On Tue, 7 Jan 1997, Howard C. Berkowitz wrote:
I posted recently about a recent mailbombing threat apparently originating from Cyberpromo. Many of you may have received this, but I must share it for those who haven't seen it...the specter of Cyberpromo being victimized by Nasty Evil Spammers had me laughing so hard tears ran down my face and my ribs hurt.
Unfortunately, this culprit has been operating in hit-and-run mode for a while, and has made good on his threats, but not exactly how you might think. I am going to stick to calling him the "culprit" for liability reasons. Bear with me, there are some serious lessons at the end.

The culprit had a free web page at joes.com from Joe Doll advertising "Hair Tonic" or some such. Joe Doll has a no-spam policy. The culprit then did a spam to promote his page and Joe pulled it. The culprit then emailed a threatening note to Joe Doll requesting his page be restored. Joe Doll then received a second note notifying Joe of a pending revenge spam of 1 million emails.

On Friday morning, January 3rd, we started receiving a continuous stream of phone calls complaining of a spam from joes.com (subject "El Cheapo..."). Somebody using an ibm.net dialup connection was sending out a barrage of spam in Joe Doll's name, forged to appear from joe@joes.com and written to be flame bait. We immediately began to receive wave after wave of retaliatory strikes in the form of email bombs, SYN attacks, ping bombs, and a variety of other denial of service attacks. It would have been interesting had it not been threatening our business.

We were forced to continuously manually prune the mail queue on our primary server. (People are creative when sending email bombs; there are many that randomize everything.) After we figured out that the specific address for joes.com was being SYN attacked, we undefined the interface alias he was on. We also changed his MX record to "read.news.admin.net-abuse.email" to try to get some of the attackers to stop. (I recognized some of their domains as nanae regulars after scanning the group.)

By the way, we did try to contact IBM by email and by phone. We received a trouble ticket acknowledgement back on Saturday. On Monday IBM closed the culprit's accounts, but apparently forgot to clear out their mail queue.
I have received reports that people are still getting the forged joes.com spam from ibm.net, implying that some email must have still been queued.

For more information about this specific culprit see http://www.ca-probate.com/yuri.htm

Here are the lessons:

* If somebody sends out 1 million flame bait emails forged to be in your name and only 1% of the recipients are technical, you have 10,000 people that hate you and know how to do something about it. Even 100 determined hackers can throw a major wrench in your works. Point: This is an extremely serious security issue.

* Currently, due to lack of clear criminal law in this area, many net vigilantes handle spam by exacting revenge in their own way. However, this type of "frontier justice" has a low-level mob mentality and is apt to make incorrect decisions.

* If we don't want everybody to take the law into their own hands, then we need to get the legal system involved.

* However, while existing civil statutes offer one avenue, the saying is "you can't get blood from a turnip". Most spammers spam because they don't have anything better to do, and therefore don't have significant assets.

I am going to briefly mention two laws. I know this is nanog, but I must leave a starting point for the next victim of this type of attack. After talking with the FBI, I was informed that Federal 18 USC 1030 ibid. does not apply. (I have no idea what it actually says, but many admins thought it applied.) A helpful netizen informed us about US Code Title 487 Section 227. However, Section 401, which covers enforcement provisions, refers to "the Commission". The agent in the FBI Computer Crimes Division we have been working with thinks this means the FCC.

Hurricane Electric has limited resources for this sort of thing and we are going to have to let this whole issue drop. I guess we just have to wait until somebody forges 1 million emails from whitehouse.gov or something like that.

Mike.
+------------------- H U R R I C A N E - E L E C T R I C -------------------+
| Mike Leber             Direct Internet Connections      Voice 408 282 1540 |
| Hurricane Electric     Web Hosting & Co-location        Fax   408 971 3340 |
| mleber@he.net                                           http://www.he.net  |
+---------------------------------------------------------------------------+