18 May 2006

Blue Security Mocked by PharmaMaster, Russian spammer

Blue Security cancelled its anti-spam efforts after startling PharmaMaster.

Blue Security CEO Eran Reshef:

"We didn't think PharmaMaster would go to the extreme of launching a denial of service attack against so many organisations. With 20-20 hindsight we wouldn't have made these configuration changes, but at the time we didn't think he'd go so far. My mistake was not anticipating he'd go berserk."

"It's clear to us that (giving up spam-fighting efforts) would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start. Our users never signed up for this kind of thing."

The Blue Frog software tool, produced by Blue Security Inc., operated as part of a community-based anti-spam system which tried to persuade spammers to remove community members' addresses from their mailing lists by automating the complaint process for each user as they received spam. Blue Security maintained these addresses in encrypted form in a Do Not Intrude Registry, and spammers could use free tools to clean their lists against it.

Blue Security ceased operations on May 16th 2006 for fear that the spammers would keep launching mass DDoS attacks against other sites in revenge.

Blue Security CEO Eran Reshef later identified the attacker as PharmaMaster.

Prime suspects for the Distributed Denial of Service (DDoS) attack on Blue Security's servers have been identified in the ROKSO database as Christopher Brown AKA Swank AKA "Dollar", his partner Joshua Burch AKA "zMACk" and "killthem."

Spammers frequently engage in deliberate fraud to send out their messages. Spammers often use false names, addresses, phone numbers, and other contact information to set up "disposable" accounts at various Internet service providers. They also often use falsified or stolen credit card numbers to pay for these accounts. This allows them to move quickly from one account to the next as the host ISPs discover and shut down each one.

They go to great lengths to conceal the origin of their messages, chiefly by spoofing the sender's e-mail address (far easier than spoofing IP addresses). The e-mail protocol (SMTP) has no authentication by default, so a spammer can easily make a message appear to originate from any e-mail address. To prevent this, some ISPs and domains require the use of SMTP-AUTH, which positively identifies the specific account from which an e-mail originates.

In principle, spammers cannot completely spoof an e-mail's delivery chain (the 'Received' headers), because the receiving mail server records the IP address of the actual connection from the previous mail server. To counter this, some spammers forge additional delivery headers so the message appears to have traversed many legitimate servers beforehand. But even when the fake headers are identified, tracing a message's route is usually fruitless: many ISPs have thousands of customers, and identifying individual spammers is tedious and generally not considered worth the effort.
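The Received chain described in the last two paragraphs can be checked mechanically, and doing so is the first step of any spam-source investigation. The following Python script is an added example, not part of the original post and not Blue Security's software: it parses the Received headers of a constructed sample message, walks them newest to oldest, treats the headers written by the recipient's own servers (mx.example.net and mailstore.example.net, assumed names) as reliable, and stops at the first hop where one of those servers recorded a connection from an outside host. The bracketed IP in that header is the address the server actually saw; every Received line below it was supplied by the sender and cannot be verified, which is exactly where the forged "legitimate server" hops end up.

```python
import re
from email import message_from_string
from typing import Optional

# Assumption: these are the recipient organisation's own mail servers, whose
# Received headers were written by software we control and therefore trust.
TRUSTED_SERVERS = {"mailstore.example.net", "mx.example.net"}

# Constructed sample message. The top two Received lines were written by our own
# servers; the bottom two claim a path through a bank's relay, but nothing
# verifies them, since a sender can put any Received line into the data it sends.
SAMPLE_MESSAGE = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mailstore.example.net with ESMTP id ABC123; Thu, 18 May 2006 10:00:00 +0000
Received: from mail.big-isp.example (unknown [198.51.100.77])
\tby mx.example.net with SMTP id DEF456; Thu, 18 May 2006 09:59:58 +0000
Received: from relay3.legit-bank.example (relay3.legit-bank.example [203.0.113.5])
\tby mail.big-isp.example with ESMTP; Thu, 18 May 2006 09:59:50 +0000
Received: from webmail.legit-bank.example ([10.0.0.4])
\tby relay3.legit-bank.example; Thu, 18 May 2006 09:59:40 +0000
From: "Account Security" <alerts@legit-bank.example>
To: user@example.net
Subject: constructed sample

(body)
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the connecting host announced in HELO/EHLO
    r"(?:\s+\((?P<info>[^)]*)\))?"     # optional: reverse DNS and [ip] as seen by the receiver
    r"\s+by\s+(?P<by>[^\s;]+)",        # server that wrote this header
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(header: str) -> Optional[dict]:
    """Split one Received header into HELO name, reverse DNS, peer IP and receiving server."""
    flat = re.sub(r"\s+", " ", header).strip()   # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    info = m.group("info") or ""
    ip = IP_RE.search(info)
    rdns = info.split()[0] if info and not info.startswith("[") else None
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ip.group(1) if ip else None, "by": m.group("by"), "raw": flat}


def find_origin(raw_message: str, trusted=TRUSTED_SERVERS) -> dict:
    """Return the last verifiable connecting IP and split hops into verified / unverified."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin_ip = None
    verified, unverified = [], []
    for hop in hops:                      # headers are newest first
        if origin_ip is not None or hop["by"] not in trusted:
            unverified.append(hop)        # below the trust boundary: sender-supplied
            continue
        verified.append(hop)
        peer = hop["rdns"] or hop["helo"]
        if peer not in trusted:           # first connection from outside our own servers
            origin_ip = hop["ip"]         # the IP our server actually recorded
    return {"origin_ip": origin_ip, "verified": verified, "unverified": unverified}


if __name__ == "__main__":
    result = find_origin(SAMPLE_MESSAGE)
    print("real connecting IP:", result["origin_ip"])
    for hop in result["unverified"]:
        print("unverifiable claim:", hop["raw"])
```

On the sample, the script reports 198.51.100.77 as the only address worth acting on; the two lower lines naming the bank's relay are simply untrusted text. The same logic generalises to any site: the trusted set is whatever servers you operate, and the boundary hop is the one an abuse report should cite.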

Spammers frequently seek out and make use of vulnerable third-party systems such as open mail relays and open proxy servers. The SMTP system, used to send e-mail across the Internet, forwards mail from one server to another; mail servers that ISPs run commonly require some form of authentication that the user is a customer of that ISP. Open relays, however, do not properly check who is using the mail server and pass all mail to the destination address, making it quite a bit harder to track down spammers.
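To make the difference between an ISP's authenticated server and an open relay concrete, here is an added Python model of the decision a mail server makes for each recipient; it is not Postfix or any real MTA's code. The check order mirrors the common Postfix restriction list permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, and the networks, domains and client addresses are constructed for the example. The two "open" policies reproduce the usual misconfigurations: trusting the whole Internet as the local network, or leaving out the final reject so that unknown destinations fall through to accept.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class RelayPolicy:
    """Per-recipient relay decision, modelled on the order of Postfix's
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination."""
    mynetworks: List[ipaddress.IPv4Network]   # hosts allowed to relay anywhere without auth
    local_domains: Set[str]                    # domains this server receives mail for
    reject_unauth_destination: bool = True     # False means "accept mail for anyone from anyone"

    def decide(self, client_ip: str, authenticated: bool, rcpt: str) -> Tuple[bool, str]:
        addr = ipaddress.ip_address(client_ip)
        rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
        if any(addr in net for net in self.mynetworks):
            return True, "permit_mynetworks"
        if authenticated:
            return True, "permit_sasl_authenticated"
        if rcpt_domain in self.local_domains:
            return True, "local destination"
        if self.reject_unauth_destination:
            return False, "reject_unauth_destination"
        return True, "OPEN RELAY: unauthenticated third-party relaying"


# Constructed settings. The hardened server relays only for its own LAN or for
# logged-in customers, and otherwise accepts mail addressed to its own domains.
HARDENED = RelayPolicy(
    mynetworks=[ipaddress.ip_network("192.0.2.0/24")],
    local_domains={"example.net"},
)
# Misconfiguration 1: the entire Internet counted as "mynetworks".
OPEN_BY_NETWORK = RelayPolicy(
    mynetworks=[ipaddress.ip_network("0.0.0.0/0")],
    local_domains={"example.net"},
)
# Misconfiguration 2: the final reject is missing, so anything not matched
# earlier is accepted.
OPEN_BY_MISSING_REJECT = RelayPolicy(
    mynetworks=[ipaddress.ip_network("192.0.2.0/24")],
    local_domains={"example.net"},
    reject_unauth_destination=False,
)


def is_open_relay(policy: RelayPolicy) -> bool:
    """Apply the one request that defines an open relay: an unauthenticated client
    from outside the local network (constructed address 203.0.113.9) asking the
    server to deliver to a domain the server is not responsible for."""
    accepted, _ = policy.decide("203.0.113.9", False, "victim@elsewhere.example")
    return accepted


if __name__ == "__main__":
    for name, pol in [("hardened", HARDENED),
                      ("open (mynetworks too wide)", OPEN_BY_NETWORK),
                      ("open (reject missing)", OPEN_BY_MISSING_REJECT)]:
        print(f"{name}: open relay = {is_open_relay(pol)}")
```

The hardened policy still does everything a mail server must do: it accepts inbound mail for example.net from anyone, and it relays outbound mail for LAN hosts and for clients who authenticated. What it refuses is precisely the third-party traffic that open relays and open proxies hand to spammers, and the reason string tells an administrator which rule fired.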

Increasingly, networks of virus-infected Windows PCs (zombies, botnets) are used to send spam.

Spoofing can have serious consequences for legitimate e-mail users. Not only can their inboxes be clogged with bounce ("undeliverable") messages on top of the spam itself, they can also be mistaken for the spammer: they may receive irate e-mail from spam victims, and if those victims report the address owner to the ISP, the ISP may terminate their service for spamming.
