A piece of folk wisdom says that you should never enter into a pissing contest with a skunk, for obvious reasons. Apparently anti-spam company Blue Security hadn't heard that particular piece of advice and the results have been unpleasantly predictable.
Blue Security is known for their Blue Frog product, a free tool that you can download to your computer to submit data to forms on spammers' websites. This PC World article on Blue Security sketches the process and suggests that Blue Frog is little less than a tool for implementing a distributed denial of service (DDoS) attack.
After an initial buzz of controversy followed by a few months of silence, Blue Security is back in the news. Someone has apparently launched a DDoS attack on Blue Security's website. Simultaneously, a spammer seems to have identified the email addresses of at least a portion of Blue Frog's user base (some articles imply that the spammer 'hacked' Blue Security or 'reverse-engineered' their encrypted lists: in reality, they probably just tested their own spam lists against Blue Security's 'do not spam' registry and compiled a list of matches) and sent messages threatening them with more spam if they don't stop using Blue Frog. Apparently, someone is eager to convince Blue Security and its users of the inadvisability of engaging in pissing contests.
Hold that thought and take a breath. Let's switch track and look at what Blue Security is doing.
One of the repeated mantras of the anti-spam community is "Don't fight abuse with abuse". I agree with that principle, and not just for abstract reasons to do with owning the moral high ground (spammers can pretty much be relied upon to seize the moral low ground at every opportunity). The real problem with abuse is the likelihood of collateral or inadvertent damage. A DDoS tool that has a significant impact on a spammer will also affect legitimate network users in the spammer's virtual 'neighborhood'. An automated DDoS tool carries the risk that it can be subverted or misdirected with devastating results.
DDoS and other large-scale abuses will invite some predictable responses from spammers. If DDoS'ing spammers becomes current practice, spammers will simply distribute their network resources 'among the civilian population', like an under-funded third-world army shielding its tanks and guns from American airpower by putting them in the shadow of schools and hospitals. We can expect to see spam sites increasingly hosted on zombie PCs and inexpensive commercial hosting services, so that a tool like Blue Frog can't hurt the spammers without hurting innocents as well. We can also expect spammers to play DNS games: if they detect a Blue Frog-like attack ramping up, they can simply switch their DNS to temporarily redirect the requests towards a 'sacrificial' site elsewhere. I presume that the Blue Frog tool is smart enough not to accept non-authoritative results when resolving domain names; otherwise it would be trivial for spammers to use Blue Frog to DDoS anti-spam sites like Spamhaus or even Blue Security themselves.
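The DNS-redirection risk described above comes down to one missing check: an automated client must refuse to act on a name that no longer resolves where it was verified to live, or that was answered from a cache rather than the zone's own server. The following is an added illustration of that check, not Blue Security's code; the hostnames, networks and answer tuples are constructed, and the "authoritative" flag stands in for whether the answer came straight from the zone's authoritative server.

```python
from ipaddress import ip_address, ip_network

# Constructed example: the network a target was confirmed to live in when it was
# vetted. Anything outside it (a 'sacrificial' host, a shared hosting provider,
# an anti-spam site) must not receive traffic, whatever DNS now claims.
VERIFIED_TARGETS = {
    "shop.example-target.invalid": [ip_network("198.51.100.0/24")],
}


def check_resolution(hostname, answers, pinned=VERIFIED_TARGETS):
    """Decide whether an automated client may act on a DNS answer.

    answers: list of (ip_string, authoritative) tuples as a resolver would
             hand them back (constructed here; no live DNS is performed).
             authoritative is True only if the answer was obtained from the
             zone's authoritative server rather than a recursive cache
             (assumption modelled on the post's requirement).
    Returns (verdict, reason) where verdict is "proceed" or "refuse".
    """
    nets = pinned.get(hostname)
    if nets is None:
        return ("refuse", "hostname was never verified")
    if not answers:
        return ("refuse", "empty answer; target may have been pulled")
    for ip, authoritative in answers:
        if not authoritative:
            # A cached or forwarded answer is exactly what a poisoned or
            # hastily switched record would look like; do not trust it.
            return ("refuse", f"non-authoritative answer for {ip}")
        addr = ip_address(ip)
        if not any(addr in net for net in nets):
            # The name has moved off the verified network: the classic
            # redirect-to-a-sacrificial-site (or third-party) trick.
            return ("refuse", f"{ip} is outside the verified network(s)")
    return ("proceed", "all answers inside verified network(s)")
```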
So the question that comes next is, what constitutes 'abuse'? One test could be to say that it's anything you'd consider abusive if someone did it to you. A DDoS attack is definitely abuse. So too would be subscribing the spammer to other spammers' mailing lists, or populating their web forms with bogus data. Sending them misleading information, like the people at 419 Eater? Just possibly.
For many people, that test is too strong. The feeling is that spammers don't deserve the same consideration as other people because in a sense, 'they started it'. Spammers are crooks and fraudsters. They show no compunctions about lying to us, infecting our computers with their viruses, polluting our mailboxes and hammering our systems with their probes and dictionary attacks. Can we really compare lying to them or poisoning their databases with false information with doing the same thing to an honest Internet user?
Let's sidestep that issue and consider another test. Let's say that something that has a significant likelihood of having an impact on an innocent third party, whether a hosting company or another user of the same servers, is definitely abuse. Cases where the damage is done by the spammer's countermeasures are included. It's not sufficient to say "Oh, but I only DDoS'd the spammer, he was the one who changed his DNS records so that my attack took down a different server". Spammers are scum. You must expect them to behave like scum, and if you don't take that into account when you plan your action, you're also responsible for any damage.
By this test, scambaiters aren't abusive because their retaliation is highly targeted. There's little likelihood of an innocent third party being affected. Similarly, filling in bogus data in a spammer's web form - if you choose your data appropriately - wouldn't normally be abuse. If you - and ten thousand other people - do it hundreds of times a minute, that's a different matter. And this appears to be exactly what Blue Frog does.
Blue Security say that their coordinated attacks are a last resort when all other options have failed and that they aim only to slow the spammer's website, not take it down. I find this latter claim questionable, as it will always be hard to gauge the effect of their actions. In any case, it seems likely that a Blue Frog attack will have an impact on anyone who shares network resources with the spammer. On that basis, it would meet the definition of an abusive response.
Blue Security want you to believe that their approach does not constitute abuse. The spammers, on the other hand, want to pretend that it's Blue Security's abusive behavior that has invited retaliation and imply that if Blue Security hadn't crossed the line they wouldn't be under attack. There's no reason to believe this either. Spammers have launched DDoS attacks on some definitely non-abusive anti-spam sites such as Spamhaus and SORBS before. Given the means, a spammer will attack any anti-spam operation that threatens his business. Greed, not righteous indignation, is the usual motivation.
Does it follow therefore that Blue Frog has achieved its goal of making it hard for spammers to earn money? It's possible, but not certain. Many spammers are vindictive and take as much delight in attacking anti-spammers as anti-spammers do in attacking spammers. The pointless Hipcrime floods of news.admin.net-abuse.email are an example of an action that seems to be purely provocative. It's easy to imagine a spammer deciding to 'punish' Blue Security for their temerity in challenging the spammer's right to spew where he pleases long before their activities actually had any real effect. Moreover, a high-profile attack like this could be a form of calculated terrorism, aimed at convincing recipients to shut up and eat their spam. Don't make trouble, or this could be you. Blue Security, with their questionable methods, makes a better target for this demonstration than other, less controversial anti-spam sites.
Lately, the Blue Security saga seems to have taken a new turn. Allegedly, Blue Security played their own DNS games when they came under attack. It appears that they redirected the hostname 'www.bluesecurity.com' to their TypePad-hosted blog, thus transferring the incoming DDoS attack to SixApart's network. The network then buckled under the strain, shutting down SixApart's TypePad and LiveJournal services and the literally millions of blogs that they host. CEO Eran Reshef denies that Blue Security deliberately dumped the DDoS on SixApart. He might be telling the truth, but it's worth noting that the DDoS seems to have already been under way for more than 24 hours at the time that they changed their DNS. The best that can be said of Blue Security is that they were astonishingly irresponsible.
Don't enter into a pissing contest with a skunk. Spammers are skunks by nature, and their well-honed networks of compliant zombies make them unusually well-equipped to take part in pissing contests of this type. But it looks as if Blue Security may be a skunk too, and the results of the pissing contest they started threaten to stink up the network for everyone else.