[ISN] Spam Slayer

From: InfoSec News (isn@private)
Date: Mon Jul 25 2005 - 22:40:33 PDT


http://pcworld.com/news/article/0,aid,121841,00.asp

Tom Spring
PC World
July 18, 2005

In a novel if potentially controversial effort to fight spam, a firm
called Blue Security this week begins distributing the beta of a free
program that, once installed on your PC, makes it part of a community
that works to cripple Web sites run by spammers.
"Most spam fighting tools that filter or block spam are never going to
stop spammers from sending more spam," says Eran Reshef, founder and
chief executive officer of Blue Security. He believes that fighting
back by "inducing loss" against spammers is the only way to eventually
stop spam.


Hit Them Where It Hurts

Here is how Blue Security's Blue Frog software and antispam initiative
works: When you sign up for a Blue Frog account, you install a piece
of software on your PC and get to submit up to three e-mail addresses
to Blue Security's Do-Not-Intrude Registry. The company then opens up
multiple e-mail accounts on your behalf--accounts you technically own,
but never use. Those e-mail accounts are managed by Blue Security and
are designed to attract spam.

Blue Frog analyzes the spam that goes into your Blue Frog e-mail
accounts (and those of other community members) and identifies
messages that are not compliant with the federal Controlling the
Assault of Non-Solicited Pornography and Marketing Act (known as
CAN-SPAM). These include unsolicited marketing messages that don't
provide an opt-out option or that have an invalid return address.

Blue Security says it will attempt to warn noncompliant spammers to
stop sending e-mail to the accounts it has set up for you, as well as
to the real e-mail addresses you provided during registration. If Blue
Security can't contact the spammer, or the spam doesn't stop, things
start getting nasty.

Blue Security follows the links inside the body of the spam message,
which typically lead to a site that wants to sell you prescription
medications, porn, a get-rich-quick scheme, or the like. It then
identifies the form fields at the spammer's site (where you're asked
to input credit card data, for example) and then uses the software you
installed to direct your PC to insert in those fields a request to
unsubscribe you from the site's mailing list. Also included in the
form fields is an invitation to spammers to download a Do-Not-Intrude
Registry compliance tool from Blue Security's Web site.

Now, the spammer wouldn't care if only one person did this. Even if a
thousand Blue Frog users followed suit, the spammer still might not
care. But Blue Frog's software causes all of its connected users to
submit the request/complaint simultaneously--and repeatedly--for a
period of time.

You would likely not notice these unsubscribe requests going out
because it all happens behind the scenes on your PC. Blue Security
says that each of its members' computers would likely be sending out
requests a few thousand times a day. In my test of the beta program
there was no perceptible impact on my computer usage or any slowing
down of my Internet browsing.

The influx of tens of thousands of requests exactly at the same time
floods the spammers' Web site, causing it to become inoperable. And
because spammers typically must pay for the bandwidth of traffic to
and from their sites, the massive flood of complaints means higher
bills to keep the sites running, Blue Security argues.


Fair Warning

Blue Security says that before it takes these drastic measures it will
do everything it can to contact the people who send out the spam and
those who run the Web sites those messages link to, asking them to
stop spamming its Do-Not-Intrude Registry members. If that doesn't
work, Blue Security will attempt to contact the Internet service
provider hosting the site and warn it of the impending flood of
requests.

To comply with Blue Security's demands in order to stop and/or prevent
the massive influx of requests, spammers must use the company's
compliance tool to remove your real e-mail address and your dummy Blue
e-mail accounts from their mailing lists. The Blue Security registry
list is encrypted, so spammers never see your addresses: The
compliance tool merely lets spammers check to make sure your real and
decoy e-mail addresses aren't on their mailing list. And because Blue
Security's registry list contains so many decoy e-mail addresses as
well as real ones, any spammer who used Blue Security's registry to
identify real e-mail addresses to spam would only be hit harder by
bounced e-mail.

This technique of flooding a Web site with information in order to
cripple it may be effective, but it's arguably very similar to a
distributed denial of service attack in which a hacker uses hundreds
of zombie computers to shut down Web sites. Launching a distributed
denial of service attack is illegal in the U.S. and in most European
countries.

Blue Security's Reshef bristles at the notion that his firm is
involved with any type of DDoS attack. "We aren't trying to shut down
any Web sites. We are just trying to slow these sites down so much the
spammers can't earn money," Reshef says. He adds that members of the
Blue Frog community have a right to complain about the spam they get.


Looking for a Lawsuit?

Reshef says he is going after the worst offenders, spammers who are
responsible for 90 percent of unwanted e-mail that isn't CAN-SPAM
compliant.

Blue Security warns that this method of fighting spam won't lessen the
flow of spam into your inbox in the short run. Over time, however,
spammers will be forced to stop e-mailing Do-Not-Intrude registrants
in order to remain in business. Once the registry hits a critical mass
in size, the company believes the threat of a shutdown will intimidate
spammers.

Blue Security's approach is not without precedent--but judging from
the precedent, the company might run into problems. In December 2004,
Lycos Europe pulled a controversial antispam screen saver from its
site after coming under fire from both security experts and the
spammers themselves.

Much like Blue Security, Lycos Europe offered to turn the tables on
spammers by overwhelming their Web sites with Web page requests
submitted by its "Make Love Not Spam" screen saver. The security
community argued that Lycos Europe was engaging in vigilantism and had
crossed a line by launching what were essentially DDoS attacks on
spammers' sites.

Some ISPs even blocked access to the Make Love Not Spam site,
supposedly because the screen saver generated a lot of unnecessary
traffic on their networks or violated their rules on DDoS attacks.  
Note that a DDoS attack can bring down an entire ISP--including
legitimate sites that happen to use the same hosting service as a
spammer's business.

Blue Security will definitely raise eyebrows in the security
community. But even if it survives legal scrutiny (or retaliation from
angry targets), the big question is whether Blue Security can recruit
enough consumers to join its army of serial complainers.


