Security Web Digest: Earthlink Takes Big Spam Rings To Court

Herbal Viagra and porno merchants used "phisher" schemes to defraud users. Java Anonymous Proxy allowed to remove German Government back door. Netgear routers accidentally cause DOS attack. Some versions of Sendmail


EarthLink Inc. this week said it filed suit against two spam e-mail rings with operations in the U.S. and Canada. The ISP is suing to recover an estimated $5 million in lost employee productivity and Internet bandwidth that it claims was spent managing more than 250 million e-mail messages sent from e-mail addresses on its network, according to Pete Wellborn, outside legal counsel for EarthLink. The suit targets two separate spam operations. The first, based in Birmingham, Ala., is believed to be behind a variety of spam campaigns, including pitches for "herbal Viagra," pornography and online dating services. A second ring, in Vancouver, British Columbia, used about six different phone numbers to connect to EarthLink accounts as part of a massive "phisher" scheme to trick unsuspecting Internet users into passing on sensitive information such as account passwords and credit card numbers, Wellborn said. Phisher schemes use Web pages designed to look like legitimate Web sites such as or in complicated ruses to capture account information from customers.

The Java Anonymous Proxy (JAP) service, a collaborative effort of Dresden University of Technology, Free University Berlin and the Independent Centre for Privacy Protection Schleswig-Holstein, Germany (ICPP), has been allowed to suspend its monitoring of users' IP traffic pending a decision on the legality of back-dooring it. Collectively known as the AN.ON Project, the operators appealed a lower court's decision allowing the German Feds to obtain reports on users' access to a particular IP address. In a previous article The Register criticized the way the JAP team handled its initial confrontation with the Feds -- waiting quietly until a user discovered the back door before acknowledging the situation.


Network hardware maker Netgear Inc. has warned its customers of a flaw in some of its router products that has set off an accidental denial-of-service attack on the University of Wisconsin. The problem occurred because of a flawed implementation of the Network Time Protocol (NTP), which is a method commonly used by network devices to contact special time servers that pass on the correct time and date. In June, the University of Wisconsin's NTP server was the victim of a huge denial-of-service attack. The university said that it was receiving 250,000 requests per second, which equated to hundreds of megabits per second. The attack was not planned or malicious but caused by hundreds of thousands of low-cost Netgear routers repeatedly requesting the latest time, which caused the university's NTP server to fail.

Several versions of the open-source mail transfer agent Sendmail are vulnerable to remote denial-of-service attacks, according to an alert issued by the FreeBSD Project. Sendmail versions 8.12.0 through 8.12.8 are susceptible to remote exploit of a vulnerability in the code that implements DNS (domain name system) maps. An attacker sending a malformed DNS reply packet could cause Sendmail to call "free()" on an uninitialized pointer. Such a call could cause a Sendmail child process to crash, FreeBSD said in an advisory. Administrators are urged to upgrade to Sendmail 8.12.9 or apply a patch available at or from their distributors.
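The bug class described above, as an added illustration that is not Sendmail's code or the FreeBSD patch: a constructed length-prefixed reply format and the hypothetical functions `lookup_vulnerable` and `lookup_hardened` show how an early exit on a malformed reply reaches `free()` before the pointer has been assigned, and how initialising it to NULL makes the shared cleanup path safe.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed reply format (not DNS wire format): byte 0 = length N,
 * bytes 1..N = payload. All function names here are hypothetical. */

#ifdef SHOW_VULNERABLE /* off by default: calling this is undefined behaviour */
static int lookup_vulnerable(const unsigned char *reply, size_t len, char *out, size_t outsz)
{
    char *tmp;                      /* BUG: indeterminate until malloc() */
    int rc = -1;
    size_t n;
    if (len < 1) goto done;         /* early exit: tmp never assigned */
    n = reply[0];
    if (n + 1 > len || n + 1 > outsz) goto done;  /* malformed: same problem */
    if ((tmp = malloc(n + 1)) == NULL) goto done;
    memcpy(tmp, reply + 1, n);
    tmp[n] = '\0';
    memcpy(out, tmp, n + 1);
    rc = 0;
done:
    free(tmp);                      /* free() on an uninitialised pointer */
    return rc;
}
#endif

int lookup_hardened(const unsigned char *reply, size_t len, char *out, size_t outsz)
{
    char *tmp = NULL;               /* free(NULL) is a defined no-op */
    int rc = -1;
    size_t n;
    if (reply == NULL || out == NULL || len < 1) goto done;
    n = reply[0];
    if (n + 1 > len || n + 1 > outsz) goto done;  /* length must fit both buffers */
    if ((tmp = malloc(n + 1)) == NULL) goto done;
    memcpy(tmp, reply + 1, n);
    tmp[n] = '\0';
    memcpy(out, tmp, n + 1);
    rc = 0;
done:
    free(tmp);                      /* safe on every path, assigned or not */
    return rc;
}

int main(void)
{   /* constructed malformed reply: claims 9 payload bytes, carries 2 */
    const unsigned char bad[] = {9, 'a', 'b'};
    char out[16];
    return lookup_hardened(bad, sizeof bad, out, sizeof out) == -1 ? 0 : 1;
}
```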


McAfee Wednesday reported the appearance of VBS/Flipe, a Trojan that, when executed, will attempt to create the files c:\windows\xp2.vbs and c:\system.sys, which contain the following message inside: "Microsoft Windows XP 2 has released." It will also attempt to format the c:\ and a:\ drives. None of the above behaviors of VBS/Flipe were observed in a lab environment, due to a bug in the code. More information is at this McAfee page.