TELECOM Digest     Thu, 21 Jul 2005 20:21:00 EDT    Volume 24 : Issue 334

Inside This Issue:                            Editor: Patrick A. Townson

    A Do-Not-Spam Registry That Might Work (Kevin Murphy)
    Blue Plans to Overload Spam Web Sites (Gregg Keizer)
    Phishers Get Personal (Joris Evers)
    Ethics of Deterrence (Eran Reshef)
    Join us in Fighting Spam at http://www.bluesecurity.com (Eran Reshef)
    Re: Spam Fighting Technique Fought by Some Netizens (jmeissen)

Telecom and VOIP (Voice over Internet Protocol) Digest for the Internet. All contents here are copyrighted by Patrick Townson and the individual writers/correspondents. Articles may be used in other journals or newsgroups, provided the writer's name and the Digest are included in the fair use quote. By using -any name or email address- included herein for -any- reason other than responding to an article herein, you agree to pay a hundred dollars to the recipients of the email.

===========================

Addresses herein are not to be added to any mailing list, nor to be sold or given away without explicit written consent. Chain letters, viruses, porn, spam, and miscellaneous junk are definitely unwelcome.

We must fight spam for the same reason we fight crime: not because we are naive enough to believe that we will ever stamp it out, but because we do not want the kind of world that results when no one stands against crime.
                                                        -- Geoffrey Welsh

===========================

See the bottom of this issue for subscription and archive details and the name of our lawyer; other stuff of interest.

----------------------------------------------------------------------

From: Kevin Murphy <murphy@telecom-digest.org>
Subject: A Do-Not-Spam Registry That Might Work
Date: Thu, 21 Jul 2005 14:43:41 -0500

By Kevin Murphy

Blue Security Inc has come up with a novel twist on the do-not-call registry to fight spam that seems to address many of the problems inherent to previous attempts.
The company will today launch its Do Not Intrude registry, which marries the ideas of spam honeypot accounts and automated complaint software that could create denial-of-service effects on spamvertised web sites. Blue chief executive Eran Reshef told ComputerWire that the system is ethical, hard for spammers to evade, and does not allow spammers to farm the list for email addresses, which has been the major drawback of previous notional do-not-spam registries.

When users sign up for the new service, their genuine email address is added to a list. Blue also creates a phony honeypot address for them, which is published somewhere on the web where spammers can find it. This address is added to the same list.

Users install some software called Blue Frog on their computers. Whenever their honeypot account receives a spam email, Blue Frog sends a single complaint to the web site being advertised in the spam. The idea is that spamvertised sites will be hit by so many complaints that they will be unable to transact their regular business, compelling them to download the Do Not Intrude registry and remove the listed addresses from their mailing list.

The idea of a do-not-spam registry has been touted in the past. The US CAN-SPAM Act instructed the Federal Trade Commission to explore the idea, and the FTC concluded that it "would be a waste of time, and worse, would probably be a 'do spam' registry".

Blue plans to avoid this problem by only making encrypted addresses available to the spammers, so they can never farm addresses that they are not already aware of from the list, according to Reshef. When a spammer decides to honor the registry, they download some software and a list of hashed addresses. This software runs the same hash operation on the spammer's own mailing list, and cleans it of addresses that are on the Do Not Intrude registry.
Reshef, without going into details about how the honeypot accounts are created and publicized, said that it would be "very hard" for the spammers to distinguish between the genuine addresses on the list and the honeypots.

But why would spammers sign up for the registry in the first place? Because Blue Frog users, if there are enough of them, could cripple the spamvertised sites with their automated complaints.

The software does not send an email complaint. Rather, it automatically visits the spam web site and fills out any HTML form it finds with a complaint along the lines of "Your site was advertised in spam" with a link to the Blue Security site. "The only thing that works in most spamvertised web sites is the bit where you enter your contact or credit card details," Reshef said.

Each user complains once for each spam they get. Collectively, that could amount to a distributed denial-of-service effect on the offending web site, but Reshef said he believes the system to be ethical. "It's not a DDoS, people are exercising their right to complain about spam they get," he said. "We're not trying to do anything illegal or unethical. We're only doing ethical things, but we are being active."

In theory, this kind of system, if it were fully automated, could be used to execute a "joe job" attack on an innocent party. By spamvertising a legitimate site, the software would complain and cause the DDoS effect. But Reshef said this is avoided by the fact that Blue Security's researchers are manually blacklisting and whitelisting sites, based on their knowledge of what sites are currently in use by certain groups of known spammers. Currently, Blue is tracking 65 spam groups that Reshef estimates are responsible for 90% of the spam received. The manual review element means it would not be possible to joe-job, say, google.com, he claimed.
Blue Security, which is backed by $3m of venture capital financing from Benchmark Capital, has its corporate headquarters in Menlo Park, California and its R&D lab in Herzliya Pituach on Israel's Silicon Coast. The company plans to give the software and service away for free to consumers. After the public beta, launched today at http://www.bluesecurity.com, the company will start to offer it to enterprise users for a fee.

NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at http://telecom-digest.org/td-extra/more-news.html . Hundreds of new articles daily.

*** FAIR USE NOTICE. This message contains copyrighted material the use of which has not been specifically authorized by the copyright owner. This Internet discussion group is making it available without profit to group members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of literary, educational, political, and economic issues, for non-profit research and educational purposes only. I believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner, in this instance, Blue Security. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml

------------------------------

From: Gregg Keizer <keizer@techwebnews.com>
Subject: Blue Security Plans to Overload Spammer Web Sites
Date: Thu, 21 Jul 2005 14:53:12 -0500

Blue Security plans to overwhelm spammers with complaints and unsubscribe requests. The company's intention is to take the fight to spammers by enlisting end users to create what's called a Do-Not-Intrude registry whose purpose is to make it too painful for junk mailers to operate.
"If a spammer sends you spam, you have a right to complain," said Eran Reshef, the chief executive of Menlo Park, Calif.-based Blue Security. "If they send you one spam, you complain one time. If they send you a thousand spams, you can complain a thousand times, but I know that is not considered politically correct by a few of the more vocal netizens."

It's the volume on which spam operates and Blue Security's plan hinges. Starting Monday, users can download Blue Security's Blue Frog client and sign up with the Do-Not-Intrude registry. Once the software's installed, users can register up to three e-mail addresses to monitor for spam. Blue Security, however, watches not only those addresses but up to a dozen accounts it sets up that act as additional "honeypots," or accounts designed to attract spam.

Blue Security analyzes the messages it receives from the users' accounts (as well as all others who sign up), then follows the links inside the spam to (hopefully) the originating site where, for instance, products or services pitched by the junk mail are sold. There, forms are identified that accept text -- an order form, perhaps, or a customer service form -- and their fields are automatically filled with a message demanding that the e-mail account's address be removed from the spammer's list. "I kindly ask that you cease sending me or other registered users spam," the message reads.

The idea, said Reshef, is to punish the spammer for his actions. Although the scheme doesn't generate mail to the spammer -- spam for spam, so to speak -- the volume of Web traffic should be enough to cripple the spammer's Web site. "The sheer amount of complaints going to the spammer's site is going to make it hard [for that site] to do anything else," said Reshef.

Spam is analyzed by Blue Security staff, said Reshef, who investigate the spam, verify that it violates the federal CAN-SPAM Act, trace the message to a Web site, and pinpoint a form on the site that can be used to complain.
The Blue Frog handles everything else for the end-user. The opt-out complaints are synchronized, so that all users whose accounts are monitored file simultaneously.

Although Reshef repeatedly said that the practice was not illegal, the end result is very close to a denial-of-service attack, in which a collection of computers simultaneously try to access a Web server with the intention of bringing it down under the sheer volume of traffic.

Reshef aggressively defended the concept and rejected the idea that it was a DoS in disguise. "We have a right to complain," he said. "The spammers have the right to send us spam, and we can't say anything? No, that's not right. We're not creating any harm. We're not trying to shut down any Web sites. But we have the right to complain, one for one," he added.

Other fight-back tactics against spammers have failed in the past. Last year, Lycos Europe rolled out a screensaver that conducted DoS attacks against known spammers. Within days, however, Lycos buckled under pressure from security groups -- which called it vigilantism -- and ISPs, who worried that attacks originating from their members would make them liable to legal action on the part of spammers.

"Our effort is completely different from what Lycos did," said Reshef. "Lycos used a hit list of spammers. We're only responding to actual spam. And each user is responding only to the spam he or she received."

Some may see it as a difference in semantics. But Reshef sees it as effective. "We've already seen it work," he said. "The spammers don't like what we're doing, and some of them during our tests tried to modify their site on the fly to keep out complaints." Two other sites that he declined to name, he said, have agreed to stop sending spam to the real and honeypot accounts.

"We need a critical mass of users for this to work," Reshef acknowledged.
"If enough people abandon the idea of passively filtering spam and realize that unrelenting action is required, we can together stand up for our online rights." Once its built up a sufficient community of users to ding spammers' Web sites, Blue Security plans to offer the service to enterprises for a fee. The Blue Frog client can be downloaded free of charge from the Blue Security Web site. http://www.bluesecurity.com Copyright 2005 CMP Media LLC. NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at http://telecom-digest.org/td-extra/more-news.html . Hundreds of new articles daily. *** FAIR USE NOTICE. This message contains copyrighted material the use of which has not been specifically authorized by the copyright owner. This Internet discussion group is making it available without profit to group members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of literary, educational, political, and economic issues, for non-profit research and educational purposes only. I believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner, in this instance, CMP Media LLC. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml ------------------------------ From: Joris Evers <newswire@telecom-digest.org> Subject: Phishers Get Personal Date: Thu, 21 Jul 2005 14:51:20 -0500 http://www.news.com/ By Joris Evers http://news.com.com/Phishers+get+personal/2100-7349_3-5720672.html Spammers and phishers are learning more about potential victims to better hone their attacks. 
Web sites that use e-mail addresses as identifiers for password reminders and registration are open to exploitation by scammers to generate detailed profiles of people, security company Blue Security said this week in a research report.

In the technique described in the report, spammers and phishers automatically run thousands of e-mail addresses through Web site registration and password-reminder tools. Because many online businesses return a specific message when an e-mail address is registered with the site, attackers can find out whether that address represents a valid customer.

Using information gathered from a number of sites, they can tailor malicious e-mail to the recipient. That makes it more difficult for Internet users to distinguish real messages from those that are junk or part of a cyberscam. Also, customized messages are less likely to be caught by spam filters, experts said.

"Phishing attacks fairly recently have started getting more personalized and targeted," said Dave Jevans, chairman of the Anti-Phishing Working Group. Such fraud-related messages now include the recipient's name or e-mail address, or have even more information about the receiver, Jevans said.

Phishing is a prevalent type of online fraud that attempts to steal sensitive information such as user names, passwords and credit card numbers. The thieves then sell the information or use it to commit identity theft. The schemes typically combine spam e-mail and fraudulent Web pages that look like legitimate sites. Scammers usually have lists of e-mail addresses, either invented, bought or collected online using harvesting tools.
The trick in the registration or password reminder attack is in the response. Many online businesses return a specific message -- such as "This address is already subscribed" -- when an e-mail address is registered with the site. If an attacker gets that response, they know that address represents a valid customer.

How does profiling work? This example illustrates how cybervillains could build up profiles of potential victims, to better target their scams.

  - An attacker obtains a list of e-mail addresses. The scammer can buy a list, collect addresses from the Internet using harvesting tools, make up e-mail addresses, or use other means.
  - A script is written to automatically run the e-mail addresses against the registration and password-reminder features of Web sites.
  - Responses let the attacker know if an address is registered with the site. The data is used to compile profiles.
  - Profiles are used to target spam and phishing e-mails.

Source: Blue Security

By matching e-mail addresses with Web sites, cybercriminals can uncover the gender, sexual preference, political orientation, geographic location, hobbies and the online stores that have been used by the person behind an e-mail address, Blue Security CEO Eran Reshef said.

"Imagine that somebody knows all the Web sites you ever registered with, and think about what one can infer from that," Reshef said. "By aggregating all this information you create a very detailed profile of the person, not just snippets of information."

As a result, attacks could have a higher success rate, because the e-mail presents unsuspecting recipients with accurate information in a message that looks like legitimate correspondence. For example, an e-mail purporting to come from a bank or credit card company could name the recipient and refer to an online store that the recipient actually uses.

Blue Security has found that a majority of the most popular U.S. Web sites allow "hostile profiling" by phishers and spammers.
Additionally, many smaller Web sites, including online stores, sports teams' Web sites, political organizations and other groups are vulnerable, Reshef said. However, hostile profiling does not seem to have become widespread yet, according to Blue Security's research.

Some Web site operators -- major banks, for example -- appear to be aware of the problem, Reshef said. These sites don't let people register with their e-mail addresses as their login name, he said. They also require additional information for registration or password reminders, or use other security measures.

eBay is one online business that does not allow registration and password reminder attacks. The auction Web site stopped using e-mail addresses as user IDs before phishing became an issue, and it has taken other protective measures in its registration and password-reminder process, said Scott Shipman, senior counsel for eBay's global privacy practice.

"It is all designed to prevent the unauthorized disclosure of information, be it the simplest piece of information, such as whether or not that e-mail address or user ID is actually a valid user ID on the site," Shipman said. In eBay's case, the reminder feature for user IDs gives the same response, regardless of whether the e-mail address is registered with the site. "The language of the error message will not tell you whether or not it was a valid account," Shipman said.

What will foil the attacks? Attacks work only if sites generate a different response depending on whether an e-mail address is registered with the site or not.

  - A registration feature can only be exploited if the Web site uses e-mail addresses to register users and does not require a hard-to-fake personal detail, such as a credit card number. Other security features, such as requiring a new registrant to solve a graphical challenge, will also prevent an attack.
  - A reminder feature can only be exploited if it does not require personal information in addition to an e-mail address. A graphical challenge also counters an attack.

Designing a Web site to not leak information about users is what all site operators should do, the eBay executive added. "It is an example of a type of practice that is a best practice," he said.

Hostile profiling is only one way phishing messages are getting more targeted. Earlier this month, security researchers reported that stolen consumer data was used in phishing scams to rip off individual account holders at specific banks.

Jevans at the Anti-Phishing Working Group said that Blue Security's study highlights an emerging phishing threat, and agreed that online organizations should take steps to eliminate vulnerable registration and password-reminder features. "I think the research is real. You can certainly code your site to not do that, and you probably should," he said.

Copyright 1995-2005 CNET Networks, Inc.
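The leak the article describes and the uniform-reply fix Shipman credits to eBay, as an added example that is not part of the article or any vendor's code: a leaky and a uniform version of both a password-reminder and a registration handler over a constructed user store, plus a self-check a site operator can run to confirm the public reply no longer depends on whether the address is on file. The USERS table, message wording and function names are constructed for illustration.

```python
"""Registration and password-reminder replies: leaky versus uniform.

Added example written for this digest, not code from Blue Security,
eBay or the article. The user store, outbox and wording are constructed.
"""

# Constructed sample store of registered accounts (normalized address -> user ID).
USERS = {"alice@example.com": "alice_123", "bob@example.com": "bobby"}

# Each uniform handler returns exactly one string, whatever the input.
MSG_REMINDER_UNIFORM = "If that address is registered with us, a reminder has been sent to it."
MSG_REGISTER_UNIFORM = "Check your inbox for a message from us to finish or review your registration."


def normalize(email: str) -> str:
    """Case-fold and trim so ' Alice@Example.COM ' matches the stored key."""
    return email.strip().lower()


def reminder_leaky(email: str, outbox: list) -> str:
    """Leaky: the web reply itself says whether the address is a customer."""
    addr = normalize(email)
    if addr not in USERS:
        return "No account is registered for this e-mail address."
    outbox.append((addr, f"Your user ID is {USERS[addr]}"))
    return "Your user ID has been sent to your e-mail address."


def reminder_uniform(email: str, outbox: list) -> str:
    """Uniform: same reply either way; only a registered address receives mail."""
    addr = normalize(email)
    if addr in USERS:
        outbox.append((addr, f"Your user ID is {USERS[addr]}"))
    return MSG_REMINDER_UNIFORM


def register_leaky(email: str, outbox: list) -> str:
    """Leaky: 'already subscribed' confirms the address belongs to a customer."""
    addr = normalize(email)
    if addr in USERS:
        return "This address is already subscribed."
    outbox.append((addr, "Welcome! Click the link to confirm your account."))
    return "Registration complete. A confirmation has been sent."


def register_uniform(email: str, outbox: list) -> str:
    """Uniform: the distinguishing information travels only to the mailbox owner."""
    addr = normalize(email)
    if addr in USERS:
        outbox.append((addr, "Someone tried to register this address; you already have an account."))
    else:
        outbox.append((addr, "Welcome! Click the link to confirm your account."))
    return MSG_REGISTER_UNIFORM


def leaks_membership(handler, registered: str, unregistered: str) -> bool:
    """Operator self-check: does the public reply differ between an address
    that is on file and one that is not? True means the handler is enumerable."""
    return handler(registered, []) != handler(unregistered, [])


if __name__ == "__main__":
    for name, handler in [("reminder_leaky", reminder_leaky), ("reminder_uniform", reminder_uniform),
                          ("register_leaky", register_leaky), ("register_uniform", register_uniform)]:
        leaky = leaks_membership(handler, "alice@example.com", "nobody@example.com")
        print(f"{name:17} leaks membership: {leaky}")
```

The check compares reply text only; a production version must also compare HTTP status, response size and timing, and the graphical challenge and extra-detail requirements the article names belong in front of these handlers rather than replacing them.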
------------------------------

From: Eran Reshef <eren@telecom-digest.org>
Subject: Ethics of Deterrence
Date: Thu, 21 Jul 2005 16:20:46 -0500

The trackback URL for this blog entry is: http://community.bluesecurity.com/.3c3e9cca/trackback

The Ethics of Deterrence

Some bloggers have recently claimed our fight is morally flawed. Now, the usual thing to do when bloggers make such accusations is to either ignore them or to deny the charges without giving details. I disagree. I believe the best answer to any accusation is the truth. And that's what I'd like to share with you now.

These bloggers claim we mount distributed denial of service attacks against spammers' sites. Is this illegal? Is this morally wrong? I say yes, it is illegal, morally wrong and also disgraceful -- if our community really was involved in a DDoS.

The facts are very simple. It is legal, right and honorable to complain about spam you receive. I bet each and every one of those bloggers sent such a complaint at some point in time. And this is exactly what each member of our community is doing -- complaining about spam messages that reach them. I want to make this crystal clear: we just complain about spam messages reaching us.

Some of you will rightly say "How is having a large number of people complaining different from a DDoS?" There are several key differences.

First, a DDoS target cannot choose whether to be attacked or not. In our case, if a spammer wishes not to receive even one single complaint, that spammer can simply cease sending us spam. We provide free compliance tools for spammers, so they can effortlessly stop spamming us.

Second, DDoS targets do not receive warnings.
Our community tries to warn spammers before we start submitting complaints. We attempt to contact the spammer's ISP, its web sites and any other contact point we can identify. By the way, most spammers make it impossible to send them anything but your credit card number, so from time to time our warnings simply cannot be delivered.

Third, each zombie computer participating in a DDoS sends out as many packets as possible to the DDoS target. In our community, every member complains once per each spam message received by a honeypot account owned by that member. We do forward messages among honeypot accounts, but we hope no one seriously claims that email forwarding is immoral.

Fourth, DDoS attackers couldn't care less about inflicting damage on third parties, such as ISPs. We measure and synchronize the complaints of our members, in order to minimize any negative impact on third parties. We also vigorously verify spam messages we receive to avoid joe-jobs.

I know that this is not the last time we'd hear such accusations. But we will continue our struggle to reclaim our Internet. Even if some bloggers advocate turning the other cheek, we will not sit idly while spammers take away our dream of a peaceful Internet.

Posted by Eran Reshef, Jul 18, 2005 13:18

==============================

A Response by Dave D - Jul 19, 2005 07:38 (#1 Total: 10)

Vigilante justice

Folks,

You might be well intentioned, but this system is doomed to fail, just as the Lycos attempt to DDOS spammers was doomed to fail a few months back. Reasons:

1) Does your system make any distinction between a knowing spammer IP and an infected Windows host running on a broadband connection, that happened to send out some open proxy spam?

2) What about laptops at Wi-Fi cafes and such. Or universities. If they bring an infected host onto the LAN, it spams, it leaves ... and a day later your system launches a beat-down on the IP.
By now, the owner of the cafe has scanned his machines, and put up better firewalling. Presumably he's no longer guilty. Yet he didn't reply in time. You unleash the hounds of 10,000 DDOS'ers.

3) Network administrators tend to frown on deliberate DDOS. Will you defend users of your product who are banned permanently upon their ISP or network admin finding out they willingly participated in a DDOS, even a DDOS for 'moral' purposes?

4) The spammers get wind of your antics. They begin to launch strikes against your site, and users of your software (if a signature can be found, which should be simple, you make your client available to inspect). Will you fix it so spammers cannot launch pre-emptive DDOS against people that use your client?

5) What you are building is what the law calls a 'malicious botnet.' Participation in a malicious botnet may well be against local laws and be defined as a felony. Will your Terms of Service exonerate any local user from prosecution as a net criminal?

6) As the owner of a LAN, if you list my IP and send me a flood of data, can I sue you to recoup losses to my business, if it is shown that I provided due diligence to fix the open-proxy spam issue I had with my LAN? Suppose your network decides to attack me anyway, because your "due diligence" does not match that of the law's?

These are just a few objections -- I am sure there are more. Starting with, maliciously using the internet is just a dumb idea. DUMB. But by all means go ahead. It's also a free market economy, you certainly have a right to launch the dumbest idea I've seen lately.

Kind regards,
Dave D

==============================

A response by Eran Aloni - Jul 19, 2005 08:39 (#2 Total: 10)

Dave,

The concerns and reservations listed in your comment seem like a result of a misunderstanding of our service. Most of your comments are based on the misconception that the Blue Community posts complaints at the computers used by spammers to send spam.
Obviously, since spammers regularly use botnets and zombie networks to send unsolicited bulk email, there's no point in trying to complain there. The Do Not Intrude Registry takes a totally different approach. Blue Community members complain about spam messages they receive by posting complaints on web sites advertised by spam -- a single complaint for each spam message they receive. Clearly, community members have every right to complain about spam they receive.

These spam sites are the root cause for spam -- they are the ones paying spammers to flood our Inboxes and they are the ones making money from spam. The Do Not Intrude Registry disrupts their business model while making sure no innocent third parties are affected. Complaints are posted only as a reaction to receiving spam messages and only after both site owner and the hosting ISP are warned and asked to stop sending spam to the community. Advertisers and spammers can easily avoid receiving complaints by cleaning their mailing lists using the tools we provide and avoid sending spam to the community.

Best regards,
Eran Aloni
Director of Marketing, Blue Security.

==============================

A response from RiBiNiN - Jul 20, 2005 02:32 (#3 Total: 10)

Dave D fails reading comprehension

You have done what I wanted to do, automate a response, not to the mail but to the website. If I complain about each e-mail I receive manually nobody could complain. You have just automated the process. Also, Dave D could be a spammer who is afraid that you have something that really will work. I have downloaded the code and am looking forward to reading it in detail.

==============================

A response once again from Dave D - Jul 20, 2005 02:32 (#4 Total: 10)

Sure, but ... we've seen this approach fail in the past. Reporting actors can misidentify mail. They can report mail they don't like. I've seen mail from Aunt Mabel be reported as spam, because someone hit the 'report spam' button to delete. It happens.
What really frightens me is your system (run by humans, thus capable of flaw) is not taking a passive "block IP" approach, which would be acceptable, but instead is taking an active "attack the bad IP" approach. Which, even if it wasn't illegal, would still be stupid as hell.

I predict you're going to find a frosty reception for your little invention among
1) Network admins that carry your traffic
2) Hosting providers that have to absorb the retaliation attacks at your site
3) ISP abuse desks, who will be dealing with the fallout from your users (their customers) running your product, which no matter how you explain it away, is still an excuse to participate in a botnet DDOS.

Keep sprinkling on the sugar. You might eventually convince some people that this is a donut. But DDOS for hire is what the criminals on the net do, and no matter how you sugar coat it, what you are proposing is a DDOS for hire. Just for "white hat" purposes (questionable). Just because you think it's white hat, does not by any stretch mean the net community will, or the law will.

Kind regards,
Dave D

==============================

A response from RiBiNiN - Jul 20, 2005 02:32 (#5 Total: 10)

Dave D fails reading comprehension

I am wondering if Dave is a spammer. He has distorted the method to make it seem like the beginning of a slippery slope to anarchy. It is merely doing what we all want to do, get off mailing lists without exposing ourselves to these toxic websites.

==============================

Dave D - Jul 20, 2005 11:16 (#6 Total: 10)

Dave D once again:

Well, blaming the messenger is what your system is all about. A spammer. That's a laugh. Now you're falsely attacking the messenger. Sounds like a harbinger of things to come from this system. Rather than be a spammer, I work on the other side -- I work trying to prevent spam for customers. One of our biggest headaches is not spam, it's guys that generate 'side work' trying to fight spam. Side work like DDOS's against mistaken targets.
Good luck with your endeavor, I know you mean well. I remain unconvinced by this reported approach: DDOS'ing the perceived spammer will fail, because you will misidentify targets, and because some of those targets will sue or cause your upstream provider to take corrective action ... not against them (if they are indeed spammers) but rather against you ... for deliberately DDOSing. Net traffic costs money and time. Malicious traffic is illegal. Spammers need to be and are being prosecuted ... as well as a myriad of blocking strategies being employed ... but to move from that to actively abusing the net to attempt to get even with spammers ... this will always fail. It's been tried before, the result is either embarrassment or retreat.

Kind regards,
Dave D

==============================

Now, a different David responds:

David - Jul 20, 2005 16:04 (#7 Total: 10)

Misinterpreted Facts

This tactic may indeed seem like a DDOS attack to one who has not read the facts or fully understood the system. Now would you say we have a right to complain? Is complaining about bad customer service malicious traffic? Is complaining about a bad business malicious traffic? Is complaining about privacy intrusion malicious traffic? Is it illegal/immoral? I hope not, otherwise I'd have been in jail 10 years ago. Simply put, we are exercising our rights under the First Amendment of the US Constitution, but in a controlled manner: first off, they try to warn the spammer and their (the SPAMMER's) ISP/Web host about the complaints before they are sent; second, if the warnings are ignored we match the SPAM they sent to us with equal amounts of complaints by the ones who received it, but NOT ALL AT THE SAME TIME to AVOID the possible DDOS attack.
Now about the use of the "report SPAM to delete" button, it is rather simple: first, for reporting the SPAM here there's no button; second, it doesn't delete it; third is why they have actual Humans to check to make sure it's actual SPAM that's not CANSPAM ACT of 2003 compliant and not just a "case of mistaken identity". Now about the humans capable of flaw, let me ask you this: are you a human, do you work with and for humans? Even if it was all computers, we all are capable of mistakes, even computers just as humans. Simply put, if everyone complained just by themselves about every SPAM message they receive (now is that so wrong, illegal, immoral?) the chances of it appearing as a DDOS attack would be higher, since most SPAMMERs send all their messages at once, and some would be likely to read and complain at the same time.

Let's put it like this, let's say this was a Car Alarm (meant to keep your privacy of the car, as this is to keep your privacy of your e-mail). Now a Car Alarm is not illegal, and it has a lot of mistaken identities, i.e. a cat wanting a nap on a warm surface, somebody shutting a heavy door; now imagine if you had a couple thousand car alarms at the same place, is that illegal, immoral? Simply put, it's a car alarm for your e-mail. Or we could compare it to a "No Trespassing" sign: they trespass on our property, we tell them to get out or we'll call the police; now is that illegal, immoral? I hope not. Or if you don't like those comparisons, let's compare a SPAMMER to a Burglar and your E-mail Box to a House; if the burglar broke into your house, would you not tell him to leave until he does, or call the police? He would do the same but with more drastic measures sometimes; is that illegal, immoral? Get my point? This is not abuse, this is exercising our rights, just as it is to exercise our right to defend ourselves against an attacker, i.e. spraying Pepperspray (The Blue Frog Security Program) at the attacker (SPAMMER).
To sum it up, we have a right to complain (last time I looked complaining was perfectly legal, moral, and ethical); this is not a DDOS attack since the complaints are monitored and controlled so that does not happen, and everyone who received a SPAM message will complain about it, but only once per message received, until the SPAMMERS stop sending messages (Trespasser Trespassing, Burglar breaking into your house etc...). We have the right to protect our property, defend our lives, we have the right to control who can come onto our property (i.e. homes, car, e-mails); I hope these things aren't illegal, otherwise I'm in deep trouble, along with the majority of the population. Also Two SPAMMERS have stopped SPAMMING the Blue Community from our efforts, thus if we don't get any bad static this program very well might work.

==============================

A brilliant anti-spam model ...

Before joining the project I spent a few days carefully reviewing the concept on the Blue Security site, studying the FAQ, reading independent news stories popping up all over the net, and visiting several related blogs. It seems to me that while Dave D raises important concerns -- many of which crossed my mind while researching the project -- these concerns are already clearly handled. I believe Dave D means well and has a handle on the technical and ethical issues. His somewhat -- what's the word I want? -- passive / aggressive writing style sort of put me off at first, but I took it in with a grain of salt (or maybe sugar? - grin).

I've come to the conclusion that Blue Frog is a brilliant anti-spam model ... easily the best approach I've seen since I joined Project Honeypot last year (see: projecthoneypot.org).

Eran's "Join us" post of 17 July hit home with me on many levels. I first went online in 1994. In those ancient times, I couldn't wait to wake up every day and get to work.
The net made it possible to expand the reach of my art and design across the globe, visit with longtime friends, make new friends, and keep in touch with family. The Internet is easily the most important advance in human communication since the invention of moveable type and the printing press (even more important than radio or TV, since it's a two-way interactive medium). It's now hijacked by a tiny minority of ethically challenged, money-grubbing psychopaths. Spammers are the online equivalent of home invasion gangs.

Filtering spam is a knee-jerk response that doesn't address the core issue. Current US federal anti-spam legislation is worse than useless. The federal Can Spam act, with its inane 'opt-out' nonsense, is fatally flawed -- thanks to well-funded lobbyists from groups like the DMA (Direct Marketing Association) and technically challenged, eager-to-please (and get reelected) politicians. It's a paper tiger, signed into law with great fanfare and no real teeth or moral underpinnings. Can Spam basically legalized spam in the United States ... exactly the opposite of what its proponents said it would do. It's a stunning example of George Orwell's 1984 "doublespeak" in a real-world 21st century application.

Oops. Sorry. I'm venting. What I'm trying to get at here is that filtering isn't working and conventional legislation is compromised by commercial and political interests. Meanwhile, millions of decent people all over the world continue to be assaulted every day by ads for drugs, porn, and all manner of scams they did not ask for, do not want, and which cost them time and money to simply receive. All this spam arrives 'postage due.'

Dave D -- and other well-meaning detractors of the Blue Frog model -- might want to consider offering methods to improve it instead of merely dumping on it. While we sit here reading posts and squabbling about the best way to stop spam, spammers smack their lips and shove their crap all around the world.
==============================

An anonymous poster replies:

Anonymous - Jul 21, 2005 06:01 (#9 Total: 10)

Do not Intrude Registry

So what you're envisioning is that people will give you their e-mail addresses and you'll make a list of them, and distribute this list to (roughly) whomever wants it. This list would of course be a valuable prize for spammers, so you encrypt it with a one-way hash. You intend for spammers to generate hashes of their spam list, then obtain your obfuscated 'Do Not Intrude' list and compare the two. If there's a match, that's a sign that the e-mail is likely valid.

I don't see how your list is not a bonanza for spammers. It offers them a very easy method of "cleaning" their lists. You say that you'll put some false positives (honeypot addresses) in the list you distribute, but who really cares? It doesn't cost a spammer anything to send e-mail to those addresses as well.

But then there's your threat of a DDoS attack. While I admire it on a gut level, there are a host of legal questions involved. Do you take full legal responsibility for the actions of your Blue Frog agent? (I read the legal info and I didn't see anything to make me think the answer is 'yes'.) If I install it and find myself named in a lawsuit, will you pay my legal bills? What if I go to jail because a jury decided that my Blue Frog broke the law? Will you support my family? More likely, what if I install it at work and my employer terminates me because the Blue Frog tried to access sites known for adult or other not-safe-for-work content? Will you help me find a new job with an employer that doesn't care if their employees are participating in DDoS attacks?

For anyone that's interested, I recommend reading the findings of the FTC's report to Congress about the feasibility of a do-not-email list: http://www.ftc.gov/reports/dneregistry/report.pdf (Thanks to Suresh Ramasubramanian for posting the link.)

There is no way I'd put my e-mail address on your list.
There are too many ways this can go wrong.

Regards,
Anonymous

==============================

A final response by Eran Aloni - Jul 21, 2005 06:18 (#10 Total: 10)

The Do Not Intrude Registry is a legal and ethical solution allowing users to complain about spam they receive -- a single complaint for each spam message received. You have a legal and ethical right to complain about spam you receive. You can do it manually by visiting the sites advertised by spam, or you may sign up with the Do Not Intrude Registry, which performs the exact same procedure in an automated and safe manner.

------------------------------

From: Eren Reshef <reshef@telecom-digest.org>
Subject: Join us at http://www.bluesecurity.com
Date: Thu, 21 Jul 2005 16:26:37 -0500

The trackback URL for this blog entry is: http://community.bluesecurity.com/.3c3e9cc4/trackback

Join us

When I was a kid, I used to go through my emails using my Apple IIe and a modem. I only received real emails, from real people. No refinancing, no drugs, no porno, no scams, no spam. Just real email messages from my pals around the world.

Do you remember how it was? When every email was an email from a friend? And we all thought this peaceful, friendly cyberspace would last forever.

A few hundred spammers have ruined our dream. They've clogged our mailboxes with filth. Already, 80% of email traffic is made up of spam. Let us no longer blind ourselves to the irrefutable facts: current measures have failed to stop spammers. The experience of the past several years has proven that passive measures are just not the answer.

Deterrence is the only real answer to spam. We need to deter spammers from sending us junk. We can reclaim our email experience. All we need is decisive action to establish deterrence in the mind of spammers. We must not underestimate the magnitude of the task which lies before us. We are fighting for the future of the Internet.
What we need to do now is get as many users as possible into our community -- have as many computers working together to induce commercial loss on spammers. If you haven't signed up with the registry and installed a blue frog yet, please sign up now. If your friends have not yet joined us, convince them to do so. Let's stop filtering spam, and start deterring spammers. Together, we CAN reclaim the Internet.

Posted by Eran Reshef Jul 17, 2005 08:19

==============================

A Response from Philippe - Jul 20, 2005 02:32 (#1 Total: 1)

Great idea for a company

More detail on how to use this effectively is needed. Where can you forward your unsolicited spam to? How many complaints have been submitted for you (like a tally)? I hope this expands into a great thing. I think a key factor will be explaining to someone when they join what they need to do and the steps they should go through. Make it dummyproof.

------------------------------

From: jmeissen@aracnet.com
Subject: Re: Spam Fighting Technique Fought by Some Netizens
Date: 21 Jul 2005 21:12:37 GMT
Organization: http://extra.newsguy.com

In article <telecom24.333.3@telecom-digest.org>, Our Esteemed Editor wrote:

> It is not okay to adopt a very simple challenge system in order to be
> assured that real human beings, no matter how whacky some of their
> ideas are reach the Digest but the spammers do not?

Challenge-response systems don't work, and only serve to annoy innocent bystanders. The only challenges I've ever received were in response to spam that had forged my return address. Of course, to avoid future "challenge spam" from those domains I always responded in the positive, which renders them that much more ineffective. Any system that tries to rely on sender identity or content analysis after accepting delivery from the sending system is not going to be effective.
It's bad enough when poorly configured mail systems try to bounce messages to assumed sender addresses rather than rejecting them before accepting delivery. Don't add another layer of abuse on top of it. Just because you got spam is no reason to be sending email to me.

John Meissen
jmeissen@aracnet.com

[TELECOM Digest Editor's Note: But I do the essence of challenge response right now, as many other mailing list publishers do. You (or some spammer or other idiot) write to me. When it gets here, if Spam Assassin determines it to be spam it goes into one file. The allegedly _legitimate_ letter writers get back an auto-ack from me, but since Spam Assassin lets so much garbage through, a lot of spammers get an auto-ack also. Because of my personal experience with this for a few years now, the auto-ack begins with the assumption you _are a spammer_ also. It asks you to (1) remove this email address from your list. (2) It tells you we are not interested at all ... (3) then it goes on to say "If you were not the writer of what I received, then someone apparently took control of your computer; please get help as needed in cleaning out the viruses, etc." Then, after a couple of paragraphs at least of addressing you as though you are the spammer, or the idiot with the zombified computer, it goes on to conclude (4) "for everyone else, good netizens who wrote to me, your letter is being read and evaluated and readied for use in the Digest. Thank you for writing me." Now, is the complaint I make in (1), (2) and (3) too much of an imposition to read? I very strongly support the work of http://www.bluesecurity.com and hope all readers will at least review it and decide from there. PAT]

------------------------------

TELECOM Digest is an electronic journal devoted mostly but not exclusively to telecommunications topics.
It is circulated anywhere there is email, in addition to various telecom forums on a variety of networks such as Compuserve and America On Line, Yahoo Groups, and other forums. It is also gatewayed to Usenet where it appears as the moderated newsgroup 'comp.dcom.telecom'.

TELECOM Digest is a not-for-profit, mostly non-commercial educational service offered to the Internet by Patrick Townson. All the contents of the Digest are compilation-copyrighted. You may reprint articles in some other media on an occasional basis, but please attribute my work and that of the original author.

Contact information:
Patrick Townson/TELECOM Digest
Post Office Box 50
Independence, KS 67301
Phone: 620-402-0134
Fax 1: 775-255-9970
Fax 2: 530-309-7234
Fax 3: 208-692-5145
Email: editor@telecom-digest.org
Subscribe: telecom-subscribe@telecom-digest.org
Unsubscribe: telecom-unsubscribe@telecom-digest.org

This Digest is the oldest continuing e-journal about telecommunications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category!

URL information: http://telecom-digest.org
Anonymous FTP: mirror.lcs.mit.edu/telecom-archives/archives/
(or use our mirror site: ftp.epix.net/pub/telecom-archives)
RSS Syndication of TELECOM Digest: http://telecom-digest.org/rss.html
For syndication examples see http://www.feedrollpro.com/syndicate.php?id=308 and also http://feeds.feedburner.com/TelecomDigest

TELECOM Digest is partially funded by a grant from Judith Oppenheimer, President of ICB Inc. and purveyor of accurate 800 & Dot Com News, Intelligence, Analysis, and Consulting. http://ICBTollFree.com, http://1800TheExpert.com. Views expressed herein should not be construed as representing views of Judith Oppenheimer or ICB Inc. Contact information is not sold, rented or leased.

Copyright 2004 ICB, Inc. and TELECOM Digest. All rights reserved. Our attorney is Bill Levant, of Blue Bell, PA.

Finally, the Digest is funded by gifts from generous readers such as yourself who provide funding in amounts deemed appropriate. Your help is important and appreciated. A suggested donation of fifty dollars per year per reader is considered appropriate. See our address above. Please make at least a single donation to cover the cost of processing your name to the mailing list.

All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.

End of TELECOM Digest V24 #334
******************************