North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: How many backbones here are filtering the makelovenotspam scr eensaver site?

  • From: Hannigan, Martin
  • Date: Thu Dec 02 10:32:40 2004

> -----Original Message-----
> From: Lionel [mailto:[email protected]]
> Sent: Thursday, December 02, 2004 8:40 AM
> To: Hannigan, Martin
> Cc: nanog list
> Subject: Re: How many backbones here are filtering the makelovenotspam
> scr eensaver site?
> On Thu, 2 Dec 2004 08:27:38 -0500 , "Hannigan, Martin"
> <[email protected]> wrote:
> >> > Hosted on a cablemodem?  Tch, tch, how the mighty have fallen
> >
> >
> >The blocks are widespread. 
> >
> >The reports of hackers are incorrect. The blackholes are 
> what is stopping
> >them. 
> What amazing efficiency. I can't help but wonder if these 
> same providers
> are as quick at blackholing spamsite hosts, or blocking the zombies on
> their user networks from spewing spam on port 25?

If you tied all the spammers into a few controllers, you see it happen

I've been following the news reports on this. Here's a quick summary
of "what I know" without making any judgement or opinion:

- The lycos screensaver campaign activated Tuesday
- Major networks began activating blocks
- When the controllers can't be reached, the clients die off
	- If screensaver is active when controllers die, it runs
        off the current target list.
      - If screensaver deactivates, then activates, it can't 
        contact the servers and tells the user it's "off the internet"
	(I can't verify the veracity of the update process i.e. if it 
       will die while active)
- Blocks started going up early Wednesday morning
- The press began reporting hackers due to an apparentdefacement 
  being seen by many users. What they actually saw was the banner of 
  an ISP that had blackholed the traffic and redirected port
  80 to a notice.
- Lycos moved their application to a hosting facility with bigger pipes
- Target sites began using redirects sending the traffic back 
  to Lycos
- Press reports are coming out today regarding the blackholes
- SpamCop is the source of the target list via a page that is public
  off of the SpamCop site (SpamCop is does not appear to have complicity)
- The effectiveness of the blackholes is rising
- There are a reported 100K clients downloaded. Less than you would
  expect due to the voluminous press coverage. Probably a result of 
  the blackhole activity as well.

I'm really not sure if Lycos knows about the blackholes at 
this point as the press has been reporting "hackers" all the while.
If you think it's hacked, check the route.

Here's some operational data captured via ethereal

The target list generated by the botnet controller:

2023942308.xml HTTP/1.1
x-flash-version: 7,0,19,0
User-Agent: Shockwave Flash
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Resin/2.1.14
Content-Type: text/xml; charset=UTF-8
Content-Length: 2889
Connection: close
Date: Thu, 02 Dec 2004 15:22:00 GMT

<?xml version="1.0" encoding="UTF-8"?>
<mlns><targets location="US"><target id="TVRBd01EQXdOVGt5"
url=""; bytes="357460680"
hits="2572309" percentage="100" responsetime01="498" responsetime02="0"
location="BR" /><target id="TVRBd01EQXdOVEk0" domain=""
url=""; bytes="206765667" hits="1488797"
percentage="100" responsetime01="11866" responsetime02="0" location="US"
/><target id="TVRBd01EQXdOVGc0" domain=""
url=""; bytes="317867325"
hits="2288427" percentage="100" responsetime01="507" responsetime02="0"
location="BR" /><target id="TVRBd01EQXdOVGcx" domain=""
url=""; bytes="355920802" hits="2565612"
percentage="100" responsetime01="787" responsetime02="0" location="CN"
/><target id="TVRBd01EQXdOVGcz" domain=""
url=""; bytes="317590861" hits="2269503"
percentage="100" responsetime01="785" responsetime02="0" location="CN"
/><target id="TVRBd01EQXdOVEkz" domain=""
url=""; bytes="367630639" hits="2248424"
percentage="100" responsetime01="5542" responsetime02="0" location="CN"
/><target id="TVRBd01EQXdOVE0w" domain=""
-catalog_id=14--a=--affil=5408--subid=1" bytes="1028999994" hits="6992693"
percentage="-144200" responsetime01="1442" responsetime02="-1" location="US"
/><target id="TVRBd01EQXdOVEk1" domain=""
url=""; bytes="742958780" hits="5063804"
percentage="100" responsetime01="1212" responsetime02="0" location="RU"
/><target id="TVRBd01EQXdOVEEz" domain=""
url=""; bytes="734756904" hits="4831221"
percentage="46" responsetime01="2134" responsetime02="4541" location="CN"
/><target id="TVRBd01EQXdOVGt4" domain=""
url=""; bytes="422036604" hits="2463679"
percentage="100" responsetime01="3375" responsetime02="0" location="CN"
/></targets><conf><key name="source-xml"
value=""; /><key
name="interval-diagram" value="10000" /><key name="interval-hit"
value="10000" /><key name="post-data-length" value="5" /><key
name="refresh-xml" value="1200000" /><key name="current-version" value="1.0"
/><key name="spray-filter-count" value="39" /><key name="url-report"
value=""; /></conf><stats><key
name="average-percentage" value="100.0" /><key name="bytes"
value="143003829363" /><key name="hits" value="859880020" /><key
name="downloads" value="103803" /><key name="target-count" value="69"

Here's what they appear to receiving a lot as a result:

<title>501 Method Not Implemented</title>
<h1>Method Not Implemented</h1>
<p>&lt;makeLOVEnotSPAM&gt;IN`TS&lt;/makeLOVEnotSPAM&gt; to /index.html not
supported.<br />