Update on mail bombing threats--words fail me--enjoy the laugh
I posted recently about a recent mailbombing threat apparently originating from Cyberpromo. Many of you may have received this, but I must share it for those who haven't seen it...the specter of Cyberpromo being victimized by Nasty Evil Spammers had me laughing so hard tears ran down my face and my ribs hurt.

Howard

------

Received: from cyber3.7.nostoppingittop (daemon@[206.154.151.19]) by mail.clark.net (8.7.3/8.6.5) with ESMTP id UAA24805 for <hcb@clark.net>; Mon, 6 Jan 1997 20:51:28 -0500 (EST)
Received: (from daemon@localhost) by cyber3.7.nostoppingittop (8.7.4/8.7.3) id UAA05715; Mon, 6 Jan 1997 20:53:44 -0500 (EST)
Date: Mon, 6 Jan 1997 20:53:44 -0500 (EST)
Message-Id: <199701070153.UAA05715@cyber3.7.nostoppingittop>
From: abusebot@savetrees.com (Mail AutoResponder)
To: "howard c. berkowitz" <hcb@clark.net>
Subject: RESPONSE FROM CYBERPROMO

Version 1-4-97:

Cyber Promotions has recently terminated several accounts for abuse of our policies. (Updated TOS at end of message). Cyber Promotions will not tolerate irresponsible commercial email activities.

The following email accounts have been *recently TERMINATED...

*noci@cyberpromo.com        1-4-97:  Spamming with THREATS!
jrtkjs@savetrees.com        10-9-96: Forgery and spamming INTERNET
jrtkjs@answerme.com         ""       ""
dollars@savetrees.com       Non-existent account. The account was forged by the people who opened the accounts above.
info1@cyberpromo.com        10-8-96: Unsolicited ads to INTERNET addresses
changes@answerme.com        9-30-96: Unsolicited ads to INTERNET addresses
changes@cyberpromo.com      9-30-96: Unsolicited ads to INTERNET addresses
changes@savetrees.com       9-30-96: Unsolicited ads to INTERNET addresses
catalog@savetrees.com       9-30-96: Unsolicited ads to INTERNET addresses
catalog@cyberpromo.com      9-30-96: Unsolicited ads to INTERNET addresses
catalog@answerme.com        9-30-96: Unsolicited ads to INTERNET addresses
eleven@answerme.com         9-28-96: Forgeries
eleven@savetrees.com        9-28-96: Forgeries
eleven@answerme.com         9-28-96: Forgeries
tsahk@cyberpromo.com        9-27-96: Unsolicited ads to INTERNET addresses
tsahk@answerme.com          9-27-96: Unsolicited ads to INTERNET addresses
icssender@omni.cyberpromo.com 9-19-96: FORGED unsolicited email, making it appear that Cyberpromo's auto-sender was responsible. If you are in receipt of the message, please look through the headers and complain to the appropriate postmasters.
networkes@answerme.com      9-17-96: Ignored remove requests
networkes@cyberpromo.com    9-17-96: Ignored remove requests
networkes@savetrees.com     9-17-96: Ignored remove requests
reminders@answerme.com      9-17-96: Unsolicited ads to INTERNET addresses
reminders@savetrees.com     9-17-96: Unsolicited ads to INTERNET addresses
reminders@cyberpromo.com    9-17-96: Unsolicited ads to INTERNET addresses
salespromo@answerme.com     9-16-96: Unsolicited ads to INTERNET addresses
salespromo@savetrees.com    ""       ""
salespromo@cyberpromo.com   ""       ""
promo@answerme.com          ""       ""
promo@savetrees.com         ""       ""
promo@cyberpromo.com        ""       ""
info4free@answerme.com      ""       ""
info4free@savetrees.com     ""       ""
info4free@cyberpromo.com    ""       ""
manda@cyberpromo.com        8-28:    Massive abuse to INTERNET addresses / FORGERY
manda@answerme.com          8-28:    Massive abuse to INTERNET addresses / FORGERY
website@cyberpromo.com      8-27:    excessive abuse to AOL / removals ignored
sevenmil@cyberpromo.com     8-27:    excessive abuse / all removals ignored
sevenmil@answerme.com       8-27:    ""       ""
vera@cyberpromo.com
vera@answerme.com
zol@answerme.com
website@answerme.com
allied@cyberpromo.com
allied@answerme.com
lists@cyberpromo.com
lists@answerme.com

Cyber Promotions is *not* in business to annoy people. We are in the business of sending (and assisting in sending) commercial (and noncommercial) email to people who are *not* offended by the receipt of these messages. Unfortunately, due to many experiences (many of which were out of our control) we have had some problems accomplishing our goals without upsetting some people. We are truly sorry about that fact, and we plan to "clean up the streets" as best as we can.

Some people have been under the impression that all email that appears to come from cyberpromo.com is from Cyber Promotions. That is not true. Most of the complaints that we have recently received have been in reaction to people who have "autoresponders" and "virtual email addresses" on our system. In that case, their mail would have referenced an account on our system, but originated from a different site. Unfortunately, software like Pegasus enables their mail to appear as if it came from us, directly. But, their true origination is still evident in the headers. You can determine where it originated if you know how to decode headers. But when doing so, remember that Pegasus, for example, actually logs into *our* sendmail. At this time, the only messages that originate from Cyber Promotions use our proprietary Cyber Sender 5.0+ protocol, which will always be indicated in the Organization: header.

Due to these "look alikes," it could appear that recipients' remove requests were being ignored. WE DO NOT IGNORE REMOVE REQUESTS. Please note: we have no control over mail that originates from other sites and travels through our SMTP (relay-host) servers. We will simply terminate any accounts that we maintain that are referred to in their abusive mail.
ATTENTION PRODIGY MEMBERS: It has come to Cyber Promotions' attention that some of you are having a major problem removing yourselves from our lists. This can be attributed to the "alias" that your outgoing mail may contain. If you are having problems, please send an email to manremove@cyberpromo.com and type both of your email addresses in the body of the message, each on its own line, without any comments. The subject line is ignored. You probably have one address like xazd35r@prodigy.com and another address like sanford@prodigy.com.

ATTENTION PIPELINE MEMBERS: It has come to Cyber Promotions' attention that some of you are having a major problem removing yourselves from our lists. This can be attributed to the "alias" that your outgoing mail may contain. If you are having problems, please send an email to manremove@cyberpromo.com and type your email addresses in the body of the message, each on its own line, without any comments. The subject line is ignored. You should type your email id followed by the following THREE domains: @usa.pipeline.com, @pipeline.com, @nyc.pipeline.com. Even if you feel that your address is definitely only one of the three possibilities, you should still remove all three addresses (each on its own line).

ATTENTION INTERNET USERS: It has come to Cyber Promotions' attention that some of you are having a major problem removing yourselves from our lists. This can be attributed to the "alias" that your outgoing mail may contain. If you are having problems, please send an email to manremove@cyberpromo.com and type your email addresses in the body of the message, each on its own line, without any comments. The subject line is ignored. If your email address could contain an alias like mail.domain.com, or if you may have more than one email address that points to another email address, you should remove them all. If you wish to remove *every* email address in your domain, please contact us, and we will "grep" out every possibility.
REVISED TERMS OF SERVICE:

1. We do not allow postings to inappropriate newsgroups with reference to your account because such postings result in *MUCH* more negative response than positive.

2. We prohibit the advertising of offensive material (i.e. pornography, weapons, etc).

3. You may not use the account to participate in illegal activities.

4. Our TOS strictly prohibits the sending of mass commercial emails to INTERNET addresses, unless express permission has been granted to you by the recipient. In addition, you *must* honor all requests for removal from your mailing list in a diligent manner. Our service can be used in conjunction with advertisements that you place with a bulk email company other than your own or us, as long as they follow the same guidelines.

5. Cyber Promotions reserves the right to terminate any account for any reason at any time, without notice.
On Tue, 7 Jan 1997, Howard C. Berkowitz wrote:

> I posted recently about a recent mailbombing threat apparently originating from Cyberpromo. Many of you may have received this, but I must share it for those who haven't seen it...the specter of Cyberpromo being victimized by Nasty Evil Spammers had me laughing so hard tears ran down my face and my ribs hurt.
Unfortunately, this culprit has been operating in hit and run mode for a while, and has made good on his threats, but not exactly how you might think. I am going to stick to calling him the "culprit" for liability reasons. Bear with me, there are some serious lessons at the end.

The culprit had a free web page at joes.com from Joe Doll advertising "Hair Tonic" or some such. Joe Doll has a no spam policy. The culprit then did a spam to promote his page and Joe pulled it. The culprit then emailed a threatening note to Joe Doll requesting his page be restored. Joe Doll then received a second note notifying Joe of a pending revenge spam of 1 million emails.

On Friday Morning, January 3rd, we started receiving a continuous stream of phone calls complaining of a spam from joes.com (subject "El Cheapo..."). Somebody using an ibm.net dialup connection was sending out a barrage of spam in Joe Doll's name, forged to appear from joe@joes.com and written to be flame bait. We immediately began to receive wave after wave of retaliatory strikes in the form of email bombs, SYN attacks, ping bombs, and a variety of other denial of service attacks. It would have been interesting had it not been threatening our business.

We were forced to continuously manually prune the mail queue on our primary server. (People are creative when sending email bombs; there are many that randomize everything.) After we figured out that the specific address for joes.com was being SYN attacked, we undefined the interface alias he was on. We also changed his MX record to "read.news.admin.net-abuse.email" to try to get some of the attackers to stop. (I recognized some of their domains as nanae regulars after scanning the group.)

By the way, we did try to contact IBM by email and by phone. We received a trouble ticket acknowledgement back on Saturday. On Monday IBM closed the culprit's accounts, but apparently forgot to clear out their mail queue.
I have received reports that people are still getting the forged joes.com spam from ibm.net, implying that some email must have still been queued.

For more information about this specific culprit see http://www.ca-probate.com/yuri.htm

Here are the lessons:

* If somebody sends out 1 million flame bait emails forged to be in your name and only 1% of the recipients are technical, you have 10,000 people that hate you and know how to do something about it. Even 100 determined hackers can throw a major wrench in your works. Point: This is an extremely serious security issue.

* Currently, due to lack of clear criminal law in this area, many net vigilantes handle spam by exacting revenge in their own way. However, this type of "frontier justice" has a low level mob mentality and is apt to make incorrect decisions.

* If we don't want everybody to take the law into their own hands, then we need to get the legal system involved.

* However, while existing civil statutes offer one avenue, the saying is "you can't get blood from a turnip". Most spammers spam because they don't have anything better to do, and therefore don't have significant assets.

I am going to briefly mention two laws. I know this is nanog, but I must leave a starting point for the next victim of this type of attack. After talking with the FBI, I was informed that Federal 18 USC 1030 ibid. does not apply. (I have no idea what it actually says, but many admins thought it applied.) A helpful netizen informed us about US Code Title 487 Section 227. However, Section 401, which covers enforcement provisions, refers to "the Commission". The agent in the FBI Computer Crimes Division we have been working with thinks this means the FCC.

Hurricane Electric has limited resources for this sort of thing and we are going to have to let this whole issue drop. I guess we just have to wait until somebody forges 1 million emails from whitehouse.gov or something like that.

Mike.
+------------------- H U R R I C A N E - E L E C T R I C -------------------+
| Mike Leber             Direct Internet Connections      Voice 408 282 1540 |
| Hurricane Electric     Web Hosting & Co-location        Fax   408 971 3340 |
| mleber@he.net                                           http://www.he.net  |
+---------------------------------------------------------------------------+
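Both messages in this thread turn on the same point: the From: line is whatever the sender typed, while the Received: chain is written by the mail servers that actually handled the message. The Cyber Promotions note says the "true origination is still evident in the headers", and Mike's incident was mail forged to appear from joe@joes.com but injected from an ibm.net dialup. The script below is an added example, not code from either poster or from Hurricane Electric: it walks the Received: chain from the earliest hop upward, reports the host and IP that first handed the message in, and compares that with the From: domain. The first sample is the autoresponder header block Howard forwarded; the second is a constructed forged message whose hostnames, ids and IPs (documentation range) are invented for the example. The comparison is a cue to read the chain, not proof of forgery, and only the Received: line added by your own server can be trusted; every line below it was supplied by the previous hop.

```python
import re
import email
import email.utils

# Sample 1: the Received chain from the autoresponder message forwarded in
# this thread; the body is replaced by a placeholder.
AUTORESPONDER = """\
Received: from cyber3.7.nostoppingittop (daemon@[206.154.151.19]) by mail.clark.net (8.7.3/8.6.5) with ESMTP id UAA24805 for <hcb@clark.net>; Mon, 6 Jan 1997 20:51:28 -0500 (EST)
Received: (from daemon@localhost) by cyber3.7.nostoppingittop (8.7.4/8.7.3) id UAA05715; Mon, 6 Jan 1997 20:53:44 -0500 (EST)
Date: Mon, 6 Jan 1997 20:53:44 -0500 (EST)
Message-Id: <199701070153.UAA05715@cyber3.7.nostoppingittop>
From: abusebot@savetrees.com (Mail AutoResponder)
To: "howard c. berkowitz" <hcb@clark.net>
Subject: RESPONSE FROM CYBERPROMO

(body omitted)
"""

# Sample 2 (constructed): From: claims joe@joes.com and the sender even said
# HELO joes.com, but the receiving server recorded the dialup host and IP it
# really saw. Hostnames, queue ids and 192.0.2.x addresses are made up.
FORGED = """\
Received: from mail.example.net (mail.example.net [192.0.2.5]) by mx.example.org with ESMTP id AAA00001; Fri, 3 Jan 1997 09:00:00 -0800 (PST)
Received: from joes.com (dialup-17.example-pop.ibm.net [192.0.2.10]) by mail.example.net with SMTP id AAA00002; Fri, 3 Jan 1997 08:59:00 -0800 (PST)
From: joe@joes.com
To: someone@example.org
Subject: El Cheapo...

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into the name the sender claimed (HELO),
    what the receiving MTA observed (reverse DNS / IP), and the receiver."""
    text = " ".join(value.split())  # unfold and normalise whitespace
    hop = {"helo": None, "observed": None, "ip": None, "by": None, "local": False}
    m = re.match(r"\(from\s+([^)]+)\)", text)
    if m:  # "(from user@localhost)": injected locally on the "by" host
        hop["local"] = True
        hop["helo"] = m.group(1)
    else:
        m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", text)
        if m:
            hop["helo"] = m.group(1)
            info = m.group(2) or ""
            ipm = IP_RE.search(info)
            if ipm:
                hop["ip"] = ipm.group(1)
            for tok in info.split():  # first plain token is the resolved name
                if "[" not in tok and "@" not in tok:
                    hop["observed"] = tok
                    break
    m = re.search(r"\bby\s+(\S+)", text)
    if m:
        hop["by"] = m.group(1)
    return hop


def trace(raw):
    """Return hops ordered earliest-first. Servers prepend Received: lines,
    so the last header in the message is the first hop."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def origin(hops):
    """Host/IP that first handed the message in, plus the name it claimed."""
    if not hops:
        return None
    first = hops[0]
    if first["local"]:
        host, ip = first["by"], None
        # the next hop saw this host connect and usually logged its IP
        if len(hops) > 1 and hops[1]["helo"] == host:
            ip = hops[1]["ip"]
        return {"host": host, "ip": ip, "claimed": host}
    return {"host": first["observed"] or first["helo"],
            "ip": first["ip"], "claimed": first["helo"]}


def sender_check(raw):
    """Compare the From: domain with the observed origin host."""
    msg = email.message_from_string(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    o = origin(trace(raw)) or {"host": None, "ip": None, "claimed": None}
    host = (o["host"] or "").lower()
    return {"from_domain": from_domain, "origin_host": host, "origin_ip": o["ip"],
            "claimed_name": o["claimed"],
            "from_domain_matches_origin": host == from_domain
            or host.endswith("." + from_domain)}


if __name__ == "__main__":
    for name, raw in (("autoresponder", AUTORESPONDER), ("forged", FORGED)):
        print(name, sender_check(raw))
```

Run it and the forged sample reports a claimed name of joes.com against an observed origin of dialup-17.example-pop.ibm.net [192.0.2.10], which is exactly the discrepancy an abuse desk needs before it blames the domain in the From: line. The page's own autoresponder sample resolves to cyber3.7.nostoppingittop at 206.154.151.19, the host that the next server in the chain recorded as connecting to it.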