On 2 May 2006, a dispute between an anti-spam company and disgruntled spammers spilled out onto the Internet, affecting millions of bloggers and website owners.
The anti-spam company, Blue Security (BS), makes Blue Frog. When a BS customer receives a spam message, Blue Frog tries to connect to the spammer’s website, find its opt-out form, and fill it in. The method is considered controversial. Detractors worry that when a sender’s address has been spoofed, or a network breached, the victim may be trapped between the spammer’s message pump on one side, and the Blue Frog attempts to connect on the other.
The dispute centered around the spammers’ angry response to BS activities.
The reactions of the BS team dragged millions of disinterested third parties into its fight, knocking them offline for hours.
To reconstruct what really happened, we have combined the timeline published by BS with that published by Six Apart, the publisher of Typepad, the host of 10 million victimized blogs.
Elapsed time (hr:mn) | Event
000:00 | 2 May, 14:47 GMT: According to the BS timeline, at 5:47 PM (local time) on Tuesday, BS received a message from Master Criminal PharmaMaster, announcing that the company’s website, bluesecurity.com, was no longer accessible from outside Israel.
001:43 | 2 May, 16:30 GMT: One hour and forty-three minutes later, BS employees noted that there was no load on the company website and “that most visitors originate from Israel.”
005:30 | 2 May, 20:17 GMT: Three hours and 47 minutes after confirming that there was little activity on the company website, BS determined that the website was inaccessible from abroad.
007:58 | 2 May, 22:45 GMT: BS reverts to an old company blog, Blue Zone Blog, hosted on Typepad.
008:13 | 2 May, 23:00 GMT: Six Apart says a sophisticated distributed denial of service attack began, affecting all Six Apart sites, “causing intermittent and limited availability for TypePad, LiveJournal, TypeKey, sixapart.com, movabletype.org and movabletype.com.”
008:33 | 2 May, 23:20 GMT: BS redirects bluesecurity.com website traffic to Blue Zone Blog.
009:10 | 2 May, 23:57 GMT: Last comment posted to Blue Zone Blog. Typepad succumbs to DDoS attack.
020:03 | 3 May, 10:50 GMT: Six Apart reported that “TypePad’s availability returned to normal.”
025:56 | 3 May, 16:43 GMT: After its DNS servers are overwhelmed, the provider of BS DNS services, Tucows, terminates the BS account.
Jaikumar Vijaya writes in PC World that DNS service for Tucows customers was disrupted for about twelve hours.
Further, Vijaya reports that Todd Underwood, chief operations and security officer for Renesys, an Internet monitoring company, thought the BS reaction to a DDoS attack was unusual:
“If you are under attack it is your duty not to redirect it against someone else. It is not a fair or an ethical decision,” Underwood said, adding that it is hard to imagine that Blue Security didn’t know it was being hit with a DDoS attack when it pointed its URL to the blog site.
Longtime spam fighter John Levine agrees. As chairman of the Internet Anti-Spam Research Group, a board member of the Coalition Against Unsolicited Commercial Email (CAUCE), and co-author of Fighting Spam for Dummies, Levine has spent a good deal of time fighting spam. He told PC World he considers the act of redirecting a DDoS attack to an unaware third party irresponsible.
Physicist Jason Levine likened the BS maneuver to “dealing with a water main break in your basement by hooking a big hose up to the leaking joint and redirecting the water into your neighbor’s basement instead.”
As Email Battles pointed out last week, to a wall of flames from an enraged BS community, when BS redirected their problems to Typepad, BS brought the outside world into its fight. The timeline only confirms our original assessment of bad judgement. In that vein, we can’t help wondering… After the tip that started the Crisis Clock, why did it take BS hours to confirm that the website was only accessible in-country? A trip to traceroute.org might have cleared up that question within minutes.
Most importantly, BS deliberately or incompetently brought millions of innocent third parties into its battle, which makes the act (while not necessarily the company) either evil or dumb. Take your pick.
We happily defend anybody’s right to pursue anti-spam strategies in any way they see fit… as long as disinterested and innocent third parties are left out of it.
Ten million bloggers… not spammers or emailers or anyone else attached to the BS mission… were taken out when BS redirected its blog to Six Apart. That’s flat wrong, no matter how you rationalize it.
5 comments
May 9th, 2006 at 11:35 am
Kraig
Considering Typepad and 6apart noticed a DDoS attack BEFORE BS switched their domain to point to the blog, it seems that the DNS change wasn’t solely the cause of Typepad and Co. being brought down. I don’t agree with passing off a DDoS attack to a third party unaware, but it seems that it wasn’t strictly their fault.
And shouldn’t the finger be pointed at the person DDoS’ing them in the first place? No matter how bad their reaction was, they weren’t the ones causing the problem.
May 9th, 2006 at 2:50 pm
tero
I agree with Kraig. I think it’s the spammers DDoSing Blue Security who should be blamed. Even if BS made a stupid decision.
May 9th, 2006 at 3:45 pm
Jon
Of course the spammer should be blamed for DDoSing BS.
BS, however, was incredibly stupid/irresponsible/corrupt to send the attackers to Typepad by redirecting their web traffic. They should be willing to take the blame for that action.
May 9th, 2006 at 4:29 pm
BJ Gillette
Gregg Keizer wrote at TechWeb: When asked if he (Eran Reshef) had contacted Six Apart prior to repointing his corporate site, or informed them that other company servers were currently under attack at the time, he only answered “I’m not saying this was the smartest move.”
Reshef said, in retrospect, he should have posted a press release (which he did).
He also might have considered dropping an email heads-up to his clients from a backup server.
The BS chief admits he screwed up. So why are his followers so adamant that the decision to foist a BS personal nightmare off on a community of 10 million innocents is someone else’s fault?
Frankly, I am baffled.
(http://news.yahoo.com/s/cmp/20060506/tc_cmp/187200870)
May 9th, 2006 at 4:58 pm
David Hart
Article: Blue Frog or Toadstool?
We take a very critical look at the information that Blue Frog is providing. The data simply doesn’t make sense. The conclusion is that this is hyperbole in pursuit of an IPO.
(http://tqmcube.com/bluefrog.php)