
SANS just got an email from Guy Rosen at Blue Security:

Monday:
 – Spam-based threats and accusations
Tuesday:
 – Our website www.bluesecurity.com is cut off from outside of Israel by a mysterious routing change
 – Later on, huge DDoSes lash out at our service’s servers (but NOT the www, note!), with adverse effects on several different hosting facilities in which they were located.
 – To restore access to our inaccessible www site and keep our users informed, we restore an old blog we had and point www there.
 – Within about an hour, a DDoS attacks the blog site on which that blog was located.
Wednesday:
 – A massive DDoS goes out at our domain’s DNS provider, causing a service outage that affected their customers.
Thursday:
 – DDoSes continue as we relocate our service to bring it back up. One estimate was of something of the order of 10 million packets/sec coming in.
Friday:
 – Today we are slowly coming back up and hope to see the service working soon.

I have to say that the great lengths the spammers have gone to in order to bring us down are worrying, not only in the specific context in which they took place in this last week, but I think given the general idea that so much power is available to people of this nature and that they are willing to use it in order to see things go their way. Seeing us as a threat, they did not seem to care who they brought down on the way.

Link here (thanks Ed).

My 2 cents? I do suspect that spammers got the database. While Blue Security didn’t publish the email addresses of their subscribers, they did establish a Do Not Spam registry which spammers could use to check emails against. It seems fairly trivial to take a large list, run it against BlueSecurity’s registry and figure out who is a Blue Security user. The people who are saying “I have multiple addresses, but only a few got targeted” simply may not have been on the master list. However, I’m willing to be corrected on this assumption.

I am concerned about “fighting fire with fire” when it comes to spammers. These people control spam zombies, which are botnets of compromised user machines that unwittingly send spam—and can just as easily act as attackers in a DDoS. It may make the user feel better in the short term to “fight back”, but doing it in this fashion might not be the best idea. Just block the spam using traditional methods and move on. Current generation spam filters are becoming remarkably effective. Why do you need to get users involved like this and risk collateral damage?

Alex Eckelberry