How many backbones here are filtering the makelovenotspam screensaver site?

Hannigan, Martin hannigan at verisign.com
Thu Dec 2 15:28:26 UTC 2004


> -----Original Message-----
> From: Lionel [mailto:nop at alt.net]
> Sent: Thursday, December 02, 2004 8:40 AM
> To: Hannigan, Martin
> Cc: nanog list
> Subject: Re: How many backbones here are filtering the makelovenotspam
> screensaver site?
> 
> 
> On Thu, 2 Dec 2004 08:27:38 -0500, "Hannigan, Martin"
> <hannigan at verisign.com> wrote:
> 
> >> > Hosted on a cablemodem?  Tch, tch, how the mighty have fallen
> >
> >
> >The blocks are widespread. 
> >
> >The reports of hackers are incorrect. The blackholes are what is
> >stopping them. 
> 
> What amazing efficiency. I can't help but wonder if these same providers
> are as quick at blackholing spamsite hosts, or blocking the zombies on
> their user networks from spewing spam on port 25?

If you tied all the spammers into a few controllers, you'd see it happen
immediately.

I've been following the news reports on this. Here's a quick summary
of "what I know" without making any judgement or opinion:


- The Lycos screensaver campaign activated Tuesday
- Major networks began activating blocks
- When the controllers can't be reached, the clients die off
  - If the screensaver is active when the controllers die, it runs
    off the current target list.
  - If the screensaver deactivates, then activates, it can't
    contact the servers and tells the user it's "off the internet"
    (I can't verify the veracity of the update process, i.e. if it
    will die while active)
- Blocks started going up early Wednesday morning
- The press began reporting hackers due to an apparent defacement
  being seen by many users. What they actually saw was the banner of
  an ISP that had blackholed the traffic and redirected port
  80 to a notice.
- Lycos moved their application to a hosting facility with bigger pipes
- Target sites began using redirects sending the traffic back
  to Lycos
- Press reports are coming out today regarding the blackholes
- SpamCop is the source of the target list via a page that is public
  off of the SpamCop site (SpamCop does not appear to have complicity)
- The effectiveness of the blackholes is rising
- There are a reported 100K clients downloaded. Less than you would
  expect due to the voluminous press coverage. Probably a result of
  the blackhole activity as well.

I'm really not sure if Lycos knows about the blackholes at 
this point as the press has been reporting "hackers" all the while.
If you think it's hacked, check the route.

Here's some operational data captured via Ethereal.

The target list generated by the botnet controller:

GET /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml HTTP/1.1
Referer: http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_28652023942308.xml
x-flash-version: 7,0,19,0
User-Agent: Shockwave Flash
Host: backend.makelovenotspam.com
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Resin/2.1.14
Content-Type: text/xml; charset=UTF-8
Content-Length: 2889
Connection: close
Date: Thu, 02 Dec 2004 15:22:00 GMT

<?xml version="1.0" encoding="UTF-8"?>
<mlns>
  <targets location="US">
    <target id="TVRBd01EQXdOVGt5" domain="myshopinternetcompany.com"
      url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680" hits="2572309"
      percentage="100" responsetime01="498" responsetime02="0" location="BR" />
    <target id="TVRBd01EQXdOVEk0" domain="grlswaiting4u.com"
      url="http://grlswaiting4u.com/" bytes="206765667" hits="1488797"
      percentage="100" responsetime01="11866" responsetime02="0" location="US" />
    <target id="TVRBd01EQXdOVGc0" domain="1stwebsitetheyourshop.com"
      url="http://1stwebsitetheyourshop.com/?e=aa5100" bytes="317867325" hits="2288427"
      percentage="100" responsetime01="507" responsetime02="0" location="BR" />
    <target id="TVRBd01EQXdOVGcx" domain="cheap-r-x.com"
      url="http://cheap-r-x.com/" bytes="355920802" hits="2565612"
      percentage="100" responsetime01="787" responsetime02="0" location="CN" />
    <target id="TVRBd01EQXdOVGcz" domain="www.hlplmanhds.biz"
      url="http://www.hlplmanhds.biz/" bytes="317590861" hits="2269503"
      percentage="100" responsetime01="785" responsetime02="0" location="CN" />
    <target id="TVRBd01EQXdOVEkz" domain="r.vtm.homewo.com"
      url="http://r.vtm.homewo.com/" bytes="367630639" hits="2248424"
      percentage="100" responsetime01="5542" responsetime02="0" location="CN" />
    <target id="TVRBd01EQXdOVE0w" domain="www.incentiverewardcenter.com"
      url="http://www.incentiverewardcenter.com/xg_reg.htm?SID=ab9ee352c3402bdc858e5540b887d28a--landing_page=1--show=zip--=--p=92375--c=5411-toys250_720_emc--catalog_id=14--a=--affil=5408--subid=1"
      bytes="1028999994" hits="6992693"
      percentage="-144200" responsetime01="1442" responsetime02="-1" location="US" />
    <target id="TVRBd01EQXdOVEk1" domain="www.macromed.ws"
      url="http://www.macromed.ws/" bytes="742958780" hits="5063804"
      percentage="100" responsetime01="1212" responsetime02="0" location="RU" />
    <target id="TVRBd01EQXdOVEEz" domain="www.curdom.com"
      url="http://www.curdom.com/" bytes="734756904" hits="4831221"
      percentage="46" responsetime01="2134" responsetime02="4541" location="CN" />
    <target id="TVRBd01EQXdOVGt4" domain="www.bacbwefds.info"
      url="http://www.bacbwefds.info/" bytes="422036604" hits="2463679"
      percentage="100" responsetime01="3375" responsetime02="0" location="CN" />
  </targets>
  <conf>
    <key name="source-xml" value="http://backend.makelovenotspam.com/xml" />
    <key name="interval-diagram" value="10000" />
    <key name="interval-hit" value="10000" />
    <key name="post-data-length" value="5" />
    <key name="refresh-xml" value="1200000" />
    <key name="current-version" value="1.0" />
    <key name="spray-filter-count" value="39" />
    <key name="url-report" value="http://backend.makelovenotspam.com/report" />
  </conf>
  <stats>
    <key name="average-percentage" value="100.0" />
    <key name="bytes" value="143003829363" />
    <key name="hits" value="859880020" />
    <key name="downloads" value="103803" />
    <key name="target-count" value="69" />
  </stats>
</mlns>


Here's what they appear to be receiving a lot of as a result:

<makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM>
.<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p><makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM> to /index.html not
supported.<br />
</p>
</body></html>
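Added example (not part of the post above, and not Lycos's code): a small Python script that turns a captured <mlns> config of the shape shown above into what an operator actually wants from it: the set of hosts a client will contact (for reviewing a blackhole or ACL, or for matching against outbound flow logs), the per-client poll rate implied by the interval keys, the target records whose numeric fields are out of range (the real list carries one with percentage="-144200" and responsetime02="-1"), and a check that picks the screensaver's malformed request method out of an Apache access log, since that is what produces the 501 page quoted above. The sample XML and log lines are constructed to follow the captured schema; the domains in them are placeholders, and the log format is assumed to be Apache combined.

```python
"""Added example: summarise a captured makelovenotspam <mlns> config and spot
the client's requests in a web server access log.  Not Lycos's code; the
sample data below is constructed to follow the schema of the capture."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample config: same element/attribute names and conf/stats keys
# as the capture, placeholder domains, and one target with the out-of-range
# percentage / responsetime02 values present in the real list.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mlns><targets location="US">
<target id="TVRBd01EQXdOVGt5" domain="spam-host-a.example"
 url="http://spam-host-a.example/?e=aa5100" bytes="357460680" hits="2572309"
 percentage="100" responsetime01="498" responsetime02="0" location="BR" />
<target id="TVRBd01EQXdOVE0w" domain="www.spam-host-b.example"
 url="http://www.spam-host-b.example/landing.htm?SID=0123abcd" bytes="1028999994"
 hits="6992693" percentage="-144200" responsetime01="1442" responsetime02="-1"
 location="US" />
</targets><conf>
<key name="source-xml" value="http://backend.makelovenotspam.com/xml" />
<key name="interval-hit" value="10000" />
<key name="refresh-xml" value="1200000" />
<key name="url-report" value="http://backend.makelovenotspam.com/report" />
</conf><stats>
<key name="downloads" value="103803" /><key name="target-count" value="69" />
</stats></mlns>"""

# Constructed Apache combined-format lines: one ordinary request and one that
# carries the screensaver's <makeLOVEnotSPAM>...</makeLOVEnotSPAM> token in
# the method position, which Apache answers with the 501 shown above.
SAMPLE_LOG = [
    '192.0.2.7 - - [02/Dec/2004:15:21:58 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [02/Dec/2004:15:22:00 +0000] "<makeLOVEnotSPAM>IN`TS</makeLOVEnotSPAM> /index.html HTTP/1.1" 501 341 "-" "Shockwave Flash"',
]

# ip, method, path, status from a combined-format line (request line quoted).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_mlns(xml_text):
    """Return {"targets": [attribute dicts], "conf": {...}, "stats": {...}}."""
    root = ET.fromstring(xml_text)
    if root.tag != "mlns":
        raise ValueError("root element is %r, not <mlns>" % root.tag)

    def keys(section):
        node = root.find(section)
        if node is None:
            return {}
        return {k.get("name"): k.get("value") for k in node.iter("key")}

    return {"targets": [dict(t.attrib) for t in root.iter("target")],
            "conf": keys("conf"), "stats": keys("stats")}


def contacted_hosts(parsed):
    """Every hostname a client running this config talks to: the controller
    endpoints named in <conf> plus the host of each target URL."""
    hosts = set()
    for key in ("source-xml", "url-report"):
        if key in parsed["conf"]:
            hosts.add(urlparse(parsed["conf"][key]).hostname)
    for t in parsed["targets"]:
        hosts.add(urlparse(t["url"]).hostname)
    return sorted(hosts)


def poll_rates(parsed):
    """Requests per client per hour implied by the millisecond interval keys."""
    conf = parsed["conf"]
    return {"hits_per_hour": 3_600_000 // int(conf["interval-hit"]),
            "config_refresh_per_hour": 3_600_000 // int(conf["refresh-xml"])}


def anomalous_targets(parsed):
    """Domains of target records whose fields fall outside the range the
    schema implies (percentage 0..100, response times >= 0)."""
    bad = []
    for t in parsed["targets"]:
        pct = int(t.get("percentage", "0"))
        times = [int(t.get(k, "0")) for k in ("responsetime01", "responsetime02")]
        if not 0 <= pct <= 100 or any(v < 0 for v in times):
            bad.append(t["domain"])
    return bad


def screensaver_hits(log_lines):
    """(client_ip, path, status) for lines whose request method is the
    screensaver's <makeLOVEnotSPAM>...</makeLOVEnotSPAM> token."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2).startswith("<makeLOVEnotSPAM>"):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits


if __name__ == "__main__":
    parsed = parse_mlns(SAMPLE_XML)
    print("hosts contacted:", contacted_hosts(parsed))
    print("polls per client per hour:", poll_rates(parsed))
    print("targets with implausible values:", anomalous_targets(parsed))
    print("screensaver requests in log:", screensaver_hits(SAMPLE_LOG))
```

With the captured values (interval-hit 10000 ms, refresh-xml 1200000 ms) each client makes 360 target requests and 3 config refreshes per hour, which is the figure to multiply by the reported download count when sizing the traffic a blackhole removes.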