Anti-spam service says Russian malware gang launched attack, claims Anonymous accusation was the work of a man listed in its spammer directory.

Mathew J. Schwartz, Contributor

March 19, 2013


Anti-spam service Spamhaus Tuesday dismissed reports that its site was targeted by the hacktivist collective Anonymous.

The Anonymous attack campaign was first reported by Softpedia, which said the attackers had declared the Spamhaus Project to be "an offshore criminal network of tax circumventing self-declared Internet terrorists pretending to be 'spam' fighters."

But in a statement published Tuesday titled "Softpedia publish false story of Spamhaus," Spamhaus claimed that the "Softpedia news site was today conned by a spammer into publishing a false article" about the distributed denial of service (DDoS) attack.

"The DDoS attack carried out against the Spamhaus website over the weekend was carried out by a Russian criminal malware gang and NOT by Anonymous," it said. According to Spamhaus, the reporter behind the Softpedia story, Eduard Kovacs, "was conned by a spammer named Andrew Jacob Stephens (listed in Spamhaus ROKSO) who simply posted a fake 'Anonymous Operation' to Pastebin." Contacted by email later Tuesday, Kovacs replied that "I have updated the article to clarify the source of the attack."

ROKSO refers to Spamhaus' Register Of Known Spam Operations database, which lists what it says are the world's top 100 spammers, who collectively account for 80% of all spam. That list includes Stephens, aka "Mail Mascot," and describes him as being a "spamware, spam service and spam list seller" listed as operating from both Florida and Cincinnati. Spamhaus has also published a picture of Stephens, posing with an unnamed woman, and accused him of selling spamware, harvested lists that are falsely labeled as only containing users who opted in, as well as bulletproof hosting services.

The Spamhaus Project was founded in 1998 by Steve Linford, and is based in Geneva, Switzerland, as well as London, and run by about three dozen investigators and forensic specialists. Numerous service providers, as well as governments and military networks, use Spamhaus' real-time spam-blocking databases (DNSBLs) to help them cut down on spam.

The Pastebin post uploaded Monday and cited by Softpedia had announced the launch of "Operation Stophaus -- Stop Spamhaus" and referenced a website devoted to the "Stophaus movement," which Spamhaus said is run by Stephens.

"Spamhaus has recently blackmailed several multinational carriers into disconnecting clients, breaching their own contracts, without any legal procedure whatsoever, and pretty much everyone on the internet so-far has feared spamhaus too much to report them to the authorities, wether (sic) they have a legal department to do so or not," claimed the Pastebin post. Interestingly, the word "Anonymous" wasn't mentioned in the post, although it did close with a variation on the group's tagline, saying: "We are legion / We never forget / Spamhaus should have expected us."

Spamhaus did, however, alert users Sunday night that it was being targeted as part of a large DDoS attack. The attack appeared to be targeting the service's composite blocking list (CBL) website, which includes the CBL and exploits block list (XBL) of machines that appear to be infected by malware.

"Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver is currently offline," said Laura Tessmer Atkins of anti-spam consultancy Word to the Wise, in a blog posted Monday. "Spamhaus is working to bring the mailserver and website back up, and are hoping to have it up later today."

A Spamhaus media contact didn't immediately respond Tuesday to an emailed request for comment about whether the service was still suffering a DDoS attack. But late Monday, some Spamhaus users were reporting that the affected services appeared to once again be working.

The DDoS attack wasn't the first time that Spamhaus had been targeted by organizations that it blocked or apparently angered.

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
