If you don't follow the Utah Open Source Planet or Aaron Toponce's blog, this post may mean nothing to you.
Aaron's been spamming -- for lack of a better word -- the Utah Open Souce Planet with post after post about something called "Blue Frog" from a company called Blue Security. I responded to his first post on his site, but my comment never showed up. I guess Aaron wants to keep all the feedback on his site positive and complementary to his views. ;-)
Anyway- this Blue Frog business is really shady stuff- fighting spam with tactics that really add up to abuse of network resources. It's possible Aaron is too young to remember when network abuse was a far more serious topic -- when the Internet wasn't quite as as robust as it is today and a concentration of traffic, malicious or not, could bring down networks for an entire educational institution or geographic region.
The flaw with Blue Security's tactic is that it will only work against spammers that are semi-legitimate -- who have their own mail servers, mail administrators, etc. Of course, these spammers may not be spammers at all. These organizations may be perfectly legitimate companies sending out targetted e-mail to interested parties. It's a grey area, but these organizations aren't the ones trying to get you to buy smallcap stocks, viagra, or kiddie porn.
The spammers that, in my opinion, are the plague of the Internet, won't be stopped by Blue Frog, Polkadot Frog, or Aaron The Frog because they operate covertly using free or compromised accounts, spambots, or compromised websites or e-mail servers. Targeting the source of these kinds of spam messages with many opt-out requests is useless. Not only this, but Blue Security forgets that bandwidth still costs money: The ISPs between Blue Frog and these spam sources are all on the line - providing bandwidth in an honor-type agreement with each other.
If more Blue Security-like tactics begin to appear, the trust agreements between Internet backbone providers will likely begin to disintegrate.
Iodynamics' clients don't really get much spam. Their mail servers use a combination of SpamAssassin, MIMEDefang, and a greylisting milter for Sendmail.
Greylisting is, perhaps, one of the most interesting ways of stopping spam from reaching its intended recipients and it works based on a principle that also makes Blue Security's tactics worthless: Spammers don't use real SMTP servers.
When greylisting is in effect, it postpones delivery of messages from upstream addresses it hasn't dealt with before. If the upstream server attempts to deliver the message again, the address is then whitelisted. Many spamming systems don't honor these postponement requests and, as a result, they simply don't attempt to redeliver the messages. For the same reason, they will be completely oblivious to opt-out requests.
In closing, I think I may speak for the entire Utah Open Source Planet readership in saying that I hope this is the last time we have to read about Blue Security or Aaron's Frog issues.
Doran,
I decided that it was worth creating an account on your system to respond to this blog. (If you want more comments, I would recommend implenting a CAPTCHA system)
I want to start by reminding everyone one that we are all on the same side. We are all victims of SPAM, and we are interested in taking measures to prevent SPAM from wasting our resources (time, bandwidth, processing).
There are many effective ways to prevent our users from getting SPAM messages. Doran mentioned several good ones, and I will include MailScanner (which implements multiple anti-SPAM, anti-virus, and anti-phishing detections). While these methods prevent the wasting of our users' time, it does nothing to reduce the quantity of SPAM that we receive and are forced to process.
Currently, Greylisting is an effective way to reduce SPAM and wasted resources. However, I would not underestimate the spammers and their ability to adapt to this technique, if grelisting became used widely enough to harm their business.
Let me tell you about some systems that did harm the spamming industry, enough for them to take action. First, there was the RBL (Realtime Black List) Osirusoft, which was DDoSSed off the internet. He couldn't afford the resources to fight the DDoS attack, and he was getting personal threats, so he was forced to relent and stop fighting SPAM.
I have another example of an effective anti-spam system that was DDoS attacked by spammers. This is the case of the Monkeys.com RBL. I would recommend reading that link, so see what is really happening.
I have only recently learned of BlueFrog since it has been under attack. Since then, I have been highly intrigued by the unique techniques used by BlueSecurity. I have reviewed the methods they use, and considered the ethics of these methods. My conclusion is that the BlueSecurity methods are ethical, and they are effective in reducing SPAM in the long-term. (Traditional anti-spam methods do not have this long-term effect).
I have a feeling that many people do not understand how BlueFrog works, and I recommend that anyone interested in this debate read the information about Active Deterrence on the BlueSecurity website.
Here is my summary of what the Blue Frog application does. BlueFrog allows you to visit the website of every SPAM message that you receive and to use the forms on those websites (usually order forms) to request that you no longer receive email messages from that company. This is a one-for-one response, for every SPAM email you receive, you post an opt-out message on that website. The BlueFrog application simply automates what you could do by hand.
Before you get worried about false-positives or joe-job attacks, you should know that all reported SPAM messages are verified using traditional anti-SPAM techniques and by human review. You should also know that BlueSecurity first tries to contact the company to request that BlueFrog users be taken off of their mailing lists.
I recommend for everyone to sign-up to use the BlueFrog application to report SPAM, and thereby make a real difference in the battle against SPAM.
As a closing thought, I would like to encourage people who post to the Utah Planet to do so in way that is respectful of the other posters.