Attack of the Bots - The New Internet Mafia, Latest Threat to the 'Net

ScioAgapeomis said:
Maybe one possible reason for this appeal is the way an engineer's mind works - a tendency to escape common assumptions and question reality itself at its very core - at least certain aspects of reality, and the C's present the same approach and propose we do it for ALL aspects, philosophical and physical and mysterious alike.
I noticed this long ago, first from my boss, then from my sister, who are both engineers. Their logic works differently for sure. Maybe it's the wiring of the brain.
http://deepfreeze9.blogspot.com/2006/06/engineering-brain.html This blog mentions much the same.

About the false flag operation, seems logical. Instead of passing a law with much controversy and upheaval, "they" could just crash unwanted sites like this (does this make sense? I am quite illiterate in these subjects)
 
Another article I found on this.

http://www.cbronline.com/article_news.asp?guid=F7152D27-E10F-433B-B1E6-57B3B48EF892

Computer Business Review said:
BlueFrog spammer war whacks blog site
4th May 2006
By Kevin Murphy
Six Apart Ltd, which runs the popular LiveJournal and TypePad blogging services, yesterday became the collateral victim of a very big, very sophisticated denial of service attack mounted by a Russian spammer against an unrelated security company.

The attack, which we can reveal was part of an extortion scam against users of Blue Security Inc's anti-spam software, caused hundreds of bloggers to complain about the downtime, during periods of intermittent blog access.

Six Apart told its millions of bloggers it had experienced "intermittent and limited availability for TypePad, LiveJournal, TypeKey, sixapart.com, movabletype.org and movabletype.com", before resolving the issue in the early hours of Wednesday May 3, 2006.

"He's trying to rip apart the internet just to make our community stop fighting back against spam," Blue Security's chief executive Eran Reshef said of the spammer he believes launched the attack.

LiveJournal and TypePad found themselves suffering the brunt of the attack when Blue, which says it has been targeted by a "top four" Russian spammer, redirected the front page of its website to a blog hosted at TypePad's data center.

"The major denial of service attack at TypePad was because of us hosting with TypePad," Reshef told Computer Business Review.

TypePad general manager Michael Sippey told us that the company's servers started feeling the DDoS at about 4pm US Pacific time on Tuesday May 2, and that it was still going on 24 hours later.

Six Apart mitigated the attack to the point where it was no longer causing major availability problems, but had been unable to contact Blue. The anti-spam firm is headquartered in Israel, where May 3 was a public holiday.

Ryan said:
Interesting timing for an attack.

"From the pattern of attack it was unclear whether they were going after an individual blogger or going after us," Sippey said. He described the attack as "very big" and said whoever the culprit is, "he's very determined".

Reshef said Blue replaced the front page of its site with the TypePad blog to keep its users up to date with events, and disagreed with commentary that said Blue acted irresponsibly by passing the DDoS burden to Six Apart.

"We didn't offload any DDoS," he said. "That's like blaming the victim of a crime."

Ryan said:
Ah yes... playing the "victim" card... where have we seen that M.O. before?

He says he knows who's behind it. He would not give a name, but said it was a "top four" spammer, who speaks Russian. That doesn't narrow it down much - the Register Of Known Spam Operations has two Russians and one Ukrainian in its top four.

Blue's software, BlueFrog, automates the process of complaining about spam, swamping spam sites with unsubscribe requests. The firm says its service is perfectly legal, but critics say it can cause DDoS effects and looks like vigilante justice.

The fight kicked off, according to Reshef, because the spammer became frustrated with the impact of BlueFrog on his business, and decided against removing BlueFrog subscribers from his mailing list.

"He started threatening our members. He said that if you do not uninstall it, we will send you more spam," Reshef said.

The company has about 450,000 users. Reshef said that the world's top two spammers have already decided to remove BlueFrog users from their mailing lists, which is the whole point of the system.

"You were expecting to receive a lesser amount of spam," the spammer's email said, "unfortunately, due to the tactics used by BlueSecurity, you will end up receiving this message, or other nonsensical spams 20-40 times more than you would normally."

"By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop receiving this," it said. It gave recipients 48 hours to remove themselves from Blue's database and uninstall the software.

A second email accused Blue of putting malware on its users' machines, accused its staff of being former spammers, and made an apparent attempt to play to any latent anti-Semitism in the company's customer base.

The attacker got the email addresses by cleaning his mailing list with an encrypted list of BlueFrog users, which Blue routinely provides to spammers as part of its service, then comparing it to his un-cleaned list, Reshef said.

After that, the attacker went after bluesecurity.com, somehow managing to have it rendered inaccessible to users in the US and Europe, while leaving it accessible in Israel, according to Reshef.

Reshef said the company has been in contact with the spammer via ICQ and that the spammer had claimed that he had carried out what he called a "backbone subversion" attack against a tier-one IP backbone.

Reshef added that the spammer had provided what purported to be a partial transcript of an ICQ chat between himself and an engineer at the backbone provider in question, in which the engineer agreed to be complicit in disconnecting Blue.

We could find no person or reference to explain whether such a thing as "backbone subversion" even exists, and spokespeople for the carrier in question had no information on the matter, so we won't name the company here.

Reshef said he did not necessarily believe the spammer's claims about the backbone provider and its engineer.

The spammer also launched a conventional bandwidth-consumption DDoS attack against bluesecurity.com. It was around this time that the company opened its new blog, which meant TypePad got whacked.

Reshef indicated that a few thousand domains managed by a top-five domain name registrar may have been impacted by the attack too, but an executive at the registrar told us that it had seen some upstream troubles but no direct attack.

Neither Reshef nor TypePad's Sippey were comfortable talking about the technical details of the attack. Sippey said he did not believe it used the potent "DNS amplification" technique that emerged earlier this year.

This whole Blue Security DDOS episode stinks. If Reshef knew who the spammer was, why not go to law enforcement straight away? And how did he get the spammer's ICQ details? And how can you chat with a spammer over ICQ when your network has supposedly been taken off the air by a "backbone subversion" attack?

As a network tech myself, I've never heard of a "backbone subversion" attack (try googling the term and see if you can bring up 5 different references not related to the Blue Security incident), and if the spammer did actually get someone in a major Telco to block Blue Security, that person would quite likely be found out, as relatively few people have the necessary router access for that sort of thing.

Extra digging only confirms my suspicions that something is "off" here. If it was a psy-op, then it was a bloody good one, as Blue Security dragged nearly half a million users into their plan.
 