A good idea shot down in the battle to fight spam

[Lebenz]

Several of the places I work suffer from daily spam attacks, numbering into the thousands, with peaks of over 10 thousand per day. The tools to deal with this volume of junk mail has has gotten better but the spammers seem to be winning...

In the Fight Against Spam E-Mail, Goliath Wins Again

By Brian Krebs
Special to The Washington Post
Wednesday, May 17, 2006; Page A01

Eran Reshef had an idea in the battle against spam e-mail that seemed to be working: he fought spam with spam. Today, he'll give up the fight.

Reshef's Silicon Valley company, Blue Security Inc., simply asked the spammers to stop sending junk e-mail to his clients. But because those sort of requests tend to be ignored, Blue Security took them to a new level: it bombarded the spammers with requests from all 522,000 of its customers at the same time.

That led to a flood of Internet traffic so heavy that it disrupted the spammers' ability to send e-mails to other victims -- a crippling effect that caused a handful of known spammers to comply with the requests.

Then, earlier this month, a Russia-based spammer counterattacked, Reshef said. Using tens of thousands of hijacked computers, the spammer flooded Blue Security with so much Internet traffic that it blocked legitimate visitors from going to Bluesecurity.com, as well as to other Web sites. The spammer also sent another message: Cease operations or Blue Security customers will soon find themselves targeted with virus-filled attacks.

Today, Reshef will wave a virtual white flag and surrender. The company will shut down this morning and its Web site will display a message informing its customers about the closure.

"It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing."

Security experts say the move marks a disheartening development in the ongoing battle by computer users, online businesses and law enforcement against those who clutter e-mail inboxes with a continuous glut of ads for drugs, porn and get-rich-quick schemes. According to Symantec Corp., maker of the popular Norton antivirus software products, more than 50 percent of all e-mail sent in the latter half of 2005 was spam.

Alan Paller, director of research for the Bethesda-based SANS Institute, a computer security training group, said extortion attacks have exploded in the past few years. With Blue Security, Paller said, the attackers' extortionist demands were that the company merely stop interfering in a multimillion-dollar spam operation.

"We're hearing from federal law enforcement that they are getting more than one new case of online extortion each day," Paller said.

The spammer's counterattack generated so much Internet traffic that it also affected other sites, including Six Apart Ltd., a San Francisco-based company that runs millions of Web sites through its TypePad and LiveJournal blogging services. The attack also shut down operations for roughly 12 hours at Tucows Inc., a Toronto-based Internet services company that helped manage Blue Security's site.

Tucows chief executive Elliot Noss called the attack "by far the largest the company had ever seen," and said that only a handful of companies have the infrastructure in place to withstand such an assault, much less a more powerful one.

"This attack really was like trying to take out a mosquito with an atomic bomb," Noss said.

The FBI is investigating the attacks, according to Six Apart, but agency officials would not confirm a federal investigation yesterday.

Todd Underwood, chief of operations and security for Renesys Corp., a company that monitors Internet connectivity, called the attack against Blue Security "unsurprising but sad."

The innovative approach in the fight against spam caught the attention of investors in 2004, when Blue Security received more than $4 million in venture capital, but critics questioned whether the company could win such a massive battle.

"When the company's founders first approached the broader anti-spam community and asked them what they thought of the idea, everyone said this was a terrible idea and that they would eventually cause a lot of collateral damage," Underwood said. "But it's also extremely unfortunate, because it shows how much the spammers are winning this battle."

http://www.washingtonpost.com/wp-dyn/content/article/2006/05/16/AR2006051601873.html

[GermanStar]

Interesting piece. It's a shame that so many *********s show so little respect for the Internet. Spammers should be severely dealt with, although not until all telephone solicitors have been shot...

[boneheaddoctor]

I support castration as a punishment for spammers.

[Hatterasguy]

Why not just outlaw spam? It is so annoying and pointless just create a "no spaming list". CT has a no calling list that if you are on people can't call you trying to sell you stuff.

Create such a list for spam. Make the penalty $1m for each offense and no more problem.

[BobK]

Actually, I kinda liked the solution a few months back. From a newspaper story. Seems a big time Russian spammer was found dead in his apartment. Looks like someone simply beat him to death. Guess he spammed some Russian mobster's computer.

[Matt L]

You can't outlaw spam since there are no worldwide laws. A lot of it comes from overseas now.

What you can do is implement some sort of whitelist. I saw a system a few years ago that would reply to incoming messages requiring a human response, automatically whitelisting the sender and allowing the original message through.

I considered implementing something like that on my personal mail account, but instead just stopped using it for now. I get about 300 spams a day on it, and I'm sure the disk is full on that machine. I should check it...and change my account name while I'm at it.

[Lebenz]

Quote:

Originally Posted by Hatterasguy

Why not just outlaw spam? It is so annoying and pointless just create a "no spaming list". CT has a no calling list that if you are on people can't call you trying to sell you stuff.

Create such a list for spam. Make the penalty $1m for each offense and no more problem.

All very good ideas! There are substantial laws against spamming on the books. The problem is a lot of stuff comes from out of the country, and it seems no one will prosecute this kind of attack. Other stuff is scrubbed of its source information, which makes it hard to back track.

There are a lot of ways to combat spam, there are many many organizations which are devoted to providing and maintaining listing services for non-approved sources. There are lists which identify the source domain, there are those which identify the content, there are those which identify if the source has a recurrent characteristic, such as only having links to outside sources. There are adaptive analysis tools which build a database of good or approved mail as well as one of presumed spam senders. In total there are about 30-50 unique criteria for assessing spam. Each criteria may have hundreds of conditions. These all help. In fact they can catch between 80% to an estimated 98% of all spam. But if you’re getting 10,000 hits a day or more that 3% still leaves a lot of spam hitting desktops.

I know a number of people who have wanted to do what the company above did, but never thought it a smart idea due to the possibility of retaliation. This is like so many other combats where the opponent can call upon huge resources to counter attack any reasonable effort.

It’s because of this that many companies have gone to a closed system. Now unless you’re already on an approved sender’s list, your mail will likely be returned with instructions on what to do to be able so send mail.