repeat offenders, people will act individually or in groups to hunt down the repeat offenders and punish or kill them, to create a disincentive to commission of more offenses (at least in that area and to those victims), or eliminate the offender.
(Note that this is distinct from self-defense resistance to a crime in progress. Self-defense becomes vigilantism once the perpetrator is out of sight.)
But such do-it-yourself activity has downsides. Sometimes the wrong person is targeted - especially if the crime was heinous and emotions are high. Sometimes penalties are excessive. Sometimes some "leader" uses the mechanism to commit crimes of his own. And always there's an uncertainty about exactly what constitutes enough of a "crime" to rouse the hue and cry.
So governments formalize the process. They establish a list of what's permitted and what's not. They establish rules for identifying and accusing perpetrators. They may designate people to do this, and/or define how much of the process designated and ordinary people may do. They establish mechanisms for determining guilt or innocence - and may designate people to perform this. They establish schedules of punishments.
And they generally claim a monopoly on this, forbidding the freelance form.
People will generally go along with this as long as it's working at least moderately well. Though a particular government's version of this formalized vigilantism may have any or all the problems of the ad-hoc sort, it tends to have less of them - and it's out in the open so it can be debugged.
But when someone is repeatedly imposing damage on others, government refuses to do anything about it, and the problem keeps recurring and escalating, people will fall back on the informal form of "justice".
That's the situation we have now, with spam.
Now government is apparently keeping its hands off mainly to try to avoid regulating the internet - because it has recognized that this flock of geese is laying a MOUNTAIN of golden eggs and they don't want to risk killing it. So the regulators are foot-dragging as much as possible, to see if some non-regulatory solution can be achieved.
Unfortunately, the organized spam/malware gangs are a pack of predators that are starting to decimate the flock.
So don't be surprised if a continued governmental hands-off of this problem leads to vigilantism - in increasing amounts and number of forms - first in the virtual world, then in the real one.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It is NOT a fact of life to just be accepted.
The problem is, and has been for a LONG fucking time now, that SMTP IS BROKEN.
And every time this is brought up, the security gentry stroke their beards and cough out their derision. "NO!" they cry, "There's nothing wrong with SMTP! There's nothing wrong with an antiquated system that pre-supposes a friendlier internet that no longer exists and allows carte-blanche forging! Pshaw!"
The entire mail protocol common on the internet today is a relic made for an internet of yesterday--one which wasn't infested with criminals, dumbass script kiddies, and the "proof of concept" criminals that are more than happy to arm the kiddies with new toys to play with.
That's one. It will take at least two.
(Given that the police are saying this one may be unrelated to spamming, it may take at least two MORE.)
Hiroshima showed Japan that the US COULD make and deliver a nuclear bomb.
The Japanese generals knew what it was, because they were working on one themselves. At that point, many of them thought the war was lost, and were prepared to surrender. But some of them argued that collecting and processing the necessary materials was such an effort that the US probably only HAD one and wouldn't have a second for a long time.
Nagasaki showed Japan that we had more than one. This left open the possibility that the US might be able to keep this up - once a month, once a week, once a day, once an hour - until Japan was all rubble and slag. So enough of the rest threw in the towel, too, for Japan to submit without total loss of honor - and thus drastically cut the loss of life on both sides.
A deterrent doesn't deter until there is reasonable expectation that it may occur. One dead spammer - who may be dead for other reasons than spamming - might make them think a little. But it will take at least two dead spammers - unambiguously dead because of their spamming - to provide enough datapoints for the intelligent among the pack to start including it in their cost-benefit analyses.
Please note that I'm NOT advocating the wholesale and gory murder of spammers. I'm just noting that, if that DOES end up being the solution (or even a component of it), it won't be limited to one bloody corpse.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The real problem today is the combination of broadband and Microsoft having a criminal monopoly that has created a virtual monoculture of software that is easily crackable.
Think about it, any legit mail server that sends UCE would be dumped in a month by the ISP. So spammers have to hijack systems. Win98 and XP makes this very do-able.
The article should have said, "The spammer, with the help and complicity of Microsoft via its legions of insecure computers, launched a DOS attack."
When I first heard about Blue Security's idea it sounded very cool. ... in order to fill the database with crap.
Blue Security's idea is to submit bogus entries for input fields like name, address,
However, what do you do if the website has a captcha on the order form?
You are pretty much f*cked up.
I wanted to check it out with real life spam.
So, I opened my spam folder and chose the first spam email from this list.
Visited the website advertised here and looked for the order form.
And here it was: a really hard captcha.
Use digital signatures and throw out all unsigned mail and all mail signed by anyone you don't trust.
Unsigned email will disappear, and I bet it will happen in a 6 month window some time in the next 3 years.
In Free America, Spammers legislate to get the shit beat out of angry citizens!
I can't honestly say that I feel saddened by this. It's a shame they didn't simply crush his hands or something though. Let him live a miserable life without the ability to control a computer with ease.
Your honour, my client pleads first degree pesticide.
If Em believes that his interpretation a) asserts itself to be the only true interpretation (possibly true? wtf do you mean by that? It is either true or it is not.) and b) demands that he act in a certain manner, whether or not some other people see his actions as "enforcing his interpretation on others", then it would be bloody stupid for him not to act in that particular manner.
If you're going to argue against a particular set of beliefs, you must begin with all the assumptions, moral and otherwise, of that set of beliefs. Taking a set of beliefs which calls for evangelism as a virtue to be practiced, and denouncing it on the grounds that "You're enforcing your beliefs on someone else!!" is just bad reasoning. Someone who holds that set of beliefs obviously doesn't think that enforcing his/her beliefs is wrong. You might try persuading him/her that enforcing beliefs is wrong, but just saying it doesn't make it so.
On the other hand, it would appear that you do think that enforcing beliefs is wrong. Thus, you prohibit yourself from telling the first person (who perhaps thinks enforcing beliefs is right) to stop, because that would be enforcing your own beliefs on him/her. Now then, of course, if your beliefs include some double standard, which is perfectly plausible, although rare, then that is fine, you are perfectly consistent. For that matter, you could exclude the double standard, so long as you also excluded the principle of non-contradiction. That is perfectly fine.
I just wanted to make sure that you had thought about things and were certain that your system of morals, which appears to tell you that anyone enforcing their beliefs on someone else is wrong, does not condemn your own actions.
nothing makes your interpretation of those laws superior to another's.
So what makes whatever interpretation of "those laws" that allows you to say this superior to his?
One more question: Does this come under the heading of me enforcing my beliefs on you, or me enforcing your beliefs on you?
SIGSEGV caught, terminating
wait... not that kind of sig.
I admire their plan of spamming back spammers, but the spammer body is bigger than Blue Security's. They died honorably for this cause.
You got my point exactly. I was assuming he was able to figure this out from my original post ;)
Opt out a single request (your blurry-hashed e-mail). This way the P2P network can concentrate on the logic of "if" and "how" a server should be requested.
In my journal (see below) we're discussing approaches to decentralize blue frog.
Looks like the spammers are continuing their attacks against Blue Security, even after it threw in the towel. This from The Post's Security Fix blog:
"Hours after anti-spam company Blue Security pulled the plug on its spam-fighting Blue Frog software and service, the spammers whose attack caused the company to wave the white flag have escalated their assault, knocking Blue Security's farewell message and thousands more Web sites offline.
Just before midnight ET, Blue Security posted a notice on its home page that it was bowing out of the anti-spam business due to concerted attacks against its Web site that took millions of other sites and blogs with it. Within minutes of that online posting, bluesecurity.com went down and remains inaccessible at the time of this writing.
According to information obtained by Security Fix, the reason is that the attackers were hellbent on taking down Blue Security's site again, but had trouble because the company had signed up with Prolexic, which specializes in protecting Web sites from "distributed denial-of-service" (DDoS) attacks."
More here.
...because you never know who you're dealing with.
I propose a new solution to carry over. It would require some organization, and project management.
Utilize P2P technology to process complaints similar to how Blue Security did. Instead of storing people's email addresses somewhere centrally, we'd need a different mechanism (like hashes).
This should be headed by someone reputable in the biz. Once we de-centralize this, the issue of central DoS becomes somewhat moot.
Granted the spammers kiddies will continue to try DoS, but they won't have a central target this time.
Thoughts, ideas?
I'm sorry but BS wasn't solving the problem, despite your desire that it would
The evidence simply doesn't support your assertion - unless you are claiming that the spammers retaliated against Blue Security despite the fact that BS's activities were not affecting the spammers.
My next sig will be ready soon, but subscribers can beat the rush
If I had a security company which had absolutely nothing to sell and I ran out of money, I would fake an attack of a vicious spammer and blame him for the closing of doors.
"It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start" sounds like a lousy excuse.
Interesting point. I am not, as you seem to be suggesting, an ethical relativist. On the other hand, Christian dogma is so amazingly fragmented it would be difficult to attribute anything like a consistency of belief across the whole of the religion.
My point, thus, is that, where there is doubt, there should be circumspection. I've never heard a defense of murder, for example, that would appeal to a rational audience. On the other hand, biblical passages have in times past been used to justify murder, for example, the Salem Witch Trials.
Now while I hold that anyone who feels strongly that witches should be burned has every right to that belief, I strongly object when they try to impose that belief on a world that disagrees. Likewise with the modern evangelical tradition of deciding, arbitrarily, on what constitutes the truth, and then attempting to force that belief on all and sundry. They would certainly expect their beliefs to be honored...indeed recent history can be conclusively shown to demonstrate a tendency on the part of evangelical christians to hysterically denounce any and every action that they feel impinges on the fullness of their belief (e.g. the "Holiday Tree" debate, and others).
Now, historically, there has been a way around this impasse of beliefs that I'm going to refer to as laws, which, for the purposes of discussion, we can think of as "enforceable beliefs" that are agreed on by people who otherwise have different belief structures. Now recently, the evangelical types have taken to thinking of any "belief" (be it legal, moral, logical, or scientific) that runs counter to their own beliefs as less valid, and, indeed, a purely personal attack on their correct beliefs.
Now my argument, if you would call it thus, is simply to point out that, with so much disagreement on the fine points as it were, of their beliefs, it would be wise for them to accept, with some Christ-style holy humility, that other people are also entitled to beliefs, before their hysterical intolerance breeds domestically the very same problems we see all over the world.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
The basic problem with most anti-spam systems is that they allow by default, and have a list of things to block, instead of blocking all, and a list of things to allow.
A shared whitelist system would be better, where you can share your whitelist with your contacts, or download whitelist catalogs from authenticated sources. In the p2p whitelist, each step of propagation would increment a counter so that it could only spread 'N' degrees, while the whitelist catalogs would have digital signatures for the package. And of course the list wouldn't contain actual e-mail addresses, but instead hashes of them.
Yes, the Whitelist would be huge, but, it would be much smaller than the Blacklist!
Another way would be to start a private mail network; large corporations that send mail to each other would probably appreciate a special authentication. When an employee of Dell sends an e-mail to an employee of Microsoft, the businesses could afford a separate e-mail 'universe' unconnected to the general internet (which would help protect trade secrets, special deals, etc. from prying eyes). Entry to the system would be by posting a multi-thousand dollar bond to an escrow fund, which may be forfeit if the exclusive semi-private network is abused, but refunded if the organization leaves on good terms.
Another easy system would combine whitelists with a small challenge, such as requiring the sending computer to determine the square root or factors of a 1000 digit number, or some other task that requires a few seconds of CPU effort, to slow down spam a lot. And if the sender's e-mail software can't handle it, a human readable CAPTCHA image as an auto-reply, with a correct answer allowing access.
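The whitelist-plus-challenge scheme proposed in the comment above, as an added sketch that is not part of the original post or any real product. It assumes SHA-256 hashes of normalised addresses, a limit of N = 2 hops, and a hashcash-style hash puzzle swapped in for the square-root or factoring task, because its cost is tunable and checking an answer takes one hash; all names and constants are hypothetical.

```python
import hashlib
import os
from itertools import count

MAX_HOPS = 2    # assumed value for the comment's 'N' degrees of propagation
POW_BITS = 16   # assumed difficulty: about 65,000 hashes on average to solve


def addr_hash(address):
    """Entries are hashes of normalised addresses, never the addresses.
    Caveat: an unsalted hash can still be tested against a guessed address."""
    return hashlib.sha256(address.strip().lower().encode()).hexdigest()


class Whitelist:
    def __init__(self):
        self.entries = {}  # address hash -> hops between us and the owner

    def add_contact(self, address):
        self.entries[addr_hash(address)] = 0

    def export(self):
        """What we pass on: hop counter incremented, dropped past MAX_HOPS."""
        return {h: hops + 1 for h, hops in self.entries.items()
                if hops + 1 <= MAX_HOPS}

    def merge(self, shared):
        """Accept a contact's export, keeping the shortest path per entry."""
        for h, hops in shared.items():
            if hops <= MAX_HOPS and hops < self.entries.get(h, MAX_HOPS + 1):
                self.entries[h] = hops

    def allows(self, address):
        return addr_hash(address) in self.entries


def puzzle_digest(challenge, sender, nonce):
    return hashlib.sha256(
        challenge + sender.encode() + nonce.to_bytes(8, "big")).digest()


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge, sender, bits=POW_BITS):
    """Sender side: brute-force a nonce; cost doubles with every extra bit."""
    for nonce in count():
        if leading_zero_bits(puzzle_digest(challenge, sender, nonce)) >= bits:
            return nonce


def check(challenge, sender, nonce, bits=POW_BITS):
    """Receiver side: one hash, whatever the difficulty."""
    return leading_zero_bits(puzzle_digest(challenge, sender, nonce)) >= bits


class Receiver:
    def __init__(self, whitelist):
        self.whitelist = whitelist
        self.pending = {}  # sender -> outstanding single-use challenge

    def handle(self, sender, nonce=None):
        if self.whitelist.allows(sender):
            return "deliver"
        # pop() makes each challenge single-use, so a solved puzzle
        # cannot be replayed for a second message.
        challenge = self.pending.pop(sender, None)
        if challenge is not None and nonce is not None \
                and check(challenge, sender, nonce):
            return "deliver"
        self.pending[sender] = os.urandom(16)
        return "challenge"
```

The puzzle binds the receiver's random challenge to the sender's address, so work done for one recipient cannot be reused for another.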
His post was much more articulate. Also, I would have to say that, if you were trying to say the same thing, you failed utterly.
His point was that my point contained a logical inconsistency, whereas your point, and correct me if I'm wrong here, was that preaching to everyone who one would happen to meet on the streets was a moral imperative, and the refusal of the passerby to listen would necessarily encompass the destruction of their nation, or a 40' drop, depending.
While I view his post as a bit of a logical nit-pick, as he is clearly willfully missing my point of tolerance, I view your post as a good example of the sort of obstinate "I'm right and you're wrong" arrogant, and intractable belief system that I'm talking about. God very clearly spelled out his command to Israel in the OT, and they skipped it, and paid the price. Well and good.
I am unaware of any modern commands so explicitly laid out. All modern imperatives, in fact, seem to be originating with a group of intolerant demagogues who remind me much more of Pharisees than Christians, who preach out of temples with built-in ATMs and gift shoppes, while claiming, with no sense of shame, to be in complete understanding of the mind of god.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Perhaps one solution would be to get a bunch of email addresses of mobsters, and then get the spammers to send lots of email to those addresses ... Mobsters are pretty good at getting rid of those that annoy them.
Laws only help if the spammers all live within the same jurisdiction as the lawmakers, can't move around much, and are easy to trace. They don't, and they're not, and the Internet and cheap foreign corporations make it easy to move to anywhere in the world without leaving home so that even if they do get caught, the perp that gets caught is just a paper shell corporation in a file-drawer, not the cracker in his double-wide who's the stockholder.
Spam laws mainly let politicians claim to be Doing Something, and they at best encourage spammers to do a better job of hiding, so it's harder to identify and block their stuff (though filters and blocklists do the same thing.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The real subtle nasty DDOS attacks, of course, are the ones that use the structure of the target's site, e.g. filling out the target's forms with bogus information, which takes much less bandwidth to make a much bigger impact than simple shutdown. This is what Blue was doing - I hope now that they've had to stop, that they'll at least publish a good story about it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Where do we send the payment? Somebody needs to set up a website for this.
Meh.
If you re-read my post, you'll notice that I never said I agreed with it, just that it was a solid argument within the worldview it was espousing.
And for the record, I tend to agree with you on your last paragraph. For Bible-based Christians, the last imperatives were: "Love YWH your God with all your heart," "Love your neighbour as yourself" and "Go and make disciples of all nations, baptizing them in the name of the Father, the Son, and the Holy Spirit." Anything extrapolated beyond that is open to debate.
Plus, if you don't believe the Bible is the Voice of God, then EVERYTHING in that world view is open to debate. Including tolerance being the right solution.
Darn it, I submitted the story to SlashDot last night around 1am EST (May 17th) but guess my copy writing was not good enough (sigh)
Help poke pirates in the eyepatch, arr.
B.S. wasn't trying to overwhelm the network connections or the CPU of the targeted machines, only to provide so many junk form submissions as to make it a chore for the spammers to sort out the actual purchase orders from the crud. It was just not a DDoS.
someone got paid.
However, it can fail, too; in the Great Fire of Boston, an attempt was made to blast a firebreak using gunpowder. Unfortunately the firefighters started too close to the edge of the fire, and so by the time the charges were set off the roofs of those buildings were already burning, and so actually spread the fire even further! And in both the Great Baltimore Fire of 1904 and the Great Atlanta Fire of 1917, the fire managed to jump across the dynamited firebreak, which hadn't been made wide enough -- however at least in Atlanta the break slowed the spread down enough that firefighters were able to reorganise and stop the fire.
I guess this is kind of wandering off topic, but to sort of bring it back with an over-stretched analogy: against a powerful foe, fighting fire with fire may be the only thing that works, but if you're going to do it, you have to be prepared to destroy a lot of houses.
What if you made the ISP through which an email is sent automatically sign each email? That removes the burden from the uninitiated user. The ISP could even have a different key per MAC address. Now you plunk any email that is not automatically signed, or is signed with a key that has been voted on as being an infected machine. Google or yahoo or each ISP could do that for you too. How many botted machines are there in the world? 100k? 500k? Not so many that you couldn't do this.
Then the question is would the ISPs make money from this (i.e. be motivated to make this effort)? Charge a little extra for the verification, and access to the latest votes on who is a source of spam. ISPs would be motivated to opt into the system to get more customers, and to make it possible for their customers to send trustable emails.
Who is harmed? Only guys that have infected machines. They will wonder why they can't seem to send anyone emails. Or they send it from their yahoo account.
Maybe the do not spam list guys should sponsor such a system.
Oops. I meant to say:
Firebreaks are also used to control very severe conflagrations in cities, except that the firebreak is then generally created by very fast burning -- explosives! -- rather than backburning.
In the Great Fire of London in 1666 the Lord Mayor was reluctant to create a firebreak until overruled by King Charles II; the first, created by manual demolition, was not ambitious enough and did not work, but a much larger break blasted out with gunpowder by the Royal Navy did work. Similarly the Great Fire of San Francisco in 1906 was only stopped when Mayor Schmitz authorised the US Army to dynamite a firebreak from a row of luxury mansions facing a very wide avenue. (The US Navy was then used to rescue 20,000 people trapped inside the firebreak).
However, it can fail, too; in the Great Fire of Boston, an attempt was made to blast a firebreak using gunpowder. Unfortunately the firefighters started too close to the edge of the fire, and so by the time the charges were set off the roofs of those buildings were already burning, and so actually spread the fire even further! And in both the Great Baltimore Fire of 1904 and the Great Atlanta Fire of 1917, the fire managed to jump across the dynamited firebreak, which hadn't been made wide enough -- however at least in Atlanta the break slowed the spread down enough that firefighters were able to reorganise and stop the fire.
I guess this is kind of wandering off topic, but to sort of bring it back with an over-stretched analogy: against a powerful foe, fighting fire with fire may be the only thing that works, but if you're going to do it, you have to be prepared to destroy a lot of houses.
Well, yay.
Terrorist thugs get themselves shut down. No one cries.
These people were not solving spam; they were making the problem worse in a way that let people delude themselves into thinking it mattered. They were not contributing, and the essential problems with their model were first sorted out and identified probably in 1997 or so. Maybe 1998. It wasn't a new idea, and it wasn't a good idea. I am very glad that they are gone.
Please don't reinvent it. You can't fix the fundamental problems, all you can do is waste more bandwidth accomplishing nothing.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Guys...agree or disagree with Blue Security.
It was working. It was THE ONLY thing working. It's the only thing that IS going to work. Countries/governments do not have the will to legislate a fix for it - if you're waiting for this, you don't understand how life works.
And now we've handed the internet to the spammers. Have you guys seen the ICQ posts? 'If I can't send spam, there will be no internet' The arrogance of this douchebag.
The fact that this moron felt he had to attack them like this PROVES it is something that MUST continue to stay alive. I ran Blue Security and I was happy to see my spam rates were actually dropping - honestly I was shocked it was working.
But it was. WAKE UP people. The spammers are now ONE step closer to taking over the internet. The government isn't going to fix it (cause then political e-mails will get classified as spam). Everyone has such a hard-on to be anonymous in everything they do, we'll never be able to track them down.
This is the only solution - and IT WAS WORKING. Does anyone else not see how significant this is? NOTHING else has ever worked. NOTHING. This was working. If the internet has to get shut down for 24 hours to get the powers that be to wake up and FIX the problem - so be it. It is worth it for us to take back the net.
These current events are just plain unacceptable. Everyone should be outraged..but everyone is too worried about the season finale of Lost or who's gonna win 'American Idiot'.
traceroute 194.90.8.20, fails inside Israel
9 48 48 48 63.218.9.2 netvision.ge4-4.br01.nyc01.pccwbtn.net
10 196 189 189 212.143.12.44 pos2-6.core2.hfa.nv.net.il
11 190 190 190 212.143.8.71 gi1-2.srvc01.hfa.nv.net.il
Terry Bowden, from CastleCops warned: My urgent recommendation. Remove the Blue Frog Application NOW. We have witnessed the destruction of Blue Security from a wave of different attacks. First the spam wave, second the DDOS wave. There is a strong reason to believe that the third wave takes control of the frog to launch both spam attacks and DDOS attacks. http://castlecops.com/modules.php?name=Forums&file=viewtopic&p=768501/
Below is today's spam report from our mail server. Now take a good look at the numbers and tell me something needs to be done. This is money from the pocket of the company I work for. Filtering is NOT the solution. Vigilantism DOES work. Look at this incident. It sure got a rise out of them.
Back in the early days this is how we kept spam off the net. It wasn't until people got this attitude of being nice to the person robbing that things got so carried away.
Personally I am very sad to see them shut down.
This is your daily traffic report from the Barracuda Spam Firewall at XXX.XXX.XXX.XXX for 05/17/06.
Breakdown of traffic per hour:
Hour |Blocked | Blocked: Virus | Quarantined | Allowed: Tagged | Allowed | Total Received
Total | 10368 | 1 | 39 | 77 | 1419 | 11904
Yes take a good hard look at these numbers. The number of accepted or good mail stays about the same over the months but the number of blocked messages continues to grow on a DAILY basis. Over 10,000 pieces of spam to get less than 1,500 that the people wanted. What is wrong with the picture and you say you only get one a day.
Personally I hope someone with big enough balls picks up this idea and runs with it. Think about this is the FIRST time such a rise has come out of the spamming community. You see filters DON'T affect their business. They still get paid because the mail may have been filtered but it was delivered. They get paid for DELIVERED! mail. Yea come do my job for a bit if you think spam is not a problem.
Nah. He'd have found a way to get around that with accessibility measures and continue spamming. Most of it is no doubt highly automated.
== Jez ==
Do you miss Firefox? Try Pale Moon.
Go and sign the petition to bring back Blue Security and its fight against spammers:
http://www.petitiononline.com/bbbsp101/petition.html/
To: The former Blue Security group.
Dear Blue Security,
We, the computer users who will always see you as idols in the struggle against spam, wish that you would come back and continue to fight back against spammers by our sides.
If that is not possible, please help us create an open source version of Blue Frog so that we may create a distributed network of spam resistance founded on the principles you have set.
We understand that you were digitally attacked by a brainless tool with at least enough of an adolescent taste to take the handle "Pharmamaster" and matching stupidity to make a website in his name, and we sympathize. In fact, we respect you immensely for not deciding for us whether we would be your troops in a war against these rabid dogs who relish and profit in their own filth (spammers) and the tails that get wagged by them (black hats like "PharmaMaster").
Indeed, it is the mindfulness and benevolence you have shown that cements Blue Security's desirable place in digital history no matter what happens now.
Again though, we are coming to you requesting that you raise high the Blue Frog flag or make it possible to honor your legacy by creating an open source distributed network of spam resistance.
Sincerely,
The Undersigned
Imagine if everyone ran a tool like this on the spamvertized links...
http://slashdot.org/~piotru/journal/135829
Think of spamvertizer's costs. We don't need anyone to do it for us. Fight!
There are OS X botnets
The key is, if you run malicious software, the malicious software owns your computer. Period. There are ways to get around this, of course, but anything that has any sort of startup or auto-run format, and allows software to be installed on the system is not "internet ready"
It's a sad day when criminals threaten a war and decent people back down. Sad and cowardly. Let's all huddle and hope and pray the spammers don't extort something more from us all tomorrow. We can hide, keep a low profile, change e-mail addresses, buy filters, refuse to use email as the free and open invention it should have been...we can accept viagra and pornography and vicodin advertisements in our kids' inboxes.
We just don't want a war....for God's sake...and we know the benevolent spammers will now make peace and leave us alone now that they have won this one.
Who here *isn't* ashamed? Who here knows how to operate Blue frog? I'll pay you to do it.
The spammers' attack for such a system could be any of these:
Using a dedicated P2P network for this could make it an easier target, so it might be wise to use an existing P2P network, perhaps something like Gnutella. All that would be needed is for the trusted party to post a file named in a certain way every so often, and then the peers could search for and download this file, and then verify that it was signed by the right key. The trusted party could inject the file at any peer, so the only way to stop the file from being injected would be to take down the whole network.
Of course, the spammers could then poison the network with files that are named the same way and have the same file size. That could result in a lot of peers wasting their time downloading invalid files, but it wouldn't result in attacking the wrong targets. The solution to that would be a "fake system," that could automatically tell the P2P network which files have not been signed and are invalid, which would then be rated low by the system, and then not downloaded by any more peers. Such systems already exist on some networks, although I don't know how effective they are.
The spammers could also attack individual peers that have the files. After all, how do you tell a good peer from an undercover-spammer peer that's looking for peers that have the files? 20,000 zombies hitting 100,000 peers can still hurt. In fact, it could hurt *worse* than their attack on BlueSecurity, because it might be trivial for the bad guys to DDoS the peers that are participating in the anti-spam network, and then you have 100,000 individual people getting their ISP accounts shut off.
20,000 zombies all grinding away at the key in a SETI-like fashion would eventually crack it; perhaps they'd even get lucky and crack it sooner than expected. Then the spammer could quickly use the system to attack the wrong targets, getting lots of people in lots of trouble, and causing the system to be shut off ASAP. This would also destroy the reputation of the system and any future similar systems.
A solution to this would be to frequently change the key, by posting a message signed with the previously-valid key, containing the new key. However, any clients that missed this message, but continued to receive the attack instructions, could still end up hitting the wrong targets.
All software has bugs, and all network-aware software has security holes at some point. No matter how big, widely-used, inspected, trusted, and open-sourced, the security notices still get posted for things like Apache, the Linux kernel, etc. Any software used in such a system would have to be thoroughly audited on a regular basis, and thoroughly tested against attack by experienced people. Even then, people running such software would still take a risk of their systems attacking the wrong targets and getting themselves in trouble.
Despite all that, such a system might work quite well. There could be more than one trusted party doing what BlueSecurity did, and adding them to the system could be as simple as adding their key to the software's keyring. And using non-P2P bands for passing the instructions could make it even more resilient. I guess, in the end, no one has really seen a cyber war on the scale on which such a scenario could take place.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
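The signed-file and key-rotation idea from the comment above, as an added sketch that is not part of the original post or of any Blue Security software. The comment names no signature scheme; this assumes a Lamport one-time hash signature so that it runs with the standard library only, rotates the key on every release, and has the client fail closed when it has missed a rotation. All names are hypothetical and the payloads are constructed.

```python
import hashlib
import os


def h(data):
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport key pair: 256 pairs of secrets, public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def msg_bits(msg):
    d = int.from_bytes(h(msg), "big")
    return [(d >> i) & 1 for i in range(256)]


def sign(sk, msg):
    # Reveals one secret per digest bit; a key must sign ONE message only.
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(h(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))


def fingerprint(pk):
    return h(b"".join(a + b for a, b in pk))


def encode(seq, next_pk, payload):
    # Fixed-length fields first, so the signed bytes parse unambiguously.
    return seq.to_bytes(8, "big") + fingerprint(next_pk) + payload


class Publisher:
    """The trusted party: every release is signed with the current key
    and carries the key that will sign the next release."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.seq = 0

    def release(self, payload):
        next_sk, next_pk = keygen()
        rel = {"seq": self.seq, "payload": payload, "next_pk": next_pk,
               "sig": sign(self.sk, encode(self.seq, next_pk, payload))}
        self.sk, self.pk, self.seq = next_sk, next_pk, self.seq + 1
        return rel


class Client:
    """A peer that trusts only the key it was shipped with and the keys
    reachable from it through an unbroken chain of valid releases."""

    def __init__(self, trusted_pk):
        self.pk = trusted_pk
        self.seq = 0

    def accept(self, rel):
        if rel["seq"] != self.seq:
            return False  # missed a rotation or replay: refuse, do not guess
        signed = encode(rel["seq"], rel["next_pk"], rel["payload"])
        if not verify(self.pk, signed, rel["sig"]):
            return False  # wrong key or altered file: state is unchanged
        self.pk = rel["next_pk"]
        self.seq += 1
        return True
```

A peer that missed a release rejects everything after it until it fetches the missing one and replays the chain in order, so a gap leaves the peer idle rather than acting on a file it cannot verify.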
I understand the reasons for the only-hit-spammers-that-spammed-you approach, but I dislike it. It's simply reverse extortion. "Stop spamming me and I'll stop spamming you. But you can keep spamming other people all you want; as long as you don't spam me, I won't spam you." If the spammers do opt-out all the blackfrogs, you've only reduced spam by 1% (if that much). Everyone else on the Net keeps getting spammed.
One should not have to become a blackfrog to get one's received spam to stop. Spam should stop because spam is wrong.
(We should really call it White Frog or Gray Frog, because these frogs are supposed to be the good guys; like white hat or gray hat vs. black hat.)
The message to the spammers should be, "Stop spamming, because it's wrong. And stop spamming everyone, not just those who take the time to complain." And the goal should be to eradicate all spam, not to merely stop oneself from receiving spam.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Each spammer's email server would autoreply to the 20 on the list which would then autoreply and so on. That was truly fun until they started to hijack other people's computers.
just Slashdot pharma master !
I had this idea several years ago, but I couldn't find a way to make it profitable or feasible. It has many weaknesses, but I wanted to be proactive, not reactive and this idea relies on spammers following the law, which we have seen many times before just isn't the case. In a perfect world that allowed spammers to punch you until you objected, and they have to remove you from their list when you fill out their form (or whatever)... here is my idea: "My" company collects opt-out urls, email addresses, and other schemes used by spammers to fulfill their obligation to provide you with a way to refuse future spam. This database is then shared with all its "members". Each member has a client that pre-emptively fills out the do-not-send mechanism as the database is updated. Essentially allowing its members to opt out BEFORE receiving the junk. The database, or database updates could be posted to Usenet, emailed, downloaded, or bit-torrented. There is no master email list that spammers could use to hard target members. The down-side is of course that by filling out an opt-out, you may be confirming your email address and opening up to more spam than before. (I don't know if it is illegal for spammers to take your confirmed opt-out email address and then sell that to other spammers.) Maybe, if I had a perfect list of all spammers though, and sent an opt out to every single one, they wouldn't be able to send me junk (legally) because I have already opt-ed out from everyone's list and it wouldn't matter that everyone had my email address. Of course this scheme does nothing to prevent illegal spam. An additional feature could provide mechanisms to remember which sites have been filled out so that legal action can be placed against those who send disregarding the opt out action. Possibly sending automated emails to the fair trade commission so they can follow up on illegal spam (because we know they are short on leads).
http://www.prolexic.com/spam/spam-051706.php
-=[ place
http://wiki.okopipi.org/wiki/Main_Page
-=[ place
The point is NOT to build a DDoS machine (and that's not what BF was). That would be illegal, and I understand that everyone is pissed off about spam and so on, but if we want a solution that will really make a difference it MUST be totally above board so that major corporations, media, etc. can back it once it gains some momentum.
Blue Frog just facilitated the complaint process for an individual. One complaint per spam, sent FROM the individual that got the spam. We aren't building a DDoS army. If people aren't getting spam, their client won't be doing a damned thing. If they ARE getting spam, they don't need a central directing authority telling them where to complain (hint: it's in the email they just marked "spam"). They just need a helpful script telling their client how to complain, exactly. That's where the P2P network comes in.
Sorry for being severe about this, but every time someone makes a comment like "we'll DDoS them!" -- and of course there's much worse out there -- the coverage any eventual tool is going to get goes negative one notch, and our chances of coming up with a real solution that the general public will use (and understand to be legal and moral) go down.
I really can't believe that this is happening. I only found out about this situation today, after hearing about the attack earlier. The service provided by BlueSecurity was invaluable, and probably even more so to those users who are even less computer oriented than us IT people. I understand and respect the decisions of BlueSecurity and its CEO. However, I do not believe that BlueSecurity and the BlueFrog application should be allowed to shut down. All this has managed to do is show that if someone tries to stand in the way of spammers, then spammers are both justified and encouraged to attack them like criminals. Spam is an annoying blight on the Internet and BlueSecurity was one of the few groups out there that took an active stance against it. Now they are gone, thanks to a pathetic group of idiotic ingrates who piss people off as badly as stupid drivers. In the end, I think those of us who greatly appreciated the services of BlueSecurity should do something to keep the company alive. While I understand that they wanted to avert a potential "cyberwar" that only us users could condone, I personally feel that if those slug spammers wanted to risk a cyberwar, then we should at least let them feel that their loss is both deserving and painful. In the end, it is those of us who use the Internet, loathe spam, and appreciated and respected the services and goals of groups like BlueSecurity who have the power and responsibility to let the spammers know that they were wrong to attack these groups and that they are not welcome anymore. I would like to know if there is anyone out there who would like to support me in this quest, just to get an idea if it is possible to do so, or if pacifistic apathy really has begun to take root in too many places.