Sunday, May 28, 2006

the merits of the blue security anti-spam approach

if you hire someone to send a million messages on your behalf, you better be prepared for a million responses...

that was the gist of blue security's blue frog anti-spam technology, and it's the approach that okopipi hopes to build upon... i posted about blue security going down for the count previously and i predicted that a group like okopipi would try and fill blue security's shoes (not through any sort of prescience, mind you, but rather just because it would have fit an established pattern of human behaviour), but it seems okopipi have stirred up a hornet's nest of controversy in the process...

let's look at the criticisms... the one with the most technical merit concerns the anti-spam registry that the blue security approach had... essentially it was a list of hashes of email addresses that the spammers could use to remove blue frog users from their spam lists... the fact that email addresses were hashed (a one-way transformation, so the hashes can't be turned back into addresses) prevented spammers from finding any new addresses directly from the registry, however it did allow them to identify which addresses in their own spam lists belonged to blue frog users and that allowed them to retaliate against those users... however there is no way to tell spammers which email addresses to remove without identifying those email addresses - the only alternative is to not offer the spammers any kind of remediation process at all and say "sucks to be you", which clearly would have had much worse chances of a productive outcome... a zero tolerance approach may be safer for the users, but it can't get their names removed from the spammers' lists - it's predicated on getting the spammers to give up their business entirely instead of simply adjusting their approach and i suspect that nobody is that persuasive...
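to make that trade-off concrete, here's an added illustration (my own, not blue security's code or registry format, and the addresses, the sha256 hash and the lowercasing normalization are all assumptions) of a hashed do-not-spam registry... the registry itself exposes no addresses, yet anyone who already holds an address list can hash their own entries and see exactly which ones are members - which is both what lets a cooperating spammer scrub their list and what lets a hostile one single out those users... the keyed variant at the end shows why you can't have one without the other: hide the hash behind a secret key and the spammer can no longer identify members, but they can no longer remove them either...

```python
import hashlib
import hmac

# constructed sample data for illustration only (not real users or real registry data)
MEMBERS = ["alice@example.com", "Bob@Example.org", "carol@example.net"]
SPAM_LIST = ["bob@example.org", "dave@example.com", "alice@example.com", "erin@example.org"]


def normalize(address: str) -> str:
    """canonicalise an address so 'Bob@Example.org' and 'bob@example.org' hash the same way"""
    return address.strip().lower()


def registry_hash(address: str) -> str:
    """unkeyed one-way hash (assumed construction): anyone holding an address can
    recompute it, nobody holding only the hash can recover the address from it"""
    return hashlib.sha256(normalize(address).encode("utf-8")).hexdigest()


def keyed_hash(address: str, key: bytes) -> str:
    """keyed variant (HMAC): only whoever holds the key can compute it"""
    return hmac.new(key, normalize(address).encode("utf-8"), "sha256").hexdigest()


def build_registry(members, hasher=registry_hash) -> set:
    """the published do-not-spam registry: a set of hashes, no plaintext addresses"""
    return {hasher(m) for m in members}


def scrub_spam_list(spam_list, registry, hasher=registry_hash):
    """what a cooperating spammer does with the registry: hash each address on
    their own list and drop the ones that appear... returns (keep, drop)...
    note that 'drop' is also the list of addresses now identified as members"""
    keep, drop = [], []
    for addr in spam_list:
        (drop if hasher(addr) in registry else keep).append(addr)
    return keep, drop


def registry_leaks_plaintext(registry, addresses) -> bool:
    """true if any of the given addresses appears literally in the registry contents"""
    blob = " ".join(registry)
    return any(normalize(a) in blob for a in addresses)


if __name__ == "__main__":
    reg = build_registry(MEMBERS)
    print("plaintext in registry:", registry_leaks_plaintext(reg, MEMBERS))
    keep, drop = scrub_spam_list(SPAM_LIST, reg)
    print("spammer keeps:", keep)
    print("spammer drops (and has thereby identified as members):", drop)

    # a keyed registry would block the identification, but it blocks the scrubbing too,
    # because the spammer can't compute the keyed hashes of their own addresses
    key = b"constructed-secret-key"
    keyed_reg = build_registry(MEMBERS, hasher=lambda a: keyed_hash(a, key))
    keep2, drop2 = scrub_spam_list(SPAM_LIST, keyed_reg)  # spammer lacks the key
    print("with a keyed registry the spammer can remove:", drop2)
```

run it and the unkeyed registry lets the spammer strip exactly the two member addresses from their list while learning exactly those two addresses are members; the keyed registry removes nothing, which is the "no remediation at all" outcome the post describes...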

another criticism is that the blue security approach could be used against innocent merchants... the idea was that if one sent out spam advertising a competitor, that competitor would then have to deal with a deluge of complaints they could do nothing about... this arose out of the more general concern about whether it's possible for blue frog to target the wrong site and what happens then... the thing is, blue frog could only send complaints to sites that blue security enabled it to and blue security took pains to confirm that those sites were appropriate places to lodge complaints... the process they followed can be reviewed here...

[edited to add this paragraph] still another criticism is that sites are hosted on hacked machines and just move around from one hacked machine to another... that kind of thing can be detected, however, since blue security contacted the isp as well as the merchant site... also, a fly-by-night operation wouldn't have gone unnoticed with an examination period exceeding 10 days... if the site was one that didn't stick around for at least a couple of days blue security would have had no reason to develop a script to send complaints to it...

there's also a criticism that sending opt-out requests to the merchant sites constituted a DDoS... this is a rather ridiculous thing to say - each person who receives a spam has a right to complain about it, and since the spammer was merely acting as an agent of the merchant when s/he sent out the spam (and since the spammers go to great lengths to not be reachable themselves) the merchant is the appropriate entity to address one's complaints to... at most one opt-out would be sent per spam the blue frog user received and each opt-out was a response to an incoming spam message... while that may result in service disruptions for the merchant, it's no different than if each spam recipient manually went to the merchant's site and complained (and let's face it, the spam invites each recipient to visit the merchant's site)... the blue frog client automated the process of filing a complaint initiated by the user, nothing more...

an even more outlandish claim is that the blue frog clients installed on user machines constituted a botnet... a botnet is ultimately controlled by a central controller, a bot master... the blue frog clients were operated by the blue frog users themselves, not blue security - blue security just sent out updates to those clients (which included instructions on how to send the complaints but not instructions to actually send them)... these kinds of claims by so-called security experts are pure FUD... those spreading the FUD appear to be parroting the opinions of others and simply claim there is universal agreement rather than actually backing up their claims - that kind of argumentation is fallacious and hopefully more people will be able to see that now...

blue security's approach was designed in such a way that the easiest way to resolve the problem was to remove the specified addresses from their spam lists (and they had safeguards in place to prevent their system from being abused to hurt legitimate merchants) - unfortunately, while we as humans often take the easiest way out, sometimes we don't, and that manifested itself in this case in a significant DDoS attack against blue security (bringing down their website and service) and its users (sending them orders of magnitude more junk mail than usual)... some spammers didn't like being told what to do and had the means to retaliate and now blue security is no more... okopipi hopes to develop a similar system but one that is less prone to attack (though nothing is invulnerable)... i hope they employ equivalent safeguards against abuse and if so, more power to them...