SecurityFocus 2006-05-17
Until the beginning of May, Blue Security's Reshef believed his company's service looked ready for explosive growth.
The firm's Blue Frog service had gathered about 450,000 subscribers. Each user, who in general tended to have strong anti-spam feelings, had downloaded the free software agent to their computer and subscribed to the service.
The Blue Frog agent, which integrates with Yahoo! Mail, GMail and Hotmail, uses a central database to check incoming e-mail messages for known spam. When a match is found, the software selects a form from the site advertised in the e-mail message, and submits a message asking to be removed from the spammer's list. Because Blue Security had nearly a half million users signed up, companies that use spam lists would likely have their Web sites inundated with tens of thousands of messages.
In a way, Blue Security was following the money.
"If you look at the spam economy, there are the people that spam and then there are their clients--the sponsors," Reshef said. "We are going after the sponsors."
Some critics have charged the service with essentially being a denial-of-service (DoS) attack.
"They were causing a large number of individual packets to be sent with the intent of slowing a spammer's site down," said Anne Mitchell, president of the Institute for Spam and Internet Public Policy. "The intention was to take the server down; the intention was not to cause the user to be opted out."
Reshef denied that the massive submission of opt-out messages could be legally construed as a denial-of-service attack.
"Under the CAN-SPAM Act, the user has a right to send an opt out," Reshef said during a recent interview with SecurityFocus. "We were taking this right and automating it."
The strategy paid off, both for the company and its users. By the end of April, Blue Security had noticed that six of the top-10 spammers had used the firm's filtering service to remove any of its subscribers from the bulk e-mailers' lists, Reshef said.
"In April, we hit this critical mass," he said. "It was like a snowball. We had spammers responsible for 25 percent of the spam on the Net complying or starting to comply with our list."
At least one spammer decided not to comply. The bulk e-mailer, using the moniker PharmaMaster, used a simple technique to divine some of the names on Blue Security's opt-out list: The spammer took a very large list of e-mail addresses, used Blue Security's filter on the list, and compared the results. Any e-mail address on the first list that was not on the filtered list belonged to a Blue Frog user.
On Monday, May 1, a subset of the company's users started getting ten to twenty times the amount of spam they normally received. The messages contained numerous allegations, claiming that the Blue Frog client was illegal, that it took control of people's PCs, and that the subscribers would be criminally prosecuted.
"BlueSecurity was illegally attacking email marketers, and doing so with your help," read a portion of one message, replete with typos. "Many websites have been targeted and hit, including non-spam sites. BlueSecurity's software has been fully analyzed, and contains an abundance of malicious code... YOU CANNOT PARTICIPATE IN ILLEGAL ACTIVITIES and expect to get away with it."
PharmaMaster is a well-known purveyor of generic and fake Viagra and other drugs and herbal remedies, Reshef said, denying the allegations in the e-mail messages. The company posted a note to its site warning its users about the attack and trumpeting the turn of events as a sign of success.
On Tuesday, May 2, however, the company's Web site suddenly went dark, and with it, the company's future as an anti-spam service.