Blue Frog: lessons learned

(or not, as the case may be — see the end of this article)

This is kind of an old story, but I just heard a discussion about a recent development in it, and remembered I hadn’t talked about it before on this blog.

Some of you may remember a product that was being talked about a while ago called “Blue Frog”, which was an attempt at fighting spam by turning the tables on the spammers. The basic idea was that you sign up with Blue Frog and then flag your spam mail, and Blue Frog will send massive amounts of unsubscribe messages back to the spammer’s address “on your behalf”. It was basically an attempted DOS (denial of service) against the spammers, with a loophole that technically made it legal.

I always thought that this was a stupid idea, for a number of reasons, and there was a major incident a couple months ago in which a guy going by the name of “PharmaMaster” illustrated one of the primary follies in Blue Frog’s approach by launching a retaliatory DDOS (distributed denial of service) against Blue Frog and eventually their hosting providers, etc., which ended up taking them down, even after a number of attempts were made to thwart and/or avoid the attacks. They should have known that they would never be able to beat these people by using their own means against them.


Some had always argued that it was unethical for Blue Frog to use the “spam-the-spammers” approach, but I’ve always argued that it doesn’t matter whether it was ethical, because it is ineffective anyway. One reason (among many) is that unless companies like Blue Frog are willing to go to the lengths that the spammers are, by creating bot net armies, etc., they will always be outgunned in a DOS battle. Not only can they not overpower the spammers, but other “innocent bystanders” will inevitably get caught in the crossfire, as certainly happened in this case.

Now they’ve come up with “Black Frog”, in another futile (IMHO) attempt to use the same tactics of spamming the spammers, but doing it using a peer-to-peer network so that they do not have a central point of failure that the spammers can target in response. Obviously, they didn’t learn from their mistakes last time. The only difference with this approach will be that the individual customers will be much easier for the spammers to counter-DDOS into oblivion; it isn’t that much more challenging for them to do than a focused attack on the Blue Security company.
