Domain: spamhaus.org
Stories and comments across the archive that link to spamhaus.org.
Comments · 861
-
good riddance
Softlayer, IBM's public cloud offering was acquired in 2013. in the 4 years its been headed up by Big Blue the service has gone from decent hosting provider to dumpster fire of penny stock spam and DDoS botnet herders.
https://www.spamhaus.org/sbl/l...
https://www.mailcleaner.net/bl...
-
Re:If there is truly no evidence...
This is all cogent, because RCM is a New Jersey corporation.
You are probably thinking of another company, RCM Technologies, located in Pennsauken (New Jersey). There are other unrelated companies with similar names, including a River City Media located in Portland (Oregon).
The spam operation operated by Matt Ferris and Alvin Slocombe seems run from Washington state, along with other companies that they have registered there under names like “Acetech USA”, “Cyber World Internet Services” and others, according to SpamHaus.
-
Doesn't it just figger...
...the biggest spammer in the world is a... NAGGER!!
-
Re:Use a different account for humans
Give one email address to computers, and reserve another one just for known humans. 35k unread from assorted semi-autonomous systems? Who cares. If you actually need something in there you've got search and filters. That way human correspondence doesn't get lost in the noise.
I used Spamhaus for that, but it's being filtered by almost everybody now.
https://www.spamhaus.org/ it's grown, haven't seen this new page; it was simpler than the page suggests: NameToUse.HowManyEmailsAllowed.SpamhausAccount.
-
that should slow down the amount of spam they send
I always find it richly ironic when spam hosting ISPs get cratered by a DDOS. Lie down with dogs, get up with fleas.
-
Re:Could this be FUD?
No, it's not. This is very true and happening a LOT. I run Sendmail (a mail server, also known as an MTA) on a fairly busy mail service and have ended up using Barracuda Spam Control - https://login.barracudanetwork... to manage the insane amount of spam and virus attacks (PDF files) that I received just in the last few years. We had upwards of 400,000 emails an hour full of PDF laden viruses just last week...
This is a real time graph of attacks and mails to our Barracuda Gateway to give you an idea:
** You can see countries from where attacks are coming and a little snapshot of mail volume **.
When the mail does hit our MTA, running sendmail, we run it through SA -- which also updates itself automatically (via cron) **sa-update**.
Some important notes:
1) You DO need clamav or else spam will be the last of your worries.... (Also note that clamav is a memory beast). You can also use Symantec but I have completely moved from them to ESET (Desktop) and ClamAV + Barracuda for the rest.
2) RBLs: we use these:
FEATURE(dnsbl,`blackholes.mail-abuse.org', ` Mail from $&{client_addr} rejected; see http://mail-abuse.org/cgi-bin/... {client_addr}')dnl
FEATURE(dnsbl,`dialups.mail-abuse.org', ` Mail from dial-up rejected; see http://mail-abuse.org/dul/endu...
FEATURE(dnsbl,`zen.spamhaus.org', ` Mail from zen rejected; see https://www.spamhaus.org/zen/'...
3) Also note that we don't listen on IPv6 even though we serve content on http. The reason (as being discussed in postfix-users, a mailing list for one of the more popular mail servers) is exactly this problem. The increase of IoT devices and proliferation of IPv6 makes it next to impossible to now scan from IPv6 hosts. So as such, we don't. Although Google and Microsoft internally use IPv6 to route emails.
4) I do not work for Barracuda.
5) Dyn's transactional email delivery option is really good. And so is Office 365 relay via their MTA (which also adds dkim signatures) and mostly would mean your mail would be delivered.
Please leave a message here if you want me to look at it.
-
Drop List or censored government DNS server?
If this is just supplying a list of IPs, as Spamhaus, OpenBL and Dshield do, then it's nothing much to be concerned about. OTOH ...
https://www.spamhaus.org/drop/
http://www.openbl.org/
https://www.dshield.org/xml.ht...
-
Re:another spam hosting isp gets bit in the ass
I always find it amusing when a big spammy hosting provider gets pwned. Companies that ignore their spam problems usually tend to ignore their security problems too.
http://www.spamhaus.org/sbl/li...
As a Linode customer, this post was news to me and cause for concern.
But then I saw that Rackspace had 12:
http://www.spamhaus.org/sbl/listings/rackspace.com
and I was glad to have left for Linode after Rackspace bought Slicehost. And saw that others were worse, with Dreamhost at 25:
http://www.spamhaus.org/sbl/listings/dreamhost.com
-
another spam hosting isp gets bit in the ass
I always find it amusing when a big spammy hosting provider gets pwned. Companies that ignore their spam problems usually tend to ignore their security problems too.
-
lost my respect when they started hosting spammers
and ignoring complaints about it.
http://www.spamhaus.org/sbl/li...
That's ok though, IPTABLES fixed that problem.
-
Re:Coren22, you really *are* stupid!
All you have proven is that you don't know what DNSBL does.
Understanding DNSBL Filtering
-
Go talk to Spamhaus
No, really, go talk to them... they've been doing just that as a community for a lot longer, and probably have nearly all the stuff on your list and then some.
-
Re:XP
There are still a couple of hundred million XP machines running. As that number declines so does the amount of spam, but there's a long way to go.
The number of XP boxes on the internet has little to do with spam. It did when cheap VPS, cloud and broadband were uncommon. Blame their owners for a lot of things - but blame for spam is misplaced (the main exception being Michael Lindsay's "customers"). It's far cheaper, and easier, to either rent a host or pay a mailing service than it is to rent (or build) a bot-net of sufficient size to produce a measurable amount of the world's spam. SPF, DKIM and DMARC have also considerably reduced the viability of bot-nets for spamming as the major email providers reject their unauthenticated headers, or quickly identify them as spam.
The majority of those services are provided by a small number of companies (in order of volume):- softbank.co.jp, unicom-bj, unicom-sc, drpeng.com.cn, webexxpurts.com, gmo.jp, kddi.ne.jp, kyivstar.net, uplus.co.kr, softcom.com.
The majority of spam is commissioned by a small number of arseholes (a significant number of them are based in North America since China cleaned up its act). In order of volume:-
- Canadian Pharmacy - Ukraine. A long time running pharmacy spam operation. They send tens of millions of spams per day using botnet techniques. Probably based in Eastern Europe, Ukraine/Russia. Host spammed web sites on botnets and on bulletproof Chinese web hosting.
- Dante Jimenez / Aiming Invest - United States. Spamwarez, lists, "bulletproof" hosting in the finest South Florida tradition. Working with the worst cybercriminal botnet spammers. Now mostly involved in massive botnet spamming with hosting on hacked servers and Eastern European hosters.
- Yair Shalev / Kobeni Solutions - United States. High volume snowshoe spammer from Florida, (former?) partner-in-spam of ROKSO spammer Darrin Wohl. Son-in-law of ROKSO listed spammer Dan Abramovich. Sued by FTC in 2014 due to fraud.
- Yambo Financials - Ukraine. Huge spamhaus tied into distribution and billing for child, animal, and incest-porn, pirated software, and pharmaceuticals. Run their own merchant services (credit-card "collection" sites) set up as a fake "bank."
- Mike Boehm and Associates - United States. Snowshoe spam organization that uses large numbers of inexpensive, automated VPS hosting IPs and domains in whatever TLD is currently cheapest to send high volumes of spam to extremely dirty, scraped lists. Operates under many business and individual names.
- Michael Persaud - United States. Long time snowshoe type spammer.
- Michael Lindsay - United States. Lindsay's iMedia Networks is a full-fledged spam-hosting operation serving bulletproof hosting at high premiums to well known ROKSO-listed spammers. His customers spam via botnet zombies with spam payloads hosted offshore, tunneled back to his servers. He and the gang have been hijacking (stealing) IP address space from companies for years to spam from. Illegal in the USA.
- Jagger Babuin / BHSI - Canada. Romanian spammer now living in Vancouver BC. Also known as the "Dr Oz" spammer.
- First Place SEO & financial fraud spam gang - United States. Seem to be either Northern New Jersey or San Diego, California based scammers. They rent endless numbers of servers and buy endless domains to then pump out "SEO", search-engine-rankings and financial fraud scam spams.
- Josh Henderson or Nicholson - bulletproofvps.com - Canada. Offshore Bulletproof Hosting is his thing.
Top 10 countries that produce and export spam, in order of significance:- United States, China, Russian Federation, Ukraine, Japan, United Kingdom, India, Germany, Brazil, Turkey
-
Re:SPF, DKIM, and DMARC
It also doesn't provide a graph of spam rate over time. Just three pie charts showing changes over the last three months.
Agreed, remarkably short of information. Usually their reports are accompanied by press releases, and marketing. I wonder what's different this time.
Note that while Symantec uses figures from their email scanning products - it doesn't correspond with figures from larger monitors e.g.
Senderbase - which shows a slight increase of 234.53 billion av.pd (85.93% of global traffic) for the last 12 months, against 222.88 billion av. pd (86.00% of global traffic) for the last 6 months, and 187.14 billion av. pd (86.41% of global traffic) for the last month (nowhere near half).
Securelist 3rd qtr 2014 (note the drop during that period), and 1st qtr. 2015
Backgrounds for dartboards - the main offenders
I also wonder whether any reduction in email spam has just resulted in more spam via SMS and "social" networks (as well as mailing lists).
-
Re:No filter is truly effective
If you want to make a difference on spam, you need to go after the only thing spammers care about - money. The most effective tactics ever used against spam have been the ones that prevented spammers from getting paid, nothing else.
Sending them to PMITA prison would also be effective.
Wrong. That has been tried before. In fact one of the world's all-time top spammers is sitting in a prison in Russia (Leo Kuvayev, aka "BadCow", aka "Alex Rodrigez") (on kiddie porn and child abuse, not spamming, charges) right now and it did not move the needle on spam volume.
As would feeding them into a woodchipper.
Don't be stupid. Just because it makes you feel better doesn't mean it helps the problem. I'm surprised you posted AC, though, as murdering spammers is generally a very popular proposal here on slashdot.
-
Re:Great!
Keep trying http://www.spamhaus.org/statis...
-
Re:Whats the big deal ?
Wrong.
The United States is the worst spammer and Indonesia is the worst cyber-attacker.
-
Have you tried spamhaus?
Check here:
I've operated my own mail server on a VPS for years. Rackspace voluntarily lists their IP spaces to prevent spammers from just buying a vps for a few hrs, sending out spam and then trashing it. Occasionally I need to remove my IP from the blacklist.
-
... and other services
Like assisting cyber criminals: http://www.spamhaus.org/sbl/li...
-
Re:Hmmmm
Well, there are lists of ranges known to be used by malware, etc. such as this: http://www.spamhaus.org/drop/ - it's not that it's a list of *all* ranges used for those things, just that these ranges are known *only* to be used for those things and so can safely be blocked outright.
Most of the rest of it comes from random compromised residential machines or hosted boxes and so is hard to block other than when you find a really shitty host like Nobis/Ubiquity who just don't care about shutting down compromised machines on their networks.
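The DROP list mentioned above is published as plain text (comment lines start with ";", entries are "CIDR ; SBLnnn"), which makes it easy to turn into firewall rules but also easy to mis-parse. The following is an added example (not code from any commenter or from Spamhaus) that parses a constructed DROP-format sample, refuses malformed or absurdly broad entries so one corrupt line cannot blackhole the world, merges adjacent ranges and emits nftables set elements; the SBL numbers are placeholders, the minimum prefix lengths are this example's own choice, and the nft output assumes an existing `inet filter` table with `input` and `output` chains.

```python
"""Parse a Spamhaus DROP-format list into nftables rules (added example)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class DropEntry(NamedTuple):
    network: Network
    sbl_ref: str  # the SBL case the range was listed under


# Constructed sample in DROP format; the SBL numbers are placeholders, not real cases.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample)
; Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.0/25 ; SBL000003
203.0.113.128/25 ; SBL000004
2001:db8:bad::/48 ; SBL000005
0.0.0.0/0 ; SBL000006
this is not a cidr ; SBL000007
"""

# Guard rail chosen for this example: DROP never lists anything this broad,
# so a broader entry is far more likely to be corruption than a real listing.
MIN_PREFIX = {4: 8, 6: 19}


def parse_drop(text: str) -> Tuple[List[DropEntry], List[str]]:
    """Return (accepted entries, rejected raw lines)."""
    entries: List[DropEntry] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # header / comment
        cidr, sep, ref = (part.strip() for part in line.partition(";"))
        if not sep or not ref.startswith("SBL"):
            rejected.append(raw)  # every real entry carries its SBL reference
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits set => reject
        except ValueError:
            rejected.append(raw)
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append(raw)
            continue
        entries.append(DropEntry(net, ref))
    return entries, rejected


def collapse(entries: List[DropEntry]) -> List[Network]:
    """Merge adjacent/overlapping ranges; collapse_addresses needs one family at a time."""
    v4 = [e.network for e in entries if e.network.version == 4]
    v6 = [e.network for e in entries if e.network.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def nft_rules(nets: List[Network], table: str = "inet filter",
              set_name: str = "spamhaus_drop") -> List[str]:
    """nft script lines: interval sets plus drop rules in both directions."""
    lines: List[str] = []
    for version, typ in ((4, "ipv4_addr"), (6, "ipv6_addr")):
        members = [str(n) for n in nets if n.version == version]
        if not members:
            continue
        name = f"{set_name}_v{version}"
        proto = "ip" if version == 4 else "ip6"
        lines.append(f"add set {table} {name} {{ type {typ}; flags interval; }}")
        lines.append(f"add element {table} {name} {{ {', '.join(members)} }}")
        lines.append(f"add rule {table} input {proto} saddr @{name} drop")
        lines.append(f"add rule {table} output {proto} daddr @{name} drop")
    return lines


def is_dropped(ip: str, nets: List[Network]) -> Optional[str]:
    """Return the covering DROP range for ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    accepted, bad = parse_drop(SAMPLE_DROP)
    merged = collapse(accepted)
    print("rejected lines:", bad)
    print("\n".join(nft_rules(merged)))
    print("203.0.113.200 ->", is_dropped("203.0.113.200", merged))
```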
-
Re:Running your own server
Is it really now? Why do the Full Disclosure mailing list messages periodically end up in my spam folder? I clearly have hundreds of them in my inbox, yet a percentage of them end up in spam.
I think the spam filtering effectiveness comes down to one basic reason: Spamhaus
-
Re:Russia/USA is NOT the problem
-
Re:Government morons - just fix the problem
I blocked the US and it worked even better.
-
Re:Hangin's too good for him
Oh for fuck's sake.
I wasn't attacking Spamhaus. I think they are great.
I was bemoaning the perfect storm that got me blocked for 3 days because of the block and DDOS.
We were blocked for XBL. Not SBL or CSS. It REALLY was because a machine was observed talking to a botnet C&C server.
But it took me days to find out it was XBL and not because of spamming. I spent those days thinking it was because of spamming, wasting time chasing smtp ports and poring over captured traffic for clues of spamming.
Is it not a little scary that under DDOS the functions that get you blocked work fine, but the functions that tell you why do not? Like a car whose failure mode is full throttle.
-
Re:Hangin's too good for him
zen.spamhaus.org replaces sbl-xbl.spamhaus.org in most configurations. If you are currently using sbl-xbl.spamhaus.org you should replace sbl-xbl.spamhaus.org with zen.spamhaus.org.
-
Re:Hangin's too good for him
An infected machine being seen talking to a botnet is enough to get you on the XBL.
We were blocked for THAT. Not for any spamming. We DO block all port 25 except from the SMTP servers.
Maybe instead of being an insulting douche, know what the fuck you are talking about.
http://www.spamhaus.org/faq/section/Spamhaus%20XBL#37
It turned out to be an infected machine on a WIFI AP. I learned to send the WIFI traffic out a separate WAN interface so its problems didn't affect my smtp outbound IP.
-
Re:Hangin's too good for him
Uhm... http://www.spamhaus.org/lookup/ If you're in the XBL, it'll tell you which list comprising the XBL you're in. Usually that means the CBL, which has a fairly instant delist process for listings, unless the problem keeps coming back.
-
Re:hmmm
STOPhaus is run by a known repeat spammer that is currently listed in the ROKSO named Andrew Stephens. I wouldn't put too much credence in anything on that site.
-
Re:A more detailed proposal ...
Excellent idea.
You have described the XBL.
The Spamhaus XBL, or "Exploits Block List", is a DNSBL (DNS-served blacklist) that lists IP addresses of systems known to be infected or otherwise being used by malicious parties. ("The XBL is an automatic system whose detectors need to receive email (spam, worms, etc.) directly from the IP address so the connection data can be analysed to determine if it's a proxy or virus-spewer.") The blacklist is developed in a way primarily to be useful in reporting systems exploited to send spam, but the idea is exactly what you're referring to.
-
Re:Certainly has a legitimate track record
And you come from which shithole country?
-
Re:Sounds like
This would not add the proxy servers listed in the email to the DBL. Blocklists are created by logging the source of the spam, not by searching through the text of the spam for possible domains then listing those domains as spammers (although such content filters are useful for identifying messages as spam)
This is wrong. Spamhaus maintain four blocklists (and an aggregate blocklist) and the DBL is exactly as the grandparent described. It blocks the domains that are found in the content of spam messages. Not the IP addresses of the domains... the actual domains. A normal lookup for an IP address at a blocklist looks like this:
dig 1.0.0.127.sbl.spamhaus.org
A lookup at the DBL looks like this:
dig com.example.www.dbl.spamhaus.org
Feel free to go and look at the actual page for the DBL which was linked in the summary.
This is part of the problem with the DBL: if someone forwards your email containing your domain to a spamtrap address, your domain gets blocked. In fact, if someone just sends out a bunch of spam that contains your domain, even if the domain is not being used for the spam in any way, then it ends up on the DBL. It has a high true positive rate but it also has a high false positive rate and anyone using it as the sole reason for making a decision is poorly informed or an idiot.
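The two lookup shapes in this comment, and the days lost in the "Hangin's too good for him" thread above working out whether a listing was XBL or SBL, both come down to building the right query name and reading the 127.x.x.x answer. The following is an added example, not code from any commenter or from Spamhaus: it builds Zen (IP, octets reversed) and DBL (domain, natural order) query names and decodes the publicly documented return codes, treating the 127.255.255.x refusal codes (for instance a query sent through a public resolver) as errors rather than listings. The resolver is pluggable so the module runs offline; `system_resolve` is this example's own thin wrapper over the system resolver.

```python
"""Build Spamhaus DNSBL query names and decode the answers (added example)."""
import socket
from ipaddress import ip_address
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]  # DNSBL name -> A records ([] means not listed)

# Zen (sbl+xbl+pbl) answers: one A record per list the address appears on.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

# DBL answers live in 127.0.1.0/24.
DBL_CODES: Dict[str, str] = {
    "127.0.1.2": "DBL spam domain",
    "127.0.1.4": "DBL phish domain",
    "127.0.1.5": "DBL malware domain",
    "127.0.1.6": "DBL botnet C&C domain",
}

# These answers mean the query was refused or malformed, not that the target is
# listed. A filter that treats them as listings starts rejecting legitimate mail.
ERROR_CODES: Dict[str, str] = {
    "127.0.1.255": "IP address sent to the DBL (domains only)",
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def ip_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """203.0.113.7 -> 7.113.0.203.zen.spamhaus.org; IPv6 uses nibble-reversed form."""
    rev = ip_address(ip).reverse_pointer       # e.g. '7.113.0.203.in-addr.arpa'
    labels = rev.rsplit(".", 2)[0]             # drop 'in-addr.arpa' / 'ip6.arpa'
    return f"{labels}.{zone}"


def domain_query_name(domain: str, zone: str = "dbl.spamhaus.org") -> str:
    """DBL lookups use the domain in its natural order, lower-cased."""
    return f"{domain.strip().rstrip('.').lower()}.{zone}"


def classify(answers: Iterable[str]) -> Dict[str, object]:
    """Map DNSBL A records to list names; unknown codes become errors, not listings."""
    lists: List[str] = []
    errors: List[str] = []
    for a in answers:
        if a in ERROR_CODES:
            errors.append(ERROR_CODES[a])
        elif a in ZEN_CODES or a in DBL_CODES:
            name = ZEN_CODES.get(a) or DBL_CODES[a]
            if name not in lists:                # 127.0.0.4..7 all collapse to XBL
                lists.append(name)
        else:
            errors.append(f"unknown return code {a}")
    return {"listed": bool(lists), "lists": lists, "error": "; ".join(errors) or None}


def system_resolve(name: str) -> List[str]:
    """System resolver wrapper; NXDOMAIN (not listed) becomes an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(target: str, resolve: Resolver = system_resolve) -> Dict[str, object]:
    """Query Zen for an IP address, or the DBL for anything that is not one."""
    try:
        ip_address(target)
        name = ip_query_name(target)
    except ValueError:
        name = domain_query_name(target)
    result = classify(resolve(name))
    result["query"] = name
    return result


if __name__ == "__main__":
    # Constructed answers standing in for a DNS server so the demo runs offline;
    # pass system_resolve instead to ask Spamhaus for real.
    canned = {
        ip_query_name("203.0.113.7"): ["127.0.0.4", "127.0.0.11"],   # XBL + PBL
        domain_query_name("bad.example"): ["127.0.1.2"],             # DBL spam domain
        ip_query_name("198.51.100.9"): ["127.255.255.254"],          # refused, not listed
    }
    for target in ("203.0.113.7", "bad.example", "198.51.100.9", "192.0.2.1"):
        print(target, lookup(target, lambda n: canned.get(n, [])))
```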
-
Don't need to be a coder
You missed the point, I think. One, THIS lawsuit targets DRM, but I said 'copyright, trademark, and patent' - there's many avenues where Notch (if he wasn't a nice guy) could target something like minetest - you wouldn't need to be a coder for the game at all. Companies that merely use open source software have been sued for copyright infringement.
And you don't even need to reside in the United States to find yourself being sued in a Texan court over this stuff. Just ask Spamhaus.
As for Notch, well, he's living the American dream. I'm not going to grudge him his success, though yeah, at this point paying to have minecraft done in something other than Java would be good. He wasn't expecting to make millions from the game, and he coded in what he knew (at the time).
-
Re:Spam
USA != The Internet, but sure, USA by itself is the source of almost as much spam as the other 9 top countries combined.
-
Re:There's no "Stopping" Just "Annoying back"
Give a list of their IPs and contact information to Spamhaus http://www.spamhaus.org/. If it's bad enough they will hold the ISP's IPs hostage until they get rid of the customer. If they decide not to stop, they could contend for a spot on their "ROKSO". It still won't stop them, but it will at least cost them time and money to get new servers and IPs. Also send samples of the emails you receive to their ISP's abuse department. If nothing else you'll make them unhappy for a while.
Instead of using their personal email addresses to sign up for spam, just use spam-trap emails to sign up for their own crap. If that doesn't put them on the radar, you could always resort to weeping in a dark corner somewhere.
They will always find some new way to send junk, and spamhaus doesn't usually affect the "big" email providers, they just scare ISPs into kicking people off their network.
-
Re:Good.
>Backscatter
You get a backscatter problem when you send indiscriminate emails to addresses that do not exist with forged "from" headers. Because the bounces go not to you, but to random unaffiliated ISPs. That's the definition of backscatter.
Goddamn proof that you are a spammer or you sold to spammers. By your own words.
Read this. This is Steve Linford's reply to all this.
http://www.spamhaus.org/news.lasso?article=673
Notice that it's entirely reasonable and that my original assumption that the Dutch ISP was catering to crime was spot on.
>dutch host affiliated with RBN
Yeah. Nice guys.
By the by, I have 642 spams over the last 2 days in my spam folder just for one account. Without the filtering based on Steve Linford's hard work and the hard work of others, my email would be useless.
I have a reason to be pissed at spammers.
--
BMO
-
Re:Good.
Spamhaus is a voluntary service. Here is a good one http://www.spamhaus.org/drop/ .
Nobody has EVER been forced to use Spamhaus and unless a law is passed that makes it mandatory to use them, they will always be 100% voluntary. A lot of people choose to use Spamhaus because they are the best around.
-
Re:I rather doubt the ISPs claims.
If I understand correctly, Spamhaus doesn't list ISPs as spammers. From http://www.spamhaus.org/news.lasso?article=673: "The SBL lists 4 categories of abuse: spam sources, spam hosts, spam services and spam support services." and A2B was listed as a spam support service, not a spam source or spam host. I expect that ISPs can choose to use that information to not block them but only the direct spammers.
Of course if you want to discourage spam on the internet, you also want to discourage people from accepting spammers as customers. That's probably what the "spam support service" category is for.
-
You still get spam?
Use a Debian spam filter with zen.spamhaus.org as the RBL and things will be nice and quiet.
-
Re:People with unreliable ISP-provided email
It's my case, I'm blocked by Spamhaus' PBL.
-
Re:Better Internet for Everybody
-
Re:Spam action doesn't get less useful
Spammers don't give a shit about US laws because most of them don't live or operate here anyways.
10 worst spam havens. Currently the US in first place is almost 3 times as bad as second place China. Even worse, a lot of the spam coming out of China is sent on behalf of spammers residing in the US.
-
Your options are...
Co-locate a server in a data center, lease a server from a data center, get a business class internet account, etc etc. Here is one of several free Real-time Block Lists (RBLs) that block all email coming from residential ISPs: http://www.spamhaus.org/pbl/
-
Re:100 for a penny?
Many home addresses have dynamic IPs, which are banned by Spamhaus' PBL. I know it, because I've had some emails bouncing because of it. I'm now looking for a cheap MTA I can use, since my ISP doesn't provide any service for home users.
-
Not just domestic!
I have sued foreign spammers.
In 2003, I sued Global Web Promotions for their penis pill enlargement spam. Though Global Web was in Australia, they solicited business from California and caused harm in California.
See Snowney V. Harrah's Entertainment, Inc., 35 Cal. 4th 1054 (2005) (Solicitation of California Residents) , Calder v. Jones, 465 US 783(1984) (Harm directed to California)
I am currently suing a porn organization, the third time, operated by David Szpak and Emmanuel Gurtler for illegal spamming. (See http://barbieslapp.com/spam/axscharge/axscharge.htm) The main companies are all located off-shore, the US companies were mere shells for the offshore companies. These guys hired Yambo (See http://www.spamhaus.org/rokso/listing.lasso?file=880) to send spam for them. They created two new companies, just after I sued them the first time, but they claimed it was not to avoid my lawsuit but to avoid the Visa anti-fraud/chargeback detection mechanisms.
-
This site links to wikileaks.info
Wikileaks user profile contains news tidbits that link to wikileaks.org and are redirected to wikileaks.info, a site Spamhaus recently wrote about. I'll wait and see until I have some evidence that the money sent through this account does really reach Wikileaks and not some clever Russian.
-
Re:Wikileaks.info response posted MORE UPDATES
http://www.spamhaus.org/news.lasso?article=665
Update 18 December ***Incorrect data redacted***
[See newer information on DDoS in update below]
A DDoS attack was launched on www.spamhaus.org today in retaliation for us warning Internet users about the Russian-German cyber criminals behind the Wikileaks mirror wikileaks.info.
Spamhaus is currently under a 2.1Gbps DDoS attack which began at 05:20 CET. As we are used to DDoS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.
By no coincidence, the 'AnonOps' DDoS group irc.anonops.net is also hosted by the same Heihachi Russian-German cybercrime gang in the same CIDR as wikileaks.info:
wikileaks.info = 92.241.190.202
irc.anonops.net = 92.241.190.94
In addition to the LOIC and *OIC tools issued to dimwitted script kiddies to DDoS "enemies of Anon" with, AnonOps appears to be now escalating its DDoS attacks using dedicated criminal botnets (botnets of illegally hijacked PCs), and now appears to be directing DDoS attacks not at "enemies of Wikileaks" but at "enemies of our criminal bosses".
There is palpable irony in a DDoS being used to prevent exposure of a probably-false Wikileaks mirror that could potentially harm Wikileaks and Wikileaks readers. We hope that AnonOps supporters appreciate the irony as much as we do.
Update 19 December
We have been analyzing the traffic patterns of the attempted DDoS attack against Spamhaus that started yesterday. We are seeing that it is made up of UDP and Syn flood type packets. This is not the profile of DDoS traffic from the LOIC and other *OIC tools issued to script kiddies to DDoS "enemies of Anon" with. In fact, at some semi-private forums, the AnonOps members have denied the DDoS and have stated how much they hate spam and would not attack Spamhaus. It would seem some actually read and understood what our warning message was about. Rumors are that they have also distanced themselves from members who were promoting the use of botnets to attack sites.
This now looks far more likely to be the work of people running, or hosting at, Webalta or the Heihachi cybercrime group. Possibly angered with the attention this wikileaks.info article brought to their dirty section of the internet. When one hosts spam servers, malware, Zeus and other botnet command and control (C&C) servers, bank phish sites and "backends", child exploitation sites and other badness, keeping off-the-radar is a must. Perhaps Russian authorities are now looking closer at this Webalta and its datacenter, as Russian citizens and banks are often the target of the people running systems there.
As we do when hit by these attacks, Spamhaus is working with both network experts and law-enforcement agencies to find and shut down the botnet used for the DDoS and to try and track who may be behind it.
-
Re:Wikileaks.info response posted
http://www.spamhaus.org/news.lasso?article=665
Update 15 December
In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of {your} business" and called on people to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies".
None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.
Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirrors sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.
Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian and German malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it.
Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks" we're saying "Use the wikileaks.ch server instead".
Update 18 December
A DDOS attack was launched on www.spamhaus.org today in retaliation for us warning Internet users about the Russian-German cyber criminals behind the Wikileaks mirror wikileaks.info.
Spamhaus is currently under a 2.1Gbps DDOS attack which began at 05:20 CET. As we are used to DDOS attacks from cybercriminals our anti-ddos defences are holding and our web servers are still operating, a little slower than normal.
By no coincidence, the 'AnonOps' DDOS group irc.anonops.net is also hosted by the same Heihachi Russian-German cybercrime gang in the same CIDR as wikileaks.info:
wikileaks.info = 92.241.190.202
irc.anonops.net = 92.241.190.94
In addition to the LOIC and *OIC tools issued to dimwitted script kiddies to DDOS "enemies of Anon" with, AnonOps appears to be now escalating its DDOS attacks using dedicated criminal botnets (botnets of illegally hijacked PCs), and now appears to be directing DDOS attacks not at "enemies of Wikileaks" but at "enemies of our criminal bosses".
There is palpable irony in a DDOS being used to prevent exposure of a probably-false Wikileaks mirror that could potentially harm Wikileaks and Wikileaks readers. We hope that AnonOps supporters appreciate the irony as much as we do.
-
Wikileaks.info response posted
http://wikileaks.info/press/spamhaus-false-allegations-against-wikileaks.html
Spamhaus' False Allegations Against wikileaks.info
Published 15-Dec-2010, 8:00 AM GMT
On Tuesday, 14-Dec-2010 Spamhaus has issued a statement wherein it labels wikileaks.info as "unsafe", as they consider our hosting company as a malware facilitator:
http://www.spamhaus.org/news.lasso?article=665
We find it very disturbing that Spamhaus labels a site as dangerous without even checking if there is any malware on it. We monitor the wikileaks.info site and we can guarantee that there is no malware on it. We do not know who else is hosted with Heihachi Ltd and it is none of our business. They provide reliable hosting to us. That's it.
While we are in favour of "Blacklists", be it for mail servers or web sites, they have to be compiled with care. Just listing whole IP blocks as "bad" may be quick and easy for the blacklist editors, but will harm hosters and web site users.
Wikileaks has been pulled from big hosters like Amazon. That's why we are using a "bulletproof" hoster that does not just kick a site when it gets a letter from government or a big company. Our hoster is giving home to many political sites like castor-schottern.org and should not be blocked just because they might have hosted some malware sites.
Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser, for example), don't list us. We do hope that Spamhaus hasn't issued this statement due to political pressure.
Wikileaks.info will always be safe and clean. Promised:
Google Safe Browsing Check for wikileaks.info
Update (15-Dec-2010 17:00 PM GMT): Spamhaus has updated their statement to say that they don't blacklist us.
The wikileaks.info Team