
What Happened to Blue Security

Hemos posted more than 8 years ago | from the bad-news-for-anti-spam dept.

shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."

293 comments

"operational system" (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#15285220)

well, if it's still operational, then what's the problem?

Re:"operational system" (0, Redundant)

plague3106 (71849) | more than 8 years ago | (#15285301)

I signed up over the weekend, but never got a confirmation email. I'd like to use them, but I can't forward emails until I get a confirmation.

Re:"operational system" (1)

NtroP (649992) | more than 8 years ago | (#15285358)

That service is not operational yet. They said it should be "soon".

Yup, this sucks. (-1, Troll)

BecomingLumberg (949374) | more than 8 years ago | (#15285229)

Yeah, I got boatloads of emails saying that I should withdraw my subscription to Blue Security. I have never used them, but apparently I am in the bad boat now.

Good to know Blue is doing so much to protect us from the spammers.... especially letting an email list be leaked such that it can be used against their community.

Re:Yup, this sucks. (4, Insightful)

jtogel (840879) | more than 8 years ago | (#15285242)

Come on, if you have never used Bluesecurity, then you were obviously not in their database, and your email could not have been leaked to the spammers! Obviously, the spammers just sent out these FUD spam mails to everyone, just like spammers generally do.

Re:Yup, this sucks. (0, Redundant)

BecomingLumberg (949374) | more than 8 years ago | (#15285273)

See, that is the rub. When I heard about the company, I emailed their techs a few times to learn about the project. I decided not to use them simply because I feared this type of event, and didn't want my email box doomed to this kind of fate. Good thing they saved my email address for later use.

Re:Yup, this sucks. (1)

Anonymous Coward | more than 8 years ago | (#15285251)

Have you even been following this issue? They didn't have a list leaked...

Re:Yup, this sucks. (4, Insightful)

Rob T Firefly (844560) | more than 8 years ago | (#15285257)

Isn't the fact that you, a non-user, got the email proof enough that nothing was leaked? Unless the spammer "hacked" your address from a list it wasn't on (which would be a neat trick) he or she was just spamming everyone available, hoping to get Bluesecurity's users along with it.

Re:Yup, this sucks. (0, Redundant)

BecomingLumberg (949374) | more than 8 years ago | (#15285286)

Yeah. I emailed their techs twice to ask some questions, but decided not to use the software to avoid exactly this. Good thing they saved my email.

Re:Yup, this sucks. (1)

stony3k (709718) | more than 8 years ago | (#15285323)

Yup, really good thing that people like you give in so easily to the spammers. You make me sick!

Re:Yup, this sucks. (1)

celardore (844933) | more than 8 years ago | (#15285355)

The Blue Security gang apparently never give out email addresses, just md5'd strings of the email addresses to be excluded.

Re:Yup, this sucks. (5, Informative)

ZachPruckowski (918562) | more than 8 years ago | (#15285271)

Someone used their tool to clean a list, then compared the clean list to a "pre-scrub" list, which means they didn't gain any email addresses, they just learned something about the emails they already had been sending spam to.

Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).

Re:Yup, this sucks. (0)

Anonymous Coward | more than 8 years ago | (#15285306)

You're an idiot. No one "gave" anybody an email list. If you signed up with Blue you agreed to have them submit "opt-out" requests on your behalf at spam sites.

Read before you type, moron.

Client List NOT Compromised!!! (5, Interesting)

cyberscan (676092) | more than 8 years ago | (#15285319)

What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When this program was run on the spammer's email list Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed. He then sent the threatening emails to any email address that was purged from the original list.

Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
One can look at it by visiting http://www.plaza1.net/SpammerSlapper [plaza1.net] .

The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer to peer protocol and cryptographically signed. Any ideas on this one?

Re:Client List NOT Compromised!!! (2, Interesting)

macz (797860) | more than 8 years ago | (#15285512)

I like the idea of slapping spammers, but isn't this giving them what they want (traffic)? Is the idea here to DDoS the spam sites if enough people use this?

Re:Client List NOT Compromised!!! (2, Informative)

meringuoid (568297) | more than 8 years ago | (#15285550)

What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When this program was run on the spammer's email list Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed.

This is what annoys me. What are they thinking? They're helping spammers listwash. The fact that a spammer can simply use a diff of his lists before vs. after to find out who's using the service is trivial; the larger point is that even after the list has been purged of BlueSecurity users, the spammer is still spamming. It's addressing only a symptom, not the cause.

They should say to the spammers 'if you continue to spam the addresses of our subscribers, we will continue to jam your unsubscribe addresses and drop boxes with garbage messages, one per spam email received. No, we're not telling you which addresses these are. Stop sending all mail to all addresses for which you do not have a confirmed opt-in, and you will have no further trouble from us.'

That way they're not helping the spammers continue to spam, and I'd feel a lot better about them.

Re:Client List NOT Compromised!!! (1)

VikingThunder (924574) | more than 8 years ago | (#15285594)

I believe the whole point of allowing them to clean their lists was to be more... "ethical." However the heck you measure that.

Re:Client List NOT Compromised!!! (1)

Thaelon (250687) | more than 8 years ago | (#15285696)

This is why I have not signed up for their service....yet.

If the spammers have your address already (and if you get spam, they do) all they have to do is diff their cleaned list against their uncleaned one in it and they know who on Blue Security's list is also a valid address on their list.

However, continuing to send more spam to those addresses is utter fucking stupidity by the spammers.

If you're on Blue Security's list then you obviously hate spam and will not buy anything advertised that way. Therefore it's a waste of the spammers' resources to send you any spam! Some of the spammers who complied with Blue Security (I was reading a lot about this yesterday via Digg) were actually smart enough to see this, I think...

It's actually better for everybody including the spammers to scrub their lists against Blue Security's database. Sending more spam to verified Blue Security addresses is childish, and more importantly downright stupid.
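As an added illustration of the list-washing point made in cyberscan's post above and in this one (example code written for this page, not Blue Security's or Blue Frog's own software; the service's actual list format is not given in the thread, so MD5 of the lower-cased address, as celardore's comment describes, and the sample addresses are assumptions): hashing the suppression list keeps addresses secret from someone who does not already hold them, but it cannot hide which of the addresses a sender already has are on the list, because the before/after diff recovers them exactly. The protection therefore has to come from the policy around the list, not from the hashing.

```python
"""Why a hashed suppression list still reveals membership to a list holder.

Added example, not code from the thread or from Blue Security. The scheme is
modelled from the comments: the service publishes hashes of protected
addresses, a sender scrubs their list against those hashes, and the diff of
the list before and after the scrub is what leaks. Addresses are constructed.
"""
import hashlib


def address_hash(addr: str) -> str:
    """MD5 of the normalised address (assumed scheme, per celardore's comment)."""
    return hashlib.md5(addr.strip().lower().encode("utf-8")).hexdigest()


def build_suppression_list(protected):
    """What the service hands out: a set of hashes, never the addresses."""
    return {address_hash(a) for a in protected}


def scrub(mailing_list, suppression):
    """The washing step: drop every address whose hash is in the published set."""
    return [a for a in mailing_list if address_hash(a) not in suppression]


def membership_leak(mailing_list, suppression):
    """What the list holder learns by diffing before and after the scrub:
    the protected subset of the addresses they already held.
    Protected addresses they never had stay hidden, which is the one thing
    the hashing does achieve."""
    kept = set(scrub(mailing_list, suppression))
    return sorted(set(mailing_list) - kept)


# Constructed sample data (documentation domains, not real addresses).
PROTECTED = ["alice@example.com", "Bob@Example.org", "carol@example.net"]
SENDER_LIST = ["alice@example.com", "bob@example.org",
               "dave@example.com", "erin@example.org"]

if __name__ == "__main__":
    suppression = build_suppression_list(PROTECTED)
    print("scrubbed list:", scrub(SENDER_LIST, suppression))
    print("revealed as protected:", membership_leak(SENDER_LIST, suppression))
```

Note that case normalisation is needed for the scrub to work at all, and that the same normalisation is what lets `Bob@Example.org` be matched and therefore exposed; carol, whom the sender never had, is not revealed.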

For the lazy :) (4, Informative)

Spy der Mann (805235) | more than 8 years ago | (#15285244)

Powered by Copy-Paste (TM).


Timeline (all times in GMT)
[May 2nd 13:42 GMT]
PharmaMaster Works to Block Traffic to Blue's Corporate Web Site

One of the world's largest spammers, 'PharmaMaster', sends Blue Security an ICQ message stating that he will block traffic to Blue's corporate website, www.bluesecurity.com.

        * ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
        * "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)"

[May 2nd 14:47 GMT]
BlueSecurity.com Can't be Accessed Outside of Israel

Blue Security receives another ICQ message from PharmaMaster stating that Blue's corporate Web site cannot be accessed from outside of Israel.

        * ICQ Message: "bluesecurity.com cant be open from outside of israel oh i feel sorry for the company really :)"

[May 2nd 15:30 GMT]
Blue Security's Dedicated Servers - NOT Corporate Website - Under Attack

Blue Security's operational servers - NOT www.bluesecurity.com - suffer from DDoS attacks.
[May 2nd 16:30 GMT]
Corporate Website Receives 2 Hits/Min

Blue employees notice that there is no load on the corporate website, www.bluesecurity.com (2 hits per minute) and that most visitors originate from Israel.
[May 2nd 17:07 GMT]
PharmaMaster Sends Message: Website Can't be Accessed Around World

Blue receives another ICQ message from PharmaMaster stating the company's corporate Web site cannot be accessed around the world.
[May 2nd 20:17 GMT]
Blue Performs Technical Analysis: Confirms Website Cannot be Accessed Abroad

Blue's technical analysis team determines that its corporate website can still be accessed from Israel, but cannot be accessed abroad.
[May 2nd 21:17 GMT]
Blue Reports More Symptoms: "Blackhole filtering" Confirmed

Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level). Still, there is no sign that there was a DDoS attack on Blue's website.
[May 2nd 22:45 GMT]
Blue Security Decides to Update Blue Community

Blue Security decides to update the Blue community about the situation by reverting to Blue's pre-launch "Blue Zone" Blog, hosted on Typepad.
[May 2nd 23:20 GMT]
BlueSecurity.com Redirected to TypePad

www.bluesecurity.com is redirected to Blue Security's blog. Many community members can receive real time information about the attack.
[May 2nd 23:27 GMT]
First Comment Posted on the Blue Blog

Blog site at TypePad functional. The first comment is posted on the Blue blog by a user.
[May 2nd 23:57 GMT]
Last comment Posted on the Blue Blog Before DDoS Begins

TypePad blog site still functional. The last comment is posted thirty minutes later on the Blue blog just before the new DDoS attack occurs. (If there had been an initial DDoS attack on Blue's corporate site, the blog site would have been hit)
[May 3rd 00:00 GMT]
PharmaMaster Starts Attacking Typepad

A fierce and ruthless DDoS on Typepad begins. Blue is not aware of the DDoS due to the late hour in Israel (2 AM local time). Typepad continues to carry Blue Security's blog and help Blue keep our community aware of the situation.
[May 3rd 16:43 GMT]
PharmaMaster Strikes Again, Takes Down Tucows

PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
[May 3rd 23:23 GMT]
PharmaMaster Boasts Success

Almost 24 hours later, PharmaMaster boasts success in another ICQ message

        * ICQ Message: "pharma master: you know i feel sorry for you and all the world 9000 servers are down because of your company :)
        * "pharma master: world cant resolv
        * "pharma master: all the biggest isps been emailed that all this of bluesecurity.com and lets see how they would love you to be able to push trafic from them :)
        * "pharma master: good luck anyway"

[May 4th 13:00 GMT]
Blue Security partially restores its services

Blue Security's web site and some of its operational servers are functioning again.

Re:For the lazy :) (-1, Troll)

jo42 (227475) | more than 8 years ago | (#15285435)

> www.bluesecurity.com is redirected to Blue Security's blog

This was truly lame and inexcusable - redirecting the attack from themselves to someone else.

Re:For the lazy :) (3, Interesting)

jefu (53450) | more than 8 years ago | (#15285516)

But!

Reading the account in TFA reveals that Blue Security was not undergoing a DDOS attack and that the DDOS attack on Typepad starts well after the address is redirected. Then the spammer seems to have widened the attack to bring down as many people as possible to make it look like Blue Security is at fault (which, at least according to their story - be nice to hear PharmaMaster's account, if he/they are not too cowardly to say anything) they were not.

I'm not a Blue Security user, but if they've managed to make a spammer this cranky, I'm going to seriously consider it.

Re:For the lazy :) (5, Informative)

Anonymous Coward | more than 8 years ago | (#15285527)

FFS, RTFA. They clearly say that they were blackholed (*NOT* under a DDoS attack) when they redirected their DNS record to point to their blog. It was only after 'PharmaMaster' realized that the record had changed that the DDoS was launched.

PharmaMaster went forth with the DDoS with the full knowledge that he was going to hit Six Apart's servers. That was the entire point -- he wanted BlueSecurity off the net entirely and was willing to step on anyone to get it done.

This was not malicious on BlueSecurity's part.

Not technically accurate... (3, Interesting)

Spy der Mann (805235) | more than 8 years ago | (#15285534)

This was truly lame and inexcusable - redirecting the attack from themselves to someone else.

Notice that the bluesecurity.com website was *NOT* being flooded with packets. On the contrary, it was routed to null for all the internet except Israel. In summary, there were 4 different DOS attacks:

* Packet flooding (lots of traffic) the operational servers (the ones doing the opt-outs)
* Null routing blue's www (no traffic)
* Packet flooding the redirected www at Six Apart (lots of traffic)
* Packet flooding Tucow's DNS servers (lots of traffic)

So, technically, blue security didn't redirect the attack.
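The distinction this post draws (null route: no traffic; flood: lots of traffic) is also what the 16:30 GMT entry in the timeline above records from the defender's side: the corporate site fell to about 2 hits per minute and nearly all remaining visitors came from Israel. As an added example, not code from the thread, from Blue Security or from any real log, the check below turns those two observations into something that can run over an access log. The log format, the baseline rate and the IP-prefix-to-country table are all constructed for the example (the prefixes are documentation ranges standing in for a GeoIP lookup).

```python
"""Telling a reachability loss (blackhole / null route) apart from a flood
using the web server's own access log. Added example; all data constructed.

Signals used:
  - request rate relative to a known-good baseline (collapse vs surge);
  - geographic concentration of whatever traffic still arrives, since a
    blackhole announced abroad leaves only one region able to reach the site.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed prefix -> country table standing in for GeoIP (documentation ranges).
PREFIX_COUNTRY = {"203.0.113.": "IL", "198.51.100.": "US", "192.0.2.": "DE"}
BASELINE_HITS_PER_MIN = 60.0  # assumed normal rate for the site


def country_of(ip: str) -> str:
    for prefix, cc in PREFIX_COUNTRY.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_line(line: str):
    """Constructed log format: '<ISO-8601 UTC timestamp> <client ip> <method> <path>'."""
    ts, ip, _method, _path = line.split(maxsplit=3)
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, ip


def summarise(lines):
    """Return (hits per minute, top country, share of hits from that country)."""
    stamps, countries = [], Counter()
    for line in lines:
        stamp, ip = parse_line(line)
        stamps.append(stamp)
        countries[country_of(ip)] += 1
    if not stamps:
        return 0.0, None, 0.0
    span_min = max((max(stamps) - min(stamps)).total_seconds() / 60.0, 1.0)
    top, top_hits = countries.most_common(1)[0]
    return len(stamps) / span_min, top, top_hits / len(stamps)


def classify(lines, baseline, collapse=0.05, surge=10.0, concentration=0.8):
    """Verdict for one log window against the baseline rate.
    A rate >= surge x baseline reads as a flood; a rate <= collapse x baseline
    with the remainder concentrated in one country reads as a blackhole."""
    rate, _top, share = summarise(lines)
    if rate >= baseline * surge:
        return "flood suspected"
    if rate <= baseline * collapse and share >= concentration:
        return "blackhole suspected"
    return "normal"


def make_lines(start_minute, minutes, per_minute, prefixes):
    """Build constructed log lines: per_minute hits each minute, cycling prefixes."""
    lines, i = [], 0
    for m in range(minutes):
        for k in range(per_minute):
            prefix = prefixes[i % len(prefixes)]
            lines.append(f"2006-05-02T16:{start_minute + m:02d}:{(k * 7) % 60:02d}Z "
                         f"{prefix}{(i % 250) + 1} GET /")
            i += 1
    return lines


# Three constructed ten-minute windows.
NORMAL_WINDOW = make_lines(20, 10, 60, ["198.51.100.", "192.0.2.", "203.0.113."])
BLACKHOLE_WINDOW = make_lines(30, 10, 2, ["203.0.113."] * 9 + ["192.0.2."])  # ~2/min, 90% IL
FLOOD_WINDOW = make_lines(40, 10, 600, ["198.51.100.", "192.0.2.", "203.0.113."])

if __name__ == "__main__":
    for name, window in [("normal", NORMAL_WINDOW), ("blackhole", BLACKHOLE_WINDOW),
                         ("flood", FLOOD_WINDOW)]:
        rate, top, share = summarise(window)
        print(f"{name:9s} {rate:7.1f} hits/min, {share:.0%} from {top}: "
              f"{classify(window, BASELINE_HITS_PER_MIN)}")
```

The geographic test matters: a quiet period at night also collapses the rate, but it does not change where the remaining visitors come from, so a rate drop alone should not be read as a null route.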

Re:Not technically accurate... (1)

Zaphod2016 (971897) | more than 8 years ago | (#15285976)

Mr. Spiderman, sir:

Huge fan of your work and movies.

I've been following your posts on the DDoS for the past few days, and I wanted to know if you worked for the company, or were simply a super-fan?

Re:For the lazy :) (3, Interesting)

shish (588640) | more than 8 years ago | (#15285674)

This was truly lame and inexcusable - redirecting the attack from themselves to someone else.

If I'm reading correctly -- Up to that point, the DDoS was on BS's dedicated machines, the site itself was blackholed rather than under attack; hence they weren't redirecting an attack, just redirecting users who wanted to know what was going on.

Also, I note the URL you have on your post...

Re:For the lazy :) (1)

darkmeridian (119044) | more than 8 years ago | (#15285593)

I don't know about you guys, but I just downloaded the Blue Frog client to return fire at the spammers. Yes, there is the risk of personally being spammed to heck. However, these guys have to be put in their place. We cannot cave in to this hooliganism. Imagine all the spam they have been sending with the botnet they used to DDoS TypePad and Tucows. We have to kick some spammer ass.

And how the heck did they do that "black hole" thing? Did that require rooting the tier one ISP or is it a truly "outside" attack akin to a DDOS? Because if it wasn't the ISP's fault, then the Internet has problems.

Re:For the lazy :) (0)

Anonymous Coward | more than 8 years ago | (#15285945)

Smells like they bribed an internal admin.

Question about what Blue Security does (1)

AEton (654737) | more than 8 years ago | (#15285864)

Hi,
I haven't really paid attention to the "attack actual spam messages" front.

How is this any different from forwarding my email to myspamaddress@spamcop.net?

DNS Vulnerabilities (4, Informative)

Billosaur (927319) | more than 8 years ago | (#15285250)

[May 3rd 16:43 GMT]
PharmaMaster Strikes Again, Takes Down Tucows

PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.

And it wasn't all that long ago that DNS vulnerabilities [slashdot.org] were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

Re:DNS Vulnerabilities (5, Insightful)

Rob T Firefly (844560) | more than 8 years ago | (#15285284)

imagine the PR campaign that Blue Security is going to have to wage to get any credibility back

Considering who Bluesecurity are and what they do, this whole thing has actually seemed to me to serve as pretty good PR for them. It pisses off lots of people, but once the facts were out there pretty much everyone I know got pissed at the spammer, not Bluesecurity. Everyone hates spam, but now they see a spammer taking things to the next level of evil, which really strengthens the image of the "good guys." People who never heard of Bluesecurity before are becoming ready to do what they can to work against this spammer.

Re:DNS Vulnerabilities (4, Interesting)

mikeisme77 (938209) | more than 8 years ago | (#15285330)

Amen to that. I had never heard of BlueSecurity before this fiasco, but now that I've heard how much trouble they can give these jackass spammers and that they stick to their guns (no matter the cost), I'd like to support them in some way (although I probably won't join the network, as I don't agree with their methods of stopping spam).

Re:DNS Vulnerabilities (1)

robertobobengo (783989) | more than 8 years ago | (#15285841)

I'm one of those who didn't know about Blue Security. Thanks to the spammer and to the attacks that serve the promotion of this program !

Re:DNS Vulnerabilities (1)

Billosaur (927319) | more than 8 years ago | (#15285851)

Considering who Bluesecurity are and what they do, this whole thing has actually seemed to me to serve as pretty good PR for them. It pisses off lots of people, but once the facts were out there pretty much everyone I know got pissed at the spammer, not Bluesecurity. Everyone hates spam, but now they see a spammer taking things to the next level of evil, which really strengthens the image of the "good guys." People who never heard of Bluesecurity before are becoming ready to do what they can to work against this spammer.

I'm considering it from the knee-jerk standpoint. Your site goes down, you complain to Tucows, Tucows says it was due to a DDoS against Blue Security and next thing you know a whole bunch of smaller sites are not happy with Blue Security. I doubt most of those Tucows sites were "major" sites, but they didn't have to be to inconvenience people.

I suspect that eventually any furor will die down. A lot of sites will begin to wonder about Tucows, given the apparent ease with which their DNS server went down. I'm not sure this whole thing will cause a mad rush to Blue Security but it may cause a move away from Tucows. We'll know the full import after a couple of weeks. In the meantime, bounty on the spammer's head anyone?

Re:DNS Vulnerabilities (0)

Anonymous Coward | more than 8 years ago | (#15285318)

"Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back."

Excuse me - are you a spammer as well? Why should blue security have to do PR to get their credibility back? Isn't the fact that they were targeted by one of the top 5 spammer outfits a sign that their service is effective? Let me get this straight, they get attacked yet they have to do PR to repair their image?

Re:DNS Vulnerabilities (0)

Anonymous Coward | more than 8 years ago | (#15285341)

Isn't that amazing though?
A performs an illegal and ethically corrupt attack on B, and C is caught by stray bullets, shrapnel etc. Then, as often as not, people blame B for the actions of A. I never did manage to figure out what planet the people that reason this way come from.

Re:DNS Vulnerabilities-- not Blue Security's fault (1)

erbmjw (903229) | more than 8 years ago | (#15285342)

The DNS vulnerabilities are not hurting Blue Security's credibility!

That a hacker had to use a sledgehammer to cause them significant harm shows that Blue Security was/is doing something correctly.

The group that will need to gain back credibility are the organizations that are operating these vulnerable DNS servers, because it's their vulnerability that allowed such significant collateral damage.

Re:DNS Vulnerabilities (5, Interesting)

Spy der Mann (805235) | more than 8 years ago | (#15285372)

...and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

Um, how about "no such thing as bad publicity"?

In my journal I commented that the attack on Six Apart was the web equivalent of Pearl Harbor [slashdot.org]. It not only (possibly) called the attention of the authorities towards PharmaMaster, it also became famous worldwide: I've been searching blogs [google.com] for "blue security" and I've seen a lot of comments from people wanting to sign up when they're back online. One blogger in particular (forgot the url) said that "Blue Security" became the top Technorati search during the attacks.

Re:DNS Vulnerabilities (1)

RedHat Rocky (94208) | more than 8 years ago | (#15285522)

Notice that, as I mentioned in the DNS story, causing such collateral damage serves to bring much unwanted attention to the attacker. Would we be discussing this if only Blue Security had been affected?

publicity! (4, Interesting)

celardore (844933) | more than 8 years ago | (#15285268)

Even if the servers were temporarily downed, the publicity generated from this incident surely got quite a few new members.

Heck, I even signed up; shall have to wait and see if it's worth it though.

Re:publicity! (2, Interesting)

ltwally (313043) | more than 8 years ago | (#15285378)

Agreed. I'd never heard of Blue Security until this story hit the news. Now I'm a member, too. I'd be willing to bet that we're not the only ones, either. Blue Security probably just doubled its membership with this story.

Looks to me like this Pharma dude really shot himself in the foot.

Re:publicity! (1)

British (51765) | more than 8 years ago | (#15285969)

I think Blue Security should name their headquarters "Zion city". They seem to be being attacked by numerous Agent Smiths(PharmaMasters?) and their associated tendril robots.

I want names and addresses! (1, Funny)

Anonymous Coward | more than 8 years ago | (#15285272)

What is the name and location of PharmaMaster? I'd like to see him DDOS his way out of a crowd of angry villagers carrying torches and pitchforks.

Re:I want names and addresses! (4, Informative)

ZachPruckowski (918562) | more than 8 years ago | (#15285312)

The forum that organized (or at least helped in) the attack is located here [specialham.com] , but I think it's still down. It was nailed by a deliberate vigilante DDoS from about a hundred or so Digg members yesterday/last night. They hacked a university to host it after the first host got nailed. Not sure what happened after that.

I would like to thank him! (1)

XSforMe (446716) | more than 8 years ago | (#15285984)

I had almost dismissed bluefrog as yet another spam control tool. Now I know it is really hurting them. Signed on as soon as their servers allowed me. I can't wait until they get fully online again to finish generation of my account.

Thanks Pharma!

Pharma master identity (1, Interesting)

Anonymous Coward | more than 8 years ago | (#15285280)

So who is Pharma master? With all the info that's been compiled on the top spammers, isn't this guy in ROKSO yet?

Let's find him and show him some "affection".

Re:Pharma master identity (1)

Spy der Mann (805235) | more than 8 years ago | (#15285449)

Maybe he is there already [spamhaus.org] . There are about 10 famous spammers from Russia. I'm betting that the nickname "PharmaMaster" is only an alias for one of those guys.

Unfortunately, the only witness account of PharmaMaster comes from BlueSecurity themselves, I wonder if the feds could subpoena ICQ to give details of the conversation and see which IP it came from.

Ehm the FBI? (1)

SmallFurryCreature (593017) | more than 8 years ago | (#15285707)

They are based in Israel so this spammer doesn't need to worry about the might of the FBI. Let's see, what do I know of Israel, its security agencies and their methods. Mmm, some group called "Mossad", let's see, oh yeah. The kind of people who don't give a fuck when it comes to getting their man because when you are a country surrounded by enemies one more or less doesn't matter.

Not that I think that they would bother with a spammer but a guy can dream can't he?

Re:Ehm the FBI? (2, Funny)

nuzak (959558) | more than 8 years ago | (#15285804)

Man, what are you, 13 years old? Mossad does not go after spammers. Believe it or not, the Israeli state has worse enemies.

Re:Ehm the FBI? (0)

Anonymous Coward | more than 8 years ago | (#15285819)

What are you, twelve? Eleven?

Re:Ehm the FBI? (1)

Iphtashu Fitz (263795) | more than 8 years ago | (#15285897)

They are based in Israel so this spammer doesn't need to worry about the might of the FBI.

Not true. Since the idiot spammer DDoS'd the Tucows DNS server it affected thousands of sites all over the world. If either the Tucows server or one of those sites whose DNS is hosted by Tucows is located in the US then the FBI has all the jurisdiction they would need to launch an investigation. Of course just because they can doesn't necessarily mean they will. But if any of those customers is big enough they just might.

Re:Pharma master identity (1)

Ohreally_factor (593551) | more than 8 years ago | (#15285958)

Since it was the target of a criminal attack, BS could subpoena ICQ for the IP without US law enforcement agency intervention. However, I think it's doubtful that the IP will be anything other than a dead end, unless Pharma was especially reckless.

Tier 1 ISP (1)

Joe U (443617) | more than 8 years ago | (#15285290)

So, which Tier-1 ISP is having their name withheld? Any ideas?

Re:Tier 1 ISP (0)

Anonymous Coward | more than 8 years ago | (#15285401)

Telia, I think.

Re:Tier 1 ISP (2, Insightful)

btpier (587890) | more than 8 years ago | (#15285460)

Yeah, I was wondering the same thing. Which Tier-1 ISP was willing to help this guy out? I do believe that the Blue Security method of whacking spammers' websites probably looks a lot like a DDoS (which in effect it is). But which ISP was foolish enough to take logs from a known major spammer and use them to Blackhole Filter packets going TO a legitimate site (filtering packets from, maybe, but to?).

Maybe UUNET, maybe not (3, Informative)

JohnQPublic (158027) | more than 8 years ago | (#15285957)

An InfoWorld article [infoworld.com] from May 4th quoted Blue Security CEO Eran Reshef as saying:

Among other things, Reshef said that pharmamaster claimed to have a contact at UUNET who would do his bidding. Rather than launch a denial of service attack against BlueSecurity.com, the spammer instructed the contact to alter the routing tables so that traffic from outside Israel would not reach the company's servers.
Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:
  1. The spammer lied and it wasn't UUNET.
  2. UUNET threatened Blue Security and they caved.
  3. Blue Security doesn't want to be threatened.

Looks like it's working (1)

frenchie323 (726478) | more than 8 years ago | (#15285291)

It seems that, with more people using bluefrog, the defense will become more effective.

Tucow bad behavior? (5, Insightful)

stry_cat (558859) | more than 8 years ago | (#15285292)

Looks like Tucows really behaved badly. They cancelled an account of a legitimate user instead of defeating the attack. They should never have given in to the spammer's demands.

Re:Tucow bad behavior? (1, Insightful)

a16 (783096) | more than 8 years ago | (#15285695)

I have no idea of how Blue Security operate their network, but presuming that Tucows only provide the domain registration and DNS services, they are probably earning what - $20 a year from Blue Security?

I understand that in an ideal world a company should stand by a client suffering a DDoS attack, and there are many companies out there that do (but they advertise the service specially, and you pay thousands for it). But I don't think we can really say that a company providing budget services to the masses has to sustain hundreds of thousands of dollars in losses to sustain one $20 client.

It's not ideal, but that's how the web works - and why DDoS attacks are so nasty, it's easy to end up in a situation where you've done nothing wrong, but nobody will host you.

Look at it this way - if you had a small company, or even a big company, and your entire network was down due to a client who gives you $20 a year - what would you do? Keep the client out of honour, but go out of business anyway?

Of course, if Blue Security pay Tucows for a $5,000/month DoS prevention plan that I'm not aware Tucows offer anyway, ignore this post ;)

Re:Tucow bad behavior? (3, Interesting)

drinkypoo (153816) | more than 8 years ago | (#15285966)

Look at it this way - if you had a small company, or even a big company, and your entire network was down due to a client who gives you $20 a year - what would you do? Keep the client out of honour, but go out of business anyway?

Look at it this way - are you going to forget that Tucows turned off a legitimate client? Me neither. Are you going to consider Tucows next time you need a corporate provider? Me either.

This isn't just between PharmaMaster & Bluefro (5, Interesting)

DigDuality (918867) | more than 8 years ago | (#15285294)

Apparently spammers are lining up to help out Pharmamaster from the SpecialHam forums. Digg.com users yesterday attempted launching multiple types of bandwidth vampirism and DDOS attacks on SpecialHam as well. http://digg.com/technology/SPAMmers_really_pissed_off_at_bluesecurity,_read_their_message_board [digg.com]

Re:This isn't just between PharmaMaster & Blue (1)

ZachPruckowski (918562) | more than 8 years ago | (#15285556)

They were pretty successful at it, they got it really slow before the rehosting at a University. They also made the forum cancel registrations and blanked a few gateway pages, which had to be a bit of a nuisance to the spammers. See it here. [specialham.com]

Backbone level blackholing? (4, Interesting)

ladybugfi (110420) | more than 8 years ago | (#15285299)

>Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level).

No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.

Re:Backbone level blackholing? (0)

Anonymous Coward | more than 8 years ago | (#15285345)

That's very easy. It's called social engineering.

Re:Backbone level blackholing? (4, Interesting)

Anonymous Coward | more than 8 years ago | (#15285354)

Sounds like they paid off some people...

> * ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
> * "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)"

This was more clear in some other article, but I can't find it at the moment. The spammers supposedly have an engineer on a backbone helping them. All I want to know is how the engineer expected not to be caught (I'm assuming he is caught... or there is a whole heck of a lot more corruption out there than I thought).

Re:Backbone level blackholing? (1)

Joe U (443617) | more than 8 years ago | (#15285458)

That's what I was thinking actually. Is the backbone that messed up?

On another note, why hasn't some greyhat decided, 'enough with these fucking botnets' and just start mass-formatting drives? I mean, the bots have root access, you CAN take the systems down.

Re:Backbone level blackholing? (2, Interesting)

Moqui (940533) | more than 8 years ago | (#15285463)

Or PharmaMaster is said Engineer at a backbone provider.

Re:Backbone level blackholing? (1)

VikingThunder (924574) | more than 8 years ago | (#15285652)

That would have been great if he was... would have been easy for him to get nailed...

What is? (2, Interesting)

towsonu2003 (928663) | more than 8 years ago | (#15285327)

What's "blackhole filtering"?

A router equivalent of /dev/null (1)

3.5 stripes (578410) | more than 8 years ago | (#15285402)

at least, that's the way it seems to be described.

Re:A router equivalent of /dev/null (1)

d_jedi (773213) | more than 8 years ago | (#15285712)

OK.. and what's a /dev/null?

Nothing (1)

SmallFurryCreature (593017) | more than 8 years ago | (#15285773)

It comes from unix. On unix systems all devices from the vidcard to the mouse are mounted on the filesystem, by default under /dev/ (devices). They are in many ways files: some readable, some writable and some both.

/dev/null is a special device and it is nothing. If you write to it, it goes nowhere, it just disappears.

A common joke is that you backed up to /dev/null because it had plenty of space.

I don't think windows has a similar function readily available.

So what do you use it for? Well, when you have something that needs to output to something and you don't want the output. It's commonly used in scripts that run automatically to throw away unneeded messages.

As for how and why routers should have this. No idea. Sounds odd that you could get a router to discard its data.

Re:Nothing (0)

Anonymous Coward | more than 8 years ago | (#15285818)

Under Windows it's NUL:

Re:Nothing (1)

nuzak (959558) | more than 8 years ago | (#15285981)

> I don't think windows has a similar function readily available.

\Devices\Null in NT, more frequently accessed with the annoying DOS legacy "magic filename" NUL (yet another file you can't create). NUL is just a symbolic link in the "global" directory (a DOS compatibility hack basically) but it should be possible to use IoRegisterDeviceInterface to create an actual /dev/null path and get rid of \Global??\NUL and all the other hardwired DOS filenames. God knows what you'd break if you did the latter though.

Re:Nothing (2, Informative)

operagost (62405) | more than 8 years ago | (#15285991)

I don't think windows has a similar function readily available.
NUL

Re:A router equivalent of /dev/null (1)

-sublimity- (964447) | more than 8 years ago | (#15285779)

Someone will come along with a more technical explanation but basically its the *nix version of a trashcan. For example, if you want to run a job but really don't care about the output logs, you could redirect them to /dev/null.

Re:What is? (1, Informative)

Anonymous Coward | more than 8 years ago | (#15285454)

My thoughts exactly.

A Google search showed this slide: http://www.soi.wide.ad.jp/class/20040013/slides/11/23.html [wide.ad.jp]

Based on that slide, I think that Israeli BGP routers were hacked, adding a null route for the BlueSecurity IPs.

I could be wrong (in fact, I'd bet I am).

Could anyone sign up? (1)

Fanro (130986) | more than 8 years ago | (#15285336)

I tried downloading their software and signing up with them over the last week.
Figured if a spammer is that pissed off at them they must be doing something right.
The sign up site was often down, but when it was up I always seemed to fail their captcha.
Did anyone have more luck?

Re:Could anyone sign up? (1)

spyrochaete (707033) | more than 8 years ago | (#15285661)

Signups are working but their SMTP server is down, so they're not sending any validation emails. Just be patient.

Re:Could anyone sign up? (1)

Sinister Stairs (25573) | more than 8 years ago | (#15285752)

I just wanted to confirm what spyrochaete said: I was able to register, but I didn't get the confirmation email. When I try checking my account's email/domain page, it says:

Currently unavailable due to problems with our email service

Here's a link to their New User registration [bluesecurity.com] page, it should have been easier to find.

DDoS Extortionists (5, Interesting)

Council (514577) | more than 8 years ago | (#15285340)

this [csoonline.com] is a really cool story about how a company handled a DDoS attack by organized crime.

Re:DDoS Extortionists (0)

Anonymous Coward | more than 8 years ago | (#15285994)

Yeah, wish I could find the link; it only happened a couple of months ago, but Prolexic got hit with a 6gig attack and couldn't handle it. So, I wouldn't put too much faith in them. Although a nifty story nonetheless.

link to information week's article (3, Informative)

DisplacedJoshua (919071) | more than 8 years ago | (#15285410)

Shameless from digg, but an easy redirect for /.ers without having to read digg's stuff: Information Week's take on it makes it seem less, well, amazing on the part of the spammers. http://www.informationweek.com/story/showArticle.jhtml?articleID=187200875 [informationweek.com]

Sad state of backbone administration (2, Interesting)

Anonymous Coward | more than 8 years ago | (#15285423)

When you read Blue Security's press releases, it seems obvious they are a little on the desperate side, trying to figure out how to deal with this Pharmamaster character who has brought their network to its knees. What's unfortunate about the situation is that it brings to light the sad state of backbone administration, where the major providers can't or won't do anything about the situation, and a company is left trying to appeal to the general public to do something about it.

Of course if the attack had occurred against a company like General Electric or Eli Lilly, the perpetrator would be in jail right now.

It seems obvious the perp is an American. It shouldn't be that difficult to track him down, especially since he's IM'ing the victims.

Re:Sad state of backbone administration (2)

PrescriptionWarning (932687) | more than 8 years ago | (#15285451)

well for an American he sure doesn't know how to form correct sentences. Maybe this is why spam emails appear to be written by a 5 year old...

Blue Security works (0)

Anonymous Coward | more than 8 years ago | (#15285734)

I signed up with them about four months ago and saw the spam on my "protected" accounts go down by about 50%. It doesn't kill all the spam, but every bit helps.

_Detailed_ timeline? (4, Interesting)

Whizard (25579) | more than 8 years ago | (#15285453)

Wow, if this is a detailed timeline, I'd hate to see the summary.

"Some shit happened."

As a security guy, this could have been really interesting, but it's not.

Poor response (5, Insightful)

Grand Facade (35180) | more than 8 years ago | (#15285479)

PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
[May 3rd 23:23 GMT]
PharmaMaster Boasts Success


Tucows is a company I will never recommend or use to host any of my domains.
Caving in to a spammer/hacker retaliation will not garner much support.

http://www.joker.com/ [joker.com] serves my needs well

Pharma Master (4, Insightful)

jefu (53450) | more than 8 years ago | (#15285533)

So, just who is this PharmaMaster guy anyway.

Enquiring minds (and all that) want to know.

Re:Pharma Master (3, Informative)

ZachPruckowski (918562) | more than 8 years ago | (#15285802)

PharmaMaster is an IM and forum handle. He's a major spammer, and probably responsible for at least some of that junk in my google mailbox's junk folder right now. He is apparently working with a cartel of spammers to try to crush anti-spam attempts. Interesting reading about their planning on the specialham.com spammer's forum was mirrored online somewhere yesterday, but got taken down for some reason.

Re:Pharma Master (0)

Anonymous Coward | more than 8 years ago | (#15285859)

I've said it before and I'll say it again: he's your typical Russian criminal. They are all like that. Have you ever had to either work with one or encounter one at a business, usually a computer business, who will try to screw you over every time?

Slashdot army unite! (5, Insightful)

spyrochaete (707033) | more than 8 years ago | (#15285603)

This ferocious attack on Blue Security as well as Typepad and TUCOWS is proof that Blue Security's tactics are working. Spammers are scared to death of Blue Frog because it forces them to comply with the spirit of CANSPAM (since it is worthless in practise). They are so desperate that they are damaging the internet backbone to slightly increase the limited time that spam will be profitable.

Do not listen to FUD-spreading ignoramuses who will no doubt leave many /. comments urging you to stay away from Blue Frog. Spammers do not have Blue Security's member lists - they are simply DIFFing their entire lists with the opt-outs sent by Blue Frog and sharing their filters with the "mailer community". Yes, some members (not me) have been threatened with, and temporarily received, more spam. However, this can't last since spammers who do this are simply fighting fire with gasoline! The more spam Blue Frog users get, the more opt-outs the spammer and client receive, which costs them time and money! Plus, regarding threats to leave Blue Frog, does it make sense that a spammer would remove ANY working email address for ANY reason?

Who do you trust to solve your spam problem? Microsoft? Your government? If they really cared, wouldn't the problem have been solved long before spam encompassed 90% of all email? Blue Security offers a realistic, fair, assertive, and EFFECTIVE means of hitting spammers where it hurts - in the database and in the pocketbook. They need your help to make spam an unprofitable, inconvenient vehicle for advertisers.

I urge each and every /.er to sign up for a Blue Frog account RIGHT NOW (or whenever they're not getting DOSed) and simply forward your spam to yourusername@reports.bluesecurity.com. You can wait a day or two and send many spams as attachments in one email, or you can let the resident client do it for you. It's so easy and the headlines prove that it really does make a difference.

Spammers are childishly thrashing around the internet like a bull in a china shop, having a flailing temper tantrum because people dare to stand up for their privacy. It is the duty of /.ers, as an informed userbase, to stand up for those internet users who don't know how to stand up for themselves.

We have the numbers and the motivation. Aren't you sick and tired of these rich criminals wasting our time, defrauding our elders, and endangering our children day after day? If we stand together, just as the spammers stand together to attack Blue Security, then we WILL win.

Sign up for a Blue Frog account ASAP and encourage your friends and family to do the same, as I have. And if you think it's possible to reason with spammers, check out this CastleCops forum thread [castlecops.com] that shows inside conversations from a spammer message board.

Re:Slashdot army unite! (1)

NoWhereMan (3539) | more than 8 years ago | (#15285916)

I urge each and every /.er to sign up for a Blue Frog account RIGHT NOW (or whenever they're not getting DOSed) and simply forward your spam to yourusername@reports.bluesecurity.com. You can wait a day or two and send many spams as attachments in one email, or you can let the resident client do it for you. It's so easy and the headlines prove that it really does make a difference.

They are not ready yet to accept new accounts. It has been days and I still have not gotten their validation email. They do have their forums working where you can check status and read comments from the community.

Sign up for a Blue Frog account ASAP and encourage your friends and family to do the same, as I have.

It may be possible to sign up now, but you cannot validate your email address. I have already informed them that it leaves a bad first impression letting someone download the software without the ability to use it. If they are really having network problems (as opposed to configuration issues), it would make sense for them to conserve resources by not letting people download software they cannot currently support.

While we are waiting for Blue Security to get back on their feet, we probably should complain to TUCOWS. If enough people tell them they will never be considered because of this willingness to dump a legitimate customer, they may get the message.

Re:Slashdot army unite! (1)

dbc001 (541033) | more than 8 years ago | (#15285926)

I would sign up, but I run my own email server and haven't given out a real email address in years (I use aliases to forward all my email to the real account). I haven't seen SPAM in 2 or 3 years.

Blackmail tactics (3, Informative)

taupter (139818) | more than 8 years ago | (#15285605)

Those spammers will send threat e-mails whether you unsubscribe or not, so don't unsubscribe. They're doing this because it's hurting them in their pocket. Big deal. I don't give a damn if a spammer can't buy a new humvee limo, and I don't have to support those scumbags. So if they want to fill my mailbox with their trash, so be it. I will not bend over to them. I will not unsubscribe. I will not let those fscking bastards tell me what I should do.

Re:Blackmail tactics (5, Funny)

Urusai (865560) | more than 8 years ago | (#15285719)

"...we'll fight them at the routers, we'll fight them on the backbone, we'll fight them at the ISP, we'll fight them at the firewall; we shall never surrender."

If they were attacked... (5, Funny)

The MAZZTer (911996) | more than 8 years ago | (#15285641)

...they must be doing something right! I'm signing up.

Thanks PharmaMaster for referring me!

?H?uh??? (0, Interesting)

Anonymous Coward | more than 8 years ago | (#15285790)

One of the world?s largest spammer?s, ?PharmaMaster?

This was from IE 6.0.2800. As I'm at work I haven't looked in Firefox to see if it's equally retarded..

If they can't write HTML that will display properly in all browsers, particularly with the one 80% of surfers use, can they really be "good with computers?"

And if the question mark in "spammer?s" is supposed to be an apostrophe, they're not only incompetent but illiterate.

Perhaps the spammer took them on because they were an easy mark? These folks should hire a web designer who knows HTML and what it's for (hint: conveying information), and if that one question mark is supposed to be an apostrophe, a copywriter who isn't a retarded illiterate.

However, the fact that they were complicit in the spammer's taking blogs down also shows their lack of competence.

That said, who is this "PharmaMaster?" I'd like a real name and meatspace home address so I can forward all of my snail junk mail to him and encourage arsonists to burn his house down, preferably with him in it. It's time for a little bloody vigilantism, folks. Let's kill some spammers. Blue Security, who is this guy and why are you helping him stay anonymous?

The only solution to spam... (3, Insightful)

Dog-Cow (21281) | more than 8 years ago | (#15285837)

Is to kill the spammers. Obviously the death penalty doesn't resolve the issue forever, or we'd not have as much crime as we do in the world, but it will deter most spammers.

We put down rabid dogs because they have the potential to harm human beings despite having no intention to do so. Why is it less humane to remove life that actively and maliciously harms others?

I'd love to meet that spammer... (3, Funny)

eno2001 (527078) | more than 8 years ago | (#15285920)

...and show him my SIG. [DUKE NUKEM MODE]Come get some[/DUKE NUKEM MODE]