
Wikileaks DDoS of Spamhaus: Political Activism at Its Dumbest

Neil Schwartzman

A week ago, Paul Vixie wrote a thoughtful piece on the morality of DDoS, for both sides of the equation of the Wikileaks issues. In it he summarizes things nicely:

Denial of service is not merely a peaceful protest meant to garner attention for a cause. Denial of service is forcible and it is injurious. It is not like any form of civil disobedience, but rather it is criminal behaviour more like looting.

Well said, Paul. I find myself vacillating between sympathy for Wikileaks, and their right to publish and the need to have them publish what they have, and the need to preserve security, national and international. I atypically don't come down firmly on one side or the other. Activism of their sort keeps our society sane, but yet, lives may have been put at risk by their disclosure. I truly can't be pro or con to the issue.

What I can rail against readily is people who bring THE DUMB, and the people behind the DDoS in the pro-Wikileaks camp have bought it, and brought it, wholesale, it seems. wikileaks.info is a fake mirror of Wikileaks, sitting in a sewer of malware. The IP had long been listed at Spamhaus; the venerable anti-abuse blacklist had included it in their offerings. When the wikileaks.info site was put up to capitalize on the current furor, it too was listed.

AnonOps, in their blind fervour to uphold free speech by censorship, decided Spamhaus was in the wrong, dismissed their explanation, and have taken down the Spamhaus website. As far as I know, this has not interrupted DNS lookups nor rsync of their services, but it has impeded their ability to warn people off going to that one site, which is virtually guaranteed to get someone p0wned.

Steve Linford posted the following:

"As our site can't be reached now, we can not continue to warn Wikileaks users not to load things from the Heihachi IP. If you know journalists who would get this message out, please forward this message (entire) to them."

* * *

In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of our business" and called on people to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies".

None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirror sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch.

Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it.

Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks" we're saying "Use the wikileaks.ch server instead".

* * *

By Neil Schwartzman, Executive Director, The Coalition Against Unsolicited Commercial Email - CAUCE.

Related topics: Cyberattack, Cybercrime, Cybersecurity, DDoS, Law, Malware, Spam




1) Russian criminals have control over the Anonymous Coward  –  Dec 18, 2010 10:39 PM PDT

1) Russian criminals have control over the wikileaks.org and wikileaks.info domains and are distributing malware. The current real wikileaks website is wikileaks.ch.

2) Spamhaus has been telling people about (1).

3) The Russian criminals are now retaliating by using their botnets to DDoS Spamhaus under the flag of AnonOps.

4) Some of the people who call themselves Anonymous may or may not also be participating in the DDoS against Spamhaus because they are idiots.

Do you really trust these people? Fred Showker  –  Dec 19, 2010 6:18 AM PDT

Whom are we to believe? Wikileaks? Or some of the leads now floating around from inside the beltway that at least some of the posts from Wikileaks are NOT identical to their originals in the outboxes of senders.

Hmmmmm. For Wikileaks to establish themselves as "credible" would open the door to huge windfalls of profits as a "news source" ... yet a hard drive of ascii text files? And, why so long between posts??? Hmmmm. Did you think they are not reading the content? Are they selecting just the ones to post?

Why does everyone automatically trust Wikileaks at face value?

Did you think that the kind of persons who employ techniques of cyber criminals would NOT exploit the opportunity to 'edit' text files prior to posting ??? Did you think they would not want to advance their own agenda?

Who actually believes what they read in Wikileaks?

Are they the same people who believe everything they read on the internet?

