RE: How many backbones here are filtering the makelovenotspam scr eensaver site?

From: Lionel []
Sent: Thursday, December 02, 2004 8:40 AM
To: Hannigan, Martin
Cc: nanog list
Subject: Re: How many backbones here are filtering the makelovenotspam
scr eensaver site?

>> > Hosted on a cablemodem? Tch, tch, how the mighty have fallen
>The blocks are widespread.
>The reports of hackers are incorrect. The blackholes are
what is stopping

What amazing efficiency. I can't help but wonder if these
same providers
are as quick at blackholing spamsite hosts, or blocking the zombies on
their user networks from spewing spam on port 25?

If you tied all the spammers into a few controllers, you see it happen

I've been following the news reports on this. Here's a quick summary
of "what I know" without making any judgement or opinion:

- The lycos screensaver campaign activated Tuesday
- Major networks began activating blocks
- When the controllers can't be reached, the clients die off
  - If screensaver is active when controllers die, it runs
        off the current target list.
      - If screensaver deactivates, then activates, it can't
        contact the servers and tells the user it's "off the internet"
  (I can't verify the veracity of the update process i.e. if it
       will die while active)
- Blocks started going up early Wednesday morning
- The press began reporting hackers due to an apparentdefacement
  being seen by many users. What they actually saw was the banner of
  an ISP that had blackholed the traffic and redirected port
  80 to a notice.
- Lycos moved their application to a hosting facility with bigger pipes
- Target sites began using redirects sending the traffic back
  to Lycos
- Press reports are coming out today regarding the blackholes
- SpamCop is the source of the target list via a page that is public
  off of the SpamCop site (SpamCop is does not appear to have complicity)
- The effectiveness of the blackholes is rising
- There are a reported 100K clients downloaded. Less than you would
  expect due to the voluminous press coverage. Probably a result of
  the blackhole activity as well.

I'm really not sure if Lycos knows about the blackholes at
this point as the press has been reporting "hackers" all the while.
If you think it's hacked, check the route.

Here's some operational data captured via ethereal

The target list generated by the botnet controller:

2023942308.xml HTTP/1.1
x-flash-version: 7,0,19,0
User-Agent: Shockwave Flash
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: Resin/2.1.14
Content-Type: text/xml; charset=UTF-8
Content-Length: 2889
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<mlns><targets location="US"><target id="TVRBd01EQXdOVGt5"
url="; bytes="357460680"
hits="2572309" percentage="100" responsetime01="498" responsetime02="0"
location="BR" /><target id="TVRBd01EQXdOVEk0" domain=""
url="; bytes="206765667" hits="1488797"
percentage="100" responsetime01="11866" responsetime02="0" location="US"
/><target id="TVRBd01EQXdOVGc0" domain=""
url="; bytes="317867325"
hits="2288427" percentage="100" responsetime01="507" responsetime02="0"
location="BR" /><target id="TVRBd01EQXdOVGcx" domain=""
url="; bytes="355920802" hits="2565612"
percentage="100" responsetime01="787" responsetime02="0" location="CN"
/><target id="TVRBd01EQXdOVGcz" domain=""
url="; bytes="317590861" hits="2269503"
percentage="100" responsetime01="785" responsetime02="0" location="CN"
/><target id="TVRBd01EQXdOVEkz" domain=""
url="; bytes="367630639" hits="2248424"
percentage="100" responsetime01="5542" responsetime02="0" location="CN"
/><target id="TVRBd01EQXdOVE0w" domain=""
-catalog_id=14--a=--affil=5408--subid=1" bytes="1028999994" hits="6992693"
percentage="-144200" responsetime01="1442" responsetime02="-1" location="US"
/><target id="TVRBd01EQXdOVEk1" domain=""
url="WEBSITE.WS - Your Internet Address For Lifeā„¢; bytes="742958780" hits="5063804"
percentage="100" responsetime01="1212" responsetime02="0" location="RU"
/><target id="TVRBd01EQXdOVEEz" domain=""
url="; bytes="734756904" hits="4831221"
percentage="46" responsetime01="2134" responsetime02="4541" location="CN"
/><target id="TVRBd01EQXdOVGt4" domain=""
url="; bytes="422036604" hits="2463679"
percentage="100" responsetime01="3375" responsetime02="0" location="CN"
/></targets><conf><key name="source-xml"
value="; /><key
name="interval-diagram" value="10000" /><key name="interval-hit"
value="10000" /><key name="post-data-length" value="5" /><key
name="refresh-xml" value="1200000" /><key name="current-version" value="1.0"
/><key name="spray-filter-count" value="39" /><key name="url-report"
value="; /></conf><stats><key
name="average-percentage" value="100.0" /><key name="bytes"
value="143003829363" /><key name="hits" value="859880020" /><key
name="downloads" value="103803" /><key name="target-count" value="69"

Here's what they appear to receiving a lot as a result:

<title>501 Method Not Implemented</title>
<h1>Method Not Implemented</h1>
<p>&lt;makeLOVEnotSPAM&gt;IN`TS&lt;/makeLOVEnotSPAM&gt; to /index.html not
supported.<br />

I think Lycos did not think this through enough. Their response is
HUGE. They've essentially launched a Denial of Service on themselves.
They would not have needed the larger backbone if they cut down on
the size of their response. They could have done anything with their
client, but they chose to make it full web service with a valid XML

Every transaction with their server looks to be about 3K. They could
have implemented something minimal, like a basic socket connection and
a minimal request, then sent something like a space delimited list of
parameters. They could get rid of about 75% of the data and still
preserve the same functionality.

I personally like the idea, even though it's not original, it just
took a large site to back it. Too bad they couldn't do it right.

It *can't* be done "right".

That's the point that some of us have been making, both in an ethical
sense and a technical sense. If you don't buy the ethical argument
(which is arguably a matter of personal opinion anyway) then at least
note the technical argument and think about how this is going to
interact with spammer countermeasures, including zombies, redirectors,
hijacked networks, and all the rest. Impact on spammers: negligible.
Impact on everyone else: unknown but quite possibly severe.