Sobig May Be Working for Spammers
Worm appears to lead sustained attacks on antispam 'blocklists.'
Daniel Tynan, special to PCWorld.com
Three leading antispam sites were shut down this week after becoming victims of distributed denial of service attacks, attacks that may have been launched by spammers sending out copies of the Sobig worm.
The target sites are the Spam Prevention Early Warning System (spews.org), Osirusoft (relays.osirusoft.com), and the Spam Open Relay and Blocking System (sorbs.net). All have been intermittently inaccessible. According to reports posted in online discussion forums, Osirusoft has shut down permanently.
Spam-Loving Worm
Attacks on antispam sites are not new. But the number and the sophistication of such attacks have increased dramatically over the past two months--just as the Sobig worm has accelerated.
SpamCop founder Julian Haight says his site has been constantly under attack since mid-July and was down for 48 hours. The Spamhaus Project (spamhaus.org) has been under massive attack for more than two months, according to director Steve Linford, although his site has survived unscathed.
"The same attackers who have been attacking SpamCop, Osirusoft, and Spews first tried attacking us and only moved on when they found they couldn't take us down," Linford says.
All of the attacks target so-called spam blocklists, which are databases that contain the IP addresses of suspected spam operations or computers that can be exploited to send spam. Such lists are used by corporations, ISPs, and government agencies to reduce the volume of junk mail flowing into their networks. E-mail servers at a site check the IP address of incoming messages and reject any that match one on the list.
Blocklist operators see a direct relationship between the attacks and the epidemic of e-mail worms circulating on the Net. They've noted a jump in spam originating from Sobig-infected systems. Also, Sobig worms began proliferating in the spring, about the time of the massive distributed denial of service (DDoS) attacks.
"I do believe SoBig and the DDoS on SPEWS/SORBS and the others are directly related, by author/spammer," says Matthew Sullivan, director of the Australian-based SORBS.
Merging Tactics
In a DDoS attack, thousands of so-called 'zombie' machines request information from a site simultaneously, overwhelming the site's servers and sometimes crashing it. Such zombies are usually created by installing a Trojan horse or backdoor program--typically spread via e-mail viruses--that takes over the computers of unsuspecting users.
In June, the UK-based e-mail security firm MessageLabs identified a version of the Sobig worm that could turn computers into open proxies--machines that can be exploited to send spam via remote commands.
Essentially, Sobig enables a spammer to "recruit" an infected machine as a proxy to send spam. The unwanted e-mail then avoids the blocklist because it's coming from systems that are probably not listed as known sources of spam.
"We've seen a high correlation between computers infected by backdoor viruses and those sending out large quantities of spam," says Paul Wood, MessageLabs' chief information security analyst. He says more than 60 percent of the spam MessageLabs traps each month is sent via open proxies; three quarters of those are from systems infected by a backdoor program.
Such computers could also be used to launch a denial of service attack.
"If you've got an open proxy, you can essentially use it to do whatever you like," Wood says. "These [antispam] sites were most likely attacked by someone with a vested interest in taking them offline."
Also in June, researchers at Kaspersky Labs suggested that the latest version of Sobig may have used a spam engine to spread quickly, hinting at another link in technique.
Blocklist Goes Black
The attacks have apparently inspired Osirusoft operator Joe Jared to abandon his list of open relays--e-mail servers that can be compromised by spammers.
Earlier this week, Jared altered the list so that anyone using it would be blocking all incoming e-mail, regardless of source. The Federal Trade Commission is one agency that used the Osirusoft list, but quickly dropped it after Jared made the change, says Stephen Warren, FTC chief information officer.
Jared says his site has been under steady attack for weeks, costing him around $10,000 so far. "Relays.osirusoft is down for the full count," he says. "I had to either give it up or go broke." Jared says he's in touch with the FBI about the attacks.
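The blocklist check described earlier (a mail server rejects senders whose IP appears on the list) and the Osirusoft failure mode (a list altered so that every query comes back "listed") can both be shown in a small receiving-side check. This is an added example, not code from the article or from any of the blocklists it names; it assumes the list is queried in the usual DNSBL way (sender IP with its octets reversed, prepended to the list's DNS zone, answered with a 127.0.0.x record when listed), and it injects a fake resolver over a constructed zone so it runs offline.

```python
"""Receiving-mail-server side of a DNS-based blocklist (DNSBL) check,
including a sanity check that refuses to use a list that answers
'listed' for everything."""
import ipaddress
from typing import Callable, Optional

# A resolver maps a hostname to its A record, or None when there is no answer.
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the list's zone: 10.0.0.5 -> 5.0.0.10.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    return resolve(dnsbl_name(ip, zone)) is not None


def list_is_sane(zone: str, resolve: Resolver) -> bool:
    """DNSBL convention: 127.0.0.2 is always listed, 127.0.0.1 is never listed.

    A list that also answers for 127.0.0.1 is listing everything, which is
    what relays.osirusoft.com did after it was altered, and must not be used."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


def should_reject(sender_ip: str, zone: str, resolve: Resolver) -> bool:
    """Reject only on a hit from a list that passes its sanity check.

    A broken list fails open (mail is accepted; the operator should be
    alerted) rather than silently blocking all incoming mail."""
    if not list_is_sane(zone, resolve):
        return False
    return is_listed(sender_ip, zone, resolve)


# Constructed fake zone standing in for a healthy blocklist (assumed names).
HEALTHY_ZONE = {
    "2.0.0.127.bl.example": "127.0.0.2",  # mandatory test entry
    "5.0.0.10.bl.example": "127.0.0.2",   # 10.0.0.5 is a listed sender
}


def healthy_resolver(name: str) -> Optional[str]:
    return HEALTHY_ZONE.get(name)


def wildcard_resolver(name: str) -> Optional[str]:
    """Models a list altered to answer 'listed' for every query in its zone."""
    return "127.0.0.2" if name.endswith(".bl.example") else None
```

In production the injected resolver would be a real DNS lookup, and the sanity check should run on a timer rather than on every message so a list outage does not add latency to each delivery.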
Security experts suggest bracing for more attacks, citing what appears an ominous turn in the war between bulk mailers and antispam activists. "Spammers are using technology that virus writers have employed for years to launch their creations into the wild," Wood says. "Either the people who created Sobig are selling the open proxy information to the spammers, or the spammers are funding the virus writers."