Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Spam Security

DOS Attack Via US Postal Service 332

Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"
This discussion has been archived. No new comments can be posted.

DOS Attack Via US Postal Service

Comments Filter:
  • by benna ( 614220 )
    What if people started doing this to political parties donation mailing addresses. They would not be able to sort it out to get their money effectivly shutting them down.
    • by ntrfug ( 147745 ) on Tuesday April 15, 2003 @06:14PM (#5740066)
      I doubt that political parties get really big money from their mailing lists. Their mailing lists let them maintain the fiction that they're battling each other for the support of ordinary people.

      Meanwhile in the back rooms buying and selling of politicians goes on the old-fashioned way -- face to face.
  • Hardly DOS is it (Score:4, Insightful)

    by zeoslap ( 190553 ) on Tuesday April 15, 2003 @05:26PM (#5739760) Homepage
    The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischeiveious and a nuisance it can hardly be described as a denial of service attack now can it ? The victim ends up with a stuffed mailbox and the post office makes bank with all the additional traffic.

    Also this seems a little extreme 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'

    Considering the webservices the article is talking about is requesting a catalog :)
    • by Sanity ( 1431 ) on Tuesday April 15, 2003 @05:31PM (#5739798) Homepage Journal
      The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischeiveious and a nuisance it can hardly be described as a denial of service attack now can it ?
      Sure it can - it renders your mailbox useless, and this can be more than an irritation for people who need to be able to receive snailmail (which I suspect is most people in the United States).
    • by sudotcsh ( 95997 ) on Tuesday April 15, 2003 @05:33PM (#5739816)
      Oh, but it's DOS all right.

      DOS we're familiar with = so many requests for connection that real (legitimate) requests are very slow to get through, if at all.
      mailDOS = so many catalogs that finding your real mail (if there is any) is an incredible waste of time, and some pieces (packets?) may be lost (dropped) in the confusion.

      If this isn't the best translation of electronic DOS to physical DOS I don't know what is.
      • DoS!=DOS (Score:5, Funny)

        by SHEENmaster ( 581283 ) <travis&utk,edu> on Tuesday April 15, 2003 @05:48PM (#5739922) Homepage Journal
        "Denial of Service", is the flooding of a server so that it stops functioning.
        "Disk Operating System", is an OS like Windows that bases its structure upon drives rather than directories like UNIX/Linux or Mac OS do. Windows NT is still a DOS even if it (supposedly) doesn't contain MS-DOS derived code.

        On a side note, DOSes seem to contribute more to server malfunctions than DoSes.
    • Re:Hardly DOS is it (Score:4, Interesting)

      by jdunlevy ( 187745 ) on Tuesday April 15, 2003 @05:38PM (#5739858) Homepage
      What about possible collateral damage: did any of SpamKing's neighbors' mail delivery get slowed down (or otherwise affected)? (Is there any way to tell?)
    • Re:Hardly DOS is it (Score:5, Interesting)

      by Wireless Joe ( 604314 ) on Tuesday April 15, 2003 @05:41PM (#5739876) Homepage
      Fun little story...

      I recently was out of town for a few days. The tiny little mailbox that my apartment complex provides probably filled up on the second day, so the postal carrier took all of it back to the post office, and left me a lovely note that if I didn't pick it up in a few days, they'd send it all back. Luckily I got back in time to pick up my mail, but it was definitely an inconvenience tracking down which post office outlet had my mail and then taking the time to go get it.

      So for a few days my postbox was shut down (mini DOS), because the postal carrier wouldn't leave me any new mail until I found the time to pick up what had already been taken away.
      • My postman does that all the time only with no warning. He smokes a lot of pot so maybe it's his paranoia, "Hey, he hasn't picked up his mail in 3 days, I better return the mail saying he moved".
      • by MO! ( 13886 )
        Well, the proactive approach to that is putting a "Vacation Hold" message in the box, or better yet bring to the local Post Office. Then they know you're coming back on a specific day and will simply hold it all at the PO rather than sending it back as undeliverable.
    • You're missing the entire point. The point isn't that someone used physical means to DDOS someone else - like you said, that's been done before. The point is that this can be automated using computers so that it requires no time at all for the perpetrator, and there are very real physical problems that occur as a result.

      How the hell was the parent modded insightful anyway?
  • anthrax (Score:5, Funny)

    by IAR80 ( 598046 ) on Tuesday April 15, 2003 @05:26PM (#5739763) Homepage
    Wasn't the last DOS attack through postal service using anthrax?
  • by pjgeer ( 106721 ) on Tuesday April 15, 2003 @05:29PM (#5739782) Journal
    It's like an executive summary [newscientist.com] of all the above links.
  • by George Walker Bush ( 306766 ) on Tuesday April 15, 2003 @05:29PM (#5739784) Homepage
    I could go to any bookstore's magazine section, get out the subscription cards (they aren't even physically bound to the magazine), send them off to the publishers, and check "Bill me later."

    There is absolutely no way for a person to prevent against this right now.

    The analog solution from the electronic world would be for the publishers send them an confirmation letter or something asking whether they really subscribed.
    • by liquidsin ( 398151 ) on Tuesday April 15, 2003 @05:36PM (#5739841) Homepage
      So instead of 600 magazines in my mailbox next month, I get 600 letters asking me if I want to subscribe? Sure, it's only a one time hassle instead of a monthly hassle, but it's still annoying. And calling to confirm is no less of a pain.

    • by Anonymous Coward
      Woohoo Schneier must be really lost outside of his cyrptography theory barrel, i mean the guy is resorting to writing papers on 7th grade pranks?

      What's next? A careful examination of how to defend against someone ringing your doorbell and running away?

      Give me a freakin' break.
    • Magazines actually do send a confirmation letter, something most kids learn about on the schoolground. Once again, GW Bush is outsmarted by elementary school students.
      • What magazines? Back in my poor college days, we'd subscribe to magazines just to get them for free. 15 or 20 magazines addressed to IP Freely, Poopoo Stayne, and Rev. Fuckyouintheass to name a few names we used.

        The only ones that caught on were the Columbia House music CD things and places that would deliver books. And we'd get 20 or 30 cds/books out of them before we'd get the "we need more info" letter. Fraud for underaged kids to get stuff to resell to buy cheap beer with fake IDs. I think if you b
    • by Guppy06 ( 410832 ) on Tuesday April 15, 2003 @06:27PM (#5740158)
      "There is absolutely no way for a person to prevent against this right now."

      However, the recipient doesn't have to pay for any of it. It's a nuisance, but nothing like paying for bandwidth consumed by a DoS.

      "The analog solution from the electronic world would be for the publishers send them an confirmation letter or something asking whether they really subscribed."

      It's cheaper for them to just send out the magazine in that month's shipment. Sending out "Are you really sure?" postcards would require a different class of mail ("standard" as opposed to "periodicals") sent in a separate mailing (two smaller pre-sort batches instead of one big one). And that doesn't include the cost of a Business Reply Mail account.
    • by TKinias ( 455818 ) on Wednesday April 16, 2003 @12:39AM (#5742033)

      Y'know, maybe I'm the only one, but I got some amusement from `George Walker Bush' posting under the subject `Lack of authentication'...

  • by rainmanjag ( 455094 ) <joshg AT myrealbox DOT com> on Tuesday April 15, 2003 @05:29PM (#5739785) Homepage
    here [nytimes.com]
  • by joe_bruin ( 266648 ) on Tuesday April 15, 2003 @05:31PM (#5739797) Homepage Journal
    quick, if we slashdot the IRS via the usps, they might never get to my taxes!
  • by edrugtrader ( 442064 ) on Tuesday April 15, 2003 @05:31PM (#5739805) Homepage
    some users of my website have gotten pissed when they lose the game and signed up the webmaster account for tons of email offers... it is basically harassment, but easy to turn off.

    yesterday as i went through *35* pieces of junk mail from 3 days i was wondering if the USPS had an opt out from certain mailers form? i doubt it because spam is how they make most of their money.

    any input here?
  • Getting SPAM lately! Try DOS

    oh well
  • by d3am0n ( 664505 ) on Tuesday April 15, 2003 @05:35PM (#5739838)
    So wait, whenever we the people get nailed by 2 tons of junk mail, spam mail, and get our ear talked off by telemarketers, have bill board ads vying for our eye site, and our television sets screaming at us not to mention pop up ads all over the place (unless you have a popup eliminator or use an alternative web browser, long live opera). These things are all "good" but whenever we all collectively get together and nail the hell out of spammers with the pent up rage of 2 million people who can sighn them up for nail mail garbage, it's considered wrong? I think it's nothing more than a reaction from the masses and that it should be expected, after all if they can dish it, they should be able to take it. Side note; while I know that the article doesn't neccessarily refer to the attack against spammers by the slashdot crowd, there hasn't been any other successful campaign of this type that i've ever heard of on such a scale. Time to smack them with a rolled up magazine like the bad doggies they've been
    • Huh? (Score:3, Insightful)

      They didn't call this spam counterattack "bad" although it is certainly illegal. But it is an attack, and these guys are security geeks, so it's their job to investigate and propose countermeasures to things like this.
      • They didn't call this spam counterattack "bad" although it is certainly illegal. But it is an attack, and these guys are security geeks, so it's their job to investigate and propose countermeasures to things like this.

        Out of curiosity, exactly what criminal law does this violate?
  • by Neophytus ( 642863 ) on Tuesday April 15, 2003 @05:36PM (#5739839)
    Like the usenet spammer/advertiser I saw today that had a VALID but obfuscated email address set (for the company he was advertising). Amateurs.

    Ralsky got what he deserved, and hopefully moving 'on the quiet', if he did move, cost him alot of money. I read this article earlier today (didnt think of submitting it myself) and it made alot of sense. It IS all too easy to get yourself on these lists and your life is made difficult getting off them (digging about for phone numbers listed in a 500 page catalogue's small print...) - if you were subscribed to even 100 of these you would have a mammoth task to get rid of them all.
    • Or you could just not buy anything from any of the catalogs and they'll get the message that way. They won't keep on paying postage for the catalog if they can't recoup their money.
    • Someone needs to find out where he moved to, and make sure his "change of address" info gets filled out at the post office. We wouldn't want him to miss out on any important mail. :)
  • by Slurpee ( 4012 ) on Tuesday April 15, 2003 @05:36PM (#5739846) Homepage Journal

    If you type the following search string into Google -- "request catalog name address city state zip" -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms. ... When you're done, voila! It's Slashdot's attack, fully automated and dutifully executed by the U.S. Postal Service.


    What's the chance of setting up a perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!

    Though environmentally bad in the short term, if it shuts them down in the long term, it would save a heck of a lot of trees!
    • by jesterzog ( 189797 ) on Tuesday April 15, 2003 @08:30PM (#5740882) Journal

      ..not because of the spammers and junk mailers, but because of the legitimate businesses that you'll inevitibly be hurting.

      What's the chance of setting up a perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!

      Despite the spammers, there are a lot of legitimate businesses and non-profit organisations out there that are trying to get people to sign up so they don't waste their time and money mailing people who have no interest in what they have to send.

      Just because a business or organisation asks people for contact details to send mailouts doesn't mean that they're doing it maliciously. What you'll accomplish by scripting this is to give headaches to the people doing it correctly by polluting their mailing lists with people who don't want their mail. If anything, it'll have a negative effect on their customers or members who actually want to hear from them in the process, and it'll waste the resources of an organisation that often won't have a lot to waste.

  • Hey michael (Score:2, Funny)

    by fobbman ( 131816 )
    You forgot to log off of your terminal, and Taco came in and posted a repost [slashdot.org] under your name.
  • by gollum_my_gollum ( 637422 ) on Tuesday April 15, 2003 @05:38PM (#5739856)
    Most Denial of Service attacks affect more than the target itself. If I'm attacking example.com, then all machine between me and that machine are busy handling my traffic. An intentional DoS'ing may not be much worse than a slashdotting for an ISP, and is usually easier for them to shut down. That costs them money, but it doesn't take too long, and the only real cost is downtime of their other subscribers, which since most sites are independent of other customers or have so little bandwidth compared to the pipes coming into the ISP, doesn't affect other customers much.

    In the case of signing up a spammer or other unscrupulous individiual to catalogs and other physical mail, the companies that are sending these items are directly bearing the cost of your DoS. Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail. All these companies are getting screwed out of real money, not some potentially (and oft inflated) accounting of how much time/cost an ISP has for DoS countermeasures.

    Sure, I think it's great to spam the spammers, but in doing so you harm legitimate companies more than in the Internet world.

    • Nothing says "loving" like a box of dryer lint with no return address.
    • by Guppy06 ( 410832 ) on Tuesday April 15, 2003 @06:57PM (#5740341)
      "the companies that are sending these items are directly bearing the cost of your DoS."

      Costs passed on to the consumer.

      "Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail."

      No, they're cheaper. Instead of sending at Standard Mail [usps.gov] rates, they're either mailed at Periodicals [usps.gov] or Bound Printerd Matter [usps.gov]. And the printing is also cheaper because there's no envelope stuffing or card folding involved. And the lighter-stock paper is cheaper.

      "All these companies are getting screwed out of real money"

      Measured in cents or franctions of cents per recipient. And depending on how much they're shipping and where, it may actually be cheaper for them to add in a few extra addresses to bump the mailing into the next rate (we're not talking bandwidth here). The more mail they have going to a three, five or nine-digit ZIP code, the finer level of presortation they can do and the cheaper the postage for everything in that particular sack of mail.

      And don't forget these mailers are interested in addresses whether you're really interested or not. If you're not giving them Ralsky's address, rest assured that they're probably interested in buying his address from his bank, credit card company, car dealer, etc. The whole philosophy of bulk mail is that you're sending this information to people who may not know they're interested in something the mailer is selling.

      The worst money loss comes from paying $0.37 + fee for the Business Reply Mail card you send in. If you feel guilty, don't use the BRM card and pay for the postage yourself. (Just putting a stamp on a BRM card/envelope doesn't work unless you remember to cover/obscure the "Business Reply Mail" box above the address, the five vertical bars to the left of the "stamp" area, and all those horizontal bars along the right-hand side.)
  • by rlsnyder ( 231869 ) on Tuesday April 15, 2003 @05:42PM (#5739882)
    Although this is kinda funny in one isolated case, what also has to be considered is the effect on the Postal Service. Sure, they get paid to deliver this mail, but it's not that easy.

    Catalogs and Magazine subscriptions ship at cheaper rates. The rural carriers that deliver mail to people's homes aren't set up to carry mass amounts of this type of mail to people; economically, the post office is set up to run with a balance of junk and first class mail on any given route.

    Overload this with a hugh amount of bulk-rate junk mail, and you're putting a burden on the capacity of the carrier routes, which in turn will force the Postal Service to modify fees and/or service.

    I would be highly suprised if they pass this charge on to the business customers that generate the bulk mail; this would meet with too much resistance and put pressure on the business relationship. Instead, I wager we'll see the fees passed along to first class, consumer mail either through an increase in postage fees and/or fees for home delivery of mail.

    In short - The Postal Service is not the Internet. It is one orginization that can and will respond to this type of abuse, and the end result will be less service / increased cost.
    • by jonr ( 1130 ) on Tuesday April 15, 2003 @05:46PM (#5739905) Homepage Journal
      Good. I only hope that the junkmail will be more expensive to distribute, and fewer companies will use the "service".
      J.
    • I believe that the USPS is not allowed to subsidize bulk mail with 1st class mail charges. Most years, bulk mail actually subsidizes 1st class...but I think they've moved away from that lately.
    • In short - The Postal Service is not the Internet. It is one orginization that can and will respond to this type of abuse, and the end result will be less service / increased cost.

      You have to be kidding. Most catalogs by request are sent FIRST CLASS because most companies don't send enough mail every day or week to get bulk. Yes, Sears does, but for every Sears that sends a catalog there are 50 "Bob's Hottubs" that have catalogs by request that do not send enough regularly enough to get a discount. If y
    • You're forgetting the option of simply delivering a little yellow postcard from the local post office saying "We can't deliver it all, come pick it up."

      At any rate, the cost of delivering the mail is paid for by the postage (imagine that!). Even if you pre-sort the mail as finely as you can (in the order the delivery person drives past the addresses, no less) and bring it to the destination post office yourself (or through a third party), you still have to pay postage for the simple act of delivering the
  • by Anonymous Coward on Tuesday April 15, 2003 @05:42PM (#5739886)
    paper on Defending against an internet-based attack on the physical world

    Perhaps some sort of packet filter [protectiondogs.com] on the mailbox layer might be useful.
  • Lawsuit Result (Score:3, Informative)

    by lexsco ( 594799 ) on Tuesday April 15, 2003 @05:43PM (#5739889)
    Here [www.cbc.ca] is an article about another Spammer vs Anti-Spammer harrasment case. Looks like some judges are on our side.
    • Re:Lawsuit Result (Score:5, Interesting)

      by lexsco ( 594799 ) on Tuesday April 15, 2003 @05:49PM (#5739928)
      The full text follows


      Anti-spam crusader wins court battle Last Updated Tue, 15 Apr 2003 15:31:49

      ELLICOTT CITY, MARYLAND - A Maryland court has ruled in favour of an anti-spam activist who was sued by an Internet marketing executive for harassment. Spam is the common name given to junk e-mail.

      Francis Uy posts the names and addresses of spammers. This enables network operators to block junk e-mail or sue them.

      But George Allen Moore of Maryland Internet Marketing Inc. said Uy's site posting such information is harassment and wanted it pulled off the Web.

      Judge Robert Wilcox says there's no evidence Uy had harassed Moore directly, as Moore had alleged.

      Moore says he has received about 70 packages and 200 magazines at his house because of Uy's site. Moore also says he's received threatening phone calls, including one person who he says threatened to kill him.

      Moore is the owner of Maryland Internet Marketing. He's also listed as a prolific spammer by Spamhaus.org, which maintains a world directory of bulk e-mailers.

      His company hawks everything from software to diet drugs.

      "Every time you try to mess with me, I will post it and more people will learn about you," Uy warned other spammers. "I don't need to encourage harassment against you, and I don't need to. Your best option is to crawl back under a rock."

      Moore says he's considering further legal action.
      • I do believe the original CBC article left out some things. Allow me to fill in the gaps:

        [

        George Allen Moore's] company [Maryland Internet Marketing] hawks everything from [what appears to have been pirated or unlicensed OEM copies of commercial] software to [non-FDA-approved] diet drugs [of highly questionable efficicacy].

        "Every time you try to mess with me, I will post it and more people will learn about you," Uy warned other spammers. "I don't need to encourage harassment against you, and I don'

  • by stand ( 126023 ) <stan.dyck@gmai l . com> on Tuesday April 15, 2003 @05:45PM (#5739901) Homepage Journal

    Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.

    Also, you can't write filters to automatically route or categorize snail mail. You have to go through it all to find the non-spam. If this kind of attack catches on, watch out.

    I'm interested, is there anyone out there that works for the Postal Service? How can victims deal with this sort of thing?

    • Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.

      I doubt I would incur the amount of motivated anger for a group of people to spend this much time doing it. I piss a lot of people off. I get people that sign me up for shit all
      • I doubt I would incur the amount of motivated anger for a group of people to spend this much time doing it.

        Maybe, but it wouldn't even take a group of people. All you'd need is one motivated person with a search engine and a Web manipulation module like Perl's LWP. You could easily write a script to flood a person with junk mail all by yourself. A little easier to trace maybe, but still damn hard to stop.

        • Maybe, but it wouldn't even take a group of people. All you'd need is one motivated person with a search engine and a Web manipulation module like Perl's LWP. You could easily write a script to flood a person with junk mail all by yourself. A little easier to trace maybe, but still damn hard to stop.

          True, I know the methods for tracking one down online and take steps to protecting my actual address. You can get many addresses on me, but I doubt any of them are actually correct. That's my little safeguar
      • You sure? Post your address here :)

        From your freak list...

        APL bigot (606126)
        aussersterne (212916)
        chris_mahan (256577)
        CowardNeal (627678)
        cranos (592602)
        DAldredge (2353)
        Elbereth (58257)
        Godeke (32895)
        Gojira Shipi-Taro (465802)
        Graspee_Leemoor (302316)
        Grishnakh (216268)
        Hott of the World (537284)
        IceAgeComing (636874)
        Inthewire (521207)
        isoteareth (321937)
        LucVdB (64664)
        mansemat (65131)
        MillionthMonkey (240664)
        NineNine (235196)
        No More Wankers (605612)
        nordicfrost (118437)
        not_anne (203907)
        PinkStainlessTail (469560)
        pr
    • no, it is not (Score:4, Insightful)

      by g4dget ( 579145 ) on Tuesday April 15, 2003 @06:24PM (#5740130)
      Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you.

      Well, if you piss off people, they may try to get back at you. The Ralsky attack is the result of Ralsky pissing off a lot of people an each person engaging in a small and individually harmless act. In comparison to the kind of disputes among neighbors and individuals that often occur in the real world, that seems both harmless and unprosecutable. Welcome to the real world.

      If you piss off a lot of people for justifiable reasons (e.g., you are the author of Satanic Verses), then some concerned government may try to help you out. Otherwise, the solution is simple: don't piss off too many people.

      • Re:no, it is not (Score:3, Interesting)

        by stand ( 126023 )

        I agree that you shouldn't piss off too many people. Believe me, I haven't shed any tears over Ralsky's fate. But the power of DOS attacks is that they can be initiated easily by motivated *individuals*. As I said on another post, it would be easy to automate what happened to Ralsky such that a single person could initiate a flood of junk mail to any specified postal address. Or maybe you could flood a town's post office with junk mail to create a diversion and then send a real nasty letter (e.g. Anthrax) t

    • This stuff goes beyond that man, My friend owns and runs a popular website for mechwarrior gaming. He set up a paypal account on his site, and now had enough money to run a big internet pipe into his house, and host the site on hardware.

      2 days after the transition, someone tried running 550k e-mails through his machine. His machine had a properly set up filter, and bounsed everything back, unfortunatly it knocked out his ISP who he was buying the business line out of. So now the site is down, and the is
  • by Anonymous Coward
    Obligatory article text post

    Automated Denial-of-Service Attack Using the U.S. Post Office

    In December 2002, the notorious spam king Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, informa

  • Be Aware... (Score:5, Funny)

    by A Guy From Ottawa ( 599281 ) on Tuesday April 15, 2003 @05:54PM (#5739953)
    It just goes to show that people should be very careful with their personal information.

    Sincerely,

    Guy LeBarge
    186 Rideau St.
    Ottawa, ON
    K1A 25U
  • The paper.. (Score:4, Funny)

    by EinarH ( 583836 ) on Tuesday April 15, 2003 @05:58PM (#5739973) Journal
    Anyone except me that see the irony in the fact that those who wrote the paper Defending against an internet-based attack on the physical world [avirubin.com] displays their physichal world location on the top of the paper?
  • It's Not Ironic... (Score:5, Insightful)

    by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Tuesday April 15, 2003 @06:01PM (#5739987) Homepage
    It's poetic justice. From dictionary.com:

    "...and the punishment of vice, often in an especially appropriate or ironic manner. "

    So you see, this is poetic justice, not irony. That said, I'm not mad about this happening to him, is anyone else?

  • by mediahacker ( 566995 ) on Tuesday April 15, 2003 @06:11PM (#5740052) Homepage
    He suggests that you type "request catalog name address city state zip" into Google whereupon Google will kick back some 250,000 pages with online web forms to fill out.

    Google now kicks back one hit - the article itself...

    You really have to strip your search down before it starts returning anything.
  • by forged ( 206127 ) on Tuesday April 15, 2003 @06:16PM (#5740075) Homepage Journal
    This is nothing new. Back 20 years ago or so, my father (heh!) used to collect old newspapers at airports, then he would fold 3 or 4 newspapers together into a very thick enveloppe and send this without stamps to a person of his choice that he disliked at this time.

    That worked well because where we lived, enveloppes without a return address and without stamps were delivered allright, and had to be paid in full by the receiving party for the cost of shipping plus a penalty fee for not stamping the mail in the first place.

    I doubt that he's ever made someone loose great amounts of money, but that must have annoyed the hell out of those people receiving junk and having to pay for it !

  • by Kjella ( 173770 ) on Tuesday April 15, 2003 @06:21PM (#5740102) Homepage
    ...when they understand the real-world equivalent. He's one man being DDoS'd, online almost everybody with a reasonably public email address is DDoS'd. I've got a university account, that has never been posted to mailing-lists, usenet, forums but is fairly accessible from the university homepage (student cataloges etc.) SPAM is on the rise, and that's a mail address I can't change to dlkjghadlgh@somehost.com just to get away, any more than I could move away to avoid being spammed in the real world. Neither can businesses and others with the need for a static and publicly accessible address.

    At least the catalogs he's getting have a real return address. I hate spam with fake sender, and I hope someone will soon enforce that domain.com must come from a domain.com mail server (or through one with authentication) and start the snowball running. If you can't send through the domain.com mail server, why should anyone believe you have the right to send mail for user@domain.com? The default "trust anyone" is one of the big signs e-mail was designed for "serious" use by "serious" people before the general public started using and abusing it.

    Kjella
  • What about the USPS? (Score:2, Interesting)

    by phylus ( 468215 )
    I wonder, how does the USPS deal with a person who gets that much mail? Obviously they have to deliver it since that's their whole purpose, but I know the little mail truck that comes to my house probably couldn't fit a few extra hundred pounds of mail. And the poor mailman, and the mailbox itself.

    I mean, logistically, how do they cope with it?
  • I favor Tomahawk cruise missiles, Delta Force...
  • by philipsblows ( 180703 ) on Tuesday April 15, 2003 @06:28PM (#5740163) Homepage

    Take:

    • One phone number (the victim)
    • One war dialer
    • Many, many pager numbers

    Empirically, 1000 pagers (at 3-4 dial sequences per minute) equals about 4 days of constant calls to the vicitim's phone. How I know this is another discussion...

    Of course, this was more effective when digital pagers were much, much more popular. Today, it probably wouldn't go over as well, but back in the late 80s and early 90s, it worked flawlessly. Essentially, it was distributed crank calling before the "DDOS" term was coined.

    The most interesting part was that the pager companies explicitly refused to do anything about it. No tracing of calls, no attempts to halt sequential dialing, etc. Not their problem.

  • by Anonymous Coward on Tuesday April 15, 2003 @06:37PM (#5740223)
    I work for a scummy direct marketing company, and can tell you that when people mail back dog shit, dead cats, bricks, etc. it really does slow business down because that mail is not sorted from the legitimate mail. From time to time the bomb squad is even called in to check an unexpected parcel and that can gum up the whole works.
  • by djaxl ( 543958 ) <[moc.puorgavaleulb] [ta] [ikswolsewa]> on Tuesday April 15, 2003 @07:02PM (#5740373)
    Alan Ralsky aliases and addresses [spamhaus.org].

    Seems like his "real" address is:
    Alan Murray Ralsky
    6747 Minnow Pond Dr,
    West Bloomfield,
    MI 48322
    Telephone: 248-926-0688
    Current email address: amr777@comcast.net
  • by HeyBob! ( 111243 ) on Tuesday April 15, 2003 @07:05PM (#5740383)
    Years ago, I read about a guy who intentionally signed up for as many catalogs and other junk mail as possible. I think he got 200 lbs a day. He heats his house with it.
  • Property value (Score:3, Interesting)

    by Deanasc ( 201050 ) on Tuesday April 15, 2003 @07:15PM (#5740430) Homepage Journal
    Theoretically they may have lowered the value of his house upon resale. Like murders or other infamous events in a house it's the sellers responsibility to inform the buyer or the deal can be busted at a later date. So the spammer must inform the next buyer that they may recieve a monthly flood of "For Alan Ralsky or current occupant" mail. I know I would think twice about moving into a cursed address.
  • by tregoweth ( 13591 ) on Tuesday April 15, 2003 @08:38PM (#5740932)
    Anyone know Bill Gates' home address?
  • by bizitch ( 546406 ) on Tuesday April 15, 2003 @10:29PM (#5741556) Homepage
    If we could get any of these, we could have some serious fun!

    First - get his fax number into some key marketing/questionaire databases and blamo! - Fax Spam Ahoy!

    Second - Setup a couple of "Faxback" server attacks on those numbers. Faxback servers are fantastic because they're realllly dumb. Call them up on an toll-free number and order up a mess of documents to be faxed to wherever you want. The best part is that they're relentless - they will just keep on calling (up to 10 times) to try to make a connection ... i.e. "ring ring - 'hello, Ralsky here' - *beep* *beep* - hang up - repeat 5 minutes later"

    Its mega-annoying - especially if you get a couple of them going at once - and at 3AM

    But heck ... we should at least be able to get this douchebag's fax number for his company - yes?
  • by RhettLivingston ( 544140 ) on Tuesday April 15, 2003 @10:44PM (#5741646) Journal

    to determine the business addresses that those who actually respond to his spam would be sending their checks too and swamp those? Spammers depend on a very low operational cost model to make money. If they have to sort through 100s of items of mail for every one that has a check in it, you've just increased their cost of doing business.

    If they're doing most of their business electronically, publishing a list of their SSL sites could be interesting. If we all ran something to walk the list once an hour and just make a connection to the SSL sites and leave it, they'd be effectively down. Negotiating the SSL connections has a high computing cost on their side.

    If someone were to design a virus that does that and continuously checks into sites for new lists, I might actually try to get the virus.

    In other words, if you want to have a real effect, go for cutting off the money.

  • by phorm ( 591458 ) on Wednesday April 16, 2003 @12:42AM (#5742042) Journal
    The only one who hates us more than Ralsky
    Is his postman. Can you imagine all the huge stacks of spam he has to haul up to the mailbox? Geeze, I bet by now he almost has a seperate bag...

    At least sign the guy up to Playboy so that the postman has something interesting to "obtain" from the sack 'o' mail he must have to deliver on a regular basis.
  • Some history,,,, (Score:3, Insightful)

    by watzinaneihm ( 627119 ) on Wednesday April 16, 2003 @03:53AM (#5742519) Journal
    The post [slashdot.org] that started it all.
    And a previous story [slashdot.org] on slashdot.

Know Thy User.

Working...