A dispute between a mysterious Russian spammer and an Israeli antispam firm spilled over to the rest of the Internet on Wednesday, when denial of service attacks aimed at the Israeli firm’s Web site knocked out servers that host millions of blogs.
Blogging company Six Apart suffered a sophisticated denial of service attack Tuesday afternoon, Pacific Time, which caused service outages at all of Six Apart’s Web sites, including LiveJournal and TypePad. The denial of service attack stems from an ongoing feud between Blue Security and an unnamed spammer disgruntled over that company’s antispam crusade, according to Blue Security CEO Eran Reshef.
Blue Security, based in Haifa, Israel, operates the “Do Not Intrude” list. The company allows individuals to register an e-mail address on the list, and then tracks spam messages to those accounts with desktop client software, known as “Blue Frog.”
When spam e-mail is sent to a Do Not Intrude Member, Blue Security traces the message to its origin, and then bombards the Web site behind the campaign (known as the “sponsor”) with requests to remove the e-mail message from their distribution lists. Millions of e-mail messages translate into millions of “opt out” requests from Blue Security members, which bog down the spammers’ servers.
In recent days, e-mail users who had registered with the Do Not Intrude list have instead been the target of a concerted spam campaign and received extortion e-mail messages threatening to continue the campaigns unless the users remove their name from the Do Not Intrude registry.
The individual behind the attack, who uses the moniker “pharmamaster” and who is believed to reside in Russia, also cut off traffic to Blue Security’s Web site, allegedly by manipulating routing configurations at a large Internet backbone provider to prevent traffic from outside Israel from reaching Blue Security’s servers.
“This guy is adamant about not letting Blue Security be successful,” said Reshef. Blue Security’s CEO claims to have had instant message conversations with “pharmamaster,” whom he describes as technically sophisticated and apparently all-powerful, but also desperate.
“This is not some kid. This is somebody who has the capacity to take down any site. He’s like a weapon of mass destruction,” Reshef said.
Among other things, Reshef said that “pharmamaster” claimed to have a contact at UUNET who would do his bidding. Rather than launch a denial of service attack against BlueSecurity.com, the spammer instructed the contact to alter the routing tables so that traffic from outside Israel would not reach the company’s servers. Technical staff at Blue Security saw traffic to the company’s site drop precipitously shortly after 4:30 p.m. local time on Tuesday, Reshef said.
But experts expressed doubts about that story.
An analysis of Internet routing records for BlueSecurity.com don’t reveal any changes to the way traffic was routed to the domain in recent days, said Todd Underwood, chief operations and security officer at Renesys Corp. of Manchester, N. H., which sells Internet monitoring and analysis technology.
Instead, Blue Security appears to be the victim of a larger-than-average, but run-of-the-mill distributed denial of service attack, which has gone on unabated for around three days, said Underwood.
That jives with reports in to the Internet Storm Center (ISC), also, said Johannes Ullrich, CTO at ISC.
That should be expected, given Blue Security’s confrontational approach to stopping spam, Underwood said.
“Spammers get pissed off when anti-spammers attack them directly,” he said.
Blue Security couldn’t do anything to avoid the DDoS attack, but Underwood was critical of the company’s reaction to the attack: moving their home page to a blog hosted at Six Apart’s TypePad service shortly after midnight local time on Tuesday.
That brought the wrath of “pharmamaster” to TypePad and Six Apart’s other services, which were knocked offline by a denial of service attack for about seven hours.
A company spokeswoman for Six Apart confirmed the attack, but said Six Apart would not discuss steps that were taken to end the attack.
“That was not friendly, nor was it clever. It’s not a good way to mitigate a denial of service attack,” she said.
Reshefsaid he is taking steps to move his domain over to a hosting provider who is capable of withstanding DoS attacks, but denies that his company’s Do Not Intrude list brought the attacks down on his head.
“This has nothing to do with Blue Security. We’re a solution to spam that’s working. This guy is very desperate and he’s willing to rip apart the Internet to stop (us),” he said.