Squish that frog
Posted: 6 May 2006 at 20:23:52
If you don't follow the Utah Open Source Planet or Aaron Toponce's blog, this post may mean nothing to you.
Aaron's been spamming -- for lack of a better word -- the Utah Open Source Planet with post after post about something called "Blue Frog" from a company called Blue Security. I responded to his first post on his site, but my comment never showed up. I guess Aaron wants to keep all the feedback on his site positive and complementary to his views. ;-)
Anyway, this Blue Frog business is really shady stuff: fighting spam with tactics that really add up to abuse of network resources. It's possible Aaron is too young to remember when network abuse was a far more serious topic -- when the Internet wasn't quite as robust as it is today and a concentration of traffic, malicious or not, could bring down networks for an entire educational institution or geographic region.
The flaw with Blue Security's tactic is that it will only work against spammers that are semi-legitimate -- who have their own mail servers, mail administrators, etc. Of course, these spammers may not be spammers at all. These organizations may be perfectly legitimate companies sending out targeted e-mail to interested parties. It's a grey area, but these organizations aren't the ones trying to get you to buy smallcap stocks, Viagra, or kiddie porn.
The spammers that, in my opinion, are the plague of the Internet, won't be stopped by Blue Frog, Polkadot Frog, or Aaron The Frog because they operate covertly using free or compromised accounts, spambots, or compromised websites or e-mail servers. Targeting the source of these kinds of spam messages with many opt-out requests is useless. Not only this, but Blue Security forgets that bandwidth still costs money: The ISPs between Blue Frog and these spam sources are all on the line - providing bandwidth in an honor-type agreement with each other.
If more Blue Security-like tactics begin to appear, the trust agreements between Internet backbone providers will likely begin to disintegrate.
Iodynamics' clients don't really get much spam. Their mail servers use a combination of SpamAssassin, MIMEDefang, and a greylisting milter for Sendmail.
Greylisting is, perhaps, one of the most interesting ways of stopping spam from reaching its intended recipients and it works based on a principle that also makes Blue Security's tactics worthless: Spammers don't use real SMTP servers.
When greylisting is in effect, it postpones delivery of messages from upstream addresses it hasn't dealt with before. If the upstream server attempts to deliver the message again, the address is then whitelisted. Many spamming systems don't honor these postponement requests and, as a result, they simply don't attempt to redeliver the messages. For the same reason, they will be completely oblivious to opt-out requests.
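The greylisting decision described above, sketched as an added example (not code from this post or from the milter it mentions). The class and function names, the 300-second minimum retry delay, the pending-entry lifetime and the sample addresses are all assumptions made for illustration.

```python
TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 2.0.0 OK"

class Greylist:
    """Greylisting keyed on the connecting address, as the post describes."""

    def __init__(self, min_delay=300, pending_ttl=4 * 3600):
        self.min_delay = min_delay      # assumed: earliest acceptable retry, seconds
        self.pending_ttl = pending_ttl  # assumed: how long a first attempt is remembered
        self.pending = {}               # address -> time of first attempt
        self.whitelist = set()

    def check(self, addr, now):
        if addr in self.whitelist:
            return ACCEPT
        first = self.pending.get(addr)
        if first is None or now - first > self.pending_ttl:
            self.pending[addr] = now    # unknown (or stale) sender: postpone
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL             # retried too quickly to be a queueing MTA
        del self.pending[addr]
        self.whitelist.add(addr)        # came back after the delay: whitelist it
        return ACCEPT

# Constructed sample traffic: (seconds since start, connecting address)
ATTEMPTS = [
    (0, "192.0.2.10"),     # real MTA, first delivery attempt
    (5, "198.51.100.7"),   # fire-and-forget spam sender, never retries
    (10, "203.0.113.9"),   # sender that hammers retries immediately
    (12, "203.0.113.9"),
    (14, "203.0.113.9"),
    (900, "192.0.2.10"),   # real MTA retries from its queue
    (1000, "192.0.2.10"),  # later mail from the now-whitelisted MTA
]

def replay(attempts, greylist=None):
    """Return {address: [SMTP reply code per attempt]} for the given traffic."""
    greylist = greylist or Greylist()
    codes = {}
    for now, addr in attempts:
        codes.setdefault(addr, []).append(greylist.check(addr, now)[:3])
    return codes

if __name__ == "__main__":
    for addr, codes in replay(ATTEMPTS).items():
        print(addr, codes)
```

Only the sender that queues the message and retries after the delay ever receives a 250; the other two never get a message accepted.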
In closing, I think I may speak for the entire Utah Open Source Planet readership in saying that I hope this is the last time we have to read about Blue Security or Aaron's Frog issues.