Spam vigilante spat knocks out blog services

A dispute between a mysterious Russian spammer and an Israeli antispam firm spilled over to the rest of the Internet on Wednesday, when denial of service attacks aimed at the Israeli firm's Web site knocked out servers that host millions of blogs.

Bloggingcompany Six Apart suffered a sophisticated denial of service attack Tuesday afternoon, Pacific Time, which caused service outages at all of Six Apart's Web sites, including LiveJournal and TypePad. The denial of service attack stems from an ongoing feud between Blue Security and an unnamed spammer disgruntled over that company's antispam crusade, according to Blue Security CEO Eran Reshef.

Blue Security, based in Haifa, Israel, operates the "Do Not Intrude" list. The company allows individuals to register an e-mail address on the list, and then tracks spam messages to those accounts with desktop client software, known as "Blue Frog."

When spam e-mail is sent to a Do Not Intrude Member, Blue Security traces the message to its origin, and then bombards the Web site behind the campaign (known as the "sponsor") with requests to remove the e-mail message from their distribution lists. Millions of e-mail messages translate into millions of "opt out" requests from Blue Security members, which bog down the spammers' servers.

In recent days, e-mail users who had registered with the Do Not Intrude list have instead been the target of a concerted spam campaign and received extortion e-mail messages threatening to continue the campaigns unless the users remove their name from the Do Not Intrude registry.

The individual behind the attack, who uses the moniker "pharmamaster" and who is believed to reside in Russia, also cut off traffic to Blue Security's Web site, allegedly by manipulating routing configurations at a large Internet backbone provider to prevent traffic from outside Israel from reaching Blue Security's servers.

"This guy is adamant about not letting Blue Security be successful," said Reshef. Blue Security's CEO claims to have had instant message conversations with "pharmamaster," whom he describes as technically sophisticated and apparently all-powerful, but also desperate. 

"This is not some kid. This is somebody who has the capacity to take down any site. He's like a weapon of mass destruction," Reshef said.

Among other things, Reshef said that “pharmamaster” claimed to have a contact at UUNET who would do his bidding. Rather than launch a denial of service attack against BlueSecurity.com, the spammer instructed the contact to alter the routing tables so that traffic from outside Israel would not reach the company's servers. Technical staff at Blue Security saw traffic to the company's site drop precipitously shortly after 4:30 p.m. local time on Tuesday, Reshef said.

But experts expressed doubts about that story.

An analysis of Internet routing records for BlueSecurity.com don't reveal any changes to the way traffic was routed to the domain in recent days, said Todd Underwood, chief operations and security officer at Renesys Corp. of Manchester, N. H., which sells Internet monitoring and analysis technology.

Instead, Blue Security appears to be the victim of a larger-than-average, but run-of-the-mill distributed denial of service attack, which has gone on unabated for around three days, said Underwood.