DDoS Spam Feud Backfires: 'Bulletproof' CyberBunker Busted

Stophaus.com campaign and anarchic, allegedly pro-spam Dutch hosting provider have apparently been disrupted via ongoing DDoS attacks.

Mathew J. Schwartz, Contributor

March 28, 2013

6 Min Read

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013 (click image for larger view and for slideshow)

Distributed denial-of-service (DDoS) attack proponents beware: Your own websites may also be targeted for disruption.

The anything-goes Dutch hosting provider CyberBunker, which has been accused of backing a DDoS disruption campaign against anti-spam site Spamhaus, as of Thursday morning found its own supposedly bulletproof website knocked offline, making it the apparent victim of a sustained DDoS attack.

That's an ironic twist for CyberBunker, which has been one of the most outspoken proponents -- and, some have alleged, sponsors -- of a week-long series of massive DDoS attacks against Spamhaus.

Attempts to reach CyberBunker for comment failed, in part because the company's Web-based contact form remained offline. Likewise, Sven Olaf Kamphuis, a spokesman for CyberBunker, didn't immediately respond to a message sent to his personal Facebook account, seeking comment about the apparent DDoS campaign targeting the hosting provider.

[ Meet the new cybercrime policy proposal, same as the old cybercrime policy proposal. See Tougher Computer Crime Penalties Sought By U.S. Legislators. ]

CyberBunker, which says it's headquartered in an ex-NATO "former military nuclear warfare bunker that is currently utilized as bulletproof data center," made a name for itself by advertising services to any website "except child porn and anything related to terrorism." The company previously gained notoriety for providing hosting to the Russian Business Network cybercrime gang, which the FBI ultimately helped dismantle.

Lately, CyberBunker has backed the so-called Stophaus.com campaign, which is designed to knock anti-spam organization Spamhaus offline. As of Thursday morning, however, the Stophaus.com website was also unreachable, with the homepage resolving to a page that read only "database error."

CyberBunker spokesman Kamphuis claimed that his company isn't responsible for the DDoS attacks that were first launched last week against Spamhaus. "Well, it's not us, it's a group of Internet providers which goes under the name Stophaus.com. It's basically a collective of a lot of people and Internet providers, and they've had previous issues or current issues with Spamhaus," Kamphuis told broadcaster Russia Today Wednesday. "Spamhaus pretends to be spam fighters, but effectively they're just a censorship organization which worked itself into a position where they can just look at a website and shut it down," he said.

But CyberBunker appears to have few backers outside of pro-spam circles. "These guys are just mad," Patrick Gilmore, chief architect at digital content provider Akamai Technologies told The New York Times. "To be frank, they got caught. They think they should be allowed to spam."

The target of the Stophaus.com campaign is the Spamhaus Project, which is based in Geneva and London, and which was founded in 1998 by Steve Linford. Currently it's run by about three dozen investigators and forensic specialists. Numerous service providers, as well as government and military network operators, rely on Spamhaus' real-time spam-blocking databases to help them block spam. "Spamhaus is directly or indirectly responsible for filtering as much as 80% of daily spam messages," according to Matthew Prince, CEO of DDoS prevention service CloudFlare, which last week announced that Spamhaus had become a customer.

The anti-spam operation evinces a blunt, take-no-prisoners attitude, which has included publishing names and photographs -- including images that appear to be family photos -- of people in its Register Of Known Spam Operations (ROKSO) database, which lists what it says are the world's top 100 spammers, collectively accounting for 80% of all spam. Spamhaus has also accused Andrew Jacob Stephens (aka Mail Mascot), who's listed in its ROKSO, as being the prime mover behind the Stophaus attacks. It also traced a fake Anonymous Operation -- Operation Stophaus -- supposedly launched last week, to Stephens. Spamhaus' anti-spam crusade often sounds personal. Its listing for Stephens, for example, accuses him of being a "spamware, spam service and spam list seller," who "sells spamware designed to break federal law in the U.S.," and who "fraudulently sells harvested lists as 'opt-in,' sells 'bulletproof hosting' and 'showshoe mailing' setups to other naive spammers." Finally, it accused him of "setting up a fake 'church' to scam donations and try to avoid paying taxes."

Spamhaus provoked the ire of CyberBunker in October 2011, after it designated the hosting provider to be "providing a spam support service," and asked the company's upstream service provider, A2B, to cancel its service. After A2B declined, Spamhaus responded by blacklisting A2B in its entirety, which did drive the service provider to drop CyberBunker as a customer. But A2B also filed a complaint with Dutch police, accusing Spamhaus of extortion.

CyberBunker is now leading a battle to scuttle Spamhaus. "We were the only ones to have the balls ... to not cave in to Spamhaus' demands," said CyberBunker spokesman Kamphuis. "I mean these people are blackmailing national domain registrars. The national Russian telecom regulatory people called them an illegal organization."

The DDoS resources brought to bear in attacks against Spamhaus suggest just how lucrative the practice of mass emailing -- or spamming -- can be, which also explains why many criminal gangs are involved. Numerous malware gangs, for example, use botnet-driven zombies to infect PCs and turn them into spam relays, sending emails selling pharmaceuticals and luxury goods, or distributing yet more malware, including malicious Trojan applications designed to steal people's personal financial information.

"As Spamhaus' success has eroded the business model of spammers, botnet operators are increasingly renting their networks to launch DDoS attacks," said CloudFlare's Prince.

The ongoing battle between Spamhaus and the business interests that it's apparently disrupting highlights the extent to which laws can do little to arrest spam. Legislative window dressing such as the Can-Spam Act passed by Congress in 2003 unfortunately lives up to its double meaning, since so much spam today either gets issued from countries that don't police mass-email purveyors, or generated by malware that's infected otherwise legitimate PCs.

But as shown by the months-long Operation Ababil campaign being waged against U.S. banks, blocking DDoS attacks outright remains tough, and tracing the attacks back to the organizations that are launching or funding them appears to remain quite difficult.

Indeed, asked to respond to a BBC report that at least five governments have tasked law enforcement teams to investigate the DDoS attacks, CyberBunker spokesman Kamphuis appeared to be unconcerned. "I doubt that the people who did the attacks are in any country where doing a DDoS attack is illegal or where they can even be found -- so, not much issue there," he said.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights