Two Blogs on Fallout from Two DDoS Attacks
This week two of my favorite blogs, Mickey Chandler’s Spamtacular and Brian Krebs’ KrebsOnSecurity, have posted unusually informative and thoughtful articles about two spam-related DDoS attacks. One occurred three years ago; the other within the past week.
For those who prefer to read comments and kudos AFTER reading the original articles, here are direct links:
- KrebsOnSecurity (8/26/2016): Inside ‘The Attack That Almost Broke the Internet’
- Spamtacular (8/23/2016): It’s time to consider non-users
Brian Krebs has unearthed some startling intelligence about the March 2013 DDoS attack against Spamhaus and other, smaller anti-spam organizations and researchers. There isn’t much to say about his article but “Wow”. While I hadn’t read this information before, I was one minor target of the Stophaus crowd and well aware of the general scope of their activities at the time.
The chat and Skype logs that Brian posted fill in the picture of that DDoS nicely. If you don’t think cybercriminals really are as intent on causing trouble as you’ve heard, this article should disabuse you of that notion.
Mickey discusses, not the DDoS attack that was launched last weekend against government offices and private security companies, but the aftermath and some likely consequences. A number of these people spent days digging out from under the deluge, unable to use their email accounts in the meantime. The apparent aim of the attack was to render email useless for these people and prevent them from effectively interfering with the criminals’ activities. Mickey discusses a (probably unintended) consequence: Spamhaus opening almost 50 SBL listings against many of the top ESPs, whose lists were used to carry out the DDoS.
Spamhaus CEO Steve Linford discussed the attack, why Spamhaus listed the ESPs, and what they hoped to accomplish on Steve and Laura Atkins’ Word to the Wise blog, a popular bulk email industry forum. In his comments, Linford states that Spamhaus had not changed its policy to require confirmed opt-in (“double opt-in”) as a condition for removal of SBL listings, but would have to consider doing so if no other workable means of preventing lists from being used to DDoS innocent third parties could be found.
Mickey took Linford at his word, and speculates about the possible outcomes. If Spamhaus and the blocklist world in general take a more aggressive stance against companies that send email to unconfirmed email addresses, some companies that are careless about transactional (not bulk) mailings could be in a world of hurt. For example, as my fellow blogger Atro Tossavainen blogged here, some airlines email itineraries and other private information to email addresses that were never valid or were closed many years ago.
I have blogged several times about banks (such as Capital One) and financial service businesses (such as Liberty Capital) emailing statements, account notifications, real (not 419/scam) loan offers, and collection attempts to the same sorts of email addresses. If you search this blog for the keyword “transactional”, you will find those articles.
Spamhaus or other blocklists might not view it as part of their mandate to go after companies that are careless and irresponsible in their handling of private customer — and non-customer — information. However, I regularly see behavior that has convinced me that many banks and other companies should not be trusted with the sensitive customer information that they control. I would absolutely love for Spamhaus or somebody to lower the boom on these companies.