Spam recipients fight back
Fri, May 5 2006
Over the last week the net has been rocked by a tale that sounds so much like a B-grade soap opera that it's hard to believe it's all true.
I've written about the spam problem many times in the past, and in particular the concept of killing off spam by making it uneconomical. The problem is that previously proposed economic approaches such as the concept of a very cheap "sender fee" on email are extremely hard to implement universally and cause collateral damage in the form of added cost for responsible net users as well as spammers. For a quick memory-refresher have a look at this piece from February:
Would you pay a postage fee to send email?
But a small Israeli group called Blue Security have devised a scheme designed to make spamming uneconomical without impacting responsible users.
Blue Security's service could well be the most significant development in the entire history of spam prevention. It's a scheme that sounds so crazy that at first you wouldn't believe it can possibly work. But work it has, and better than just about anyone could have predicted. The violence of the reaction from the spam industry over the last week has been stunning, with large-scale distributed denial-of-service (DDoS) attacks against Blue Security's servers and simultaneous "Joe Job" smear campaigns to intimidate users into abandoning the service. At the same time there has been a flurry of innuendo and argument amongst the spammers themselves, with six of the ten largest spammers in the world agreeing to comply with Blue Security's terms and the other four taking the opposite stance and fighting tooth and nail to try to kill off the company as fast as possible.
The threats and rhetoric have been flying thick and fast, and Netcraft reports that 1.8 million bloggers were caught in the crossfire on Tuesday when a denial-of-service attack took down the entire LiveJournal hosting network in an attempt by spammers to silence a Blue Security blog. As a result, the fight has been thrust into the public eye, and what was merely a significant development has turned into a seismic event, with millions of internet users suddenly becoming aware of the work Blue Security is doing. The spammers' efforts to kill the group have totally backfired and given Blue Security far more publicity than they could ever have achieved on their own.
Blue Security's system works by allowing users to submit their email address to a "Do Not Intrude" list, similar to a telemarketing "Do Not Call" list. Spammers are then given the option of pre-filtering their delivery lists to remove all of Blue Security's subscribers, saving those subscribers from receiving any spam from spammers who comply with the list.
At first glance that seems insane: after all, why should spammers comply with the list? Doesn't this just give them a handy list of known-good addresses to send even more spam to?
But that's not where it ends. Blue Security subscribers each download a piece of software called a "Frog" which runs on their computer and provides automated reporting of any spam delivered to them. Each time a piece of spam is reported, the Frog sends an "unsubscribe" request back to the original spammer. Of course, spammers never have any intention of honouring unsubscribe requests; generally all they do is confirm that your address is real so they can send you even more spam. But the whole point of the Blue Security system is that it makes it so trivial to send an unsubscribe request for every piece of spam you receive that the spammers are inundated with a flood of responses, swamping their systems and effectively turning their own spam against them. Every time they send out a flood of spam they have a flood thrown straight back at them.
There have been many proposals in the past to take the fight to the spammers with large-scale denial-of-service attacks against the spammers themselves, but the major problem has always been that this means using illegal tactics - stooping to the spammers' level, in effect. The beauty of the Blue Security approach is that each individual user is doing one very simple and perfectly legal thing: responding just once and requesting they be unsubscribed from the spammer's list. The users aren't doing anything wrong individually. In fact they're doing exactly what the spammers say they should do, giving spammers absolutely no legal recourse to stop them.
But collectively the effect is devastating. It may even have a big enough impact that spam will virtually become a thing of the past.
And that's something we can all look forward to.