CastleCops, Internet Crime Fighters
Is Increase in Malware Spam Linked to DDOS on CastleCops?
chris4877 (Sergeant, Premium Member; Joined: May 03, 2006; Posts: 114)
Posted: Sun Jul 20, 2008 7:13 am    Post subject: Is Increase in Malware Spam Linked to DDOS on CastleCops?

Hi, everyone!

I'm not sure if this is the right forum to post this one, so, if a moderator thinks there is a more appropriate forum for this topic, please feel free to move it (and let me know, of course).

Over the last several months, I have received an average of about 10 spams per month which contained links to malware. (I mean websites which either: (1) attempt to download malicious ActiveX controls, or: (2) get the visitor to click on a phony media player to watch some bogus news story, thereby downloading some kind of trojan or dropper to the local machine).

I have religiously reported every one of these to MIRT and anyone else who I thought might listen.

Lately (over the last two weeks or so), I have noticed a dramatic increase in the number of such messages. So far this month, I have reported 48 of them, and we still have 11 days to the end of the month (at least in my part of the world, anyway).

However, I have also noticed that CastleCops appears to have been under some kind of DDOS attack over about the last 10 days or so. CastleCops was unreachable from my machine for about the first 5 days, and has been quite difficult to reach since then, right up to today.

Now, I know that CastleCops has been taken down by DDOS attack before, and that it is almost always under some form of attack, anyway, but this latest one seems to have been nearly as bad as the one CastleCops had in 2007 (IIRC).

However, the last 10 days or so, when I was finding it extraordinarily difficult to connect to CastleCops, is also the period when my malware-related spam count suddenly skyrocketed! The 48 I have reported have nearly all arrived during the last 10 days!

Does anyone think that there might be a relationship between the increase in malware-related spam and the apparent DDOS attack on CastleCops?

I would be most interested to hear anyone else's opinion on this.

BTW, MIRT team: KEEP UP YOUR GREAT WORK!


_________________
Chris Souter
PaulW2 (Sergeant, Premium Member; Joined: May 04, 2006; Posts: 138; Location: UK)
Posted: Sun Jul 20, 2008 11:19 am

The contents of spam, as I have posted elsewhere, have certainly changed over the past month or two, but my method of reporting hasn't. I just forward anything that looks like spam to KnujOn and SpamCop without looking in great detail at exactly what I am reporting. Certain types of spam also get forwarded elsewhere. Interestingly, immediately after reading your post I received three spams sent to an e-mail address that I inherited when I took over a domain a few months ago. The format of each was the same but the actual contents were slightly different. Out of curiosity I went to one of the URLs. My virus scanner then sprang into life and stopped me going any further.

Maybe we all receive spam with links to malware but don't bother to check out the URL, so never know. If I have no specific reason to click on a link to check out a site then generally I don't and won't, so perhaps there are more links to malware out there than we suspect?

chris4877 (Sergeant, Premium Member; Joined: May 03, 2006; Posts: 114)
Posted: Sun Jul 20, 2008 1:23 pm

I agree entirely...

BTW, I was actually considering adding this to the thread about changes in spam content, but I felt it wasn't quite on-topic, so that's why I decided to start a new thread.

I report all my spam to KnujOn and SpamCop, just as you do. I was doing "confirmed" reports to SpamCop, but I found that the parser has been increasingly unable to resolve the spamvertised links, so I gave up on that and now I just do "quick" SpamCop reports. I can automate that with a Thunderbird filter. I use SpamAssassin to weed it out and T'bird just looks for *****SPAM***** in the subject line and forwards it all to SpamCop and KnujOn. The spams that SpamAssassin misses, I report manually. (Actually, I have several email addresses, only two of which ever receive any spam; in fact, those two addresses receive nothing but spam, so I can't train SpamAssassin on good vs. bad messages, because there aren't any good ones).

However, getting back on topic, when I was doing the "confirmed" SC reports, I noticed that some of the spams that SpamAssassin was missing were pointing to malware URLs, and that the URLs are always in a similar form, e.g., "http://www.some_domain_or_other.com/news.html", or ".../start.html", or something similar. Not only that, but the "whatever.com" part of the "www.whatever.com" (i.e., without the "../news.html" part), is a real website belonging to a real company, or, at least, it was in several instances that I checked. I haven't had time to check all of the 50 I have reported this month, but I checked about 10 of them last month and they all belonged to real companies! I use the Netcraft Toolbar for Firefox, an add-on which checks for phishing and other dangerous sites, and most of the top-level (I think that's the correct term) domains came up smelling like roses. However, like you, visiting the actual URLs would cause my AV (Kaspersky Internet Security) to go ballistic! So, I think that those company websites have most probably been hacked and they are hosting the malicious webpages unawares.

Now, I have always immediately reported such sites to MIRT, SpamCop (confirmed) and Malware.Com.Br, but my point is, that lately there has been a large increase in this type of spam, and it seems to have coincided with an apparent DDOS attack on CastleCops. I have just been wondering if these two things might be linked. I wonder if the SpamSlime have been DDOS-ing CastleCops so as to prevent reporting of this barrage of trojans/droppers, which, in turn, (given the number of clueless WindoZe UZers out there, who will click on virtually anything at all), would lead to a large increase in the already considerable size of their bot-army. Have the SpamScum, in fact, orchestrated the whole thing? (One reason I am asking this is that I have not seen any news articles about this latest apparent attack; any Google searches have only come up with articles about the 2007 attack, even though this one seems to have been almost as bad).

I have to say, if I wasn't retired and living on a "slightly-above-subsistence-level" pension, but instead had a "lazy" $20,000 lying around, I would donate the whole bloody lot to CastleCops, so that they could finally get their new servers and, hopefully, resist or repel such attacks. I really wish I were in a position to do that.

I guess what I'm saying is that this whole thing seems to be more than a coincidence.

Anyway, that's my two cents' worth.

What do you think?


_________________
Chris Souter
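A triage filter along the lines Chris describes above (forward anything SpamAssassin has tagged with *****SPAM***** automatically, and pull out for manual MIRT reporting the untagged messages whose links end in news.html or start.html on an otherwise ordinary-looking host). This is an added example in Python, not code from the thread or from CastleCops; the sample messages are constructed, and the action labels are my own assumption.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Subject tag that SpamAssassin adds when a message scores as spam (as in the post).
SPAM_TAG = "*****SPAM*****"
# Landing-page filenames the thread reports seeing on compromised company sites.
SUSPECT_PATHS = {"news.html", "start.html"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (not real spam); example.* hostnames are reserved names.
SAMPLES = [
    "Subject: *****SPAM***** Cheap watches\nContent-Type: text/plain\n\n"
    "Visit http://shop.example.net/offer\n",
    "Subject: Breaking news video\nContent-Type: text/plain\n\n"
    "Watch it now: http://www.example.com/news.html.\n",
    "Subject: Meeting notes\nContent-Type: text/plain\n\n"
    "Slides at http://intranet.example.org/slides/start.pdf\n",
]


def extract_urls(msg):
    """Collect URLs from every text part of a parsed message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # Strip trailing punctuation that the regex swallows ("...news.html.").
        urls.extend(u.rstrip(".,;)") for u in URL_RE.findall(part.get_content()))
    return urls


def classify_url(url):
    """Flag URLs whose final path element is one of the thread's suspect filenames."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return "hacked-site-pattern" if name in SUSPECT_PATHS else "other"


def triage(raw_message):
    """Decide how one message should be handled (action labels are my own assumption)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    flagged = [u for u in extract_urls(msg) if classify_url(u) == "hacked-site-pattern"]
    tagged = SPAM_TAG in subject
    if flagged:
        # Hacked-site URLs are the ones SpamAssassin tends to miss: queue a manual report.
        action = "manual: MIRT + SpamCop (confirmed)"
    elif tagged:
        # Already tagged by SpamAssassin: safe to forward automatically, as the filter does.
        action = "auto: quick SpamCop/KnujOn report"
    else:
        action = "none"
    return {"subject": subject, "tagged": tagged, "flagged_urls": flagged, "action": action}


def triage_all(messages=SAMPLES):
    """Run triage over a batch of raw messages and return the per-message decisions."""
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for r in triage_all():
        print(f"{r['action']:<38} {r['subject']!r} {r['flagged_urls']}")
```

Pointing the script at a mailbox of already-received messages never fetches the flagged URLs, so it can be run without the AV "going ballistic" that both posters describe.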
PaulW2 (Sergeant, Premium Member; Joined: May 04, 2006; Posts: 138; Location: UK)
Posted: Sun Jul 20, 2008 3:59 pm

chris4877 wrote:
I noticed that some of the spams that SpamAssassin was missing were pointing to malware URLs, and that the URLs are always in a similar form, e.g., "http://www.some_domain_or_other.com/news.html", or ".../start.html", or something similar.

Yes, that's how I identified the three I received earlier.

chris4877 wrote:
Now, I have always immediately reported such sites to MIRT

So do I, although as I have not identified that many in the past my uname is off the bottom of the MIRT ladder unless it's a quiet month.

chris4877 wrote:
One reason I am asking this is that I have not seen any news articles about this latest apparent attack; any Google searches have only come up with articles about the 2007 attack, even though this one seems to have been almost as bad)

I've felt somewhat uninformed over the past few weeks; maybe that's been done on purpose. This site is much more accessible now than it was a week ago, although the number of posts is down.

chris4877 wrote:

I guess what I'm saying is that this whole thing seems to be more than a coincidence.

I really don't know but I think you do have a point.

I'll certainly be looking at the URLs I'm seeing in spam more closely in future, although I don't like visiting the suspicious URLs I see too often, as I recently infected my laptop after being somewhat unfamiliar with my new AV program. I learnt a lot about ridding it of all the files that got installed.

Anyone else with any thoughts?

chris4877 (Sergeant, Premium Member; Joined: May 03, 2006; Posts: 114)
Posted: Sun Jul 20, 2008 10:35 pm

PaulW2 wrote:
So do I, although as I have not identified that many in the past my uname is off the bottom of the MIRT ladder unless it's a quiet month.

Well, I'm near the top, which is most unusual for me; I'm usually somewhere near the bottom, if I'm on it at all.

PaulW2 wrote:
I've felt somewhat uninformed over the past few weeks; maybe that's been done on purpose. This site is much more accessible now than it was a week ago, although the number of posts is down.

But it's still extremely slow, even compared with response speeds over the past 12 to 18 months (i.e., since the last big DDOS attack). I'm getting lots and lots of browser timeouts. Many times I have been obliged to make two, three, or even four attempts to get a page to load. Heaven only knows whether or not this reply will get posted, and when!

Also, probably the most frustrating thing for me is that I don't know and can't find an appropriate forum to discuss the DDOS. Nobody here is confirming or denying that there is one, in fact. Maybe there's a special, secret forum that is accessible only to the admins/mods.

Anyway, let's see if anyone else has any ideas, or maybe even definitely knows something!


_________________
Chris Souter
tetak (MIRT Team Lead, Premium Member; Joined: Jan 19, 2007; Posts: 5805)
Posted: Sun Jul 20, 2008 11:30 pm

I can neither confirm nor deny the existence of a DDoS forum, but I can post a link to it: CastleCops Link/f285-DDoS.html


_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
chris4877 (Sergeant, Premium Member; Joined: May 03, 2006; Posts: 114)
Posted: Mon Jul 21, 2008 2:23 am

Many thanks for the heads-up!

I shall start reading immediately!

Do you have any thoughts on my theory as outlined in my earlier posts in this thread?


_________________
Chris Souter
AlphaCentauri (SIRT Handler, Premium Member; Joined: Nov 20, 2003; Posts: 2776)
Posted: Mon Jul 21, 2008 8:21 am

I have done a lot of reporting for the sites you mention. Observations:

1. They are all hacked websites. Some are real companies, others appear to have been started up by someone who lost interest and never finished loading the website files. That type of site is very effectively handled by Spamcop. Spamcop users don't have to report any spams for this to happen, since they are almost certainly going to Spamcop's spamtraps. Spamcop then reports them to the ISP, which either shuts down the site or notifies the owner. The owner may or may not get around to doing something about the problem, but he's probably no more likely to respond to MIRT than to respond to Spamcop.

2. The malware is usually already well detected by antivirus programs. When I download samples to see if it is something I should report to CC's unknown files forum, they rarely meet the threshold of less than 50% of AV programs detecting them. So CC's list serve isn't really affecting them.

3. Without going into details, I can say that there is at least one person mailing spams with links to these sites that engages in retaliation against people who report those hacked sites, and that that person also mails for Sancash, particularly the replica sites. CC volunteers have been very effective at shutting down these domains recently since they have been getting more cooperation from Chinese registrars. In fact, the number of domains shut down as a direct result of CC volunteers reporting is in the tens of thousands within a short period, and CC's wiki is documenting that in an obvious way. So that mailer has reason to be in a retaliatory mood.

4. In addition to the DDoS against the forum, which has happened before, this attack affected the wiki and the de.castlecops.com forums, which had not been hit before. At the same time URIBL was also attacked. CC volunteers use URIBL as one of their sources of spammed domains, list the domains reported and the domains shut down on the wiki, and provide links on the wiki to URIBL. So a spammer who has had a lot of domains shut down and wondered why, might find a CC wiki page or a URIBL page very high on his google results.

5. In addition to receiving many more of these spams and having them link to many more different hacked websites, I and other people are noticing an increase in other spam despite the dramatic increase in domain suspensions. It's not a surprising outcome, since each spammed domain is only active a few hours -- the spammer has to work that much harder to not only get past a spam filter, but to have his domain still be alive if he does.

6. Obviously, the more malware you distribute, the more infected bots are available for DDoS. So if there is a DDoS in progress and IPs are being logged, having a supply of fresh ones is important.

tetak (MIRT Team Lead, Premium Member; Joined: Jan 19, 2007; Posts: 5805)
Posted: Mon Jul 21, 2008 12:58 pm

It's possible the 2 events are connected but I don't think they are.


chris4877 (Sergeant, Premium Member; Joined: May 03, 2006; Posts: 114)
Posted: Mon Jul 21, 2008 10:48 pm

tetak wrote:
It's possible the 2 events are connected but I don't think they are.


So you aren't convinced by AlphaCentauri's observations outlined above?

I have to say it sounds pretty convincing to me. The whole thing seems to have been quite well co-ordinated!

BTW, @PaulW2, I'm now on top of the list (behind that great MIRT and PIRT reporter without equal: Anonymous, a person of many talents: author, composer, and spam reporter par excellence!)


_________________
Chris Souter
secure_blue (Sergeant, Premium Member; Joined: May 05, 2006; Posts: 75; Location: USA)
Posted: Thu Jul 24, 2008 1:54 pm    Post subject: CC under attack ?

Since you mentioned the DoS attack, and with the additional realization that Paul will be pretty busy with MS, it seems to me it would be prudent to open multiple backup sites?
CC is so large that I'd prefer seeing spam topics broken out. Google Groups come to mind because they <may> be more resistant to DoS?

I could also look into opening a b.b. accessible only to registered users ?

Comments ?

AlphaCentauri (SIRT Handler, Premium Member; Joined: Nov 20, 2003; Posts: 2776)
Posted: Thu Jul 24, 2008 3:18 pm

Any antispam forum that actually accomplishes anything is going to be at risk of DDoS. KS Forums has been underground since last September because its second DDoS was more than the hosting service was willing to put up with. And it was a very small forum compared to CC, though we like to think we all did our best to piss off spammers.

(Hopefully it will be back open soon with better hosting.)

chris4877 (Sergeant, Premium Member; Joined: May 03, 2006; Posts: 114)
Posted: Thu Jul 24, 2008 11:23 pm    Post subject: Re: CC under attack ?

secure_blue wrote:
seems to me it would be prudent to open multiple backup sites?

I presume that's why CC is looking for donations towards new servers?

secure_blue wrote:
I'd prefer seeing spam topics broken out.

Maybe MIRT, PIRT and SIRT could all be separated from the rest?

secure_blue wrote:
Google Groups come to mind because they <may> be more resistant to DoS?

How much would that cost?

secure_blue wrote:
I could also look into opening a b.b. accessible only to registered users?

Well, how would that work? I'm also a registered user of KS, and I can't find them any more.


_________________
Chris Souter
tetak (MIRT Team Lead, Premium Member; Joined: Jan 19, 2007; Posts: 5805)
Posted: Sat Jul 26, 2008 2:24 am

The donation drive is for new, more powerful servers; it's a separate issue to the DDoS.

MIRT/PIRT/SIRT (*IRT) each runs as a separate process.

There are mirrors for some parts of the site but not the forums.


pwillener (SRT Trainee, Premium Member; Joined: Apr 17, 2006; Posts: 1749; Location: Japan)
Posted: Mon Aug 11, 2008 8:08 am

I am having a difficult time submitting the excessive amount of malware I am getting these days. However, I try to submit it all to MIRT within 24 hours.

But what I am wondering: are the handlers actually able to handle more than just a tiny portion of the submitted malware (with the current response times at CC)?
