DOS Attack Via US Postal Service
Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree,
a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"
Automated Denial-of-Service Attack Using the U.S. Post Office
In December 2002, the notorious spam king Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.
Ironic, definitely. But more interesting is the related paper by security researchers Simon Byers, Avi Rubin and Dave Kormann, who have demonstrated how to automate this attack.
If you type the following search string into Google -- request catalog name address city state zip -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms. You'll have to do some parsing of the forms, but it's not too difficult. (There are actually a few more problems to solve. For example, the search engines normally don't return more than 1,000 actual hits per query.) When you're done, voila! It's Slashdot's attack, fully automated and dutifully executed by the U.S. Postal Service.
If this were just a nasty way to harass people you don't like, it wouldn't be worth writing about. What's interesting about this attack is that it exploits the boundary between cyberspace and the real world. The reason spamming normally doesn't work with physical mail is that sending a piece of mail costs money, and it's just too expensive to bury someone's house in mail. Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the Post Office and catalog mailings. All the pieces are required for the attack to work.
And there's no easy defense. Companies want to make it easy for someone to request a catalog. If the attacker used an anonymous connection to launch his attack -- one of the zillions of open wireless networks would be a good choice -- I don't see how he would ever get caught. Even worse, it could take years for the victim to get his name off all of the mailing lists -- if he ever could.
Individual catalog companies can protect themselves by adding a human test to their sign-up form. The idea is to add a step that a person can easily do, but a machine can't. The most common technique is to produce a text image that OCR technology can't understand but the human eye can, and to require that the text be typed into the form. These have been popping up on Web sites to prevent automatic registration; I've seen them on Yahoo and PayPal, for example.
If everyone used this sort of thing, the attack wouldn't work. But the economics of the situation means that this won't happen. The attack works in aggregate; each individual catalog mailer only participates to a small degree. There would have to be a lot of fraud for it to be worth the money for a single catalog mailer to install the countermeasure. (Making it illegal to send a catalog to someone who didn't request it could change the economics.)
Attacks like this abound. They arise when an old physical process is moved onto the Internet, and is then automated in some unanticipated way. They're emergent proper
Re: Google and DOS Attack Via US Postal Service (Score:1, Informative)
263K hits last time I tried it.
Re:this works for normal spam as well... (Score:4, Informative)
How about a digital pager DDOS attack? (Score:5, Informative)
Take:
Empirically, 1000 pagers (at 3-4 dial sequences per minute) equals about 4 days of constant calls to the victim's phone. How I know this is another discussion...
Of course, this was more effective when digital pagers were much, much more popular. Today, it probably wouldn't go over as well, but back in the late 80s and early 90s, it worked flawlessly. Essentially, it was distributed crank calling before the "DDOS" term was coined.
The most interesting part was that the pager companies explicitly refused to do anything about it. No tracing of calls, no attempts to halt sequential dialing, etc. Not their problem.
Re:Post office "DOS" Attack is gonna backfire (Score:3, Informative)
You have to be kidding. Most catalogs by request are sent FIRST CLASS because most companies don't send enough mail every day or week to get bulk. Yes, Sears does, but for every Sears that sends a catalog there are 50 "Bob's Hottubs" that have catalogs by request that do not send enough regularly enough to get a discount. If you are not sending out at least 1000 pieces in one whack. Also, I tend to think the final delivery of 1200 pieces of mail to one address takes less resources than 1200 pieces of mail to 1200 addresses, even if the journey to that station is the same.
So the post office has been compensated for their efforts. To think 'poor post office' is pretty damn silly. Unless there is some kind of fraud or other crime involved, the USPS doesn't have an interest in this. Frankly, I don't see the crime and neither does the victim, since he is trying to sue, NOT seek criminal charges.
Re:this works for normal spam as well... (Score:2, Informative)
Yesterday, as I went through *35* pieces of junk mail from 3 days, I was wondering if the USPS had an opt-out-from-certain-mailers form? I doubt it, because spam is how they make most of their money.
Two points:
So while 23% is a good chunk of their revenue it certainly does not qualify as most of the revenue. But, junk mail does make up 43% of the mail volume.
Re:This style of DoS harms more than the target (Score:4, Informative)
Costs passed on to the consumer.
"Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail."
No, they're cheaper. Instead of sending at Standard Mail [usps.gov] rates, they're either mailed at Periodicals [usps.gov] or Bound Printed Matter [usps.gov]. And the printing is also cheaper because there's no envelope stuffing or card folding involved. And the lighter-stock paper is cheaper.
"All these companies are getting screwed out of real money"
Measured in cents or fractions of cents per recipient. And depending on how much they're shipping and where, it may actually be cheaper for them to add in a few extra addresses to bump the mailing into the next rate (we're not talking bandwidth here). The more mail they have going to a three, five or nine-digit ZIP code, the finer level of presortation they can do and the cheaper the postage for everything in that particular sack of mail.
And don't forget these mailers are interested in addresses whether you're really interested or not. If you're not giving them Ralsky's address, rest assured that they're probably interested in buying his address from his bank, credit card company, car dealer, etc. The whole philosophy of bulk mail is that you're sending this information to people who may not know they're interested in something the mailer is selling.
The worst money loss comes from paying $0.37 + fee for the Business Reply Mail card you send in. If you feel guilty, don't use the BRM card and pay for the postage yourself. (Just putting a stamp on a BRM card/envelope doesn't work unless you remember to cover/obscure the "Business Reply Mail" box above the address, the five vertical bars to the left of the "stamp" area, and all those horizontal bars along the right-hand side.)
From The Spamhaus Project (Score:5, Informative)
Seems like his "real" address is:
Re:This is a serious issue (Score:3, Informative)
2 days after the transition, someone tried running 550k e-mails through his machine. His machine had a properly set up filter, and bounced everything back; unfortunately it knocked out his ISP who he was buying the business line out of. So now the site is down, and the ISP hasn't restored service because they say that he has exceeded the bandwidth quota for the business package he signed up for.
This stuff DOES affect the people having it happen to them. It's just as bad as sending it through the mail; in the mail, people get paid for every letter of mail they send. Online, when someone shuts you down by using your paid-for bandwidth, the cost lies on you, not them, to cover, and that is wrong.
Anyone that does what these people do, people like Ralsky, needs to get charged for every e-mail. They should have to register as bulk mailers, that way anyone hit by an attack originating from their bulk e-mails can hit them up for cost of business lost.
Who remembers... (Score:1, Informative)
Apparently, he has a website [shifmanconsulting.com] up now... flash 6. Rather goofy.
Can't click on anything, and I sure as hell wouldn't want him working on my servers...
Here's his $HOME.
GO TO IT! Just for the fun of it. You know you want to...
He's not a big fish like Ralsky, but he was so fr00t headed. The first catalog is free [hdis.com]...
Re:This style of DoS harms more than the target (Score:3, Informative)
But a "catalog-sized book" is not a catalog, it is a book. A catalog uses thinner, cheaper paper (note that a "catalog-sized book" doesn't have as many pages as a catalog), cheaper inks, and a cheaper binding method than even your average paperback. Everything is done on the cheap because they print so many of them and because there's no reason to build them to last more than a few months tops.
"As far as the cost of sending it, it is NOT cheaper to send a catalog than it is to send a letter."
You know, I provided links in the original post to the pricing schemes of Standard Mail, Periodical Mail and Bound Printed Matter. Was clicking on them too difficult for you?
"It costs per ounce,"
You're thinking First Class. Presorted mail is generally charged per piece and per pound of total mailing (ie. the weight of all of the pieces together).
Also, the more you are able to presort your mail, the cheaper your rate. However, you need to meet minimum mailing requirements to get the cheaper rates. For example, an entire automation tray of letters going to the same 5-digit ZIP code costs $0.190 each. If I can't fill that tray, they'll have to be put into a tray of letters going to the same 3-digit zone (first three digits of ZIP), and they'll cost $0.203 each.
"If there is too much mail, they'll hold the catalog for a later date."
Which is one of the reasons why they charge less to mail them.
"I don't know how much it actually costs to send a catalog, but you clearly have no clue."
I mailed out over 11,000 letters in October of 2002. How about you?
"The cost to send the catalog for may be 1/20 or 1/100 the cost per page than to send & print a letter, but it's more expensive to send a whole catalog than it is to send a letter."
Standard Mail letter, basic presort: $0.268
Periodical Mail (4 oz. catalog), basic presort: $0.42125
Of course, who's going to respond to that letter unless you include a Business Reply Mail (BRM) card for them to respond on? They're certainly not going to pay for that postage themselves, whether they want your catalog or not.
Standard Mail letter, basic presort: $0.268
First Class card postage: $0.23
Basic BRM per-piece fee: $0.60*
Total: $1.098
Heck, it's cheaper to send them two catalogs!
*(BRM is so "expensive" because you only pay for the postage of the ones you get back, as opposed to paying for stamps for cards that may or may not get mailed to you. Even if you ignore the BRM fee, though, it's still more expensive to send letter + postcard postage than a catalog.)
"And trying to argue that one particular piece of junk mail you've subscribed someone to will lower their cost shows a fundamental misunderstanding of math concepts."
How's this for a math concept: step function. You have to have enough pieces to fill an entire tray or sack (depending on what you're mailing) to reach that lower postage rate. Because of this, when you're near the minimum requirement of the next-cheaper rate class, it is cheaper to add a few more addresses to get to the lower rate. And I can guarantee you that the catalog publishers have step pricing as well.
Which is cheaper: 150 letters at $0.248 each, or 140 letters at $0.268 each?
"Companies now deduct $2 or more from bills if you choose all-electronic."
"The short of it is, by requesting hundreds o