What Happened to Blue Security

Posted by Hemos on Mon May 08, 2006 09:51 AM
from the bad-news-for-anti-spam dept.
shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."
  • Coral Cache (Score:5, Informative)

    by Rob T Firefly (844560) on Monday May 08 2006, @09:54AM (#15285219)
    (http://robvincent.net/ | Last Journal: Tuesday October 09, @01:55PM)
  • Powered by Copy-Paste (TM).


    Timeline (all times in GMT)
    [May 2nd 13:42 GMT]
    PharmaMaster Works to Block Traffic to Blue's Corporate Web Site

    One of the world's largest spammers, 'PharmaMaster', sends Blue Security an ICQ message stating that he will block traffic to Blue's corporate website, www.bluesecurity.com

    * ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
    * "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)"

    [May 2nd 14:47 GMT]
    BlueSecurity.com Can't be Accessed Outside of Israel

    Blue Security receives another ICQ message from PharmaMaster stating that Blue's corporate Web site cannot be accessed from outside of Israel.

    * ICQ Message: "bluesecurity.com cant be open from outside of israel oh i feel sorry for the company really :)"

    [May 2nd 15:30 GMT]
    Blue Security's Dedicated Servers - NOT Corporate Website - Under Attack

    Blue Security's operational servers - NOT www.bluesecurity.com - suffer from DDoS attacks.
    [May 2nd 16:30 GMT]
    Corporate Website Receives 2 Hits/Min

    Blue employees notice that there is no load on the corporate website, www.bluesecurity.com (2 hits per minute) and that most visitors originate from Israel.
    [May 2nd 17:07 GMT]
    PharmaMaster Sends Message: Website Can't be Accessed Around World

    Blue receives another ICQ message from PharmaMaster stating the company's corporate Web site can not be accessed around the world.
    [May 2nd 20:17 GMT]
    Blue Performs Technical Analysis: Confirms Website Cannot be Accessed Abroad

    Blue's technical analysis team determines that its corporate website can still be accessed from Israel, but cannot be accessed abroad.
    [May 2nd 21:17 GMT]
    Blue Reports More Symptoms: "Blackhole filtering" Confirmed

    Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level). Still, there is no sign that there was a DDoS attack on Blue's website.
    [May 2nd 22:45 GMT]
    Blue Security Decides to Update Blue Community

    Blue Security decides to update the Blue community about the situation by reverting to Blue's pre-launch "Blue Zone" Blog, hosted on Typepad.
    [May 2nd 23:20 GMT]
    BlueSecurity.com Redirected to TypePad

    www.bluesecurity.com is redirected to Blue Security's blog. Many community members can receive real time information about the attack.
    [May 2nd 23:27 GMT]
    First Comment Posted on the Blue Blog

    Blog site at TypePad functional. The first comment is posted on the Blue blog by a user.
    [May 2nd 23:57 GMT]
    Last comment Posted on the Blue Blog Before DDoS Begins

    TypePad blog site still functional. The last comment is posted thirty minutes later on the Blue blog just before the new DDoS attack occurs. (If there had been an initial DDoS attack on Blue's corporate site, the blog site would have been hit)
    [May 3rd 00:00 GMT]
    PharmaMaster Starts Attacking Typepad

    A fierce and ruthless DDoS on Typepad begins. Blue is not aware of the DDoS due to the late hour in Israel (2 AM local time). Typepad continues to carry Blue Security's blog and help Blue keep our community aware of the situation.
    [May 3rd 16:43 GMT]
    PharmaMaster Strikes Again, Takes Down Tucows

    PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
    [May 3rd 23:23 GMT]
    PharmaMaster Boasts Success

    Almost 24 hours later, PharmaMaster boasts success in another ICQ message

    * ICQ Message: "pharma master: you know i feel sorry for you a
    • Re:For the lazy :) by darkmeridian (Score:1) Monday May 08 2006, @10:45AM
    • Question about what Blue Security does by AEton (Score:2) Monday May 08 2006, @11:17AM
    • Re:For the lazy :) (Score:4, Interesting)

      by jefu (53450) on Monday May 08 2006, @10:35AM (#15285516)
      (http://foo.ewu.edu/ | Last Journal: Monday June 18, @12:43PM)

      But!

      Reading the account in TFA reveals that Blue Security was not undergoing a DDOS attack and that the DDOS attack on Typepad starts well after the address is redirected. Then the spammer seems to have widened the attack to bring down as many people as possible to make it look like Blue Security is at fault (which, at least according to their story - be nice to hear PharmaMaster's account, if he/they are not too cowardly to say anything) they were not.

      I'm not a Blue Security user, but if they've managed to make a spammer this cranky, I'm going to seriously consider it.

      [ Parent ]
    • Re:For the lazy :) (Score:5, Informative)

      by Anonymous Coward on Monday May 08 2006, @10:36AM (#15285527)
      FFS, RTFA. They clearly say that they were blackholed (*NOT* under a DDoS attack) when they redirected their DNS record to point to their blog. It was only after 'PharmaMaster' realized that the record had changed that the DDoS was launched.

      PharmaMaster went forth with the DDoS with the full knowledge that he was going to hit Six Apart's servers. That was the entire point -- he wanted BlueSecurity off the net entirely and was willing to step on anyone to get it done.

      This was not malicious on BlueSecurity's part.
      [ Parent ]
    • This was truly lame and inexcusable - redirecting the attack from themselves to someone else.

      Notice that the bluesecurity.com website was *NOT* being flooded with packets. On the contrary, it was routed to null for all the internet except Israel. In summary, there were 4 different DOS attacks:

      * Packet flooding (lots of traffic) the operational servers (the ones doing the opt-outs)
      * Null routing blue's www (no traffic)
      * Packet flooding the redirected www at Six Apart (lots of traffic)
      * Packet flooding Tucow's DNS servers (lots of traffic)

      So, technically, blue security didn't redirect the attack.
      [ Parent ]
    • Re:For the lazy :) (Score:4, Interesting)

      by shish (588640) on Monday May 08 2006, @10:54AM (#15285674)
      (http://www.shishnet.org/)
      This was truly lame and inexcusable - redirecting the attack from themselves to someone else.

      If I'm reading correctly -- Up to that point, the DDoS was on BS's dedicated machines, the site itself was blackholed rather than under attack; hence they weren't redirecting an attack, just redirecting users who wanted to know what was going on.

      Also, I note the URL you have on your post...

      [ Parent ]
  • DNS Vulnerabilities (Score:5, Informative)

    by Billosaur (927319) * <wgrotherNO@SPAMoptonline.net> on Monday May 08 2006, @09:58AM (#15285250)
    (Last Journal: Wednesday November 07, @10:09AM)

    [May 3rd 16:43 GMT]
    PharmaMaster Strikes Again, Takes Down Tucows

    PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.

    And it wasn't all that long ago that DNS vulnerabilities [slashdot.org] were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

    • Re:DNS Vulnerabilities (Score:5, Insightful)

      by Rob T Firefly (844560) on Monday May 08 2006, @10:03AM (#15285284)
      (http://robvincent.net/ | Last Journal: Tuesday October 09, @01:55PM)
      imagine the PR campaign that Blue Security is going to have to wage to get any credibility back

      Considering who Bluesecurity are and what they do, this whole thing has actually seemed to me to serve as pretty good PR for them. It pisses off lots of people, but once the facts were out there pretty much everyone I know got pissed at the spammer, not Bluesecurity. Everyone hates spam, but now they see a spammer taking things to the next level of evil, which really strengthens the image of the "good guys." People who never heard of Bluesecurity before are becoming ready to do what they can to work against this spammer.

      [ Parent ]
      • Re:DNS Vulnerabilities (Score:5, Interesting)

        by mikeisme77 (938209) on Monday May 08 2006, @10:10AM (#15285330)
        (http://www.mikeoren.com/ | Last Journal: Friday August 11 2006, @08:17AM)
        Amen to that. I had never heard of BlueSecurity before this fiasco, but now that I've heard how much trouble they can give these jackass spammers and that they stick to their guns (no matter the cost), I'd like to support them in some way (although I probably won't join the network, as I don't agree with their methods of stopping spam).
        [ Parent ]
        • Re:DNS Vulnerabilities by 7ft_Big_Guy (Score:1) Monday May 08 2006, @01:38PM
        • Re:DNS Vulnerabilities (Score:5, Interesting)

          by jjhall (555562) <slashdot@@@mail4geeks...com> on Monday May 08 2006, @01:38PM (#15287193)
          What part of their methods do you not agree with? All they are doing is automating what you could do on your own. For each spam message you send them, they analyze it and set up a script to make ONE opt-out request on the spammer's website (where they are selling their product) and ONE message each to some and/or all of the upchain ISPs, government agencies that have jurisdiction over the crime, etc. They then forward that script to your BlueFrog client running on your system. If you are the only person that got that spam message, that one message is all that is sent to the spammer and the appropriate authorities.

          Now if the spammer sends that message to 1000 BlueSecurity members, they will get 1000 messages generated and sent, one from each of the users they spammed. If they send it to 5000 users, well you get the idea. The more Blue people they spam, the more opt-out requests they get. One for one.

          You have a right to do it by yourself, tracking filling out forms on the spammer's ordering site, forwarding a copy to the ISP of the originating IP and/or mail server, forwarding it to the FDA if it is a drug-related spam, etc. How long will that take you? You could easily spend a few hours a day or more doing that.

          Enter BlueSecurity stage right. They hire staff to track down the senders of that spam message you just received, just like you would have done. The difference is they take that information and distribute it to everybody else they know received that spam as well.

          The thing is, these spammers should understand they have absolutely 0% of a chance of selling that item to any of the members of the Blue community. Why are they bothering to do this when it has no chance whatsoever of giving them even a single cent of profit? They should be happy to have the chance to clean their leads list. I've done telephone sales in the past (calling existing members about renewals) and I was happy to remove people who didn't want to be called from the list. For every person I removed from the list, it meant one less guaranteed no-sale next time the membership list cycled. In the long run I made more sales, and actually helped more people save money (it was cheaper to renew via phone than via the normal process) on a product they wanted.

          I understand the calling I was doing is completely different than the spamming in this topic, but the end result is the same. The more guaranteed "no" leads you remove, the higher your sales percentage will be, and the more profits in the long run.

          I had heard about Blue before this mess, but never got around to checking into their methods and signing up. Now that I see they are effective, and feel comfortable on how their network and client works (I also thought they DDoS'd the sites until I looked into it,) I have signed up. Now I'm waiting for their system to become fully functional again so I can verify my account and start kicking spammer tail!

          Jeremy

          [ Parent ]
      • Re:DNS Vulnerabilities by Billosaur (Score:2) Monday May 08 2006, @11:16AM
    • Re:DNS Vulnerabilities-- not Blue Security's fault by erbmjw (Score:2) Monday May 08 2006, @10:12AM
    • ...and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

      Um, how about "no such thing as bad publicity"?

      In my journal I commented that the attack on Six Apart was the web equivalent of Pearl Harbor [slashdot.org]. It not only (possibly) called the attention of the authorities towards PharmaMaster, it also became worldwide famous: I've been searching blogs [google.com] for "blue security" and I've seen a lot of comments from people wanting to sign up when they're back online. One blogger in particular (forgot the url) said that "Blue Security" became the top technorati search during the attacks.
      [ Parent ]
    • Re:DNS Vulnerabilities by RedHat Rocky (Score:2) Monday May 08 2006, @10:35AM
    • Re:DNS Vulnerabilities by Secrity (Score:2) Monday May 08 2006, @11:49AM
    • Re:DNS Vulnerabilities by AyeRoxor! (Score:2) Monday May 08 2006, @02:34PM
    • Tucows are cowards! (Score:4, Insightful)

      by Alascom (95042) on Monday May 08 2006, @03:46PM (#15288194)
      The fact that Tucows would kick one of their customers to the curb in a pathetic attempt to pacify a blackmailer/spammer/terrorist is shameful, short-sighted, and tragic.

      While the spammer is clearly worthy of our scorn, I believe Tucows is even more deserving of public shame and disgrace. I expect a spammer to spam, I expect a hacker to hack, but I do not expect a (formerly) respectable business that takes my money to sell me out to criminals! Yes, I know they claim it was to protect their other customers, but tossing your baby to the lion to keep it from attacking everyone else is reprehensible and I thought civilization had progressed beyond this.

      I for one, will NEVER use any of their services or web properties again unless they issue a public apology for their actions. Not just to BlueSecurity, but to all of their customers, because this clearly sends a signal to all would-be DDoS attackers that Tucows customers are for sale for the price of a few million IP packets!

      [ Parent ]
  • publicity! (Score:4, Interesting)

    Even if the servers were temporarily downed, the publicity generated from this incident surely got quite a few new members.

    Heck, I even signed up; shall have to wait and see if it's worth it though.
    • Re:publicity! by ltwally (Score:3) Monday May 08 2006, @10:18AM
      • Re:publicity! by British (Score:2) Monday May 08 2006, @11:28AM
        • Re:publicity! by smokeslikeapoet (Score:2) Monday May 08 2006, @02:10PM
          • Re:publicity! by starman97 (Score:2) Monday May 08 2006, @02:13PM
      • Re:publicity! by Da_Weasel (Score:2) Monday May 08 2006, @03:44PM
  • I want names and addresses! (Score:1, Funny)

    by Anonymous Coward on Monday May 08 2006, @10:01AM (#15285272)
    What is the name and location of PharmaMaster? I'd like to see him DDOS his way out of a crowd of angry villagers carrying torches and pitchforks.
  • Pharma master identity (Score:1, Interesting)

    by Anonymous Coward on Monday May 08 2006, @10:03AM (#15285280)
    So who is Pharma master? With all the info that's been compiled on the top spammers, isn't this guy in ROKSO yet?

    Let's find him and show him some "affection".
  • Tier 1 ISP (Score:1)

    by Joe U (443617) on Monday May 08 2006, @10:04AM (#15285290)
    (http://slashdot.org/ | Last Journal: Monday August 20, @10:21AM)
    So, which Tier-1 ISP is having their name withheld? Any ideas?
    • Re:Tier 1 ISP by btpier (Score:2) Monday May 08 2006, @10:28AM
    • Maybe UUNET, maybe not (Score:4, Informative)

      by JohnQPublic (158027) on Monday May 08 2006, @11:27AM (#15285957)

      An InfoWorld article [infoworld.com] from May 4th quoted Blue Security CEO Eran Reshef as saying:

      Among other things, Reshef said that pharmamaster claimed to have a contact at UUNET who would do his bidding. Rather than launch a denial of service attack against BlueSecurity.com, the spammer instructed the contact to alter the routing tables so that traffic from outside Israel would not reach the company's servers.
      Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:
      1. The spammer lied and it wasn't UUNET.
      2. UUNET threatened Blue Security and they caved.
      3. Blue Security doesn't want to be threatened.
      [ Parent ]
      • Re:Maybe UUNET, maybe not (Score:4, Informative)

        by gbjbaanb (229885) on Monday May 08 2006, @11:42AM (#15286115)
        Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:

        4. They're going to be named in a lawsuit, and they don't want to prejudice it with media attention, or counter-suits of defamation.
        5. They've contacted the ISP to resolve their issues and don't want to annoy them by publicising who they were.
        [ Parent ]
    • Tier 1 ISP by capilot (Score:1) Monday May 08 2006, @04:23PM
  • by frenchie323 (726478) on Monday May 08 2006, @10:04AM (#15285291)
    It seems that, with more people using bluefrog, the defense will become more effective.
  • Tucow bad behavior? (Score:5, Insightful)

    by stry_cat (558859) on Monday May 08 2006, @10:04AM (#15285292)
    (Last Journal: Tuesday May 03 2005, @02:25PM)
    Looks like Tucow really behaved badly. They canceled an account of a legitimate user instead of defeating the attack. They should never have given into the spammer's demands.
  • Apparently spammers are lining up to help out Pharmamaster from the SpecialHam forums. Digg.com users yesterday attempted launching multiple types of bandwidth vampirism and DDOS attacks on SpecialHam yesterday as well. http://digg.com/technology/SPAMmers_really_pissed_off_at_bluesecurity,_read_their_message_board [digg.com]
  • Backbone level blackholing? (Score:5, Interesting)

    by LadyBug@FI (110420) on Monday May 08 2006, @10:05AM (#15285299)
    >Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level).

    No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.
    • Re:Backbone level blackholing? (Score:4, Interesting)

      by Anonymous Coward on Monday May 08 2006, @10:14AM (#15285354)
      Sounds like they paid off some people...

      "
      * ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
      * "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)""

      This was more clear on some other article, but I can't find it at the moment. The spammers supposedly have an engineer on a backbone helping them. All I want to know is how the engineer expected not to be caught (I'm assuming he is caught... or there is a whole heck of a lot more corruption out there than I thought)
      [ Parent ]
  • What is? (Score:2, Interesting)

    by towsonu2003 (928663) on Monday May 08 2006, @10:09AM (#15285327)
    What's "blackhole filtering"?
    • A router equivalent of /dev/null by 3.5 stripes (Score:2) Monday May 08 2006, @10:20AM
      • Re:A router equivalent of /dev/null by d_jedi (Score:2) Monday May 08 2006, @10:59AM
        • Nothing by SmallFurryCreature (Score:2) Monday May 08 2006, @11:06AM
          • Re:Nothing by nuzak (Score:2) Monday May 08 2006, @11:29AM
          • Re:Nothing by operagost (Score:2) Monday May 08 2006, @11:30AM
          • Re:Nothing by Anonymous Coward (Score:1) Monday May 08 2006, @11:40AM
          • Why null routing is critical (Score:4, Informative)

            by macdaddy (38372) on Monday May 08 2006, @01:16PM (#15286971)
            (http://slashdot.org/ | Last Journal: Monday January 31 2005, @05:48PM)
            There are dozens of uses for null routing on ISP networks. For example you can use simple static routes to match all private (RFC1918), reserved for special purposes (RFC3330), and unassigned (Google for "BOGON") netblocks and route them to Null0 (a logical interface that basically drops the packets, much like the data bursts are dropped when sent to /dev/null). This is basic ingress/egress filtering that should be deployed on all border routers. You don't want to accept packets destined for your network that claim to be from a RFC1918 address because they are almost certainly spoofed (or another upstream ISP has an idiot for a netadm and your common carrier also employs idiots for not doing ingress filtering on customer access circuits). This is actually less CPU intensive than an access-list. Most mid to upper-end routers today can offload routing decisions to ASICs, whereas access-list decisions still bounce off of the CPU in many cases. You lose much of your logging capabilities with this method however.

            A variation of this technique is to route packets to an internal "blackhole router" instead of to Null0. This consumes a little more resources than the Null0 option but still far less than an ACL. The blackhole router does nothing else other than null routing the traffic. It can also be used to route the traffic to a sniffing device to give the admin an opportunity to see what the malicious traffic really was. The blackhole router can also advertise internally the blackhole routes. This is useful when your network policy prohibits making changes to critical hardware such as a border router without sufficient peer review. Often when you must null route something you must do it in a hurry (ie, a customer is being attacked). Being able to make the changes on a non-critical box (the blackhole router) and having the route changes propagate up to a critical piece of hardware (the border router(s)) is very useful.

            Another reason to use them is to prevent routing loops. Let's say for example you have an access server terminating dialin customers. You've loaded out your AS with 192 modems. A /24 has been allocated for this AS. Your AS advertises that /24 with OSPF back into the core of your ISP network. However the AS's routing table doesn't contain a route for all 253 of the useable IPs in that /24. Instead individual routes are added as individual users dial in. Let's say a packet comes in that's destined for an IP that isn't in use. The AS looks at its routing table and says to itself that it doesn't have a route to that IP. It falls back on its default route which is the router upstream of the AS that just routed the packet to the AS. Rinse and repeat. A routing loop ensues.

            Sometimes in BGP you have to have a static route to a given netblock to turn around and advertise it. You already have internal routes that would ultimately route the packet to the right destination. However to get BGP working you have to create a specific route. You can simply create a static route to that subnet via Null0 with a cost of 254 and make BGP happy.

            There are dozens of examples of why you need null routing. Does that help? You can search on Cisco's website for additional references.

            [ Parent ]
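
Added example (not part of the comment above, and not any router vendor's code): a small longest-prefix-match simulation of the dial-in routing loop macdaddy describes, showing how a covering route to Null0 on the access server ends it. The router names, the 198.51.100.0/24 documentation prefix, and the modem line names are constructed for the illustration.

```python
import ipaddress

NULL0 = "Null0"  # discard pseudo-interface: packets routed here are dropped


class Router:
    """A routing table with longest-prefix-match lookup."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # list of (network, next_hop)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        # The most specific (longest) matching prefix wins.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_network(with_null_route):
    """Constructed topology: an ISP core router and one dial-in access server."""
    core = Router("core")
    core.add_route("198.51.100.0/24", "as1")   # /24 advertised by the access server
    core.add_route("0.0.0.0/0", "transit")

    as1 = Router("as1")
    as1.add_route("198.51.100.10/32", "modem-3")  # host routes exist only for
    as1.add_route("198.51.100.11/32", "modem-7")  # users currently dialed in
    as1.add_route("0.0.0.0/0", "core")            # default points back upstream
    if with_null_route:
        # Covering route for the whole pool. Host routes are more specific,
        # so active users still win; everything else in the /24 is dropped.
        as1.add_route("198.51.100.0/24", NULL0)
    return {"core": core, "as1": as1}


def forward(routers, start, dst, ttl=16):
    """Walk a packet hop by hop. Returns (outcome, path)."""
    path = []
    current = start
    while ttl > 0:
        path.append(current)
        next_hop = routers[current].lookup(dst)
        if next_hop is None:
            return "no_route", path
        if next_hop == NULL0:
            return "discarded", path
        if next_hop not in routers:
            # Next hop is an attached line or external peer, not a modelled router.
            return "delivered", path + [next_hop]
        current = next_hop
        ttl -= 1
    return "ttl_expired", path


if __name__ == "__main__":
    for fixed in (False, True):
        net = build_network(with_null_route=fixed)
        label = "with Null0 route" if fixed else "without Null0 route"
        for dst in ("198.51.100.10", "198.51.100.77"):
            outcome, path = forward(net, "core", dst)
            print(f"{label}: {dst} -> {outcome} after {len(path)} hops")
```

Without the covering route, the packet for the unused address bounces between the two routers until its TTL runs out, so every such packet costs 16 forwarding decisions instead of two.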
        • Re:A router equivalent of /dev/null by -sublimity- (Score:1) Monday May 08 2006, @11:07AM
    • Re:What is? by Anonymous Coward (Score:1) Monday May 08 2006, @10:27AM
    • Re:What is? by Biff Stu (Score:2) Monday May 08 2006, @01:57PM
  • by Fëanáro (130986) on Monday May 08 2006, @10:11AM (#15285336)
    I tried downloading their software and signing up with them over the last week.
    Figured if a spammer is that pissed off at them they must be doing something right.
    The sign up site was often down, but when it was up I always seemed to fail their captcha.
    Did anyone have more luck?
  • DDoS Extortionists (Score:5, Interesting)

    by Council (514577) <rmunroe.gmail@com> on Monday May 08 2006, @10:12AM (#15285340)
    (http://xkcd.com/)
    this [csoonline.com] is a really cool story about how a company handled a DDoS attack by organized crime.
  • link to information week's article (Score:3, Informative)

    by DisplacedJoshua (919071) on Monday May 08 2006, @10:21AM (#15285410)
    shameless from digg, but an easy redirect for /.ers without having to read digg's stuff: information week's take on it makes it seem less, well, amazing on the part of the spammers. http://www.informationweek.com/story/showArticle.jhtml?articleID=187200875 [informationweek.com]
  • Sad state of backbone administration (Score:2, Interesting)

    by Anonymous Coward on Monday May 08 2006, @10:23AM (#15285423)
    When you read Blue Security's press releases, it seems obvious they are a little on the desperate side, trying to figure out how to deal with this Pharmamaster character who has reduced their network to its knees. What's unfortunate about the situation is that it calls to light the sad state of backbone administration where the major providers can't or won't do anything about the situation, and a company is left trying to appeal to the general public to do something about it.

    Of course if the attack had occurred against a company like General Electric or Eli Lilly, the perpetrator would be in jail right now.

    It seems obvious the perp is an American. It shouldn't be that difficult to track him down, especially since he's IM'ing the victims.
  • _Detailed_ timeline? (Score:4, Interesting)

    by Whizard (25579) on Monday May 08 2006, @10:27AM (#15285453)
    (http://jferg.lusars.net/)
    Wow, if this is a detailed timeline, I'd hate to see the summary.

    "Some shit happened."

    As a security guy, this could have been really interesting, but it's not.
  • Poor response (Score:5, Insightful)

    by Grand Facade (35180) on Monday May 08 2006, @10:29AM (#15285479)
    PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
    [May 3rd 23:23 GMT]
    PharmaMaster Boasts Success


    Tucows is a company I will never recommend or use to host any of my domains.
    Caving in to a spammer/hacker retaliation will not garner much support.

    http://www.joker.com/ [joker.com] serves my needs well
  • Pharma Master (Score:5, Insightful)

    by jefu (53450) on Monday May 08 2006, @10:37AM (#15285533)
    (http://foo.ewu.edu/ | Last Journal: Monday June 18, @12:43PM)
    So, just who is this PharmaMaster guy anyway.

    Enquiring minds (and all that) want to know.

    • Re:Pharma Master (Score:4, Informative)

      by ZachPruckowski (918562) <zachary.pruckowski@gmail.com> on Monday May 08 2006, @11:10AM (#15285802)
      PharmaMaster is an IM and forum handle. He's a major spammer, and probably responsible for at least some of that junk in my google mailbox's junk folder right now. He is apparently working with a cartel of spammers to try to crush anti-spam attempts. Interesting reading about their planning on the specialham.com spammer's forum was mirrored online somewhere yesterday, but got taken down for some reason.
      [ Parent ]
    • Re:Pharma Master by Cl1mh4224rd (Score:2) Monday May 08 2006, @12:09PM
  • This ferocious attack on Blue Security as well as Typepad and TUCOWS is proof that Blue Security's tactics are working. Spammers are scared to death of Blue Frog because it forces them to comply with the spirit of CANSPAM (since it is worthless in practise). They are so desperate that they are damaging the internet backbone to slightly increase the limited time that spam will be profitable.

    Do not listen to FUD-spreading ignoramuses who will no doubt leave many /. comments urging you to stay away from Blue Frog. Spammers do not have Blue Security's member lists - they are simply DIFFing their entire lists with the opt-outs sent by Blue Frog and sharing their filters with the "mailer community". Yes, some members (not me) have been threatened with, and temporarily received, more spam. However, this can't last since spammers who do this are simply fighting fire with gasoline! The more spam Blue Frog users get, the more opt-outs the spammer and client receive which costs them time and money! Plus, regarding threats to leave Blue Frog, does it make sense that a spammer would remove ANY working email address for ANY reason?

    Who do you trust to solve your spam problem? Microsoft? Your government? If they really cared, wouldn't the problem have been solved long before spam encompassed 90% of all email? Blue Security offers a realistic, fair, assertive, and EFFECTIVE means of hitting spammers where it hurts - in the database and in the pocketbook. They need your help to make spam an unprofitable, inconvenient vehicle for advertisers.

    I urge each and every /.er to sign up for a Blue Frog account RIGHT NOW (or whenever they're not getting DOSed) and simply forward your spam to yourusername@reports.bluesecurity.com. You can wait a day or two and send many spams as attachments in one email, or you can let the resident client do it for you. It's so easy and the headlines prove that it really does make a difference.

    Spammers are childishly thrashing around the internet like a bull in a china shop, having a flailing temper tantrum because people dare to stand up for their privacy. It is the duty of /.ers, as an informed userbase, to stand up for those internet users who don't know how to stand up for themselves.

    We have the numbers and the motivation. Aren't you sick and tired of these rich criminals wasting our time, defrauding our elders, and endangering our children day after day? If we stand together, just as the spammers stand together to attack Blue Security, then we WILL win.

    Sign up for a Blue Frog account ASAP and encourage your friends and family to do the same, as I have. And if you think it's possible to reason with spammers, check out this CastleCops forum thread [castlecops.com] that shows inside conversations from a spammer message board.
  • Blackmail tactics (Score:3, Informative)

    Those spammers will send threatening e-mails if you unsubscribe or not, so don't unsubscribe. They're doing this because it's hurting them in their pocket. Big deal. I don't give a damn if a spammer can't buy a new humvee limo, and I don't have to support those scumbags. So if they want to fill my mailbox with their trash, so be it. I will not bend over to them. I will not unsubscribe. I will not let those fscking bastards tell me what I should do.
    • Re:Blackmail tactics (Score:5, Funny)

      by Urusai (865560) on Monday May 08 2006, @11:00AM (#15285719)
      "...we'll fight them at the routers, we'll fight them on the backbone, we'll fight them at the ISP, we'll fight them at the firewall; we shall never surrender."
  • ...they must be doing something right! I'm signing up.

    Thanks PharmaMaster for referring me!
  • The only solution to spam... (Score:3, Insightful)

    by Dog-Cow (21281) on Monday May 08 2006, @11:14AM (#15285837)
    Is to kill the spammers. Obviously the death penalty doesn't resolve the issue forever, or we'd not have as much crime as we do in the world, but it will deter most spammers.

    We put down rabid dogs because they have the potential to harm human beings despite having no intention to do so. Why is it less humane to remove life that actively and maliciously harms others?
  • ...and show him my SIG. [DUKE NUKEM MODE]Come get some[/DUKE NUKEM MODE]
  • this is black hole filtering: (Score:3, Interesting)

    by Anonymous Coward on Monday May 08 2006, @11:35AM (#15286045)
    From: http://72.14.207.104/search?q=cache:daxdV_-e7aQJ:www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf+Blackhole+Filtering&hl=en&ct=clnk&cd=1

    Benefits of Remotely Triggered Black Hole Filtering

    Black holes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been detected, black holing can be used to drop all attack traffic at the edge of an Internet service provider (ISP) network, based on either destination or source IP addresses.

    RTBH filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge or anywhere else in the network to specifically drop undesirable traffic before it enters the service provider network. RTBH filtering provides a method for quickly dropping undesirable traffic at the edge of the network, based on either source addresses or destination addresses by forwarding it to a null0 interface. Null0 is a pseudointerface that is always up and can never forward or receive traffic. Forwarding packets to null0 is a common way to filter packets to a specific destination.
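
The mechanism in the excerpt quoted in the comment above, as an added example that is not part of the thread or of the quoted Cisco document: a toy model of edge routers doing longest-prefix match, where a trigger installs a /32 whose next hop resolves to Null0. The router and interface names, the documentation-range addresses, the reserved next hop 192.0.2.1 and the simplified loose-uRPF check used for the source-based case are all assumptions of this sketch.

```python
import ipaddress

NULL0 = "Null0"               # discard pseudo-interface named in the excerpt
BLACKHOLE_NH = "192.0.2.1"    # assumed: next hop reserved for blackhole routes


class EdgeRouter:
    """Toy edge router: longest-prefix-match table, optional loose uRPF."""

    def __init__(self, name, loose_urpf=False):
        self.name = name
        self.loose_urpf = loose_urpf
        self.table = {}
        # Provisioned ahead of time on every edge: reserved next hop -> Null0.
        self.install(f"{BLACKHOLE_NH}/32", NULL0)

    def install(self, prefix, next_hop):
        self.table[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.table.pop(ipaddress.ip_network(prefix), None)

    def resolve(self, address, depth=0):
        """Return the outgoing interface for address, following IP next hops."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.table if addr in net]
        if not matches or depth > 4:
            return None
        best = max(matches, key=lambda net: net.prefixlen)
        hop = self.table[best]
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return hop                      # an interface name: done
        return self.resolve(hop, depth + 1)  # an IP next hop: recurse

    def forward(self, src, dst):
        # Simplified loose uRPF: drop if the source has no route or its
        # route resolves to Null0. This is what makes source-based RTBH work.
        if self.loose_urpf and self.resolve(src) in (None, NULL0):
            return "drop:urpf"
        out = self.resolve(dst)
        if out is None:
            return "drop:no-route"
        if out == NULL0:
            return "drop:null0"
        return f"forward:{out}"


class Trigger:
    """Stands in for the routing-protocol update sent to every edge router."""

    def __init__(self, edges):
        self.edges = edges

    def announce(self, host):
        for edge in self.edges:
            edge.install(f"{host}/32", BLACKHOLE_NH)

    def withdraw(self, host):
        for edge in self.edges:
            edge.withdraw(f"{host}/32")


def demo():
    # Constructed topology using documentation address ranges only.
    edges = [EdgeRouter("edge-a", loose_urpf=True),
             EdgeRouter("edge-b", loose_urpf=True)]
    for edge in edges:
        edge.install("0.0.0.0/0", "upstream0")
        edge.install("198.51.100.0/24", "customer0")
    trigger = Trigger(edges)
    victim, flooder, user = "198.51.100.10", "203.0.113.66", "203.0.113.7"

    results = {"before": edges[0].forward(user, victim)}

    # Destination-based: everything to the victim is dropped at every edge,
    # including legitimate users; neighbouring hosts are unaffected.
    trigger.announce(victim)
    results["dst_flooder"] = edges[0].forward(flooder, victim)
    results["dst_user"] = edges[1].forward(user, victim)
    results["dst_neighbour"] = edges[0].forward(user, "198.51.100.11")
    trigger.withdraw(victim)

    # Source-based: only packets from the blackholed source are dropped.
    trigger.announce(flooder)
    results["src_flooder"] = edges[0].forward(flooder, victim)
    results["src_user"] = edges[0].forward(user, victim)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:14} {outcome}")
```

The destination-based case shows the trade-off operators accept when they use it: the protected host stops receiving the flood but is also unreachable through that network until the /32 is withdrawn.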
  • Summary for the lazy: (Score:2, Interesting)

    by Zaphod2016 (971897) on Monday May 08 2006, @11:48AM (#15286156)
    (http://zaphodforpresident.com/)

    For those new to this whole "BlueFrog" story, unsure who is the "good guy":

    Pro:

    • Ignoring never serves to fix anything. Just ask my little sister.
    • "If the spammers are pissed off, they must be doing something right." - /. & digg

    Con:

    • As I understand it, this company is backed with VC cash.
    • We *might* be witnessing the most creative advertising campaign in the history of the Internet.
  • SUE the advertisers (Score:2, Insightful)

    by HermMunster (972336) on Monday May 08 2006, @11:59AM (#15286236)
    Bottom line the advertisers know how their money is being spent. There's no excuse which allows them to claim ignorance. Once they are sued they'll look into it if they don't already know. The advertisers are funding this type of illegal behavior and so they should be held accountable. Large lawsuits or even criminal prosecution. These spammers and those illegally compromising the backbones are acting as agents of the advertisers, period.
  • What nonsense (Score:4, Insightful)

    Bluesecurity (BS) are either confused or misleading people.

    There is no way that a single "backbone" provider could have installed a null route to block all traffic to their network. Bluesecurity is served by a Haifa-based provider called Netvision (Autonomous System number 1680). Netvision buys internet transit from four providers:

    --UUnet/701 (uunet north america)
    --UUnet/702 (uunet europe/middle east)
    --btn/3491 (beyond the network)
    --telia/1299 (telia sonera international backbone).

    what the heck is BS claiming? that *all* of them installed a null route at once? do they even know what a null route is?

    i'm getting annoyed enough at this nonsense to think about blogging about it in more detail over at www.renesys.com/blogs . perhaps later today.

    foolishness.
  • by mkrist (586065) on Monday May 08 2006, @12:32PM (#15286568)
    Does anyone know when Blue Security will be fully functional again? There are still some services that don't work, as I'm writing this. Namely:

    Coming Soon:
    Validation emails
    Online Statistics
    Developers site
    Outgoing email from
    Blue Security

    Partially working:
    SMTP Spam reports
  • time for an apology from Typepad? (Score:1, Interesting)

    by Anonymous Coward on Monday May 08 2006, @01:17PM (#15286976)
    I wonder if Todd Underwood at Typepad will have the balls to apologize for the bull he was spreading about Blue Security deflecting a DDOS attack onto their servers as well as not believing that Blue Security had been blackhole filtered.

    How about it Todd? Ready to blame the criminal and stop blaming the victim or what?
  • My letter to tucows (Score:2, Interesting)

    by bblboy54 (926265) on Monday May 08 2006, @01:28PM (#15287094)
    (http://www.bobkmertz.com/)
    I'm mailing this via the postal service today:


    May 8th, 2006

    Tucows, Inc.
    96 Mowat Avenue
    Toronto, ON
    Canada M6K 3M1

    To whom it may concern,
    I just wanted to express my extreme disappointment regarding your recent actions to disable Blue Security's account in an attempt to stop the attacks of a notorious spammer. I fully understand that the attacks were a technical nightmare for your team, however, it is unbelievable that you would rather give in to a criminal and follow their demands and step on an organization that aims to protect innocent citizens from around the globe. Regardless of what your motive was, this action clearly states that you are more interested in profit than you are about ethics. As a result, I am recommending that all contacts I have that use Tucows' services remove their accounts and utilize a service which supports consumer protection. It is my sincere hope that should a similar situation arise, you will think of the company that is trying to protect the Internet.
  • DIY Experiment (Score:2, Insightful)

    by red_flea (589243) on Monday May 08 2006, @03:20PM (#15287977)
    So here's a quick experiment to gauge the impact of the BlueSecurity nospam list. Create two email accounts and sign one of them up for Blue, and don't do anything with the second one including implying its existence. We already get spammed anyway, so what are they going to do to people that don't unsubscribe from Blue? More spam?


    Let's call their bluff. Do this experiment yourself. And use Blue Frog.

  • In addition to everything else, I've seen several spams claiming to be from parties associated with Blue Security in the past 24 hours, but which are clearly Joe-jobs [wikipedia.org]. Example text follows.

    Skybox Security Solutions

    Simulated DDoS Network Attacks and Network Intrusions

    Customer Challenge:
    Large corporations often hire consultants to conduct quarterly penetration (DDoS)
    testing on specific segments of their corporate network. This testing can cost over
    hundreds of thousands of dollars, and also exposes the network to many potential
    disruptions. These disruptions are the result of the intense DDoS attacks testers
    can impose on live networks in order to isolate vulnerabilities and weaknesses.
    Since the network is constantly changing, and DDoS attacks are rarely dispersed
    from a centralized location, the penetration test results often become nullified and
    end up being limited to a small portion of the total network.

    The Skybox Solution:
    Skybox Security performs accurate and non-intrusive DDoS attacks across a larger
    portion of the corporate network. The tests are modeled and analyzed through an
    automated process via our large botnet network rather than manually performed on a
    live network. As a result, the tests are repeated rigorously on a scheduled basis
    without any fear of network disruption. Through DDoS attack and access simulation,
    vulnerability exposures as well as security control weaknesses are revealed instantly.
    DDoS attack simulation discovers all possible attack scenarios and reveals the step
    by step process that an attacker or worm may follow. It illustrates specific vulnerabilities
    to be exploited and network access traversed for each exploitable path. Access simulation
    calculates network access privileges determined by firewall and routing configuration.
    Our botnet helps characterize the interconnectivity between any two given points, reporting
    not just whether access is possible, but also the detailed path to reach a final destination.
    Based on these combined results, security personnel are able to determine what additional
    DDoS attacks are necessary and where to deploy our organizations penetration testers.

    Awards:
    Info Security - Info Security Hot Companies 2006
    The Wall Street Journal - One of the most innovative companies in 2005
    Information Security Magazine - Product of the year
    Network Magazine - Most Visionary Security Product
    Network Magazine - Best of the Best in all categories
    Secure Enterprise Magazine - Editors Choice
    Gartner - " Cool Vendor " in the security & privacy space
    SC Magazine Awards 2006 Winner - The Best Security Solution for Financial Services
    IM2005 Award finalist - Information Security and Product of the Year

    Company Profile:
    Eran Reshef
    Founder, Chairman & CEO of Blue Security ( www.bluesecurity.com [bluesecurity.com])

    A serial entrepreneur, Eran is currently the founder, chairman & CEO of Blue Security,
    the do-not-disturb registry pioneer. Prior to Blue, Eran co-founded Skybox Security and
    served as its Chairman. Prior to Skybox Eran founded and managed Sanctum (acquired
    by WatchFire), the leader in web application security. Eran holds a variety of security-
    related patents that are based on his inventions.

    Rina Shainski
    General Partner at Carmel Ventures ( www.carmelventures.com [carmelventures.com])

    Following a successful career leading business development and R&D operations in
    high-growth software companies, Rina has been investing in software companies ever since.
    Before joining Carmel she served as the VP Business Development at Clal Industries and
    Investments where she was responsible for software investments. From 1989 to 1996, Rina
    hel

  • DDoS (Score:2, Funny)

    by jrschulz (684749) on Monday May 08 2006, @06:18PM (#15289131)
    (http://well-adjusted.de/)
    Isn't the DDoS tag a little bit redundant for a submission which appears in Slashdot?
    • Re:DDoS by Ash-Fox (Score:1) Monday May 08 2006, @09:05PM
      • Re:DDoS by RedToad (Score:1) Monday May 08 2006, @10:52PM
  • Tucows down! (Score:1)

    by lon3st4r (973469) on Monday May 08 2006, @11:30PM (#15290712)
    PharmaMaster Strikes Again, Takes Down Tucows

    Phew! And I thought they were the big boys. They'd have enough checks in place to take care of a situation like this. Could they (Tucows) have actually done something to prevent this exploit? Or is it a weakness of the underlying system?

    I remember reading another post on slashdot quite some time ago where they described how partypoker.com (or some site like that) faced a DDoS hit.

    PS: Any ideas if microsoft.com would be vulnerable to an attack like this? If yes, they must be doling out ransom by the millions!

  • by r7ana (973780) on Tuesday May 09 2006, @12:56PM (#15294857)
    Finally those B**tards are getting what they deserve, Blue has done something that no other company has been able to do... after reading this and the article at http://www.ezee.se/blog/ [www.ezee.se] I'm just waiting for them to accept my application to join the fight!

    If the above does not work, try this:
    http://www.ezee.se/blog/blog-2-BLUE_SECURITYS_BLUE_FROG_ILLEGALLY_SPAMMING_AND_DDOSING_INNOCENT_SITES.html [www.ezee.se]

    I finished downloading the frog and it's installed....but not active because my application is still wait listed I guess.

    Go frog go!
  • by remadeus (973875) on Thursday May 11 2006, @10:03PM (#15314897)
    How many of you, who were already subscribed before the attack can still use your client without problems?
    It seems like the member section of BS site is down ATM for maintenance. Check http://members.bluesecurity.com/cwa [bluesecurity.com]
  • by remadeus (973875) on Sunday May 14 2006, @11:57PM (#15332579)
    Since quite a few people don't seem to know how BS/BF work I'm quoting a post I read on http://community.bluesecurity.com/webx?50@527.Rg3AaYm6mEY.0@.3c545f52 [bluesecurity.com]


    Does Blue Frog Employ DDoS Attacks? Some points to consider.
    One. When any man woman or child on earth receives an Unsolicited Bulk E-mail message, (UCE) it is essentially just an advertisement:
    1a. The recipient has been -invited- to visit the advertised service and conduct business. Real Distributed Denial of Service (DDoS) attacks are never preceded by an -invitation- from the party that is to be allegedly attacked. By sending the advertisement, the advertiser is consenting to receive a response if the recipient feels so inclined. It is the advertiser's hope that visiting will yield them money. It's called a market economy.
    1b. Dissatisfaction is a valid transaction. Advertisers may not just cherry pick the cash yielding sales. If an advertiser does something to insult or enrage their target audience, they can expect to get a lot of phone calls - this is a healthy market dynamic which drives improved business performance and customer satisfaction. If it works for broadcast and print media, why would UCE marketers be immune from this healthy form of feedback?
    1c. The recipient of the advertisement is not prohibited by law to conduct business transactions with the advertised service - just as the service is not prohibited by law to advertise. Should the recipient be dissatisfied and not wish to receive future advertisements, a single request for distribution list removal each time an advertisement is received is a valid practice within the law. The advertiser bears some duty to comply with removal requests in good faith. 1 to 1 responses do not constitute a DDoS attack as the sender of the solicitation has direct control of the responses they will receive. No court of law would be convinced otherwise for the following reasons: Intent to disrupt is not present, the objective of the opt-out request is clearly stated in civil terms, the origin of the opt out request is not hidden (though rendered anonymous for practical reasons), no extortion, blackmail or other form of crime is involved in the request, the advertiser has a clear and simple method of avoiding this undesirable traffic and was given due time to conform. None of these conditions are true under a typical real denial of service attack which sets apart the Blue Security method.
    1d. Prior to the existence of the Blue Security service, recipients were technically not able to respond in quantity or form equal to the advertisements received. Filtration was the only effective solution to conduct e-commerce and personal correspondence amidst a constant flood of UCE. Historically to respond to a UCE was often dangerous or caused retribution attacks against the unhappy recipient. (The UCE industry refers to vocal negative recipients as "antis".) Responding to UCE has now become safe and feasible via the Blue Security system. The underlying method employed by Blue Security whereby "Party A advertises - therefore Party B responds" remains both ethical and legal. Not an attack.
    Two. Regarding why the services advertised in UCE might crash or fail as a result of Blue Frog Opt-out requests, there are exactly two possible causes:
    2a. The advertising party did not sufficiently design their infrastructure to be capable of managing the traffic which was generated by their ad campaign.
    2b. The advertising party did not decrease their ad campaign to be commensurate with their capacity to manage response traffic.
    -- The issue of UCE advertised servers crashing has nothing to do with the recipients of the ad campaign or any imagined DDoS attack. It has everything to do with the UCE senders being irresponsible and unprepared for their own actions. In simple terms, it would seem that UCE marketers who target Blue Frog members end u
  • by JWINGS (975177) on Tuesday May 16 2006, @07:12AM (#15341286)
    He's a very bright boy and emails his teacher and his grandmother. I will defend Blue Security and will offer money to help support them. I would defend them even if they went to this "Pharmamaster" or whatever his/their name is and shot him. I just signed up here ( seems to be a great site ) but getting the password emailed to me was a hassle thanks to 64 spam emails coming along with it. Blue Security If you get any of this I also own many websites and would offer your traffic as long as you can develop a way to rotate the DNS so that one site doesn't carry all of the load !!! FIGHT BACK !!!
  • Re:Yup, this sucks. (Score:4, Insightful)

    Come on, if you have never used Bluesecurity, then you were obviously not in their database, and your email could not have been leaked to the spammers! Obviously, the spammers just sent out these FUD spam mails to everyone, just like spammers generally do.
  • by Anonymous Coward on Monday May 08 2006, @09:58AM (#15285251)
    Have you even been following this issue? They didn't have a list leaked...
  • Re:Yup, this sucks. (Score:5, Insightful)

    by Rob T Firefly (844560) on Monday May 08 2006, @09:59AM (#15285257)
    (http://robvincent.net/ | Last Journal: Tuesday October 09, @01:55PM)
    Isn't the fact that you, a non-user, got the email proof enough that nothing was leaked? Unless the spammer "hacked" your address from a list it wasn't on (which would be a neat trick) he or she was just spamming everyone available, hoping to get Bluesecurity's users along with it.
  • Re:Yup, this sucks. (Score:5, Informative)

    by ZachPruckowski (918562) <zachary.pruckowski@gmail.com> on Monday May 08 2006, @10:01AM (#15285271)
    Someone used their tool to clean a list, then compared the clean list to a "pre-scrub" list, which means they didn't gain any email addresses, they just learned something about the emails they already had been sending spam to.

    Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).
  • Client List NOT Compromised!!! (Score:5, Interesting)

    by cyberscan (676092) * on Monday May 08 2006, @10:08AM (#15285319)
    (http://www.freelink.cx/)
    What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When this program was run on the spammer's email list Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed. He then sent the threatening emails to any email address that was purged from the original list.

    Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
    One can look at it by visiting http://www.plaza1.net/SpammerSlapper [plaza1.net] .

    The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer to peer protocol and cryptographically signed. Any ideas on this one?
    • Re:Client List NOT Compromised!!! by macz (Score:3) Monday May 08 2006, @10:34AM
      • by cyberscan (676092) * on Monday May 08 2006, @11:32AM (#15286018)
        (http://www.freelink.cx/)
        Most owners of spamvertised sites do NOT want traffic, they want money. They only want the .01% of spam victims who are stupid enough to buy their crap to visit their site to complete the sale. However, in order to get the orders for their profit, they have to have a place where users can come to. This place is their website. Website owners have to PAY for bandwidth consumption. Traffic consumes bandwidth. Therefore traffic is an expense. What the website owners really want is orders that bring in money.

        When a site receives traffic from those who do not buy, it is the same as a store which has 200 people just looking around (and not buying). These browsers cause wear and tear on the carpet, require the watchful eye of security, require resources to answer questions, and make it more crowded so that it is more difficult for paying customers to find what they are looking for and complete the transaction.

        Right now, the ratio of revenue-generating traffic (those who come to a website to buy) versus the non revenue-generating traffic is high enough to justify having the website running and paying the spammers. When there is 8 gigs of traffic (non revenue generating) from spam haters for every byte of revenue producing traffic, then advertising a website via spam will be very UNPROFITABLE. When those who advertise by spam see loss instead of profits, they will quit paying spammers (or stop spamming themselves). This is why spammers hate the likes of Blue Security, SpammerSlapper, SpamFryer, and other retaliatory tools.

        What the spammers do not realize is that people who are ready to resort to using such antispammer tactics DO NOT like spamvertised websites nor will they buy crap from these websites. Blue Security is actually doing spammers a favor by pointing out the email recipients who do not want the spam and are willing to cause problems. If I were a spammer, I would want to listwash my sucker list and get rid of the email addresses of troublemakers and concentrate on the idiots who buy stuff advertised via spam. That way I would have to send out a lot less spam to get the sales I want. Spammers should go only after the suckers and leave the rest of us alone. When these nooby suckers decide that they are tired of being robbed and spammed into oblivion, they can then add their name and voice to the rest of the angry masses who have HAD ENOUGH.

    • Re:Client List NOT Compromised!!! by meringuoid (Score:3) Monday May 08 2006, @10:38AM
    • Re:Client List NOT Compromised!!! by Thaelon (Score:2) Monday May 08 2006, @10:56AM
    • Re:Client List NOT Compromised!!! by makomk (Score:3) Monday May 08 2006, @12:47PM
  • by NtroP (649992) on Monday May 08 2006, @10:15AM (#15285358)
    That service is not operational yet. They said it should be "soon".
  • Re:"operational system" (Score:5, Informative)

    by Da_Weasel (458921) on Monday May 08 2006, @11:31AM (#15285997)
    (http://www.codemonkeyx.org/)
    During the DDoS and Blackhole filtering it was only operational in Israel. The rest of the world was cut off. There were also threatening emails sent to registered users. According to Blue Security their database was not compromised and the spammer was actually using his own email list to send these emails out. Since then I have been receiving 2-3 messages a day from the spammer which contain nothing but the DNS WHOIS record for bluesecurity.com. Here is a copy of the first message I received:

    "Hey,You are recieving this email because you are a member of BlueSecurity (http://www.bluesecurity.com).

    You signed up because you were expecting to recieve a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally.

    How do you make it stop?

    Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity's database, if you arent there.. you wont get this again.

    We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result.

    By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop recieving this.

    Why are we doing this?

    Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails, but do not believe for one second that we will stop this tirade of emails if you choose to stay with BlueSecurity. Just remember one thing when you read this, we didnt do this to you, BlueSecurity did.

    If BlueSecurity decides to play fair, we will do the same.

    We are quite sure you will think this will not continue, that we will not continue wasting our resources doing this, feel free to wait out the first 48, or the second, and see whether these stop, you will be quite suprised.

    If you have another email under the protection of bluesecurity, and have not recieved this there, do not worry, you will soon enough.

    We mightve had your email addresses before in our lists, but now, we are targetting YOU, because YOU are a bluesecurity user.

    You might also notice, that the BlueSecurity site(http://www.bluesecurity.com) is down..

    Just remove yourself from BlueSecurity, and make it easier on you.

    Marta Tanner"

  • by DramaGeek (806258) on Monday May 08 2006, @12:18PM (#15286408)
    I still haven't received mine either. However, I did install the client, and it seems to have created me an account. The password must be in the e-mail, but until then the client will log me in to the website. Also, it seems to keep track of the spam that I have forwarded it through both manual forwarding and the Firefox extension.
  • Re:?H?uh??? (Score:2)

    by Secrity (742221) on Monday May 08 2006, @12:20PM (#15286432)
    I didn't see what you are talking about on Blue Security's website in either Firefox or Opera. From what I understand, MSIE has a problem in that it does not properly implement the HTML tag which would cause the problem that you are seeing. The tag was present in the original version of HTML 4 and Microsoft Internet Explorer 6.0 is supposed to be HTML 4 compliant.
    • It's not IE by MrFlannel (Score:1) Monday May 08 2006, @12:41PM
    • Re:?H?uh??? by Elminst (Score:2) Monday May 08 2006, @07:24PM
  • Pot, meet Kettle (Score:1)

    by zooblethorpe (686757) on Monday May 08 2006, @12:45PM (#15286700)
    a copyrighter who isn't a retarded illiterate

    <sigh.> I presume you meant to say copywriter. Nice try though.

    the fact that they were complicit in the spammer's taking blogs down also shows their lack of competence

    <sigh> again. Read elsewhere in this thread -- they were blackholed to start, so shifting their record to another IP presented no immediate threat to wherever they were moving to. The DDoS only started after they shifted IPs.

  • by budgenator (254554) on Monday May 08 2006, @01:21PM (#15287028)
    (Last Journal: Sunday January 28 2007, @05:20PM)
    I'd probably do that too if I were an astroturfer for a sleazy spammer, instead I'm going to download the linux version of the bluefrog client and connect it to my spam account and let it run. In fact I'm probably going to engage in activities designed to get those accounts on as many spam lists as is humanly possible. I've got accounts at yahoo and gmail that get about 10 spams for every legit email, maybe I can get the clutter down to the point where they'll actually be usable again.
  • Re:Mac OS X (Score:1)

    by Ash-Fox (726320) on Monday May 08 2006, @09:13PM (#15289897)
    (http://scorch.quickfox.org/)
    > Say Blue, if you ever have free time again, a Mac version would be grand.

    Please, I'm begging you Mac users, stop spamming commenting systems with requests for a Mac version.

    It's already bad enough when I'm looking at Skype plugins [skype.com], I don't need it here. When I'm browsing to look at some useful comments on some software, I browse through hundreds of "Make a mac version!" requests, just to find ONE comment on the actual software.

    Stop using comments for MacOSX port requests, it's annoying. Thank you.