Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

Blue Security and the Blue Frog

Blog entries, it seems to me, are like buses. You wait ages until you have something interesting you want to say to the world, then two come along all at once.

Well, there’s been something of a storm (see here, here and here for starters) about an Israeli company called Blue Security. Their idea is very simple; the reason spam is easy to do is that most people don’t respond to it. Everyone knows that sending opt-out requests to spammers just confirms your e-mail address and means they can sell it on for more money.

Well, Blue Security came up with the idea of running a service to do the tedious job of posting complaints on your behalf. You send them your spam and they contact the owners of the websites advertised in it, as well as their ISPs and any law-enforcement agencies that may be relevant, to complain and ask that all members of their “Do Not Intrude Registry” (the “Blue Community”) be removed. So far, so good.

The sting in the tail is this: every member of the Blue Community runs a program called “Blue Frog”. If a spammer refuses to comply with Blue Security’s requests for their members to be removed and continues to send spam to Blue Community members, Blue Security’s technical department write a script for the Blue Frog that causes it to go to the spamvertised website and fill in forms with complaints demanding removal. For every spam sent, one complaint is generated, but because this happens all at the same time, the volume of complaints received can be tremendous.

Some people complain that this is basically a Distributed Denial of Service attack on the spammer, and that all attacks should be banned. But the reality is that the typical spammer is woefully under-provisioned by comparison to the number of spams they send out. If all of the people who receive a typical spam decided to respond in any way, most spammers would be swamped. It isn’t Blue Security that’s responsible for the spammer’s under-provisioning, it’s the spammer, and it’s what makes spam profitable. If you had to have a huge data centre all of your own in order to handle the traffic from a single spam, nobody would bother.

Moreover, because the people who work at Blue Security are technically literate, their solution doesn’t require the general public to understand how to track down the actual spammer and avoid pounding innocent people with e-mails about spam they never sent. Spammers often forge details and have even been known to mount attacks on others by sending spam purporting to come from them, so it’s very important that you take care to complain to the right people.

The point is this: all Blue Security are doing is making it easy to complain effectively and with a significantly reduced risk of “collateral damage”. Spammers are warned that they will receive bulk complaints if they don’t comply with the initial request, but the level of bulk that they receive is far smaller than the level that they send. There’s nothing unfair or immoral about it.

As for the fact that Six Apart were knocked over, well, that’s very unfortunate. We all like Six Apart and a lot of people use their services to run their blogs, so Blue Security have attracted a lot of flak from bloggers for moving their site over to LiveJournal. But look at it this way; Blue Security knew they were being targeted, but only in the same way that an Iraqi policeman knows that he is a target for terrorists. Do you blame the policeman if they blow up a shop he frequents, killing innocent people? Do you say that policemen should only shop in special shops, away from everyone else, just in case? No, you blame the terrorist and rightly so. That’s what happened in this case, and we should blame the spammer; it was his fault and he almost certainly knew full well that he was attacking Six Apart.