Monday, June 18, 2007

Zombies on the attack

spamnation.info is getting hit with another distributed denial of service (DDoS) attack. This is the latest in a series of attacks launched against prominent anti-spam sites. Other sites hit by earlier waves included Spamhaus, SURBL and URIBL.

The attack is much larger than the attack against spamnation.info earlier this year. I just counted more than 1200 attacking clients. As in the previous attack, the attacking botnet is believed to have been created by the Storm Worm malware (also known as Zhelatin), which is thought to be distributed and used by a Russian spam gang.

There are rumors that the Zhelatin gang are acting not as principals but as paid 'muscle' for a third party in these attacks. The Zhelatin gang build the botnets and sell time on them - for spam, for DDoS attacks, hosting and other purposes - but the actual decision to commission a DDoS is made by someone else, presumably someone whose business is being hurt by the activities of anti-spammers.

Wednesday, May 9, 2007

Feeds Burnt

I've created some Feedburner feeds for the main RSS feeds at spamnation.info.

Obviously, if the site is totally dead, these won't help you much. However, Feedburner does cache feed data, which (a) reduces the load on Spamnation, and (b) gives you a small chance of seeing some recent feed data even when the site itself is unreachable.

The feeds are at:

Slowburn

The 'spamnation.info' site is currently unusably slow. We're trying to determine if it's another DDoS attack, or something more mundane.

If the site ever comes back enough for me to get to the RSS feeds, I'll try to set up some Feedburner feeds, in the hope of getting some information out that way.

In the meantime, if you're interested in stock spam you might like to look at Qwoter.com's stock spam report, which supplements our data with additional information, including their own 'spam rating'.

Sunday, January 21, 2007

Back

spamnation.info is back up again.

It's running a little slowly (probably because our new-found friends haven't forgotten us, and are still eagerly trying to get in) and I still need to sweep up some of the broken glass and scatter sawdust around. However, it's there.

It's possible that it won't stay up. It's very hard to defend against a determined denial-of-service attack, and if the attackers really want it down, they may step up their efforts to the point where our defences are overwhelmed. If that happens, it happens. Let me just say that I think they will find that it isn't in their interests to do that.

The fact that the site is back at all is thanks to the generosity of a number of people who came forward to help out. I won't name them here, but they know who they are and they know how much they did to make this possible.

So, a big thank-you to them, and a big thank-you to all of you who came to this blog and wrote messages of support. Let us know what we can do to make the site better, and remember to tell your friends and family the golden rule: Don't buy from spammers.

Friday, January 19, 2007

One step at a time

The DDoS attack against spamnation.info is continuing, but the holding page is at least visible, thanks to mitigation measures deployed by the site's new host. At the moment, I'm seeing about 1200-1800 simultaneous connections to the site; at one point I counted more than 24,000 connections.

The domain is currently redirecting to this blog, but that will change soon, at which point you'll be able to enjoy an informative holding page which ... suggests you visit this blog. With a little luck, I'll be able to get something rather more useful up there in the next few days and if the mitigation holds up, we'll be back in business.

Thursday, January 18, 2007

Some people just don't give up

As an experiment, I tried rolling 'spamnation.info' over to a new location today.

The botnet that has been assigned to DDoS the site is obviously still locked on target, because the host is getting massively hit and the site is effectively unreachable.

This is a setback, but probably not a permanent one. There are always alternatives.

Incidentally, it occurs to me that this would be a great way to map a botnet. If there are any ISPs out there who'd like to know which of their customer machines are compromised, I can give them a pretty good list. telia.com and wanadoo.nl, are you listening?

And if the botnet operator running the attack is reading this, like the man says in the song:

Send a message to your masters,
Tell them "Nothing's over yet."
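The mapping idea above (listing the attacking clients per ISP, so each provider can see which of its customer machines are compromised), as an added example that is not part of the original post. It assumes a Common Log Format access log and reverse-DNS answers that have already been looked up; the sample data, function names and request threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: Common Log Format lines with documentation-range IPs.
SAMPLE_LOG = [
    f'{ip} - - [18/Jan/2007:10:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
    for sec, ip in enumerate(
        ["192.0.2.10", "192.0.2.11", "198.51.100.7", "203.0.113.9"] * 3
        + ["203.0.113.5"])  # one ordinary visitor with a single request
] + ["-- truncated line --"]  # malformed entry that must be skipped

# Constructed reverse-DNS answers; 203.0.113.9 has no PTR record.
SAMPLE_RDNS = {
    "192.0.2.10": "dsl-10.pool.isp-a.example",
    "192.0.2.11": "dsl-11.pool.isp-a.example",
    "198.51.100.7": "cable7.isp-b.example",
}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "')

def request_counts(lines):
    """Count requests per client IP, ignoring lines that do not parse."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # first field was not an IP address
    return counts

def suspected_clients(counts, threshold):
    """Clients at or above the request threshold (an assumed cut-off)."""
    hits = [ip for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=ipaddress.ip_address)

def isp_of(hostname):
    """Naive ISP key: last two DNS labels (wrong for suffixes like co.uk)."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])

def group_by_isp(ips, rdns):
    """Group client IPs by ISP domain so each provider gets its own list."""
    report = defaultdict(list)
    for ip in ips:
        host = rdns.get(ip)
        report[isp_of(host) if host else "unresolved"].append(ip)
    return dict(report)
```

Addresses with no reverse DNS land under "unresolved" and would need a whois or ASN lookup before they can be reported to anyone.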

Monday, January 15, 2007

Today in spam

spamnation.info is inching back towards life, thanks in large part to the kindness of strangers. It's not quite back on its feet yet, but I hope to have it back bigger and better than ever before you can say "Hot Schoolgirl Sluts selling V!@gr@ to homeowners in new online casino LOTTERY". Or something like that.

Meanwhile - as I'm sure you've noticed - the tide of spam continues unabated. The ever-popular CBFE.PK - a perennial favorite on the spammed stocks chart - is getting still more airplay and this time the spammers have decided to accompany the shaky 'OCR-proof' graphic with an animated display of some of the ugliest emoticons I have ever seen and a photograph of some fingers holding a pen. I'm not quite sure what the reasoning is behind this odd combination, but at least it's easy to filter, thanks to the presence of recurring strings such as "Signing Pen" and "IncrdiXML". You know what you have to do.

Robert Soloway has a couple of new domains, the not-exactly-catchy 'emailbroadcastingcompany.com' and the intimidating 'emailbroadcastauthority.com', which you will also want to add to any keyword filters you manage. If past experience is any guide, you'll be seeing a lot more of those. Soloway has also taken to adding the strings "INVOICE" and "$15.00" to his spams, apparently in an attempt to trick the weak-minded into thinking that this is something they have to pay. Word on the street is that Domain Registry of America are considering legal action against him for violation of their patent.

Just kidding.

Other spammers are urging us all to "Defy agilnlg with H-G-H", which would be easier if I knew who Agilnlg was. He doesn't sound like a very nice person anyway, so go ahead and defy him if you happen to meet him. The "russsian chummy bitches" sound friendlier and perhaps more fun to hang around with. In other news, their store is my cureall, 65% of members got laid, I have won even more lotteries and several more people want to be my whore. Or possibly just one, but to judge from the number of messages she's sent, she's pretty serious about it. But I'm not falling for that: I know she only wants me for my money or, strictly speaking, for the money that my dear friend, Mr Frank Jim, manager in a Bank, is going to send me. Sorry, "Sylvia Maxwell" - or should I say "Chandra Ritter"? - I know what you're really after.

The most disturbing thing about the "I want to be your whore" spams, incidentally, is that they're using fragments of "The Hobbit" as hashbuster text. Somehow I find the combination of hairy-footed hobbits and invitations to hot illicit sex just a little disturbing. I think I speak for all of us ... well, most of us anyway ... when I say "Ewwww".