Just when you thought the spam problem couldn’t get any worse, comes the news that spammers are fighting back against the pro-active anti-spam community approach using tit-for-tat Denial of Service attacks and intimidation.
The Blue Frog anti-spam approach is a relatively simple one of ‘hit them where it hurts’ and for the spammer that’s in the wallet. How the hitting is done is the controversial bit. Instead of the spammer, Blue Security targets the companies whose products are being marketed. It works like this: you add your email address to an encrypted Do Not Include Registry database, you report all spam you receive through the Blue Frog system, once confirmed as spam by Blue staff a complaint (one per spam) is posted at the website of the company whose product is being advertised asking them to stop spamming the Blue Community. Blue claim the ethical high ground by saying that it’s a strict one complaint per spam. However, these complaints may be posted via the shopping cart or customer services route online, anywhere that works. With a community of half a million the complaint volume can be enormous, and that starts to look suspiciously like a Denial of Service attack, or anti-spam vigilantism. To stop the complaints all the company has to do is get their spam agent to scrub their spam list using the Blue compliance tools which remove any addresses held in the Do Not Include Registry. Blue claim to have had great success already, with the most prolific junk mail company that accounts for nearly 10% of global spam already having removed the 500,000 Blue Community addresses from its lists.
So what went wrong? The short answer is everything, and all at once, in the figure of Blue Frog nemesis and prolific spammer ‘PharmaMaster’. Following warnings to Blue Security that their approach would not be tolerated, a double pronged attack emerged during the course of this week. Firstly many Blue Frog users received threatening emails warning them that “You signed up because you were expecting to receive a lesser amount of spam, unfortunately due to the tactics used by Blue Security you will end up receiving this message, or other nonsensical spams 20 to 40 times more than you would normally. We have devised a method to retrieve your address from their database. So by signing up and remaining a Blue Security user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers." The threat is finished off with the promise that they will check the Do Not Include Registry every 48 hours and remove addresses no longer on it from the list of people to receive the additional spam payload. Secondly, the Blue Security site itself has been subject to a Denial of Service attack that has made it inaccessible to users for most of this week.
Eran Reshef, CEO of Blue Security, last night told me that “6 out of the top 10 spammers worldwide have stopped sending spam to the Blue community. PharmaMaster is determined to prevent this change in the spam economy. The attacks started with a strike on the Internet backbone itself, causing the Blue Web site to become inaccessible to visitors outside Israel, while remaining available for Israeli visitors. How exactly this attack was carried out is still unresolved, but what is clear is that PharmaMaster boasted that it was he who was able to make a top-tier ISP's staff member block Blue Security's former IP address at the backbone routers. 30 minutes after Blue closed its Israeli site and posted a note on its blog site, PharmaMaster ordered a massive DDoS attack against any site associated with Blue. This attack caused five top-tier hosting providers in the U.S. and Canada, a major DNS provider and a popular blog site to go down for several hours." Reshef claims that PharmaMaster told Blue Security in an ICQ session that "Blue found the right solution to stop spam, and I can't let this continue" and that if he can’t send spam “there will be no Internet".
It is probably best to clear one thing up right away, the Do Not Include Registry list itself wasn’t compromised in the way that many of the news reports seem to suggest. The encryption wasn’t broken; all 500,000 email addresses were not extracted. Indeed, there are many Blue Frog users who have not received any of the spam threats during this attack. This is not to say that an important flaw in the Blue Frog system hasn’t been identified, it has. What the attacker did was to run his own spam list through the same encryption algorithm as used by Blue Frog, effectively scrubbing his own list of addresses contained within the Do Not Include Registry against the Blue compliance tools. Have you spotted the problem yet? Yep, by doing a before and after comparison it’s possible to see which addresses were removed and ipso facto which have signed up with Blue Frog. Well, sort of. Actually, it’s possible to see which of the addresses that the spammer already has are also on the Blue Frog list. If you weren’t in that spam database to start with your details remain hidden. If you were, you would have got the threatening emails.
Well known to those who keep an eye on such things, PharmaMaster is one of the most prolific of ‘illegal spammers’ active today. Which makes the attack all the more worrying not only for Blue Frog users whose names number amongst the half a million on the Do Not Include Registry, but for the law abiding Internet using community as a whole. In effect, they, we, you are being held hostage by the spamming industry. Take a pro-active approach to the problem and they will send you more spam, do nothing and they will send you more spam. Is global legislature really so impotent in the face of such a threat to our communications infrastructure that you are effectively spammed if you do, spammed if you don’t? One thing is for sure, it will be interesting to see if the Blue Frog can bounce back from this, or whether it’s the end of the toad for another anti-spam innovation…