[Infowarrior] - Under Attack, Spam Fighter Folds

Richard Forno rforno at infowarrior.org
Tue May 16 22:40:38 EDT 2006


Under Attack, Spam Fighter Folds

By Ryan Singel
19:30 PM May 16, 2006
http://www.wired.com/news/technology/1,70913-0.html

A startup whose aggressive antispam measures drew a blistering counterattack
from spammers two weeks ago that brought down the company's servers along
with a wide swath of the internet is shuttering its program that targets
junk e-mailers.

In an interview with Wired News, Blue Security CEO Eran Reshef said the
Israel-based company was closing its service Wednesday since he did not want
to be responsible for an ever-escalating war that could bring down internet
service providers and websites around the world and subject its users to
denial-of-service attacks from a well-organized group in control of a
massive army of computer drones.

"Our community would very much like us to continue on the fight against
spam, and our community has grown over the last week," Reshef said. "But at
the end of the day if we continue doing so, within a few days, major
websites will go down. I don't feel that this is something I can be
responsible for. I cannot go ahead and rip up the internet to make Blue
Security work. This is not the decision a commercial entity can make."

The abrupt decision ends a high-profile standoff between spammers and a tiny
startup whose unorthodox methods had seemingly stymied some of the most
prolific purveyors of junk e-mail in the world, if only temporarily. For a
few intense days, the fight showed with shocking clarity the lengths to
which some spammers will go to protect their businesses, and the devastating
arsenals at their command.

The lesson to be learned, Reshef said, is that large ISPs and governments
need to recognize that spammers are connected to criminal syndicates and
that they, not a small startup, are the only ones who can shut down these
networks.

Blue Security's 500,000 users had been successful in convincing six of the
top 10 spam operations in the world to use its open-source mailing-list
scrubber, which Reshef said proved that Blue Security's technology and
approach were effective.

But other spammers responded differently.

Starting May 2, a spammer known as PharmaMaster used a massive network of
zombie computers to flood Blue Security's database servers with fake traffic
and hijacked a little-known Cisco Systems router feature known as "blackhole
filtering" to block anyone outside Israel from accessing Blue Security's
homepage.

The spammer also unleashed a torrent of spam targeted to a subset of Blue
Security users, which the spammer had likely gotten by scrubbing an e-mail
list and then comparing the old list with the new list. Any addresses
removed from the old list could be identified as Blue Security users.

The distributed-denial-of-service attack brought down the databases, and the
collateral damage included hundreds of thousands of websites and mail
servers hosted by Tucows, according to Elliot Noss, president and CEO of
Tucows, the internet's largest domain registrar.

"Just in terms of pure scale, it's pretty safe to call it massive," Noss
said. "I think that really the most interesting observation was how
distributed it was. We sampled IP addresses and over 70 percent were
unique."

Blogging software provider Movable Type's hosted service, TypePad, also fell
victim to PharmaMaster's bot network, after Blue Security realized that no
one could reach its homepage and posted a message to its users on its old
blog. Thirty minutes later, PharmaMaster started an attack that brought down
thousands of blogs.

Blue Security's Blue Frog antispam tool worked by having customers install a
small piece of software in their browsers that they used to report spam.
After aggregating the reports, Blue Security would try to contact the
spammers, the websites of companies being advertised and their ISPs to try
to convince the spammers to clean their lists of e-mail accounts on the
company's Do Not Intrude list.

If that did not work, Blue Security would write a custom script that spam
recipients could use to send an opt-out request to the advertised website.
In practice, that meant that hundreds of thousands of Blue Frog users could
attempt to opt out at once. In addition, the software would fill in online
order forms with the opt-out request if there was no other way to
communicate with a spammer-advertised website.

This tactic, which Blue Security says is legal under the Can-Spam Act, was
controversial with spammers and some antispammers alike.

Spammers complained in internet forums that the opt-out requests were simply
a denial-of-service attack.

Anne P. Mitchell, president and CEO of the Institute for Spam and Internet
Public Policy, is also a vocal critic of Blue Security's tactics who thinks
the company was breaking computer crime laws by having its members fill in
order forms with opt-out requests.

"Do you think Blue Frog cares if they are knowingly causing customers to
break the law of their own home country?" Mitchell asked. "They don't care
because they are sitting in Israel."

But Peter Swire, a law professor and former head privacy official for the
Clinton administration, looked into the company's operations, found them
legitimate and innovative, and signed onto the company's advisory board
earlier this year.

"I get one spam e-mail and my computer sends one opt-out request," Swire
said. "That is exactly what Can-Spam gives me the right to do."

Swire says he understands why Reshef has decided to shutter the service,
because these levels of attacks are too much for a small company to
withstand.

But he says the company showed that this tactic can work.

"If little Blue Security can affect 25 percent of spam, then this approach
shows great promise if the big boys get involved," Swire said. "If there is
a concerted effort by the big ISPs or by the government, the Can-Spam Act
provably is the basis for reducing spam."

Eric Benhamou, chairman and CEO of Benhamou Global Ventures and one of Blue
Security's lead investors, said he knew going in that Blue Security's task
was difficult. Benhamou is not writing off Blue Security, whose technology
he says has other uses, but he supports the company's decision to shut down
in order to avoid more collateral damage.

"We knew it would get really serious when the adversary was wounded," he
said. "There were no surprises on my part. When I first did my due
diligence, Eran and Amir (Hirsch) told me clearly that they knew how to
build the technology to accomplish this but weren't sure of the overall
business proposition. I said that's fine, because I want to explore
something that hasn't been done before and before there were only clever
filters. This was totally innovative."



