Blue Security gives up, but others carry on the anti-spam fight
Fri, May 19 2006
A couple of weeks ago I wrote about the efforts of Blue Security to rid the world of spam by providing a simple mechanism called Blue Frog for users to send "unsubscribe" messages back to spammers. You probably remember that the purpose of the unsubscribe messages was not to have the spammers actually honour the request (they don't!) but to flood them with so many requests that sending out spam causes an immediate backlash that takes them off the air:
Spam recipients fight back
Well, it worked for a while. The group was successful in forcing spammers responsible for more than 25% of the world's spam to comply with a "Do Not Disturb" list, but then on Wednesday the group announced the disappointing news that they were shutting down their operations as a result of the incredible backlash from spammers. When the major spammers realised that the success of Blue Frog would mean the end of spam for good, some quietly backed down but a couple escalated the battle with direct threats, intimidation and extortion attempts against users and companies associated with Blue Security. The nearly 2 million websites knocked off the air a couple of weeks ago was just the start, and the violence of the reaction from a couple of the major Russian spammers shows just how serious and credible a threat Blue Frog was to spamming.
When Blue Security started the Blue Frog anti-spam campaign they willingly put themselves on the line, knowing that spammers would try to take them out with any means at their disposal - right up to and including physical violence. Attempting to stop the lucrative criminal operations of very rich and totally unscrupulous people is not good for your life expectancy!
What they didn't count on was the spammers going after everyone associated with them as well.
In the end Blue Security didn't feel they could morally continue the fight when it was other businesses and individuals that were taking the brunt of the counterattacks. In a statement on Wednesday the Blue Security team said they "cannot take the responsibility for an ever-escalating cyber war through our continued operations".
And so they shut down the servers running the Blue Frog system.
But all is not lost. Even if they could not carry on the fight personally, Blue Security did us all the huge service of proving that the Blue Frog concept is a feasible approach to preventing spam permanently. It also showed up a couple of technical problems with the approach: the centralised Blue Frog management servers themselves were a prime target for spammer counterattack, as were the DNS servers hosting the Blue Security domains.
Over the last 24 hours hundreds of programmers, system administrators, and Internet users have banded together to build decentralised Open Source projects to take the fight to the next level. Two projects in particular, "Black Frog" and "Okopipi" (named after a rare South American blue poison frog!) have started putting concrete plans in place to build systems that emulate the Blue Frog functionality but without the weaknesses seen in the original system: no central servers, all communications encrypted, no single domain name to attack, and all nodes acting as "peers" in a similar manner to the various file-sharing networks. It's quite likely that the two projects will merge and possibly build on the original Blue Frog source code rather than start from scratch. Things are changing by the hour so all we can do is wait and see, but for now I'll leave you with a quote from the original announcement of the Okopipi project:
"Blue Frog was a great idea. They showed us that we can bring pain to the spammers. But they could not keep up the pressure. They weren't ready for war. We are!"
Blue Frog is dead. Long live Blue Frog.