What Happened to Blue Security

shadowknot writes "Blue Security has published a detailed account of the attack on their servers perpetrated by spammer "PharmaMaster". The attack included a DDoS attack on the Blue Security operational system and a Black Hole filtering attack on the Blue Security website. From the article: "The first attack was to block worldwide access to Blue Security's corporate website (www.bluesecurity.com) by tampering with the Internet backbone using a technique called "Blackhole Filtering". The Second attack was a DDoS attack on Blue Security's operational system."

publicity!

[celardore]

Even if the servers were temporarily downed, the publicity generated from this incident surely got quite a few new members.

Heck, I even signed up; shall have to wait and see if it's worth it though.

Pharma master identity

[Anonymous Coward]

So who is Pharma master? With all the info that's been compiled on the top spammers, isn't this guy in ROKSO yet?

Lets find him and show him some "affection".

This isn't just between PharmaMaster & Bluefro

[DigDuality]

Apparently spammers are lining up to help out Pharmamaster from the SpecialHam forums. Digg.com users yesterday attempted lauching multiple types of bandwidth vampirism and DDOS attacks on SpecialHam yesterday as well. http://digg.com/technology/SPAMmers_really_pissed_ off_at_bluesecurity,_read_their_message_board [digg.com]

Backbone level blackholing?

[ladybugfi]

>Blue?s operational team reports on more symptoms supporting PharmaMaster's claims that the backbone of the Internet was compromised (blackhole filtering at the backbone level).

No offence to the Blue guys' disrupted service, but I think this is the most interesting bit. I wonder whether this description is correct and if so, how the spammer achieved THAT.

Client List NOT Compromised!!!

[cyberscan]

What happened was that the spammer complied with instructions from Blue Security to download a program that washed Blue Security protected email addresses from the spammers' sucker list. When theis program was run on the spammer's email list Blue Security email addresses were purged. The spammer simply compared the purged list against his unpurged list and listed all the email addresses that were removed. He then sent the threatening emails to any email address that was purged from the original list.

Blue Security is up and running again. Not only will I continue to use the Blue Frog, I will also promote it now. I do not like bullies, and will do whatever I can to stop them. Blue Security and others that help people punch back against spammers should be commended. I myself have written a signed applet that also punishes spammers.
One can look at it by visiting http://www.plaza1.net/SpammerSlapper [plaza1.net] .

The applet is GPL, and the source code is embedded in the applet. If you do not want to actually punish spammers, do not accept the certificate. I am also thinking about creating a java application that works in a similar way to Blue Frog - only the complaint instructions will be distributed via a peer to peer protocol and cryptographically signed. Any ideas on this one?

What is?

[towsonu2003]

What's "blackhole filtering"?

Re:DNS Vulnerabilities

[mikeisme77]

Amen to that. I had never heard of BlueSecurity before this fiasco, but now that I've heard how much trouble they can give these jackass spammers and that they stick to their guns (no matter the cost), I'd like to support them in some way (although I probably won't join the network, as I don't agree with their methods of stopping spam).

DDoS Extortionists

[Council]

this [csoonline.com] is a really cool story about how a company handled a DDoS attack by organized crime.

Re:Backbone level blackholing?

[Anonymous Coward]

Sounds like they paid off some people...

"
* ICQ Message: "Support [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
* "[tier-1 ISP name withheld] will block traffic to your websites god i love this war :)""

This was more clear on some other article, but I can't find it at the moment. The spammers supposedly have an engineer on a backbone helping them. All I want to know is how the engineer expected not to be caught (I'm assuming he is caught... or there is a whole heck of lot more corruption out there than I thought)

Re:DNS Vulnerabilities

[Spy der Mann]

...and imagine the PR campaign that Blue Security is going to have to wage to get any credibility back.

Um, how about "no such thing as bad publicity"?

In my journal i commented that the attack on Six Apart was the web equivalent of Pearl Harbor [slashdot.org]. It not only (possibly) called the attention of the authorities towards PharmaMaster, it also became worldwide famous: I've been searching blogs [google.com] for "blue security" and I've seen a lot of comments from people wanting to sign up when they're back online. One blogger in particular (forgot the url) said that "Blue Security" became the top technorati search during the attacks.

Re:publicity!

[ltwally]

Agreed. I'd never heard of Blue Security until this story hit the news. Now I'm a member, too. I'd be willing to bet that we're not the only ones, either. Blue Security probably just doubled its membership with this story.

Looks to me like this Pharma dude really shot himself in the foot.

Sad state of backbone administration

[Anonymous Coward]

When you read Blue Security's press releases, it seems obvious they are a little on the desperate side, trying to figure out how to deal with this Pharmamaster character who has reduced their network to its knees. What's unfortunate about the situation is that it calls the light the sad state of backbone administration where the major providers can't or won't do anything about the situation, and a company is left trying to appeal to the general public to do something about it.

Of course if the attack had occurred against a company like General Electric or Eli Lilly, the perpetrator would be in jail right now.

It seems obvious the perp is an American. It shouldn't be that difficult to track him down, especially since he's IM'ing the victims.

_Detailed_ timeline?

[Whizard]

Wow, if this is a detailed timeline, I'd hate to see the summary.

"Some shit happened."

As a security guy, this could have been really interesting, but it's not.

Re:Backbone level blackholing?

[Moqui]

Or PharmaMaster is said Engineer at a backbone provider.

Re:Client List NOT Compromised!!!

[macz]

I like the idea of slapping spammers, but isn't this giving them what they want (Traffic)? Is the idea here do DDoS the spam sites if enough people use this?

Re:For the lazy :)

[jefu]

But!

Reading the account in TFA reveals that Blue Security was not undergoing a DDOS attack and that the DDOS attack on Typepad starts well after the address is redirected. Then the spammer seems to have widened the attack to bring down as many people as possible to make it look like Blue Security is at fault (which, at least according to their story - be nice to hear PharmaMaster's account, if he/they are not too cowardly to say anything) they were not.

I'm not a Blue Security user, but if they've managed to make a spammer this cranky, I'm going to seriously consider it.

Not technically accurate...

[Spy der Mann]

This was truly lame and inexcusable - redirecting the attack from themselves to someone else.

Notice that the bluesecurity.com website was *NOT* being flooded with packets. On the countrary, it was routed to null for all the internet except Israel. In summary, there were 4 different DOS attacks:

* Packet flooding (lots of traffic) the operational servers (the ones doing the opt-outs)
* Null routing blue's www (no traffic)
* Packet flooding the redirected www at Six Apart (lots of traffic)
* Packet flooding Tucow's DNS servers (lots of traffic)

So, technically, blue security didn't redirect the attack.

Re:For the lazy :)

[shish]

This was truly lame and inexcusable - redirecting the attack from themselves to someone else.

If I'm reading correctly -- Up to that point, the DDoS was on BS's dedicated machines, the site itself was blackholed rather than under attack; hence they weren't redirecting an attack, just redirecting users who wanted to know what was going on.

Also, I note the URL you have on your post...

?H?uh???

[Anonymous Coward]

One of the world?s largest spammer?s, ?PharmaMaster?

This was from IE 6.0.2800. As I'm at work I haven't looked in Firefox to see if it's equally retarded..

If they can't write HTML that will display properly in all browsers, particularly with the one 80% of surfers use, can they really be "good with computers?"

And if the question mark in "spammer?s" is supposed to be an apostrophe, they're not only incompetent but illiterate.

Perhaps the spammer took them on because they were an easy mark? These folks should hire a web designer that knows HTML and what it's for (hint: conveying information), and if that one question mark is supposed to be an apostrophe, a copyrighter who isn't a retarded illiterate.

However, the fact that they were complicit in the spammer's taking blogs down also shows their lack of competence.

That said, who is this "PharmaMaster?" I'd like a real name and meatspece home address so I can forward all of my snail junk mail to him and encourage arsonists to burn his house down preferably with him in it. It's time for a little bloody vigilantism, folks. Lets kill some spammers. Blue Security, who is this guy and why are you helping him stay anonymous?

Re:Tucow bad behavior?

[drinkypoo]

Look at it this way - if you had a small company, or even a big company, and your entire network was down due to a client who gives you $20 a year - what would you do? Keep the client out of honour, but go out of business anyway?

Look at it this way - are you going to forget that Tucows turned off a legitimate client? Me neither. Are you going to consider Tucows next time you need a corporate provider? Me either.

this is black hole filtering:

[Anonymous Coward]

From:http://72.14.207.104/search?q=cache:daxdV_-e7 aQJ:www.cisco.com/warp/public/732/Tech/security/do cs/blackhole.pdf+Blackhole+Filtering&hl=en&ct=clnk &cd=1 Benefits of Remotely Triggered Black Hole Filtering Black holes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been detected, black holing can be used to drop all attack traffic at the edge of an Internet service provide (ISP) network, based on either destination or source IP addresses. RTBH filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge or anywhere else in the network to specifically drop undesirable traffic before it enters the service provider network. RTBH filtering provides a method for quickly dropping undesirable traffic at the edge of the network, based on either source addresses or destination addresses by forwarding it to a null0 interface. Null0 is a pseudointerface that is always up and can never forward or receive traffic. Forwarding packets to null0 is a common way to filter packets to a specific destination.

Re:This isn't just between PharmaMaster & Blue

[Kijori]

To help out with Digg's effort, visit this page: http://konspence.com/specialham/artistcopy.htm [konspence.com]. Just leave it running all day, you'll use a few hundred MB of bandwidth on your own.

Summary for the lazy:

[Zaphod2016]

For those new to this whole "BlueFrog" story, unsure who is the "good guy":

Pro:

• Ignoring never serves to fix anything. Just ask my little sister.
• "If the spammers are pissed off, they must be doing something right." - /. & digg

Con:

• As I understand it, this company is backed with VC cash.
• We *might* be witnessing the most creative advertising campaign in the history of the Internet.

Re:"operational system"

[HRogge]

Great... so by subscribing at blue security I can force the spammers to multiply their bandwidth by 20-40 ? Sounds like a DDoS for me. :)

time for an apology from Typepad?

[Anonymous Coward]

I wonder if Todd Underwood at Typepad will have the balls to apologize for the bull he was spreading about Blue Security deflecting a DDOS attck onto their servers as well as not believing that Blue Security had been blackhole filtered.

How about it Todd? Ready to blame the criminal and stop blaming the victim or what?

Re:What nonsense

[NeutronCowboy]

Nearly all traffic crosses UUNet backbones at some point. I've never heard of BTN (and I did worldwide network performance analysis for over two years not so long ago), so I can't imagine them carrying much traffic without routing through some other Tier-1 provider very soon. As for Telia, they don't carry much traffic. If PharmaMaster really managed to convince someone at UUNet to blackhole a website, it's very conceivable that no one outside of Israel would be able to access them.

My letter to tucows

[bblboy54]

I'm mailing this via the postal service today:


May 8th, 2006

Tucows, Inc.
96 Mowat Avenue
Toronto, ON
Canada M6K 3M1

To whom it may concern,
I just wanted to express my extreme disappointment regarding your recent actions to disable Blue Security's account in an attempt to stop the attacks of a notorious spammer. I fully understand that the attacks were a technical nightmare for your team, however, it is unbelievable that you would rather give in to a criminal and follow their demands and step on an organization that aims to protect innocent citizens from around the globe. Regardless of what your motive was, this action clearly states that you are more interested in profit than you are about ethics. As a result, I am recommending that all contacts I have that use Tucow's services remove their accounts and utilize a service which supports consumer protection. It is my sincere hope that should a similar situation arise, you will think of the company that is trying to protect the Internet.

Re:DNS Vulnerabilities

[jjhall]

What part of their methods do you not agree with? All they are doing is automating what you could do on your own. For each spam message you send them, they analyze it and set up a script to make ONE opt-out request on the spammer's website (where they are selling their product) and ONE message each to some and/or all of the upchain ISPs, government agencies that have jurisdiction over the crime, etc. They then forward that script to your BlueFrog client running on your system. If you are the only person that got that spam message, that one message is all that is sent to the spammer and the appropriate authorities.

Now if the spammer sends that message to 1000 BlueSecurity members, they will get 1000 messages generated and sent, one from each of the users they spammed. If they send it to 5000 users, well you get the idea. The more Blue people they spam, the more opt-out requests they get. One for one.

You have a right to do it by yourself, tracking filling out forms on the spammer's ordering site, forwarding a copy to the ISP of the originating IP and/or mail server, forwarding it to the FDA if it is a drug relates spam, etc. How long will that take you? You could easily spend a few hours a day or more doing that.

Enter BlueSecurity stage right. They hire staff to track down the senders of that spam message you just received, just like you would have done. The difference is they take that information and distribute it to everybody else they know received that spam as well.

The thing is, these spammers should understand they have absolutely 0% of a chance of selling that item to any of the members of the Blue community. Why are they bothering to do this when it has no chance whatsoever of giving them even a single cent of profit? They should be happy to have the chance to clean their leads list. I've done telephone sales in the past (calling existing members about renewals) and I was happy to remove people who didn't want to be called from the list. For every person I removed from the list, it meant one less guaranteed no-sale next time the membership list cycled. In the long run I made more sales, and actually helped more people save money (it was cheaper to renew via phone than via the normal process) on a product they wanted.

I understand the calling I was doing is completely different than the spamming in this topic, but the end result is the same. The more guaranteed "no" leads you remove, the higher you sales percentage will be, and the more profits in the long run.

I had heard about Blue before this mess, but never got around to checking into their methods and signing up. Now that I see they are effective, and feel comfortable on how their network and client works (I also thought they DDoS'd the sites until I looked into it,) I have signed up. Now I'm waiting for their system to become fully functionable again so I can verify my account and start kicking spammer tail!

Jeremy

Re:This isn't just between PharmaMaster & Blue

[budgenator]

These guys must be on an alternate plane of reality!

No software from Northworks Solutions Ltd. may be used for spamming activities. Any software from Northworks Solutions Ltd. that collects emails can only be used for information / database management purposes on legally-owned link / email addresses / servers and databases. The creator / distributor of any software from Northworks Solutions Ltd. can't be held responsible for any misuse of software from Northworks Solutions Ltd. for spamming or any other activity that may be considered illegal in the software users state / country. The creator / distributor doesn't support spamming. By using any product from Northworks Solutions Ltd., you agree to use them legally. No software from Northworks Solutions Ltd. can be considered spamware. ...
Using any software program from Northworks Solutions Ltd. you agree to comply with the laws of your current residency, the European Union, the United Kingdom and the United Kingdom Data Protection Act of 1998.
Anti-Spam Policy, © 2003 by Northworks Solutions Ltd. [northworks.biz]
    info@northworks.biz

LOL!

ECraw Price: $395 / license.
  When you purchase the full version you will be allowed to use it on 1 computer and move it a maximum of 2 times ... ECrawl and has the ability to reach speeds of over 2,000,000 emails per hour, which makes it the fastest website email harvester ever developed.

ProCrawl Price: $395 / license.
  When you purchase the full version you will be allowed to use it on 2 computers and move it a maximum of 2 times. You will need an extra license for each computer beyond the second which you would like to run ProCrawl on. If you wish to obtain 2 or more copies, then please contact us. This product comes with a lifetime license and free support.
    ProCrawl ... extracts emails directly from the mailservers. It can with ease find millions of emails per hour when working on a normal DSL connection. This extracts emails with the highest speed an accuracy compared to any other programs on the market.

Sure we don't let our software be used by spammers!

Could be a BGP blackhole route

[anticypher]

Looking now, BlueSecurity seems to have moved their operations to Prolexic [prolexic.com] as of a few hours ago. This will buy them some DDoS protection. Prolexic is based in Miami, and most of my traceroutes are getting lost in Phoenix, but I can't tell if that's something Prolexic is doing or a very clever blackhole.

Netvision also seems to have GlobalXing/AS3549 as a transit provider.

My suspicion (since I don't have a looking glass with a historical search), is that someone with access to the main BGP reflectors inside of either UUNET or GlobalXing managed to make an announcement that they had a local router with a route to AS1680, and then that router just blackholed any traffic to those netblocks. It was happening during the L3/Cogent wars last year, L3 was announcing Cogent netblocks, and blackholing the traffic. If one major backbone such as UUNet makes a false BGP announcement, it could effectively block much traffic from the US to Israel, but European sites would still mostly see Israel as closer.

My next best theory is that someone at LimeLight Networks(AS3549, a GLBX reseller) is sending poison BGP announcements, but I don't see any in looking glasses.

That kind of technically advanced activity, especially with the potential for huge economic losses, should trigger an FBI investigation. Of course, the FBI isn't going to admit anything or post updates on /. until they hand up indictments to the court and make some arrests.

the AC

Re:Tucows are cowards!

[joatamon]

I'm a BlueFrog user, and I received 30 or 40 spam messages a day during the attack on Blue Security. I reported each of them to SpamCop, and SpamCop gave Tucows as the "abuse" address for a large percentage of the web sites listed in the spam messages. I've been seeing Tucows sites in my spam for months. If the SpamCop analysis is correct, then it would appear that Tucows is profiting from the spam.