Attacks/Breaches
3/19/2013
10:05 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Anonymous DDoS Attack Report Bogus, Spamhaus Says

Anti-spam service says Russian malware gang launched attack, claims Anonymous accusation was the work of a man listed in its spammer directory.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
Anti-spam service Spamhaus Tuesday dismissed reports that its site was targeted by the hacktivist collective Anonymous.

The Anonymous attack campaign was first reported by Softpedia, which said the attackers had declared the Spamhaus Project to be "an offshore criminal network of tax circumventing self-declared Internet terrorists pretending to be 'spam' fighters."

But in a statement published Tuesday titled "Softpedia publish false story of Spamhaus," Spamhaus claimed that the "Softpedia news site was today conned by a spammer into publishing a false article" about the distributed denial of service (DDoS) attack.

"The DDoS attack carried out against the Spamhaus website over the weekend was carried out by a Russian criminal malware gang and NOT by Anonymous," it said. According to Spamhaus, the reporter behind the Softpedia story, Eduard Kovacs, "was conned by a spammer named Andrew Jacob Stephens (listed in Spamhaus ROKSO) who simply posted a fake 'Anonymous Operation' to Pastebin." Contacted by email later Tuesday, Kovacs replied that "I have updated the article to clarify the source of the attack."

ROKSO refers to Spamhaus' Register Of Known Spam Operations database, which lists what it says are the world's top 100 spammers, who collectively account for 80% of all spam. That list includes Stephens, aka "Mail Mascot," and describes him as being a "spamware, spam service and spam list seller" listed as operating from both Florida and Cincinnati. Spamhaus has also published a picture of Stephens, posing with an unnamed woman, and accused him of selling spamware, harvested lists that are falsely labeled as only containing users who opted in, as well as bulletproof hosting services.

[ Want to know about the latest Anonymous investigation? See Anonymous Investigators Probe Reuters Reporter, Sabu. ]

The Spamhaus Project was founded in 1998 by Steve Linford, and is based in Geneva, Switzerland, as well as London, and run by about three dozen investigators and forensic specialists. Numerous service providers, as well as governments and military networks, use Spamhaus' real-time spam-blocking databases (DNSBLs) to help them cut down on spam.

The Pastebin post uploaded Monday and cited by Softpedia had announced the launch of "Operation Stophaus -- Stop Spamhaus" and referenced a website devoted to the "Stophaus movement," which Spamhaus said is run by Stevens.

"Spamhaus has recently blackmailed several multinational carriers into disconnecting clients, breaching their own contracts, without any legal procedure whatsoever, and pretty much everyone on the internet so-far has feared spamhaus too much to report them to the authorities, wether (sic) they have a legal department to do so or not," claimed the Pastebin post. Interestingly, the word "Anonymous" wasn't mentioned in the post, although it did close with a variation on the group's tagline, saying: "We are legion / We never forget / Spamhaus should have expected us."

Spamhaus did, however, alert users Sunday night that it was being targeted as part of a large DDoS attack. The attack appeared to be targeting the service's composite blocking list (CBL) website, which includes the CBL and exploits block list (XBL) of machines that appear to be infected by malware.

"Late last night I, and a number of other folks, received mail from Spamhaus informing us of a major denial of service attack against their servers. The attack is so bad that the website and main mailserver is currently offline," said Laura Tessmer Atkins of anti-spam consultancy Word to the Wise, in a blog posted Monday. "Spamhaus is working to bring the mailserver and website back up, and are hoping to have it up later today."

A Spamhaus media contact didn't immediately respond Tuesday to an emailed request for comment about whether the service was still suffering a DDoS attack. But late Monday, some Spamhaus users were reporting that the affected services appeared to once again be working.

The DDoS attack wasn't the first time that Spamhaus had been targeted by organizations that it blocked or apparently angered.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-5704
Published: 2014-04-15
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such."

CVE-2013-5705
Published: 2014-04-15
apache2/modsecurity.c in ModSecurity before 2.7.6 allows remote attackers to bypass rules by using chunked transfer coding with a capitalized Chunked value in the Transfer-Encoding HTTP header.

CVE-2014-0341
Published: 2014-04-15
Multiple cross-site scripting (XSS) vulnerabilities in PivotX before 2.3.9 allow remote authenticated users to inject arbitrary web script or HTML via the title field to (1) templates_internal/pages.tpl, (2) templates_internal/home.tpl, or (3) templates_internal/entries.tpl; (4) an event field to ob...

CVE-2014-0342
Published: 2014-04-15
Multiple unrestricted file upload vulnerabilities in fileupload.php in PivotX before 2.3.9 allow remote authenticated users to execute arbitrary PHP code by uploading a file with a (1) .php or (2) .php# extension, and then accessing it via unspecified vectors.

CVE-2014-0348
Published: 2014-04-15
The Artiva Agency Single Sign-On (SSO) implementation in Artiva Workstation 1.3.x before 1.3.9, Artiva Rm 3.1 MR7, Artiva Healthcare 5.2 MR5, and Artiva Architect 3.2 MR5, when the domain-name option is enabled, allows remote attackers to login to arbitrary domain accounts by using the corresponding...

Best of the Web