[ISN] Retaliation for Antispam Success?

From: InfoSec News (isn@private)
Date: Tue May 02 2006 - 23:39:10 PDT


By Joanna Glasner
May, 02, 2006 

An unusual spam war has erupted on the net, pitting an apparently
irate spammer against an Israeli antispam firm that claims it's making
junk e-mailers think twice about bugging its customers.

Blue Security's controversial method uses reverse spam, if you will,
returning massive quantities of opt-out messages to companies it
identifies as spammers.

Apparently the companies on the receiving end don't like it one bit.

In an escalation of hostilities this week, Blue Security customers
began receiving thousands of messages demanding that members either
drop the company's service or continue to receive an avalanche of
unwanted e-mails. In addition, U.S. internet users were unable to
access Blue Security's website Tuesday. The company said it is still
investigating the cause, which may have been a distributed denial of
service attack.

"We have devised a method to retrieve your address from their
database," one message states. "So by signing up and remaining a Blue
Security user not only are you opening yourself up for this, you are
also potentially verifying your e-mail address through them to even
more spammers."

Blue Security's founder and CEO, Eran Reshef, called the spammer's
allegations of a security hole a baseless scare tactic. Bulk
e-mailers, he said, want to stifle the spread of Blue Frog, a tool
that customers install on their computers that automatically floods
spammers with opt-out messages.

"The best way to combat this is to continue running the Blue Frog,"  
Reshef said.

The spammer's counteroffensive comes as Blue Security, a 2-year-old
firm based in Israel, claims to be making dramatic progress in
stopping spam.

Three weeks ago, Blue Security said, the world's top junk mailer,
responsible for about 9 percent of all spam, stopped sending messages
to inboxes of its half-million registered users. On Monday, the
company said, the second-largest spammer started contacting its
affiliates and advising them not to contact Blue Frog users.

Blue Security's controversial spam-fighting approach is modeled as a
sort of e-mail version of the Federal Communications Commission's
national Do Not Call registry. Through its "Do Not Intrude Registry,"  
users send automated messages opting out of future mailings from
spammers, a right spelled out in the Can-Spam Act.

Not everyone is sold on the concept.

Critics of Blue Security's methodology say that by maintaining a list
of people who don't want spam, the company makes users vulnerable to
the kind of attack that occurred this week.

"The bad guys will be able to figure out who's on the list, and
they'll be able to play games like this," said John Levine, a board
member of the Coalition Against Unsolicited Commercial Email. "It's
the obvious counterattack of an annoyed spammer."

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Wed May 03 2006 - 00:00:51 PDT