
Spam War Takes Out Blog Services 315

munchola writes "Following on from the story about spammers attacking Blue Security's anti-spam system, CBR is reporting that Six Apart, which runs the popular LiveJournal and TypePad blogging services, has become a collateral victim. Six Apart told its millions of bloggers it had experienced 'intermittent and limited availability for TypePad, LiveJournal, TypeKey, sixapart.com, movabletype.org and movabletype.com', before resolving the issue in the early hours of Wednesday. '[The spammers are] trying to rip apart the internet just to make our community stop fighting back against spam,' Blue Security's chief executive Eran Reshef said, adding that he knows who's behind the attack."
  • Fighting abuse with abuse is bad.

    Swamping a spammer is not a good idea, because he can either redirect the attacks to an innocent third party, or simply pointless because they use stolen resources, like trojaned computers that host illegal sites.

    The best way to eradicate spammers would simply be to go after their clients.

  • Blame fest (Score:5, Insightful)

    by LiquidCoooled ( 634315 ) on Thursday May 04, 2006 @11:09AM (#15262557) Homepage Journal
    fta:
    The spammer also launched a conventional bandwidth-consumption DDoS attack against bluesecurity.com. It was around this time that the company opened its new blog, which meant TypePad got whacked.


    This blue security article has been running for a few days now and the site hasn't been responding any time I've tried recently.

    Isn't it just another DDOS blame fest when in reality it's just the news spreading around the world and all the collective users of all the collective news sites are clicking the links to try to read the story?

    A total slashdotting/digging/farking and general newsing all at once.

    It was the same when word spread about google going down.
    "OMG have you heard, google is dead?"
    *CLICK* "Yer, it's not working here either" *CLICK* *CLICK* *CLICK*
    *CLICK* "Hey, it's loaded here." *CLICK* "Oh crap, it's broken again now.."

    We are all guilty of assisting this DDOS attack. Shame on us.

    It will ease up once something else comes and takes our attention away from it.
  • Kill the spammers (Score:5, Insightful)

    by pete6677 ( 681676 ) on Thursday May 04, 2006 @11:10AM (#15262571)
    I don't think spam will stop, or even slow down, until a spammer is seriously hurt or killed. Right now, they know there is no consequence to their actions. I'm not saying I personally advocate killing spammers, but it certainly wouldn't make me feel bad to hear about it being done. Spamming would be a lot riskier if there were an element of harm attached for the spammer.
  • Isn't that counter to what you have in your signature?
  • by ZSpade ( 812879 ) on Thursday May 04, 2006 @11:17AM (#15262641) Homepage
    But have they got any better suggestions? The federal government is a *Joke* about bringing any kind of justice down on this filth, and so the masses remained *outraged* and *victimized*. To me (a computer tech), I see people's computers every day that have been turned into Zombies. Some so bad that they have to be reformatted. They are bringing in their computers to me, and paying hard cash for me to fix it and prevent it from happening again. That's real money, real damages everyone is having to pay every day. I guess you could spin it in a positive light and say it's good for the tech industry, but not if people start becoming afraid to even get on the internet because of what might happen to their computer. This is theft, this is vandalism and the governments of the world are practically standing by and watching it happen.

    So, do you have any better suggestions, if not then I kindly ask you to omit your views until you can add something to the cause.
  • All Blue Frog does is request to be opted out. One form sent per spam received. No more, no less.

    4 of the 10 major spammers had already excluded the blue security list from their mass mailings, and their problem was solved. But this particular spammer, instead of complying, shut down Blue Security.

    Just because Blue Frog causes A SIDE EFFECT of diminishing the bandwidth of the spammer's website, is not Blue Security's fault. (It is our LEGAL RIGHT to request for opt-out, and to keep requesting it UNTIL IT IS FULFILLED).

    To say opting out is abuse, is nothing but legitimizing illegal (non CAN-SPAM complying) spam.
  • by OrangeTide ( 124937 ) on Thursday May 04, 2006 @11:41AM (#15262864) Homepage Journal
    I'm not sure I would like an internet where my online activities could result in physical bodily harm. I would never become a spammer, but still I don't like the idea. If you hate spam so much that you want to commit assault or murder you could just sign off, quit using email, etc.

    I know you were just kidding, but some people aren't :(
  • by future assassin ( 639396 ) on Thursday May 04, 2006 @11:41AM (#15262868)
    I don't think hurting spammers will do anything. In fact this would make spamming more lucrative as the price would go up because of the danger/fine factor. All of a sudden if it's worth enough and it's more dangerous more fishy/criminal organizations would get into it.

    I think going after companies and websites advertised in SPAM would do more damage. Get a 1 mil dollar fine and they won't be making the same mistake twice.

    Taking away the source of funds/content for spammers will at least minimize spam.

  • Breaking point (Score:3, Insightful)

    by Stray1 ( 862245 ) on Thursday May 04, 2006 @11:47AM (#15262915)
    Speaking as one of the people who helped start the last bluesecurity article, I think we've all had enough time to reflect and debate on the 'fight fire with fire' technique that bluesecurity has enacted. What this new DDOS attack has brought to the table is something a little different. Before the attack, Bluesecurity would send an equal amount of opt out requests as spam. THIS DDOS attack on bluesecurity, which is clearly illegal, is the breaking point. I'm not sure WHAT is going to break (other than someone's ISP), but it has shed light on spammers' intentions. Spam artists have always relied on the fact that their activities aren't specifically illegal. With this attack they have really crossed the line. This event could be the event that got some sort of anti-spam legislation rolling (or it might have the opposite effect). Something should come out of this though, if only to be remembered as the 'bluesecurity incident'. Personally I was pretty pissed having some jackass hold my gmail account for ransom, especially since bluesec. was so ridiculously effective. FYI, despite the threats, I have received no greater amount of spam than when I was first threatened on Monday (Sunday). I don't think their database was compromised despite what joe spammer tells us.
  • Take them out (Score:2, Insightful)

    by Anonymous Coward on Thursday May 04, 2006 @11:50AM (#15262940)
    The spammer is in Russia. Let's hire the mafia and take him out. Blue security has 500,000 members. If we all put in $1.00 each, we should manage to hire someone to take the spammer out. He won't be a problem after that, and he won't send any more spam.
  • by Anonymous Coward on Thursday May 04, 2006 @11:59AM (#15263058)
    Let's review, shall we?

    First, these idiots set up an "anti-spam" service whose response to abuse is...abuse.

    Second, they use a fraudulent corporate name. (Use Google and search Usenet.)

    Third, they locate themselves on a network that also happens to house one of the scummiest spammers on the planet.

    Fourth, they decide to redirect an incoming attack at an innocent third party.

    The only surprising thing is how many morons have actually DEFENDED these idiots.

    Recommendations:

    1. Permanently blacklist their domain(s).
    2. Firewall off their network.

  • Re:Blame fest (Score:2, Insightful)

    by forevermore ( 582201 ) on Thursday May 04, 2006 @12:02PM (#15263093) Homepage
    the site hasn't been responding any time I've tried recently.

    That would be because SixApart got the registrar/dns host to point bluesecurity.com to localhost (127.0.0.1) so unless you're running a webserver on your own box, you won't get anything.

    The main news behind this story isn't that a spammer is attacking SixApart, but that bluesecurity, which claims to be a consumer-friendly anti-spam service, in its time of crisis chose not to just take the hit, but instead shared their misfortune with a huge community of unrelated people. Their solution was to repoint the DNS entry for bluesecurity.com to their blog. They did not ask, they didn't even inform SixApart that it would be happening. They completely took out the network of an uninvolved company for 4 hours, and until SixApart got the bluesecurity DNS record changed, service for their customers was minimal at best.

    I don't care what the motives were behind bluesecurity's stunt. Anyone dumb enough to pull a trick like this deserves whatever they have coming to them from SixApart's lawyers.

  • by deroby ( 568773 ) <deroby@yucom.be> on Thursday May 04, 2006 @12:05PM (#15263112)
    Actually, I very much doubt that the BS client (aka 'the frog') is causing all the traffic. Most likely it's the spammer's bot-net (aka zombies) that's responsible for all the traffic causing the DDOS. Not quite like it's costing the spammer a lot, but on the other hand he probably would rather have that infrastructure being used for other things.

    Don't know why but there seems to be a lot of posts going around pointing at BS as if their /Modus Operandi/ is to DDOS other sites. I'd like to repeat: IT ISN'T! Simply put: a user gets a spam mail in his in-box, forwards it to the BS-server and BS finds out which company is being promoted. Next, the user has a client running that downloads the name of the relevant website and a script on how to fill in the opt-out request and executes it. That's it. A simple 1 to 1 relation.

    All this could easily be done manually, but it would take quite a lot of time for the user. Automating it like Blue Security did makes it so that more people will end up actually sending the opt-out request (rather than simply letting out a sigh and pressing the delete button) and hence the owners of given websites will hopefully start to understand that they rather should revert to different strategies than spam for making money. Apparently these websites are usually hosted on low-cost infrastructure that is not happy receiving hundreds, thousands, if not ten-thousands opt-out requests the day after one of their spam-puppets sends out a couple of million emails.

    My 2 cents

    PS: I've been using the BS client for quite some time now and I'm very pleased with it actually. Like one of the posters said: "If the spammers are starting to feel it enough to react, then BS must be doing something right.." Couldn't agree more.
  • To Stop Spam (Score:2, Insightful)

    by plaid_piper ( 920238 ) on Thursday May 04, 2006 @12:11PM (#15263164)
    As always needs mentioned, Spam would not exist if it didn't have a market. The base problem is, as it has always been, that people respond to this.

    People could stop clicking, but that is unlikely to happen. Especially in America, people are always looking for the easier path: be it cheaper medication, promises of enhanced "performance," tales of rapid weight loss while sitting on your couch, or the constant get-rich-quick scheme.

    If people actually thought... yes, used higher brain functions... they may realize that it is virtually all just BS.

    It could also be that the general masses don't realize that every time they click on a link or reply to an email, someone is making money. And that is a problem with awareness of how the internet works. Most seem happy to just know that it works.
  • Why not... (Score:2, Insightful)

    by spyingwind ( 961097 ) on Thursday May 04, 2006 @12:41PM (#15263390) Homepage
    Just pull the plug on the web server... or
    redirect the domain name to 127.0.0.1 (taking up to 24-48 hours to update) as one of the other posters posted...

    Why I ask is because where I work we had a similar problem and since I maintain our web server we had no choice but to unplug the network cable. Waited 5 minutes and plugged it back in and voilà! no more DOS.
    My best guess was that as soon as the DOS'er saw that our site was "down" they/it thought that their task was completed.

    It is almost (but not quite the same) as if someone took an ethernet cable and created a loop on the same pair of switches. (i.e. two switches are connected to each other. Then some random idiot looks at them and plugs in a spare cable in to both, creating a network loop.)
  • by Animats ( 122034 ) on Thursday May 04, 2006 @12:43PM (#15263409) Homepage
    Six Apart mitigated the attack to the point where it was no longer causing major availability problems, but had been unable to contact Blue. The anti-spam firm is headquartered in Israel, where May 3 was a public holiday.

    This is a 24/7 business. A serious online service vendor can't have company holidays. Least of all in the security business.

  • Re:Shifting attack (Score:4, Insightful)

    by anagama ( 611277 ) <obamaisaneocon@nothingchanged.org> on Thursday May 04, 2006 @12:57PM (#15263522) Homepage
    Does Bluesecurity have a linux or mac client yet? Spammer is an idiot. 1) he raises awareness of what bluesecurity does. 2) he makes it look like BS works -- why else would he waste resources he could be using to spam or extort people, it must be hurting him. Effectively, this is great for PR Bluesecurity -- how much would a worldwide advertising campaign have cost?
  • by bezzeb ( 442597 ) on Thursday May 04, 2006 @12:59PM (#15263558)
    Guys, I'm growing tired of the high moral argument that "it's not right to fight abuse with abuse" or "eye for an eye still leaves you blind".

    War and drama aside: I keep waiting for someone to make this point but I'm not seeing it yet.

    Spam is a solicitation to contact the advertised party in the hopes that you will give them money. Otherwise known as an advertisement. THEY CONTACT US. It's called the free market. In turn we all have the right to use the communication path they supply to request that they leave us alone.

    Is it illegal to contact some company you see on a billboard or in a TV commercial? What absurdity! What is this world coming to where everyone gets sucked into DDoS drama at every chance? Blue Froggers are just doing business within the realm of the law. No stretching the rules. No sensationalism.

    The only reason spammer servers crash is because they aren't prepared and are poorly designed. They have two options:
    1. Seriously upgrade their infrastructure to handle whatever degree of responses their advertisements generate & hire more staff to process the hits their ad generates.
    =or=
    2. Seriously decrease their advertisements to be in line with their capacity to manage their generated traffic.

    It's just economics and common sense. This DDoS talk is a waste of time - the Blue Frog client is much nicer to the spammers than they are to us. And this huge amount of anger directed at Blue Frog is proof that it bites into their freedom to be irresponsible.

    They can keep their pill pushing sites - I don't care if there are suckers out there dumb enough to give them money. I just want them to stop bothering ME. They will never get one red hot cent from me. They WILL get endless trouble from me as long as they continue to disrespect my privacy.

    All the best folks!
    B.
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday May 04, 2006 @01:00PM (#15263569) Homepage Journal
    You're not SERIOUSLY saying that hitting the delete key, or any amount of bandwidth, is actually equal in value to a person's life, are you?

    I'm certainly not. I want to see them in PMITA prison and destitute, but not dead.

    However. According to a report from 2004 [spamfo.co.uk], spammers sent about 12.4 billion messages per day. If it takes one second per email to delete, then that consumes 393 person-years to remove from our collective inboxes. Assuming an average lifespan of 75, that means spammers use the entire lives of over five people each and every day.

    Put in the context that they're effectively killing 1900 unwilling people per year, that proposal doesn't seem quite as unthinkable.

    Again, I don't encourage violence against spammers. Still, I can see the point of people who do, even though I don't reach the same conclusion.

  • by Kelson ( 129150 ) * on Thursday May 04, 2006 @02:30PM (#15264441) Homepage Journal
    So, do you have any better suggestions, if not then I kindly ask you to omit your views until you can add something to the cause.

    OK. Here's one. Summary execution for spammers and their families. It would solve the problem more effectively than anything else we've got.

    You don't have any better suggestions? Then don't you dare criticize this one!

    Sorry for the Modest Proposal (I do not advocate killing people over spam!), but the point I'm trying to make is: it's entirely legitimate to criticize an idea without suggesting an alternative. Unless you're making a split-second decision, it's worth looking at the downside before you implement a plan. Sometimes you'll decide it's worth it, at least for now, and other times you'll decide you're better off going back to the drawing board.
  • Re:Guilty of what? (Score:1, Insightful)

    by Anonymous Coward on Thursday May 04, 2006 @02:41PM (#15264540)
    "Is it unethical to redirect the DDoS you are getting hit with? Yep, I'd say so if you do it intentionally.
    Is it illegal? Nope, not in any sense of the word."

    Well, I *could* call it "aiding and abetting". Someone does not need to be a robber to be tried as one (think of the guy driving the getaway car).

    And I can surely see a case where the provider of the packets causing a DDoS would be convicted, and another conviction for someone who directed the flow of those packets to a known party ....

    Maybe you could look at it like this: You might get hit by a large quantity of water, which threatens to damage your property. You are surely permitted to try to get rid of that water. But to transfer the water to a known other person, resulting in his property getting damaged like you were afraid it would do yours is premeditation.

    The second, damaged person is then surely within his rights to claim damages. And if the judge is willing, he won't permit the redirector of that water to re-claim those damages from the person who sent it in the first place.
