Proposed Media Defender Flood Defeated with Two Mouse Clicks Drew Wilson | September 25, 2007 Last week’s email leak will probably be the most famous leak in p2p history. Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes The emails contained detailed communications between Media Defender employees. Hidden amongst the vacation photos and internal testing statistics was a plan to flood the eDonkey2000 network in an effort to decoy copyrighted files. The idea was to bypass search filters to post decoy files via any string the user puts in the search box. While this idea might not be new to seasoned P2P users, the way to defeat this proposal is surprisingly simple. The idea surfaced when one employee found a familiar bogus file being returned in several search results during routine internal testing. The employee then made a search string that shouldn’t return results. The search string was placed within a file name and returned as a result. He then notified other employees about this finding and felt that it could be used in their efforts to flood the network with similar files. Not surprisingly, further study was done and they found that the file that kept getting returned in these fake results contained malware and a link to a website. Unfortunately for Media Defender, they still didn’t know what caused the search string to be pasted into a file which includes other text such as ‘fast secure eMule downloads for (insert search string here).rar’ Whoever set this up was also smart enough to cause the results to return no matter what filters were used. Media Defender, in their emails, demonstrated that if you filter the search query to only files with a minimum of 50MB (as they are all less than 1MB) the results were still returned. Of course, if Media Defender actually got a working system that copied this scheme, one can only imagine what they could be capable of doing to the average user using the network via eMule. Their worry was that if they spent a lot of time getting such a system up and running, the eMule development team would add a few lines of code that would block this effort. One Media Defender assured the others that the main eMule development team never program to defeat Media Defender’s tactics and that plans for this system should go ahead. Clearly, they saw potential in this exploit. Unfortunately, nowhere in the emails does it propose how users could defeat such a scheme. In fact, the only proposal of reprogramming emule is harder than what is actually capable of defeating the flood idea – and it only takes two mouse clicks to do it. When a user performs a search and finds the files seemingly bypassing the filters, as well as incorporating the search string into the file name, that user can simply right click on the result and click ‘mark as spam’. While reprogramming the client is also an idea (and a better idea in the long term) the idea of flooding the network in this manner has already been defeated. While it is unclear whether the Media Defender’s ‘eDonkey2000 team’ was even aware of it, it is clear that this is simply another sign that development of P2P applications has always been at least a step ahead of those who want to circumvent the system for malicious purposes. Drew Wilson on Twitter: @icecube85 and Google+.