
TELECOM Digest     Thu, 21 Jul 2005 20:21:00 EDT    Volume 24 : Issue 334

Inside This Issue:                             Editor: Patrick A. Townson

    A Do-Not-Spam Registry That Might Work (Kevin Murphy)
    Blue Plans to Overload Spam Web Sites (Gregg Keizer)
    Phishers Get Personal (Joris Evers)
    Ethics of Deterrence (Eran Reshef)
    Join us in Fighting Spam at http://www.bluesecurity.com (Eran Reshef)
    Re: Spam Fighting Technique Fought by Some Netizens (jmeissen)

Telecom and VOIP (Voice over Internet Protocol) Digest for the
Internet.  All contents here are copyrighted by Patrick Townson and
the individual writers/correspondents. Articles may be used in other
journals or newsgroups, provided the writer's name and the Digest are
included in the fair use quote.  By using -any name or email address-
included herein for -any- reason other than responding to an article
herein, you agree to pay a hundred dollars to the recipients of the
email.

               ===========================

Addresses herein are not to be added to any mailing list, nor to be
sold or given away without explicit written consent.  Chain letters,
viruses, porn, spam, and miscellaneous junk are definitely unwelcome.

We must fight spam for the same reason we fight crime: not because we
are naive enough to believe that we will ever stamp it out, but because
we do not want the kind of world that results when no one stands
against crime.   Geoffrey Welsh

               ===========================

See the bottom of this issue for subscription and archive details
and the name of our lawyer; other stuff of interest.  

----------------------------------------------------------------------

From: Kevin Murphy <murphy@telecom-digest.org> 
Subject: A Do-Not-Spam Registry That Might Work
Date: Thu, 21 Jul 2005 14:43:41 -0500


By Kevin Murphy

Blue Security Inc has come up with a novel twist on the do-not-call
registry to fight spam that seems to address many of the problems
inherent to previous attempts.

The company will today launch its Do Not Intrude registry, which
marries the ideas of spam honeypot accounts and automated complaint
software that could create denial-of-service effects on spamvertised
web sites.

Blue chief executive Eran Reshef told ComputerWire that the system is
ethical, hard for spammers to evade, and does not allow spammers to
farm the list for email addresses, which has been the major drawback
of previous notional do-not-spam registries.

When users sign up for the new service, their genuine email address is
added to a list. Blue also creates a phony honeypot address for them,
which is published somewhere on the web where spammers can find
it. This address is added to the same list.

Users install some software called Blue Frog on their computers.
Whenever their honeypot account receives a spam email, Blue Frog sends
a single complaint to the web site being advertised in the spam.

The idea is that spamvertised sites will be hit by so many complaints
that they will be unable to transact their regular business,
compelling them to download the Do Not Intrude registry and remove the
listed addresses from their mailing list.

The idea of a do-not-spam registry has been touted in the past. The US
CAN-SPAM Act instructed the Federal Trade Commission to explore the
idea, and the FTC concluded that it "would be a waste of time, and
worse, would probably be a 'do spam' registry".

Blue plans to avoid this problem by only making encrypted addresses
available to the spammers, so they can never farm addresses that they
are not already aware of from the list, according to Reshef.

When a spammer decides to honor the registry, they download some
software and a list of hashed addresses. This software runs the same
hash operation on the spammer's own mailing list, and cleans it of
addresses that are on the Do Not Intrude registry.

Reshef, without going into details about how the honeypot accounts are
created and publicized, said that it would be "very hard" for the
spammers to distinguish between the genuine addresses on the list and
the honeypots.
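To make the hashed-registry step above concrete, here is an added example
(it is not Blue Security's code, and the article gives no details of the
real tool): a registry publishes only digests of real and honeypot
addresses mixed together, and the sender-side scrubber hashes its own list
and drops the matches. The hash (SHA-256) and the normalisation rule are
assumptions; the addresses and mailing list are constructed sample data.

```python
"""
Added example, not Blue Security's code: a minimal model of a hashed
do-not-spam registry and the list-scrubbing step a compliant sender runs.
Assumptions: SHA-256 as the digest, lower-cased/trimmed addresses as the
canonical form. All addresses below are constructed sample data.
"""
import hashlib


def normalize(addr):
    # Registry and sender must agree on normalisation, otherwise
    # "Alice@Example.COM" never matches "alice@example.com".
    return addr.strip().lower()


def registry_digest(addr):
    return hashlib.sha256(normalize(addr).encode()).hexdigest()


def build_registry(real_addresses, honeypot_addresses):
    """Publish only digests. Real and honeypot entries are mixed into one
    set, so a holder of the list cannot tell which is which."""
    return {registry_digest(a) for a in (*real_addresses, *honeypot_addresses)}


def scrub_mailing_list(mailing_list, registry):
    """Sender-side tool: hash each address it already holds and drop the
    ones present in the registry. It learns nothing about registry
    addresses it does not already have."""
    kept, removed = [], []
    for a in mailing_list:
        (removed if registry_digest(a) in registry else kept).append(a)
    return kept, removed


def count_oracle_hits(candidates, registry):
    """The residual leak a practitioner should note: a hashed registry is
    an offline membership oracle. Anyone can test guessed addresses, so
    guessable ones (info@, sales@ at a known domain) are not protected
    by hashing alone."""
    return sum(registry_digest(c) in registry for c in candidates)


# Constructed sample data (not real registrants).
REAL = ["alice@example.com", "bob@example.org"]
HONEYPOTS = ["ff31a9@example.net"]
REGISTRY = build_registry(REAL, HONEYPOTS)
SPAMMER_LIST = ["Alice@Example.COM", "carol@example.com",
                "ff31a9@example.net", "dave@example.org"]

if __name__ == "__main__":
    kept, removed = scrub_mailing_list(SPAMMER_LIST, REGISTRY)
    print("kept:   ", kept)
    print("removed:", removed)
    print("guessable hits:",
          count_oracle_hits(["info@example.com", "alice@example.com"], REGISTRY))
```

The scrubber removes both the registered user and the honeypot without
being able to distinguish them, which is the property Reshef describes.
The oracle function shows the caveat: the list only hides addresses the
holder cannot guess, so it defends against farming, not against testing.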

But why would spammers sign up for the registry in the first place?
Because Blue Frog users, if there are enough of them, could cripple
the spamvertised sites with their automated complaints.

The software does not send an email complaint. Rather, it
automatically visits the spam web site and fills out any HTML form it
finds with a complaint along the lines of "Your site was advertised in
spam" with a link to the Blue Security site.

"The only thing that works in most spamvertised web sites is the bit
where you enter your contact or credit card details," Reshef said.

Each user complains once for each spam they get.  Collectively, that
could amount to a distributed denial-of-service effect on the
offending web site, but Reshef said he believes the system to be
ethical.

"It's not a DDoS, people are exercising their right to complain about
spam they get," he said. "We're not trying to do anything illegal or
unethical. We're only doing ethical things, but we are being active."

In theory, this kind of system, if it were fully automated, could be
used to execute a "joe job" attack on an innocent party.  By
spamvertising a legitimate site, the software would complain and cause
the DDoS effect.

But Reshef said this is avoided by the fact that Blue Security's
researchers are manually blacklisting and whitelisting sites, based on
their knowledge of what sites are currently in use by certain groups
of known spammers.

Currently, Blue is tracking 65 spam groups that Reshef estimates are
responsible for 90% of the spam received. The manual review element
means it would not be possible to joe-job, say, google.com, he
claimed.

Blue Security, which is backed by $3m of venture capital financing
from Benchmark Capital, has its corporate headquarters in Menlo Park,
California and its R&D lab in Herzliya Pituach on Israel's Silicon
Coast.

The company plans to give the software and service away for free to
consumers. After the public beta, launched today at 
http://www.bluesecurity.com, the company will start to offer it to
enterprise users for a fee.

NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.

*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S.  Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Blue Security. 

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

------------------------------

From: Gregg Keizer <keizer@techwebnews.com>
Subject: Blue Security Plans to Overload Spammer Web Sites 
Date: Thu, 21 Jul 2005 14:53:12 -0500


Blue Security plans to overwhelm spammers with complaints and
unsubscribe requests.

The company's intention is to take the fight to spammers by enlisting
end users to create what's called a Do-Not-Intrude registry whose
purpose is to make it too painful for junk mailers to operate.

"If a spammer sends you spam, you have a right to complain," said Eran
Reshef, the chief executive of Menlo Park, Calif.-based Blue Security.
"If they send you one spam, you complain one time. If they send you a
thousand spams, you can complain a thousand times, but I know that is
not considered politically correct by a few of the more vocal netizens."

It's the volume on which spam operates and Blue Security's plan
hinges.

Starting Monday, users can download Blue Security's Blue Frog client
and sign up with the Do-Not-Intrude registry. Once the software's
installed, users can register up to three e-mail addresses to monitor
for spam. Blue Security, however, watches not only those addresses but
also up to a dozen accounts it sets up that act as additional
"honeypots," or accounts designed to attract spam.

Blue Security analyzes the messages it receives from the users'
accounts (as well as all others who sign up), then follows the links
inside the spam to (hopefully) the originating site where, for
instance, products or services pitched by the junk mail are
sold. There, forms are identified that accept text -- an order form,
perhaps, or a customer service form -- and its fields are
automatically filled with a message demanding that the e-mail
account's address be removed from the spammer's list.

"I kindly ask that you cease sending me or other registered users
spam," the message reads.

The idea, said Reshef, is to punish the spammer for his actions.
Although the scheme doesn't generate mail to the spammer -- spam for
spam, so to speak -- the volume of Web traffic should be enough to
cripple the spammer's Web site.

"The sheer amount of complaints going to the spammer's site is going
to make it hard [for that site] to do anything else," said Reshef.

Spam is analyzed by Blue Security staff, said Reshef, who investigate
the spam, verify that it violates the federal CAN-SPAM Act, trace the
message to a Web site, and pinpoint a form on the site that can be
used to complain. The Blue Frog handles everything else for the
end-user.

The opt-out complaints are synchronized, so that all users whose
accounts are monitored file simultaneously.

Although Reshef repeatedly said that the practice was not illegal, the
end result is very close to a denial-of-service attack, in which a
collection of computers simultaneously try to access a Web server with
the intention of bringing it down under the sheer volume of traffic.

Reshef aggressively defended the concept and rejected the idea that it
was a DoS in disguise. "We have a right to complain," he said. "The
spammers have the right to send us spam, and we can't say anything? No,
that's not right.

"We're not creating any harm. We're not trying to shut down any Web
sites. But we have the right to complain, one for one," he added.

Other fight-back tactics against spammers have failed in the
past. Last year, Lycos Europe rolled out a screensaver that conducted
DoS attacks against known spammers. Within days, however, Lycos
buckled under pressure from security groups -- which called it
vigilantism -- and ISPs, who worried that attacks originating from
their members would make them liable to legal action on the part of
spammers.

"Our effort is completely different from what Lycos did," said
Reshef. "Lycos used a hit list of spammers. We're only responding to
actual spam. And each user is responding only to the spam he or she
received."

Some may see it as a difference in semantics. But Reshef sees it as
effective.

"We've already seen it work," he said. "The spammers don't like what
we're doing, and some of them during our tests tried to modify their
site on the fly to keep out complaints." Two other sites that he
declined to name, he said, have agreed to stop sending spam to the
real and honeypot accounts.

"We need a critical mass of users for this to work," Reshef
acknowledged. "If enough people abandon the idea of passively
filtering spam and realize that unrelenting action is required, we can
together stand up for our online rights."

Once it's built up a sufficient community of users to ding spammers'
Web sites, Blue Security plans to offer the service to enterprises for
a fee.

The Blue Frog client can be downloaded free of charge from the Blue
Security Web site. http://www.bluesecurity.com


Copyright 2005 CMP Media LLC.

NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.

*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S.  Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, CMP Media LLC. 

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

------------------------------

From: Joris Evers <newswire@telecom-digest.org>
Subject: Phishers Get Personal
Date: Thu, 21 Jul 2005 14:51:20 -0500


http://www.news.com/

By Joris Evers
http://news.com.com/Phishers+get+personal/2100-7349_3-5720672.html

Spammers and phishers are learning more about potential victims to
better hone their attacks.  Web sites that use e-mail addresses as
identifiers for password reminders and registration are open to
exploitation by scammers to generate detailed profiles of people,
security company Blue Security said this week in a research
report.

In the technique described in the report, spammers and phishers
automatically run thousands of e-mail addresses through Web site
registration and password-reminder tools. Because many online
businesses return a specific message when an e-mail address is
registered with the site, attackers can find out whether that address
represents a valid customer.

Using information gathered from a number of sites, they can tailor
malicious e-mail to the recipient. That makes it more difficult for
Internet users to distinguish real messages from those that are junk
or part of a cyberscam.  Also, customized messages are less likely to
be caught by spam filters, experts said.

"Phishing attacks fairly recently have started getting more
personalized and targeted," said Dave Jevans, chairman of the
Anti-Phishing Working Group.  Such fraud-related messages now include
the recipient's name or e-mail address, or have even more information
about the receiver, Jevans said.

Phishing is a prevalent type of online fraud that attempts to steal
sensitive information such as user names, passwords and credit card
numbers.  The thieves then sell the information or use it to commit
identity theft.  The schemes typically combine spam e-mail and
fraudulent Web pages that look like legitimate sites.

Scammers usually have lists of e-mail addresses, either invented,
bought or collected online using harvesting tools.

The trick in the registration or password reminder attack is in the
response. Many online businesses return a specific message -- such as
"This address is already subscribed" -- when an e-mail address is
registered with the site. If an attacker gets that response, they know
that address represents a valid customer.

How does profiling work?

This example illustrates how cybervillains could build up profiles of
potential victims, to better target their scams.

  .. An attacker obtains a list of e-mail addresses. The scammer can
buy a list, collect addresses from the Internet using harvesting
tools, make up e-mail addresses, or use other means.

  .. A script is written to automatically run the e-mail addresses
against the registration and password-reminder features of Web sites.

  .. Responses let the attacker know if an address is registered with the
site. The data is used to compile profiles.

  .. Profiles are used to target spam and phishing e-mails.

Source: Blue Security

By matching e-mail addresses with Web sites, cybercriminals can
uncover the gender, sexual preference, political orientation,
geographic location, hobbies and the online stores that have been used
by the person behind an e-mail address, Blue Security CEO Eran Reshef
said.

"Imagine that somebody knows all the Web sites you ever registered
with, and think about what one can infer from that," Reshef said. "By
aggregating all this information you create a very detailed profile of
the person, not just snippets of information."

As a result, attacks could have a higher success rate, because the
e-mail presents unsuspecting recipients with accurate information in a
message that looks like legitimate correspondence. For example, an
e-mail purporting to come from a bank or credit card company could
name the recipient and refer to an online store that the recipient
actually uses.

Blue Security has found that a majority of the most popular U.S. Web
sites allow "hostile profiling" by phishers and spammers.
Additionally, many smaller Web sites, including online stores, sports
teams' Web sites, political organizations and other groups are
vulnerable, Reshef said.

However, hostile profiling does not seem to have become widespread
yet, according to Blue Security's research.

Some Web site operators -- major banks, for example -- appear to be
aware of the problem, Reshef said. These sites don't let people
register with their e-mail addresses as their login name, he
said. They also require additional information for registration or
password reminders, or use other security measures.

eBay is
one online business that does not allow registration and password
reminder attacks. The auction Web site stopped using e-mail addresses
as user IDs before phishing became an issue, and it has taken other
protective measures in its registration and password-reminder process,
said Scott Shipman, senior counsel for eBay's global privacy practice.

"It is all designed to prevent the unauthorized disclosure of
information, be it the simplest piece of information, such as whether
or not that e-mail address or user id is actually a valid user ID on
the site," Shipman said.

In eBay's case, the reminder feature for user IDs gives the same
response, regardless of whether the e-mail address is registered with
the site. "The language of the error message will not tell you whether
or not it was a valid account," Shipman said.

What will foil the attacks?

Attacks work only if sites generate a different response depending on
whether an e-mail address is registered with the site or not.

   .. A registration feature can only be exploited if the Web site
uses e-mail addresses to register users and does not require a
hard-to-fake personal detail, such as a credit card number. Other
security features, such as requiring a new registrant to solve a
graphical challenge, will also prevent an attack.

  .. A reminder feature can only be exploited if it does not require
personal information in addition to an e-mail address. A graphical
challenge also counters an attack.  Designing a Web site to not leak
information about users is what all site operators should do, the eBay
executive added. "It is an example of a type of practice that is a
best practice," he said.
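The profiling procedure above and the two countermeasures come down to
one property: the registration or reminder endpoint must answer
identically whether or not the address is on file. The following is an
added example, not Blue Security's research code nor eBay's
implementation. It models a leaky password-reminder handler beside a
uniform-response one and runs the enumeration script a profiler would
use against both; the user store, candidate list, messages and function
names are all constructed for illustration. The same shape applies to a
registration form that answers "already subscribed".

```python
"""
Added example (not Blue Security's or eBay's code): account-enumeration
oracle in a password-reminder feature, and the uniform-response fix.
Everything here (user store, candidate addresses, messages) is constructed.
"""

# Constructed user store standing in for the site's registered accounts.
USERS = {"alice@example.com", "bob@example.org"}

# Constructed list a profiler feeds through the form, e.g. a bought list.
CANDIDATES = ["alice@example.com", "carol@example.com",
              "bob@example.org", "dave@example.org"]

MAIL_QUEUE = []


def queue_reminder_mail(email):
    # Stand-in for handing the reminder to an outbound mail queue.
    MAIL_QUEUE.append(email)


def reminder_leaky(email):
    """Vulnerable pattern from the article: status and wording differ
    depending on whether the address is registered, so the response is
    a membership oracle."""
    if email in USERS:
        queue_reminder_mail(email)
        return 200, "A password reminder has been sent to your address."
    return 404, "We have no account registered under that address."


def reminder_uniform(email):
    """Hardened pattern (what the eBay quote describes): same status and
    same body for every input. A reminder is still queued for real users,
    but the caller cannot observe that from the HTTP response."""
    if email in USERS:
        queue_reminder_mail(email)
    return 200, "If that address is registered, a reminder has been sent."


def enumerate_registered(handler, candidates):
    """Profiler's script: take the response for an address that certainly
    does not exist as the baseline, then flag every candidate whose
    response differs from it."""
    baseline = handler("definitely-not-a-user@example.invalid")
    return [c for c in candidates if handler(c) != baseline]


if __name__ == "__main__":
    print("leaky  :", enumerate_registered(reminder_leaky, CANDIDATES))
    print("uniform:", enumerate_registered(reminder_uniform, CANDIDATES))
```

Against the leaky handler the script recovers exactly the registered
addresses; against the uniform one it recovers nothing. Two caveats when
applying this: the check must cover status code, headers and redirects as
well as the body, and the hardened handler can still leak through timing
if the registered path does noticeably more work than the unregistered
one (queue the mail asynchronously or make both paths do equivalent work).
Rate limiting and a graphical challenge, as the article notes, raise the
cost further but do not replace the uniform response.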

Hostile profiling is only one way phishing messages are getting more
targeted. Earlier this month, security researchers reported that
stolen consumer data was used in phishing scams to rip off individual
account holders at specific banks.

Jevans at the Anti-Phishing Working Group said that Blue Security's
study highlights an emerging phishing threat, and agreed that online
organizations should take steps to eliminate vulnerable registration
and password-reminder features.

"I think the research is real. You can certainly code your site to not
do that, and you probably should," he said.

Copyright 1995-2005 CNET Networks, Inc.

NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.

*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S.  Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, CNET Networks, Inc.

For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml

------------------------------

From: Eran Reshef <eren@telecom-digest.org>  
Subject: Ethics of Deterrence
Date: Thu, 21 Jul 2005 16:20:46 -0500


The trackback URL for this blog entry is:
http://community.bluesecurity.com/.3c3e9cca/trackback

The Ethics of Deterrence

Some bloggers have recently claimed our fight is morally flawed. Now,
the usual thing to do when bloggers make such accusations is to either
ignore them or to deny the charges without giving details. I
disagree. I believe the best answer to any accusation is the
truth. And that's what I'd like to share with you now.

These bloggers claim we mount distributed denial of service attacks
against spammers' sites. Is this illegal? Is this morally wrong? I say
yes, it is illegal, morally wrong and also disgraceful -- if our
community really was involved in a DDoS.

The facts are very simple. It is legal, right and honorable to
complain about spam you receive. I bet each and every one of those
bloggers sent such a complaint at some point in time. And this is
exactly what each member of our community is doing -- complaining about
spam messages that reach them. I want to make this crystal clear: we
just complain about spam messages reaching us.

Some of you will rightly say "How is having a large number of people
complaining different from a DDoS?" There are several key differences.

First, a DDoS target cannot choose whether to be attacked or not. In
our case, if a spammer wishes not to receive even one single
complaint, that spammer can simply cease sending us spam. We provide
free compliance tools for spammers, so they can effortlessly stop
spamming us.

Second, DDoS targets do not receive warnings. Our community tries to
warn spammers before we start submitting complaints. We attempt to
contact the spammer's ISP, its web sites and any other contact point
we can identify. By the way, most spammers make it impossible to send
them anything but your credit card number, so from time to time our
warnings simply cannot be delivered.

Third, each zombie computer participating in a DDoS sends out as many
packets as possible to the DDoS target. In our community, every member
complains once per each spam message received by a honeypot account
owned by that member. We do forward messages among honeypot accounts,
but we hope no one seriously claims that email forwarding is immoral.

Fourth, DDoS attackers couldn't care less about inflicting damage on
third parties, such as ISPs. We measure and synchronize the complaints
of our members, in order to minimize any negative impact on third
parties. We also vigorously verify spam messages we receive to avoid
joe-jobs.

I know that this is not the last time we'd hear such accusations. But
we will continue our struggle to reclaim our Internet. Even if some
bloggers advocate turning the other cheek, we will not sit idly
while spammers take away our dream of a peaceful Internet.  

Posted by Eran Reshef Jul 18, 2005 13:18

==============================

A Response by Dave D - Jul 19, 2005 07:38 (#1 Total: 10)

Vigilante justice

Folks,

You might be well intentioned, but this system is doomed to fail, just
as the Lycos attempt to DDOS spammers was doomed to fail a few months
back.

Reasons:

1) Does your system make any distinction between a knowing spammer IP
and an infected Windows host running on a broadband connection, that
happened to send out some open proxy spam?

2) What about laptops at Wi-Fi cafes and such. Or universities. If
they bring an infected host onto the LAN, it spams, it leaves ... and
a day later your system launches a beat-down on the IP. By now, the
owner of the cafe has scanned his machines, and put up better
firewalling. Presumably he's no longer guilty. Yet he didn't reply in
time.  You unleash the hounds of 10,000 DDOS'ers.

3) Network administrators tend to frown on deliberate DDOS. Will you
defend users of your product who are banned permanently upon their ISP
or network admin finding out they willingly participated in a DDOS,
even a DDOS for 'moral' purposes?

4) The spammers get wind of your antics. They begin to launch strikes
against your site, and users of your software (if a signature can be
found, which should be simple, you make your client available to
inspect). Will you fix it so spammers cannot launch pre-emptive DDOS
against people that use your client?

5) What you are building is what the law calls a 'malicious botnet.'
Participation in a malicious botnet may well be against local laws and
be defined as a felony. Will your Terms of Service exonerate any local
user from prosecution as a net criminal?

6) As the owner of a LAN, if you list my IP and send me a flood of
data, can I sue you to recoup losses to my business, if it is shown
that I provided due diligence to fix the open-proxy spam issue I had
with my LAN? Suppose your network decides to attack me anyway, because
your "due diligence" does not match that of the law's?

These are just a few objections -- I am sure there are more. Starting
with, maliciously using the internet is just a dumb idea.  DUMB.

But by all means go ahead. It's also a free market economy, you
certainly have a right to launch the dumbest idea I've seen lately.

Kind regards,

Dave D

==============================

A response by Eran Aloni - Jul 19, 2005 08:39 (#2 Total: 10)

Dave,

The concerns and reservations listed in your comment seem like a
result of a misunderstanding of our service.

Most of your comments are based on the misconception that the Blue
Community posts complaints at the computers used by spammers to send
spam. Obviously, since spammers regularly use botnets and zombie
networks to send unsolicited bulk email, there's no point in trying to
complain there.

The Do Not Intrude Registry takes a totally different approach. Blue
Community members complain about spam messages they receive by posting
complaints on web sites advertised by spam -- a single complaint for
each spam message they receive. Clearly, community members have every
right to complain about spam they receive.

These spam sites are the root cause for spam -- they are the ones
paying spammers to flood our Inboxes and they are the ones making
money from spam. The Do Not Intrude Registry disrupts their business
model while making sure no innocent third parties are affected.

Complaints are posted only as a reaction to receiving spam messages
and only after both site owner and the hosting ISP are warned and
asked to stop sending spam to the community. Advertisers and spammers
can easily avoid receiving complaints by cleaning their mailing lists
using the tools we provide and avoid sending spam to the community.

Best regards,

Eran Aloni
Director of Marketing, Blue Security.

==============================

A response from RiBiNiN - Jul 20, 2005 02:32 (#3 Total: 10)

Dave D fails reading comprehension

You have done what I wanted to do, automate a response, not to the
mail but to the website. If I complain about each e-mail I receive
manually nobody could complain. You have just automated the process.
Also, Dave D could be a spammer who is afraid that you have something
that really will work.

I have downloaded the code and am looking forward to reading it in
detail.

==============================

A response once again from Dave D - Jul 20, 2005 02:32 (#4 Total: 10)

Sure, but ... we've seen this approach fail in the past.

Reporting actors can misidentify mail. They can report mail they don't
like. I've seen mail from aunt mabel be reported as spam, because
someone hit the 'report spam' button to delete. It happens.

What really frightens me is your system (run by humans, thus capable
of flaw) is not taking a passive "block IP" approach, which would be
acceptable, but instead is taking an active "attack the bad IP"
approach.

Which, even if it wasn't illegal, would still be stupid as hell.

I predict you're going to find a frosty reception for your
little invention among

       1) Network admins that carry your traffic

       2) Hosting providers that have to absorb the retaliation
attacks at your site

       3) ISP abuse desks, who will be dealing with the fallout from
your users (their customers) running your product, which no matter how
you explain it away, is still an excuse to participate in a botnet
DDOS.

Keep sprinkling on the sugar. You might eventually convince some
people that this is a donut.

But DDOS for hire is what the criminals on the net do, and no matter
how you sugar coat it, what you are proposing is a DDOS for hire.
Just for "white hat" purposes (questionable). Just because you think
its white hat, does not by any stretch mean the net community will, or
the law will.

Kind regards,

Dave D

==============================

A response from  RiBiNiN - Jul 20, 2005 02:32 (#5 Total: 10)


Dave D fails reading comprehension

I am wondering if Dave is a spammer. He has distorted the method to
make it seem like the beginning of a slippery slope to anarchy. It is
merely doing what we all want to do, get off mailing lists without
exposing ourselves to these toxic websites.

==============================

Dave D - Jul 20, 2005 11:16 (#6 Total: 10)

Dave D once again: Well, blaming the messenger is what your system is
all about.

A spammer. Thats a laugh. Now you're falsely attacking the
messenger. Sounds like a harbinger of things to come from this system.

Rather than be a spammer, I work on the other side -- I work trying to
prevent spam for customers.

One of our biggest headaches is not spam, its guys that generate 'side
work' trying to fight spam.

Side work like DDOS's against mistaken targets.

Good luck with your endeavor, I know you mean well.

I remain unconvinced by this reported approach: DDOS'ing the perceived
spammer will fail, because you will misidentify targets, and because
some of those targets will sue or cause your upstream provider to take
corrective action ... not against them (if they are indeed spammers)
but rather against you ... for deliberately DDOSing.

Net traffic costs money and time. Malicious traffic is illegal.
Spammers need to be and are being prosecuted ... as well as a myriad
of blocking strategies being employed ... but to move from that to
actively abusing the net to attempt to get even with spammers ... this
will always fail. It's been tried before, the result is either
embarrassment or retreat.

Kind regards,

Dave D

==============================

Now, a different David responds: David - Jul 20, 2005 16:04 (#7 Total: 10)

Misinterpreted Facts

This tactic may indeed seem like a DDOS attack to one who has not read
the facts or does not fully understand the system.

Now would you say we have a right to complain? Is complaining about
bad customer service malicious traffic? Is complaining about a bad
business malicious traffic? Is complaining about privacy intrusion
malicious traffic? Is it illegal/immoral? I hope not, otherwise I'd have
been in jail 10 years ago.

Simply put we are exercising our right to the First Amendment of the
US Constitution, but it is in a controlled manner, first off is that
they try to warn the spammer and their (the SPAMMER's) ISP/Web host
about the complaints before they are sent, second if the warnings are
ignored we match the SPAM they sent to us with equal amounts of
complaints by the ones who received it but NOT ALL AT THE SAME TIME to
AVOID the possible DDOS attack.

Now about the use of the report SPAM to delete is rather simple, first
for reporting the SPAM here there's no button, second it doesn't
delete it, third is why they have actual Humans to check to make sure
it's actual SPAM that's not CAN-SPAM Act of 2003 compliant and not just
a "case of mistaken identity". 

Now about the humans capable of flaw, let me ask you this are you a
human, do you work with and for humans? Even if it was all computers,
we all are capable of mistakes even computers just as humans.  Simply
put if every one complained just by themselves about every SPAM
message they receive (now is that so wrong, illegal, immoral?) the
chances of it appearing as a DDOS attack would be higher since most
SPAMMERS send all their messages at once, and some would be likely to
read and complain at the same time.  

Let's put it as this, let's say this was a Car Alarm (meant to keep
your privacy of the car, as this is to keep your privacy of your
e-mail) Now a Car Alarm is not illegal, and it has a lot of mistaken
identities, i.e. a cat wanting a nap on a warm surface, somebody
shutting a heavy door; now imagine if you had a couple thousand car
alarms at the same place, is that illegal, immoral? Simply put it's a
car alarm for your e-mail. Or we could compare it to a "No
Trespassing" sign, they trespass on our property we tell them to get
out or well call the police, now is that illegal, immoral? I hope
not. Or if you don't like those comparisons, let's compare a SPAMMER
to a Burglar and your E-mail Box to a House, if the burglar broke into
your house, would you not tell him to leave until he does, or call the
police he would do the same but with more drastic measures some times,
is that illegal, immoral? Get my point?

This is not abuse this is exercising our rights, just as it is to
exercise our right to defend ourselves against an attacker, i.e. spraying
Pepperspray (The Blue Frog Security Program) at the attacker
(SPAMMER).

To sum it up, we have a right to complain (last time I looked
complaining was perfectly legal, moral, and ethical), this is not a
DDOS attack since the complaints are monitored and controlled so that
does not happen and for every one who received a SPAM message they'll
complain about it, but only once per message received, until the SPAMMERS
stop sending messages (Trespasser Trespassing, Burglar breaking into
your house etc... We have the right to protect our property, defend
our lives, we have the right to control who can come onto our property
(i.e. homes, car, e-mails). I hope these things aren't illegal, otherwise
I'm in deep trouble, along with the majority of the population.

Also Two SPAMMERS have stopped SPAMMING the Blue Community from our
efforts, thus if we don't get any bad static this program very well
might work.

==============================

A brilliant anti-spam model ...

Before joining the project I spent a few days carefully reviewing the
concept on the Blue Security site, studying the FAQ, reading
independent news stories popping up all over the net, and visiting
several related blogs.

It seems to me that while Dave D raises important concerns -- many of
which crossed my mind while researching the project -- these concerns
are already clearly handled. I believe Dave D means well and has a
handle on the technical and ethical issues. His somewhat -- what's the
word I want? -- passive / aggressive writing style sort of put me off
at first, but I took it in with a grain of salt (or maybe sugar? -
grin).

I've come to the conclusion that Blue Frog is a brilliant anti-spam
model... easily the best approach I've seen since I joined Project
Honeypot last year (see: projecthoneypot.org).

Eran's "Join us" post of 17 July hit home with me on many levels. I
first went online in 1994. In those ancient times, I couldn't wait to
wake up every day and get to work. The net made it possible to expand
the reach of my art and design across the globe, visit with longtime
friends, make new friends, and keep in touch with family.

The Internet is easily the most important advance in human
communication since the invention of moveable type and the printing
press (even more important than radio or TV, since it's a two-way
interactive media). It's now hijacked by a tiny minority of
ethically challenged, money-grubbing psychopaths. Spammers are the
online equivalent of home invasion gangs.

Filtering spam is a knee-jerk response that doesn't address the core
issue. Current US federal anti-spam legislation is worse than
useless. The federal Can Spam act, with its inane 'opt-out' nonsense
is fatally flawed -- thanks to well-funded lobbyists from groups like
the DMA (Direct Marketing Association) and technically challenged,
eager-to-please (and get reelected) politicians. It's a paper tiger,
signed into law with great fanfare and no real teeth or moral
underpinnings. Can Spam basically legalized spam in the United
States ... exactly the opposite of what its proponents said it would
do. It's a stunning example of George Orwell's 1984 "doublespeak" in a
real-world 21st century application.

Oops. Sorry. I'm venting.

What I'm trying to get at here is that filtering isn't working and
conventional legislation is compromised by commercial and political
interests. Meanwhile, millions of decent people all over the world
continue to be assaulted every day by ads for drugs, porn, and all
manner of scams they did not ask for, do not want, and which cost
them time and money to simply receive. All this spam arrives 'postage
due.'

Dave D - and other well-meaning detractors of the Blue Frog model --
might want to consider offering methods to improve it instead of
merely dumping on it. While we sit here reading posts and squabbling
about the best way to stop spam, spammers smack their lips and shove
their crap all around the world.

           =================================

An anonymous poster replies: Anonymous - Jul 21, 2005 06:01 (#9 Total: 10)

Do not Intrude Registry

So what you're envisioning is that people will give you their e-mail
addresses and you'll make a list of them, and distribute this list to
(roughly) whomever wants it.

This list would of course be a valuable prize for spammers, so you
encrypt it with a one-way hash. You intend for spammers to generate
hashes of their spam list, then obtain your obfuscated 'Do Not
Intrude' list and compare the two. If there's a match, that's a sign
that the e-mail is likely valid. I don't see how your list is not a
bonanza for spammers. It offers them a very easy method of "cleaning"
their lists.

You say that you'll put some false positives (honeypot addresses) in
the list you distribute, but who really cares? It doesn't cost a
spammer anything to send e-mail to those addresses as well.

But then there's your threat of a DDoS attack. While I admire it on a
gut level, there are a host of legal questions involved. Do you take
full legal responsibility for the actions of your Blue Frog agent?  (I
read the legal info and I didn't see anything to make me think the
answer is 'yes'.)

If I install it and find myself named in a lawsuit, will you pay my
legal bills?

What if I go to jail because a jury decided that my Blue Frog broke
the law? Will you support my family?

More likely, what if I install it at work and my employer terminates
me because the Blue Frog tried to access sites known for adult or
other not-safe-for-work content? Will you help me find a new job with
an employer that doesn't care if their employees are participating in
DDoS attacks?

For anyone that's interested, I recommend reading the findings of the
FTC's report to Congress about the feasibility of a do-not-email list:
http://www.ftc.gov/reports/dneregistry/report.pdf (Thanks to Suresh
Ramasubramanian for posting the link.)

There is no way I'd put my e-mail address on your list.  There are too
many ways this can go wrong.

Regards,

Anonymous
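The list-cleaning worry in the post above can be shown concretely. The following is an added example written for this discussion; it is not Blue Security's software and does not claim to describe their actual implementation. The hash function (SHA-1 over the lower-cased address), the subscriber and decoy addresses, and the spammer's list are all assumptions constructed for illustration.

```python
"""Hashed do-not-email registry: how a spammer 'cleans' a list against it.

Added example for this discussion; not Blue Security's code and not a
description of their real implementation. The hash function (SHA-1 over
the lower-cased address), the addresses and the decoys are assumptions
constructed for illustration.
"""
import hashlib
import hmac


def normalise(addr: str) -> str:
    # Both sides must canonicalise the same way, or the hashes never match.
    return addr.strip().lower()


def registry_hash(addr: str) -> str:
    # Unkeyed one-way hash: anyone can compute it for any address they hold.
    return hashlib.sha1(normalise(addr).encode()).hexdigest()


def build_registry(subscribers, honeypots):
    """The published artefact: digests of real subscribers mixed with
    digests of decoy (honeypot) addresses."""
    return {registry_hash(a) for a in list(subscribers) + list(honeypots)}


def clean_list(published, spam_list):
    """The spammer's step: hash every address on the spam list and keep the
    ones the registry knows about. A match means somebody cared enough to
    register the address, which is exactly the liveness signal wanted."""
    return [a for a in spam_list if registry_hash(a) in published]


def decoys_hit(cleaned, honeypots):
    """Decoys survive cleaning too: from the digest alone the spammer cannot
    tell a honeypot from a subscriber, but mailing them costs nothing."""
    traps = {normalise(h) for h in honeypots}
    return [a for a in cleaned if normalise(a) in traps]


def keyed_hash(addr: str, key: bytes) -> str:
    # Contrast: an HMAC under a secret key. Without the key nobody can
    # compute the digest of an arbitrary address, so the list is useless
    # for cleaning; but then a spammer cannot scrub against it either,
    # which was the registry's stated purpose.
    return hmac.new(key, normalise(addr).encode(), hashlib.sha256).hexdigest()


def clean_list_keyed(published_keyed, spam_list, guessed_key: bytes):
    return [a for a in spam_list
            if keyed_hash(a, guessed_key) in published_keyed]


# Constructed sample data (not real addresses).
SUBSCRIBERS = ["alice@example.com", "Bob@Example.org"]
HONEYPOTS = ["trap-7f3a@example.net"]
SPAM_LIST = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.com",
    "trap-7f3a@example.net",
    "nobody@example.invalid",
]
SECRET_KEY = b"registry-operator-secret"  # assumed, held only by the operator


if __name__ == "__main__":
    registry = build_registry(SUBSCRIBERS, HONEYPOTS)
    kept = clean_list(registry, SPAM_LIST)
    print("spammer keeps:", kept)
    print("decoys kept anyway:", decoys_hit(kept, HONEYPOTS))
    keyed = {keyed_hash(a, SECRET_KEY) for a in SUBSCRIBERS + HONEYPOTS}
    print("keyed registry, wrong key:",
          clean_list_keyed(keyed, SPAM_LIST, b"guess"))
```

Note that "Bob@Example.org" on the subscriber side still matches "bob@example.org" on the spam list, because both sides normalise before hashing; a registry that is usable for scrubbing has to be just as usable for cleaning, and the decoy is indistinguishable from a subscriber until mail is actually sent to it.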

               ===========================


A final response by Eran Aloni - Jul 21, 2005 06:18 (#10 Total: 10)

The Do Not Intrude Registry is a legal and ethical
solution allowing users to complain about spam they receive -- a single
complaint for each spam message received.

You have a legal and ethical right to complain about spam you
receive. You can do it manually by visiting the sites advertised by
spam, or you may sign up with the Do Not Intrude Registry which
performs the exact same procedure in an automated and safe manner.

------------------------------

From: Eren Reshef <reshef@telecom-digest.org>
Subject: Join us at http://www.bluesecurity.com
Date: Thu, 21 Jul 2005 16:26:37 -0500


The trackback URL for this blog entry is:
http://community.bluesecurity.com/.3c3e9cc4/trackback

Join us

When I was a kid, I used to go through my emails using my Apple IIe
and a modem. I only received real emails, from real people. No
refinancing, no drugs, no porno, no scams, no spam. Just real email
messages from my pals around the world. Do you remember how it was?
When every email was an email from a friend? And we all thought this
peaceful, friendly cyberspace would last forever.

A few hundred spammers have ruined our dream. They've clogged our
mailboxes with filth. Already, 80% of email traffic is made up of
spam. Let us no longer blind ourselves to the irrefutable facts:
current measures have failed to stop spammers. The experience of the
past several years has proven that passive measures are just not the
answer.

Deterrence is the only real answer to spam. We need to deter spammers
from sending us junk. We can reclaim our email experience. All we need
is decisive action to establish deterrence in the mind of spammers.

We must not underestimate the magnitude of the task which lies before
us. We are fighting for the future of the Internet. What we need to do
now is get as many users as possible into our community -- have as
many computers working together to induce commercial loss on
spammers. If you haven't signed up with the registry and installed a
blue frog yet, please sign up now. If your friends have not yet joined
us, convince them to do so.

Let's stop filtering spam, and start deterring spammers. Together, we
CAN reclaim the Internet.  

Posted by Eran Reshef Jul 17, 2005 08:19

==============================

A Response from Philippe - Jul 20, 2005 02:32 (#1 Total: 1)


Great idea for a company

More detail on how to use this effectively is needed.

Where can you forward your unsolicited spam to? How many complaints have
been submitted for you (like a tally)? I hope this expands into a great
thing. I think a key factor will be explaining to someone when they join
what they need to do and the steps they should go through. Make it
dummyproof.

------------------------------

From: jmeissen@aracnet.com
Subject: Re: Spam Fighting Technique Fought by Some Netizens
Date: 21 Jul 2005 21:12:37 GMT
Organization: http://extra.newsguy.com


In article <telecom24.333.3@telecom-digest.org>, Our Esteemed Editor
wrote:

> It is not okay to adopt a very simple challenge system in order to be 
> assured that real human beings, no matter how whacky some of their 
> ideas are reach the Digest but the spammers do not?  

Challenge-response systems don't work, and only serve to annoy
innocent bystanders. The only challenges I've ever received were in
response to spam that had forged my return address. Of course, to
avoid future "challenge spam" from those domains in the future I
always responded in the positive, which renders them that much more
ineffective.

Any system that tries to rely on sender identity or content analysis
after accepting delivery from the sending system is not going to be
effective. It's bad enough when poorly configured mail systems try to
bounce messages to assumed sender addresses rather than rejecting them
before accepting delivery. Don't add another layer of abuse on top of
it. Just because you got spam is no reason to be sending email to me.


John Meissen                                    jmeissen@aracnet.com



[TELECOM Digest Editor's Note: But I do the essence of challenge
response right now, as many other mailing list publishers do. You
(or some spammer or other idiot) writes to me. When it gets here if
Spam Assassin determines it to be spam it goes into one file. The
allegedly _legitimate_ letter writers get back an auto-ack from me,
but since Spam Assassin lets so much garbage through, a lot of
spammers get an auto-ack also. 

Because of my personal experience with this for a few years now, the
auto-ack begins with the assumption you _are a spammer_ also. It asks
you to (1) remove this email address from your list. (2) It tells you
we are not interested at all ...  (3) then it goes on to say "If you
were not the writer of what I received, then someone apparently took
control of your computer; please get help as needed in cleaning out
the viruses, etc."

Then after a couple paragraphs at least of addressing you as though
you are the spammer, or the idiot with the zombified computer, it 
goes on to conclude (4) "for everyone else, good netizens who wrote
to me, your letter is being read and evaluated and readied for use
in the Digest. Thank you for writing me."   Now, is the complaint I
make in (1),(2) and (3) too much of an imposition to read? I very 
strongly support the work of http://www.bluesecurity.com and hope
all readers will at least review it and decide from there.  PAT]
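The distinction John Meissen draws, rejecting during the SMTP transaction versus accepting delivery and then bouncing or auto-replying, is shown below in a toy model. This is an added example written for this thread; it is not his code, not SpamAssassin and not any real MTA. The session handling, the stand-in spam test and the addresses are constructed for illustration.

```python
"""Rejecting at SMTP time versus accepting and bouncing.

Added example for this thread; a toy model, not John Meissen's code, not
SpamAssassin and not a real MTA. The session handling, the spam test and
the addresses are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Envelope:
    mail_from: str   # envelope sender (Return-Path); routinely forged in spam
    rcpt_to: str
    body: str


@dataclass
class Outcome:
    replies: list     # SMTP reply codes returned to the connecting system
    bounces_to: list  # addresses to which this host generated a DSN


KNOWN_USERS = {"john@example.org"}


def looks_like_spam(body: str) -> bool:
    # Stand-in for a content filter; the decision rule itself is not the point.
    return "cheap meds" in body.lower()


def reject_at_smtp_time(env: Envelope) -> Outcome:
    """Policy applied inside the transaction. A 5xx before the final '250'
    leaves responsibility with the sending system: this host never owns
    the message and so never has to bounce it to anyone."""
    replies = ["250 ok"]                                   # MAIL FROM
    if env.rcpt_to not in KNOWN_USERS:
        replies.append("550 5.1.1 no such user")           # RCPT TO
        return Outcome(replies, [])
    replies.append("250 ok")                               # RCPT TO
    if looks_like_spam(env.body):
        replies.append("550 5.7.1 rejected as spam")       # end of DATA
        return Outcome(replies, [])
    replies.append("250 queued")
    return Outcome(replies, [])


def accept_then_bounce(env: Envelope) -> Outcome:
    """Policy applied after acceptance. Having said '250 queued', the host
    now owns the message; the only party it can still notify is the
    envelope sender, which is whoever the spammer chose to forge."""
    replies = ["250 ok", "250 ok", "250 queued"]
    bounces = []
    if env.rcpt_to not in KNOWN_USERS or looks_like_spam(env.body):
        bounces.append(env.mail_from)
    return Outcome(replies, bounces)


def backscatter_count(handler, envelopes, victim: str) -> int:
    """Number of unsolicited DSNs an innocent forged sender receives."""
    return sum(1 for e in envelopes
               for b in handler(e).bounces_to if b == victim)


# Constructed sample traffic: two spams forged from 'victim', one real mail.
SAMPLE = [
    Envelope("victim@example.net", "john@example.org", "Cheap meds, no prescription"),
    Envelope("victim@example.net", "nosuchuser@example.org", "Cheap meds here"),
    Envelope("friend@example.com", "john@example.org", "Lunch tomorrow?"),
]


if __name__ == "__main__":
    for name, handler in (("reject at SMTP time", reject_at_smtp_time),
                          ("accept then bounce", accept_then_bounce)):
        n = backscatter_count(handler, SAMPLE, "victim@example.net")
        print(f"{name}: backscatter to victim = {n}")
```

With the 5xx path, a spam-sending zombie that receives the rejection simply drops it, while a legitimate relay carrying a real user's mail generates its own non-delivery report to its own user, who really did send it. With the accept-then-bounce path (and equally with an auto-acknowledgement sent after acceptance) every forged message turns into a second piece of unwanted mail aimed at whoever's address was forged.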

------------------------------


TELECOM Digest is an electronic journal devoted mostly but not
exclusively to telecommunications topics. It is circulated anywhere
there is email, in addition to various telecom forums on a variety of
networks such as Compuserve and America On Line, Yahoo Groups, and
other forums.  It is also gatewayed to Usenet where it appears as the
moderated newsgroup 'comp.dcom.telecom'.

TELECOM Digest is a not-for-profit, mostly non-commercial educational
service offered to the Internet by Patrick Townson. All the contents
of the Digest are compilation-copyrighted. You may reprint articles in
some other media on an occasional basis, but please attribute my work
and that of the original author.

Contact information:    Patrick Townson/TELECOM Digest
                        Post Office Box 50
                        Independence, KS 67301
                        Phone: 620-402-0134
                        Fax 1: 775-255-9970
                        Fax 2: 530-309-7234
                        Fax 3: 208-692-5145         
                        Email: editor@telecom-digest.org

Subscribe:  telecom-subscribe@telecom-digest.org
Unsubscribe:telecom-unsubscribe@telecom-digest.org

This Digest is the oldest continuing e-journal about telecomm-
unications on the Internet, having been founded in August, 1981 and
published continuously since then.  Our archives are available for
your review/research. We believe we are the oldest e-zine/mailing list
on the internet in any category!

URL information:        http://telecom-digest.org

Anonymous FTP: mirror.lcs.mit.edu/telecom-archives/archives/
  (or use our mirror site: ftp.epix.net/pub/telecom-archives)

RSS Syndication of TELECOM Digest: http://telecom-digest.org/rss.html
  For syndication examples see http://www.feedrollpro.com/syndicate.php?id=308
    and also http://feeds.feedburner.com/TelecomDigest

*************************************************************************
*   TELECOM Digest is partially funded by a grant from                  *
*   Judith Oppenheimer, President of ICB Inc. and purveyor of accurate  *
*   800 & Dot Com News, Intelligence, Analysis, and Consulting.         *
*   http://ICBTollFree.com, http://1800TheExpert.com                    *
*   Views expressed herein should not be construed as representing      *
*   views of Judith Oppenheimer or ICB Inc.                             *
*************************************************************************

ICB Toll Free News.  Contact information is not sold, rented or leased.

One click a day feeds a person a meal.  Go to http://www.thehungersite.com

Copyright 2004 ICB, Inc. and TELECOM Digest. All rights reserved.
Our attorney is Bill Levant, of Blue Bell, PA.

              ************************

DIRECTORY ASSISTANCE JUST 65 CENTS ONE OR TWO INQUIRIES CHARGED TO
YOUR CREDIT CARD!  REAL TIME, UP TO DATE! SPONSORED BY TELECOM DIGEST
AND EASY411.COM   SIGN UP AT http://www.easy411.com/telecomdigest !

              ************************

Visit http://www.mstm.okstate.edu and take the next step in your
career with a Master of Science in Telecommunications Management
(MSTM) degree from Oklahoma State University (OSU). This 35
credit-hour interdisciplinary program is designed to give you the
skills necessary to manage telecommunications networks, including
data, video, and voice networks.

The MSTM degree draws on the expertise of the OSU's College
of Business Administration; the College of Arts and Sciences; and the
College of Engineering, Architecture and Technology. The program has
state-of-the-art lab facilities on the Stillwater and Tulsa campus
offering hands-on learning to enhance the program curriculum.  Classes
are available in Stillwater, Tulsa, or through distance learning.

Please contact Jay Boyington for additional information at
405-744-9000, mstm-osu@okstate.edu, or visit the MSTM web site at
http://www.mstm.okstate.edu

              ************************

   ---------------------------------------------------------------

Finally, the Digest is funded by gifts from generous readers such as
yourself who provide funding in amounts deemed appropriate. Your help
is important and appreciated. A suggested donation of fifty dollars
per year per reader is considered appropriate. See our address above.
Please make at least a single donation to cover the cost of processing
your name to the mailing list. 

All opinions expressed herein are deemed to be those of the
author. Any organizations listed are for identification purposes only
and messages should not be considered any official expression by the
organization.

End of TELECOM Digest V24 #334
******************************
