Martin McKeay

Blue Security gone, its lessons already forgotten

By Martin McKeay
May 19, 2006 10:50 AM EDT
Blue Security is gone and the spammers are jumping up and down on its grave in glee.  I feel bad for the people who work there, but I have a feeling the company will come back from this somehow.  After all, no marketing person worth their salt is going to let the publicity they garnered go to waste.  But hopefully they won't come back with a re-hash of the same attack-back anti-spam technology that got them into trouble in the first place. 

This technology is exactly what has me concerned. There's some movement on creating an open-source, P2P version of Blue Security's product.  Called Black Frog, after Blue Security's Blue Frog, the idea is that if a single source of unsubscribe traffic gives the spammers a target, decentralizing that traffic leaves them nothing to attack.  But the organizer of Black Frog is missing the main point of Blue Security's whole experience: attack-back technologies are prone to misuse and abuse, and will get users attacked.

Spammers are going to figure out how to misuse this technology fairly quickly.  Off the top of my head, I can easily see spammers using the Black Frog technology to attack legitimate sites.  All they'd have to do is include bogus information in the unsubscribe links that point to a legitimate site, which would cause the software to flood the legitimate site with unsubscribe traffic.  I'm sure some of the spammers are much smarter than I am and can come up with much more devious misuses for the technology.

While the P2P aspect of this project will decentralize the unsubscribe mechanism, just being part of the Black Frog network will likely make any system a much bigger target for spammers.  It wouldn't take a lot for the spammers to filter through their unsubscribe traffic to figure out who's using Black Frog and raise the pain level of the participants.  In other words, becoming part of the Black Frog network could make you a big target for a DDoS attack.

There's got to be a solution to spam, but the Blue/Black Frog technology isn't the answer.  Unfortunately, computer security has to be about defensive solutions, not offensive.  Taking the battle back to the spammers only leads to escalation, and the spammers have much bigger weapons at this point.  Which is why Blue Security has had to shut their doors.