419Eater DDoS'd?

We've had a report that the popular scambaiting site 419Eater and the anti-scam site Scamwarners are the latest anti-spam sites to fall victim to a distributed denial of service (DDoS) attack. Both sites are down at this time. Details are hard to come by, but there's apparently been speculation that the attack originated from a Russian spamgang.

The Russians are pretty much the 'usual suspects' for any kind of DDoS attack. There's good reason to believe that the Zhelatin (Storm Worm) gang have been behind a number of other DDoS attacks this year, including an attack against anti-spam sites and download sites operated by a rival spam gang. Zhelatin are known to have spare capacity at the moment. There have been reports that they have built up a botnet containing more than a million computers, not all of which are currently being used for stock and pill spam.

For spam gangs like Zhelatin, a DDoS attack is just another item on the menu. When the firehose of the Zhelatin botnet gets turned on your site, it doesn't mean that it's the gang themselves who have singled you out for attack. It's more likely that the attack has been commissioned by one of their customers. In the same way that a customer can order a stock spam run, they can request a DDoS attack (although it has been claimed that DDoS attacks cost more than regular spam runs, because there is a greater risk that ISPs or law enforcement will react aggressively to shut down the machines involved).

Have the Nigerians paid to have 419Eater taken offline? While the picture we have of 419 scammers suggests that there are many people playing that particular game, there may be a few big fish who would have the money to commission an attack and an interest in seeing their particular enemies targeted. Still, it's unclear how much 419Eater would really have affected the scammers' business. While the site has some educational value and must certainly be an annoyance to some of the less sophisticated 419'ers (who waste time and energy on 'prospects' who turn out to be pranksters), it doesn't interfere directly with the spammer's business in the same way as, say, a blacklist site. Scamwarners, on the other hand, appears to be a more general anti-scam site, whose remit also covers such organized crime favorites as money transfer scams.

Earlier attacks have often seemed to be 'flavored', with several anti-spam sites of the same type hit simultaneously. For example, a Zhelatin attack against spamnation.info earlier this year also targeted other sites focusing on stock spam. Other attacks have targeted blacklists, anti-malware and anti-spyware sites, and general 'umbrella' sites like Spamhaus (although Spamhaus is probably under attack 365 days a year, so it may be hard to distinguish an attack from background noise). The current attack, with its focus on anti-scam sites, seems to fit that pattern.

Update: It seems that the DDoS attack has targeted additional sites. Artists Against 419 was also hit recently (according to admins from that site, they had recently had some success in getting scam sites taken down, which apparently didn't go down well with the scammers). Another useful anti-scam site, CastleCops, has also been hit, along with other sites hosting anti-spam forums. One scam-fighter commented:

It kind of makes me smile though: we have definitely impacted somebody's profits ... Always a good day when that's the case.

It definitely looks as if this attack run was bought and paid for by the fake-check scammers and the phishers.
