In article <telecom24.335.14@telecom-digest.org>, Steve Sobol
<sjsobol@JustThe.net> wrote:
> Eren Reshef wrote:
>> Some bloggers have recently claimed our fight is morally flawed.
> I'll go further and tell you you're a criminal.
> It's trivially easy for someone to put an URL of a website I own into
> a spam.
> And if you attack my website in response, and I had nothing to do with
> the original spam, you will have law enforcement knocking on your
> door.
> [TELECOM Digest Editor's Note: Well Steve, you are forgetting a couple
> of important factors: although yes, it is 'trivially easy' to put
> someone else's URL (for a web page) into spam a third party wants to
> send out, if you have a web page, your web page would have to have
> one or more 'forms' on it for people to use to fill in their credit
> card numbers in order for other folks to come along and deface your
> web site, wouldn't it? Wouldn't it be quite a coincidence if you,
> the innocent web site owner happened to have forms all over your
> web page which related to the product or service being spammed by
> some other person, _and_ through some 'human error' your web site
> got chosen? I really have to wonder if you read any of the FAQ on
> how the BlueSecurity.com system works ... let's say for example, I
> am offended by a piece of spam I recieve; I forward it to BlueSecurity;
> someone there who has a modicum of intelligence (about as much
> intelligence as the people who write up filtering software) looks at
> it, quickly finds mid the HTML crap on the source page an IP address
> which _appears to be_ the offender. He (the investigator) goes to
> the URL; is it in fact the product or service being spammed? If not,
> then he junks it. If it is the product being spammed, and it has
> 'forms' around the page for things like credit card numbers, comments
> or names/addresses, etc then it gets put somewhere. Now the investi-
> gtor finds a thousand more pieces from the same spammer, referring
> to the same URL, then acts on it. It is not a willy-nilly process
> where 'you' sent me spam so I 'crash your system'. They only release
> the 'do not spam me further' notices (which simply goes to that URL
> and fills in the aforementioned, already located 'forms') once they
> have discovered the _actual offender_, not some innocent bystander.
You have just described a legitimate online business..
ie: a site, offering product(s), and providing a means to order those
products online. There are thousands of these types of businesses, and
the majority of them are legitimate.
Lets use Online_Vendor_A as an example, we'll refer to them as
'_target_', and we will refer to the person(s) attacking them as
'_attacker_'.
Just because _target_ is being advertised via spam, does not mean that
_target_ is responsible for the spam. It is certainly possible that
_attacker_ does not like _target_ for some reason or another, and
decides that the easiest way to attack them is to send out a few
million spam emails, advertising the _target_ site. Well guess what,
Blue Frog is here, ready to launch a DDOS attack against the _target_
site on behalf of all the people who just got spammed, adding yet
another layer of shielding between the _attacker_, and _target_.
Do you really want to know how many phishing spam I get that have the
URL of the real website somewhere in the spam?
> They got a lot of money from somewhere to put investigators to work
> tracking down _good_ URLs of spammers. Admittedly they cannot get
> anywhere with much of the crap which comes to them, but they do find
> some of them. And it is _not_ DDOS since the spammer is first given
> ample warning, and assistance as needed in cleaning his list.
In the example above _target_ IS NOT the spammer, and DOES NOT hold
the list, or even have knowledge of the existance of the list, nor do
they have any control over it, or contact with anybody who does. While
_target_ may appear to benefit from the spam, the opposite is true,
since the false accusations, and DDOS attacks have the effect of
placing a undue burden on _target_'s legitimate business, and
computing resources..
This is a Joe-Job, and unfortunately there is no easy way to determine
if _target_ is being subjected to a Joe-Job without asking _attacker_
or _target_. Now, if you ask _target_, but assume that _target_ is a
spammer, and refuse to believe their answer, then you are back to step
1.
> Oh, I know ICANN would not approve of it, nor would many of the old-
> time netizens who prefer being in denial about spam/scam, etc. ICANN
> tolerates it since it does the dirty work they don't have to do;
> driving small web site owners and netizens off of 'their' network,
> then when anyone like Blue Security gets a sum of money for their
> 'start up costs' and proceeds to catch and punish eve a few of the
> spammers, the ICANN-favored users start chanting against it, with all
> sorts of warnings: it won't work; even it does a little it is a stupid
> thing; those spammers may claim _their_ First Amendment rights and
> get _you_ in trouble, yada yada yada ad nauseum ...
I do not like spam one bit, but I feel that this method is targeting
the wrong issue. Complaining to the spam source based on IP address is
one thing, complaining to the website mentioned in the spam, unless
properly verified >by human analysis< is another, and in many cases it
will simply be impossible to determine if the two are connected.
This method might be effective against phishing spams, and spams
advertising obviously illegal products, but beyond that is is worse
than useless.
By providing the mechanism with which to facilitate the DDOS attack,
Blue Security is opening themselves up to some serious liability
problems in the likely event of a attack on an innocent site, using
Blue Frog as a proxy.
-- Welcome My Son, Welcome To The Machine --
Bob Vaughan | techie @ tantivy.net |
| P.O. Box 19792, Stanford, Ca 94309 |
-- I am Me, I am only Me, And no one else is Me, What could be simpler? --
[TELECOM Digest Editor's Note: Have you been following the discussion?
Blue Security does absolutely _nothing_ until they are 99.7 percent
sure they have the right party, and even the, the right party is given
a chance to respond (not me, it was a joe-job, etc) or clean up his
mailing list, or subscribe to a list instead of using dictionary attacks
etc. Only when there is absolutely no response from the offender, or a
very casual 'too hell with the net' answer, then is the 'one
complaint for one spam' process started. PAT]
Bob Vaughan (techie@tantivy.tantivy.net)