Bobbie Johnson, technology correspondent at The Guardian is reporting that Blue Security is killing off the Blue Frog, saying it “could no longer continue to operate in the face of an escalating threat to the internet from a malicious Russian spammer known only as PharmaMaster.” The Blug Frog had been under serious attack from PharmaMaster, knocking it and much of Canada off the air via Denial of Service attacks on its servers.
Eran Reshef, the founder of Blue, said his company, which recently drew $4.8m (£2.5m) in funding and counts several senior industry figures as directors, was simply unable to become trapped in a war against a criminal group. “This is something that’s really got to be left to governments to decide. To fight the spammers you really need to spend $100m.”
Reshef is quoted as saying “it’s a dirty little secret that there is no real way to totally prevent denial-of-service attacks – if the attacker is prepared to put enough money in, then they can beat you every time.”
A surprising conclusion, if true (Bobbie has checked around and says it is so.) Certainly I think Reshef is right that it’s up to governments to deal with this kind of thing; Blue Frog was good in principle, but its supporters began to sound more like vigilantes than a serious and kosher effort to combat spam.
What’s intriguing about this Blue Security/Blue Frog episode, where angry spammers attack the anti-spam company with a Distributed Denial of Service (DDoS) attack, which in turn directs traffic (unwittingly or wittingly, it’s not clear yet) and temporarily brings down blog hoster TypePad, is this: The guy behind Blue Security, Eran Reshef, is founder of Skybox, a company “focused on enabling the continuous enterprise-wide assessment of vulnerabilities and threats affecting corporate networks.”
This is at best somewhat embarrassing for Reshef, and for Blue Security, at worst it exposes him and the company to ridicule and lawsuits. Getting involved in battling spammers is not a task taken on lightly, and the one thing that Blue Security had going for it was that it seemed to know what it was doing. Users download software and register their email addresses in a central database. Spammers are encouraged to remove those email addresses; if they don’t, the software will respond to subsequent spam by visiting the website advertised and automatically filling the order form. If enough people have the software running this, in theory, creates an overwhelming amount of traffic for the spammer and brings their business to a halt. Blue Security now says it has tens of thousands of members.
But then came last week’s attack. Reshef initially said that that no such DDoS took place on the www.bluesecurity.com server, something contested by some analysts. He has since said that a DDoS did take place, but against operational, back-end servers and not connected to his company’s front door. This, he said, he only spotted later. He says that when he redirected traffic to his blog at TypePad there was no DDoS on the bluesecurity.com website; that, he says, came later. This appears to be borne out by web logs provided to TechWeb journalist Gregg Keizer.
Blue Security’s handling of this raises more questions than it answers. Many are highly technical and not ones I understand. But there are some basic ones. Was the company not prepared for spammers to retaliate? Did it not have any procedures in place? Why did it redirect traffic to TypePad without informing them first? Why did it not coordinate closely with its ISP? And why, given Reshef’s expertise on DDoS attacks with Skybox, was he not able to spot the DDoS attack on his backend servers?