Denial of Service Attacks disguised as Spam...
[The purpose of this note is to change your thinking about Spam]

Enormous amounts of this so-called "spam" is nothing of the sort, it is malicious people using mail ports to conduct denial of service attacks. And the sooner we wake up to this fact the better.

We need a new word for this and to publicize this new attitude. Because as soon as someone says "spam" all that comes to mind is a Sanford Wallace type pathetically trying to make a buck with annoying advertising, and people (in particular law enforcement) just won't give "annoying advertising" a moment's thought.

But I assert that we're dealing with crime and criminals here who aren't selling anything. Look at the several consecutive log entries attached below ("SpamF" and "PATMATCH" mean the msg was blocked by our spam filters.) We're receiving about *30,000* of these per day, non-stop, full-blast, every few seconds, for days. The fact that not one of these is getting past our filters doesn't seem to discourage this person, not even over a period of days. The network address of the mail relay source has been hacked (notice how it changes with every msg), the address ("billy@bingo.edu") is phony and forged. This person has gone to great length to hide their identity and to make it difficult to block them at the router level. Blocking the message itself is relatively easy, but I don't think they care, just so long as they can hammer at your mail port day and night.

Dec 31 14:36:29 5C:world sendmail[3098]: SpamF: <billy@bingo.edu> (relay=po1.synapse.or.jp [202.208.174.131]) PATMATCH
Dec 31 14:37:09 5C:world sendmail[3614]: SpamF: <billy@bingo.edu> (relay=www.dma.be [195.13.24.2]) PATMATCH
Dec 31 14:37:10 5C:world sendmail[3623]: SpamF: <billy@bingo.edu> (relay=at.atnet.it [193.207.30.132]) PATMATCH
Dec 31 14:37:22 5C:world sendmail[3765]: SpamF: <billy@bingo.edu> (relay=mail.vienna.at [194.158.143.44]) PATMATCH
Dec 31 14:37:23 5C:world sendmail[3775]: SpamF: <billy@bingo.edu> (relay=seus.metoc.ns.doe.ca [131.235.30.50]) PATMATCH

This person is not the only source of this, others are doing the same thing. I don't believe this person is actually selling anything. Can I repeat that?

I DON'T BELIEVE THIS PERSON IS ACTUALLY SELLING ANYTHING

I do believe this is a malicious person who has learned that if you stick some text in a message that appears to be selling something law enforcement's mind will go blank and nothing (effective) will be done. "It's just annoying advertising, ignore it".

The analogy which comes to mind is a town where door to door salesmen can't be considered trespassers on your doorstep. So a group of people who want to annoy you don what appear to be door to door salesmen accouterments (eg, a suitcase full of new household brushes) and stand and bang and bang and bang on your door, day and night. And you tell them to go away. And they ignore you, they keep banging. So you call the police, and they say "he's a door to door salesman, the law allows him to bang on your door! People bang on people's doors all the time. Stop calling us, we can't do anything, ask him to leave or ignore him."

We're being fooled, we're allowing criminals to operate without challenge.

-- -Barry Shein Software Tool & Die | bzs@world.std.com | http://www.std.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
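The post above makes its case from five consecutive sendmail log lines: one forged envelope sender, a different relay on every message, seconds apart. A defender wanting to tell that pattern apart from ordinary filtered advertising in a busy log can measure exactly those properties. The following is an added example, not code from the post or from the mailing list: it parses the quoted SpamF lines (plus two constructed lines for a contrasting, low-volume blocked sender, marked as such in the code), aggregates per envelope sender, and flags senders whose message rate is high and whose relay set is nearly as large as their message count. The thresholds and the helper names (parse_line, summarize, flag_floods, relay_ips) are illustrative choices made here, not anything the thread specifies.

```python
import re
from datetime import datetime

# The five consecutive sendmail entries quoted in the post above.
# "SpamF" = blocked by the local spam filter, "PATMATCH" = matched a pattern rule.
PAGE_LOG = """\
Dec 31 14:36:29 5C:world sendmail[3098]: SpamF: <billy@bingo.edu> (relay=po1.synapse.or.jp [202.208.174.131]) PATMATCH
Dec 31 14:37:09 5C:world sendmail[3614]: SpamF: <billy@bingo.edu> (relay=www.dma.be [195.13.24.2]) PATMATCH
Dec 31 14:37:10 5C:world sendmail[3623]: SpamF: <billy@bingo.edu> (relay=at.atnet.it [193.207.30.132]) PATMATCH
Dec 31 14:37:22 5C:world sendmail[3765]: SpamF: <billy@bingo.edu> (relay=mail.vienna.at [194.158.143.44]) PATMATCH
Dec 31 14:37:23 5C:world sendmail[3775]: SpamF: <billy@bingo.edu> (relay=seus.metoc.ns.doe.ca [131.235.30.50]) PATMATCH
"""

# Constructed contrast lines (NOT from the page): an ordinary blocked advertiser,
# two messages from one fixed relay, half an hour apart.
CONSTRUCTED_LOG = """\
Dec 31 14:20:01 5C:world sendmail[2901]: SpamF: <deals@example.invalid> (relay=mx.example.invalid [192.0.2.10]) PATMATCH
Dec 31 14:50:44 5C:world sendmail[4102]: SpamF: <deals@example.invalid> (relay=mx.example.invalid [192.0.2.10]) PATMATCH
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: SpamF: "
    r"<(?P<sender>[^>]*)> \(relay=(?P<relay>\S+) \[(?P<ip>[\d.]+)\]\) (?P<rule>\w+)$"
)


def parse_line(line):
    """Parse one SpamF log line into a dict, or return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year, so strptime yields year 1900; that is fine
    # for spans within one day (a Dec 31 -> Jan 1 rollover would need the year
    # supplied by the caller).
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "sender": m.group("sender").lower(),
            "relay": m.group("relay"), "ip": m.group("ip"), "rule": m.group("rule")}


def summarize(lines):
    """Aggregate count, distinct relays/IPs and time span per envelope sender."""
    per_sender = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_sender.setdefault(rec["sender"], {
            "count": 0, "relays": set(), "ips": set(), "first": rec["ts"], "last": rec["ts"]})
        s["count"] += 1
        s["relays"].add(rec["relay"])
        s["ips"].add(rec["ip"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
    return per_sender


def rate_per_hour(stats):
    """Messages per hour over the observed span (span floored at 1 s)."""
    span = (stats["last"] - stats["first"]).total_seconds()
    return stats["count"] * 3600.0 / max(span, 1.0)


def flag_floods(per_sender, min_count=5, min_rate_per_hour=120.0, min_relay_ratio=0.5):
    """Return senders that look like a relay-hopping flood rather than one advertiser.

    Illustrative thresholds (assumed here, not from the thread): at least min_count
    messages, sustained at min_rate_per_hour or more, with distinct relays making up
    at least min_relay_ratio of the messages (one relay per message is a ratio of 1.0).
    """
    flagged = {}
    for sender, stats in per_sender.items():
        relay_ratio = len(stats["relays"]) / stats["count"]
        rate = rate_per_hour(stats)
        if stats["count"] >= min_count and rate >= min_rate_per_hour and relay_ratio >= min_relay_ratio:
            flagged[sender] = {"count": stats["count"], "rate_per_hour": round(rate, 1),
                               "distinct_relays": len(stats["relays"])}
    return flagged


def relay_ips(per_sender, sender):
    """Sorted relay IPs seen for a sender, e.g. as input to a router-level block list."""
    return sorted(per_sender.get(sender, {"ips": set()})["ips"])


if __name__ == "__main__":
    summary = summarize((PAGE_LOG + CONSTRUCTED_LOG).splitlines())
    for sender, info in flag_floods(summary).items():
        print(sender, info, relay_ips(summary, sender))
```

On the five quoted lines the forged sender shows five messages in 54 seconds (about 333 per hour) from five different relays, so it is flagged; the constructed advertiser sends two messages from one relay half an hour apart and is not. The relay list the flood produces is the thing Brad Reynolds' later reply warns about: blocking it is only ever reactive, because the set changes with every message.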
Perhaps there are two classes of SPAM. There are the ones which are sent from a mailing list of KNOWN users, and then there are those which I've seen myself that just start at A, and blast names down the list until the program reaches Z. AOL falls victim to this on many occasions. While I'd like to see all SPAM go away, you will probably never get rid of the people who do the former. It's much like filling out any survey, and then you get USPS mail for eons relating to the questions you answered. It is inevitable that we will be placed on mailing lists and those lists will be sold. I do agree that we need to treat this as a DoS, but better methods of tracing the user and then stopping them need to be established. In many respects, he is forging his identity and I cannot imagine that forgery is legal. -ravi -- Ravi H Pina * "There are only two ways to live your life. One is as ravi@iagnet.net * though nothing is a miracle. The other is as though DID:216.523.2615 * everything is a miracle." NOC:800.424.3223 * -- Albert Einstein
many respects, he is forging his identity and I cannot imagine that forgery is legal.
The ability to send anonymous email will probably remain protected. Also, the legal beagles I know tell me it is perfectly legal to use an alias as long as it is not done for fraudulent purposes. The issue of DoS vs. annoying selling methods comes down to intent. If there is no product, then one or more laws are being violated: Offering non-existent products for sale is a fraudulent activity. It is a federal offense if it involves interstate commerce. If it is intra-state, then usually only state laws apply. Intentional damage to a computer system engaged in interstate commerce is a federal offense. The FBI and/or the local police fraud unit should be able to help. Identifying the source of someone sending 30,000 messages a day for a week should be a doable task. --Dean ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Plain Aviation, Inc dean@av8.com LAN/WAN/UNIX/NT/TCPIP http://www.av8.com ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
I guess I'm not making my point very well. I'm not talking in metaphors, I'm not saying that some spammers IN EFFECT cause denial of service attacks. I am saying that individuals who want to harm sites, and have nothing whatsoever to sell, act like spammers to perform their maliciousness. For example, they take some old "MAKE MONEY FAST!!!" text and bang it at a site 300,000 times in a day, as fast as they can, hoping to cause that site grief, just like a smurf or SYN attack or whatever. Why? Because as another major site administrator agreed with me in private mail, relating specific incidents: You call an upstream ISP/NSP or the FBI or whatever and their minds cloud and they say "oh yes, SPAM, annoying isn't it? We get hundreds of complaints like this a day we'll try to get to yours eventually, but I'd recommend just deleting it <click>." It's not as effective, but it looks to me like it's completely and 100% safe because the entire system which might track them down and prosecute them completely collapses as soon as the word "spam" is mentioned, all minds go off, form responses are sent back from automailers, and nothing happens. It's kind of like calling to complain about real telephone harassment (eg, someone calling you with obscenities and threats at all hours of the day and night) and having the telco person say "oh! telemarketers! yes I find them annoying also, but there's not a lot that can be done, sorry! <click>" WHAT I AM SAYING IS we have the usual malicious, cracker sociopaths who last week were trying to break into your routers and systems now blasting you with millions of mail msgs they grabbed from somewhere, not to sell something but out of the same sort of motivation that moved them to crack your systems or do smurf attacks or whatever, because they know that if it LOOKS LIKE spam no one will do anything to them. Hell, no one will even really investigate beyond maybe "ah well another spam load from some throwaway account".
I'm really going to go down in flames trying to make this distinction aren't I? -- -Barry Shein Software Tool & Die | bzs@world.std.com | http://www.std.com Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD The World | Public Access Internet | Since 1989 *oo*
On Mon, 5 Jan 1998, Barry Shein wrote:
Why? Because as another major site administrator agreed with me in private mail, relating specific incidents: You call an upstream ISP/NSP or the FBI or whatever and their minds cloud and they say "oh yes, SPAM, annoying isn't it? We get hundreds of complaints like this a day we'll try to get to yours eventually, but I'd recommend just deleting it <click>."
The simple thing to do is null route the offending host(s) until they call you and ask you to turn it off. If they don't and you don't get any complaints from your customers, then all is good :) -Steve P.S. I find this route is very effective when dealing with sites that source malicious behavior and refuse to deal with it.
On Tue, 6 Jan 1998, Steve Noble wrote:
The simple thing to do is null route the offending host(s) until they call you and ask you to turn it off. If they don't and you don't get any complaints from your customers, then all is good :)
-Steve
This is a reactive solution to the problem. Though there are times when the only solution you have is to attempt to quell the problem through a plethora of ugly ip route statements, I hardly think it is a good solution to the problem. Any person looking to harm your network with intent greater than that of a passing whim would probably decide to change his/her ip address after realizing that a host suddenly became unreachable. brad reynolds ber@cwru.edu
On Mon, 5 Jan 1998, Barry Shein wrote:
I'm not talking in metaphors, I'm not saying that some spammers IN EFFECT cause denial of service attacks.
I am saying that individuals who want to harm sites, and have nothing whatsoever to sell, act like spammers to perform their maliciousness.
For example, they take some old "MAKE MONEY FAST!!!" text and bang it at a site 300,000 times in a day, as fast as they can, hoping to cause that site grief, just like a smurf or SYN attack or whatever.
A variant of this approach is that taken by a customer of a customer of ours, who subscribed someone he didn't like to 130 very active email lists. Fortunately (or unfortunately, depending on how you look at these things) he did it rather carelessly, we keep extensive logs, and the FBI and the UK Computer Crime unit were both very interested. -- Jim Dixon VBCnet GB Ltd http://www.vbc.net tel +44 117 929 1316 fax +44 117 927 2015
[The purpose of this note is to change your thinking about Spam]
Enormous amounts of this so-called "spam" is nothing of the sort, it is malicious people using mail ports to conduct denial of service attacks. And the sooner we wake up to this fact the better.
We need a new word for this and to publicize this new attitude. Because as soon as someone says "spam" all that comes to mind is a Sanford Wallace type pathetically trying to make a buck with annoying advertising, and people (in particular law enforcement) just won't give "annoying advertising" a moment's thought.
Good point. Perhaps the best analogies for the law types are the junk-faxing laws. It's outsiders maliciously consuming a particular resource.
The fact that not one of these is getting past our filters doesn't seem to discourage this person, not even over a period of days.
Yeah, but the person sending them may not be able to tell that they're not getting through.
I don't believe this person is actually selling anything.
Can I repeat that?
I DON'T BELIEVE THIS PERSON IS ACTUALLY SELLING ANYTHING
Out of curiosity, have you looked at the content of the message? It's interesting that this may be a DoS attack, where there are other things one can do to try and deny service. (Although, setting up somebody else's mail server to repeatedly connect is in fact a pretty legit DoS in and of itself...)
We're being fooled, we're allowing criminals to operate without challenge.
-- -Barry Shein
Are they criminals? I don't know if I want to get into a debate about "criminal" vs. "doing something nasty that's not been declared illegal". Either way, I agree that there should be moves to curb this sort of repeated contact, whether it's a deliberate attack or not. eric
On Mon, 5 Jan 1998, Eric Osborne wrote:
Are they criminals? I don't know if I want to get into a debate about "criminal" vs. "doing something nasty that's not been declared illegal". Either way, I agree that there should be moves to curb this sort of repeated contact, whether it's a deliberate attack or not.
What about representing yourself to be from another domain (e.g. AOL.COM) so that the rejects/flames/etc. go to an innocent agent? Isn't that a form of fraud? - James D. Wilson netsurf@sersol.com
On Jan 5, NetSurfer <netsurf@sersol.com> wrote:
What about representing yourself to be from another domain (e.g. AOL.COM) so that the rejects/flames/etc. go to an innocent agent? Isn't that a form of fraud?
Yes, and both AOL and Compuserve have won civil court cases based on that. ********************************************************* J.D. Falk voice: +1-650-482-2840 Supervisor, Network Operations fax: +1-650-482-2844 PRIORI NETWORKS, INC. http://www.priori.net "The People You Know. The People You Trust." *********************************************************
I would be interested to know: Have there been any court cases in which the plaintiff (spam victim) sued the defendant (spamming asshole) for monetary compensation for damages, due to the fact that the plaintiff's e-mail carried a signature along the lines of "$x charge per spam message received"? (no other factors of significance involved...)...? OR... incidents in which such a "spam fee" was actually paid outside of court? It would be interesting to find out how effective such a threat really is. Thanks, Adam On Wed, 7 Jan 1998, J.D. Falk wrote:
On Jan 5, NetSurfer <netsurf@sersol.com> wrote:
What about representing yourself to be from another domain (e.g. AOL.COM) so that the rejects/flames/etc. go to an innocent agent? Isn't that a form of fraud?
Yes, and both AOL and Compuserve have won civil court cases based on that.
********************************************************* J.D. Falk voice: +1-650-482-2840 Supervisor, Network Operations fax: +1-650-482-2844 PRIORI NETWORKS, INC. http://www.priori.net "The People You Know. The People You Trust." *********************************************************
On Jan 7, Adam Rothschild <asr@millburn.net> wrote:
I would be interested to know:
Have there been any court cases in which the plaintiff (spam victim) sued the defendant (spamming asshole) for monetary compensation for damages, due to the fact that the plaintiff's e-mail carried a signature along the lines of "$x charge per spam message received"? (no other factors of significance involved...)...?
OR... incidents in which such a "spam fee" was actually paid outside of court?
It would be interesting to find out how effective such a threat really is.
To the best of my knowledge (and I follow this closely, though I no longer read the news.admin.net-abuse.* groups due to my limited time and their overwhelming lack of substance), nobody has ever collected based on such threats. In some instances, however, that specific spam has stopped. We should probably continue this elsewhere, perhaps spam-policy or a similar list. ********************************************************* J.D. Falk voice: +1-650-482-2840 Supervisor, Network Operations fax: +1-650-482-2844 PRIORI NETWORKS, INC. http://www.priori.net "The People You Know. The People You Trust." *********************************************************