Sunday, January 21, 2007

Back

spamnation.info is back up again.

It's running a little slowly (probably because our new-found friends haven't forgotten us, and are still eagerly trying to get in) and I still need to sweep up some of the broken glass and scatter sawdust around. However, it's there.

It's possible that it won't stay up. It's very hard to defend against a determined denial-of-service attack, and if the attackers really want it down, they may step up their efforts to the point where our defences are overwhelmed. If that happens, it happens. Let me just say that I think they will find that it isn't in their interests to do that.

The fact that the site is back at all is thanks to the generosity of a number of people who came forward to help out. I won't name them here, but they know who they are and they know how much they did to make this possible.

So, a big thank-you to them, and a big thank-you to all of you who came to this blog and wrote messages of support. Let us know what we can do to make the site better, and remember to tell your friends and family the golden rule: Don't buy from spammers.

Friday, January 19, 2007

One step at a time

The DDoS attack against spamnation.info is continuing, but the holding page is at least visible, thanks to mitigation measures deployed by the site's new host. At the moment, I'm seeing about 1200-1800 simultaneous connections to the site; at one point I counted more than 24,000 connections.

The domain is currently redirecting to this blog, but that will change soon, at which point you'll be able to enjoy an informative holding page which ... suggests you visit this blog. With a little luck, I'll be able to get something rather more useful up there in the next few days and if the mitigation holds up, we'll be back in business.

Thursday, January 18, 2007

Some people just don't give up

As an experiment, I tried rolling 'spamnation.info' over to a new location today.

The botnet that has been assigned to DDoS the site is obviously still locked on target, because the host is getting massively hit and the site is effectively unreachable.

This is a setback, but probably not a permanent one. There are always alternatives.

Incidentally, it occurs to me that this would be a great way to map a botnet. If there are any ISPs out there who'd like to know which of their customer machines are compromised, I can give them a pretty good list. telia.com and wanadoo.nl, are you listening?

And if the botnet operator running the attack is reading this, like the man says in the song:

Send a message to your masters,
Tell them "Nothing's over yet."

Monday, January 15, 2007

Today in spam

spamnation.info is inching back towards life, thanks in large part to the kindness of strangers. It's not quite back on its feet yet, but I hope to have it back bigger and better than ever before you can say "Hot Schoolgirl Sluts selling V!@gr@ to homeowners in new online casino LOTTERY". Or something like that.

Meanwhile - as I'm sure you've noticed - the tide of spam continues unabated. The ever-popular CBFE.PK - a perennial favorite on the spammed stocks chart - is getting still more airplay and this time the spammers have decided to accompany the shaky 'OCR-proof' graphic with an animated display of some of the ugliest emoticons I have ever seen and a photograph of some fingers holding a pen. I'm not quite sure what the reasoning is behind this odd combination, but at least it's easy to filter, thanks to the presence of recurring strings such as "Signing Pen" and "IncrdiXML". You know what you have to do.

Robert Soloway has a couple of new domains, the not-exactly-catchy 'emailbroadcastingcompany.com' and the intimidating 'emailbroadcastauthority.com', which you will also want to add to any keyword filters you manage. If past experience is any guide, you'll be seeing a lot more of those. Soloway has also taken to adding the strings "INVOICE" and "$15.00" to his spams, apparently in an attempt to trick the weak-minded into thinking that this is something they have to pay. Word on the street is that Domain Registry of America are considering legal action against him for violation of their patent.

Just kidding.

Other spammers are urging us all to "Defy agilnlg with H-G-H", which would be easier if I knew who Agilnlg was. He doesn't sound like a very nice person anyway, so go ahead and defy him if you happen to meet him. The "russsian chummy bitches" sound friendlier and perhaps more fun to hang around with. In other news, their store is my cureall, 65% of members got laid, I have won even more lotteries and several more people want to be my whore. Or possibly just one, but to judge from the number of messages she's sent, she's pretty serious about it. But I'm not falling for that: I know she only wants me for my money or, strictly speaking, for the money that my dear friend, Mr Frank Jim, manager in a Bank, is going to send me. Sorry, "Sylvia Maxwell" - or should I say "Chandra Ritter"? - I know what you're really after.

The most disturbing thing about the "I want to be your whore" spams, incidentally, is that they're using fragments of "The Hobbit" as hashbuster text. Somehow I find the combination of hairy-footed hobbits and invitations to hot illicit sex just a little disturbing. I think I speak for all of us ... well, most of us anyway ... when I say "Ewwww".

Saturday, January 13, 2007

It's not just you

I've now heard about three other anti-spam sites that were taken down by DDoS attacks yesterday. It seems that this was a coordinated attempt to sweep anti-spam projects off the Internet.

This shouldn't really come as a surprise. Back when Pharmamaster and Blue Security were fighting it out - Pharmamaster won - I wrote a post on spamnation.info that said:

Pharmamaster and his friends have shown their strength and demonstrated how far they are prepared to go to protect their spam business. Any other anti-spam initiative that seems to be effective could just as easily be next.


It's no fun to be right all the time.

Friday, January 12, 2007

The DDoS Diaries

My (otherwise wonderful) girlfriend has one habit that drives me to distraction. From time to time she will say, in a thoughtful tone of voice, "So ...". I stop thinking about whatever I was thinking about and start paying attention, waiting for her to go on.

Nothing. Silence. She just leaves her "So ..." hanging there in mid-air.

You can do that to computers too. It forms the basis of a kind of attack known as a SYN flood attack, which is one variety of distributed denial of service (DDoS) attack. The attacking computers send a SYN(chronize) signal to the target, which responds with the computer equivalent of "Uh-huh" and waits for a reply to complete the connection. The reply never comes. Instead, the attacker sends more SYN signals. Or 'attackers', because there are usually very many of them. If enough attacking machines hit the target together, the target will almost inevitably go down.
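From the target's side, those unanswered "Uh-huh"s show up as connections stuck in the SYN_RECV state. The following is an added example, not code from the original post: it counts half-open versus completed connections in `netstat -ant`-style output. The sample lines, the `summarize` function and the alert ratio are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the column layout of Linux `netstat -ant`
# (Proto Recv-Q Send-Q Local Foreign State). Addresses come from
# documentation ranges, not from the attack described in the post.
SAMPLE = """\
tcp 0 0 192.0.2.10:80 198.51.100.7:41022 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.7:41023 SYN_RECV
tcp 0 0 192.0.2.10:80 198.51.100.9:50311 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.44:33100 SYN_RECV
tcp 0 0 192.0.2.10:80 203.0.113.5:51515 ESTABLISHED
tcp 0 0 192.0.2.10:22 203.0.113.5:51600 ESTABLISHED
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
"""

def summarize(netstat_text, port=80, ratio_alert=2.0):
    """Count half-open vs. completed TCP connections to `port`.

    ratio_alert is an assumed threshold: flag a flood when half-open
    connections outnumber established ones by more than this factor.
    """
    states = Counter()
    half_open_sources = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue  # skip headers, blank lines and non-TCP sockets
        local, foreign, state = fields[3], fields[4], fields[5]
        if local.rsplit(":", 1)[1] != str(port):
            continue  # only the service under attack
        states[state] += 1
        if state == "SYN_RECV":  # server replied, client never did
            half_open_sources[foreign.rsplit(":", 1)[0]] += 1
    half_open = states["SYN_RECV"]
    established = states["ESTABLISHED"]
    return {
        "half_open": half_open,
        "established": established,
        "distinct_sources": len(half_open_sources),
        "top_sources": half_open_sources.most_common(3),
        "suspect_flood": half_open > ratio_alert * max(established, 1),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Source addresses on half-open entries can be forged, so the per-source counts describe where the load appears to come from rather than proving which machines sent it.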

Today, a distributed denial of service attack took down the anti-spam information website spamnation.info. The site was almost certainly attacked because it published information that was intended to help victims of spam. This included a regularly-updated database of spam-advertised stocks, a list of 'frequently-asked questions' about stock spam, a database of domains advertised by spam and other miscellaneous information. Apparently this displeased certain people to the point that they used a botnet to knock the site offline.

The identity of the attackers is unknown. Perhaps the most likely candidates are the spammers behind the recent wave of spam advertising penny stocks that has been flooding everyone's inboxes. The senders of this type of spam are known to use botnets to distribute their material, and they are suspected to have links to a spammer known as Pharmamaster who was allegedly responsible for taking down the Israeli company Blue Security with a sustained DDoS attack. However, there are plenty of other possibilities as well: I'd recently written on the site about the networks of spammers promoting 'mainstream' companies in the United States, and the site also contained a good deal of information about presumed Russian scammers operating 'money transfer' scams. None of these people are particularly eager to have their activities discussed in public.

I'm the webmaster of spamnation.info. I'm starting this site as a temporary alternative while I decide whether I can put the site back online and, if so, how. I'd welcome comments, reactions, and anything else - except more spam.