

DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted

Stophaus.com campaign and anarchic, allegedly pro-spam Dutch hosting provider have apparently been disrupted via ongoing DDoS attacks.

Distributed denial-of-service (DDoS) attack proponents beware: Your own websites may also be targeted for disruption.

The anything-goes Dutch hosting provider CyberBunker, which has been accused of backing a DDoS disruption campaign against anti-spam site Spamhaus, as of Thursday morning found its own supposedly bulletproof website knocked offline, making it the apparent victim of a sustained DDoS attack.

That's an ironic twist for CyberBunker, which has been one of the most outspoken proponents -- and, some have alleged, sponsors -- of a week-long series of massive DDoS attacks against Spamhaus.

Attempts to reach CyberBunker for comment failed, in part because the company's Web-based contact form remained offline. Likewise, Sven Olaf Kamphuis, a spokesman for CyberBunker, didn't immediately respond to a message sent to his personal Facebook account, seeking comment about the apparent DDoS campaign targeting the hosting provider.


CyberBunker, which says it's headquartered in an ex-NATO "former military nuclear warfare bunker that is currently utilized as bulletproof data center," made a name for itself by advertising services to any website "except child porn and anything related to terrorism." The company previously gained notoriety for providing hosting to the Russian Business Network cybercrime gang, which the FBI ultimately helped dismantle.

Lately, CyberBunker has backed the so-called Stophaus.com campaign, which is designed to knock anti-spam organization Spamhaus offline. As of Thursday morning, however, the Stophaus.com website was also unreachable, with the homepage resolving to a page that read only "database error."

CyberBunker spokesman Kamphuis claimed that his company isn't responsible for the DDoS attacks that were first launched last week against Spamhaus. "Well, it's not us, it's a group of Internet providers which goes under the name Stophaus.com. It's basically a collective of a lot of people and Internet providers, and they've had previous issues or current issues with Spamhaus," Kamphuis told broadcaster Russia Today Wednesday. "Spamhaus pretends to be spam fighters, but effectively they're just a censorship organization which worked itself into a position where they can just look at a website and shut it down," he said.

But CyberBunker appears to have few backers outside of pro-spam circles. "These guys are just mad," Patrick Gilmore, chief architect at digital content provider Akamai Technologies, told The New York Times. "To be frank, they got caught. They think they should be allowed to spam."

The target of the Stophaus.com campaign is the Spamhaus Project, which is based in Geneva and London, and which was founded in 1998 by Steve Linford. Currently it's run by about three dozen investigators and forensic specialists. Numerous service providers, as well as government and military network operators, rely on Spamhaus' real-time spam-blocking databases to help them block spam. "Spamhaus is directly or indirectly responsible for filtering as much as 80% of daily spam messages," according to Matthew Prince, CEO of DDoS prevention service CloudFlare, which last week announced that Spamhaus had become a customer.

The anti-spam operation evinces a blunt, take-no-prisoners attitude, which has included publishing names and photographs -- including images that appear to be family photos -- of people in its Register Of Known Spam Operations (ROKSO) database, which lists what it says are the world's top 100 spammers, collectively accounting for 80% of all spam. Spamhaus has also accused Andrew Jacob Stephens (aka Mail Mascot), who's listed in its ROKSO, of being the prime mover behind the Stophaus attacks. It also traced a fake Anonymous Operation -- Operation Stophaus -- supposedly launched last week, to Stephens.

User Rank: Apprentice
4/6/2013 | 10:34:13 PM
re: DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted

It is painfully obvious that most of the above people who post in support of Spamhaus are either directed to post here under Spamhaus order OR who are simply disillusioned into believing that "all Spamhaus does is maintain a list". Spamhaus does not simply block IPs that are spamming, they also block *intentionally* innocent bystanders by way of what they call "punitive listings". Basically the way it works is that Spamhaus lists an IP for spam and then if the ISP does not listen to their demands to remove the customer they will begin expanding the listing to cover unrelated IP space by the same provider until they list the entire network. This has the effect of entirely blocking email from ALL of the ISP or web hosting companies' customers. If then, the ISP still does not weaken their stance on the customer in question, then Spamhaus begins to call the ISP a "spam supporting service" and then lists them as a spam gang, begins tracking the hosting provider and starts a slander campaign. They also start to pressure their upstream providers to shut down the entire ISP/hosting company by beginning to list the upstream ISP's IP addresses. This is extortion/blackmail. "If you do not shut down the ISP we are calling a spam supporter, we will list YOUR network now and continue to until you cave in to our demands." They do this constantly and anyone who watches daily updates of their SBL lists can easily see this happening. For them to list Disney, Victoria's Secret, Radio Shack, Michael's art supplies and more is just ludicrous. They use terms that inflict harm on the companies they list. Calling things criminal and/or "aiding and abetting" to any ISP who does not cave in to their pressures. They play judge jury and verdict and the general public is unaware of how much legitimate email is being blocked by this outfit without their knowledge. Yes, ISPs are not "forced" to use their lists to block email, but if they KNEW the tactics that Spamhaus uses they would reconsider.
Perhaps we should make a list of sites that aid and abet Spamhaus by filtering email based on their "blacklist"? These ISPs should be made to know what Spamhaus actually does and how they do it. Although I agree a DDoS is an immature solution, I *do* support the need for blogs and a listing of ISPs who support the extortionists at Spamhaus. They are unknowingly aiding an, in my opinion, out of control, "bigger than the law" type mafia organization which damages American business and threatens jobs and business income. We need to expose them for who they really are: They use bully tactics, they bank in known tax havens, they have no legitimate business registrations trackable back to any real owners or responsible parties, they operate "above the law" and maintain a god complex in all regards. Basic research can show they have taken bribe money to remove listings. They call themselves a non-profit, volunteer organization. This is NOT true. They have many companies they use to "collect and launder their income": try spamtec, http://mxtools.com, WordToTheWise and more.

Spamhaus is using "spin" to throw off the media. They have a force of people on Twitter and other social media tweeting in support of what they do, yet those people who they recruited do not address the problems addressed above. They LOVE to keep saying "It's just a list". "It's just a list". This is NOT true and they need to stop saying that and NOW. They are masters of deception and media spin.

They fail to address also that what they do may be illegal in some countries! YES! Illegal! Allow me to demonstrate:

"A list of individuals or organizations designated for special discrimination or boycott; also to put a person or organization on such a list. Blacklists have been used for centuries as a means to identify and discriminate against undesirable individuals or organizations. A blacklist might consist, for example, of a list of names developed by a company that refuses to hire individuals who have been identified as union organizers; a country that seeks to boycott trade with other countries for political reasons; a Labor Union that identifies firms with which it will not work; or a government that wishes to specify who will not be allowed entry into the country. Many types of blacklists are legal. For example, a store may maintain a list of individuals who have not paid their bills and deny them credit privileges. Similarly, credit reports can effectively function as blacklists by identifying individuals who are poor credit risks. Because the purpose of blacklists is to exclude and discriminate, they can also result in unfair and illegal discrimination. In some cases, blacklists have done great damage to people's lives, locking them out of employment in their chosen careers or denying them access to influential organizations. For example, if a labor union makes a blacklist of workers who refuse to become members or conform to its rules, it has committed an Unfair Labor Practice in violation of federal laws. Blacklists may also necessitate disclosure laws. State and federal fair credit reporting acts, for example, require that access to information in a credit report must be given, upon request, to the person to whom the information applies.

The most famous instance of blacklisting in U.S. history occurred in the entertainment industry during the 1940s and 1950s. Motion picture companies, radio and television broadcasters, and other firms in that industry developed blacklists of individuals accused of being Communist sympathizers. Those firms then denied employment to those who were named on the blacklists. "

I do not want to plagiarize so I will reference the following if you want more info...
Further readings
Vaughn, Robert. 1972. Only Lies: A Study of Show Business Blacklisting. New York: Putnam.

I could type all day on this subject as I find anything that blocks open communication on the internet very bad for everyone. YOU SHOULD BE AWARE OF WHO IT IS YOU PLACE YOUR TRUST IN TO BLOCK EMAIL ON YOUR BEHALF.

I INVITE YOU TO PARTICIPATE IN THIS AND RESEARCH SPAMHAUS. Do not just "take for granted" that what they do is good. They make themselves out to be the angel of the internet but that is sadly not true. MANY MANY businesses have been adversely affected by Spamhaus. Medical practices, dental offices, retail sales stores who send out payment receipts by email!! REALLY! Imagine walking into an Apple store, buying that new iPad you wanted and they ask you if you want your receipt emailed.... you get home, find the iPad does not work, go to your email and voila, no email is there because your ISP uses Spamhaus and has set their mailserver to REJECT any email that is on the Spamhaus list. YES, this happens, A LOT.

The reason this is not well known is that many ISPs FEAR Spamhaus retaliation against their public acknowledgments that Spamhaus is in the wrong. I call on ALL bandwidth providers, hosting companies and ISPs to BOYCOTT Spamhaus and stop using their lists. I call on people to create lists shaming the ISPs who DO continue to block email with their lists.

Note: Did you know that Spamhaus is a clickable option in many home appliances now? Yes! SonicWall firewalls, your media players, many internet connected devices and more! There is NO WAY this organization is a volunteer organization. Research this, take my challenge and you will FIND the truth. It is out there. Search for other terms, not just Spamhaus.

"Man behind illegal blacklist snooped on workers for 30 years"
"Shipyard worker was on 'illegal' blacklist"
That's RIGHT.... Spamhaus CLAIMS to be in the UK, right? It seems blacklists are illegal there!!
"Concerns over illegal blacklist"
"ICO closes down illegal blacklist database"

There is MORE AND MORE showing how blacklisting can be very illegal even in Spamhaus "home town".

Another question, WHY does Spamhaus bank in Seychelles? Offshore banking? REALLY? What do they have to "hide" as a volunteer organization? Why the smoke and mirrors? Why the FAKE names? (Yes, people who run their blacklists are even more elusive than the people they claim are spammers.)


Just do it. We need a fair and balanced reporting of what is going on with Spamhaus, not just the board whores above who are related to the Spamhaus cause.
User Rank: Apprentice
4/1/2013 | 10:22:00 PM
re: DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted
In my opinion, I have seen the demands coming out of Spamhaus, but in all fairness, they are very effective to block those that hijack a cause in the name of their own nefarious activities. In addition, as a networking engineer, I have clients that want to use their email server to do email marketing. I tell them not to do it at all or they will get blacklisted and I'll dump them as a client. Because at the end of the day, it's still SPAM, SPAM, SPAM!

Good for Spamhaus for tightening their grip on the "gonads" of A2B to starve the beast.

If a spammer's house or anyone who helps them gets firebombed, I'll not lose one second of sleep. But to be clear, violence is not the answer. (wink)
User Rank: Apprentice
3/29/2013 | 2:34:58 PM
re: DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted
I've seen the effects of the shotgun approach that A2B laments about. The exclusion procedure that Spamhaus provides for contesting erroneous blocking through this method can easily drag into and translate to days of downtime for the legitimate business.