Attacks/Breaches
3/28/2013
09:00 AM
50%
50%

DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted

Stophaus.com campaign and anarchic, allegedly pro-spam Dutch hosting provider have apparently been disrupted via ongoing DDoS attacks.

Spamhaus' anti-spam crusade often sounds personal. Its listing for Stephens, for example, accuses him of being a "spamware, spam service and spam list seller," who "sells spamware designed to break federal law in the U.S.," and who "fraudulently sells harvested lists as 'opt-in,' sells 'bulletproof hosting' and 'showshoe mailing' setups to other naive spammers." Finally, it accused him of "setting up a fake 'church' to scam donations and try to avoid paying taxes."

Spamhaus provoked the ire of CyberBunker in October 2011, after it designated the hosting provider to be "providing a spam support service," and asked the company's upstream service provider, A2B, to cancel its service. After A2B declined, Spamhaus responded by blacklisting A2B in its entirety, which did drive the service provider to drop CyberBunker as a customer. But A2B also filed a complaint with Dutch police, accusing Spamhaus of extortion.

CyberBunker is now leading a battle to scuttle Spamhaus. "We were the only ones to have the balls ... to not cave in to Spamhaus' demands," said CyberBunker spokesman Kamphuis. "I mean these people are blackmailing national domain registrars. The national Russian telecom regulatory people called them an illegal organization."

The DDoS resources brought to bear in attacks against Spamhaus suggest just how lucrative the practice of mass emailing -- or spamming -- can be, which also explains why many criminal gangs are involved. Numerous malware gangs, for example, use botnet-driven zombies to infect PCs and turn them into spam relays, sending emails selling pharmaceuticals and luxury goods, or distributing yet more malware, including malicious Trojan applications designed to steal people's personal financial information.

"As Spamhaus' success has eroded the business model of spammers, botnet operators are increasingly renting their networks to launch DDoS attacks," said CloudFlare's Prince.

The ongoing battle between Spamhaus and the business interests that it's apparently disrupting highlights the extent to which laws can do little to arrest spam. Legislative window dressing such as the Can-Spam Act passed by Congress in 2003 unfortunately lives up to its double meaning, since so much spam today either gets issued from countries that don't police mass-email purveyors, or generated by malware that's infected otherwise legitimate PCs.

But as shown by the months-long Operation Ababil campaign being waged against U.S. banks, blocking DDoS attacks outright remains tough, and tracing the attacks back to the organizations that are launching or funding them appears to remain quite difficult.

Indeed, asked to respond to a BBC report that at least five governments have tasked law enforcement teams to investigate the DDoS attacks, CyberBunker spokesman Kamphuis appeared to be unconcerned. "I doubt that the people who did the attacks are in any country where doing a DDoS attack is illegal or where they can even be found -- so, not much issue there," he said.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
IOnlyListenToFacts
50%
50%
IOnlyListenToFacts,
User Rank: Apprentice
4/6/2013 | 10:34:13 PM
re: DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted

It is painfully obvious that most of the above people who post in support of spamhaus are either directed to post here under spamhaus order OR who are simply disillusioned into believing that "all spamhaus does is maintain a list". Spamhaus does not simply block ips that are spamming, they also block *intentionally* innocent bystanders by way of what they call "punitive listings". Basically the way it works is that spamhaus lists an ip for spam and then if the ISP does not listen to their demands to remove the customer they will begin expanding the listing to cover unrelated IP space by the same provider until they list the entire network. This has the effect of entirely blocking email from ALL of the ISP or web hosting companies customers. If then, the ISP still does not weaken their stance on the customer in question, then Spamhaus begins to call the ISP a "spam supporting service" and then lists them as a spam gang, begins tracking the hosting provider and starts a slander campaign. They also start to pressure their upstream providers to shut down the entire ISP/hosting company by beginning to list the upstream isp's ip addresses. This is extortion/blackmail. "If you do not shut down the ISP we are calling a spam supporter, we will list YOUR network now and continue to until you cave in to our demands. They do this constantly and anyone who watches daily updates of their SBL lists can easily see this happening. For them to list disney, victorias secret, radio shack, Michael's art supplies and more is just ludicrous. They use terms that inflict harm on the companies they list. Calling things criminal and or "aiding and abetting" to any ISP who does not cave in to their pressures. They play judge jury and verdict and the general public is unaware of how much legitimate email is being blocked by this outfit without their knowledge. Yes, ISP's are not "forced" to use their lists to block email, but if they KNEW the tactics that spamhaus uses they would re-consider. Perhaps we should make a list of sites that aid and abet spamhaus by filtering email based on their "blacklist"? These ISP's should be made to know what spamhaus actually does and how they do it. Although I agree a DDoS is an immature solution, I *do* support the need for blogs and a listing of ISP's who support the extortionists at spamhaus. They are unknowing aiding a, in my opinion, out of control, "bigger than the law" type mafia organization which damages American business and threatens jobs and business income. We need to expose them for who they really are: They use bully tactics, they bank in know tax havens, they have no legitimate business registrations trackable back to any real owners or responsible parties, they operate "above the law" and maintain a god complex in all regard. Basic research can show they have taken bribe money to remove listings. They call themselves a non-profit, volunteer organization. This is NOT true. They have many companies they use to "collect and launder their income" try spamtec, http://mxtools.com, WordToTheWise and more.

Spamhaus is using "spin" to throw off the media. They have a force of people on twitter and other social media tweeting in support of what they do, yet those people who they recruited do not address the problems addressed above. They LOVE to keep saying "It's just a list". "I't just a list". This is NOT true and they need to stop saying that and NOW. They are masters of deception and media spin.

They fail to address also that what they do may be illegal in some countries! YES! Illegal! Allow me to demonstrate:

"A list of individuals or organizations designated for special discrimination or boycott; also to put a person or organization on such a list. Blacklists have been used for centuries as a means to identify and discriminate against undesirable individuals or organizations. A blacklist might consist, for example, of a list of names developed by a company that refuses to hire individuals who have been identified as union organizers; a country that seeks to boycott trade with other countries for political reasons; a Labor Union that identifies firms with which it will not work; or a government that wishes to specify who will not be allowed entry into the country. Many types of blacklists are legal. For example, a store may maintain a list of individuals who have not paid their bills and deny them credit privileges. Similarly, credit reports can effectively function as blacklists by identifying individuals who are poor credit risks. Because the purpose of blacklists is to exclude and discriminate, they can also result in unfair and illegal discrimination. In some cases, blacklists have done great damage to people's lives, locking them out of employment in their chosen careers or denying them access to influential organizations. For example, if a labor union makes a blacklist of workers who refuse to become members or conform to its rules, it has committed an Unfair Labor Practice in violation of federal laws. Blacklists may also necessitate disclosure laws. State and federal fair credit reporting acts, for example, require that access to information in a credit report must be given, upon request, to the person to whom the information applies.

The most famous instance of blacklisting in U.S. history occurred in the entertainment industry during the 1940s and 1950s. Motion picture companies, radio and television broadcasters, and other firms in that industry developed blacklists of individuals accused of being Communist sympathizers. Those firms then denied employment to those who were named on the blacklists. "

I do not want to plagiarize so I will reference the following if you want more info...
Further readings
Vaughn, Robert. 1972. Only Lies: A Study of Show Business Blacklisting. New York: Putnam.

I could type all day on this subject as I find anything that blocks open communication on the internet very bad for everyone. YOU SHOULD BE AWARE OF WHO IT IS YOU PLACE YOUR TRUST IN TO BLOCK EMAIL ON YOUR BEHALF.

I INVITE YOU TO PARTICIPATE IN THIS AND RESEARCH SPAMHAUS. Do not just "take for granted" that what they do is good. They make themselves out to be the angle of the internet but that is sadly not true. MANY MANY Businesses have been adversely affected by Spamhaus. Medical Practices, Dental Offices, Retail Sales stores who send out payment receipts by email!! REALLY! Imagine walking into an apple store, buying that new ipad you wanted and they ask you if you want your receipt emailed.... you get home find the ipad does not work, go to your email and Voila, no email is there because your ISP uses spamhaus and has set their mailserver to REJECT any email that is on the spamhaus list. YES, this happens, ALOT.

The reason this is not well known is that many ISP's FEAR spamhaus retaliation against their public acknowledgments that spamhaus is in the wrong. I call on ALL bandwidth providers, hosting companies and ISPs to BOYCOTT spamhaus and stop using their lists. I call on people to create lists shaming the ISP's who DO continue to block email with their lists.

Note: Did you know that spamhaus is a clickable option in many home appliances now? Yes! Sonicwall firewalls, your media players, many internet connected devices and more! There is NO WAY this orginization is a volunteer organization. Research this, take my challenge and you will FIND the truth. It is out there. Search for other terms not just spamhaus.

"Man behind illegal blacklist snooped on workers for 30 years"
"Shipyard worker was on 'illegal' blacklist"
Thats RIGHT.... Spamhaus CLAIMS To be in the UK right? It seems blacklists are illegal there!!
"Concerns over illegal blacklist"
"ICO closes down illegal blacklist database"

There is MORE AND MORE showing how blacklisting can be very illegal even in Spamhaus "home town".

Another question, WHY does Spamhaus bank in seychelles? Offshore banking? REALLY? What do they have to "hide" as a volunteer organization? Why the smoke and mirrors? Why the FAKE names? (yes people who run their blacklists are even more elusive than the people they claim are spammers.

I want everyone to go FIND ONE NEGATIVE THING ABOUT SPAMHAUS AND COME REPORT IT HERE.. YES THERE IS TONS.

Just do it. We need a fair and balanced reporting of what is going on with spamhaus, not just the board whores above who are related to the spamhaus cause.
all2gone
50%
50%
all2gone,
User Rank: Apprentice
4/1/2013 | 10:22:00 PM
re: DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted
In my opinion, I have seen the demands coming out of Spamhaus, but in all fairness, they are very effective to block those that hijack a cause in the name of their own nefarious activities. In addition, as a networking engineer, I have clients that want to use their email server to do email marketing. I tell them not to do it at all or they will get black listed and I'll dump them as a client. Because at the end of the day, it's still SPAM, SPAM, SPAM!

Good for Spamhaus for tightening their grip on the "gonads" of A2B to starve the beast.

If a spammer's house or anyone who helps them get's firebombed, I'll not lose one second of sleep. But to be clear, violence is not the answer. (wink)
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
3/29/2013 | 2:34:58 PM
re: DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted
I've seen the effects of the shotgun approach that A2B laments about. The exclusion procedure that Spamhaus provides for contesting erroneous blocking through this method can easily drag into and translate to days of downtime for the legitimate business.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.