Welcome to the Church of SQRLS Web Site!

By The SQRLSy One

( Email me at SQRLSy_1@ChurchofSQRLS.com )

Sub-Site SASSI@Home; SASSI is Saturation Attacks to Spam the Spammers Infinitely

 

The below idea is submitted to any and all software developers, in hopes that some-one, somewhere, will implement it.  By putting it up for all to see on this web site here, I am “defensively publishing” it, so that no one will gum up the works of software development (and the public good) by excessive “patent trolling”, and by getting patents for vague and nebulous ideas alone (without great detail and showing a working product).  The ideas below, then, are intentionally being thrown into the public domain.

 

PROJECT NAME (And Why)

          First off, we need a catchy program name.  SASSI could be Saturation Attacks to Spam the Spammers Infinitely, or SASSSI@Home is Spamming Against Spam, Spam, Spam Intruders (or Invaders or Infestations or some such).  It is reminiscent of the well-known “SETI@Home” program, and being “Sassy” (“Sassing” the spammers and phishers), and a well-known Monty Python skit about “spam”.

 

WHAT IT WOULD BE, SUMMARY

          Obviously, there are existing lists (maintained by various companies, especially IM security companies) of known “phishing” web sites.  SOME company or individual SOMEWHERE (maybe YOU!?!) should develop some fairly simple programs, and a web site where an up-to-date such list of web sites is maintained.  Users could hit this web site, download several thousand offending web-site addresses, and then the user’s PC and Internet connection can donate their free, spare cycles to conducting “denial of service”-style attacks on the offending web sites.  Inundate the offending web sites with page requests, that is.  Such attacks may or may not involve having the user’s PC cycling through different IP addresses, to prevent counter-measures by the targeted web sites.  If enough users donate their spare cycles to these attacks, from a large database of offending web sites, such IP-address-cycling would not even be needed.  That is, the web-page requests to the offending web sites would look very “natural” (diffuse, widely spread), so counter-measures (by the offenders) would be hard to devise.

 

SUMMARY OF BENEFITS / PLUSSES

          This would simply create a LOT of “positive buzz” and goodwill towards whatever company paid for it, if such company paid for this, maintained the web site, and made sure that the software is clearly XYZ branded.  I personally have had my home email hijacked by “phishers” recently, and so I can tell you, there has got to be a LARGE amount of anger out there towards the spammers and phishers.  Customers will be more happy to buy XYZ goods and services, knowing that XYZ Company is on the fore-front in the battle against these offenders.  And in the long run, such a strategy will “take the wind out of the sails” of these offenders, perhaps even to the point where spamming and phishing simply do not pay off, any more, at all.

 

SUMMARY OF COSTS / MINUSSES

          Internet users whose businesses depend on spamming and phishing will perhaps be less likely to buy XYZ Company products, but, with any luck at all, their influence will be out-weighed by those far more plentiful users who are highly resentful of spammers and phishers.  And yes, XYZ’s legal department will have to carefully research what is legal, and what is not, in various jurisdictions, before providing such a service to users.  Then of course there will be the costs of developing the software, and maintaining a web site.

 

OTHER MISC. INFORMATION, CONSIDERATIONS, ETC.

          See http://setiathome.berkeley.edu/ for the well-known “SETI@Home” that is similar to the program envisioned here, or see http://boinc.berkeley.edu/ for the super-set of such programs, which includes the SETI project.  Now, the SASSI@Home project proposed here, could perhaps involve ONLY web sites that engage in “phishing”, in which case things are kept fairly simple.  We always have to be aware of unintended consequences, or of users who would abuse the system which we would provide.  XYZ users could use our program to attack web sites that are NOT offenders, just because of their personal agendas.  The counter-measure against this is fairly simple:  The XYZ web site that provides the web addresses to be attacked, provides target web site addresses in a highly encrypted fashion.  XYZ software on the user’s PC parses the encrypted targets seamlessly, allowing no user intervention.  Users who want to substitute their own personal victim addresses, would have to know the encryption password, at the very least.  If each and every individual with a SASSI@home-type program was allowed to pick his or her own victims, then we can all imagine some bad possible consequences…  Bandwidth saturation by Democrats hitting the Republican web sites, and vice versa, and so on.  So I for one really do hope that this idea will be used appropriately and responsibly…

          With some amount of extra effort…  Perhaps at most, the full-time workload of a single XYZ Company employee…  Users would be allowed to submit the web sites of offenders, to include not just phishers, but spammers as well.  The XYZ employee would then carefully “vet” the web sites of such offenders (who clutter up many victims’ emails with “spam”, trying to attract attention to their web sites).  XYZ Company would have to be careful here to not allow politics to cloud the picture…  Adding (or not adding) web site addresses on any basis other than the offenses of spamming or phishing, would be dangerous to XYZ’s image.

          An additional desirable feature would be to allow the user to select (or not select) an option to limit the amount of Internet bandwidth that this program will use up.  Some ISPs (Internet Service Providers) charge according to how much bandwidth one uses up, of course.  Some users will be, and some will not be, willing to pay extra, for extra bandwidth, just to “fight the good fight” against spammers.  Ideally, what would be REALLY nice, would be for this application to track just HOW much bandwidth the user has used up, and fill up un-used bandwidth (Internet access) as the user pays for, standard, and then, no more.  So the software envisioned here would ideally tie together with the ISP software, and figure all of this out.

          If no one can be persuaded to develop this idea and provide it for FREE, then I for one can tell you, I would be HAPPY to pay $5 or $10 per month, to access the services of an XYZ Company providing the SASSI@Home software, in the name of charity and doing good for the public!  I cannot STAND the hackers and spammers and phishers who intrude on me, and (worst case) turn my PC into a spam-bot!

          If the Government Almighty of the USA prohibits such software from being written in the (supposedly freedom-loving) US of A, despite such Government Almighty obviously NOT effectively enforcing the laws against phishing and spamming, the evil here targeted…  Then this software should be written in (and provided from a basis in) an internet-freedom-friendly nation such as Iceland, see http://en.wikipedia.org/wiki/Internet_in_Iceland

 

          There’s the idea…  Please consider it carefully.

 

          Thanks!   -SQRLSY One  SQRLSy_1@ChurchofSQRLS.com

 

UPDATE AND ADDITIONAL ASSOCIATED IDEAS

 

          With special thanks to Arthur Wilkinson at Emsisoft, I now understand the dynamics of this whole situation a bit better.  It seems that Governments Almighty, world-wide, including certainly the USA with its toothless and counter-productive “Can-SPAM” act, prevent us collectively from fighting back against the spammers!  Read his email, his provided link, and contents thereof, below.

          Quoting from the link’s contents, “While spammers cost companies an estimated $20 billion, they only netted roughly $20 million to $30 million in profits in 2003.”  So the spammers make $1 for every $1,000 they cost us as customers of legitimate businesses?  And lawyers, governments, courts, and other crooks twist the laws to punish the anti-spammers rather than the spammers?  If you will read the below, we’ve got public-policy wonks telling us that using an automated service to allow us to send opt-out email requests to spammers who have, themselves, spammed us, is, itself, spam!!!  WHY cannot Governments Almighty effectively fight for the good guys rather than the bad guys?  Well, I have a theory:  Think about it.  As things are now, more money is spent, by spammers and anti-spammers fighting each other, AND by their having to pay many-many lawyers to help them all fight about it.  And all of us customers have to spend lots of money buying anti-spammers and anti-hackers software.  LOTS of money moves around, LOTS of taxes get collected.  If Government Almighty actually found an efficient way to shut the spammers down (or merely allowed us as private businesses and users, to do it for ourselves, and got out of our way), then they’d collect less taxes.  Quite simple!

Not a “smoke-filled room” conspiracy, I am not a follower of such silliness…  But unconsciously if not consciously, “we all know which side our bread is buttered on”.  And that is for SURE true of Governments Almighty, and their employees!

So here are refinements of the above ideas, in light of the below.  Not only should a Blue-Frog (or SASSI@Home) base itself in Iceland (one of the few places not run by the utter idiocy of Government Almighty, at least in the Internet freedoms category), such a company should take further measures:

1)  All of their paying customers…  Yes, I can see that anyone doing this “for free” cannot collect off of public goodwill towards their brand, since the hacking evil-doers will retaliate and swamp their websites, and ALL big businesses today have to have a web site…  Then the paying customers should, once a week (or so), have the providing company EMAIL them the refreshed list of spammers.  These outgoing emails can NOT be directly responded to; they come from a server that is set up for outgoing traffic only (cannot be targeted by denial of service attacks).

2)  For attracting new paying customers, the providing company relies purely on word of mouth, and on having enthusiastic customers who will spread their executable program by posting it (perhaps literally) on millions of web sites, Facebook pages, etc.  Or even passed around on USB key drives…  The criminal bot-net operators cannot spam us ALL to death!

3)  To enable this system to pay for itself, the providing company sends out the once-per-week emailed (updated) list of spammers and phishers, ONLY to paying customers, who pay via check, PayPal, etc.

 

That’s it!    -SQRLSY One

 

From Arthur Wilkinson:

Hello, and thank you for contacting Emsisoft Support.

A similar idea was attempted in the anti-spam industry by a company known as Blue Security. You can read about what happened to them at the link below:
http://www.securityfocus.com/news/11392

Unfortunately, the idea wouldn't be possible for a company to execute, as it would break too many laws.

Best regards,

Arthur Wilkinson
Customer Support

--
Emsisoft GmbH - www.emsisoft.com
Mamoosweg 14, 5303 Thalgau, Austria
Tel. +49-180-590066-2, Fax. +43-6235-20053
Commercial register: FN238178m, VAT-ID: ATU57263749

 

_________End imported email____________

 

          Now here I, the SQRLSy One, will do something I would normally not do at all…  Import an entire section of text from some-one else’s web site.  “The Google” doesn’t like that sort of thing, you know; they will demote your web site in their rankings, the more and more that you do that…  You have little unique content, and you are just parroting other people?  Demotion for you!  And, I say, good for “the Google” on that one!

          But the link http://www.securityfocus.com/news/11392 is so extremely highly relevant here, AND I would sure hate to see that link go dead and content be lost, that below it is, for your reference and reading pleasure:

 

Blue Security folds under spammer's wrath
Robert Lemos, SecurityFocus 2006-05-17

Israeli anti-spam startup Blue Security decided on Tuesday to shutter its aggressive anti-spam service, citing threats of further--and more malicious--attacks on its service and users.

The company's service, Blue Frog, enabled nearly a half million users to automatically opt-out of unsolicited bulk e-mail messages, or spam, by each sending a single message back to the advertiser. Collectively, the automated opt-out messages inundated the clients of spammers forcing six of the top-10 bulk e-mail groups to agree to use the company's filtering software to cleanse their mass-mailing lists of any Blue Frog users, according to the firm.

However, one spammer decided to attack back instead. Starting May 1, the spammers--who Blue Security identified as PharmaMaster--attacked the company's Web site and spammed Blue Frog users with even more mass mailings. The attacks not only disrupted Blue Security's operations but knocked out the Web blog hosting service Six Apart and a handful of Internet service providers, including Tucows.

While the company had started recovering from the initial attacks, the spammer promised more to come, said one company source. Those threats and the collateral damage led the firm to decide to shut down its service.

"We cannot take the responsibility for an ever-escalating cyberwar through our continued operations," Eran Reshef, CEO and founder of Blue Security, said in an e-mail to SecurityFocus. "As we cannot build the Blue Security business on the foundation we originally envisioned, we are discontinuing all of our anti-spam activities and are exploring other, non spam-related avenues for our technological developments."

The closure marks a sudden end to a controversial service and highlights the importance of spam as a source of cash for the underground Internet economy. In December 2005, spam e-mail messages accounted for half of all e-mail sent, according to security firm Symantec. (SecurityFocus is owned by Symantec.) While spammers cost companies an estimated $20 billion, they only netted roughly $20 million to $30 million in profits in 2003, according to estimates by analyst firm Ferris Research.

The attacks also underscore the power that criminals can still wield on the Internet, especially through large networks of compromised computers known as bot nets. Bots have become the tool of choice for many online criminals to extort money from legitimate companies by threatening a hard-to-stop denial-of-service (DoS) attack; other criminals use the controller software to install adware on the compromised PCs to earn affiliate fees from the advertising networks.

The success of the attacks also reveals that, despite e-commerce companies' assertions that the Internet has become safe for business, the worldwide network has progressed merely from the Wild West to the equivalent of the 1920s mob-controlled urban centers, said Peter Swire, a law professor at Ohio State University and a member of the advisory board of Blue Security. To fight the online gangs of the Digital Age will take concerted efforts on behalf of the U.S. government and other countries, he said.

"This attack was from an organized crime ring on the Internet," Swire said. "The rising amount of extortion on the Internet is a symptom of under-enforcement. It takes concentrated effort to break up any mob, and legitimate companies are at risk of extortion attacks unless enforcement and other cybersecurity measures improve."

Until the beginning of May, Blue Security's Reshef believed his company's service looked ready for explosive growth.

The firm's Blue Frog service had gathered about 450,000 subscribers. Each user, who in general tended to have strong anti-spam feelings, had downloaded the free software agent to their computer and subscribed to the service.

The Blue Frog agent, which integrates with Yahoo! Mail, GMail and Hotmail, uses a central database to check incoming e-mail messages for known spam. When a match is found, the software selects a form from the site advertised in the e-mail message, and submits a message asking to be removed from the spammer's list. Because Blue Security had nearly a half million users signed up, companies who use spam lists will likely have their Web sites inundated with tens of thousands of messages.

In a way, Blue Security was following the money.

"If you look at the spam economy, there are the people that spam and then there are their clients--the sponsors," Reshef said. "We are going after the sponsors."

Some critics have charged the service with essentially being a denial-of-service (DoS) attack.

"They were causing a large number of individual packets to be sent with the intent of slowing a spammer's site down," said Anne Mitchell, president of the Institute for Spam and Internet Public Policy. "The intention was to take the server down; the intention was not to cause the user to be opted out."

Reshef denied that the massive submission of opt-out messages could be legally construed as a denial-of-service attack.

"Under the CAN-SPAM Act, the user has a right to send an opt out," Reshef said during a recent interview with SecurityFocus. "We were taking this right and automating it."

The strategy paid off, both for the company and its users. By the end of April, Blue Security had noticed that six of the top-10 spammers had used the firm's filtering service to remove any of its subscribers from the bulk e-mailers' lists, Reshef said.

"In April, we hit this critical mass," he said. "It was like a snowball. We had spammers responsible for 25 percent of the spam on the Net complying or starting to comply with our list."

At least one spammer decided not to comply. The bulk e-mailer, using the moniker PharmaMaster, used a simple technique to divine some of the names on Blue Security's opt-out list: The spammer took a very large list of e-mail addresses, used Blue Security's filter on the list, and compared the results. Any e-mail address on the first list that was not on the filtered list belonged to a Blue Frog user.

On Monday, May 1, a subset of the company's users started getting ten to twenty times the amount of spam they normally received. The messages contained numerous allegations, claiming that the Blue Frog client was illegal, that it took control of people's PCs, and that the subscribers would be criminally prosecuted.

"BlueSecurity was illegally attacking email marketers, and doing so with your help," read a portion of one message, replete with typos. "Many websites have been targeted and hit, including non-spam sites. BlueSecurity's software has been fully analyzed, and contains an abundance of malicious code... YOU CANNOT PARTICIPATE IN ILLEGAL ACTIVITIES and expect to get away with it."

PharmaMaster is a well-known purveyor of generic and fake Viagra and other drugs and herbal remedies, Reshef said, denying the allegations in the e-mail messages. The company posted a note to its site warning its users about the attack and trumpeting the turn of events as a sign of success.

On Tuesday, May 2, however, the company's Web site suddenly went dark, and with it, the company's future as an anti-spam service.

In the early afternoon on May 2, the company received an ICQ message from PharmaMaster, claiming that an administrator for a top-level Internet service provider would start blocking traffic to the company's Web site, according to a timeline posted on the company's site. Soon after, the company verified that its home page became inaccessible to anyone outside of Israel.

The attack came as a surprise, Reshef said.

"We didn't expect a criminal would be able to exercise any control over the backbone," he said.

It's uncertain what exactly happened to Blue Security's site. The IP address for the Web site comes from a block owned by Alternet, which is a backbone network run by the former UUNet, bought by telecommunications company MCI Worldcom, and--as of February 2005--a part of Verizon. However, a representative of the telecommunications company said that Blue Security is not a customer and none of Verizon's administrators would filter out traffic--known as blackholing--to a Web site.

The filtered traffic marked only the beginning. Within a couple of hours, Blue Security's operations--separate from its Web site--came under denial-of-service attack, flooded with anywhere between 2 gigabits and 10 gigabits per second of traffic from tens of thousands of sources.

By then, the company was attempting to get back online. To work around the backbone filtering that blocked access to its home page, Blue Security decided to change its domain name system (DNS) entries to point to its former blog, hosted by Typepad. A half an hour later, an attacker leveled a flood of packets at bluesecurity.com, but because of the DNS change, the flood did not hit Blue Security's servers but the servers of blog hosting service Six Apart. In what Six Apart called a "sophisticated attack," the company's two blog services--LiveJournal and TypePad--as well as several other portals--such as MovableType.com and SixApart.com--became inaccessible for nearly 8 hours.

"This has affected all of Six Apart's sites, causing intermittent and limited availability," the company said in a statement posted at the time. "Our network operations staff is working around the clock with our Internet access providers to resolve the issue."

Six Apart foiled the attack on its servers early in the morning on May 3 GMT, and the attacker shifted to Blue Security's domain name service provider, Tucows. That attack took out various services offered by the Internet service provider for nearly 12 hours, with its domain name service hit hardest, said Elliot Noss, CEO for Tucows.

"We deal with attacks on a regular basis, and this was an order of magnitude larger than what we are used to seeing," Noss said. "For the first part of the attack, this was seen as a network problem, because it caused connectivity issues for two of our three upstream providers."

Tucows' final solution was to "duck away from the problem"--in Noss's words--essentially removing Blue Security's DNS records from its system. The move essentially made Tucows' DNS servers disappear for any computer looking up the address for bluesecurity.com, blunting the attack but also foiling any legitimate user that wanted to find bluesecurity.com.

Blue Security's Reshef, who praised Six Apart for keeping his company's Web page online and accessible, had stern words for Tucows' strategy.

"Tucows took us down," he said. "Rather than standing up with us in the fight, they deserted us. They didn't even call us."

Last week, Blue Security hired well-known DoS-defense firm Prolexic to bring its sites back online. While its home page returned to the Internet, consistent service to the Blue Frog clients remained elusive. In an e-mail message sent last week, Reshef indicated the company fully intended to continue to take the fight to spammers.

Then the situation again changed drastically: PharmaMaster took the battle to the company's paying subscribers.

The online battle between PharmaMaster and Blue Security had already had a number of casualties: Internet services, consumer users and the company itself.

The spammer, seeing the success of the attacks, apparently decided that more threatening attacks could win the war. Specifically, PharmaMaster used Blue Security's own tactic against it: The spammer went for the money.

Blue Security built its business model around providing free service for consumers--whose greater number of computers could launch a meaningful attack against spammers--but requiring businesses to pay to protect entire domains.

In a significant shift in the attacks, PharmaMaster began targeting the paying customers, according to sources familiar with the attacks. People at the companies supposedly protected by the Blue Frog system, instead found their systems in greater danger. The spammer hit their networks with denial-of-service attacks and sent e-mail messages laced with computer viruses to their addresses.

For the Israeli company, the attack trumped any of its defenses.

"Blue Security realized that they weren't helping their customers by continuing the fight with the spammers," said Keith Laslop, vice president of business development for Prolexic, the company hired to protect Blue Security's service. "So they have decided to exit the anti-spam business."

The anti-spam company said that it does not blame anyone but the spammer for the turn of events. So far, no lawsuits have been filed by Blue Security or against the company, CEO Reshef said. On Wednesday, the main Web page for the company, bluesecurity.com, could not be accessed by SecurityFocus.

Prolexic itself came under attack soon after taking Blue Security on as a client, according to the company.

"Prolexic Technologies, has been fending malicious cyber attacks from one or more criminal spammers attempting to intimidate the firm, subsequent to Prolexic deploying its system to defend a recent customer," the company stated on its Web site. "These attacks have included a barrage of defamatory spam emails about Prolexic, multi-gigabit DDoS attacks, and mail bombs."

Six Apart, the only other U.S. company substantially affected by the attacks, is currently working with the FBI on an investigation, but the U.S. law enforcement agency would not comment on the investigation.

To advisory board member Swire, the incident represents that the safety of the Internet is only a thin veneer, and that true threats to businesses, like this one, only get lip service from the Bush Administration.

"This shows how vulnerable the Internet infrastructure really is," Swire said. "I'm concerned that cybersecurity has been downgraded in the U.S. government from a White House issue to an issue that gets relatively little support in the Department of Homeland Security."

The outcome of the episode left a bad taste in the mouths of even some critics of Blue Security's service.

"I find the closure of their business very sad," said ISIPP's Mitchell. "I would rather they had tightened up their system and made it legal, than have it closed down."

CORRECTION: The article originally cited the wrong title for Keith Laslop of Prolexic Technologies. He is the vice president of business development. In addition, the article was updated with the statement regarding attacks against Prolexic.