Rise in Latvian botnets prompts Spamhaus row
Small nation battles rudeness
Concerns over the rising tide of nuisance and malicious email from Latvia have sparked an acrimonious dispute between anti-spam organisation Spamhaus and the country's top-level domain registry.
NIC.LV, which administers .lv web addresses, has branded Spamhaus "impolite, arrogant and even rude" after it added a large chunk of Latvian IP addresses to its anti-spam list. As a result "thousands of Internet users – academic users, state and municipal institutions, non-profit organisations, companies, and individuals" were cut off, it claimed.
For its part, a bemused Spamhaus says it merely followed its normal procedures, and the allegations of rudeness are the result of language barriers.
The row dates back to June. Over the previous year, Spamhaus' monitoring staff had measured a steady increase in Latvian spam and DDOS traffic, particularly from a small ISP called Microlines.
It's unclear who the offending cybercriminals were, but in common with its normal practice, Spamhaus contacted Microlines' abuse address to ask them to take down the relevant servers. When no response came, researchers added the firm's IP range to Spamhaus blocklist which is used by ISPs to cut the volume of spam entering their networks.
Spamhaus next followed its escalation procedures, which involve using RIPE data to discover who is routing the spam and reporting it to their abuse department. The aim is to force cybercriminals to at least keep hopping ISPs, a ruse that often means they leave tell-tales identifying evidence for law enforcement agencies to trace.
Microlines' spam-filled traffic was being routed by Latnet Serviss, a larger ISP. Spamhaus contacted the RIPE-registered abuse address and again received no response. It added part of what it believed was Latnet's IP range to the blocklist, based on a traceroute of the abuse address.
Unbeknown to Spamhaus, however, Latnet Serviss had effectively outsourced management of its abuse department to the University of Latvia's Institute of Mathematics and Computer Science, which houses both NIC.LV and the country's Computer Emergency Response Team (CERT).
As a result, the Institute and many other organisations were effectively cut off from the internet. This got the attention of the NIC.LV, and it wasn't happy.
Although the block on the Institute's IP addresses was removed within hours following an exchange of emails, earlier this month it released a furious open letter to mailing lists accusing Spamhaus of incompetence and protesting at the perceived injustice.
"No internet user should be punished for the actions of another internet user," it wrote. "As nations around the globe recognise that access to the internet is a basic human right it is unnacceptable to block access of those who have not committed any illegal or improper acts."
David, a Spamhaus researcher (they do not publicise their full identities), blamed NIC.LV's problems on its failure to update the RIPE records, and Latnet Serviss' failure to promptly deal with Microlines' spam.
"Spamhaus... thinks nic.lv, latnet.lv and their one-man 'CERT team' are cluelessly negligent in their handling of Latvian criminal botnet controllers we continually brought to their attention and which they ignored for so long," added Steve Linford, the founder of Spamhaus.
Once the block had been switched to its IP addresses, during its own spiky email exchange with Spamhaus, Latnet Serviss protested it should not be blocklisted because "we are one of the biggest internet providers in Latvia".
Spamhaus replied: "Ok. And Latvia is one of the smallest nations in the world."
NIC.LV perceived a slight against Latvia and wrote: "This sentence graphically illustrates the attitude of Spamhaus. It seems unbelievable that someone like Spamhaus treats incidents depending on the size of the internet user community."
According to David, Spamhaus was merely trying to say that it doesn't care what country spam is coming from or who is routing it: it will block anyone.
Nevertheless, NIC.LV is now calling for an "independent adjudicator to mediate on issues of disagreement between any entity exercising its power in an unjust way and the internet user community". ®
Sponsored: Becoming a Pragmatic Security Leader