May 17, 2006 6:06 PM PDT

Antispam advocate succumbs to spammer

A prominent crusader against unsolicited e-mail ads withdrew from an escalating cyberwar with spammers on Wednesday after his Web site and numerous others came under a massive retaliatory attack.

Blue Security, a company that provided antispam software and was widely praised for orchestrating a kind of do-it-yourself campaign to spam spammers, has "ceased all antispam operations," said Sandra Fathi, a spokeswoman for the company.

The surrender comes after the company's Web site, along with those of many of its partners, was hobbled by a denial-of-service attack earlier this month. The DoS attack, which used thousands of commandeered computers to overload the sites' servers with traffic, is believed to have originated with one Russia-based spammer, Fathi said.

The brazen show of power by the spammer is reflective of the defiant nature of these kinds of rogue advertisers. Almost as old as the Internet, unsolicited e-mail continues to swamp e-mail in-boxes and to clog servers, even as law enforcement agencies and regulatory bodies have tried to stop the practice.

Eran Reshef, Blue Security's CEO, thought he had the answer. He encouraged half a million of the company's customers to send replies to the spam they received. The combined traffic overloaded the spammers' servers and crippled their ability to send e-mails. This resulted in some well-known spam companies agreeing to stop e-mailing Blue Security's customers.

Blue Security's triumph was short-lived. Instead of capitulating, one spammer launched a denial-of-service attack earlier this month. According to security Web site SecurityFocus, the attacks overwhelmed several Web sites and Internet service providers. The spammer then threatened Blue Security.

Either the company shut down, or the next attack would include a computer virus.

With innocent companies and Internet users potentially at risk, Reshef had no choice but to yield to the demands, Fathi said.

"The company is unable to fight this battle on its own," Fathi said. "This (spammer) has shown that he's willing to harm hundreds of innocent bystanders...(Reshef) didn't want to take the risk that these other businesses would come under attack."

Blue Security is now trying to determine whether there are other uses for its antispam technology, she said.

36 comments
Unbelievable
It's kind of interesting that a company trying to help people fight spammers has to yield to their threats.

I did try to visit their site several times in the last 10 days, and I kept on getting an error message on my browser.

This is pretty shameless that governments have no intention in protecting us from these criminals.
Posted by Dead Soulman (245 comments )
I wonder if...
Microsoft gets a cut from the spammer's profits.. after all...
without Windows.. this type of thing couldn't happen.

I get a little satisfaction. In Apple's Mail application, there is an
option to "Bounce to Sender"... I like doing this with the junk
mail I get. This way.. it is essentially the same thing this guy is
proposing...but it also makes it seem like my address is not
valid.. so they stop sending me crap.

After doing this for a while.. I get very little junk mail on an
account that I have had for 4 years.. and use for everything.
Posted by Jesus#2 (127 comments )
Not much sense
Um, your comments do not make any sense. For one, simply bouncing a message back to the sender does not make them think your email is invalid, quite the contrary it just confirms that it IS a valid email address. Plus, as was pointed out earlier, the spammer never uses a valid email address and more times than not it spoofs the IP as well, so bouncing a message back to sender does absolutely squat.
Posted by tanis143 (122 comments )
What?
What does Windows have to do with it? Spam isn't an OS problem, and it's not related to an OS, or any weakness on an OS.
Even if you count MS apps, Outlook has had one of the best embedded antispam systems for a long time. So I don't see any meaning in your comment.
Are all Apple users this confused?
Posted by Hernys (744 comments )
The one thing about this article that sticks out to me...
"encouraged half a million of the company's customers to send replies to the spam they received" - Assuming that statement is even partially accurate, it is an ineffective, irresponsible and unintelligent concept. Except on the occasions that a few of the more professional spammers scrub their lists, no one sends junk with an even remotely valid reply address. It's rare enough for a spammer to even use their own mail relay.
Posted by blbk (2 comments )
OMG!
Give me a break - don't you understand it's a bit more sophisticated than that??? Blue Frog would identify the resources being plugged in the spam itself and target those resources. They didn't just blindly send responses back to an obviously forged reply address.

And if the tactic wasn't effective, then Blue Security would NOT have come under attack.
Posted by ejevo (134 comments )
Wait a minute!
If these guys know who the threatening spammer is, why don't they, and their clients or whatever other parties were being targeted, simply stick a filter on the mail servers which simply deletes the messages? I don't know what characteristics would work best for this -- IP addy, country of origin? -- but I have at least three concrete ways to kill definable spam with no action on my part and I'm not running a mail server.

The same goes for viral messages. If it can be identified -- in this case most likely by the virus being used -- it can most likely be killed automatically.

This article is a little weird. And what's with them trying to find another use for their product? Huh?
Posted by rshew (44 comments )
DOS attacks use thousands of zombie machines
infected with trojans, rather hard to filter
Posted by gubbord (171 comments )
A DDoS is not that simple
Clearly, this DDoS attack is not just being implemented by flooding the servers with spam. Web servers are almost certainly being targeted by the botnet if the company's (and its affiliates') websites are down.

Secondly, the spammer would be spoofing the IP address of any packets (and emails) sent, so if the company used a filter, the spammer could just change the IP.

Thirdly, it is possible (actually probable given the magnitude of the botnet) that the spammer is conducting a R/ADDoS Attack (A Reflected or Amplified Distributed DoS). For instance, the spammer could be sending out spoofed ICMP Echo Requests to innocent servers so that the attack is reflected onto the company's servers. The attack could even be using DNSs to amplify the attack. Such an attack would be very difficult to prevent because blocking requests from a DNS renders the website largely unusable anyway, thus defeating the purpose of preventing the attack.

However, analysing the packets and emails for traits unique to the spammer MAY allow modification of router ACLs (Access Control Lists) or firewall rules to prevent the attack. Alternatively, changing the company's server IP addresses may also solve the problem (not the email flooding though).

Otherwise, the only other possible solution would be to increase bandwidth, upgrade servers and sit out the attack - this costs money though and is apparently the reason why they are giving up.

In the end, unless governments globally (especially Russia, former Eastern Bloc states and China) crack down on spammers and botnets there is not a lot companies can do.
Posted by a85 (104 comments )
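The analysis a85 describes above, looking for traits in the traffic that mark it as reflected so that router ACLs or firewall rules can be tightened without blocking DNS wholesale, can be illustrated with a small detector. This is an added example, not code from the article, from Blue Security or from any commenter. It runs over constructed NetFlow-style records for a hypothetical victim address (203.0.113.10, in the TEST-NET-3 range) and flags DNS answers and ICMP echo replies that the victim never asked for, which is exactly what a reflected attack looks like from the victim's side; the Flow type and the function names find_reflection, solicited_peers and filter_plan are choices made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional, NetFlow-style record (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "udp", "tcp" or "icmp"
    octets: int
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply, -1 when not ICMP


TARGET = "203.0.113.10"  # hypothetical victim web server (TEST-NET-3 range)

# Constructed sample traffic: the victim's own outbound flows plus inbound flows.
SAMPLE = [
    # Legitimate: the victim queries its own resolver and gets a small answer.
    Flow(TARGET, 40001, "198.51.100.53", 53, "udp", 60),
    Flow("198.51.100.53", 53, TARGET, 40001, "udp", 180),
    # Reflected DNS: large answers from resolvers the victim never queried.
    Flow("192.0.2.11", 53, TARGET, 80, "udp", 3200),
    Flow("192.0.2.12", 53, TARGET, 80, "udp", 3100),
    Flow("192.0.2.13", 53, TARGET, 80, "udp", 3300),
    # Reflected ICMP: echo replies with no matching echo request from the victim.
    Flow("192.0.2.21", 0, TARGET, 0, "icmp", 1500, icmp_type=0),
    Flow("192.0.2.22", 0, TARGET, 0, "icmp", 1500, icmp_type=0),
    # Legitimate: the victim pinged a host and received the reply.
    Flow(TARGET, 0, "198.51.100.7", 0, "icmp", 64, icmp_type=8),
    Flow("198.51.100.7", 0, TARGET, 0, "icmp", 64, icmp_type=0),
    # Ordinary web traffic, unrelated to reflection.
    Flow("198.51.100.99", 51234, TARGET, 80, "tcp", 900),
]


def solicited_peers(flows, target):
    """Peers the target itself queried (UDP/53) or pinged (ICMP type 8).
    Replies from these hosts are expected; replies from anyone else are not."""
    dns, icmp = set(), set()
    for f in flows:
        if f.src != target:
            continue
        if f.proto == "udp" and f.dport == 53:
            dns.add(f.dst)
        elif f.proto == "icmp" and f.icmp_type == 8:
            icmp.add(f.dst)
    return dns, icmp


def find_reflection(flows, target, min_reflectors=2):
    """Group unsolicited DNS answers and ICMP echo replies aimed at target.

    Returns a dict keyed by "dns_reflection" / "icmp_reflection" for each
    pattern seen from at least min_reflectors distinct sources. Because the
    requests were spoofed, the true attacker never appears in these records;
    the sources listed are the reflectors that were abused."""
    dns_ok, icmp_ok = solicited_peers(flows, target)
    seen = defaultdict(lambda: {"reflectors": set(), "octets": 0})
    for f in flows:
        if f.dst != target:
            continue
        if f.proto == "udp" and f.sport == 53 and f.src not in dns_ok:
            kind = "dns_reflection"
        elif f.proto == "icmp" and f.icmp_type == 0 and f.src not in icmp_ok:
            kind = "icmp_reflection"
        else:
            continue
        seen[kind]["reflectors"].add(f.src)
        seen[kind]["octets"] += f.octets
    return {
        kind: {"reflectors": sorted(v["reflectors"]), "octets": v["octets"]}
        for kind, v in seen.items()
        if len(v["reflectors"]) >= min_reflectors
    }


def filter_plan(findings, allow=frozenset()):
    """Reflector addresses to drop at the edge router or firewall.

    Only the abused reflectors are listed, not port 53 as a whole, so the
    organisation's own resolvers (passed in allow) keep working."""
    reflectors = {r for v in findings.values() for r in v["reflectors"]}
    return sorted(reflectors - set(allow))


if __name__ == "__main__":
    findings = find_reflection(SAMPLE, TARGET)
    for kind, info in findings.items():
        print(f"{kind}: {len(info['reflectors'])} reflectors, {info['octets']} octets")
    print("drop from:", filter_plan(findings, allow={"198.51.100.53"}))
```

On the sample, the resolver the victim actually queried and the host it pinged are left alone, while the three unsolicited DNS answers (9600 octets) and two unsolicited echo replies are reported. The per-reflector block list is a stop-gap in the sense a85 gives: reflectors change from minute to minute, and the allow set exists precisely so that the filter does not become the "block all DNS" rule that takes the site down anyway.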
It's not that simple
Clearly, this DDoS attack is not just being implemented by flooding the servers with spam. Web servers are almost certainly being targeted by the botnet if the company's (and its affiliates') websites are down.

Secondly, the spammer would be spoofing the IP address of any packets (and emails) sent, so if the company used a filter, the spammer could just change the IP.

Thirdly, it is possible (actually probable given the magnitude of the botnet) that the spammer is conducting a R/ADDoS Attack (A Reflected or Amplified Distributed DoS). For instance, the spammer could be sending out spoofed ICMP Echo Requests to innocent servers so that the attack is reflected onto the company's servers. The attack could even be using DNSs to amplify the attack. Such an attack would be very difficult to prevent because blocking requests from a DNS renders the website largely unusable anyway, thus defeating the purpose of preventing the attack.

However, analysing the packets and emails for traits unique to the spammer MAY allow modification of router ACLs (Access Control Lists) or firewall rules to prevent the attack. Alternatively, changing the company's server IP addresses may also solve the problem (not the email flooding though).

Otherwise, the only other possible solution would be to increase bandwidth, upgrade servers and sit out the attack - this costs money though and is apparently the reason why they are giving up.

In the end, unless governments globally (especially Russia, former Eastern Bloc states and China) crack down on spammers and botnets there is not a lot companies can do.
Posted by a85 (104 comments )
Nobody can take it
DOS with thousands of zombie machines is something nobody can handle.

Forget Bluebird security, even Google and Microsoft had a hard time when a DOS attack was done a few months ago using such zombie machines.

~Shantanu
http://godisnear.blogspot.com
Posted by shantanu77 (4 comments )
Yay! The cyber terrorists win!
I see the war online is going about as good as the war against terrorists in the real world.
Posted by ejevo (134 comments )
Don't forget...
Let's not forget the drug war. That was a real winner.
Posted by Christopher Hall (1205 comments )
not how it works
Bot nets are WORLD WIDE. Just because numbnuts that lives in the former USSR is running it don't mean jack.

If he has 1000 Bots in each of the 50 states AND bots all over the world what you gonna do to stop it?
Posted by mrchaos101 (7 comments )
I say we give it a shot.
I may enter this fight myself.

It looks interesting. How do you fight an e-terrorist whose main weapons are DDOS attacks and email flooding?

Quite simply.....you eliminate your points of vulnerability.

You need to replace the most common nodes of information exchange (email and websites) with more public nodes that are much more difficult to bring down (think P2P and newsgroups for instance).

You also need to amass a small army of your own that is capable of getting the attention of the service providers (of the PCs being used in the attacks) who support the attacks by giving access via their networks.

This is not to punish the service provider, but to protect others. The service providers should be worked with closely to build a system in which it is easy to disable PC access to the internet of any PC participating in a DDOS attack.

The only way to stop DDOS attacks and spammers is to make it unprofitable to the ISPs that turn a blind eye to that activity on their networks.

Unfortunately, the only way to do that is to make their operation unprofitable until they remove the threat.

As unfortunate as it is, the only way to moderate these attacks is to force the ISPs to get involved - whether they want to or not.

If there is another way, please let me know.
Posted by Jim Hubbard (326 comments )
Russian Spammers and Organized Crime
It is generally thought that the West won the Cold War. While it is true the communist experiment in Russia failed, it is not true that our problems with Russia ended with the fall of the Iron Curtain. Remember, it was Russian spammers who fried Blue Frog's legs and served them up with caviar.

This little victory may be a point of pride to the spammers and criminals living there, but it is a set-back for the Russian people and the Russian government. Think about it. Who trusts a Russian web site? When the average person sees the designation ".ru" at the end of an address, don't you suppose that person hits the delete key with blinding speed? Any ".ru" address is immediately suspect.

The Russian economy is not built on spam. Spam money goes into the pockets of greedy criminals and organized Russian crime gangs. It doesn't float through the Russian economy.

Today, just as in the days of the Soviet Union, people do not trust the honesty and integrity of Russian businesses. That can only have a larger negative impact on the future of the Russian economy and a devastating trickle-down impact on the Russian people.

In the end it will have to be the Russian people and their government who put Russian spammers out of business and into prison. Russian justice is harsh and severe and that's exactly what those Russian spammers deserve.
Posted by dunnsanfrancisco (24 comments )
 
