Spamhaus under DDOS from AnonOps (Wikileaks.info)

Sent to a private anti-spam list I’m a member of…

From: Steve Linford at Spamhaus
Date: Sat, 18 Dec 2010 12:39:18 +0000

For speaking out about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps.

As our site can’t be reached now, we can not continue to warn Wikileaks users not to load things from the Heihachi IP. If you know journalists who would get this message out, please forward this message (entire) to them.

AnonOps did not like our article update, here’s what we said and what brought the ddos on us:

----

In a statement released today on wikileaks.info entitled “Spamhaus’ False Allegations Against wikileaks.info”, the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus’s information on his infamous cybercrime host “false” and “none of our business” and called on people to contact Spamhaus and “voice your opinion”. Consequently Spamhaus has now received a number of emails some asking if we “want to be next”, some telling us to stop blacklisting Wikileaks (obviously they don’t understand that we never did) and others claiming we are “a pawn of US Government Agencies”.

None of the people who contacted us realised that the “Wikileaks press release” published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks – but by the person running the wikileaks.info site only – the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the “press release” was issued “by Wikileaks”. In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirror sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.

Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian malware cybercriminals, to an audience that faithfully believes anything with a ‘Wikileaks’ logo on it.

Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We’re not saying “don’t go to Wikileaks” we’re saying “Use the wikileaks.ch server instead”.

----

Steve Linford
The Spamhaus Project
http://www.spamhaus.org

Update: The full Spamhaus warning concerning wikileaks.info is here. A similar warning made by Trend Micro is here.

Release of Private Wimp MLM

For those who follow my technical exploits…

SnertSoft is happy to announce Private Wimp, a simple lightweight mailing list manager that is free to download. Private Wimp has been used to manage several mailing lists for the past few months now.

It avoids the bloat of Majordomo, Mailman, and Ecartis. It is written entirely in C and so avoids the overhead of Perl or Python. Installation and configuration are short and simple; all list management can be done remotely by email; it always confirms subscribe/unsubscribe requests and admin commands; it handles bounce messages (discard, forward, or removal of unknown users); it supports four list types (announcement, trusted, closed moderated, open moderated); it keeps track of users that unsubscribe; and it provides a simple archive structure (similar to Ecartis).

The online documentation can be found here:

http://www.snertsoft.com/sendmail/wimp/

Learning New Tricks

I just love Google and Wikipedia for research. I spent the better part of today learning about the Lunar Standard Time (LST) proposal and the Julian Day Number (also the Calendar FAQ is very informative).

I even wrote JavaScript classes that implemented them. I thought it would be kind of neat, in an oddball, off-the-wall sense, like expressing the speed of light in furlongs per fortnight, to display them here on the blog (see sidebar right). I’ve even had an idea for a new RFC 😉

Anal-tics & Urchins

Google Analytics, or my preferred name for it, “google anal-tics”, is a service designed to provide web site owners with statistics about visitors’ movements on their site. One would think this is a simple and ordinary enough service and nothing to worry about.

However, I have two issues with this:

First, to achieve this data gathering, a web site is required to load, on each web page of interest, a JavaScript file called urchin.js from Google, or the more advanced ga.js file. Essentially a web site is telling your browser to execute some remote 3rd party script on your system. This is a BAD idea in terms of security, since it might be possible to hijack that script in transit and replace it with attack / hack code. Also, the script is not loaded securely via HTTPS, so no certificate authentication or validation of any kind is done; just blind trust that google-analytics.com has not been hijacked by DNS cache poisoning or that some intermediate web proxy hasn’t been compromised.

Second, I am interested in protecting my privacy online as much as possible these days. I already have a pretty big online footprint dating as far back as 1986; regardless, I see it as my right to restrict data collected about me. So whenever a web site asks for HTTP cookies or Flash Cookies (How to Manage Flash Settings), tries to load advertising, or tries to track my movements through scripts and/or cookies, I’ll go out of my way to block that from happening.

So when a web site loads urchin.js or ga.js, it is going to communicate information about visitors back to Google. I find this an invasion of my online privacy. What I do online is my business, not Google’s. Google already has enough data about what search terms I look for (this can be controlled through Google, though who knows if it is honoured or not). Frankly I don’t think Google or any other 3rd party advertiser needs to know where and what the frack I’m doing.

Simple solution: use a URL blocker, like Bork Bork Bork! or Adblock Plus, to block urchin.js, ga.js, and/or anything from google-analytics.com from being accessed. If you don’t want to use a URL blocker, this can also be achieved by adding an entry like the following to the Unix or Mac OS X /etc/hosts file (Windows has an equivalent at C:\WINDOWS\system32\drivers\etc\hosts):

127.0.0.1  www.google-analytics.com

Most web sites where google-analytics.com has been blocked are designed well enough to continue functioning. However, there are a small handful of web sites that refuse to do anything when the tracking code is not loaded. Typical bad design on the web site’s part. In the end I see Google Anal-Tics as evil and choose not to do business with web sites that expect me to put up with that shit.
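
An added example (not part of the original post): a small Node.js audit that lists a page's third-party script tags and flags the ones fetched over plain HTTP, the hijack-in-transit risk raised in the first issue above. It goes slightly beyond the post by also flagging a missing integrity attribute (Subresource Integrity); the function name, the sample HTML and every host other than google-analytics.com are constructed for illustration.

```javascript
// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script type="text/javascript" src="http://www.google-analytics.com/urchin.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
</head></html>`;

// Return one finding per third-party <script src>, with the issues it raises.
// auditScripts is a hypothetical helper name, not an existing API.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = srcRe.exec(attrs);
    if (!src) continue;                    // inline script, nothing fetched
    const raw = src[1] ?? src[2] ?? src[3];
    let url;
    try {
      url = new URL(raw, page);            // resolves relative and //host forms
    } catch {
      continue;                            // unparseable src, skip it
    }
    if (url.host === page.host) continue;  // first-party script
    const issues = [];
    // Plain HTTP: any on-path proxy or poisoned DNS answer can swap the code.
    if (url.protocol === 'http:') issues.push('plain-http');
    // No integrity hash: the browser runs whatever the remote host returns.
    if (!/(?:^|\s)integrity\s*=/i.test(attrs)) issues.push('no-integrity');
    findings.push({ host: url.host, path: url.pathname, issues });
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, 'http://blog.example.org/post'));
```

The protocol-relative ga.js tag inherits the page's scheme, so the same markup is flagged as plain-http on an HTTP page but not when the page itself is served over HTTPS.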