Blue Security Gives up the Fight
bblboy54 writes "According to The Washington Post, Blue Security has closed its doors, which can be confirmed by the Blue Security application failing to work today and their domain no longer resolving. Blue Security's CEO is quoted in the article: "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing." You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"
Will someone else adapt this concept, or does the internet world give up?
How about a third choice - will the internet world try a different method that doesn't involve vigilantism? (and the inevitable chaos that follows a war)
Slightly Offtopic: My email (whineymacfanboy@gmail.com) is in clear text on /. (not hiding behind childish obfuscation), yet I only get one Spam per week that actually makes it into my inbox! I know the flip side of the spam problem is bandwidth wastage, but anyone who's still getting spam in their inbox should install some nice filtering software.
Completely Offtopic: Has anyone else noticed the "Compare prices on YRO Products" link in the "Related links" sidebar? WTF is a YRO product?
There are shills on slashdot. Apparently, I'm one of them.
Anyone want to state the obvious answer?
Hey, wait a minute, I've followed Blue Security since I first read about them on /., and I can't believe they're just gonna fold up shop and give up! Isn't this what they got into the business for? Can't they take this attack and use it to demonstrate the validity of their concept? I wish they could think up another tactic besides, 'you win' -- perhaps diversifying their URLs/IPs so that they're more spread out...less vuln to an attack on one IP? Come on, what do readers think...I know there's got to be some way to use BS software and reroute things through an Onion style network to fight back.
fak3r.com
"When the company's founders first approached the broader anti-spam community and asked them what they thought of the idea, everyone said this was a terrible idea and that they would eventually cause a lot of collateral damage," Underwood said. "But it's also extremely unfortunate, because it shows how much the spammers are winning this battle."
Hell, the idea of flooding the spammers network is older than a reasonably aged Armagnac and was discounted even when it came up.
Building a business model on such an inane idea looks as if the company execs are a few fries short of a happy meal. Specifically since they were warned by more experienced people.
I am the musician
with a pocket calculator in my hand
kraftwerk
This episode proves that the spammers own and control the internet.
The internet is no longer free (not as in beer). We must pay obeisance to the owners by allowing their spam in our inboxes.
I, for one, do NOT welcome our spam-spewing overlords.
Ignorance is curable, stupid is forever.
I'm a recent new Blue member. Spam to my work, gmail and home accounts has plummeted thanks to Blue Frog. And to whiners who moan about "vigilantism", blow me. Fight fire with fire.
Trolling is a art,
According to The Washington Post, Blue Security has closed it is door which
http://www.stormloader.com/garyes/its/#top
It's not that hard.
http://www.bluesecurity.com/ - which seems to be up or down at any given moment.... still under attack?
I'll wait to see an official statement from them. Considering they are offline right now, likely due to another DoS, and the spammers have spent the last 2 weeks doing joejob attacks and all sorts of e-mails supposedly from bluesecurity... it doesn't seem too unlikely to me that the spammers could convince the media of something.
My name is coaxeus, and I approve this message. In fact, I think it is awesome.
Was about to post the same thing. Make a distributed app, receive spam, post "unsubscribe" link to app, (assuming this is how blue worked) instant mass traffic for spammer. The problem here is that if you don't have a central authority controlling what gets hit then someone will sooner or later abuse the P2P DDoS machine that you've effectively just created.
Spam wins
Sad, but true: you cannot defeat the spammers using their own methods.
Rediculous is ridiculous!
Wow so the bad guys won? This isn't the way it's supposed to happen. wtf
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start
Funny, not having the authority to do it didn't stop them before...
This guy's the limit!
The Blue Frog client was open source. It shouldn't be that hard to modify it so that anyone could install a module onto their web/mail server so Blue Frog can send emails, and have the entire system run decentralized. I.e., I run two mail servers with a Blue Frog module on them, and I publish those servers for public use by the BlueFrog client. System administrators can check sites and domains to send spam reports to and control it. I'd love to see the spammers take down a decentralized system since it would be nearly impossible to shut down every node in a decentralized system.
This signature was left intentionally blank.
If you want to be an anti-spam advocate, if you want to write software or maintain a list or provide a service that identifies spam or blocks spam or targets spam in any way, you will be attacked. You will be attacked by professionals who have more money than you, more resources than you, better programmers than you, and no scruples at all. They want to make money, this is how they have decided to make money, they really can make a lot of money, and you're getting in their way.
[...]Someone challenged me, Well, how am I supposed to continue hosting these low-barrier discussions? I'm sorry, but I don't know. To quote Bruce Schneier, "I feel rather like the physicist who just explained relativity to a group of would-be interstellar travelers, only to be asked, 'How do you expect us to get to the stars, then?' I'm sorry, but I don't know that, either."
From Dive Into Mark (which doesn't seem to be responding, so try Google's cache.)
Carousel is a lie!
Blue Security Ceases Anti-Spam Operations
When we founded Blue Security in 2004, we believed that if we automated a way for users to rise up and exercise their rights under the CAN-SPAM Act, we could reduce the amount of spam on the Internet.
Over the past few months we were able to leverage the power of the Blue Community and convince top spammers responsible for sending over 25% of the world's spam to comply with our users' opt-out list. We were making real progress in eliminating spam from the lives of our users.
However, several leading spammers viewed this change as a strategic threat to their spam business. The week before last, these spammers launched a series of attacks against us, taking down hundreds of thousands of other websites via a massive Denial-of-Service attack and causing damage to ISPs, website owners and Internet users worldwide. They also began a relentless campaign of email intimidation against many members of the Blue Community.
After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.
As we cannot build the Blue Security business on the foundation we originally envisioned, we are discontinuing all of our anti-spam activities on your behalf and are exploring other, non spam-related avenues for our technological developments. As much as it saddens us, we believe this is the responsible thing to do.
You need not do anything as a result of this change. We will continue to protect your names and addresses and honor all privacy commitments we made to you.
We have concluded we should not take Blue Security to the full deployment stage we originally planned to achieve, but we are proud of what we have accomplished thus far as a young startup company.
We are extremely proud to have had the chance to work with such a devoted and dedicated community: thank you for the vote of confidence you gave us over the past few months as well as the particularly vocal support you have shown over the last two weeks.
We will be innovating and building our technology in new, other directions and will continue to give back to you, our Community.
Thank you for your support,
The Blue Security Team.
What about a solution like the SETI project? A nice graphical screensaver that uses spare processor cycles to send email spam to known spammers. It could even display something funny like a graph showing how much harassment you're causing.
However, I don't think any kind of attack spam with spam solution is worth it. We need to either redesign the protocol, marginalize the spammers, or make it very illegal and put them in jail. Sure, you might argue that direct marketing through email really isn't illegal (junk snail mail sure isn't), but I think if you don't respect the don't spam lists and requests to stop, or even go so far as to launch a DOS attack as TFA describes, then you definitely belong behind bars or without access to a computer.
I've been itching to sign up since I heard of this here, but first it was no confirmation email, then the members site went for a whole week with a "we're reorganizing it" message. I was wondering what kind of moron they have as an admin.
This is extremely disappointing, I must say. Now that they finally got a noticeable success, world wide recognition and made lots of spammers squirm and wonder what will they do, they go and give up? Sheesh.
But ah well. The client was Open Source, wasn't it? So, who will pick this one up, and get it back running? Pretty much all of the work seems to be done already, all it seems to need is becoming distributed, which would avoid this situation in the future.
Fine, I'm happy for you. You obviously don't own an active domain, or a business. Because otherwise I could guarantee that it gets to be a problem for you.
But the problem is not you, it's not me, it's not my little kid sisters dog.
The problem is that a couple of hundred big time spammers are getting rich by shitting into the communal water supply!
If you think that's acceptable within a society then you will apologise that I have no respect for you and the likes of you.
I am the musician
with a pocket calculator in my hand
kraftwerk
I'm probably wrong here, but I thought this would be the perfect application of P2P functionality. No matter how much someone tries to poison P2P shared files, they can never poison them all. When the whitelist/blacklist updates are shared out as signed, and user rankings can be compared, all should work. There is no central server, and if you can see that the file you have downloaded comes from a user with excellent karma, then it can be trusted. Sure, even that will have ups and downs, but there is no way to stop any user from updating from multiple sources, many times per day.
If the client was written to judge on differences and other algorithms for comparing lists from different sources, I think it would work well, at least better than trying to make your own lists all the time.
Support NYCountryLawyer RIAA vs People
It seems that the problem here is that they were brought down by the spammer's huge number of bots running on compromised machines. Why has no one tackled this problem? It seems to me that this should be the responsibility of the ISPs. I'm no expert but I believe that if someone reports to an ISP that a particular IP address is running a bot, that it should be a simple process for the ISP to do some tests to see if that is true by checking the nature of the traffic coming out of the machine. If they decide that the machine has been compromised, they should shut down its connection and redirect port 80 requests to a web page explaining to the owner that their machine has been compromised and how to fix it.
This does not seem to me to be a difficult technical problem and it is in everyone's interest to get the compromised machines off the net.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
...they could do what other large companies do. They get the senate and congress to talk to their buddies overseas to pressure THEM to curtail their illegal activities and such. This tactic worked wonders for Enron when they were trying to get their power set up in other countries in spite of resistance from local governments. (They just got the U.S. Goverment to throw a little weight around, threatening to cut off any aid.)
This really drives home how important it is for Average-Joe users to have decent security. Time was, if you got infected with a virus you'd get your hard drives wiped and have to reboot your machine. Then, viruses stole information instead. Nowadays, it seems like anyone with the inclination to do so can set up their own botnet using relatively simple tools.
And of course, if you're in the business of breaking the law online (or rather just being generally anti-social) it's simply prudent to gather an army of computers, and then use that power to make others give into your demands. The actions of one hacker and his botnet caused an entire company to shut down operation - that's scary.
And scarier still is that the thousands of people whose computers were hammering away at the server, contributing to the victory of evil over good, are unaware of the part their machines played, and will doubtless play again.
This really is the computing equivalent of creating massive private armies with a mind-control drug - and while the email system really needs an overhaul, while the possibility to harness this kind of power exists there'll be the opportunity for extortion on this scale.
My, that was a yummy potato!
You mess with their illegal profits - they'll mess you up. It's as plain and simple as that. They're not even hiding it anymore.
Let's just hope they'll start receiving the treatment that their real-world counterparts have received. In our lifetime.
"In an effort to help reduce the amount of spam reaching Comcast.net email addresses, Comcast has implemented a new policy that will block email sent from an email server that has no rDNS entry."
http://forums.comcast.net/comcastsupport/board/message?board.id=2&message.id=79035
Since they did this spam getting through to my home account has dropped by at least 90%, as has mail ending up in the "screened mail" folder for my comcast email address.
you cannot defeat the spammers using their own methods.
At the current level of effort. Escalation may be the key. I'll mirror an earlier poster about decentralization. Maybe more servers, or a whole P2P type network bombing these bastards would be more effective.
BTW, like your sig. =)
Weaselmancer
rediculous.
Now if only we could get the spammers on a tax evasion charge...
I find it very hard to believe that it is this straight-forward for one individual to potentially bring down the entire internet infrastructure. The Register reported on this story and said, "Anti-spam firm Blue Security is to cease trading after deciding its escalating conflict with a renegade spammer was placing the internet as a whole in jeopardy." It went on to say, "During an ICQ conversation, PharmaMaster told Blue Security that if he can't send spam, there will be no internet."
I suppose the most concerning part of this story is the bit where bribery appears to persuade a top ISP to make some dodgy configs:
"According to Blue Security, a renegade Russian language speaking spammer known as PharmaMaster succeeded in bribing a top-tier ISP's staff member into black holing Blue Security's former IP address (194.90.8.20) at internet backbone routers. This rendered Blue's main website inaccessible outside Israel."
This story smells a bit.
So, are the ISP's gonna do something about this in their "Net Neutrality" fight? I mean, most of the traffic out there has to be Spam, viruses and whatnot. Why are they not mentioned? Oh, I know because the entire case of the ISP's are Bullsh@#t.
What word rhymes with buried alive?
The bad guys won this time because we tried to match force with force. I've said it multiple times in this forum - we have to accept that spam isn't going to go away. The only way we're going to get it down to an acceptable level is to make it not worth doing.
Filtering is one way, but basing it on the raw content of the email won't work. If there was a public key repository where legitimate users placed a public key for decryption, and all legitimate email were sent encrypted with the corresponding private key, the authenticity of the email could be known. Then, if someone starts making a nuisance of themselves, they could get their public key revoked. If this method were used, filters could be made to only let through emails that decrypted with the public key of the sender.
Let's face it, spam is a fact of life. Remember that you're up against people who do this as their 9-5er with no regard for law, ethics or their public image if you want to go the force-vs-force route.
DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
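The key-registry filter proposed in the comment above, as an added sketch that is not part of the original post or of any real mail system. It uses Ed25519 signatures in place of the comment's "encrypted with the private key" wording, and the `Registry`, `Mail`, `Sign` and `Check` names, the in-memory registry and all addresses are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Mail is a constructed message format for this example. The signature
// covers sender, recipient and body, so none can be changed after signing.
type Mail struct {
	From, To, Body string
	Sig            []byte
}

// Reasons a filter refuses a message.
var (
	ErrUnknownSender = errors.New("sender has no key in the registry")
	ErrRevoked       = errors.New("sender key has been revoked")
	ErrBadSignature  = errors.New("signature does not verify")
)

type entry struct {
	key     ed25519.PublicKey
	revoked bool
}

// Registry stands in for the public key repository (hypothetical, in memory).
type Registry struct{ keys map[string]*entry }

func NewRegistry() *Registry { return &Registry{keys: map[string]*entry{}} }

// Enroll publishes a fresh public key for addr and hands back the private key.
func (r *Registry) Enroll(addr string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[addr] = &entry{key: pub}
	return priv, nil
}

// Revoke marks a sender's key as no longer acceptable.
func (r *Registry) Revoke(addr string) {
	if e, ok := r.keys[addr]; ok {
		e.revoked = true
	}
}

// signedBytes length-prefixes each field so that moving bytes between
// fields (for example From "a", To "bc" versus From "ab", To "c") changes
// the signed input.
func signedBytes(m Mail) []byte {
	var b []byte
	for _, f := range []string{m.From, m.To, m.Body} {
		b = append(b, fmt.Sprintf("%d:", len(f))...)
		b = append(b, f...)
	}
	return b
}

// Sign builds a message and signs it with the sender's private key.
func Sign(priv ed25519.PrivateKey, from, to, body string) Mail {
	m := Mail{From: from, To: to, Body: body}
	m.Sig = ed25519.Sign(priv, signedBytes(m))
	return m
}

// Check is the receiving filter: it accepts a message only if the claimed
// sender has a registered, unrevoked key and the signature verifies.
func (r *Registry) Check(m Mail) error {
	e, ok := r.keys[m.From]
	if !ok {
		return ErrUnknownSender
	}
	if e.revoked {
		return ErrRevoked
	}
	if !ed25519.Verify(e.key, signedBytes(m), m.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	reg := NewRegistry()
	alice, err := reg.Enroll("alice@example.org")
	if err != nil {
		panic(err)
	}
	m := Sign(alice, "alice@example.org", "bob@example.net", "Lunch on Friday?")
	fmt.Println("signed mail:", reg.Check(m))

	altered := m
	altered.Body = "Body replaced in transit"
	fmt.Println("altered body:", reg.Check(altered))

	reg.Revoke("alice@example.org")
	fmt.Println("after revocation:", reg.Check(m))
}
```

Revocation only takes effect because `Check` consults the registry on every message; a filter that cached keys without refreshing them would keep accepting mail from a revoked sender.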
I thought it was a bit of a no brainer that the spammers would win.
Blue security were/are dealing with people who thought they were above the law
Their servers got attacked (if spammers control 50% of email messages I'm pretty sure one site won't be beyond their capabilities to DDOS)
It was a good idea but the only outcome was escalation and Blue Security didn't have the firepower to take them down
The following says it all (from http://poetry.eserver.org/light-brigade.html)
[snip]
Flash'd all their sabres bare,
Flash'd as they turn'd in air,
Sabring the gunners there,
Charging an army, while
All the world wonder'd:
Plunged in the battery-smoke
Right thro' the line they broke;
Cossack and Russian
Reel'd from the sabre stroke
Shatter'd and sunder'd.
Then they rode back, but not
Not the six hundred.
[snip]
Cannon to right of them,
Cannon to left of them,
Cannon behind them
Volley'd and thunder'd;
Storm'd at with shot and shell,
While horse and hero fell,
They that had fought so well
Came thro' the jaws of Death
Back from the mouth of Hell,
All that was left of them,
Left of six hundred.
[snip]
---------------THE END----------------
http://www.xanga.com/petantik
Be pretty hard to get a murder conviction ... after all, there are literally MILLIONS of people with a motive ... I can picture it now ... the jury is deliberating, and says "the spammer got his skull crushed in ... sounds like he got off too lightly, dah?"
You fight fire with water. Fighting fire with fire will just make the fire bigger unless it's very well directed fire.
So if you're gonna fight the spam fire with fire, use live fire. Or use water. Like from a firehose into their systems. Motherboards LOVE "direct liquid cooling".
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
When I read the article, I was struck by the fact that they're trying to use voluntary DOS attacks against spammers. I've NEVER heard of this company before, and I imagine Joe Average User hasn't either. I'm willing to bet that there are a lot more Joe Average Users out there with compromised systems on a botnet than there are people participating in the Blue Security net - probably by a couple factors of 10. Besides, do we really need another million computers wasting bandwidth on such an obviously failure-destined approach to spam-fighting? It just seems lose-lose all around to me.
picpix image polls. create - share - vote. fun!
It was only a few days ago that everyone here was predicting that membership would surge due to the recently publicity. Then they suddenly go out of business? WTF? I hope this is some sort of ploy just to make spammers look bad, because this is definitely NOT a happy ending. Hell, this isn't even an ending.
Maybe it is time for them to start charging subscribers. Or to make this a community project.
This works as well.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
Sad to say, but the BlueFrog anti-spam client never really worked correctly. I tried it for two weeks, and found that it often failed to successfully report any spam at all about 1/3rd of the time. Even when it did work, it never seemed to cut down on my spam at all. If anything, the amount of spam that I'm getting now has doubled, since some spammers seem to be intentionally retaliating against me and sending me a dozen copies of the same spam mail over and over again. I went from getting 50 spam messages to 100 spams a day, and I did nothing to promote my e-mail addresses during that time besides installing BlueFrog. Thanks for nothing, guys.
According to my university's spam filter, up to 25 percent of all incoming messages from off-campus addresses are spam!
I installed Blue Frog some months ago. But I rarely found the icon indicating that it was working (I think the frog put a mask on). Also, they were never doing anything about the sites sending the spam that I was reporting. When I got a new computer I didn't bother to install Blue Frog on it. I installed SpamCopper, http://pctech.invisibill.net/mozext/spamcopper/, a Thunderbird extension that reports everything flagged as Junk to spamcop. I'm not sure if that's doing any good, either. I keep getting spammed from the same ISPs, mostly in .il (I'm in .il), .cn, .tr, and .br.
And underground, it'd also be helpful to DDoS the fuckers. The problem with that is that the dickhead 13 year old kids running the botnets don't care about spam.
The frog needs to evolve into a P2P service that passes the addresses that need to receive opt-out requests. To prevent poisoning, there will still have to be a central cabal vetting spam, but rather than having spam reports come to a central server, they can be passed P2P--maybe even over an existing file sharing network. Then the cabal can send cryptographically signed instructions to the evolved frogs, which (ideally) in their large numbers could drop a spamvertized host in a few minutes.
I too have felt the cold finger of injustice.
This really looks like the ideal place to implement a P2P style model. Your server is a nice central target that the bad guys can attack. Distributing the load across a distributed architecture means there's no head to attack or cut off.
They're essentially using the power of numbers for attack, adapt a defense to match.
"We're hearing from federal law enforcement that they are getting more than one new case of online extortion each day"
Blue Security's network of over half a million hosts was dwarfed by a single Russian spammer.
Most spammers and extortionists perpetrate much more than a single act, using many hosts to launch the attacks. Certainly the Russian spammer is launching many attacks to justify their arsenal.
Why isn't the FBI and the State Department going after these attackers? Maybe they're too busy listening to American phone conversations. Those conversations must be very valuable, especially running up to elections...
--
make install -not war
Let us know how it goes.
Pessimists.net - as if life wasn't depressing enough.
You can't fight spam at the originating point. More often than not it's sent through hijacked PCs. Hitting them won't help anyone.
So you have to hit the site that's been advertised by the spam. P2P has been mentioned as the "way to go" to avoid a similar fate. And the dangers of "seed poisoning". This can be circumvented. Have the clients "read" the spam folder of the participating person. Have them exchange their spam folders. Have them count the messages received. And once a critical amount of similar or identical messages have been identified, have them hold a vote who's going to get it for the next, say, 8 hours.
This all can be done without the participation of a host.
Now, of course someone could send around some spam to, say, shoot at Microsoft. How to prevent that?
Well, spam needs some time to propagate. This time can be used to update some whitelist. This whitelist, again, would have to be administered decentralized. I.e. you declare something "not spam". If enough people call spam "no spam", the attack won't happen. At the same time, run a blacklist that lets you identify something "clearly as spam", which puts more weight behind the counter.
If something has circulated for 2 days or more and is still labeled "Spam", the flood rolls in. Yes, I'm aware that quite a few spam-ad'ed servers are hijacked too. That's why the attack should not run for more than about 2 hours. Should give the admin there a good heads-up, to say the least, and take a look at his setup. Should he not wise up, the next one runs for 4, then 8, 16, 24 hours and so on.
Still needs some fleshing out, but I guess that'd be a way to run it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
And why do you think that sending a million emails is difficult? The spam networks can generate a lot of mail traffic.
I never really understood the term "fight fire with fire."
Fighting fire with fire actually does make sense in the context of some sorts of fires. The most common one is forest fires. Intentional fires are used both as a prophylactic and as a method for fighting an in-progress wildfire. As a prophylactic, the idea is to deliberately burn out the flammable undergrowth before it gets sufficiently dense and dry to ignite the trees. To contain an already-burning wildfire, firefighters often use controlled burns to create firebreaks, since fire is the quickest way to clear an area of flammable materials. Of course, using fire to create firebreaks carries some obvious risks, but most of the time even if the deliberate fire gets out of control it just burns land that would have burned shortly anyway.
It does sound kind of funny, though: "Since we can't control that fire over there, let's start one here that we can control".
Historically, controlled burns have been used to contain large-scale fires in cities as well.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
I came home the other day with a message on my answerphone telling me I had a spam bot or something similar running on my network. I took a look and there it was! I was amazed that they actually bothered to phone me and explain.
It was aaisp.com by the way.
Paul.
You wrote:
Spam is just as bad as child pornography or rape
No. It's not.
Our users never signed up for this kind of thing.
I'll sign up.
Is there a command line installable Linux client for this thing? I'll put a machine or two into the fray. I may not be very good at real security, but I know how to close ports.
Stop-Prism.org: Opt Out of Surveillance
"It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing."
You started the fight and you expected them to buckle but you forgot one thing. They don't care if what they do is illegal. You do.
They will keep sending their junk and if you think they will ever stop you are naive. You can't stop them from doing it. You have to accept that first and then come up with a method that will just make it harder for them to get their junk out.
So, the spammers win.
This is so depressing. Not because I just got Blue Frog set up this last weekend, but because, well, quite literally "the terrorists have won".
I see little recourse but to join a network of DDoS-bots that bombs the spam zombies off the net, and http requests any websites their email links to into oblivion.
Where do I sign up?
-- I have monkeys in my pants.
Right, so this approach to spam has been proven to work, or at least to get enough attention from the people it's working against that they've taken action. Which has killed the company, but its software is still around. Isn't this a perfect opportunity for the open source community? Without a central server or corporate body to attack, the principle could be made unkillable. Where do you direct your DDoS attacks if there is no single person or entity responsible for harming your shady business? Or does this require more than just the software to do - in which case, how many people does it take to run, and how much time each would a network of worldwide users have to donate to make it effective? Maybe it's a pipe-dream, mass human cooperation on a worldwide scale to take back the internet, but distributed cooperation like this could effect some major change. If people will donate hours of their time to look for grains of cosmic dust, would they donate hours to sending off emails to spammers under the banner of taking back their inbox? Probably not. Because they want that done automatically. And there's the problem. Any solutions?
I got hit for a couple of days, then I got the "I'm the evil spammer king, roll over and die" message, then the flood stopped. I've been at a normal level of spam for over a week now.
That sucks that they're throwing in the towel.
When you sympathize with stupidity, you start thinking like an idiot.
Seems to me that they've missed a wonderful opportunity. I seem to recall that there was a recent case of a Russian spammer who was found shot to death in his apartment. The Russian authorities didn't have time or interest in following up the case, so whoever got him (may I shake your hand, sir?) gets away with it. Seems like history needs to repeat itself. That'd clarify the situation quite a bit.
Being quick to take offense is not a virtue.
I say bring it! A war means troops and I'm ready to go. It also means the enemy will have to show his guns. There can only be so many bots on his net and everyone he exposes will be a fatality. Obviously the government isn't capable of doing anything more than listen to phone calls and read e-mail.
Having to work for a living is the root of all evil.
Any more than people want to know their 3 ton car is causing global warming. Imagine if Shell refused to sell gas to cars that do not have a certain fuel efficiency. How long would they stay in business?
It is one of the reasons libertarians are wrong. A lot of things can only happen because they are written down in law.
Should there be a law that forces ISPs to shut down bots? Well, it all depends on the kind of internet you want. A totally free one that is controlled by criminals or a non-free one that is controlled by the state.
Cause freedom doesn't exist. There is always someone in control. For now it is the spammers.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
This really demonstrates the need for a distributed version. Not only is the centralised architecture easy to attack, as we saw with BS vs PM, but also it's at the mercy of its operators. A living breathing antispam system was in place, with many willing users, but had to be shut down because the tiny head at the top of the body wanted out. If it was less monolithic, head shots wouldn't even exist.
Tie that in with my other idea, and maybe there's a good method in there somewhere.
1) the friendly DoSS machine should be distributed (screen savers are fair game for this)
2) although initial marketing/word spreading should be via a centralized site, this will inevitably become a target, so distribution should quickly become P2P based (BT etc...) once word has spread
2) The mechanism for centrally controlling the targets HAS to be centralized
3) you need to hide the centralized server behind something nice like Tor
Now go build it!, I'm sick of this spam crap.
Because you can - or because you should?
Hello spammers. In Soviet Russia, the angry citizens beat the shit out of YOU!
Bastards! They deleted the source files! They could at least give the source code for us to share.
Anyway, this clearly gives us one choice: Decentralizing Blue Frog.
The concept has been proven. Flooding the servers with opt-out requests.
So I propose this: Make a decentralized "black frog" which directly analyses the e-mails and begins doing what Blue Frog did. But this time, it's per-user.
If anyone wants to start the Black Frog project, give me a message (my gmail address is posted in my account).
The concept is this. Instead of asking the spammers to download the "do not intrude" list, hash your own mails using the following formula:
hash = substr(SHA1(e-mail),32). And in the post tell the spammer to remove this hash from their mailing list. (We can include random hashes to make it blurry).
If anyone wants to start the project, I'd be happy to organize it.
We need:
* At least one person with access to the Blue Frog source code, or someone who has helped in programming the Blue Frog
* Lots of programmers
So instead of one central server...
You have one or more central seed servers (which could be attacked) and everyone else using the client also acted as a secondary server. When a central server was attacked, they could set up a new server on a new IP and attach to the network and still upload new banned spam.
So the spammers would essentially be taking on the entire world.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
"Our users never signed up for this kind of thing. You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"
What kind of thing? What kind of effective method has been found to do, what exactly? What is "this" concept we are talking about?
I read this site (almost) daily but have never ever heard of this company before. As it is apparently some kind of small startup, I'd imagine many others around here have never heard of them, either.
Without any context, this "article" is pure gibberish. Maybe it makes sense after reading the linked article (which, I'll admit in good /. style, I haven't *yet* done), but can we please at least try to make somewhat clear what an article is about, so that everyone can decide for himself whether this subject is of interest to them in the first place?
Every expression is true, for a given value of 'true'
Welcome to the maximalist's world, enjoy your stay. If you want to be competitive here, one should hope you are equipped to compete. No? Draconian methodology is, and always will be a very delicate, double-edged sword. I sincerely hope none here are surprised by this.
It is wonderful really because it does in fact allow one person to commit crimes that in the real world would require a small army.
That one man can control a lot of crime is nothing new. Check the history of the mafia. It is filled with nobodies rising to control entire cities.
Imagine if Al Capone had the use of robots that cost virtually nothing to produce. He would have owned the world.
And a bot doesn't cost anything to produce and can easily be set to produce countless offspring.
When you read the occasional story of botnets being discovered counting a million+ machines that means 1 person effectively controls all the home PCs of a small country.
So I don't find it at all amazing that one person can create so much havoc.
What is amazing is that we let them get away with it.
Countries like Russia and China should have had their internet cut off years ago and MS been forced at gun point to secure their OS.
Imagine if Sony's robot dog went around stealing people's mail, how long would it be before Sony was called to order and those robot dogs shot on sight?
Just because it is on the internet we tend to accept things we would never tolerate in real life.
On the other hand, perhaps this is what makes the internet so special. Nobody ever said total freedom would come without a heavy price.
Perhaps this is the reason that wherever people have had total freedom they couldn't wait to introduce law and order. At least that is what westerns tell me.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Well...
This just proves that good does not always win against bad. I am always for a pro-active solution to a problem, and Blue Security had that kind of approach. Though I never used it, I am all up for it. And to tell you the truth, if I was a member and got a few more spams due to that, I would not mind a bit. Hell, getting a couple more emails in a sea of spam won't make a difference.
I wish they would have stayed their ground, maybe losing some of their userbase. If they could have just got through this hard time....
But it ain't over until it's over
I hope....
If the spammers didn't control botnets that had tens of thousands of zombies under their control, then they wouldn't be empowered to bring such power to bear. The power to spray packets at people they don't like. The answer? Kneecap the botnets. And there is serious work underway to do just that. If you know anything, then you know what is going on to quell bot replication. There are companies and consortiums and the domestic US law enforcement agencies like the FBI get more international cooperation than you think.
Why doesn't the article state the obvious: All those zombie computers use MS Windows. So, unfortunately, this problem is here to stay. We need a real Justice League: Anonymous heroes living in the shadows, who will put a bullet to criminals' heads when the long arm of the law can't reach them.
from: http://www.sonshi.com/
Therefore, to gain a hundred victories in a hundred battles is not the highest excellence;
to subjugate the enemy's army without doing battle is the highest of excellence
Therefore, the best warfare strategy is to attack the enemy's plans, next is to attack alliances, next is to attack the army, and the worst is to attack a walled city.
What we just saw was a failed attack on the walled city. Come on people, this spam stuff is easy. We should be more passive, evasive, quiet, never raising our voices to spammers, never confronting them, yet battling them by proxy, and avoiding them. Use spamassassin to quietly drop emails that are flagged as spam. Use various rules, checks, and metrics to assign probable spam flags to messages, keep your rules up to date, monitor trends, evade and obfuscate.
If the general cannot control his temper and sends troops to swarm the walls, one third of them will be killed, and the city will still not be taken.
This is the kind of calamity when laying siege to a walled city.
Generally in warfare:
* If ten times the enemy's strength, surround them;
* if five times, attack them;
* if double, divide them;
* if equal, be able to fight them;
* if fewer, be able to evade them;
* if weaker, be able to avoid them.
Evade, evade, evade. Avoid, avoid, avoid.
Toddlers are the stormtroopers of the Lord of Entropy.
Putting a price on having your email delivered is the only way to get rid of spam.... hell if regular snail mail was free, think of how much junk mail you'd get every day.
This doesn't mean that organizations who qualify won't be able to receive a "Postage Paid" certification or whatever... such as small org newsletters, etc. It simply means that non-certified mailers will no longer be able to send out gobs of spam for the price of startup expenses. They will have to go legit, meaning no more Zombie networks and higher operating expenses... which means even higher startup costs for newcomers and much much smaller profit margins, meaning a lot of them will decide to do something else.
Businesses will eat any expenses associated with direct emailings, just as they have done before and mostly do now... it's an operating expense.. part of the marketing budget.
Small businesses will need to account for this new expense and band together to form purchasing blocks to get better deals, or go through a media buyer who will parcel out chunks of a pre-purchased block... just as what happens with magazine ads, newspaper ads, cable tv, etc.
Small orgs and non-profits will want to lobby for a non-profit emailer certification status account.
Individuals will get unlimited emails via their ISP but will have a unique per email abuse link automatically attached to their email as a footer.... which will not trigger an automated blacklisting but will debit the individual's abuse quota monthly limit (say 30 per) by which their privileges will be suspended after they have reached the threshold. Additionally the abuse link will forward to a web page where a form will require a valid email to finalize the notification which will need to be verified by confirmation via a return email to the person reporting the abuse. This will prevent casual 'revenge' reporting as much as is possible.
TBC
A fool throws a stone into a well and a thousand sages can not remove it.
How exactly did this work?
I understand the idea was to SPAM the Spammers.
But who exactly did they spam? The spoofed addresses? The owner of the original IP?
It's buried several.. paragraphs? sentences? words? letters? no, no, no, no... well it's got some whitespace before it.. so I understand how you missed the explanation of who they were and what they did which started on the first word of the first sentence of the first paragraph of the article. So I'll explain.
Some guy had the idea of: "Spam is like a DDoS. So, let's launch an actual DDoS against spammers."
Some spammer had the idea of: "Spam is not like a DDoS. This is a DDoS."
Some guy seems to have realized he was an idiot and stopped.
-- 'The' Lord and Master Bitman On High, Master Of All
A backfire is used to burn out a fire by depleting its fuel. Hence the term fighting fire with fire. It's really only useful for forest fires though.
Ooo man the floppy drive is broken. No wait. The computer is just upside down.
Fuck this for a lark! Where do I get to sign up for the cyberwar?
This is proof that their system pissed spammers off enough for a few of them to join forces and try and fuck things up. To be quite honest this is the first time spammers have been proactive in their attempts to fill my inbox, sure they may update lists, and change algos, but this is different.
If "spam" was a company this is the kind of move it would make if it felt threatened, and frankly even if the best we're doing is annoying these people, that's enough to justify this.
BlueSec: you got my vote and spare bandwidth if ever you decide to throw caution to the wind and try again.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
The people paying them would soon stop if the vast majority of hits were never going to result in sales since it's just a bot.
"Our users never signed up for this kind of thing."
You'd better damn well believe this is exactly the kind of thing I signed up for. Showdown at high-noon and all that.
It's sad when choosing an installation directory on your own qualifies you as an "advanced user."
Spamcop has been around much longer than bluesecurity, it has already weathered many more DoS attacks than bluesecurity, spamcop has been sued a couple of times by spammers (and the spammers lost), spamcop has had its domain name hijacked, and yet it has survived. Granted, part of the reason they survived is because they are now owned by the anti-spam vendor, Ironport who also provides the free senderbase service.
I'm sorry to see bluesecurity go, but there are still other options for people who want to fight spam.
SPF support for most open source mail servers can be found at libspf2.
Is there any way to make a bandwidth counter that only counts what the user is purposefully uploading? Any large discrepancies would be a sign of a bot, and the system admin could be notified and the system checked.
We are all just people.
The CIA would go after spammers, if the spammers publicly spoke against Bush's policy or exposed Bush's lies.
Far fetched? What is Valerie Plame Wilson doing now? Of course it had nothing to do with her husband accusing Bush of lying.
Fight Spammers!
This is why when I wander out and about in the world, I fix their computers for free, I install AV and anti spyware, clean sweep, patch etc. Then I install a firewall, firefox & thunderbird, and configure their services to get rid of the shit, takes me 3-5 hours every time. But gives me enormous satisfaction. I went home recently and updated the parents' PC, I was amazed by how little work it needed. You want to make a difference, do it one PC at a time.
If we could reduce spam, we'd hopefully reduce the "need" (or desire) for zombie computers, and thus decrease the number of trojans/viruses/worms. Zombies are useful for spam and DDOS, and cutting the spammers out of the picture cuts the number of new viruses trying to make botnets.
The Spammers can thank Microsoft for the army of zombies they used to counter-attack.
Once again Microsoft ruins the internet.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
There is much irony in the quote that appears at the bottom of the page as I read the comments:
It would seem that evil retreats when forcibly confronted. -- Yarnek of Excalbia, "The Savage Curtain", stardate 5906.5
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
That may be, but the REAL problem is that email was never designed to prevent its users from shitting into the communal water supply."
You both just said the same thing. Your *opposing* argument is not opposing at all. Even IF we had a new protocol, there still would be mass marketers out there trying to abuse it. You don't get telemarketers calling you at home? People knocking at your door at least once a week. SPAMS to your pager? Leaflets left on your car when you're buying groceries? Why do you feel that eMail should be any different? The REAL problem is scumbags that have no concept of when to STOP getting in our face.
A new protocol will help greatly, but it won't stop the REAL problem which is people shitting in communal waters. BUT... you both are right, just don't act like this is such a one sided thing and that the tech is "Dead". The tech certainly isn't dead, or no one would be using email at all. Since email usage is still growing, I think eMail is very far from dead.
Scott
Slashdot.. where people join together in deliberate ignorance.
Come on guys!!, let me join the battle the next time, please?
There's nothing stopping me shitting in the reservoir. Does this mean that tapwater is dead?
If you do that sort of thing enough, you will be tracked down and (if caught) prosecuted.
The same apparently cannot be said of spammers - or at least, not the ones that pick on individuals. I imagine that the story would be different if they chose to forge addresses from amazon, google, microsoft, etc.
It's official. Most of you are morons.
An increasing amount of spam in my inbox comes from people advertising "the next great company" to invest in. No website is given. This is a cute tactic as it allows them to speculatively invest in the company (or perhaps own it), then pump up stock prices but without putting a web presence out there that people can visit, opt out of or whatever. Even a few cents increase (and I suspect its working (I'll use "its" anyway I please, thank you)) can result in nice profits. And of course the company's owners can always (and effectively) deny that they had anything to do with it.
I'd been thinking about joining before the attacks happened. When they did, I joined as soon as I could. I thought, "This must really work." The community was patting itself on the back for surviving the attacks. They were bringing stuff back online and reporting their progress in a little box on their website.
This makes no fscking sense. One minute they're bulletproof antispam gods, the only ones with a winning solution, and the next they've shut down the entire website for good, and I have to read about it in the Post?
I thought it was pretty much over. Didn't they set up a new firewall, or get a different host, or something? Sorry, but that's exactly what I signed on for. So,
What the hell?
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
It is clear that the one we use now is broken. So why is there no alternative yet?
The larger emailers like Google, AOL and what not could accept both. Using the new protocol will go as fast as it goes now. Using the old protocol takes 1 hour (to begin with).
People will ask why and the answer is that it takes so much time to check if it is actually spam, but if their server uses the new protocol, the delay will be gone.
People will start asking their providers/IT department why they don't use the new protocol and start pressuring them to use it.
It is clear that the way we go now can not last. It is also clear that switching everybody at 00:00GMT on day X won't work either. It should also be clear that nothing will remove Spam completely.
Don't fight for your country, if your country does not fight for you.
I'd say, that 99 per cent of company networks are not filtering outgoing traffic. This is one of the biggest problems. If they would start to block outgoing traffic from their clients and only allow connections to servers in the DMZ (mail, proxy, whatever), we would have a lot less SPAM. "Why?" you ask? Because almost every spambot sends out spam mails with its own SMTP engine and even if the spambot would use the configured local SMTP server, it would be easier to figure out that something is going on.
Next time you want to go all vigilante on spammers, use a baseball bat. -GiH
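The egress-filtering point made in the comment above (clients may reach only the DMZ mail server, so a machine speaking SMTP directly to the Internet stands out, and a bot that uses the local relay shows up as volume), sketched as an added example that is not part of the thread. The log format, addresses, relay and threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed site layout (hypothetical values, not from the comment).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_MAIL_RELAYS = {ipaddress.ip_address("10.0.250.25")}
SMTP_PORT = 25
RELAY_BURST_THRESHOLD = 3  # relay connections per client per log window

# Constructed firewall log in a made-up key=value format. External
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
ts=2006-05-17T09:00:01 src=10.0.1.15 dst=10.0.250.25 dport=25 action=allow
ts=2006-05-17T09:00:02 src=10.0.250.25 dst=192.0.2.10 dport=25 action=allow
ts=2006-05-17T09:00:03 src=10.0.3.77 dst=198.51.100.5 dport=25 action=deny
ts=2006-05-17T09:00:03 src=10.0.3.77 dst=203.0.113.9 dport=25 action=deny
ts=2006-05-17T09:00:04 src=10.0.3.77 dst=192.0.2.44 dport=25 action=deny
ts=2006-05-17T09:00:04 src=10.0.3.77 dst=198.51.100.5 dport=25 action=deny
ts=2006-05-17T09:00:05 src=10.0.1.15 dst=192.0.2.80 dport=443 action=allow
ts=2006-05-17T09:00:06 src=10.0.5.9 dst=203.0.113.200 dport=25 action=allow
ts=2006-05-17T09:00:07 src=10.0.4.20 dst=10.0.250.25 dport=25 action=allow
ts=2006-05-17T09:00:07 src=10.0.4.20 dst=10.0.250.25 dport=25 action=allow
ts=2006-05-17T09:00:08 src=10.0.4.20 dst=10.0.250.25 dport=25 action=allow
ts=2006-05-17T09:00:08 src=10.0.4.20 dst=10.0.250.25 dport=25 action=allow
ts=2006-05-17T09:00:09 src=10.0.4.20 dst=10.0.250.25 dport=25 action=allow
corrupted line without fields
"""


def parse_line(line):
    """Return the parsed record, or None if the line is malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "ts": fields["ts"],
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            "action": fields["action"],
        }
    except (KeyError, ValueError):
        return None


def analyse(log_text):
    """Return (findings, skipped_line_count) for one log window."""
    direct = defaultdict(lambda: {"dsts": set(), "allowed": 0})
    relayed = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        src, dst = rec["src"], rec["dst"]
        if rec["dport"] != SMTP_PORT or src not in INTERNAL_NET:
            continue
        if src in DMZ_MAIL_RELAYS:
            continue  # the sanctioned relay delivering mail outbound
        if dst in DMZ_MAIL_RELAYS:
            relayed[src] += 1  # client using the configured relay
        elif dst not in INTERNAL_NET:
            # A client with its own SMTP engine talking to the Internet.
            direct[src]["dsts"].add(dst)
            if rec["action"] == "allow":
                direct[src]["allowed"] += 1  # the egress rule has a gap
    findings = []
    for src, info in direct.items():
        findings.append({"host": str(src), "kind": "direct-smtp",
                         "destinations": len(info["dsts"]),
                         "allowed": info["allowed"]})
    for src, count in relayed.items():
        if count > RELAY_BURST_THRESHOLD:
            findings.append({"host": str(src), "kind": "relay-burst",
                             "connections": count})
    findings.sort(key=lambda f: (f["kind"], f["host"]))
    return findings, skipped


if __name__ == "__main__":
    results, bad_lines = analyse(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("malformed lines skipped:", bad_lines)
```

A non-zero `allowed` count on a `direct-smtp` finding means the firewall let the connection out, so the rule set needs fixing as well as the host.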
If I were Microsoft, I'd go right in and buy up Blue Security and take over where they left off. Microsoft surely has the infrastructure to withstand these types of attacks and having them do something good in the fight against spam would certainly increase my respect for them. I'm willing to bet that a lot of people here would also have some newfound respect for MS if they did this.
The world does not completely operate based on the overly simplistic profit-motive-is-everything assumption.
Sometimes 100,000 motivated people can do more than a few people with hundreds of thousands of dollars.
"The innovative approach in the fight against spam caught the attention of investors in 2004 when Blue Security received more than $4 million in venture capital"
A commercial effort will quit when there isn't enough money to be made. A grass-roots effort ends when the problem goes away or little interest remains. Spam hasn't gone away, and most people are still pissed about it.
There are low-cost solutions from sufficiently organized/motivated consumers. Pay with money or with effort.
Google makes a lot of money off spammers. They don't want the industry to go away. If disreputable everchanging entities aren't trying to outbid each other Google loses money.
Man, you really need that seminar!
This is really the only thing that could work. Add some kind of interface for adding and removing public keys of trusted parties, and you're in business...
except, of course, for the small problem of what to do when spammers decide to send spam advertising random companies. Any solution for that one?
Russian Police Claim Biggest Spammer's Murder Solved
The police also examined another lead suggesting that Kushnir could have been attacked by robbers.
On Sunday the Moscow criminal investigation directorate detained a group of young people on suspicion of murdering Kushnir with a view to rob him. The investigators believe that a 15-year-old girl and two boys, 18 and 17 years of age, along with a 27-year-old accomplice had broken into Kushnir's apartment.
One of the boys wielded a baseball bat which he used to beat the man to death. The detainees insist Kushnir had invited them to his place himself where he made passes at the girl by the name of Vika. Her friends tried to stop him, then Kushnir grabbed a knife and the young men hit the man with an empty bottle on the head in order to defend themselves.
http://mosnews.com/news/2005/08/15/kushnirinquiry
Teasing the nobles, and rightfully so!
Catchall accounts are so much fun when a spammer decides to phonebook your site. Abby@yoursite.com, Abby.Adams@yoursite.com, Abby.Alda@yoursite.com, Adelaide@yoursite.com, Adelaide.Adams@yoursite.com, and so forth, just send email to every-name-in-the-phonebook@yoursite.com and some are bound to get through, right? One of my clients got 40-50 thousand emails in one day this way.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
Too bad! This must have actually been working. If you boil it down to money, in order for the SPAM industry to spend time & money to attack, it HAD to have been costing them something (or posing a threat). I think this merely validates this type of response. Good job BLUE! Maybe someone with more guts will pick up the baton.
SpamKing: Stop the blue frogging!
BlueFrog: No. We're doing good here. Our users know we're doing good and they'd know we were doing bad if we caved in to your petty demands.
SpamKing: You can stop it and save face if you tell your users that you realized you were doing wrong and you're closing your doors for ethical reasons.
BlueFrog: No.
SpamKing: Stop it or we'll threaten your users.
BlueFrog: So? If our users are smart enough to use the blue frog, they're smart enough to see thru your threats.
SpamKing: Stop it or we'll kill you after we kill everyone you love.
BlueFrog: Hmmm... Okay.
Support the FairTax
A new protocol will help greatly, but it won't stop the REAL problem which is people shitting in communal waters.
Interesting metaphor. Fact is that public waters tend to be full of shit, and there's nothing we can do about it. Reservoirs are routinely colonized by fish, waterfowl and aquatic arthropods, which eat the plants and each other and shit out the waste. Water supplies can only minimize this; they can't prevent it. So, rather than fighting a hopeless battle and delivering contaminated water, they accept the situation. They try to keep the reservoir somewhat clean, but they also filter and sterilize the water while delivering it.
It's likely that the same situation with email is permanent. Attacks can cut down somewhat on spammers, but like the insect larvae in the reservoirs, there will always be spammers in the internet. Delivering clean email will require filtering and decontamination software. We already have lots of it in place, and it's likely that we will always need it.
There will always be hucksters and scammers out there trying to separate us from our money.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Ironport management finally decided they couldn't play both sides of the street, sold off Bonded Spammer to ReturnPath, and discontinued the "A-series". The A-series supposedly reaches end of life at the end of 2006, so there are probably still supported Ironport engines out there spamming away. After that, the community can consider whether Ironport is a white hat or not.
The users who didn't "sign up for this kind of thing" can quit themselves. I, for one, did sign up for it, and I'm more than a tad pissed that the one obviously functional way to thwart spammers has been removed from my arsenal.
I can think of four possibilities for the real reason Blue Security is offline now:
1) It's a ruse, perpetrated either by BlueSecurity for unknown purposes, or by someone posing as BlueSecurity. http://www.bluesecurity.com/ is still down, so I'm going to wait and see what shakes out.
2) Reshef received enough serious threats against his person, family, friends to be forced out. This is absolutely possible when someone is the spearhead of stopping a less than legitimate flow of money.
3) Reshef took a payoff from the spammer(s). One would hope this wasn't the case, but it has to be considered as a possibility.
4) BlueSecurity's business model wasn't profitable. It costs a lot of money for hosting and internet services, especially when you're the target of DDoS all the time. BlueSecurity could have run out of money.
In any event - someone with big cojones and a crapload of mon-ay, please pick up the ball and run with it.
Web 2.0 == Giant Blogspam Circle Jerk
It's the spammers' CLIENTS that Blue Security is going after.
This is why they got so pissed off in the first place.
Sorry if someone already suggested this, but, why not penalize the companies whose services are advertised in the spam e-mail? Obviously this won't work with the Nigerian scams, but any legitimate company who shows up in spam could be fined. Or in cases of egregious abuse, company officers jailed. Kill the market for spam, and it should be reduced.
The problem of course, is getting worldwide buy-in.
I'm with you! Spam drives me nuts... and I want to do something about... even if it's not legal.
Meh.
I'd like to see Google go on the offensive, too. It should cost too much for Spammers to send out their emails, mostly in bandwidth costs. Isn't there a way to blacklist IPs that send spam? We need a realtime blacklist, and just not allow them to talk on the Internet.
Google, you already have minions of spam haters that aren't on your staff. Use us like a clue-by-four with sharp nails sticking out of one end: make it part of Adsense.
Zhrodague.net - I do projects and stuff too.
Exactly, the spammer bots can generate more emails than the advertised site can handle. Those advertised sites are usually set up on the cheapest hosting account possible, because they expect to get a small number of page hits compared to the actual number of emails sent.
If you must!
The ISPs should just close port 25 by default unless they get a phone request.
Is that so hard to do?
Pin a medal on their chests! That's one less piece of shit filling my inbox.
My patience is infinite, my time is not.
Bastards! They deleted the source files!
Damn guys. You won. Did you have to salt the earth too?
but spam is a problem of traffic
NO! SPAM is a problem of bandwidth STEALING! Spammers are using OUR bandwidth to GAIN MONEY.
Remove one of the two (our bandwidth, or their money) and we'll solve the problem.
We can only hope that politicians in all countries can be shamed into doing SOMETHING REAL about the problem. For one thing any individual that is willing to wage a cyber war of this magnitude should be taken out permanently. Surely the Russian government knows how to do that.
The race isn't always to the swift... but that's the way to bet!
SPAM is _NOT_ a fact of life! It's the symptom of a very serious problem: Lack of computer security, and a bad mail protocol.
If you give up now, you'll end up admitting that stealing, raping, kidnapping and murdering is a fact of life.
It's not. Crimes are to be FOUGHT and our AUTHORITIES are doing NOTHING about it.
All he did was show the spammers that in the end they always WIN. He should have started the war. Period. This spamming crap won't stop until it crashes the net and governments start throwing people in jail for it.
If you're not prepared to go big, don't go at all!
The problem with opening up draconian measures for spam is that it would become the new kiddie porn -- you don't like someone? Plant kiddie porn on their machine, send a tip to the FBI and presto, if they manage to avoid pound-me-in-the-ass prison somehow, they'll be dogged by a ruined reputation for the rest of their lives.
But hey, why stop there if you can whip whole populations into a literally murderous frenzy by getting someone tarred as a spammer?
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
They reportedly were also DNS blackholed first, which isn't good either.
This does not seem to me to be a difficult technical problem
It's not. It's a difficult social problem: getting end users to secure their machines properly. The technical parts of the problem are all pretty easy. It's the meatware that needs upgrading.
//Information does not want to be free; it wants to breed.
It is more plausible that Blue Security just ran out of money. They raised $3m in 2004 - it is entirely plausible, even likely, they burned through all of it. It is a disservice on their part to spin it as some chivalrous act "for the net". They make it sound like the spammers won when it was just VC funding that ran out.
Netcraft confirms it. No, really.
Full details of why can be found here:/ i/its.html
http://dictionary.reference.com/help/faq/language
If you must!
Now they have a huge list of emails to sell.
There are places where the networks are not touching, and there are places where they are-Boeing's Lori Gunter
> I have a catch-all email address set up on my domain - so $anything@$mydomain gets to me.
> [...] a few months ago, some [...] decided to use my domain name in forged From: addresses.
> I now receive on the order of a thousand spams, bounces and assorted related crap per day.
> [...] (Yes, I could switch off the catch-all addressing, but I actually find it useful,
> inconsiderate wankers trying to ruin the entire net for everyone notwithstanding)
I use a Fastmail account.
The Sieve filtering is pretty good so I don't usually get more than a couple of spam messages/day while still being conservative about false positives.
However, the "secondary" spam -- mostly automated replies to forged addresses -- are getting quite annoying.
We will have spam as long as we rely on an email system that relies on the good citizenship of senders. The only fix is a new system where you can't create a new identity just by modifying your email header.
Your argument is flawed, because you have changed the argument; equating "hate" with "admonition" and "love" with "permissiveness". If I correct my child, it does not mean I don't love him or her. Indeed, it's usually the opposite. While some people express their views with hate, others do so because they are genuinely concerned. It is possible to tell someone you think they are doing something wrong without hating them!
Gamingmuseum.com: Give your 3D accelerator a rest.
but it does suggest that this is *one* tactic that *did* hurt the spammers. could we build a distributed system of email boxes that will virally fight back spam? what if all the google, ms, yahoo and other *major* mail servers/softwares agree on one common point: to send back the mail to the originator if it is a junk mail. you might want to mess up with the source address to avoid getting urself validated and added in the :active mailboxes list: though.
but seriously imagine that if all the mailboxes in the world emailed back all junk mail; then the spammers would have one mother lode to take care of.
PharmaMaster is in Russia, right? We create a pay-pal account for donations to the Russian mob to correct the problem. Better yet, the Russian Government.
In God we trust, all others require data.
No shit! We need to start up a "legal defense*" fund for these kids.
*retroactive bounty
It's not offtopic, dumbass. It's orthogonal.
Yes indeed, if you correct your child, then you have a point. If you'll reread my above post, you'll find that I have no problem with god correcting someone's misunderstandings.
My problem is with people who think they understand god's mind better than god does. Who are they to judge? Are they not mortal and fallible? In their own minds, the answer is clearly no, which is all kinds of pride and hubris.
(Sorry for the OT thread hijack, but I've got Karma to burn, and I don't feel like letting this one pass)
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Comment removed based on user account deletion
Possibly true, if the bot is on a per-use line, the ISP doesn't have as much reason to care. However, that isn't the norm. The preferred hack victim is on an unlimited usage high speed connection (which most are). The ideal victim has an asymmetric UP-preferred line, but those are NOT common. Unlimited-high-speed is practically one word in most of the ads I've seen here on the East Coast.
Since the bot tends to be a high-bandwidth user, ISPs do have a strong interest to shut such down when they notice them on an unlimited use line: it's cutting into their profit margin, and benefitting neither the ISP nor their customer. Ideally, they first try less intrusive methods than cutting off the connection for letting a customer know they've been hacked (EG: a phone call, as others have noted). The full ROI is pretty good.
And as you said: Business is Business.
I also think you're too blase about end users dismissing notification that they've been hacked. If a notice apparently from the ISP also says "increased risk of identity theft", most users demonstrably sit up and pay attention. (Admittedly, they don't check whether it really comes from the ISP often enough....)
//Information does not want to be free; it wants to breed.
This was doomed from the start when the service would basically ask the spammers to "stop nicely".
....
These fuckers are pond scum - we need to fight back and fight back with a vengeance. Non-stop DDOS I say
There has to be a penalty for this behavior - asking nicely is not an option
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
Does the federal government remember how to kill a man (or group of men)? It is time to start getting Gitmo bay on these bastards and podcast the video out to others...this is how the US deals with terrorist spammers. HAHAHA. Nothing is wrong with murder and torture as long as its intentions are good.
Junk email is *mostly* free. That is, you usually don't have to pay someone real money to send 1 email vs. 100,000 emails. So let's make spamming be a theft of services offense at the very minimum, but preferably a felony (grand-theft-bandwidth?). Since it is an international problem, get countries to sign treaties allowing the extradition of potential offenders (with the appropriate documentation, of course). Then have the CIA set up a third world country to handle the court system and prisons for this type of offense prosecution and incarceration, with humanitarian aid from the US and other countries to fund the infrastructure. I think that most spammers would be hesitant to spam if it meant 8 to 20 years of hard labor in a Turkish prison.
My first reaction was to email all the TV news outlets in my area with a link to the Washington Post article and a summary of what's been going on, asking them to educate the public as to what is going on. I'd encourage other slashdotters to do likewise.
If people don't see that 1) not doing anything about a virus on their computer and 2) the internet operating more slowly are connected, we'll never get rid of spam/spam-bots.
JGG
What can we do now?
My guess at this point is that some physical threat was made to the owners/operators of the company. Probably surveillance photos of their houses/kids/spouses or something along those lines. They seemed so gung ho right up to this point, and I cannot imagine what changed so suddenly to reverse their position.
Spammers and organized crime have been in bed together for quite a while, would this really be a surprise?
Finkployd
Or the lack of public outrage may indicate that /. is just full of whining, bored nerds looking for some moral ranterbation.
They can have my command prompt when they pry it from my cold dead fingers.
I bet most people wouldn't know this seemingly urban myth...that water is NOT always good to fight fire with, particularly when:
1. the accelerant base is excessively fluid, in which water would only spread the fire.
2. In vacuum or space, water gets vaporized. Fire-fighting in space must be a new science here.
3. In deep ocean, nothing burns for too long.
4. fire is WAY WAY too hot (not normally found in nature, but magnesium fire is one), in that case, the water BECOMES the fuel with continuous splitting of water molecules at that ultra-hot zone plus recombinant energy from refusion in colder zone.
Hey NASA? Would that make a new jet engine using compressed (deep ocean) water as a compacted, cheap and efficient fuel storage? Need to kickstart this, somehow? Oh, wait, it's called Tomahawk fusion... drat...
NB: This message is more or less a scratchpad of my thoughts about this subject. I don't think I have attacked your problem properly, but it does propose some countermeasures against rampant DDoSing.
;-))
With bluefrog:
You send all your spam to a central authority (bluesecurity). They do some stuff to group spammails into clusters. Those clusters are then analysed by hand. The spammer is warned. The cluster gets a URL of the spammers server attached to submit complaints to. When the spammer doesn't comply within X days, everybody who sent a mail for that spammail-cluster is told the URL and how many mails they sent. These people then send as many complaints to that URL as they received spams (1 spam -> 1 complaint).
The latter part is handled by the personal(!) bluefrog client on behalf of the people that use bluefrog. The first part of the chain is either initiated by the user or an automated spamfilter, so this is also on the user side.
With a P2P approach:
The middle part was centralised, and therefore attack-prone. I have been thinking about ways of decentralising the spammail clustering. There ought to be a way for a client to learn what other clients have received the same spam-message. For example by doing DHT lookups on hashes of chunks of spam messages (doh!).
Attaching a URL to send complaints to could then be handled by requesting several users in the cluster to find an appropriate form on the spammer's website. Clients that have concluded that they are talking about the same spam mails could then use this URL too (that's somewhat the dangerous part, indeed..). If the verification of mail similarity is done right, a spammer that wants to use the network to DDoS can only generate as many complaints as he is sending spams. Which means that spoofed complaint URLs have less of a bad effect on innocent bystanders, though it does cripple the effectiveness of the network.
But how do you handle malicious clients that try to overload the lookup network, try to spoof wrong complaint URLs into the network, etc. etc.? I know lots of research has been done in this area. It's not an easy thing to tackle. Basically (*cough*) you need to code the clients so they try to maintain goodness in the social network.
There are already several companies that track the spammyness of websites. You could use that to weed out bad complaint URLs (measure of badness). And good complaint URLs are probably URLs in the same domain as URLs mentioned in the spam. Or the complaint webpage should contain (the same) spammy words as the ones in the mail (measure of goodness).
Hmm, I think I forgot the central authority needed for the do-no-intrude registry. Are there algorithms to build a large list whereby nobody understands other parts until everything is brought together? Which comes to the point that if everyone in your cluster is an attacker, they will know it was you anyways. Which isn't even that bad, because they already knew you were the only non-attacker.
Or you just trust on the fact that a centralised do-no-intrude registry is so loosely coupled with the success of the anti-spam network that it won't be attacked..
Conclusion: Blah.. whatever.. probably impossible to fully decentralise.. (or ask the freenet developers
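The clustering and the safeguards sketched in the post above (chunk hashes looked up in a DHT, complaint URLs tied to domains named in the spam, one complaint per spam received), as an added example that is not part of the original post and not Blue Security's code. The in-memory `ToyDht`, the 5-word chunk width, the 50% overlap threshold and the two-peer quorum are assumptions chosen for illustration; the mail samples are constructed.

```javascript
// Added illustration; the DHT is an in-memory stand-in and all names are hypothetical.
const { createHash } = require('crypto');

// Only truncated hashes of chunks are published, never the mail text itself.
const sha = (s) => createHash('sha256').update(s).digest('hex').slice(0, 16);

// Overlapping 5-word chunks: mail that differs only in a greeting or a random
// token still shares most of its chunk hashes with the rest of the spam run.
function chunkHashes(body, width = 5) {
  const words = body.toLowerCase().replace(/[^a-z0-9.\s-]/g, ' ').split(/\s+/).filter(Boolean);
  const hashes = new Set();
  for (let i = 0; i + width <= words.length; i++) {
    hashes.add(sha(words.slice(i, i + width).join(' ')));
  }
  return hashes;
}

class ToyDht {
  constructor() { this.table = new Map(); } // chunk hash -> ids of clients that saw it
  publish(clientId, hashes) {
    for (const h of hashes) {
      if (!this.table.has(h)) this.table.set(h, new Set());
      this.table.get(h).add(clientId);
    }
  }
  lookup(hash) { return this.table.get(hash) || new Set(); }
}

// Peers that published at least `minShare` of my chunk hashes got the same spam.
function findCluster(dht, myId, myHashes, minShare = 0.5) {
  const shared = new Map();
  for (const h of myHashes) {
    for (const peer of dht.lookup(h)) {
      if (peer !== myId) shared.set(peer, (shared.get(peer) || 0) + 1);
    }
  }
  return [...shared].filter(([, n]) => n / myHashes.size >= minShare).map(([peer]) => peer).sort();
}

function hostsInBody(body) {
  return new Set([...body.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase()));
}

// "Measure of goodness" from the post: a complaint URL counts only if its host
// is one advertised in the spam (or a subdomain of it) and enough distinct
// cluster members proposed it. Anything else is treated as a spoofed target.
function chooseComplaintUrl(proposals, body, quorum = 2) {
  const advertised = [...hostsInBody(body)];
  const votes = new Map();
  for (const { peer, url } of proposals) {
    let host;
    try { host = new URL(url).hostname.toLowerCase(); } catch { continue; }
    if (!advertised.some((a) => host === a || host.endsWith('.' + a))) continue;
    if (!votes.has(url)) votes.set(url, new Set());
    votes.get(url).add(peer);
  }
  const best = [...votes].filter(([, peers]) => peers.size >= quorum)
    .sort((a, b) => b[1].size - a[1].size)[0];
  return best ? best[0] : null;
}

// The 1 spam -> 1 complaint rule, enforced locally by every client.
class ComplaintLedger {
  constructor() { this.received = 0; this.sent = 0; }
  recordSpam() { this.received += 1; }
  mayComplain() {
    if (this.sent >= this.received) return false;
    this.sent += 1;
    return true;
  }
}

// Constructed sample mail (not real spam).
const SPAM_A = 'Dear friend, cheap replica watches shipped worldwide today, order at http://watches.example/buy now';
const SPAM_B = 'Hello pal, cheap replica watches shipped worldwide today, order at http://watches.example/buy now';
const HAM = 'Minutes from the Tuesday meeting are attached, please review before Friday';

function demo() {
  const dht = new ToyDht();
  dht.publish('alice', chunkHashes(SPAM_A));
  dht.publish('bob', chunkHashes(SPAM_B));
  dht.publish('carol', chunkHashes(HAM));
  const cluster = findCluster(dht, 'alice', chunkHashes(SPAM_A));
  const url = chooseComplaintUrl([
    { peer: 'alice', url: 'http://watches.example/contact' },
    { peer: 'bob', url: 'http://watches.example/contact' },
    { peer: 'mallory1', url: 'http://bystander.example/form' }, // spoofed target
    { peer: 'mallory2', url: 'http://bystander.example/form' },
  ], SPAM_A);
  return { cluster, url };
}
console.log(demo());
```

The host check does nothing against a spammer who puts a bystander's URL into the spam itself; as the post notes, what bounds that case is the ledger, since complaints can never outnumber the spam actually received.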
As I read the article it occurred to me that the spammers won mostly because of one thing. Blue Security was centralized. If a similar service operated in a manner similar to a BitTorrent where each client was also a mini-server could an attack succeed? The problem that I see here is that the mini-servers would still need to be controlled and would need to have some sort of remote update ability. It would I suppose also be difficult to keep them all adequately synchronized - but would these problems be insurmountable? I'd think not but I am no expert. I'd think the old Kazaa client would be a good example to start from...
The possibility that it would be difficult to profit from something like this may be more of a problem than the technical challenges. Maybe this makes it an ideal candidate for open source? Again, I am no expert. I really am hoping to spur some discussion more than anything else.
"I don't know how the new one should work, but I'm sure a lot of people have ideas on how to do it."
Will the lot of people with ideas please come forward? We have some work for you.
I like toast!
This wasn't their business model. They were a front for spammers, helping them listwash. The whole DDoS thing was just a way to get publicity, get more addresses and an excuse to get out before they were caught.
No, I don't really believe that, but who's to say?
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
The question is, are you giving them the way out, or are you leading them into damnation? You're assuming that your interpretation is the only possible true interpretation, and that therefore you have the right & duty to enforce that interpretation on people who disagree with you. That is incredible hubris.
In the modern day, we see a lot of people judging and throwing stones, and claiming that they're right to do so. Now, I'm no biblical scholar, but I'm pretty sure that both the OT and the NT are pretty specific about people usurping the prerogatives that belong to god.
Let me be blunt: It is not given to you to be judge and jury to your fellow man. No one appointed you the sole keeper of god's laws, and nothing makes your interpretation of those laws superior to another's.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
[raised specter of attacking a non-spammer victim by] whip[ping] whole populations into a literally murderous frenzy by getting someone tarred as a spammer?
Criminal justice STARTS from vigilantism and revenge: In the absence of effective law enforcement and the presence of repeat offenders, people will act individually or in groups to hunt down the repeat offenders and punish or kill them, to create a disincentive to commission of more offenses (at least in that area and to those victims), or eliminate the offender.
(Note that this is distinct from self-defense resistance to a crime in progress. Self-defense becomes vigilantism once the perpetrator is out of sight.)
But such do-it-yourself activity has downsides. Sometimes the wrong person is targeted - especially if the crime was heinous and emotions are high. Sometimes penalties are excessive. Sometimes some "leader" uses the mechanism to commit crimes of his own. And always there's an uncertainty about exactly what constitutes enough of a "crime" to rouse the hue and cry.
So governments formalize the process. They establish a list of what's permitted and what's not. They establish rules for identifying and accusing perpetrators. They may designate people to do this, and/or define how much of the process designated and ordinary people may do. They establish mechanisms for determining guilt or innocence - and may designate people to perform this. They establish schedules of punishments.
And they generally claim a monopoly on this, forbidding the freelance form.
People will generally go along with this as long as it's working at least moderately well. Though a particular government's version of this formalized vigilantism may have any or all the problems of the ad-hoc sort, it tends to have less of them - and it's out in the open so it can be debugged.
But when someone is repeatedly imposing damage on others, government refuses to do anything about it, and the problem keeps recurring and escalating, people will fall back on the informal form of "justice".
That's the situation we have now, with spam.
Now government is apparently keeping its hands off mainly to try to avoid regulating the internet - because it has recognized that this flock of geese is laying a MOUNTAIN of golden eggs and they don't want to risk killing it. So the regulators are foot-dragging as much as possible, to see if some non-regulatory solution can be achieved.
Unfortunately, the organized spam/malware gangs are a pack of predators that are starting to decimate the flock.
So don't be surprised if a continued governmental hands-off of this problem leads to vigilantism - in increasing amounts and number of forms - first in the virtual world, then in the real one.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
That's one. It will take at least two.
(Given that the police are saying this one may be unrelated to spamming, it may take at least two MORE.)
Hiroshima showed Japan that the US COULD make and deliver a nuclear bomb.
The Japanese generals knew what it was, because they were working on one themselves. At that point, many of them thought the war was lost, and were prepared to surrender. But some of them argued that collecting and processing the necessary materials was such an effort that the US probably only HAD one and wouldn't have a second for a long time.
Nagasaki showed Japan that we had more than one. This left open the possibility that the US might be able to keep this up - once a month, once a week, once a day, once an hour - until Japan was all rubble and slag. So enough of the rest threw in the towel, too, for Japan to submit without total loss of honor - and thus drastically cut the loss of life on both sides.
A deterrent doesn't deter until there is reasonable expectation that it may occur. One dead spammer - who may be dead for other reasons than spamming - might make them think a little. But it will take at least two dead spammers - unambiguously dead because of their spamming - to provide enough datapoints for the intelligent among the pack to start including it in their cost-benefit analyses.
Please note that I'm NOT advocating the wholesale and gory murder of spammers. I'm just noting that, if that DOES end up being the solution (or even a component of it), it won't be limited to one bloody corpse.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The article should have said, "The spammer, with the help and complicity of Microsoft via its legions of insecure computers, launched a DOS attack."
When I first heard about Blue Security's idea it sounded very cool. ... in order to fill the database with crap.
Blue Security's idea is to submit bogus entries for input fields like name, address,
However, what do you do if the website has a captcha on the order form?
You are pretty much f*cked up.
I wanted to check it out with real life spam.
So, I opened my spam folder and chose the first spam email from this list.
Visited the website advertised here and looked for the order form.
And here it was: a really hard captcha.
Use digital signatures and throw out all unsigned mail and all mail signed by anyone you don't trust.
Unsigned email will disappear, and I bet it will happen in a 6 month window some time in the next 3 years.
In Free America, Spammers legislate to get the shit beat out of angry citizens!
I can't honestly say that I feel saddened by this. It's a shame they didn't simply crush his hands or something though. Let him live a miserable life without the ability to control a computer with ease.
If Em believes that his interpretation a) asserts itself to be the only true interpretation (possibly true? wtf do you mean by that? It is either true or it is not.) and b) demands that he act in a certain manner, whether or not some other people see his actions as "enforcing his interpretation on others", then it would be bloody stupid for him not to act in that particular manner.
If you're going to argue against a particular set of beliefs, you must begin with all the assumptions, moral and otherwise, of that set of beliefs. Taking a set of beliefs which calls for evangelism as a virtue to be practiced, and denouncing it on the grounds that "You're enforcing your beliefs on someone else!!" is just bad reasoning. Someone who holds that set of beliefs obviously doesn't think that enforcing his/her beliefs is wrong. You might try persuading him/her that enforcing beliefs is wrong, but just saying it doesn't make it so.
On the other hand, it would appear that you do think that enforcing beliefs is wrong. Thus, you prohibit yourself from telling the first person (who perhaps thinks enforcing beliefs is right) to stop, because that would be enforcing your own beliefs on him/her. Now then, of course, if your beliefs include some double standard, which is perfectly plausible, although rare, then that is fine, you are perfectly consistent. For that matter, you could exclude the double standard, so long as you also excluded the principle of non-contradiction. That is perfectly fine.
I just wanted to make sure that you had thought about things and were certain that your system of morals, which appears to tell you that anyone enforcing their beliefs on someone else is wrong, does not condemn your own actions.
nothing makes your interpretation of those laws superior to another's.
So what makes whatever interpretation of "those laws" that allows you to say this superior to his?
One more question: Does this come under the heading of me enforcing my beliefs on you, or me enforcing your beliefs on you?
SIGSEGV caught, terminating
wait... not that kind of sig.
I admire their plan of spamming back spammers, but the spammer body is bigger than Blue Security's. They died honorably for this cause.
Opt out a single request (your blurry-hashed e-mail). This way the P2P network can concentrate on the logic of "if" and "how" a server should be requested.
In my journal (see below) we're discussing approaches to decentralize blue frog.
Looks like the spammers are continuing their attacks against Blue Security, even after it threw in the towel. This from The Post's Security Fix blog:
"Hours after anti-spam company Blue Security pulled the plug on its spam-fighting Blue Frog software and service, the spammers whose attack caused the company to wave the white flag have escalated their assault, knocking Blue Security's farewell message and thousands more Web sites offline.
Just before midnight ET, Blue Security posted a notice on its home page that it was bowing out of the anti-spam business due to concerted attacks against its Web site that took millions of other sites and blogs with it. Within minutes of that online posting, bluesecurity.com went down and remains inaccessible at the time of this writing.
According to information obtained by Security Fix, the reason is that the attackers were hellbent on taking down Blue Security's site again, but had trouble because the company had signed up with Prolexic, which specializes in protecting Web sites from "distributed denial-of-service" (DDoS) attacks."
More here.
...because you never know who you're dealing with.
I'm sorry but BS wasn't solving the problem, despite your desire that it would
The evidence simply doesn't support your assertion - unless you are claiming that the spammers retaliated against Blue Security despite the fact that BS's activities were not affecting the spammers.
My next sig will be ready soon, but subscribers can beat the rush
Interesting point. I am not, as you seem to be suggesting, an ethical relativist. On the other hand, Christian dogma is so amazingly fragmented it would be difficult to attribute anything like a consistency of belief across the whole of the religion.
My point, thus, is that, where there is doubt, there should be circumspection. I've never heard a defense of murder, for example, that would appeal to a rational audience. On the other hand, biblical passages have in times past been used to justify murder, for example, the Salem Witch Trials.
Now while I hold that anyone who feels strongly that witches should be burned has every right to that belief, I strongly object when they try to impose that belief on a world that disagrees. Likewise with the modern evangelical tradition of deciding, arbitrarily, on what constitutes the truth, and then attempting to force that belief on all and sundry. They would certainly expect their beliefs to be honored...indeed recent history can be conclusively shown to demonstrate a tendency on the part of evangelical christians to hysterically denounce any and every action that they feel impinges on the fullness of their belief (e.g. the "Holiday Tree" debate, and others).
Now, historically, there has been a way around this impasse of beliefs that I'm going to refer to as laws, which, for the purposes of discussion, we can think of as "enforceable beliefs" that are agreed on by people who otherwise have different belief structures. Now recently, the evangelical types have taken to thinking of any "belief" (be it legal, moral, logical, or scientific) that runs counter to their own beliefs as less valid, and, indeed, a purely personal attack on their correct beliefs.
Now my argument, if you would call it thus, is simply to point out that, with so much disagreement on the fine points as it were, of their beliefs, it would be wise for them to accept, with some Christ-style holy humility, that other people are also entitled to beliefs, before their hysterical intolerance breeds domestically the very same problems we see all over the world.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
The basic problem with most anti-spam systems is that they allow by default, and have a list of things to block, instead of blocking all, and a list of things to allow.
A shared whitelist system would be better, where you can share your whitelist with your contacts, or download whitelist catalogs from authenticated sources. In the p2p whitelist, each step of propagation would increment a counter so that it could only spread 'N' degrees, while the whitelist catalogs would have digital signatures for the package. And of course the list wouldn't contain actual e-mail addresses, but instead hashes of them.
Yes, the Whitelist would be huge, but, it would be much smaller than the Blacklist!
Another way would be to start a private mail network; large corporations that send mail to each other would probably appreciate a special authentication, when an employee of Dell sends an e-mail to an employee of Microsoft, the businesses could afford a separate e-mail 'universe' unconnected to the general internet (Which would help protect trade secrets, special deals, etc from prying eyes) entry to the system would be by posting a multi-thousand dollar bond to an escrow fund, which may be forfeit if the exclusive semi-private network is abused, but refunded if the organization leaves on good terms.
Another easy system would combine whitelists with a small challenge, such as requiring the sending computer to determine the square root or factors of a 1000 digit number, or some other task that requires a few seconds of CPU effort, to slow down spam a lot. And if the sender's e-mail software can't handle it, a human readable CAPTCHA image as an auto-reply, with a correct answer allowing access.
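The hop-limited whitelist of address hashes and the CPU challenge for unknown senders described in the post above, as an added example that is not part of the original post. It swaps the post's "factors of a 1000 digit number" for a hash-based puzzle (find a counter whose SHA-256 digest has a set number of leading zero bits), because that is cheap for the receiver to verify; class names, the 12-bit difficulty and the addresses are assumptions made up for the example.

```javascript
// Added illustration, not code from the thread. All names are hypothetical.
const { createHash, randomBytes } = require('crypto');

// Whitelists carry hashes of normalised addresses, never the addresses themselves.
const hashAddr = (addr) => createHash('sha256').update(addr.trim().toLowerCase()).digest('hex');

class Whitelist {
  constructor(maxHops) {
    this.maxHops = maxHops;   // the 'N' degrees a shared entry may travel
    this.entries = new Map(); // address hash -> hops from whoever vouched for it
  }
  addContact(addr) { this.entries.set(hashAddr(addr), 0); }
  allows(addr) { return this.entries.has(hashAddr(addr)); }
  // Each step of propagation increments the counter; spent entries stay home.
  exportForPeer() {
    const shared = [];
    for (const [hash, hops] of this.entries) {
      if (hops + 1 <= this.maxHops) shared.push({ hash, hops: hops + 1 });
    }
    return shared;
  }
  // Input from a peer is untrusted: drop malformed hashes and over-limit counters.
  importFromPeer(shared) {
    let added = 0;
    for (const { hash, hops } of shared) {
      if (!/^[0-9a-f]{64}$/.test(hash)) continue;
      if (!Number.isInteger(hops) || hops < 1 || hops > this.maxHops) continue;
      const known = this.entries.get(hash);
      if (known === undefined) added += 1;
      if (known === undefined || hops < known) this.entries.set(hash, hops);
    }
    return added;
  }
}

function leadingZeroBits(digest) {
  let bits = 0;
  for (const byte of digest) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24; // leading zeros inside the first non-zero byte
    break;
  }
  return bits;
}

const powDigest = (challenge, sender, counter) =>
  createHash('sha256').update(`${challenge}:${sender}:${counter}`).digest();

// Sender side: brute force, about 2^bits hashes on average.
function solveChallenge(challenge, sender, bits) {
  for (let counter = 0; ; counter++) {
    if (leadingZeroBits(powDigest(challenge, sender, counter)) >= bits) return counter;
  }
}

// Receiver side: a single hash.
function verifySolution(challenge, sender, counter, bits) {
  return Number.isSafeInteger(counter) && counter >= 0 &&
    leadingZeroBits(powDigest(challenge, sender, counter)) >= bits;
}

class MailGate {
  constructor(whitelist, bits) { this.whitelist = whitelist; this.bits = bits; this.pending = new Map(); }
  receive(sender, proof) {
    if (this.whitelist.allows(sender)) return { verdict: 'accept' };
    const challenge = this.pending.get(sender);
    if (challenge && verifySolution(challenge, sender, proof, this.bits)) {
      this.pending.delete(sender); // each challenge buys exactly one delivery
      return { verdict: 'accept-after-work' };
    }
    const fresh = randomBytes(16).toString('hex');
    this.pending.set(sender, fresh);
    return { verdict: 'challenge', challenge: fresh, bits: this.bits };
  }
}

function demo() {
  const [alice, carol, dave, erin] = [1, 2, 3, 4].map(() => new Whitelist(2));
  alice.addContact('bob@example.org');                           // constructed address
  carol.importFromPeer(alice.exportForPeer());                   // hop 1
  dave.importFromPeer(carol.exportForPeer());                    // hop 2
  const reachedErin = erin.importFromPeer(dave.exportForPeer()); // hop 3 is never exported
  const gate = new MailGate(dave, 12);
  const known = gate.receive('Bob@Example.org').verdict;
  const first = gate.receive('stranger@example.net');
  const counter = solveChallenge(first.challenge, 'stranger@example.net', first.bits);
  const second = gate.receive('stranger@example.net', counter).verdict;
  const replay = gate.receive('stranger@example.net', counter).verdict;
  return { reachedErin, known, first: first.verdict, second, replay };
}
console.log(demo());
```

An unsalted hash only hides an address from casual reading: anyone who can guess the address can confirm it is on the list. The hop counter also bounds only honest spread, since a peer can understate it.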
His post was much more articulate. Also, I would have to say that, if you were trying to say the same thing, you failed utterly.
His point was that my point contained a logical inconsistency, whereas your point, and correct me if I'm wrong here, was that preaching to everyone who one would happen to meet on the streets was a moral imperative, and the refusal of the passerby to listen would necessarily encompass the destruction of their nation, or a 40' drop, depending.
While I view his post as a bit of a logical nit-pick, as he is clearly willfully missing my point of tolerance, I view your post as a good example of the sort of obstinate "I'm right and you're wrong" arrogant, and intractable belief system that I'm talking about. God very clearly spelled out his command to Israel in the OT, and they skipped it, and paid the price. Well and good.
I am unaware of any modern commands so explicitly laid out. All modern imperatives, in fact, seem to be originating with a group of intolerant demagogues who remind me much more of Pharisees than Christians, who preach out of temples with built-in ATMs and gift shoppes, while claiming, with no sense of shame, to be in complete understanding of the mind of god.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Laws only help if the spammers all live within the same jurisdiction as the lawmakers, can't move around much, and are easy to trace. They don't, and they're not, and the Internet and cheap foreign corporations make it easy to move to anywhere in the world without leaving home so that even if they do get caught, the perp that gets caught is just a paper shell corporation in a file-drawer, not the cracker in his double-wide who's the stockholder.
Spam laws mainly let politicians claim to be Doing Something, and they at best encourage spammers to do a better job of hiding, so it's harder to identify and block their stuff (though filters and blocklists do the same thing.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The real subtle nasty DDOS attacks, of course, are the ones that use the structure of the target's site, e.g. filling out the target's forms with bogus information, which takes much less bandwidth to make a much bigger impact than simple shutdown. This is what Blue was doing - I hope now that they've had to stop, that they'll at least publish a good story about it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Where do we send the payment? Somebody needs to set up a website for this.
Meh.
If you re-read my post, you'll notice that I never said I agreed with it, just that it was a solid argument within the worldview it was espousing.
And for the record, I tend to agree with you on your last paragraph. For Bible-based Christians, the last imperatives were: "Love YWH your God with all your heart," "Love your neighbour as yourself" and "Go and make disciples of all nations, baptizing them in the name of the Father, the Son, and the Holy Spirit." Anything extrapolated beyond that is open to debate.
Plus, if you don't believe the Bible is the Voice of God, then EVERYTHING in that world view is open to debate. Including tolerance being the right solution.
Darn it, I submitted the story to SlashDot last night around 1am EST (May 17th) but guess my copy writing was not good enough (sigh)
Help poke pirates in the eyepatch, arr.
I have a simple, foolproof idea to help eliminate spam.
Email certification.
If you want to be able to send Certified Email (CE), you apply for Certification from the company that gives you internet connectivity. They check you out, and 'Certify' you as being a legitimate emailer (ie: not a spammer). Then, you generate a private/public key pair and give them the public one. In the headers of all your email, is their certification, and an encrypted header line that's created using your private key.
When email arrives at the recipients server (or this could be done at the client level, as well), the server sees the certification, and connects to the certifying server to get your public key. It attempts to decrypt the header line. If it does it marks the email as 'certified', if it cannot, it marks the email as 'uncertified', and the email client can be programmed to filter messages based on that.
Due to the public/private key cryptography, there can be no certified email spoofing. (Assuming the private keys are secure, the keys are of decent length, etc.) All emails are traceable back to the originating server. CORRECTION- all CERTIFIED emails are traceable. Anonymous email is still possible. People can still set up email servers for mailing lists without "having" to get them certified. And people can still receive non-certified mail.
If an email server sends out spam, the complaints go to its certifier. They can drop the certification, deleting the public key from their server. When this happens, ALL the email from the spamming server is now 'uncertified', and gets handled accordingly by email clients. If nothing is done, complaints go to THEIR upstream, etc. Individuals and groups can keep their own blacklists, if they wish, and anyone can choose to filter emails according to those lists.
Now, I've looked over that 'form email' that people like to post to shoot down anti-spam ideas. And nothing applies to this idea. (If something seems to apply, it's because I either left out details, or explained something wrong.) This idea does NOT need to be universally adopted, nor does it need to be adopted by everyone all at once. It's primarily a way of reliably tracing (certified) emails back to their originating server. The anti-spam part comes later: if you receive certified spam, complain and get the server un-certified. If you receive un-certified spam... well, just have your email client dump all uncertified emails in the trash. (Not necessarily, you could just use its un-certifiedness as a factor in filtering your email.)
This idea does not require anything be changed with SMTP. It simply requires a second connection be made to the certifying server. Now, before you bitch about the extra bandwidth, I'd like to remind you that, once this idea catches on, spam will be greatly reduced. This reduction will MORE than make up for the slight increase in bandwidth created in querying the certifying servers. Also, the certifying servers can set time limits on when the certifications expire, and need to be re-downloaded (kind of like DHCP leases). A 'new' company that just applied for certification might have its certificate set to expire almost instantly. This way, every email they send requires a download of the certificate. This allows the certificate to be pulled rapidly if they start spamming. After a month or two, it could be set to expire weekly or monthly.
To sum up: Email Certification is a reliable way of tracing the certified emails back to their originating server. This allows spammers to be identified unequivocally, and have their certification pulled. Email servers are NOT required to be certified, and anonymous email is still possible. Email recipients can, if they choose, set up their client to send uncertified emails to the trash, or to handle them however they wish. White lists and black lists are still possible. 'Hobby mailing lists' are still possible, certified or not. The extra bandwidth is minimal, and easily overshadowed by the reduction in spam being sent once spammers realize no one is even seeing, much less reading or replying to their spam.
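The certification flow proposed in the post above (sender signs a header, receiver fetches the public key from the certifier, keys are cached for a lease period, revocation deletes the key), as an added example that is not part of the original post. The header names, the Ed25519 key type and the choice to sign sender, recipient, date and a body hash are assumptions made here; the post does not say what the signed header covers. The message is constructed.

```javascript
// Added illustration, not code from the thread. Header names are hypothetical.
const nodeCrypto = require('crypto');

const sha256hex = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');

// Assumption: the signature covers sender, recipient, date and a body hash.
// A signature over a fixed string could be copied onto any other mail.
const canonical = (m) => [m.from, m.to, m.date, sha256hex(m.body)].join('\n');

// The certifier (e.g. the sender's ISP) stores public keys and a lease time.
class Certifier {
  constructor(name) { this.name = name; this.records = new Map(); this.queries = 0; }
  certify(serverId, publicKeyPem, ttlSeconds) { this.records.set(serverId, { publicKeyPem, ttlSeconds }); }
  revoke(serverId) { this.records.delete(serverId); }
  lookup(serverId) { this.queries += 1; return this.records.get(serverId) || null; }
}

function signMessage(msg, serverId, certifierName, privateKey) {
  const signature = nodeCrypto.sign(null, Buffer.from(canonical(msg)), privateKey).toString('base64');
  return {
    ...msg,
    headers: { 'X-Certified-By': certifierName, 'X-Cert-Server': serverId, 'X-Cert-Signature': signature },
  };
}

class Receiver {
  // `certifiers` maps certifier name -> Certifier; `now` is injectable for tests.
  constructor(certifiers, now = () => Date.now()) {
    this.certifiers = certifiers;
    this.now = now;
    this.cache = new Map(); // "certifier/server" -> { publicKeyPem, expires }
  }
  keyFor(certifierName, serverId) {
    const id = `${certifierName}/${serverId}`;
    const hit = this.cache.get(id);
    if (hit && hit.expires > this.now()) return hit.publicKeyPem; // lease still valid
    this.cache.delete(id);
    const certifier = this.certifiers.get(certifierName);
    const record = certifier ? certifier.lookup(serverId) : null;
    if (!record) return null; // unknown or revoked
    this.cache.set(id, { publicKeyPem: record.publicKeyPem, expires: this.now() + record.ttlSeconds * 1000 });
    return record.publicKeyPem;
  }
  classify(msg) {
    const h = msg.headers || {};
    if (!h['X-Certified-By'] || !h['X-Cert-Server'] || !h['X-Cert-Signature']) return 'uncertified';
    const pem = this.keyFor(h['X-Certified-By'], h['X-Cert-Server']);
    if (!pem) return 'uncertified';
    try {
      const key = nodeCrypto.createPublicKey(pem);
      const sig = Buffer.from(h['X-Cert-Signature'], 'base64');
      return nodeCrypto.verify(null, Buffer.from(canonical(msg)), key, sig) ? 'certified' : 'uncertified';
    } catch {
      return 'uncertified'; // malformed key or signature
    }
  }
}

function demo() {
  const clock = { ms: 0 };
  const isp = new Certifier('isp.example');
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  isp.certify('mail.sender.example', publicKey.export({ type: 'spki', format: 'pem' }), 3600);
  const rx = new Receiver(new Map([[isp.name, isp]]), () => clock.ms);
  // Constructed message.
  const plain = { from: 'a@sender.example', to: 'b@rcpt.example', date: '2006-05-17T12:00:00Z', body: 'Lunch on Friday?' };
  const signed = signMessage(plain, 'mail.sender.example', isp.name, privateKey);
  const results = {
    signed: rx.classify(signed),
    unsigned: rx.classify(plain),
    copiedHeader: rx.classify({ ...signed, body: 'Constructed spam body' }),
  };
  isp.revoke('mail.sender.example');        // certifier pulls the certification
  results.duringLease = rx.classify(signed); // receiver still trusts its cached key
  clock.ms += 3600 * 1000 + 1;               // lease runs out
  results.afterLease = rx.classify(signed);
  results.certifierQueries = isp.queries;
  return results;
}
console.log(demo());
```

The `duringLease` result is the cost of the DHCP-style lease: a revoked sender stays certified at every receiver until its cached key expires, so lease length is a direct trade between certifier load and how fast a certification can be pulled.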
someone got paid.
What if you made the ISP through which an email is sent automatically sign each email? That removes the burden from the uninitiated user. The ISP could even have a different key per MAC address. Now you plunk any email that is not automatically signed, or is signed with a key that has been voted on as being an infected machine. Google or yahoo or each ISP could do that for you too. How many botted machines are there in the world? 100k? 500k? Not so many that you couldn't do this.
Then the question is would the ISPs make money from this (ie be motivated to make this effort)? Charge a little extra for the verification, and access to the latest votes on who is a source of spam. ISPs would be motivated to opt into the system to get more customers, and to make it possible for their customers to send trustable emails.
Who is harmed? Only guys that have infected machines. They will wonder why they can't seem to send anyone emails. Or they send it from their yahoo account.
Maybe the do not spam list guys should sponsor such a system.
And how do you propose to make this certification relevant? If, say, only 50% of the people you want to receive emails from have got certified by their ISP, then dropping spam based on that method, even with massive (50% of relevant end users) deployment, dropping emails based on this would give a 50% false-positive rate. Given that false positives are much more costly than false negatives, and that most companies need to receive emails from a relatively wide segment of the population, this seems that it would be harmful for most corporate users.
In addition, it would seem to lock out users who have to spoof their from field when sending from a corporate account through their residential ISP.
Additionally, many users would find the burden of obtaining personal certification and configuring signing in their mail client to be beyond them, while many others would simply find that their mail client does not support the protocol. Remember, a lot of people still use hotmail, so you can't just pull the plug on a large service at will.
Then there are organizations that also offer webmail access - they would have to store both public and private keys on their server, which is just a plain silly thing to do with an asymmetric encryption system.
Also, you've got the minor issue of all of those certified senders that just don't know that they're sending out massive amounts of certified spam because they're running a bot that uses their own mail settings.
Oh, and of course there is the minor problem of just who would issue the certifications. Passing the buck on to the ISP is convenient, until you realize two things: first, that the ISP already has the ability to TOS spammers, and second, that if an ISP won't do this, they're not likely to bother pulling the user's certification. This, of course, only leads up to the other question of whether you intend that every mailserver be its own signing authority, in which case the whole system is just a broken designated-sender system, or if you intend, as it appears, a system of delegated certification, in which there must logically be one or more authoritative root signing authorities. In the latter case, you'd have to justify the cost of running the signing authorities, and the cost of this certification that would gain next to nothing, and find a way that, should spammers actually be inconvenienced by this, they wouldn't just set up a fake entity, buy a certificate from Thawte, Verisign, etc. or their equivalent, and sign for a whole slew of their friends?
Plus, of course, there's the fact that you would need to avoid action on false reporting, or someone might just complain about your own domain. Gee, nec.com is suddenly no longer certified?
In conclusion:
Your post advocates a
(*) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(*) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(*) It will stop spam for two weeks and then we'll be stuck with it
(*) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
(*) Requires too much cooperation from spammers
(*) Requires immediate total cooperation from everybody at once
(*) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(*) Lack of centrally controlling authority for email
You are standing in an open server west of a blue house, with a boarded front door. There is an Exchange mailbox here.
Well, yay.
Terrorist thugs get themselves shut down. No one cries.
These people were not solving spam; they were making the problem worse in a way that let people delude themselves into thinking it mattered. They were not contributing, and the essential problems with their model were first sorted out and identified probably in 1997 or so. Maybe 1998. It wasn't a new idea, and it wasn't a good idea. I am very glad that they are gone.
Please don't reinvent it. You can't fix the fundamental problems, all you can do is waste more bandwidth accomplishing nothing.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
it costs X to send out physical mail, so X x number of mails sent has to be recouped.
If income from sales of Y promoted by the physical mailings does cover this value, then the company sending the mailings wins (by how much is another topic).
If it cost X to send an email and X = 0 and you can send millions then if one person responds and the spammer gets any amount greater than 0 then they have won.
ERR 411[Max number of witty sigs reached]
Terry Bowden, from CastleCops warned: My urgent recommendation. Remove the Blue Frog Application NOW. We have witnessed the destruction of Blue Security from a wave of different attacks. First the spam wave, second the DDOS wave. There is a strong reason to believe that the third wave takes control of the frog to launch both spam attacks and DDOS attacks. http://castlecops.com/modules.php?name=Forums&file=viewtopic&p=768501/
Below is today's spam report from our mail server. Now take a good look at the numbers and tell me something needs to be done. This is money out of the pocket of the company I work for. Filtering is NOT the solution. Vigilantism DOES work. Look at this incident. It sure got a rise out of them.
Back in the early days this is how we kept spam off the net. It wasn't until people got this attitude of being nice to the person robbing that things got so carried away.
Personally I am very sad to see them shut down.
This is your daily traffic report from the Barracuda Spam Firewall at XXX.XXX.XXX.XXX for 05/17/06.
Breakdown of traffic per hour:
Hour |Blocked | Blocked: Virus | Quarantined | Allowed: Tagged | Allowed | Total Received
Total | 10368 | 1 | 39 | 77 | 1419 | 11904
Yes take a good hard look at these numbers. The number of accepted or good mail stays about the same over the months but the number of blocked messages continues to grow on a DAILY basis. Over 10,000 pieces of spam to get less than 1,500 that the people wanted. What is wrong with the picture and you say you only get one a day.
Personally I hope someone with big enough balls picks up this idea and runs with it. Think about it, this is the FIRST time such a rise has come out of the spamming community. You see filters DON'T affect their business. They still get paid because the mail may have been filtered but it was delivered. They get paid for DELIVERED! mail. Yea come do my job for a bit if you think spam is not a problem.
Nah. He'd have found a way to get around that with accessibility measures and continue spamming. Most of it is no doubt highly automated.
== Jez ==
Do you miss Firefox? Try Pale Moon.
Go and sign the petition to bring back Blue Security and its fight against spammers:
http://www.petitiononline.com/bbbsp101/petition.html/
To: The former Blue Security group.
Dear Blue Security,
We, the computer users who will always see you as idols in the struggle against spam, wish that you would come back and continue to fight back against spammers by our sides.
If that is not possible, please help us create an open source version of Blue Frog so that we may create a distributed network of spam resistance founded on the principles you have set.
We understand that you were digitally attacked by a brainless tool with at least enough of an adolescent taste to take the handle "Pharmamaster" and matching stupidity to make a website in his name, and we sympathize. In fact, we respect you immensely for not deciding for us whether we would be your troops in a war against these rabid dogs who relish and profit in their own filth (spammers) and the tails that get wagged by them (black hats like "PharmaMaster").
Indeed, it is the mindfulness and benevolence you have shown that cements Blue Security's desirable place in digital history no matter what happens now.
Again though, we are coming to you requesting that you raise high the Blue Frog flag or make it possible to honor your legacy by creating an open source distributed network of spam resistance.
Sincerely,
The Undersigned
Imagine if everyone ran a tool like this on the spamvertized links...
http://slashdot.org/~piotru/journal/135829
Think of spamvertizer's costs. We don't need anyone to do it for us. Fight!
There are OS X botnets
The key is, if you run malicious software, the malicious software owns your computer. Period. There are ways to get around this, of course, but anything that has any sort of startup or auto-run format, and allows software to be installed on the system is not "internet ready"
The spammers' attack for such a system could be any of these:
Using a dedicated P2P network for this could make it an easier target, so it might be wise to use an existing P2P network, perhaps something like Gnutella. All that would be needed is for the trusted party to post a file named in a certain way every so often, and then the peers could search for and download this file, and then verify that it was signed by the right key. The trusted party could inject the file at any peer, so the only way to stop the file from being injected would be to take down the whole network.
Of course, the spammers could then poison the network with files that are named the same way and have the same file size. That could result in a lot of peers wasting their time downloading invalid files, but it wouldn't result in attacking the wrong targets. The solution to that would be a "fake system," that could automatically tell the P2P network which files have not been signed and are invalid, which would then be rated low by the system, and then not downloaded by any more peers. Such systems already exist on some networks, although I don't know how effective they are.
The spammers could also attack individual peers that have the files. After all, how do you tell a good peer from an undercover-spammer peer that's looking for peers that have the files? 20,000 zombies hitting 100,000 peers can still hurt. In fact, it could hurt *worse* than their attack on BlueSecurity, because it might be trivial for the bad guys to DDoS the peers that are participating in the anti-spam network, and then you have 100,000 individual people getting their ISP accounts shut off.
20,000 zombies all grinding away at the key in a SETI-like fashion would eventually crack it; perhaps they'd even get lucky and crack it sooner than expected. Then the spammer could quickly use the system to attack the wrong targets, getting lots of people in lots of trouble, and causing the system to be shut off ASAP. This would also destroy the reputation of the system and any future similar systems.
A solution to this would be to frequently change the key, by posting a message signed with the previously-valid key, containing the new key. However, any clients that missed this message, but continued to receive the attack instructions, could still end up hitting the wrong targets.
All software has bugs, and all network-aware software has security holes at some point. No matter how big, widely-used, inspected, trusted, and open-sourced, the security notices still get posted for things like Apache, the Linux kernel, etc. Any software used in such a system would have to be thoroughly audited on a regular basis, and thoroughly tested against attack by experienced people. Even then, people running such software would still take a risk of their systems attacking the wrong targets and getting themselves in trouble.
Despite all that, such a system might work quite well. There could be more than one trusted party doing what BlueSecurity did, and adding them to the system could be as simple as adding their key to the software's keyring. And using non-P2P bands for passing the instructions could make it even more resilient. I guess, in the end, no one has really seen a cyber war on the scale on which such a scenario could take place.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
I understand the reasons for the only-hit-spammers-that-spammed-you approach, but I dislike it. It's simply reverse extortion. "Stop spamming me and I'll stop spamming you. But you can keep spamming other people all you want; as long as you don't spam me, I won't spam you." If the spammers do opt-out all the blackfrogs, you've only reduced spam by 1% (if that much). Everyone else on the Net keeps getting spammed.
One should not have to become a blackfrog to get one's received spam to stop. Spam should stop because spam is wrong.
(We should really call it White Frog or Gray Frog, because these frogs are supposed to be the good guys; like white hat or gray hat vs. black hat.)
The message to the spammers should be, "Stop spamming, because it's wrong. And stop spamming everyone, not just those who take the time to complain." And the goal should be to eradicate all spam, not to merely stop oneself from receiving spam.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Each spammer's email server would autoreply to the 20 on the list which would then autoreply and so on. That was truly fun until they started to hijack other people's computers.
just Slashdot pharma master !
I had this idea several years ago, but I couldn't find a way to make it profitable or feasible. It has many weaknesses, but I wanted to be proactive, not reactive and this idea relies on spammers following the law, which we have seen many times before just isn't the case. In a perfect world that allowed spammers to punch you until you objected, and they have to remove you from their list when you fill out their form (or whatever).. here is my idea: "My" company collects opt-out urls, email addresses, and other schemes used by spammers to fulfill their obligation to provide you with a way to refuse future spam. This database is then shared with all its "members". Each member has a client that pre-emptively fills out the do-not-send mechanism as the database is updated. Essentially allowing its members to opt out BEFORE receiving the junk. The database, or database updates could be posted to Usenet, emailed, downloaded, or bit-torrented. There is no master email list that spammers could use to hard target members. The down-side is of course that by filling out an opt-out, you may be confirming your email address and opening up to more spam than before. (I don't know if it is illegal for spammers to take your confirmed opt-out email address and then sell that to other spammers.) Maybe, if I had a perfect list of all spammers though, and sent an opt out to every single one, they wouldn't be able to send me junk (legally) because I have already opted out from everyone's list and it wouldn't matter that everyone had my email address. Of course this scheme does nothing to prevent illegal spam. An additional feature could provide mechanisms to remember which sites have been filled out so that legal action can be placed against those who send disregarding the opt out action. Possibly sending automated emails to the fair trade commission so they can follow up on illegal spam (because we know they are short on leads).
http://www.prolexic.com/spam/spam-051706.php
-=[ place
http://wiki.okopipi.org/wiki/Main_Page
-=[ place
The point is NOT to build a DDoS machine (and that's not what BF was). That would be illegal, and I understand that everyone is pissed off about spam and so on, but if we want a solution that will really make a difference it MUST be totally above board so that major corporations, media, etc. can back it once it gains some momentum.
Blue Frog just facilitated the complaint process for an individual. One complaint per spam, sent FROM the individual that got the spam. We aren't building a DDoS army. If people aren't getting spam, their client won't be doing a damned thing. If they ARE getting spam, they don't need a central directing authority telling them where to complain (hint: it's in the email they just marked "spam"). They just need a helpful script telling their client how to complain, exactly. That's where the P2P network comes in.
Sorry for being severe about this, but every time someone makes a comment like "we'll DDoS them!" -- and of course there's much worse out there -- the coverage any eventual tool is going to get goes negative one notch, and our chances of coming up with a real solution that the general public will use (and understand to be legal and moral) go down.
I really can't believe that this is happening. I only found out about this situation today, after hearing about the attack earlier. The service provided by BlueSecurity was invaluable, and probably even more so to those users who are even less computer oriented than us IT people. I understand and respect the decisions of BlueSecurity and its CEO. However, I do not believe that BlueSecurity and the BlueFrog application should be allowed to shut down. All this has managed to do is show that if someone tries to stand in the way of spammers, then spammers are both justified and encouraged to attack them like criminals. Spam is an annoying blight on the Internet and BlueSecurity was one of the few groups out there that took an active stance against it. Now they are gone, thanks to a pathetic group of idiotic ingrates who piss people off as badly as stupid drivers. In the end, I think those of us who greatly appreciated the services of BlueSecurity should do something to keep the company alive. While I understand that they wanted to avert a potential "cyberwar" that only us users could condone, I personally feel that if those slug spammers wanted to risk a cyberwar, then we should at least let them feel that their loss is both deserving and painful. In the end, it is those of us who use the Internet, loathe spam, and appreciated and respected the services and goals of groups like BlueSecurity who have the power and responsibility to let the spammers know that they were wrong to attack these groups and that they are not welcome anymore. I would like to know if there is anyone out there who would like to support me in this quest, just to get an idea if it is possible to do so, or if pacifistic apathy really has begun to take root in too many places.