Rise in Latvian botnets prompts Spamhaus row

Small nation battles rudeness

Concerns over the rising tide of nuisance and malicious email from Latvia have sparked an acrimonious dispute between anti-spam organisation Spamhaus and the country's top-level domain registry.

NIC.LV, which administers .lv web addresses, has branded Spamhaus "impolite, arrogant and even rude" after it added a large chunk of Latvian IP addresses to its anti-spam list. As a result "thousands of Internet users – academic users, state and municipal institutions, non-profit organisations, companies, and individuals" were cut off, it claimed.

For its part, a bemused Spamhaus says it merely followed its normal procedures, and the allegations of rudeness are the result of language barriers.

The row dates back to June. Over the previous year, Spamhaus' monitoring staff had measured a steady increase in Latvian spam and DDoS traffic, particularly from a small ISP called Microlines.

It's unclear who the offending cybercriminals were, but in keeping with its normal practice, Spamhaus contacted Microlines' abuse address to ask them to take down the relevant servers. When no response came, researchers added the firm's IP range to the Spamhaus blocklist, which is used by ISPs to cut the volume of spam entering their networks.

Spamhaus next followed its escalation procedures, which involve using RIPE data to discover who is routing the spam and reporting it to their abuse department. The aim is to force cybercriminals to at least keep hopping ISPs, a ruse that often means they leave tell-tale identifying evidence for law enforcement agencies to trace.

Microlines' spam-filled traffic was being routed by Latnet Serviss, a larger ISP. Spamhaus contacted the RIPE-registered abuse address and again received no response. It added part of what it believed was Latnet's IP range to the blocklist, based on a traceroute of the abuse address.

Unbeknown to Spamhaus, however, Latnet Serviss had effectively outsourced management of its abuse department to the University of Latvia's Institute of Mathematics and Computer Science, which houses both NIC.LV and the country's Computer Emergency Response Team (CERT).

As a result, the Institute and many other organisations were effectively cut off from the internet. This got the attention of NIC.LV, and it wasn't happy.

Although the block on the Institute's IP addresses was removed within hours following an exchange of emails, earlier this month NIC.LV released a furious open letter to mailing lists accusing Spamhaus of incompetence and protesting at the perceived injustice.

"No internet user should be punished for the actions of another internet user," it wrote. "As nations around the globe recognise that access to the internet is a basic human right it is unacceptable to block access of those who have not committed any illegal or improper acts."

David, a Spamhaus researcher (they do not publicise their full identities), blamed NIC.LV's problems on its failure to update the RIPE records, and Latnet Serviss' failure to promptly deal with Microlines' spam.

"Spamhaus... thinks nic.lv, latnet.lv and their one-man 'CERT team' are cluelessly negligent in their handling of Latvian criminal botnet controllers we continually brought to their attention and which they ignored for so long," added Steve Linford, the founder of Spamhaus.

Once the block had been switched to its IP addresses, during its own spiky email exchange with Spamhaus, Latnet Serviss protested it should not be blocklisted because "we are one of the biggest internet providers in Latvia".

Spamhaus replied: "Ok. And Latvia is one of the smallest nations in the world."

NIC.LV perceived a slight against Latvia and wrote: "This sentence graphically illustrates the attitude of Spamhaus. It seems unbelievable that someone like Spamhaus treats incidents depending on the size of the internet user community."

According to David, Spamhaus was merely trying to say that it doesn't care what country spam is coming from or who is routing it: it will block anyone.

Nevertheless, NIC.LV is now calling for an "independent adjudicator to mediate on issues of disagreement between any entity exercising its power in an unjust way and the internet user community". ®
