News your connection to The Boston Globe
Today's Globe  |   Latest News:   Local   Nation   World   |    Education   Obituaries   Special sections  

Saboteurs hit spam's blockers

Internet vandals have found a new target: a group of online services that seek to block billions of unwanted spam e-mail messages.

The services, called "blocklists," are used by many Internet providers and major corporations to shield e-mail recipients from overwhelming amounts of junk mail. Subscribers link their e-mail servers to the blocklist, which automatically rejects any incoming e-mail from an address that is believed to be a source of spam.

Now the blocklisters are being overwhelmed by Internet saboteurs who harness large numbers of computers to bombard their victims with vast amounts of junk data.

In a technique called a "distributed denial of service attack," vandals exploit security flaws to plant programs, called "Trojan horses," on thousands of Internet-connected computers. They then order the Trojan horse programs to spew useless data at a targeted machine.

It's the equivalent of having 100,000 people dial the same phone number, over and over, at the same time. Such attacks can knock a computer offline simply by swamping it with more data than it can handle.

In recent weeks, say blocklist operators, a series of such attacks have been aimed at their computers, in what they view as a deliberate effort to force them off the Internet.

"Bad things are going on, very bad things," said Ron Guilmette, a Roseville, Calif., software engineer who runs a blocklist at Guilmette said his service has been battered by distributed denial of service attacks since last Tuesday, but so far he has fended off the assault.

"I fortunately was able to withstand the onslaught, at least until now," he said.

Spamhaus, one of the most prominent blocklists, has been under fire for 2 1/2 months, says its chief executive, Steve Linford.

"We're usually under attack from 5,000 to 10,000 servers at once," Linford said, with incoming data flows as large as 100 million bytes per second. "They're extremely large attacks that would bring down just about anything." But Spamhaus, with 16 servers scattered through 10 countries, has been able to ride it out, Linford said.

Julian Haight, creator of Seattle-based blocklist Spamcop, recently signed up with a new Internet service that provides enough bandwidth to fend off distributed denial of service assaults. "Prior to that," said Haight, "Spamcop was down for a few days," knocked off the Internet by ceaseless attacks.

Other blocklist operators have fared even worse. Australian antispammer Matthew Sullivan says his Spam & Open Relay Blocking System has been under constant digital assault for the past month, forcing Sullivan to scale back his operation. "I still have two servers null routed [disconnected] and unavailable to the world," Sullivan said in an e-mail.

The attackers have managed to drive one popular blocklist entirely offline. On Tuesday, Californian Joe Jared shut down his Osirusoft blocklist in an unexpected manner. Jared blocklisted all Internet addresses worldwide. As a result, businesses that relied on his list were suddenly unable to receive any e-mail at all, even legitimate e-mail.

"He said . . . I'm going to blacklist the world. And by golly, he did," said Jim Miller, network administrator at Simutronics Corp., a St. Charles, Mo., firm that formerly used the Osirusoft blocklist.

Jared expressed regret for the way he shut down his blocklist. "I thought there had to be a better way to do it," Jared said. "But there wasn't."

Jared said his blocklist server also hosted the website for his small business, which makes shoe inserts for people with foot problems. He couldn't shut down the blocklist server without also closing his business website, so he chose to make the blocklist unusable by blocking everything.

He said he'd spent weeks trying to fend off the denial of service attacks against his servers, but "they just beat the hell out of them. . . . I just can't be attacked like that."

Jared isn't sure he'll ever run a blocklist again. "What I am going to do is take a vacation," he said. "I need one."

News of the attacks on blocklist servers comes as the Internet is still reeling from a series of attacks by fast-spreading worm programs. One of the worms, Blaster, was designed to launch distributed denial of service attacks against Internet computers run by Microsoft Corp. Another, SoBig.F, planted Trojan horse software on infected computers, which could also have been used to carry out such attacks.

Computer security experts say there's no reason to assume a connection between the recent worms and the attacks on blocklist sites. They said that millions of computers worldwide were already infected with Trojan horse programs, even before the recent spate of worms. Vandals can take control of these machines and launch Internet attacks at will.

"I don't think the people who do this sort of thing need a SoBig," said Alfred Huger, senior director of engineering for the security response team at antivirus software maker Symantec Corp. "There are many worms out there that plant programs for doing denial of service attacks. Lots of them."

None of the victims have any idea who is behind the attacks. The FBI is investigating the SoBig worm, but tracking down the creator of a worm or Trojan horse is extremely difficult. Spamcop's Haight theorizes that the increasingly sophisticated attacks suggest a link with organized crime, but admits he hasn't a shred of evidence.

"We all would love to know who it is," Haight said, "but nobody does."

Hiawatha Bray can be reached at

Globe Archives Today (free)
Yesterday (free)
Past 30 days
Last 12 months