One Saturday night in mid-June of 2003, Spamhaus.org was staggered by unusually heavy
visitor traffic. But this was no weekend rush by Internet users to review the latest Rokso
listings. When Spamhaus director Steve Linford checked the site's log files from his control
center in London, he discovered that hundreds of computers from all over the Internet were
simultaneously bombarding one of Spamhaus's web servers with bogus requests for data.
Spamhaus was under what computer experts call a distributed denial-of-service (DDOS) attack.
Using special DDOS programs, attackers were trying to cripple Spamhaus with packets of data,
rendering the site unusable by legitimate visitors.
Linford quickly fended off the attackers by adjusting the firewall that guarded the edge
of Spamhaus's network. Spamhaus had been victimized by DDOS attacks in the past, and Linford
might have headed off to bed without giving the matter further thought. But as he scanned
the list of Internet protocol (IP) addresses of the computers trying to "packet" Spamhaus,
he noticed something odd. Almost all of them were home PCs connected to the Internet via
broadband Internet service providers such as Verizon, Comcast, Cox Communications, and Bell
South.
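The triage described above, checking the log for the sources hammering the server and then attributing those addresses to the networks they sit in, is simple enough to script. The block below is an added example, not code from the book or from Spamhaus: it parses constructed Apache/nginx-style access-log lines, flags every source that exceeds a request threshold inside a short window, and summarises the flagged sources by a constructed prefix-to-provider table (placeholder TEST-NET ranges, not real Verizon, Comcast or Cox allocations; real work would use WHOIS or routing data).

```python
# Added example (not from the book): log triage for a flood of bogus requests.
# All log lines and the prefix-to-provider table are constructed for this example.
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed attribution table (placeholder TEST-NET prefixes, not real ISP
# ranges); real triage would consult WHOIS or BGP route data instead.
PROVIDERS = {
    "203.0.113.0/24": "broadband-isp-a",
    "198.51.100.0/24": "broadband-isp-b",
    "192.0.2.0/24": "hosting-provider-c",
}
PREFIXES = [(ipaddress.ip_network(p), name) for p, name in PROVIDERS.items()]


def attribute(ip):
    """Name the network a source address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, name in PREFIXES:
        if addr in net:
            return name
    return "unknown"


def parse(lines):
    """Yield (ip, timestamp, request, status) per well-formed line; skip junk."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"], int(m["status"])


def triage(lines, window_s=60, per_ip_threshold=5):
    """Flag sources that send >= per_ip_threshold requests inside any
    window_s-second window; summarise them by network and by requested URL."""
    times_by_ip = defaultdict(list)
    paths_by_ip = defaultdict(Counter)
    for ip, ts, req, status in parse(lines):
        times_by_ip[ip].append(ts)
        parts = req.split()
        paths_by_ip[ip][parts[1] if len(parts) > 1 else req] += 1
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):          # sliding window over sorted times
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= per_ip_threshold:
            flagged[ip] = best
    by_provider = Counter(attribute(ip) for ip in flagged)
    top_paths = Counter()
    for ip in flagged:
        top_paths.update(paths_by_ip[ip])
    return {
        "flagged": flagged,                    # ip -> peak requests in one window
        "by_provider": dict(by_provider),      # where the flagged sources live
        "top_paths": top_paths.most_common(3), # what they were asking for
    }


# Constructed sample: one real visitor's two hits, one unparseable line, and
# three zombies hammering the same bogus URL several times a second.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jun/2003:23:10:01 +0100] "GET /rokso/ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [14/Jun/2003:23:10:09 +0100] "GET /sbl/ HTTP/1.1" 200 3100',
    "this line is not in log format",
]
for zombie, n in (("203.0.113.5", 6), ("203.0.113.77", 5), ("198.51.100.9", 7)):
    SAMPLE_LOG += [
        f'{zombie} - - [14/Jun/2003:23:10:{i:02d} +0100] "GET /cgi-bin/search?q=x HTTP/1.0" 404 0'
        for i in range(n)
    ]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The threshold and window are deliberately low so the constructed sample trips them; on a real server you would tune both against the site's normal per-client rate, and the `by_provider` summary is what tells you whether the flood comes from a few hosting boxes or, as here, from consumer broadband space.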
For Linford, one of his worst fears was coming true. Since January, computer security
experts had been tracking the gradual spread of SoBig, a new breed of computer virus. Once
installed on a PC with a cable modem or DSL line, the software had two malicious purposes.
SoBig was designed to turn the infected computer into a remotely controlled "zombie"
participant in DDOS attacks. SoBig's other purpose was to allow the PC to serve as a
spam-sending proxy, through which a spammer could send junk emails with anonymity. In nearly
all cases, the owners of the infected systems would have no idea their computers were being
used by the virus.
It wasn't clear whether spammers were responsible for the creation of SoBig. But they
certainly stood to benefit from it. With an ever expanding network of thousands of hijacked
proxies for sending spam, junk emailers could evade anti-spammers and the operators of
spam-blocking services. Meanwhile, SoBig's DDOS feature could be used to mire the blocklist
sites with bogus network traffic.
Throughout the summer of 2003, Spamhaus and other anti-spam sites, including Spews and
the SpamCop spam-reporting service, were repeatedly hit by DDOS attacks from zombies
infected with SoBig or related viruses, including one named Fizzer. Meanwhile, the
percentage of spam originating from virus-infected computers was soaring. According to
spam-tracking services, nearly 70 percent of junk email was entering the Internet through
broadband PCs compromised by SoBig and similar malicious software.
To Linford and other veteran Internet technicians, the rise of spam zombies
was part of a distressing trend: the acceptance by hackers of spamming as a
lucrative profession.
"Once upon a time, hackers hated spammers," wrote Linford in an August 2003 posting to
Nanae. "All the real hackers detest spam and the losers who send it. But lately things have
changed...hackers now see spamming and scamming as 'kewl,'" he wrote. As an example, Linford
pointed to "Styro" and "Foam," the hacker aliases of two New Orleans teenagers. In their
member profiles at SpamSoft.biz, an online forum for spammers, the teens listed as their
interests "spamming, scamming, and cracking" (the latter is slang for breaking into web
sites without authorization). While an earlier generation of hackers had altruistically used
their technical skills to help drive scam artists and spammers out of business, this new
breed of computer whiz seemed to Linford both mercenary and morally challenged.
Some unidentified anti-spammers decided to fight back against the hacker-spammers by
releasing a Trojan horse program of their own. Starting in August of 2003, junk emailers
began receiving messages forged to appear as if they were from a spammer known for selling
college diplomas. The messages offered a free technique for removing "honey pots" (otherwise
known as spam traps) from spam mailing lists. Interested spammers were invited to view an online
multimedia demonstration of the software. But the web page listed for the video was actually
booby-trapped. If viewed using a not fully updated version of Microsoft's Internet Explorer,
the page would silently install a program named honey2.exe on the victim's computer. The
code contained a variant of SubSeven, an infamous program designed to allow the target PC to
be remotely controlled by an attacker.[9]
It wasn't clear whether any junk emailers fell for the trick. Some quickly recognized
the Trojan horse video for what it was and published warnings in SpecialHam.com, a new
online forum for spammers. But what was obvious was that the war between spammers and antis
had escalated.[10]
Meanwhile, the army of spam zombies continued to grow. As viruses claimed increasing
numbers of home computers, spammers discovered a new way to put the infected systems to
work. Instead of simply deploying them to send junk email or launch attacks against
blacklist sites, spammers were using the compromised PCs to host their web sites. In
September, ads for "invisible, bullet-proof" hosting began to appear at SpecialHam.com and
other spam sites. For $1,500 per month, one Poland-based group was offering to protect sites
from the network-sleuthing tools spam opponents used to identify the Internet protocol
address of a site. The group claimed to control nearly half a million "Trojaned" computers,
most of them home PCs connected to cable modems or DSL lines. The hacked systems contained
special software developed by the Poles that routed traffic between Internet users and
customers' web sites via thousands of the hijacked computers. The constantly rotating
intermediary systems confounded tools such as traceroute (a utility used to track the path
between a user's computer and a remote system), effectively masking the true location of the
web site.
By September, incessant DDOS attacks on two smaller blacklist sites, Monkeys.com and
Osirusoft.com, forced their operators to announce the permanent shutdown of their services.
The Spews site was also frequently unreachable due to the DDOS attacks. But the service
continued to function, thanks to Internet users who independently published mirror copies of
the Spews "zone files" containing the list of blacklisted IP addresses.
Desperate to identify the source of the attacks, Linford tried to cajole spammers into
ratting out the perpetrators. In exchange for information, he offered a form of probation to
several junk emailers listed on Rokso. If they turned over evidence that led to the arrest
of the attackers, Linford was willing to loosen the rules for the spammers' removal from
Rokso.
But some junk emailers misinterpreted Linford's offer. In September, an anonymous person
posted a message to Nanae, accusing Linford of trying to blackmail spammers. According to
the author, Linford had threatened to keep him on Rokso permanently if he didn't give up
information about a suspected source of the attacks. The unidentified spammer included in
his note an excerpt of email from Linford.
"You forget who's holding the cards here," Linford had written to the spammer. "We will
keep you blocked for years."
In a reply on Nanae, Linford pointed out that the anonymous newsgroup message had been
posted from an account owned by Bernie Johnson, a Michigan bulk emailer with connections to
spam king Alan Ralsky. Linford revealed that he had been discussing the attacks with Johnson
and confirmed that he had offered a deal in exchange for information.
"I've given the same deal to a number of former spammers who today run legitimate
hosting businesses and have never been heard of spamming or hosting spammers again. It's
called parole for good behavior, a concept enforcement authorities the world over use every
day," said Linford.
But Linford's efforts failed to unmask the attackers. And in November, a new virus,
specifically designed to knock Spamhaus off the Internet, was spotted. Known as Mimail E,
the virus contained code that automatically caused an infected PC to begin attacking
Spamhaus.org in order to make it unreachable. But it had no effect on the Spamhaus Block
List (SBL), which was actually hosted on over thirty servers located around the
world.
A successor virus that appeared in December 2003 had a more significant impact. Mimail F
targeted several anti-spam sites, including Spamhaus.org and Spews.org, with a
denial-of-service attack. The new code also orchestrated a massive Joe-job on the blocklist
services. PCs infected with Mimail F sent a flood of emails that were forged to appear as
though they were from Spamhaus.org. The messages informed recipients that Spamhaus.org would
be charging their credit cards $22.95 "on a weekly basis," and that a "free pack of child
porn CDs is already on the way to your billing address." The spoofed emails also invited
Internet users to visit Spamhaus.org, Spews.org, SpamCop.net, and a few other sites to view
"all types of underage porn."
For days, irate users swamped Spamhaus with complaints about the spam. Linford did his
best to explain that a virus, and not Spamhaus, had generated the messages. He referred the
annoyed spam recipients to the web sites of anti-virus software companies, where they could
find more information about Mimail. Still, the gripes continued to pour in.
Some gullible recipients even took to posting messages on Usenet newsgroups, warning
others not to visit Spamhaus.org or the other sites listed in the solicitation.
"What on earth can we do about these people?" wrote one apparently confused Internet
user, referring to Spamhaus. "They're probably just harvesting for email addresses, but who
knows? Any ideas as to how to rid the Internet of these types would be appreciated."
To rid the Internet of spam zombies, many spam opponents called upon cable and DSL
providers to be more proactive and to take steps such as removing infected customer PCs from
their networks. Some ISPs, such as Cox, earned the approval of anti-spammers when they began
blocking outbound connections on TCP port 25 from their users to mail servers outside the ISP's
network, so that a customer's PC could send mail only through the ISP's own servers. But
Comcast, the biggest cable-Internet provider in the U.S., seemed paralyzed by the zombie
problem and delayed taking action that would have stopped zombie PCs from sending spam
through third-party mail servers. This led some anti-spammers to call for the blacklisting
of millions of addresses assigned to Comcast.
As a stopgap measure, in December 2003, Linford began making plans to create a new
Spamhaus blacklist. The Exploits Block List (XBL) would contain a constantly updated
database of "proxy" computers that had been hacked, infected, or otherwise misconfigured to
allow spammers to commandeer them. Spamhaus would gather the data from two existing
third-party blacklists and make the XBL available for free to mail server operators.
Linford knew the XBL wouldn't eliminate the problem of spam zombies. But he felt it was
spam opponents' best defense against the constantly growing arsenal controlled by
spammer-hackers.
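Spamhaus publishes its lists, the XBL included, as DNS-based blocklists: a mail server reverses the octets of the connecting client's address, looks the result up as a hostname under the list's zone, and treats an answer inside 127.0.0.0/8 as "listed". The block below is an added example of that lookup, not code from the book or from Spamhaus. The zone name and the answer-code meanings in it are placeholders assumed for the example, not Spamhaus's published values, and the resolver is injected so the code also runs offline against a constructed stub.

```python
# Added example (not from the book): consulting a DNS-based blocklist such as
# the XBL at SMTP connection time.  ZONE and CODES are assumed placeholders.
import ipaddress
import socket

ZONE = "xbl.example.invalid"  # placeholder; use the list operator's real zone
# Constructed meanings for answer codes (illustrative, not Spamhaus's table).
CODES = {
    "127.0.0.4": "open proxy / exploited host",
    "127.0.0.5": "worm or trojan spam engine",
}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name):
    """Real lookup through the OS resolver; [] when the name does not exist."""
    try:
        return [a[4][0] for a in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def check(ip, resolve=system_resolver, zone=ZONE):
    """Return (listed, reason).  Only 127/8 answers count as listings: a
    wildcarded or hijacked zone answering with public addresses must not
    cause a mail server to start rejecting everything."""
    answers = resolve(query_name(ip, zone))
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_RANGE]
    if not codes:
        return False, None
    return True, CODES.get(codes[0], f"listed ({codes[0]})")


def smtp_decision(client_ip, resolve=system_resolver):
    """What the MTA answers at connect time: None to accept, else a 5xx line."""
    listed, reason = check(client_ip, resolve)
    if listed:
        return f"554 5.7.1 {client_ip} rejected: {reason}"
    return None


def stub_resolver(name):
    """Constructed offline stand-in for DNS: one listed zombie, one clean host,
    and one name that 'resolves' to a public address (a broken wildcard zone)."""
    table = {
        query_name("203.0.113.5"): ["127.0.0.4"],
        query_name("198.51.100.7"): ["192.0.2.1"],
    }
    return table.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.6", "198.51.100.7"):
        print(ip, check(ip, resolve=stub_resolver), smtp_decision(ip, stub_resolver))
```

The check is keyed on the IP address of the connecting client, not on the sender address in the message, which is exactly why a list of compromised proxies is useful against zombies: the forged headers do not matter, only where the connection came from.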
[9] A spammer named Richard Cunningham, who used the alias Dollar, published a warning
about the Trojan horse program at SpecialHam.com on August 15, 2003.
[10] As junk emailers increasingly banded together to do battle with spam opponents,
membership to clubs such as SpecialHam.com surged in mid-2003. One such organization, a
new, members-only site named TheBulkClub.com, caught my attention at the end of August
2003. A sign-up page stated that, for a twenty-dollar monthly fee, Bulk Club subscribers
could get access to a variety of how-to articles, a members' message board area, and a
system for uploading mailing lists for trade with other members.
I decided to contact Shiksaa over ICQ and ask whether she knew anything about the
site. She told me she hadn't investigated the Bulk Club yet. But moments later, she
messaged me again.
"Hey Brian," she said. Then Shiksaa sent me a link to an internal file accidentally
left exposed at TheBulkClub.com. The file contained a log of file transfers made by the
site's operators over the past month. It was the same type of file she had previously
dug up at web sites operated by Davis Hawke and other junk emailers.
"Dumb spammers," she said.
I looked at the address of the file transfer protocol (FTP) log a moment and then
decided to try a trick I had seen Shiksaa use in the past. If the Bulk Club's operators
had left directory listings enabled on their web server, truncating the address after
the final slash ("/") would make the server display every file in the directory
containing the FTP log. Sure
enough, when I tried the shortened address in my web browser, it displayed a list of
dozens of other files at the site.
I sent a message to Shiksaa, telling her that the site's directories could be
"trolled."
"Yes, I know," came her immediate response. "Spammers are so much fun."
After she signed off, I spent a few moments examining the files left exposed at the
site. I found a document that contained a list of anti-spam organizations including
Spamhaus and Spews. There was also an article entitled "How To Spoof," and there were
summaries of various state spam regulations. Also available to members were seventeen
articles on the topic of harvesting email addresses from web pages and discussion
groups.
But the most interesting document was a list of the Bulk Club's members. Nearly 450
people had joined the spam club since it launched in February. According to the list,
some 150 were "active" members. Among them was Damon Decrescenzo, one of the operators
of Rockin Time Holdings, a Florida junk emailer sued by Microsoft the previous June.
Also a member was Jon Thau, the head of Cyberworks, a longtime Rokso-listed spam
operation. But one name especially caught my eye. John Milton, one of the aliases used
by Davis Hawke, was listed as a Bulk Club member.
A few days later, I published an article about the Bulk Club at Wired News. The
piece, "A Support Group for Spammers," quoted the site's
operator, a man from Akron, Ohio, named Drew Auman, who said the club was dedicated to
promoting "responsible" business practices. According to Auman, the site had recently
been knocked offline by hackers. The impact to his business, he claimed, was extreme.
"Members who enjoy conversing with fellow members are unable to get access, and
potential members cannot learn about us," said Auman.
Within days, Auman was added to the Spamhaus Rokso list. But it hardly mattered.
Soon, the Bulk Club was back online, this time hosted on a new server in India.