[ISN] Under Attack, Spam Fighter Folds

From: InfoSec News (isn@private)
Date: Tue May 16 2006 - 22:46:04 PDT


By Ryan Singel
May 16, 2006

A startup whose aggressive antispam measures drew a blistering
counterattack from spammers two weeks ago that brought down the
company's servers along with a wide swath of the internet is
shuttering its program that targets junk e-mailers.

In an interview with Wired News, Blue Security CEO Eran Reshef said
the Israel-based company was closing its service Wednesday since he
did not want to be responsible for an ever-escalating war that could
bring down internet service providers and websites around the world
and subject its users to denial-of-service attacks from a
well-organized group in control of a massive army of computer drones.

"Our community would very much like us to continue on the fight
against spam, and our community has grown over the last week," Reshef
said. "But at the end of the day if we continue doing so, within a few
days, major websites will go down. I don't feel that this is something
I can be responsible for. I cannot go ahead and rip up the internet to
make Blue Security work. This is not the decision a commercial entity
can make."

The abrupt decision ends a high-profile standoff between spammers and
a tiny startup whose unorthodox methods had seemingly stymied some of
the most prolific purveyors of junk e-mail in the world, if only
temporarily. For a few intense days, the fight showed with shocking
clarity the lengths to which some spammers will go to protect their
businesses, and the devastating arsenals at their command.

The lesson to be learned, Reshef said, is that large ISPs and
governments need to recognize that spammers are connected to criminal
syndicates and that they, not a small startup, are the only ones who
can shut down these networks.

Blue Security's 500,000 users had been successful in convincing six of
the top 10 spam operations in the world to use its open-source
mailing-list scrubber, which Reshef said proved that Blue Security's
technology and approach was effective.

But other spammers responded differently.

Starting May 2, a spammer known as PharmaMaster used a massive network
of zombie computers to flood Blue Security's database servers with
fake traffic, and abused a little-known Cisco Systems router feature
known as "blackhole filtering" (normally used by ISPs to discard
traffic bound for an attacked address at their border routers) to block
anyone outside Israel from reaching Blue Security's homepage.

The spammer also unleashed a torrent of spam targeted at a subset of
Blue Security users, whose addresses the spammer had likely obtained by
running an e-mail list through the scrubber and then comparing the
original list with the scrubbed one. Any address present in the old
list but missing from the new one could be identified as a Blue
Security user.
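The list-diffing technique described above is worth seeing concretely, because it shows a design flaw that any opt-out registry shares: a service that removes registered addresses from a submitted list is, by construction, a membership oracle for that registry. The following is an added example, not Blue Security's code; the addresses, the registry, the batch-size limit and the choice to hold the registry as SHA-256 digests rather than plaintext are all constructed assumptions (the article says nothing about how the real registry was stored). It goes slightly beyond the text by also showing why a naive "refuse small lists" defence does not close the leak.

```python
"""Why a list scrubber is a membership oracle (added example, constructed data)."""
import hashlib
from typing import Iterable, List, Set


def normalise(addr: str) -> str:
    # Case-fold and trim so "Alice@Example.org" and "alice@example.org" compare equal.
    return addr.strip().lower()


def digest(addr: str) -> str:
    # Assumption for illustration: the registry holds SHA-256 digests of
    # normalised addresses instead of the addresses themselves. As the
    # attack below shows, this does not stop the leak.
    return hashlib.sha256(normalise(addr).encode("utf-8")).hexdigest()


# Constructed registry of opted-out users (not real addresses).
REGISTERED_USERS = {"alice@example.org", "carol@example.net", "erin@example.com"}
REGISTRY: Set[str] = {digest(a) for a in REGISTERED_USERS}

# Constructed "harvested" spam list, as a spammer would submit it.
HARVESTED = [
    "Alice@Example.org", "bob@example.com", "carol@example.net",
    "dave@example.org", "Erin@example.com", "frank@example.net",
]


def scrub(mailing_list: Iterable[str], registry: Set[str]) -> List[str]:
    """Compliant use: return the list with every registered address removed."""
    return [a for a in mailing_list if digest(a) not in registry]


def infer_members(harvested: Iterable[str], registry: Set[str]) -> List[str]:
    """Attacker's use: diff input against output. Whatever vanished is a member."""
    harvested = list(harvested)
    kept = {normalise(a) for a in scrub(harvested, registry)}
    return sorted({normalise(a) for a in harvested} - kept)


MIN_BATCH = 1000  # constructed threshold for the naive defence below


def scrub_batched(mailing_list: Iterable[str], registry: Set[str]) -> List[str]:
    """Naive hardening: refuse tiny lists so nobody can test a single address."""
    mailing_list = list(mailing_list)
    if len(mailing_list) < MIN_BATCH:
        raise ValueError("batch too small")
    return scrub(mailing_list, registry)


def probe_one(target: str, registry: Set[str]) -> bool:
    """Bypass of the batch limit: pad one target with attacker-controlled
    filler addresses that are never registered. Each call still answers a
    yes/no question about exactly one address."""
    filler = [f"filler{i}@attacker.example" for i in range(MIN_BATCH)]
    result = scrub_batched(filler + [target], registry)
    return len(result) == len(filler)  # target was removed, so it is registered


if __name__ == "__main__":
    print("scrubbed list :", scrub(HARVESTED, REGISTRY))
    print("leaked members:", infer_members(HARVESTED, REGISTRY))
    print("carol registered?", probe_one("carol@example.net", REGISTRY))
    print("bob registered?  ", probe_one("bob@example.com", REGISTRY))
```

The point of the example is that hashing, rate limits and minimum batch sizes only change the cost of the query, not its answer: any scrubber that must remove exact matches tells the caller which submitted addresses were registered, and a caller who already holds a large harvested list recovers every member in it with a single submission.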

The distributed-denial-of-service attack brought down the databases,
and the collateral damage included hundreds of thousands of websites
and mail servers hosted by Tucows, according to Elliot Noss, president
and CEO of Tucows, the internet's largest domain registrar.

"Just in terms of pure scale, it's pretty safe to call it massive,"
Noss said. "I think that really the most interesting observation was
how distributed it was. We sampled IP addresses and over 70 percent
were unique."

Blogging software provider Movable Type's hosted service, TypePad,
also fell victim to PharmaMaster's bot network, after Blue Security
realized that no one could reach its homepage and posted a message to
its users on its old blog. Thirty minutes later, PharmaMaster started
an attack that brought down thousands of blogs.

Blue Security's Blue Frog antispam tool worked by having customers
install a small piece of software in their browsers that they used to
report spam. After aggregating the reports, Blue Security would try to
contact the spammers, the websites of the companies being advertised
and their ISPs, to convince the spammers to remove from their mailing
lists every address registered on the company's Do Not Intrude list.

If that did not work, Blue Security would write a custom script that
spam recipients could use to send an opt-out request to the advertised
website. In practice, that meant that hundreds of thousands of Blue
Frog users could attempt to opt out at once. In addition, the software
would fill in online order forms with the opt-out request if there was
no other way to communicate with a spammer-advertised website.

This tactic, which Blue Security says is legal under the Can-Spam Act,
was controversial with spammers and some antispammers alike.

Spammers complained in internet forums that the opt-out requests were
simply a denial-of-service attack.

Anne P. Mitchell, president and CEO of the Institute for Spam and
Internet Public Policy, is a vocal critic of Blue Security's tactics
who argues that the company broke computer crime laws by having its
members fill in order forms with opt-out requests.

"Do you think Blue Frog cares if they are knowingly causing customers
to break the law of their own home country?" Mitchell asked. "They
don't care because they are sitting in Israel."

But Peter Swire, a law professor and former head privacy official for
the Clinton administration, looked into the company's operations,
found them legitimate and innovative, and signed onto the company's
advisory board earlier this year.

"I get one spam e-mail and my computer sends one opt-out request,"
Swire said. "That is exactly what Can-Spam gives me the right to do."

Swire says he understands why Reshef has decided to shutter the
service, because these levels of attacks are too much for a small
company to withstand.

But he says the company showed that this tactic can work.

"If little Blue Security can affect 25 percent of spam, then this
approach shows great promise if the big boys get involved," Swire
said. "If there is a concerted effort by the big ISPs or by the
government, the Can-Spam Act provably is the basis for reducing spam."

Eric Benhamou, chairman and CEO of Benhamou Global Ventures and one of
Blue Security's lead investors, said he knew going in that Blue
Security's task was difficult. Benhamou is not writing off Blue
Security, whose technology he says has other uses, but he supports the
company's decision to shut down in order to avoid more collateral

"We knew it would get really serious when the adversary was wounded,"
he said. "There were no surprises on my part. When I first did my due
diligence, Eran and Amir (Hirsch) told me clearly that they knew how
to build the technology to accomplish this but weren't sure of the
overall business proposition. I said that's fine, because I want to
explore something that hasn't been done before and before there were
only clever filters. This was totally innovative."


This archive was generated by hypermail 2.1.3 : Tue May 16 2006 - 23:13:34 PDT