Attacks/Breaches
3/19/2013
10:05 AM

Anonymous DDoS Attack Report Bogus, Spamhaus Says

Anti-spam service says Russian malware gang launched attack, claims Anonymous accusation was the work of a man listed in its spammer directory.

Anti-spam service Spamhaus Tuesday dismissed reports that its site was targeted by the hacktivist collective Anonymous.

The Anonymous attack campaign was first reported by Softpedia, which said the attackers had declared the Spamhaus Project to be "an offshore criminal network of tax circumventing self-declared Internet terrorists pretending to be 'spam' fighters."

But in a statement published Tuesday titled "Softpedia publish false story of Spamhaus," Spamhaus claimed that the "Softpedia news site was today conned by a spammer into publishing a false article" about the distributed denial of service (DDoS) attack.

"The DDoS attack carried out against the Spamhaus website over the weekend was carried out by a Russian criminal malware gang and NOT by Anonymous," it said. According to Spamhaus, the reporter behind the Softpedia story, Eduard Kovacs, "was conned by a spammer named Andrew Jacob Stephens (listed in Spamhaus ROKSO) who simply posted a fake 'Anonymous Operation' to Pastebin." Contacted by email later Tuesday, Kovacs replied that "I have updated the article to clarify the source of the attack."

ROKSO refers to Spamhaus' Register Of Known Spam Operations database, which lists what it says are the world's top 100 spammers, who collectively account for 80% of all spam. That list includes Stephens, aka "Mail Mascot," and describes him as being a "spamware, spam service and spam list seller" listed as operating from both Florida and Cincinnati. Spamhaus has also published a picture of Stephens, posing with an unnamed woman, and accused him of selling spamware, harvested lists that are falsely labeled as only containing users who opted in, as well as bulletproof hosting services.

The Spamhaus Project was founded in 1998 by Steve Linford, and is based in Geneva, Switzerland, as well as London, and run by about three dozen investigators and forensic specialists. Numerous service providers, as well as governments and military networks, use Spamhaus' real-time spam-blocking databases (DNSBLs) to help them cut down on spam.

The Pastebin post uploaded Monday and cited by Softpedia had announced the launch of "Operation Stophaus -- Stop Spamhaus" and referenced a website devoted to the "Stophaus movement," which Spamhaus said is run by Stephens.

"Spamhaus has recently blackmailed several multinational carriers into disconnecting clients, breaching their own contracts, without any legal procedure whatsoever, and pretty much everyone on the internet so-far has feared spamhaus too much to report them to the authorities, wether (sic) they have a legal department to do so or not," claimed the Pastebin post. Interestingly, the word "Anonymous" wasn't mentioned in the post, although it did close with a variation on the group's tagline, saying: "We are legion / We never forget / Spamhaus should have expected us."

Spamhaus did, however, alert users Sunday night that it was being targeted as part of a large DDoS attack. The attack appeared to be targeting the service's composite blocking list (CBL) website, which includes the CBL and exploits block list (XBL) of machines that appear to be infected by malware.

"Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver is currently offline," said Laura Tessmer Atkins of anti-spam consultancy Word to the Wise, in a blog posted Monday. "Spamhaus is working to bring the mailserver and website back up, and are hoping to have it up later today."

A Spamhaus media contact didn't immediately respond Tuesday to an emailed request for comment about whether the service was still suffering a DDoS attack. But late Monday, some Spamhaus users were reporting that the affected services appeared to once again be working.

The DDoS attack wasn't the first time that Spamhaus had been targeted by organizations that it blocked or apparently angered.
