Sept. 24, 2003 — Denial of service attacks by “zombie armies” of compromised computers have put two more spam-blocking lists out of business, adding to the body count in what one victim described as an “all-out war” raging in cyberspace.
The operators of the Monkeys.com and Blackhole.compu.net “block lists” - used by Internet service providers and businesses to filter out incoming spam before it reaches end users - both announced this week that they are abandoning the services in the face of distributed denial of service (DDOS) attacks that have targeted anti-spam sites offering the lists this summer.
“It just wasn’t feasible to run this (list) and make ourselves a large target anymore,” said Bill Larson, network administrator for the Tennessee-based Internet Service Provider Compu-net Enterprises.
In withdrawing from the field of battle, they join Osirusoft.com, which announced earlier this month that it would no longer host the Spam Prevention Early Warning System, also known as SPEWS.
Other block list providers, including SpamCop.net, Spamhaus.org and the Spam & Open Relay Blocking System (SORBS) also have reported being subjected to increasingly intense DDOS attacks from thousands of compromised computers known as “zombies.”
Mysterious forces behind attack
The “zombie army” is being marshaled by mysterious opponents of anti-spam forces who use virus-infected e-mail and hacking techniques to take control of machines from unknowing users, most of whom haven’t taken the precaution of installing firewalls or anti-virus software to protect them from intruders.
Ron Guilmette, who operated the Monkeys.com block list for more than a year and a half before shutting it down Monday night, said in a news group posting announcing the list’s demise that he had “underestimated both the enemy’s level of sophistication, and also the enemy’s level of brute malevolence.”
Guilmette, of Roseville, Calif., told MSNBC.com on Wednesday that his mail, web and DNS servers were bombarded by data packets directed at Monkeys.com from “more than 10,000 machines” in DDOS attacks that lasted for 10 days beginning on Aug. 19 and then resumed again late last week.
He said that while his “small fry” operation was more susceptible than some of the bigger lists like SPEWS and Spamhaus, none of the anti-spam services are impervious.
“All of these services are now under criminal attack, which is premeditated and financially driven,” he said. “It’s all-out warfare and the bad guys have broken out the nuclear weapons.”
In the case of Compu-Net, Larson said he made the decision to cease operating the list not because of a DDOS attack, but because of an escalating case in which someone was forging company e-mail addresses on spam, causing many thousands of messages to “bounce” back and threatening to overwhelm the company’s e-mail servers.
Threats to servers, selves
In addition to the bounced e-mail, Larson and other members of Compu-Net staff were forced to handle a flood of abuse complaints from people who wrongly believed the company was spamming them and deal with “threats against ourselves, our servers and our Internet connection,” he wrote in a posting to the news.admin.net-abuse.email (NANAE) news group.
And he feared that the DDOS attacks that have targeted other block list operators would be next.
“As an ISP, if we got hit by a denial of service attack that lasted a week or 10 days, we would be out of business,” Larson said, explaining the decision to cut and run.
Earlier this month, the cyberattacks forced Joe Jared, who had been hosting the Spam Prevention Early Warning System, also known as SPEWS, at his Osirusoft.com Web site, to suddenly pull the plug on the popular but controversial block list.
Jared’s action blocked access to the SPEWS.org Web site, though mirror sites with the list continued to operate, enabling network administrators to reconfigure their systems to query the alternate sites.
Other block lists, which are used by Internet service providers and businesses to filter out the majority of incoming spam before it reaches the end users, have come under siege from distributed denial of service (DDOS) attacks this summer. The bombardment of massive amounts of data has intermittently prevented subscribers or users from gaining access to lists at Web sites of SpamCop.net, Spamhaus.org, Monkeys.com and the Spam & Open Relay Blocking System.
Attacks more systematic, intense
DDOS attacks have been used against anti-spam sites before, but this summer’s onslaught appears to be more systematic and intense than anything seen before.
“There’s not much doubt in my mind that the various attacks are the work of the same person or organization,” Julian Haight, president of Seattle-based SpamCop.net, which has been under attack intermittently since mid-July, told MSNBC.com earlier this month.
While it’s not clear who is behind the campaign, suspicion has focused on renegade spammers, who have an obvious motive.
“These block lists have become more and more effective as they’ve become focused, so they’ve started to hit home,” said Jesse Dougherty, director of development with software solution provider ActiveState.
The block lists have alienated some in the Internet community by blocking users who have nothing to do with spam, either accidentally or, in the case of SPEWS, as a deliberate tactic aimed at pressuring Internet service providers to crack down on spammers on their networks. But because the attacks are targeting multiple sites rather than just one or two, most experts say spammers are more likely culprits.
“It has been suggested to me that the person (behind the attacks) could be a site that I’ve erroneously blamed for spam, but given the amount of resources being put into it I’d certainly vote for the spammer,” said Haight.
An extra $30,000 on bill
Haight, who said that SpamCop was knocked offline periodically in the early days of the attack in mid-July, said it will cost about $30,000 this year to pay for a content distribution network capable of withstanding such assaults.
Britain’s Spamhaus.org also has been able to withstand steady attacks that began more than 2½ months ago, chief executive Steve Linford told the Boston Globe earlier this month.
“We’re usually under attack from 5,000 to 10,000 servers at once,” Linford was quoted as saying. “They’re extremely large attacks that would bring down just about anything.”
Some security experts, and many in the anti-spam community, believe that spammers have been behind recent viruses that have placed malicious “Trojan horse” programs on vulnerable computers, creating the network of “zombies” that can be remotely ordered to launch such attacks.
And while there is no hard evidence, some believe that the “sobig” family of viruses may be recruiting for the zombie army.
Guilmette, the former provider of the Monkeys.com block list, said the electronic bombardment of his site began “at 11:27 p.m. Pacific Time on Aug. 19, which coincidentally or not was the same day that sobig.f started to make the rounds.”
Big ISPs seen as culprits
While the escalating attacks have the anti-spam community up in arms, there is no indication that law enforcement yet considers them to be serious.
“I went to my local police and I had to twist their arms just to get them to take a report,” said Guilmette, adding that he called his local FBI office and left a message but was never called back.
But the longtime spam fighter said he bears more of a grudge against big ISPs like AT&T and UUNet, because they are in a better position to halt the attacks.
“If www.whitehouse.gov had been under attack for 10 days, you can bet your ass that the big providers would have gone to the lower level ISPs and asked them to shut off the machines that were part of the zombie army that was doing the attacking,” he said. “In my case they told me all I could do was try to ride it out and hope for the best.”
© 2013 msnbc.com