Thursday, May 04, 2006

Brain vs. Brawn

According to an Associated Press report , spammers have figured out a way to identify email addresses registered to anti-spam service Blue Security’s “do-not-spam” list. Individuals owning those addresses have been getting spammed more heavily as a result. Blue Security offers this service to consumers and, non-complying spammers may be subject to a bombardment of replies to the spammer's host, potentially resulting in a shut-down. Think of it as a reverse denial of service attack. As you might imagine, Blue Security has been the target of denial of service attacks from those who don't like what they are doing.

The approach taken by the spammers to defeat Blue Security's plan is simple: run addresses through Blue Security’s encrypted checklist and then correlate the matches against the spammer's original list. Technically, Blue Security’s list has not been hacked, but over time, spammers have been able to compile a fairly extensive list. It's a logical and simple work-around. Spammers are at work trying to punish those with email addresses registered through Blue Security with aggressive and frequent emails threatening even more spam.

This incident demonstrates the difficulties involved in controlling, policing, and otherwise regulating the online world.

In 2003, the US Congress passed legislation creating the Do Not Call Registry. Do Not Call would prove to be hugely successful and wildly popular with the general public. Some lawmakers, ignorant of the fundamental differences between telephone service and email as a means of communication, decided that they might win public approval if they authored similar legislation aimed at stopping spam. A "Do Not Spam" registry was floated, but ultimately wiser minds prevailed. The FTC and other federal authorities have taken to prosecuting US-based spammers through existing law, such as those designed to prevent fraud and deceptive business practices.

Observations: I don’t have specific communications recommendations for this piece of news apart from pointing out the challenges of dealing with spam and making bold, absolute claims if you are in the business of stopping spam. I’ll point out, however, that for all of Blue Security’s technical acumen, the spammers’ work-around here is decidedly low tech. That’s typical, and we’ve seen time and again how digital miscreants will use cunning techniques such as social engineering to defeat even the most sophisticated security systems. People are often the weakest link in the security chain – especially if they are ignored when implementing programs. Proper training and awareness programs can fix this problem.


Post a Comment

Links to this post:

Create a Link

<< Home