RE: How many backbones here are filtering the makelovenotspam screensaver site?
-----Original Message-----
From: Lionel [mailto:nop@alt.net]
Sent: Thursday, December 02, 2004 8:40 AM
To: Hannigan, Martin
Cc: nanog list
Subject: Re: How many backbones here are filtering the makelovenotspam screensaver site?
On Thu, 2 Dec 2004 08:27:38 -0500 , "Hannigan, Martin" <hannigan@verisign.com> wrote:
Hosted on a cablemodem? Tch, tch, how the mighty have fallen
The blocks are widespread.
The reports of hackers are incorrect. The blackholes are what is stopping them.
What amazing efficiency. I can't help but wonder if these same providers are as quick at blackholing spamsite hosts, or blocking the zombies on their user networks from spewing spam on port 25?
If you tied all the spammers into a few controllers, you see it happen immediately.

I've been following the news reports on this. Here's a quick summary of "what I know" without making any judgement or opinion:

- The lycos screensaver campaign activated Tuesday
- Major networks began activating blocks
- When the controllers can't be reached, the clients die off
- If screensaver is active when controllers die, it runs off the current target list.
- If screensaver deactivates, then activates, it can't contact the servers and tells the user it's "off the internet" (I can't verify the veracity of the update process i.e. if it will die while active)
- Blocks started going up early Wednesday morning
- The press began reporting hackers due to an apparent defacement being seen by many users. What they actually saw was the banner of an ISP that had blackholed the traffic and redirected port 80 to a notice.
- Lycos moved their application to a hosting facility with bigger pipes
- Target sites began using redirects sending the traffic back to Lycos
- Press reports are coming out today regarding the blackholes
- SpamCop is the source of the target list via a page that is public off of the SpamCop site (SpamCop does not appear to have complicity)
- The effectiveness of the blackholes is rising
- There are a reported 100K clients downloaded. Less than you would expect due to the voluminous press coverage. Probably a result of the blackhole activity as well.

I'm really not sure if Lycos knows about the blackholes at this point as the press has been reporting "hackers" all the while. If you think it's hacked, check the route.
Here's some operational data captured via ethereal.

The target list generated by the botnet controller:

GET /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml HTTP/1.1
Referer: http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml
x-flash-version: 7,0,19,0
User-Agent: Shockwave Flash
Host: backend.makelovenotspam.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Resin/2.1.14
Content-Type: text/xml; charset=UTF-8
Content-Length: 2889
Connection: close
Date: Thu, 02 Dec 2004 15:22:00 GMT

<?xml version="1.0" encoding="UTF-8"?>
<mlns>
  <targets location="US">
    <target id="TVRBd01EQXdOVGt5" domain="myshopinternetcompany.com" url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680" hits="2572309" percentage="100" responsetime01="498" responsetime02="0" location="BR" />
    <target id="TVRBd01EQXdOVEk0" domain="grlswaiting4u.com" url="http://grlswaiting4u.com/" bytes="206765667" hits="1488797" percentage="100" responsetime01="11866" responsetime02="0" location="US" />
    <target id="TVRBd01EQXdOVGc0" domain="1stwebsitetheyourshop.com" url="http://1stwebsitetheyourshop.com/?e=aa5100" bytes="317867325" hits="2288427" percentage="100" responsetime01="507" responsetime02="0" location="BR" />
    <target id="TVRBd01EQXdOVGcx" domain="cheap-r-x.com" url="http://cheap-r-x.com/" bytes="355920802" hits="2565612" percentage="100" responsetime01="787" responsetime02="0" location="CN" />
    <target id="TVRBd01EQXdOVGcz" domain="www.hlplmanhds.biz" url="http://www.hlplmanhds.biz/" bytes="317590861" hits="2269503" percentage="100" responsetime01="785" responsetime02="0" location="CN" />
    <target id="TVRBd01EQXdOVEkz" domain="r.vtm.homewo.com" url="http://r.vtm.homewo.com/" bytes="367630639" hits="2248424" percentage="100" responsetime01="5542" responsetime02="0" location="CN" />
    <target id="TVRBd01EQXdOVE0w" domain="www.incentiverewardcenter.com" url="http://www.incentiverewardcenter.com/xg_reg.htm?SID=ab9ee352c3402bdc858e5540b887d28a--landing_page=1--show=zip--=--p=92375--c=5411-toys250_720_emc--catalog_id=14--a=--affil=5408--subid=1" bytes="1028999994" hits="6992693" percentage="-144200" responsetime01="1442" responsetime02="-1" location="US" />
    <target id="TVRBd01EQXdOVEk1" domain="www.macromed.ws" url="http://www.macromed.ws/" bytes="742958780" hits="5063804" percentage="100" responsetime01="1212" responsetime02="0" location="RU" />
    <target id="TVRBd01EQXdOVEEz" domain="www.curdom.com" url="http://www.curdom.com/" bytes="734756904" hits="4831221" percentage="46" responsetime01="2134" responsetime02="4541" location="CN" />
    <target id="TVRBd01EQXdOVGt4" domain="www.bacbwefds.info" url="http://www.bacbwefds.info/" bytes="422036604" hits="2463679" percentage="100" responsetime01="3375" responsetime02="0" location="CN" />
  </targets>
  <conf>
    <key name="source-xml" value="http://backend.makelovenotspam.com/xml" />
    <key name="interval-diagram" value="10000" />
    <key name="interval-hit" value="10000" />
    <key name="post-data-length" value="5" />
    <key name="refresh-xml" value="1200000" />
    <key name="current-version" value="1.0" />
    <key name="spray-filter-count" value="39" />
    <key name="url-report" value="http://backend.makelovenotspam.com/report" />
  </conf>
  <stats>
    <key name="average-percentage" value="100.0" />
    <key name="bytes" value="143003829363" />
    <key name="hits" value="859880020" />
    <key name="downloads" value="103803" />
    <key name="target-count" value="69" />
  </stats>
</mlns>

Here's what they appear to be receiving a lot of as a result:

<makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM>

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p><makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM> to /index.html not supported.<br />
</p>
</body></html>
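As an added illustration, not code from the thread or from Lycos, here is a small check a web server operator could run over an Apache combined-format access log to spot the request shown in the 501 response above: the screensaver puts a non-HTTP token in the method position, so flagging unknown methods (and 501 answers) and counting them per source address separates this traffic from normal visitors. The log layout and the sample lines are assumed and constructed.

```python
import re
from collections import Counter

# Request methods a public web server normally logs. Anything else in the
# method position deserves a look: the screensaver's request line carried
# "<makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM>" there, which is why Apache
# answered 501 Method Not Implemented.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Apache combined log format (assumed layout; adjust to the local LogFormat):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def classify(line):
    """Return a short reason if a log line looks like a flood request, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a combined-format line; ignore rather than guess
    parts = m.group("request").split(" ")
    if len(parts) != 3:
        return "malformed request line"
    method, _target, _version = parts
    if method not in KNOWN_METHODS:
        return f"non-standard method {method!r}"
    if m.group("status") == "501":
        # Fallback: Apache only answers 501 for methods it does not implement,
        # so a 501 on an apparently normal line still points at mangled input.
        return "501 response to an apparently normal request"
    return None


def flagged_hosts(lines):
    """Count flagged requests per client address so the noisiest sources stand out."""
    counts = Counter()
    for line in lines:
        if classify(line) is not None:
            counts[line.split(" ", 1)[0]] += 1
    return counts


# Constructed sample lines (addresses from the 192.0.2.0/24 documentation range);
# the request line on the flagged entries is the one from the capture above.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2004:15:22:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [02/Dec/2004:15:22:01 +0000] "<makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM> /index.html HTTP/1.1" 501 311 "-" "-"',
    '192.0.2.20 - - [02/Dec/2004:15:22:11 +0000] "<makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM> /index.html HTTP/1.1" 501 311 "-" "-"',
    '192.0.2.30 - - [02/Dec/2004:15:22:12 +0000] "<makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM> /index.html HTTP/1.1" 501 311 "-" "-"',
]

if __name__ == "__main__":
    for host, n in flagged_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} suspicious request(s)")
```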
I think Lycos did not think this through enough. Their response is HUGE. They've essentially launched a Denial of Service on themselves. They would not have needed the larger backbone if they cut down on the size of their response. They could have done anything with their client, but they chose to make it full web service with a valid XML response. Every transaction with their server looks to be about 3K. They could have implemented something minimal, like a basic socket connection and a minimal request, then sent something like a space delimited list of parameters. They could get rid of about 75% of the data and still preserve the same functionality. I personally like the idea, even though it's not original, it just took a large site to back it. Too bad they couldn't do it right.

On Thu, 2 Dec 2004 10:28:26 -0500, Hannigan, Martin <hannigan@verisign.com> wrote:
On Thu, Dec 02, 2004 at 09:59:14AM -0800, Brett wrote:
I personally like the idea, even though it's not original, it just took a large site to back it. Too bad they couldn't do it right.
It *can't* be done "right". That's the point that some of us have been making, both in an ethical sense and a technical sense. If you don't buy the ethical argument (which is arguably a matter of personal opinion anyway) then at least note the technical argument and think about how this is going to interact with spammer countermeasures, including zombies, redirectors, hijacked networks, and all the rest. Impact on spammers: negligible. Impact on everyone else: unknown but quite possibly severe.

---Rsk
participants (3)
- Brett
- Hannigan, Martin
- Rich Kulawiec