Spam-blocking lists under siege

Internet gangsters with a grudge against anti-spam “block lists” have unleashed a plague of data packets against some of the leading service providers, MSNBC.com’s Mike Brunker reports.
Source: msnbc.com

Internet gangsters with a grudge against anti-spam “block lists” used to stave off unwanted e-mail have unleashed a plague of data packets against some of the leading providers of the services. The onslaughts have intermittently blocked access to several of the spam fighters’ Internet sites in recent weeks and succeeded in shutting down the main host of the oft-maligned SPEWS list.

The cyberattacks, which began in midsummer and have increased steadily in the intervening weeks, forced Joe Jared, who had been hosting the Spam Prevention Early Warning System, also known as SPEWS, at his Osirusoft.com Web site, to suddenly pull the plug Tuesday on the popular but controversial block list.

“I had to shut it down to protect my livelihood,” said Jared, who also runs a small business selling shoe inserts on the Web site. “I was getting hammered with up to 1,000 megabytes (of data) per second.”

Jared’s action blocked access to the SPEWS.org Web site, though mirror sites with the list continued to operate, enabling network administrators to reconfigure their systems to query the alternate sites.

Other block lists, which are used by Internet service providers and businesses to filter out the majority of incoming spam before it reaches the end users, have come under siege from distributed denial of service (DDOS) attacks this summer. The bombardment of massive amounts of data has intermittently prevented subscribers or users from gaining access to lists at Web sites of SpamCop.net, Spamhaus.org, Monkeys.com and the Spam & Open Relay Blocking System.

Attacks more systematic, intense
DDOS attacks have been used against anti-spam sites before, but this summer’s onslaught appears to be more systematic and intense than anything seen before.

“There’s not much doubt in my mind that the various attacks are the work of the same person or organization,” said Julian Haight, president of Seattle-based SpamCop.net, which has been under attack since mid-July.

While it’s not clear who is behind the campaign, suspicion has focused on renegade spammers, who have an obvious motive.

“These block lists have become more and more effective as they’ve become focused, so they’ve started to hit home,” said Jesse Dougherty, director of development with software solution provider ActiveState.

The block lists have alienated some in the Internet community by blocking users who have nothing to do with spam, either accidentally or, in the case of SPEWS, as a deliberate tactic aimed at pressuring Internet service providers to crack down on spammers on their networks. But because the attacks are targeting multiple sites rather than just one or two, most experts say spammers are more likely culprits.

“It has been suggested to me that the person (behind the attacks) could be a site that I’ve erroneously blamed for spam, but given the amount of resources being put into it I’d certainly vote for the spammer,” said Haight.

There is widespread suspicion that they have the wherewithal to conduct such campaigns.

Spammers behind viruses?
Some security experts, and many in the anti-spam community, believe that spammers have been behind recent viruses that have placed malicious “Trojan horse” programs on vulnerable computers, creating a network of “zombies” that can be remotely ordered to launch such attacks.

And while there is no hard evidence, some believe that the “sobig” family of viruses may be recruiting for the zombie army.

Ron Guilmette, who operates a free block list at Monkeys.com, said the electronic bombardment of his site began “at 11:27 p.m. Pacific Time on Aug. 19, which coincidentally or not was the same day that sobig.f started to make the rounds.”

Guilmette said Friday that the attack by “at least 3,000 computers” has increased in volume to the point where he may have to shut down his blocklist of unsecured proxy servers, which are commonly used by spammers to disguise the source of bulk e-mail.

“If it was just impacting me and my Web site and my list, that would be one thing, but under attack now is everybody that’s associated with my site and service, including my ISP, my upstream and their upstream,” said Guilmette, a software engineer who also uses the site to advertise his business and connect with clients.

Even if it comes to that, users of Guilmette’s service will have more warning than those who had configured their mail servers to run the SPEWS list hosted on Jared’s Osirusoft.com site. On Tuesday morning, they awoke to discover that Jared reprogrammed the database to “blacklist the world,” or return all queries as positives, which apparently caused an untold number of e-mails to be falsely blocked as spam.
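One defensive check a mail administrator can apply before trusting a DNS-based block list, so that a host answering "listed" for every query, as in the "blacklist the world" incident above, is ignored rather than honored. This is an added example, not code from the article or from any of the services it names; the zone name `example-dnsbl.test`, the resolver functions and the DNS answers are constructed placeholders.

```python
"""DNSBL sanity check: ignore a list host that has started answering
'listed' for every address. Added example; resolver is injected so the
block runs offline against constructed answers instead of real DNS."""
import ipaddress
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # query name -> A record or None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name, e.g. 4.3.2.1.<zone> for 1.2.3.4."""
    addr = ipaddress.IPv4Address(ip)  # raises on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_is_healthy(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed (list is alive) and
    127.0.0.1 must NOT be listed. A zone that lists 127.0.0.1 is returning
    positives for everything and must not be used to reject mail."""
    alive = resolve(dnsbl_query_name("127.0.0.2", zone)) is not None
    sane = resolve(dnsbl_query_name("127.0.0.1", zone)) is None
    return alive and sane


def should_reject(ip: str, zone: str, resolve: Resolver) -> bool:
    """Reject mail from ip only if the zone passes the health check AND
    lists ip. Fail open (accept) when the list is dead or wildcarded."""
    if not dnsbl_is_healthy(zone, resolve):
        return False
    return resolve(dnsbl_query_name(ip, zone)) is not None


# Constructed stand-ins for DNS answers (placeholder zone, not real list data).
HEALTHY_ZONE_DATA = {
    "2.0.0.127.example-dnsbl.test": "127.0.0.2",    # standard test entry
    "7.100.51.198.example-dnsbl.test": "127.0.0.2",  # a constructed listed host
}


def healthy_resolver(name: str) -> Optional[str]:
    return HEALTHY_ZONE_DATA.get(name)


def wildcard_resolver(name: str) -> Optional[str]:
    """Simulates a list host answering 'listed' to every query."""
    return "127.0.0.2"


if __name__ == "__main__":
    zone = "example-dnsbl.test"
    print(should_reject("198.51.100.7", zone, healthy_resolver))   # -> True
    print(should_reject("203.0.113.9", zone, healthy_resolver))    # -> False
    print(should_reject("203.0.113.9", zone, wildcard_resolver))   # -> False
```

With a real resolver (one DNS A lookup per name), the same health check keeps a list that is unreachable under attack, or has been wildcarded, from silently blocking all inbound mail.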

Administrators forced to scramble
Jared, who drew considerable heat from network administrators who had to scramble to reconfigure their mail servers, said he would have liked to give users of his free service a heads up, but wasn’t able to under the circumstances.

“I tried to provide as smooth a shutdown as possible, but I came to the realization that I can’t lose my business over this,” he said.

There was no disputing that Jared’s tactic was effective.

“That was probably the fastest way to get admins paged, get bosses yelling … and get it changed,” said Stephen Gielda, president of Internet privacy service provider COTSE.net.

While small operations like those of Guilmette and Jared are particularly susceptible to DDOS attacks, the bigger commercial sites aren’t beyond range of the cyberspace saboteurs.

Haight, who said that SpamCop was knocked offline periodically in the early days of the attack in mid-July, said it will cost about $30,000 this year to pay for a content distribution network capable of withstanding such assaults.

Britain’s Spamhaus.org also has been able to withstand steady attacks that began more than 2 months ago, chief executive Steve Linford told the Boston Globe this week.

“We’re usually under attack from 5,000 to 10,000 servers at once,” Linford was quoted as saying in Thursday’s editions. “They’re extremely large attacks that would bring down just about anything.”

But given the increasing scale of the attacks, Guilmette of Monkeys.com warns that even resilient services like Spamhaus and SpamCop are in the cyberspace equivalent of a nuclear arms race.

‘They can take anybody down’
“The practical reality is that if you have thousands of machines, many of them with cable modems, DSL or T-1 lines, it doesn’t matter who you are or how well (the network) is distributed. If they took down eBay and Yahoo, they can take anybody down,” he said, referring to massive DDOS attacks in 2000 that knocked the Internet retailers offline.

While the escalating attacks have the anti-spam community up in arms, there is no indication that law enforcement yet considers them to be serious.

“DDOS attacks against any organization are criminal acts,” said ActiveState’s Dougherty. “When they were executed against Microsoft and Yahoo and others several years ago, there was very quick action (by law enforcement). But when the target is a (spam block list), it seems there is very little, if any, interest.”

And SpamCop’s Haight said he has filed several reports with the FBI but had no follow-up contact from the bureau.

“I’m getting bombed off the face of the Earth and no one cares,” he lamented.