Blue Frog Anti-Spam Initiative, Part III: Questionable Legality
Bringing Spammers to Their Knees
Tom Spring, PC World
Monday, July 18, 2005
[Full story]
In addition to its apparent problems (see previous post), this initiative has some aspects that may be illegal:
*Distributed Denial of Service Attack
The influx of tens of thousands of requests exactly at the same time floods the spammers' Web site, causing it to become inoperable.
In spite of what Mr. Reshef says, this description sounds very similar to a DDoS attack, even if he doesn't use the phrase. That's like a spammer calling herself a "high-volume email marketer." The result is the same: many computers accessing one site at the same time in order to disrupt its service. A spammer could potentially bring all the users who hit her into a huge lawsuit for this illegal action.
This technique of flooding a Web site with information in order to cripple it may be effective, but it's arguably very similar to a distributed denial of service attack in which a hacker uses hundreds of zombie computers to shut down Web sites. Launching a distributed denial of service attack is illegal in the U.S. and in most European countries.
Blue Security's Reshef bristles at the notion that his firm is involved with any type of DDoS attack. "We aren't trying to shut down any Web sites."...
Once the registry hits a critical mass in size, the company believes the threat of a shutdown will intimidate spammers.
*Most users not spammed
Blue Frog's software causes all of its connected users to submit the request/complaint simultaneously--and repeatedly--for a period of time.
Messages identified as spam are automatically forwarded... to all Blue Community members.... This forwarding technique allows each Community member to complain about all the spam messages received by any e-mail account listed in the Do Not Intrude Registry.... [1, p. 5]
[I]f the Community receives 20,000 messages advertising a certain site, and there are 300,000 Community members, the number of spam messages (and complaints) will amount to 20,000 x 300,000, or 6 billion complaints. [2, p. 7]
You can't complain if you didn't personally receive an unwanted message. This is an unethical technique that multiplies the attack on the spammer by sending complaints from people who never received the spam in question. Every Blue Frog member who didn't actually receive a given message from a spammer, yet complains about it anyway, becomes a spammer themselves.
Overall, I see Blue Frog as a spam-prevention idea with some good potential, but one that uses methods that are as unethical as, if not more so than, those of the spammer being attacked. Its current problems make it potentially harmful to the company and its users in spite of their good intentions.
Reference:
[1] BlueSecurity - Active Deterrence Technology (PDF)
~~~
UPDATE - July 21, 2005:
In a blog entry [June 20, 2005], Blue Security representatives responded to the issues I mentioned above. Apparently the company has decided to drop its technique of forwarding every spam and multiplying the reply rate. They also said that the responses are staggered to minimize the possibility of a DDoS attack from Blue Frog's network. These are favorable developments, but I'm still very wary of the concept.