Friday, May 19, 2006

Evil vs. Good cont.

An excerpt from a blog post by Brian Krebs of The Washington Post:

In the following snippet from an online conversation Reshef had with a sponsor known as "ATM," the spam operator reluctantly acknowledges that scrubbing his lists of Blue Security users' addresses is the most expedient solution.

ATM: We want to understand, who is attacking us? You? Competitors? Or both? What do you want, to stop your attack? My tech people till now was able to stop your attacks, but I and you want to solve this problem peacefully.

Blue Security: We don't want to harm to your business, we only want you to stop sending spam to our users.

ATM: Who are your users? List of emails, to pass to my affiliates to stop spamming? But first, answer my question - botnet of 15k IP addresses is it yours?

BS: This is not botnet, this is 15,000 of our users from about 500,000. We have program (free/open source) which can automatically clean your email list.

ATM agrees to use the e-mail list-scrubbing program, and asks Reshef for a copy of his customer list. Reshef requests ATM's e-mail address, but the spam sponsor suggests other means of communication, ending the conversation with this priceless quote:

"I'm sick with the spam in my mail boxes, so I don't use email any more."

But one pharmacy spam sponsor who calls himself "Pharma Master" didn't exactly appreciate Blue Security's tactics, and launched a volley of distributed denial-of-service (DDoS) attacks against the company's Web site that eventually cascaded across the Web, knocking dozens of sites and thousands of blogs offline for hours.

Pharma Master: i am discussing daily with 10,000 of people and the biggest companys in the world. i know one thing which i already told you, u started with my and my people and my staff, you shall get hurt first to feel who we are. and when i'll make sure you got the point of who we are then we can talk but i dont feel like you guys really in mood of something. Bleusecurity.con is down now that's not bad how bout to keep all your system down for few months? How bout each time you play games i'll hit your company?

Here the spammer is saying he's willing to cover the costs of his sponsors being knocked offline after they send spam to Blue Security's members: "How bout each time you trying to screw someone i'll pay to sponosrs the money they loosing if they do?"

Reshef didn't have much more to say to Pharma Master, and later decided he had lost the fight against the spammers. As of today, Blue Security will no longer be offering its services. Reshef said the company made the decision not to continue with the service out of fear of even more crippling attacks against his company that could further affect other sites. He said the spammers threatened to increase the volume of their attacks, and to write computer viruses that seek to attack security weaknesses in his company's software, thereby targeting the company's individual users themselves.

I can't say I'm surprised. It was only a matter of time before some spammer decided it was worth paying a few thousand dollars to rent out a botnet of 20,000 hacked home computers and take this company offline. The fact that a spammer can hold millions of Web sites hostage just because he is upset that someone is meddling in his business is disturbing.

Still, this saga is yet another reminder that while the Internet is an incredibly versatile, resilient and adaptive network, the underlying framework that the commercial Web rests upon was never designed with mutual trust and security in mind. As such, it will take a lot more than clever gimmickry to give businesses and consumers the upper hand over Internet hucksters, spammers and criminals.

