Anti-Spam Orgs Under DDoS Siege

These types of attacks have succeeded in bringing down and, in some cases, permanently knocking out important weapons in the fight against spammers.

Anti-spam forces must have hit a nerve with their adversaries.

As of the evening of June 7, anti-spam groups Spamhaus, SURBL (Spam URI Realtime Blocklists), URIBL (Realtime URI Blacklist) and others have been under a "pretty big" DDoS (distributed denial of service) attack, according to the ISC (Internet Storm Center), which is run by the SANS Institute (SysAdmin, Audit, Network, Security).

As of 11 a.m. ET on June 8, both SURBL and URIBL remained down when eWEEK checked, but Spamhaus was back up.

This is an extremely serious issue, as these types of attacks have succeeded in bringing down and, in some cases, permanently knocking out important weapons in the fight against spammers.

However, ISC member Bojan Zdrnja noted this positive side of the current DDoS: Spammers must be desperate if theyre using their resources to flood anti-spam groups rather than to send out spam.

/zimages/3/28571.gifClick here to read more about the "Storm worm descending on IM.

"This looks like the anti-spam tools are doing their job because spammers seem to be desperate when they launch DDoS attacks [otherwise they would just keep sending spam, instead of using their resources this way]," he said.

Zdrnja noted on the ISCs advisory list that these DDoS attacks are reminiscent of those carried out against anti-spam company BlueSecurity in May of 2006.

Those attacks were so vicious, they not only knocked out BlueSecuritys Blue Frog spam opt-out service and its users, they also led the company to abandon its anti-spam efforts entirely.

Blue Frog worked by allowing almost a half million users to automatically opt out of unsolicited bulk e-mail by sending one message back to the advertiser. In effect, the massive amount of automated opt-out messages spammed the spammers, forcing six of the top 10 bulk e-mailers to use BlueSecuritys filter to wipe their mailing lists clean of Blue Frog users.

One spammer, identified in news reports as PharmaMaster, chose instead to strike back with a jacked-up amount of spam resulting in a DDoS. Not only did Blue Frog choke, but Six Apart and some service providers were also knocked out. BlueSecuritys site is currently offline.

PharmaMaster employed the Storm botnet to do the dirty work. That malware can do "basically anything," Zdrnja noted, from DDoS attacks to sending spam.

The Spamhaus Project is used to this. It has an entire page devoted to the types of attacks it receives. In addition to DDoS, "Joe Jobs" are a popular attack against Spamhaus. A "Joe Job" is spam that purports to be from the anti-spam organization itself. "Spammers hope this is the way to get Internet users to harass the anti-spam organization by flooding it with complaints," the Spamhaus notes.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.