Will people never learn? Apparently not, as California’s Blue Security brings us Blue Frog, YADDASP (Yet Another DDOSing Anti-Spam Program).
The underpinning of start-up Blue Security’s Blue Frog is the “Do Not Intrude” registry. Users register up to three email addresses with the registry, and when spam comes to a registered address, the program looks up the spamvertised website, finds forms on the site which can be filled out (say an order form, or an email contact form) and for each spam received, the system fills out one of the forms on the site – not with an order, but with a demand to stop sending spam.
Of course, in enough volume such form-submissions can easily cripple a webserver, and that’s exactly the intention of Blue Frog.
In other words, to create a DDOS (distributed denial of service) attack.
Blue Security’s CEO, Eran Reshef, offers a fair amount of doubletalk around the subject. In the course of one interview he said both that the “amount of complaints going to the spammer’s site is going to make it hard [for that site] to do anything else,” and that Blue Security is “not creating any harm. We’re not trying to shut down any web sites. But we have the right to complain, one for one.”
But regardless of how Reshef may try to backpedal under the growing storm of denouncement coming from even those in the anti-spam community, the Blue Frog FAQ makes their desire to hurt spammers by abusing their system clear:
“Rogue advertisers pay spammers to launch their campaigns, and are therefore the root cause of spam. These advertisers must make sure potential buyers know where to purchase their products. Hence, unlike spammers, they cannot hide their identity because this renders their mass mailing campaign totally ineffective. Blue Security makes non-compliant advertisers lose money, forcing them to make sure their spam campaigns are Blue-compliant.”
Now, Aunty would be the first to agree with making the advertisers who use the services of spammers culpable. That’s what the McCain amendment portion of CAN-SPAM is all about. But abuse is abuse, and it’s just not ok to use abuse to fight abuse.
The concept of crippling a spammer with a distributed attack on their resources is nothing new. It has been tried, and failed miserably, before, most notably with Lycos’ aborted “Make Love, Not Spam” campaign, and more recently with the controversial Mugu Marauder campaign.
But perhaps most amazing of all in terms of the “what, they did it again?!” factor is that Blue Security has actually secured $3 million in funding from VC firm Benchmark Capital.
When will they ever learn?
[Ed. note: based on several responses in the comments below, it’s pretty clear that people who sign up for Blue Frog really don’t get what they are signing on to. Did you not read the following before you gave them your email address, and let them start using your computer as part of a distributed attack against machines which may not even know they are harbouring spammers (much like you may not know you are using your computer to attack what may be innocent machines)?
This is from Blue Frog’s own website (read it all):
“Opt-out requests are posted by the Blue Frog client application used by consumers that added their personal e-mail addresses to the Registry through Blue Security’s free consumer offering.
Requests are not posted by Businesses and organizations that added their e-mail domains to the Do Not Intrude Registry through Blue Security’s paid business offering.
For each site advertised by spam, Blue Security develops a script for the Blue Frog client, instructing it how to submit an opt-out request on that site.
Each user’s Blue Frog client retrieves the scripts from Blue Security servers and posts the opt-out requests. A single opt-out request is posted per each spam message received by that user.
Complaints are posted in a manner similar to the way a user would manually try to opt-out of spam – Blue Frog opens an HTTP session with the spamvertised site, visits the site according to the flow of instructions included in the script and posts the opt-out text in forms found on the Web site, such as registration or purchase forms.
Opt-out requests do not contain any information that may jeopardize the users’ privacy. The Request encourages the merchant, email marketers and spammers to download the Registry Compliance Tools, remove all e-mail addresses listed in the Registry from their mailing lists and stop sending spam to Blue Security customers.”
Now, before you rush to your own and their defense, really read what this says. It says that it takes information and populates webforms. It doesn’t submit a real opt-out request, and if it did, it wouldn’t do any good, because spammers don’t honour opt-out requests.
Instead it goes to whatever website is there, and finds whatever webforms it can, and puts “unsubscribe me” language in that webform, no matter what that webform is, no matter to whom it actually belongs.
Your own computer may only send a few to each site, but to how many sites is it sending? And combined with however many others are being sent at the same time to the same site from the thousands that Blue Frog claims, that is the very definition of a DDOS.]
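From the receiving web server’s side, the pattern described above has a recognisable signature: each source posts only a few times, so per-IP rate limiting never fires, yet one form endpoint receives submissions from a large number of distinct hosts inside the same minute. The following is an added detection example, not code from the original article or from Blue Security; the log lines, IP addresses and endpoint names (/order.php, /contact.php) are constructed.

```python
"""Flag form endpoints hit by many low-volume sources at once (the distributed
form-flood pattern), while ignoring a single noisy IP. Sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAMP = "[04/Aug/2005:10:00:%02d +0000]"   # constructed timestamps, one minute
# Constructed sample: one real shopper, one single-IP hammerer on the contact
# form, and 60 hosts that each post twice to the order form in the same minute.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - {STAMP % 1} "GET /order.php HTTP/1.1" 200 512',
     f'203.0.113.7 - - {STAMP % 5} "POST /order.php HTTP/1.1" 200 128']
    + [f'192.0.2.9 - - {STAMP % s} "POST /contact.php HTTP/1.1" 200 64' for s in range(30)]
    + [f'198.51.100.{i} - - {STAMP % (10 + i % 40)} "POST /order.php HTTP/1.1" 200 128'
       for i in range(1, 61) for _ in range(2)])
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+')

def parse_line(line):
    """Return (ip, timestamp, method, path), or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), method, path

def find_form_floods(log_text, window=timedelta(seconds=60),
                     min_sources=25, max_per_source=5):
    """Return {path: (distinct_ips, total_posts)} for every POST endpoint that,
    within some `window`, gets posts from >= `min_sources` distinct IPs while no
    single IP exceeds `max_per_source`; a lone hammering IP is left to rate limits."""
    posts = defaultdict(list)                      # path -> [(timestamp, ip)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST":
            posts[rec[3]].append((rec[1], rec[0]))
    alerts = {}
    for path, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide left edge
                start += 1
            per_ip = defaultdict(int)
            for _, ip in events[start:end + 1]:
                per_ip[ip] += 1
            if len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_source:
                alerts[path] = max(alerts.get(path, (0, 0)),
                                   (len(per_ip), end - start + 1))
    return alerts
```

Run against real access logs, the thresholds should be tuned to the form’s normal submission rate; the point of the check is that the aggregate across sources, not any single client, is what reveals the flood.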