http://www.wired.com/news/technology/0,70913-0.html

By Ryan Singel
May 16, 2006

A startup whose aggressive antispam measures drew a blistering counterattack from spammers two weeks ago that brought down the company's servers along with a wide swath of the internet is shuttering its program that targets junk e-mailers.

In an interview with Wired News, Blue Security CEO Eran Reshef said the Israel-based company was closing its service Wednesday since he did not want to be responsible for an ever-escalating war that could bring down internet service providers and websites around the world and subject its users to denial-of-service attacks from a well-organized group in control of a massive army of computer drones.

"Our community would very much like us to continue on the fight against spam, and our community has grown over the last week," Reshef said. "But at the end of the day if we continue doing so, within a few days, major websites will go down. I don't feel that this is something I can be responsible for. I cannot go ahead and rip up the internet to make Blue Security work. This is not the decision a commercial entity can make."

The abrupt decision ends a high-profile standoff between spammers and a tiny startup whose unorthodox methods had seemingly stymied some of the most prolific purveyors of junk e-mail in the world, if only temporarily. For a few intense days, the fight showed with shocking clarity the lengths to which some spammers will go to protect their businesses, and the devastating arsenals at their command.

The lesson to be learned, Reshef said, is that large ISPs and governments need to recognize that spammers are connected to criminal syndicates and that they, not a small startup, are the only ones who can shut down these networks.

Blue Security's 500,000 users had been successful in convincing six of the top 10 spam operations in the world to use its open-source mailing-list scrubber, which Reshef said proved that Blue Security's technology and approach was effective.

But other spammers responded differently. Starting May 2, a spammer known as PharmaMaster used a massive network of zombie computers to flood Blue Security's database servers with fake traffic and hijacked a little-known Cisco Systems router feature known as "blackhole filtering" to block anyone outside Israel from accessing Blue Security's homepage.

The spammer also unleashed a torrent of spam targeted to a subset of Blue Security users, which the spammer had likely gotten by scrubbing an e-mail list and then comparing the old list with the new list. Any addresses removed from the old list could be identified as Blue Security users.

The distributed-denial-of-service attack brought down the databases, and the collateral damage included hundreds of thousands of websites and mail servers hosted by Tucows, according to Elliot Noss, president and CEO of Tucows, the internet's largest domain registrar.

"Just in terms of pure scale, it's pretty safe to call it massive," Noss said. "I think that really the most interesting observation was how distributed it was. We sampled IP addresses and over 70 percent were unique."

Blogging software provider Movable Type's hosted service, TypePad, also fell victim to PharmaMaster's bot network, after Blue Security realized that no one could reach its homepage and posted a message to its users on its old blog. Thirty minutes later, PharmaMaster started an attack that brought down thousands of blogs.

Blue Security's Blue Frog antispam tool worked by having customers install a small piece of software in their browsers that they used to report spam. After aggregating the reports, Blue Security would try to contact the spammers, the websites of companies being advertised and their ISPs to try to convince the spammers to clean their lists of e-mail accounts on the company's Do Not Intrude list.

If that did not work, Blue Security would write a custom script that spam recipients could use to send an opt-out request to the advertised website. In practice, that meant that hundreds of thousands of Blue Frog users could attempt to opt out at once. In addition, the software would fill in online order forms with the opt-out request if there was no other way to communicate with a spammer-advertised website.

This tactic, which Blue Security says is legal under the Can-Spam Act, was controversial with spammers and some antispammers alike. Spammers complained in internet forums that the opt-out requests were simply a denial-of-service attack.

Anne P. Mitchell, president and CEO of the Institute for Spam and Internet Public Policy, is also a vocal critic of Blue Security's tactics who thinks the company was breaking computer crime laws by having its members fill in order forms with opt-out requests.

"Do you think Blue Frog cares if they are knowingly causing customers to break the law of their own home country?" Mitchell asked. "They don't care because they are sitting in Israel."

But Peter Swire, a law professor and former head privacy official for the Clinton administration, looked into the company's operations, found them legitimate and innovative, and signed onto the company's advisory board earlier this year.

"I get one spam e-mail and my computer sends one opt-out request," Swire said. "That is exactly what Can-Spam gives me the right to do."

Swire says he understands why Reshef has decided to shutter the service, because these levels of attacks are too much for a small company to withstand. But he says the company showed that this tactic can work.

"If little Blue Security can affect 25 percent of spam, then this approach shows great promise if the big boys get involved," Swire said. "If there is a concerted effort by the big ISPs or by the government, the Can-Spam Act provably is the basis for reducing spam."

Eric Benhamou, chairman and CEO of Benhamou Global Ventures and one of Blue Security's lead investors, said he knew going in that Blue Security's task was difficult. Benhamou is not writing off Blue Security, whose technology he says has other uses, but he supports the company's decision to shut down in order to avoid more collateral damage.

"We knew it would get really serious when the adversary was wounded," he said. "There were no surprises on my part. When I first did my due diligence, Eran and Amir (Hirsch) told me clearly that they knew how to build the technology to accomplish this but weren't sure of the overall business proposition. I said that's fine, because I want to explore something that hasn't been done before and before there were only clever filters. This was totally innovative."

This archive was generated by hypermail 2.1.3 : Tue May 16 2006 - 23:13:34 PDT