TELECOM Digest OnLine - Sorted: Ethics of Deterrence


Ethics of Deterrence


Eren Reshef (eren@telecom-digest.org)
Thu, 21 Jul 2005 16:20:46 -0500

The trackback URL for this blog entry is:
http://community.bluesecurity.com/.3c3e9cca/trackback

The Ethics of Deterrence

Some bloggers have recently claimed our fight is morally flawed. Now,
the usual thing to do when bloggers make such accusations is to either
ignore them or to deny the charges without giving details. I
disagree. I believe the best answer to any accusation is the
truth. And that's what I'd like to share with you now.

These bloggers claim we mount distributed denial of service attacks
against spammers' sites. Is this illegal? Is this morally wrong? I say
yes, it is illegal, morally wrong and also disgraceful -- if our
community really was involved in a DDoS.

The facts are very simple. It is legal, right and honorable to
complain about spam you receive. I bet each and every one of those
bloggers sent such a complaint at some point in time. And this is
exactly what each member of our community is doing -- complaining about
spam messages that reach them. I want to make this crystal clear: we
just complain about spam messages reaching us.

Some of you will rightly say "How is having a large number of people
complaining different from a DDoS?" There are several key differences.

First, a DDoS target cannot choose whether to be attacked or not. In
our case, if a spammer wishes not to receive even one single
complaint, that spammer can simply cease sending us spam. We provide
free compliance tools for spammers, so they can effortlessly stop
spamming us.

Second, DDoS targets do not receive warnings. Our community tries to
warn spammers before we start submitting complaints. We attempt to
contact the spammer's ISP, its web sites and any other contact point
we can identify. By the way, most spammers make it impossible to send
them anything but your credit card number, so from time to time our
warnings simply cannot be delivered.

Third, each zombie computer participating in a DDoS sends out as many
packets as possible to the DDoS target. In our community, every member
complains once per each spam message received by a honeypot account
owned by that member. We do forward messages among honeypot accounts,
but we hope no one seriously claims that email forwarding is immoral.

Fourth, DDoS attackers couldn't care less about inflicting damage on
third parties, such as ISPs. We measure and synchronize the complaints
of our members, in order to minimize any negative impact on third
parties. We also vigorously verify spam messages we receive to avoid
joe-jobs.

I know that this is not the last time we'd hear such accusations. But
we will continue our struggle to reclaim our Internet. Even if some
bloggers advocate turning the other cheek, we will not sit idly
while spammers take away our dream of a peaceful Internet.

Posted by Eran Reshef Jul 18, 2005 13:18

==============================

A Response by Dave D - Jul 19, 2005 07:38 (#1 Total: 10)

Vigilante justice

Folks,

You might be well intentioned, but this system is doomed to fail, just
as the Lycos attempt to DDOS spammers was doomed to fail a few months
back.

Reasons:

1) Does your system make any distinction between a knowing spammer IP
and an infected Windows host running on a broadband connection, that
happened to send out some open proxy spam?

2) What about laptops at Wi-Fi cafes and such. Or universities. If
they bring an infected host onto the LAN, it spams, it leaves ... and
a day later your system launches a beat-down on the IP. By now, the
owner of the cafe has scanned his machines, and put up better
firewalling. Presumably he's no longer guilty. Yet he didn't reply in
time. You unleash the hounds of 10,000 DDOS'ers.

3) Network administrators tend to frown on deliberate DDOS. Will you
defend users of your product who are banned permanently upon their ISP
or network admin finding out they willingly participated in a DDOS,
even a DDOS for 'moral' purposes?

4) The spammers get wind of your antics. They begin to launch strikes
against your site, and users of your software (if a signature can be
found, which should be simple, you make your client available to
inspect). Will you fix it so spammers cannot launch pre-emptive DDOS
against people that use your client?

5) What you are building is what the law calls a 'malicious botnet.'
Participation in a malicious botnet may well be against local laws and
be defined as a felony. Will your Terms of Service exonerate any local
user from prosecution as a net criminal?

6) As the owner of a LAN, if you list my IP and send me a flood of
data, can I sue you to recoup losses to my business, if it is shown
that I provided due diligence to fix the open-proxy spam issue I had
with my LAN? Suppose your network decides to attack me anyway, because
your "due diligence" does not match that of the law's?

These are just a few objections -- I am sure there are more. Starting
with, maliciously using the internet is just a dumb idea. DUMB.

But by all means go ahead. It's also a free market economy, you
certainly have a right to launch the dumbest idea I've seen lately.

Kind regards,

Dave D

==============================

A response by Eran Aloni - Jul 19, 2005 08:39 (#2 Total: 10)

Dave,

The concerns and reservations listed in your comment seem like a
result of a misunderstanding of our service.

Most of your comments are based on the misconception that the Blue
Community posts complaints at the computers used by spammers to send
spam. Obviously, since spammers regularly use botnets and zombie
networks to send unsolicited bulk email, there's no point in trying to
complain there.

The Do Not Intrude Registry takes a totally different approach. Blue
Community members complain about spam messages they receive by posting
complaints on web sites advertised by spam -- a single complaint for
each spam message they receive. Clearly, community members have every
right to complain about spam they receive.

These spam sites are the root cause for spam -- they are the ones
paying spammers to flood our Inboxes and they are the ones making
money from spam. The Do Not Intrude Registry disrupts their business
model while making sure no innocent third parties are affected.

Complaints are posted only as a reaction to receiving spam messages
and only after both site owner and the hosting ISP are warned and
asked to stop sending spam to the community. Advertisers and spammers
can easily avoid receiving complaints by cleaning their mailing lists
using the tools we provide and avoid sending spam to the community.

Best regards,

Eran Aloni
Director of Marketing, Blue Security.

==============================

A response from RiBiNiN - Jul 20, 2005 02:32 (#3 Total: 10)

Dave D fails reading comprehension

You have done what I wanted to do, automate a response, not to the
mail but to the website. If I complain about each e-mail I receive
manually nobody could complain. You have just automated the process.
Also, Dave D could be a spammer who is afraid that you have something
that really will work.

I have downloaded the code and am looking forward to reading it in
detail.

==============================

A response once again from Dave D - Jul 20, 2005 02:32 (#4 Total: 10)

Sure, but ... we've seen this approach fail in the past.

Reporting actors can misidentify mail. They can report mail they don't
like. I've seen mail from Aunt Mabel be reported as spam, because
someone hit the 'report spam' button to delete. It happens.

What really frightens me is your system (run by humans, thus capable
of flaw) is not taking a passive "block IP" approach, which would be
acceptable, but instead is taking an active "attack the bad IP"
approach.

Which, even if it wasn't illegal, would still be stupid as hell.

I predict you're going to find a frosty reception for your
little invention among

1) Network admins that carry your traffic

2) Hosting providers that have to absorb the retaliation
attacks at your site

3) ISP abuse desks, who will be dealing with the fallout from
your users (their customers) running your product, which no matter how
you explain it away, is still an excuse to participate in a botnet
DDOS.

Keep sprinkling on the sugar. You might eventually convince some
people that this is a donut.

But DDOS for hire is what the criminals on the net do, and no matter
how you sugar coat it, what you are proposing is a DDOS for hire.
Just for "white hat" purposes (questionable). Just because you think
it's white hat, does not by any stretch mean the net community will, or
the law will.

Kind regards,

Dave D

==============================

A response from RiBiNiN - Jul 20, 2005 02:32 (#5 Total: 10)

Dave D fails reading comprehension

I am wondering if Dave is a spammer. He has distorted the method to
make it seem like the beginning of a slippery slope to anarchy. It is
merely doing what we all want to do, get off mailing lists without
exposing ourselves to these toxic websites.

==============================

Dave D - Jul 20, 2005 11:16 (#6 Total: 10)

Dave D once again: Well, blaming the messenger is what your system is
all about.

A spammer. That's a laugh. Now you're falsely attacking the
messenger. Sounds like a harbinger of things to come from this system.

Rather than be a spammer, I work on the other side -- I work trying to
prevent spam for customers.

One of our biggest headaches is not spam, it's guys that generate 'side
work' trying to fight spam.

Side work like DDOS's against mistaken targets.

Good luck with your endeavor, I know you mean well.

I remain unconvinced by this reported approach: DDOS'ing the perceived
spammer will fail, because you will misidentify targets, and because
some of those targets will sue or cause your upstream provider to take
corrective action ... not against them (if they are indeed spammers)
but rather against you ... for deliberately DDOSing.

Net traffic costs money and time. Malicious traffic is illegal.
Spammers need to be and are being prosecuted ... as well as a myriad
of blocking strategies being employed ... but to move from that to
actively abusing the net to attempt to get even with spammers ... this
will always fail. It's been tried before, the result is either
embarrassment or retreat.

Kind regards,

Dave D

==============================

Now, a different David responds: David - Jul 20, 2005 16:04 (#7 Total: 10)

Misinterpreted Facts

This tactic may indeed seem like a DDOS attack to one who has not read
the facts or does not fully understand the system.

Now would you say we have a right to complain? Is complaining about
bad customer service malicious traffic? Is complaining about a bad
business malicious traffic? Is complaining about privacy intrusion
malicious traffic? Is it illegal/immoral? I hope not, otherwise I'd
have been in jail 10 years ago.

Simply put, we are exercising our right under the First Amendment of
the US Constitution, but in a controlled manner: first, they try to
warn the spammer and their (the SPAMMER's) ISP/web host about the
complaints before they are sent; second, if the warnings are ignored,
we match the SPAM they sent to us with equal amounts of complaints by
the ones who received it, but NOT ALL AT THE SAME TIME, to AVOID the
possible DDOS attack.

Now about the use of "report SPAM" to delete, it's rather simple:
first, for reporting the SPAM here there's no button; second, it
doesn't delete it; third, that is why they have actual humans check to
make sure it's actual SPAM that's not CAN-SPAM Act of 2003 compliant
and not just a "case of mistaken identity".

Now about the humans capable of flaw, let me ask you this: are you a
human? Do you work with and for humans? Even if it was all computers,
we are all capable of mistakes, even computers, just as humans. Simply
put, if everyone complained just by themselves about every SPAM
message they receive (now is that so wrong, illegal, immoral?), the
chances of it appearing as a DDOS attack would be higher, since most
SPAMMERs send all their messages at once, and some would be likely to
read and complain at the same time.

Let's put it like this: let's say this was a car alarm (meant to keep
the privacy of your car, as this is to keep the privacy of your
e-mail). Now a car alarm is not illegal, and it has a lot of mistaken
identities, i.e. a cat wanting a nap on a warm surface, somebody
shutting a heavy door; now imagine if you had a couple thousand car
alarms at the same place, is that illegal, immoral? Simply put, it's a
car alarm for your e-mail. Or we could compare it to a "No
Trespassing" sign: they trespass on our property, we tell them to get
out or we'll call the police; now is that illegal, immoral? I hope
not. Or if you don't like those comparisons, let's compare a SPAMMER
to a burglar and your e-mail box to a house; if the burglar broke into
your house, would you not tell him to leave until he does, or call the
police? He would do the same but with more drastic measures sometimes;
is that illegal, immoral? Get my point?

This is not abuse, this is exercising our rights, just as it is to
exercise our right to defend ourselves against an attacker, i.e.
spraying pepper spray (the Blue Frog security program) at the attacker
(SPAMMER).

To sum it up, we have a right to complain (last time I looked,
complaining was perfectly legal, moral, and ethical). This is not a
DDOS attack, since the complaints are monitored and controlled so that
does not happen, and everyone who received a SPAM message will
complain about it, but only once per message received, until the
SPAMMERS stop sending messages (trespasser trespassing, burglar
breaking into your house, etc.). We have the right to protect our
property, defend our lives, we have the right to control who can come
onto our property (i.e. homes, car, e-mails); I hope these things
aren't illegal, otherwise I'm in deep trouble, along with the majority
of the population.

Also, two SPAMMERS have stopped SPAMMING the Blue Community as a
result of our efforts, thus if we don't get any bad static this
program very well might work.

A brilliant anti-spam model ...

Before joining the project I spent a few days carefully reviewing the
concept on the Blue Security site, studying the FAQ, reading
independent news stories popping up all over the net, and visiting
several related blogs.

It seems to me that while Dave D raises important concerns -- many of
which crossed my mind while researching the project -- these concerns
are already clearly handled. I believe Dave D means well and has a
handle on the technical and ethical issues. His somewhat -- what's the
word I want? -- passive / aggressive writing style sort of put me off
at first, but I took it in with a grain of salt (or maybe sugar? -
grin).

I've come to the conclusion that Blue Frog is a brilliant anti-spam
model... easily the best approach I've seen since I joined Project
Honeypot last year (see: projecthoneypot.org).

Eran's "Join us" post of 17 July hit home with me on many levels. I
first went online in 1994. In those ancient times, I couldn't wait to
wake up every day and get to work. The net made it possible to expand
the reach of my art and design across the globe, visit with longtime
friends, make new friends, and keep in touch with family.

The Internet is easily the most important advance in human
communication since the invention of moveable type and the printing
press (even more important than radio or TV, since it's a two-way
interactive medium). It's now hijacked by a tiny minority of
ethically challenged, money-grubbing psychopaths. Spammers are the
online equivalent of home invasion gangs.

Filtering spam is a knee-jerk response that doesn't address the core
issue. Current US federal anti-spam legislation is worse than
useless. The federal Can Spam act, with its inane 'opt-out' nonsense
is fatally flawed -- thanks to well-funded lobbyists from groups like
the DMA (Direct Marketing Association) and technically challenged,
eager-to-please (and get reelected) politicians. It's a paper tiger,
signed into law with great fanfare and no real teeth or moral
underpinnings. Can Spam basically legalized spam in the United
States ... exactly the opposite of what its proponents said it would
do. It's a stunning example of George Orwell's 1984 "doublespeak" in a
real-world 21st century application.

Oops. Sorry. I'm venting.

What I'm trying to get at here is that filtering isn't working and
conventional legislation is compromised by commercial and political
interests. Meanwhile, millions of decent people all over the world
continue to be assaulted every day by ads for drugs, porn, and all
manner of scams they did not ask for, do not want, and which cost
them time and money to simply receive. All this spam arrives 'postage
due.'

Dave D - and other well-meaning detractors of the Blue Frog model --
might want to consider offering methods to improve it instead of
merely dumping on it. While we sit here reading posts and squabbling
about the best way to stop spam, spammers smack their lips and shove
their crap all around the world.

=================================

An anonymous poster replies: Anonymous - Jul 21, 2005 06:01 (#9 Total: 10)

Do not Intrude Registry

So what you're envisioning is that people will give you their e-mail
addresses and you'll make a list of them, and distribute this list to
(roughly) whomever wants it.

This list would of course be a valuable prize for spammers, so you
encrypt it with a one-way hash. You intend for spammers to generate
hashes of their spam list, then obtain your obfuscated 'Do Not
Intrude' list and compare the two. If there's a match, that's a sign
that the e-mail is likely valid. I don't see how your list is not a
bonanza for spammers. It offers them a very easy method of "cleaning"
their lists.

You say that you'll put some false positives (honeypot addresses) in
the list you distribute, but who really cares? It doesn't cost a
spammer anything to send e-mail to those addresses as well.

But then there's your threat of a DDoS attack. While I admire it on a
gut level, there are a host of legal questions involved. Do you take
full legal responsibility for the actions of your Blue Frog agent? (I
read the legal info and I didn't see anything to make me think the
answer is 'yes'.)

If I install it and find myself named in a lawsuit, will you pay my
legal bills?

What if I go to jail because a jury decided that my Blue Frog broke
the law? Will you support my family?

More likely, what if I install it at work and my employer terminates
me because the Blue Frog tried to access sites known for adult or
other not-safe-for-work content? Will you help me find a new job with
an employer that doesn't care if their employees are participating in
DDoS attacks?

For anyone that's interested, I recommend reading the findings of the
FTC's report to Congress about the feasibility of a do-not-email list:
http://www.ftc.gov/reports/dneregistry/report.pdf (Thanks to Suresh
Ramasubramanian for posting the link.)

There is no way I'd put my e-mail address on your list. There are too
many ways this can go wrong.

Regards,

Anonymous
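
A small model of the hashed "Do Not Intrude" list the post above
describes, added here as an illustration and not Blue Security's own
code or format: it assumes an unsalted SHA-256 of the lowercased
address (the post only says "one-way hash"), constructed sample
addresses on example.com, and a constructed honeypot address. It shows
that cleaning a list and confirming which addresses are live are the
same set comparison, which is the point the poster makes, and that
seeding honeypots is the only thing making a match ambiguous.

```python
"""Model of a published, hashed do-not-email registry (added example)."""
import hashlib


def registry_hash(address: str) -> str:
    """One-way hash as the post describes: no secret salt, so any holder
    of a candidate address can recompute it.  Lowercasing makes
    'Alice@Example.com' and 'alice@example.com' collide on purpose."""
    return hashlib.sha256(address.strip().lower().encode()).hexdigest()


def build_registry(members, honeypots):
    """Publishable registry: member hashes mixed with honeypot hashes.
    The set reveals neither the plaintext nor which entries are traps."""
    return {registry_hash(a) for a in members} | {registry_hash(a) for a in honeypots}


def clean_list(mailing_list, registry):
    """Intended use: a sender drops every address whose hash is listed."""
    return [a for a in mailing_list if registry_hash(a) not in registry]


def matches(mailing_list, registry):
    """The same comparison read the other way: every listed address the
    sender already holds is confirmed as a member, or is a honeypot.
    The registry cannot tell the two uses apart; only the honeypots
    keep a match from being proof that an address is real."""
    return [a for a in mailing_list if registry_hash(a) in registry]


# Constructed sample data (example.com is reserved for documentation).
MEMBERS = ["alice@example.com", "bob@example.com"]
HONEYPOTS = ["trap-4711@example.com"]   # constructed honeypot address
REGISTRY = build_registry(MEMBERS, HONEYPOTS)
SENDER_LIST = ["Alice@Example.com", "carol@example.com", "trap-4711@example.com"]


def demo():
    """Run both views over the constructed sender list."""
    return {
        "kept": clean_list(SENDER_LIST, REGISTRY),
        "confirmed_or_trap": matches(SENDER_LIST, REGISTRY),
    }


if __name__ == "__main__":
    print(demo())
```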

===========================

A final response by Eran Aloni - Jul 21, 2005 06:18 (#10 Total: 10)

The Do Not Intrude Registry is a legal and ethical
solution allowing users to complain about spam they receive -- a single
complaint for each spam message received.

You have a legal and ethical right to complain about spam you
receive. You can do it manually by visiting the sites advertised by
spam, or you may sign up with the Do Not Intrude Registry, which
performs the exact same procedure in an automated and safe manner.
