Anti-Spam Sites Face Attacks

Some anti-spam block lists are under siege by anonymous attackers flooding their systems with bogus data in an effort to shut them down.

At least one of those under fire claims he knows who the assailants are.

Moreover, the most infamous block list, Spam Prevention Early Warning System, or SPEWS, has been intermittently out of service as a result.

In mid-June, some of the world's best-known anti-spam block lists began increasingly coming under what are known as distributed-denial-of-service, or DDOS, attacks.

A denial-of-service attack is akin to dialing a phone number repeatedly so that other calls can't get through. A computer under a denial of service attack will try to respond to each bogus request until it becomes overwhelmed and can't function. A distributed-denial-of-service attack hijacks thousands of computers to attack a single server, resulting in hundreds of thousands of requests at once.

Machines used in DDOS attacks reportedly often belong to unsuspecting broadband users.

The recent attacks against anti-spam block lists have steadily risen to where one of the main hosts of SPEWS had to shut down.

Joe Jared, who had been publishing SPEWS' list on his site,, was under such heavy fire that he reportedly suddenly shut his system down last week, leaving e-mail administrators who used his service scrambling to reconfigure their systems to use other sites that mirror SPEWS' list.

Moreover, to ensure administrators would know his list no longer was functioning, Jared reportedly shut his system down by block listing every IP address in the world, resulting in organizations relying on his list suddenly being unable to receive e-mail, period.

Meanwhile, was not responding to repeated log-on attempts yesterday, indicating the site is still under attack.

“Both and the various mirrors of have been very flaky,” said Laura Atkins, CEO of Word to the Wise LLC, a company that helps clients avoid being labeled as spammers.

Block lists are lists of IP addresses their maintainers think are sources of spam. Many e-mail administrators set their systems to match incoming e-mail against one or more of these controversial lists — of which there are reportedly hundreds, each with its own rules — and filter out incoming mail from listed IP addresses.

SPEWS is run anonymously to avoid its maintainers getting sued. People who find that their IP address has been listed on SPEWS have no recourse but to try communicating with SPEWS' maintainer(s) through an anti-spam newsgroup that many on both sides of the debate believe is increasingly populated by zealots, Nanae.

SPEWS is known to be quick on the block-listing trigger, and difficult to get off. It is also known to list blocks of innocent IP addresses that do business with Internet service providers who also host suspected spammers, a tactic aimed at creating “collateral damage” so the owners of the innocent-but-listed addresses either take their business elsewhere or pressure their ISPs to eliminate the suspected spammers.

“My gut is that there are portions of the attacks that are large and orchestrated, but that there are multiple attacks going on,” Atkins said. “SPEWS has upset a lot of people.”

She should know. Another organization with which Atkins is affiliated, anti-spam group the SpamCon Foundation, is listed on SPEWS because it is hosted by AboveNet Inc. SPEWS has listed “a huge chunk of AboveNet,” Atkins said.

It is unknown how many e-mail administrators use SPEWS. Atkins, however, said that in the first two hours after Jared shut down, fewer than 5,000 e-mails from a client who sends millions per day bounced.

Ironically, Atkins said she believes SPEWS is generally pretty accurate.

Meanwhile, another prominent block list,, has been under increasing DDOS attacks since June, and its maintainer claims he knows who the culprits are.

“We more or less know the groups of spammers behind these attacks,” Steven Linford, chief executive of London-based, said in an e-mail exchange.

“They are mostly porn spammers [who use the services of] spam groups including Spamtraffic (, Spamsoft ( and SpecialHam ( What we don't have [are] hard facts but that's being worked on. Conducting DDoS attacks is a crime in the U.S. although most of the spammers care very little about laws.”

He said this latest round of attacks is related to the recent spread of the SoBig virus.

“[W]e saw a major increase in DDOS just after spammers released the SoBig.E worm in June (the predecessor to SoBig.F), designed to open thousands of new (“fresh”) proxy computers to relay spam through anonymously,” Linford said. “SoBig.E created literally tens/hundreds of thousands of 'zombie' machines, which the spammers then sold each other as 'fresh proxies' and sent billions of spam e-mails through (which is why there's been such a large increase in open proxy spam since June).”

Linford said his service has been able to weather the attacks because it has 24 servers in 10 countries.

“Osirusoft (and hence SPEWS) was mostly running off a DSL line,” he said. “It doesn't take much to bring a 'home use' DSL line to its knees.”

Other block lists reportedly under attack are and

Related Posts