Spam linked to DDoS attacks against social networking websites

In early August, a number of very well-known social networking websites were reported to be victims of distributed denial of service (DDoS) attacks. According to MessageLabs, the attacks appear to be linked with a “Joe Job” style spam run against an anti-Russian blogger.

A “Joe Job” is a spam technique that spoofs the “From:” email address using a real email address (i.e. an unsuspecting victim) to make it appear as though that person was responsible for the email. The spam run was estimated at less than one percent of all spam at that time and distributed from a currently unclassified botnet. The run was significantly smaller compared with some of the more recent spam runs, such as the URL-shortening attacks from Donbot.

Here’s an example of one of these messages which actually originated from an IP address in Brazil, a hot spot for botnet-infected computers. The email From: address was spoofed, to appear as though it was from a company based in Ohio:

Although it is presumed that this spam run contributed to the DDoS attacks on these social networking websites, it is unlikely that this run alone could have caused all the reported disruption, suggesting that there was something else involved. MessageLabs Intelligence suggests that a botnet was also used to conduct the DDoS attack in parallel, with compromised computers under the botnet’s control commanded to, in an automated way, open the page of the targeted social networking website.