Just a general heads up to folks, I've been getting reports from people that the machine which does email for suespammers.org mailboxes is having disk space problems. Namely:
Connected to 207.126.97.64 but sender was rejected. Remote host said: 452 4.4.5 Insufficient disk space; try again later I'm not going to try again; this message has been in the queue too long.
I'd love to help people out, but I am no longer involved with the SpamCon Foundation, which runs suespammers.org. I used to do volunteer sysadmin work for them, but I stepped down in January, 2006. At that time, I sent the root password for the box to their President and let them handle the system administration duties.
If you have any further inquiries about the status of the mail server, please contact the SpamCon Foundation directly.
-- Doug
[Update: Tom Geller, the founder and former Executive Director of SpamCon has commented on the issue. You can read more in his blog.]
I normally junk all of the spam I get. But, I've been getting ~100 pieces of spam a day recently, so I decided to take a closer look at it.
It turned out that over half of my spam was coming into my suespammers.org and spamcon.org email addresses. I promptly had those turned off since I stepped down from SpamCon way back in January and no longer had any involvement in the organization. Once I turned that off, I got 41 pieces of spam during the next 24 hours. Of that spam load, here's the breakdown:
- 8 pieces of spam came in to various Anthrocon addresses that forward to me. And this is with me using a number of blacklists on the mailserver!
- Exactly 1 piece of spam was sent to one of my CAUCE addresses. I think I need to see what blacklists John Levine is using!
- NO pieces of spam were sent to any of my SpamEx email addresses. I can only assume that the professional spammers have caught on to SpamEx and remove those addresses from their lists.
- The remainder of my spam was sent directly to my Gmail account, and Google caught it all.
So, I guess what I learned from this is that SpamEx addresses do not seem to get spammed very much. (And even if they do, I can always turn off the address in question.)
Regarding my recent post about the DDoS on Bluesecurity, it turns out that they were being a little stupid after all. Take a look at this:
http://www.infoworld.com/article/06/05/04/78074_HNbluesecurityddos_1.html
Among other things, Reshef said that “pharmamaster” claimed to have a contact at UUNET who would do his bidding. Rather than launch a denial of service attack against BlueSecurity.com, the spammer instructed the contact to alter the routing tables so that traffic from outside Israel would not reach the company's servers. Technical staff at Blue Security saw traffic to the company's site drop precipitously shortly after 4:30 p.m. local time on Tuesday, Reshef said.
But experts expressed doubts about that story.
An analysis of Internet routing records for BlueSecurity.com doesn't reveal any changes to the way traffic was routed to the domain in recent days, said Todd Underwood, chief operations and security officer at Renesys Corp. of Manchester, N.H., which sells Internet monitoring and analysis technology.
Instead, Blue Security appears to be the victim of a larger-than-average, but run-of-the-mill distributed denial of service attack, which has gone on unabated for around three days, said Underwood.
That jibes with reports in to the Internet Storm Center (ISC), also, said Johannes Ullrich, CTO at ISC.
That should be expected, given Blue Security's confrontational approach to stopping spam, Underwood said.
"Spammers get pissed off when anti-spammers attack them directly," he said.
Blue Security couldn't do anything to avoid the DDoS attack, but Underwood was critical of the company's reaction to the attack: moving their home page to a blog hosted at Six Apart's TypePad service shortly after midnight local time on Tuesday.
So, Bluesecurity loses one point for actually believing the spammer's lies without checking his claims out. I'd say that the spammer loses another point for lying, but he has already hit rock bottom (and started to dig).
And SixApart got screwed over because Bluesecurity reacted to the attack in a clueless manner. :-(
http://www.bluesecurity.com/announcements/pm_attack_timeline.asp
It turns out that Bluesecurity did not change their DNS to point to their blog after the DDoS attack began. Rather, the spammer somehow managed to block all non-Israeli access to their website (presumably by messing with BGP or similar). At that point, Bluesecurity updated DNS to point to their blog and post updates.
40 minutes after updates began getting posted to the blog, the spammer launched their DDoS attack against TypePad, which included LiveJournal. Who cares that 10 million journals and communities were affected, that spammer has a right to scam people and make a profit, dammit! Approximately 16 hours after that, and seeing that TypePad wasn't going away, the spammer attacked Tucows, who provided DNS to bluesecurity.com. In an attempt to get the attacks to stop, Tucows terminated service to Bluesecurity and caused further disruption.
Here's the final score:
Cheers to SixApart for standing up to the attack and dealing with it.
Cheers to Bluesecurity for refusing to allow a criminal spammer to strongarm them into shutting up.
Jeers to Tucows for letting themselves be bullied into terminating Bluesecurity's DNS services.
I SO want this spammer's head on a stake.
As some of you know, I had some concerns with Bluesecurity for a while, because I was concerned that they were essentially performing DoS attacks on spammers. However, since their site is back up, I found these awesome papers that do a really good job of explaining exactly how their technology works, and what safeguards they have in place:
http://www.bluesecurity.com/blue-frog/wp/solution_overview_wp.pdf
http://www.bluesecurity.com/blue-frog/wp/blue-security-overview-mjr.pdf
The stuff explained therein puts to rest a lot of the concerns that I had. For one thing, it's not a DDoS at all. A user's system sends a complaint to the spammer if and only if they receive any more spam /after/ the spammer has been given a 10 day "grace period" since Bluesecurity initially contacts them. Also, the total number of complaints sent is less than or equal to the number of spams that are sent after the grace period.
They also made a very important point about "remove lists" which is that they have not worked in the past because there is no enforcement mechanism. Now there is.
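To make the grace-period rule above concrete, here is a small model of that complaint policy I put together. It is an added illustration, not Blue Security's code and not taken from their papers: a sender gets a removal request on first sighting, nothing goes back during the 10-day grace period, and afterwards at most one complaint per spam received is sent. The optional per-day cap, the sender names and the dates are my own assumptions, there to show why the complaint count can be less than (rather than equal to) the spam count.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

GRACE_PERIOD = timedelta(days=10)   # the 10-day grace period described above


@dataclass
class SpammerRecord:
    first_contacted: date          # day the removal request was first sent
    spam_after_grace: int = 0      # spam seen after the grace period elapsed
    complaints_sent: int = 0

    def grace_ends(self) -> date:
        return self.first_contacted + GRACE_PERIOD


class ComplaintPolicy:
    """Decide, per incoming spam message, whether a complaint goes back."""

    def __init__(self, max_complaints_per_day: Optional[int] = None):
        # Per-sender daily cap: an assumption for illustration, not from the page.
        self.max_per_day = max_complaints_per_day
        self.records: Dict[str, SpammerRecord] = {}
        self._sent_on_day: Dict[Tuple[str, date], int] = {}

    def on_spam(self, sender: str, received: date) -> bool:
        """Return True if a complaint should be sent for this message."""
        rec = self.records.get(sender)
        if rec is None:
            # First sighting: the removal request goes out, no complaint yet
            self.records[sender] = SpammerRecord(first_contacted=received)
            return False
        if received <= rec.grace_ends():
            return False               # still inside the grace period
        rec.spam_after_grace += 1      # spam that arrived after the grace period
        key = (sender, received)
        if self.max_per_day is not None and self._sent_on_day.get(key, 0) >= self.max_per_day:
            return False               # cap hit: count the spam, skip the complaint
        self._sent_on_day[key] = self._sent_on_day.get(key, 0) + 1
        rec.complaints_sent += 1
        return True

    def invariant_holds(self) -> bool:
        """Complaints never exceed spam received after the grace period."""
        return all(r.complaints_sent <= r.spam_after_grace
                   for r in self.records.values())


def run_scenario(policy: ComplaintPolicy,
                 events: List[Tuple[str, date]]) -> Dict[str, int]:
    """Feed (sender, date) events through the policy; return complaints per sender."""
    sent: Dict[str, int] = {}
    for sender, day in events:
        if policy.on_spam(sender, day):
            sent[sender] = sent.get(sender, 0) + 1
    return sent


# Constructed sample data (hypothetical senders and dates): one sender who
# keeps spamming after the grace period, one who stops after first contact.
SAMPLE_EVENTS = [
    ("pharma@example.com", date(2006, 5, 1)),   # first contact, grace starts
    ("pharma@example.com", date(2006, 5, 5)),   # inside grace: no complaint
    ("pharma@example.com", date(2006, 5, 11)),  # grace ends 5/11: still none
    ("pharma@example.com", date(2006, 5, 12)),  # after grace: complaint
    ("pharma@example.com", date(2006, 5, 12)),  # same day again: complaint
    ("pharma@example.com", date(2006, 5, 13)),  # complaint
    ("quiet@example.com", date(2006, 5, 2)),    # contacted, never spams again
]

if __name__ == "__main__":
    uncapped = ComplaintPolicy()
    print("uncapped:", run_scenario(uncapped, SAMPLE_EVENTS), uncapped.invariant_holds())
    capped = ComplaintPolicy(max_complaints_per_day=1)
    print("capped:  ", run_scenario(capped, SAMPLE_EVENTS), capped.invariant_holds())
```

Running it with the sample data gives three complaints to the persistent sender and none to the one who stopped; with the daily cap the same sender still racks up three post-grace spams but only two complaints, so the count stays at or below the spam received either way.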
I'm gonna download their plugin and give it a try.