
Confusion reigns over Lycos Europe spam attack site

Published: 03-December-2004

Lycos Europe NV has faced the backlash from its controversial Make Love Not Spam screensaver project, with retaliatory attacks and ISP blocking apparently leading to the service being temporarily turned off.


All week, the company has been asking Internet users to download a screensaver that uses idle computer time to make repeated HTTP requests to sites identified by Lycos Europe as hosting content advertised in spam.

The system was roundly criticized by network and security professionals as being irresponsible, potentially illegal, childish, poorly conceived, prone to causing collateral damage, and likely to provoke retaliation from criminal spammers.

For many hours the makelovenotspam.com web site displayed merely a logo with the legend "Stay Tuned". Links to the page were removed from some of the portal company's national home pages, such as lycos.de.

Yet many web users found that instead of reaching that apparently official but non-functional holding page, they instead found themselves looking at a page that closely resembled a defacement, presumably executed by a malicious hacker.

For at least three days this "defaced" page has read: "Yes, attacking spammers is wrong, you know this, you shouldn't be doing it. Your IP address and request have been logged and will be reported to your ISP for further action."

For most of one day, the "defaced" page had new text: "Also, note: This machine is not hacked, this page is returned for EVERY request. Thanks for noticing though." The page, and source HTML, gave no indication of who wrote it.

Lycos Europe dismissed this as a hoax, spokespeople reportedly suggesting that spammers were circulating images of the "defacement" to web sites and reporters. This was not the case.

"In a DDoS attack ISPs usually try to blacklist the DDoS controller," said the SANS Institute's Johannes Ullrich. "The most efficient way is just to block traffic to the controller and this is essentially what happened here."

According to Ullrich, many ISPs treated the screensaver site's IP address as a bot controller, the hub through which DDoS attackers control thousands of zombie hosts and direct attacks against their targets.

The "defaced" page has now started displaying the text: "Error 404: Document Not Found" with no indication about who wrote it. It was evidently not a genuine web server error, as the "Stay Tuned" page was simultaneously accessible.

Antivirus firm F-Secure Corp said it had received three reports from users who were seeing the "defaced" page. Readers of Computerworld in Australia and New Zealand reported seeing the "defaced" page.

A spokesperson for MCI, who said she was presented with the defaced-looking version of the page from her own MCI Internet connection, could not clarify why this was the case before we went to press last night.

According to Netcraft Ltd, an Internet monitoring firm based in London, Global Crossing Ltd is blocking makelovenotspam.com on its entire global backbone network. A Global Crossing spokesperson did not return a call for comment on the matter.

Netcraft also said it had a report that Cox Communications, a major cable provider serving the US residential market, was blocking the site. A Cox spokesperson told ComputerWire that Cox is definitely not blocking the site.

The Lycos Europe campaign bore all the hallmarks of a distributed denial of service attack, but for the fact that the "bots" are actually willing end users, rather than hidden processes on PCs that have been compromised by worms.

The company said it intended the program to reduce the spam sites' bandwidth down to 5% capacity, not zero. The idea is to eat up bandwidth, increasing the cost of hosting spam sites and making it uneconomical to send spam.

ISPs could be within their rights to block such attacks, when their subscribers are participating in them. Ullrich said it is standard practice to block bot controllers when they can be identified. These controllers are often IRC servers.

In this instance a web server is being blocked, meaning users cannot voluntarily visit the site regardless of whether they intend to participate in the attack. The cryptic, malicious-looking "defacement" also gave no indication of who was behind it.

Some sites targeted by the campaign have retaliated, as critics predicted. Sporadic reports of makelovenotspam.com downtime have been tied to retaliatory DDoS attacks (as well as to the 'Slashdot effect' of too much legitimate traffic).

According to F-Secure, one targeted "spam" site, moretgage.info, was rewritten to repeatedly hit makelovenotspam.com, potentially causing DDoS-like conditions, and potentially reflecting the screensaver attacks back at Lycos Europe.
