The Ethics of Deterrence
Some bloggers have recently claimed our fight is morally flawed. Now, the usual thing to do when bloggers make such accusations is to either ignore them or to deny the charges without giving details. I disagree. I believe the best answer to any accusation is the truth. And that's what I'd like to share with you now.
These bloggers claim we mount distributed denial of service attacks against spammers' sites. Is this illegal? Is this morally wrong? I say yes, it is illegal, morally wrong and also disgraceful -- if our community really was involved in a DDoS.
The facts are very simple. It is legal, right and honorable to complain about spam you receive. I bet each and every one of those bloggers sent such a complaint at some point in time. And this is exactly what each member of our community is doing -- complaining about spam messages that reach them. I want to make this crystal clear: we just complain about spam messages reaching us.
Some of you will rightly say "How is having a large number of people complaining different from a DDoS?" There are several key differences.
First, a DDoS target cannot choose whether to be attacked or not. In our case, if a spammer wishes not to receive even one single complaint, that spammer can simply cease sending us spam. We provide free compliance tools for spammers, so they can effortlessly stop spamming us.
Second, DDoS targets do not receive warnings. Our community tries to warn spammers before we start submitting complaints. We attempt to contact the spammer's ISP, its web sites and any other contact point we can identify. By the way, most spammers make it impossible to send them anything but your credit card number, so from time to time our warnings simply cannot be delivered.
Third, each zombie computer participating in a DDoS sends out as many packets as possible to the DDoS target. In our community, every member complains once per each spam message received by a honeypot account owned by that member. We do forward messages among honeypot accounts, but we hope no one seriously claims that email forwarding is immoral.
Fourth, DDoS attackers couldn't care less about inflicting damage on third parties, such as ISPs. We measure and synchronize the complaints of our members, in order to minimize any negative impact on third parties. We also vigorously verify spam messages we receive to avoid joe-jobs.
I know that this is not the last time we'll hear such accusations. But we will continue our struggle to reclaim our Internet. Even if some bloggers advocate turning the other cheek, we will not sit idly while spammers take away our dream of a peaceful Internet.
Posted by Eran Reshef Jul 18, 2005 13:18
A Response by Dave D - Jul 19, 2005 07:38 (#1 Total: 10)
You might be well intentioned, but this system is doomed to fail, just as the Lycos attempt to DDOS spammers was doomed to fail a few months back.
Reasons:
1) Does your system make any distinction between a knowing spammer IP and an infected Windows host running on a broadband connection, that happened to send out some open proxy spam?
2) What about laptops at Wi-Fi cafes and such. Or universities. If they bring an infected host onto the LAN, it spams, it leaves ... and a day later your system launches a beat-down on the IP. By now, the owner of the cafe has scanned his machines, and put up better firewalling. Presumably he's no longer guilty. Yet he didn't reply in time. You unleash the hounds of 10,000 DDOS'ers.
3) Network administrators tend to frown on deliberate DDOS. Will you defend users of your product who are banned permanently upon their ISP or network admin finding out they willingly participated in a DDOS, even a DDOS for 'moral' purposes?
4) The spammers get wind of your antics. They begin to launch strikes against your site, and users of your software (if a signature can be found, which should be simple, you make your client available to inspect). Will you fix it so spammers cannot launch pre-emptive DDOS against people that use your client?
5) What you are building is what the law calls a 'malicious botnet.' Participation in a malicious botnet may well be against local laws and be defined as a felony. Will your Terms of Service exonerate any local user from prosecution as a net criminal?
6) As the owner of a LAN, if you list my IP and send me a flood of data, can I sue you to recoup losses to my business, if it is shown that I provided due diligence to fix the open-proxy spam issue I had with my LAN? Suppose your network decides to attack me anyway, because your "due diligence" does not match that of the law's?
These are just a few objections -- I am sure there are more. Starting with, maliciously using the internet is just a dumb idea. DUMB.
But by all means go ahead. It's also a free market economy, you certainly have a right to launch the dumbest idea I've seen lately.
A response by Eran Aloni - Jul 19, 2005 08:39 (#2 Total: 10)
The concerns and reservations listed in your comment seem like a result of a misunderstanding of our service.
Most of your comments are based on the misconception that the Blue Community posts complaints at the computers used by spammers to send spam. Obviously, since spammers regularly use botnets and zombie networks to send unsolicited bulk email, there's no point in trying to complain there.
The Do Not Intrude Registry takes a totally different approach. Blue Community members complain about spam messages they receive by posting complaints on web sites advertised by spam -- a single complaint for each spam message they receive. Clearly, community members have every right to complain about spam they receive.
These spam sites are the root cause for spam -- they are the ones paying spammers to flood our Inboxes and they are the ones making money from spam. The Do Not Intrude Registry disrupts their business model while making sure no innocent third parties are affected.
Complaints are posted only as a reaction to receiving spam messages and only after both site owner and the hosting ISP are warned and asked to stop sending spam to the community. Advertisers and spammers can easily avoid receiving complaints by cleaning their mailing lists using the tools we provide and avoid sending spam to the community.
Eran Aloni Director of Marketing, Blue Security.
A response from RiBiNiN - Jul 20, 2005 02:32 (#3 Total: 10)
Dave D fails reading comprehension
You have done what I wanted to do, automate a response, not to the mail but to the website. If I complain about each e-mail I receive manually nobody could complain. You have just automated the process. Also, Dave D could be a spammer who is afraid that you have something that really will work.
I have downloaded the code and am looking forward to reading it in detail.
A response once again from Dave D - Jul 20, 2005 02:32 (#4 Total: 10)
Sure, but ... we've seen this approach fail in the past.
Reporting actors can misidentify mail. They can report mail they don't like. I've seen mail from Aunt Mabel be reported as spam, because someone hit the 'report spam' button to delete. It happens.
What really frightens me is your system (run by humans, thus capable of flaw) is not taking a passive "block IP" approach, which would be acceptable, but instead is taking an active "attack the bad IP" approach.
Which, even if it wasn't illegal, would still be stupid as hell.
I predict you're going to find a frosty reception for your little invention among
1) Network admins that carry your traffic
2) Hosting providers that have to absorb the retaliation attacks at your site
3) ISP abuse desks, who will be dealing with the fallout from your users (their customers) running your product, which no matter how you explain it away, is still an excuse to participate in a botnet DDOS.
Keep sprinkling on the sugar. You might eventually convince some people that this is a donut.
But DDOS for hire is what the criminals on the net do, and no matter how you sugar coat it, what you are proposing is a DDOS for hire. Just for "white hat" purposes (questionable). Just because you think it's white hat, does not by any stretch mean the net community will, or the law will.
A response from RiBiNiN - Jul 20, 2005 02:32 (#5 Total: 10)
Dave D fails reading comprehension
I am wondering if Dave is a spammer. He has distorted the method to make it seem like the beginning of a slippery slope to anarchy. It is merely doing what we all want to do, get off mailing lists without exposing ourselves to these toxic websites.
Dave D - Jul 20, 2005 11:16 (#6 Total: 10)
Dave D once again: Well, blaming the messenger is what your system is all about.
A spammer. That's a laugh. Now you're falsely attacking the messenger. Sounds like a harbinger of things to come from this system.
Rather than be a spammer, I work on the other side -- I work trying to prevent spam for customers.
One of our biggest headaches is not spam, it's guys that generate 'side work' trying to fight spam.
Side work like DDOS's against mistaken targets.
Good luck with your endeavor, I know you mean well.
I remain unconvinced by this reported approach: DDOS'ing the perceived spammer will fail, because you will misidentify targets, and because some of those targets will sue or cause your upstream provider to take corrective action ... not against them (if they are indeed spammers) but rather against you ... for deliberately DDOSing.
Net traffic costs money and time. Malicious traffic is illegal. Spammers need to be and are being prosecuted ... as well as a myriad of blocking strategies being employed ... but to move from that to actively abusing the net to attempt to get even with spammers ... this will always fail. It's been tried before, the result is either embarrassment or retreat.
Now, a different David responds: David - Jul 20, 2005 16:04 (#7 Total: 10)
This tactic may indeed seem like a DDOS attack to one who has not read the facts or fully understood the system.
Now would you say we have a right to complain? Is complaining about bad customer service malicious traffic? Is complaining about a bad business malicious traffic? Is complaining about privacy intrusion malicious traffic? Is it illegal/immoral? I hope not, otherwise I'd have been in jail 10 years ago.
Simply put, we are exercising our right under the First Amendment of the US Constitution, but in a controlled manner: first off, they try to warn the spammer and their (the SPAMMER's) ISP/web host about the complaints before they are sent; second, if the warnings are ignored we match the SPAM they sent to us with equal amounts of complaints by the ones who received it, but NOT ALL AT THE SAME TIME to AVOID the possible DDOS attack.
Now, about the use of "report SPAM" to delete, it's rather simple: first, for reporting the SPAM here there's no button; second, it doesn't delete it; third, this is why they have actual humans check to make sure it's actual SPAM that's not CAN-SPAM Act of 2003 compliant and not just a "case of mistaken identity".
Now, about humans being capable of flaws, let me ask you this: are you a human? Do you work with and for humans? Even if it was all computers, we are all capable of mistakes, even computers just as humans. Simply put, if everyone complained just by themselves about every SPAM message they receive (now, is that so wrong, illegal, immoral?) the chances of it appearing as a DDOS attack would be higher, since most SPAMMERs send all their messages at once, and some would be likely to read and complain at the same time.
Let's put it like this: let's say this was a car alarm (meant to keep the privacy of your car, as this is to keep the privacy of your e-mail). Now a car alarm is not illegal, and it has a lot of mistaken identities, i.e. a cat wanting a nap on a warm surface, somebody shutting a heavy door; now imagine if you had a couple thousand car alarms in the same place. Is that illegal, immoral? Simply put, it's a car alarm for your e-mail. Or we could compare it to a "No Trespassing" sign: they trespass on our property, we tell them to get out or we'll call the police. Now, is that illegal, immoral? I hope not. Or if you don't like those comparisons, let's compare a SPAMMER to a burglar and your e-mail box to a house: if the burglar broke into your house, would you not tell him to leave until he does, or call the police? He would do the same but with more drastic measures sometimes. Is that illegal, immoral? Get my point?
This is not abuse, this is exercising our rights, just as it is to exercise our right to defend ourselves against an attacker, i.e. spraying pepper spray (the Blue Frog security program) at the attacker (SPAMMER).
To sum it up, we have a right to complain (last time I looked, complaining was perfectly legal, moral, and ethical). This is not a DDOS attack, since the complaints are monitored and controlled so that does not happen, and everyone who received a SPAM message will complain about it, but only once per message received, until the SPAMMERs stop sending messages (trespasser trespassing, burglar breaking into your house, etc.). We have the right to protect our property, defend our lives, we have the right to control who can come onto our property (i.e. homes, car, e-mails). I hope these things aren't illegal, otherwise I'm in deep trouble, along with the majority of the population.
Also, two SPAMMERS have stopped SPAMMING the Blue Community because of our efforts, thus if we don't get any bad static this program very well might work.
A brilliant anti-spam model ...
Before joining the project I spent a few days carefully reviewing the concept on the Blue Security site, studying the FAQ, reading independent news stories popping up all over the net, and visiting several related blogs.
It seems to me that while Dave D raises important concerns -- many of which crossed my mind while researching the project -- these concerns are already clearly handled. I believe Dave D means well and has a handle on the technical and ethical issues. His somewhat -- what's the word I want? -- passive / aggressive writing style sort of put me off at first, but I took it in with a grain of salt (or maybe sugar? - grin).
I've come to the conclusion that Blue Frog is a brilliant anti-spam model... easily the best approach I've seen since I joined Project Honeypot last year (see: projecthoneypot.org).
Eran's "Join us" post of 17 July hit home with me on many levels. I first went online in 1994. In those ancient times, I couldn't wait to wake up every day and get to work. The net made it possible to expand the reach of my art and design across the globe, visit with longtime friends, make new friends, and keep in touch with family.
The Internet is easily the most important advance in human communication since the invention of moveable type and the printing press (even more important than radio or TV, since it's a two-way interactive medium). It's now hijacked by a tiny minority of ethically challenged, money-grubbing psychopaths. Spammers are the online equivalent of home invasion gangs.
Filtering spam is a knee-jerk response that doesn't address the core issue. Current US federal anti-spam legislation is worse than useless. The federal Can Spam act, with its inane 'opt-out' nonsense is fatally flawed -- thanks to well-funded lobbyists from groups like the DMA (Direct Marketing Association) and technically challenged, eager-to-please (and get reelected) politicians. It's a paper tiger, signed into law with great fanfare and no real teeth or moral underpinnings. Can Spam basically legalized spam in the United States ... exactly the opposite of what its proponents said it would do. It's a stunning example of George Orwell's 1984 "doublespeak" in a real-world 21st century application.
Oops. Sorry. I'm venting.
What I'm trying to get at here is that filtering isn't working and conventional legislation is compromised by commercial and political interests. Meanwhile, millions of decent people all over the world continue to be assaulted every day by ads for drugs, porn, and all manner of scams they did not ask for, do not want, and which cost them time and money to simply receive. All this spam arrives 'postage due.'
Dave D - and other well-meaning detractors of the Blue Frog model -- might want to consider offering methods to improve it instead of merely dumping on it. While we sit here reading posts and squabbling about the best way to stop spam, spammers smack their lips and shove their crap all around the world.
An anonymous poster replies: Anonymous - Jul 21, 2005 06:01 (#9 Total: 10)
Do not Intrude Registry
So what you're envisioning is that people will give you their e-mail addresses and you'll make a list of them, and distribute this list to (roughly) whomever wants it.
This list would of course be a valuable prize for spammers, so you encrypt it with a one-way hash. You intend for spammers to generate hashes of their spam list, then obtain your obfuscated 'Do Not Intrude' list and compare the two. If there's a match, that's a sign that the e-mail is likely valid. I don't see how your list is not a bonanza for spammers. It offers them a very easy method of "cleaning" their lists.
You say that you'll put some false positives (honeypot addresses) in the list you distribute, but who really cares? It doesn't cost a spammer anything to send e-mail to those addresses as well.
But then there's your threat of a DDoS attack. While I admire it on a gut level, there are a host of legal questions involved. Do you take full legal responsibility for the actions of your Blue Frog agent? (I read the legal info and I didn't see anything to make me think the answer is 'yes'.)
If I install it and find myself named in a lawsuit, will you pay my legal bills?
What if I go to jail because a jury decided that my Blue Frog broke the law? Will you support my family?
More likely, what if I install it at work and my employer terminates me because the Blue Frog tried to access sites known for adult or other not-safe-for-work content? Will you help me find a new job with an employer that doesn't care if their employees are participating in DDoS attacks?
For anyone that's interested, I recommend reading the findings of the FTC's report to Congress about the feasibility of a do-not-email list: (Thanks to Suresh Ramasubramanian for posting the link.)
There is no way I'd put my e-mail address on your list. There are too many ways this can go wrong.
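The hashed-list mechanism this comment describes, written out as an added illustration (this is not Blue Security's code, and the page does not give the real list format): the published registry holds only one-way hashes of registered and decoy addresses, a sender is meant to drop every address that matches, and the same lookup answers "is this exact address registered?" for any address the holder already has, with nothing on the list marking which hits are decoys. SHA-1 and lowercase normalization are assumptions for the example, and the addresses are constructed.

```python
import hashlib

# Constructed sample data for this example (made-up addresses, not real ones).
REGISTERED_ADDRESSES = ["alice@example.com", "Bob@Example.net"]
HONEYPOT_ADDRESSES = ["decoy-4f1c@example.org"]  # decoys mixed into the published list


def normalize(address: str) -> str:
    """Canonical form before hashing; assumed here so that case differences in the
    same mailbox still match (the page does not say how the real list did this)."""
    return address.strip().lower()


def hash_address(address: str) -> str:
    """One-way hash of a normalized address. SHA-1 is an assumption for this
    example; the thread only says the list is protected by a one-way hash."""
    return hashlib.sha1(normalize(address).encode("utf-8")).hexdigest()


def build_registry(registered, honeypots):
    """The published list: hashes only, real and decoy entries mixed together
    and indistinguishable to anyone holding the list."""
    return frozenset(hash_address(a) for a in (*registered, *honeypots))


def scrub_mailing_list(mailing_list, registry):
    """The intended use: a sender drops every address whose hash is on the list."""
    return [a for a in mailing_list if hash_address(a) not in registry]


def is_registered(address, registry):
    """The same lookup read the other way round: for any address one already
    holds, the list confirms whether it is registered. This is the membership
    oracle the anonymous poster objects to; hashing does not prevent it."""
    return hash_address(address) in registry


def registry_check_summary(candidates, registry):
    """How a candidate list splits under the lookup. Decoy hits are counted as
    registered like any other: the list itself gives no way to tell them apart,
    so a decoy entry does not change what the holder learns."""
    hits = [a for a in candidates if is_registered(a, registry)]
    return {
        "candidates": len(candidates),
        "registered": len(hits),
        "scrubbed": len(candidates) - len(hits),
    }


if __name__ == "__main__":
    registry = build_registry(REGISTERED_ADDRESSES, HONEYPOT_ADDRESSES)
    sample = ["alice@example.com", "carol@example.com", "bob@example.net", "decoy-4f1c@example.org"]
    print(scrub_mailing_list(sample, registry))       # only carol survives the scrub
    print(registry_check_summary(sample, registry))   # three hits, one of them the decoy
```

The decoy addresses only become visible after mail is sent to them and observed arriving, never from the list; that is why the comment treats them as no deterrent to a holder who keeps mailing every hit.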
A final response by Eran Aloni - Jul 21, 2005 06:18 (#10 Total: 10)
The Do Not Intrude Registry is a legal and ethical solution allowing users to complain about spam they receive -- a single complaint for each spam message received.
You have a legal and ethical right to complain about spam you receive. You can do it manually by visiting the sites advertised by spam, or you may sign up with the Do Not Intrude Registry, which performs the exact same procedure in an automated and safe manner.