Security Spam

Internet Based Attacks in a Physical World 321

scubacuda writes "In light of the /. backlash against Spam King, Alan Ralsky, (in which /.ers published his info online--including an overhead shot of his house--and signed him up for junk) Simon Byers, Aviel Rubin, and David Kormann have written a report entitled Defending Against an Internet-based Attack on the Physical World. Bruce Schneier notes that there's no easy defence against such an attack, largely because companies want to make it easy for consumers to get their promotional information: 'Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the post office and catalog mailings. All the pieces (that) are required for the attack to work.' But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'"
  • by Anonymous Coward on Monday May 12, 2003 @08:36AM (#5935894)
    If you don't want to be attacked on a large scale from the Internet, don't piss off Slashdot readers!
    It should be a no-brainer by now, and we have shown the effectiveness!
    • Seriously, has anyone written a script to auto-signup the same address for lots of postal spam?

      Perhaps there is a sourceforge project, or a module in CPAN?

      • I, too, would be interested to hear about this. Junk email is easy to deal with by hitting the delete button, but if the bastards get so much dead-tree mail the post-office has to make special arrangements, the direct marketers are going to squeal.
    • by t0ny ( 590331 ) on Monday May 12, 2003 @10:13AM (#5936560)
      wow, this is the exact same subject that was posted a few weeks ago, but it has more links.

      Someone should write a white paper detailing ways to get Slashdot to post dupes, and how it could potentially be used to do malicious things, like delaying the posting of real news.

  • All we need (Score:5, Funny)

    by OneArmedMan ( 606657 ) on Monday May 12, 2003 @08:37AM (#5935906)
    now, is a way for the internet to deliver a flaming bag of dog poo to the doorstep of your favourite enemy and life will be complete.
  • by efedora ( 180114 ) <efedora@yahoo.com> on Monday May 12, 2003 @08:37AM (#5935908) Homepage
    "A scenario could be imagined where an attacker would do this to delay the arrival of an important letter...."
    I don't know about you but I haven't trusted an important letter to the USPS for many years. Tax returns etc. go Certified or FedEx only. The USPS is just not reliable any more when the mail item is important.
    • by HowlinMad ( 220943 ) on Monday May 12, 2003 @08:56AM (#5936036) Homepage Journal
      I both agree and disagree. For $.37, if it is in fact important, then no, I would not use the standard option. But, the USPS does have other services available, i.e. Certified Mail, Registered Mail, Delivery Confirmation, Signature Required, etc. These all cost more money, but once again, if the package is important, it is well worth the small cost.

      So basically I find the USPS to be reliable, if you pay for the proper service.

    • by jellomizer ( 103300 ) on Monday May 12, 2003 @09:05AM (#5936089)
      Like Spam can delay the arrival of an important email or even have it completely lost in the mass, filtering, or by accident. That is the real threat of Spam. The fact that an important message via e-mail gets cluttered with a bunch of spam. This makes the email difficult to find. It's like those pieces of junk mail that look like they are bills so you have to open them up to make sure that they are not billing you for something you didn't sign up for.
      If Spam companies were really reputable they would actually be working for their stuff to be easily filtered like the ADD: to the subject line. Because there are some people who like Spam for some reason, and others who hate it, and the majority who doesn't care. So by helping people filter out their own Spam gives a less bitter taste in people's mouths about the Spam. Also it helps control their e-mail.
    • by Oswald ( 235719 ) on Monday May 12, 2003 @09:41AM (#5936334)
      This is wrong. The mail is not unreliable. In 25 years of paying my own bills, I cannot recall a single instance where somebody I owed money claimed not to have received the check I sent them. That's hundreds of pieces of important mail without a single loss or serious delay, going back to the late Seventies.

      Mostly people bash the USPS because it's something they've heard others do, not because they've had bad experiences. Have you had trouble with your mail?

      And what is Certified Mail if it isn't USPS?

      Thirty-seven goddamn cents for three- or four-day delivery anywhere in the country. A couple bucks to send a book via Media Mail and have it arrive 5 days later (10 days sooner than the estimate). I don't know what you want.

      • Weren't there a couple of "mail dumping" incidents a couple of years ago?

        IIRC, they found one postal worker with a whole basement/attic/whatever filled with undelivered mail, and another worker was found to be dumping it under an overpass or something.

        The residents had complained for years about poor mail service, lost mail, etc and when they finally found out what was going on it looked like the whole postal zone was a fscking disaster (bad management, etc etc etc).

        Overall, this seems like a rare exceptio
    • I find the USPS to be extremely inexpensive and reliable. They have never lost a letter or package of mine.

      UPS has. I have only used FedEx on a couple of occasions, so have no basis for comparison. Every damaged package I've ever gotten came via UPS; some was literally run over by a truck; they had tire tracks on the boxes. This has happened to me twice. UPS forklifted a telescope on me once. I've never seen anything that was properly packaged get damaged by USPS.

      USPS is also amazingly fast. For re
    • The US Immigration and Naturalization Service [bcis.gov] (now the BCIS as part of their re-org into Homeland Security) trusts the mail implicitly, unless they're sending you a notice that your application was denied (then they send it certified). A notice to come to a fingerprinting was not sent certified, got lost in the mail (although I have serious doubts on whether it was ever sent in the first place), and resulted in a $110 charge for me to reopen the case. Thanks a lot, guys.

      I'm sure that plenty of important

    • All US Court Systems, the army, most all banks, etc.

      You should tighten your tinfoil hat, the mind control beams are getting in!
  • by corsec67 ( 627446 ) on Monday May 12, 2003 @08:38AM (#5935918) Homepage Journal
    Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale.

    Heh, I gotta remember this excuse. "No, I didn't sign up for these dirty magazines. It is some internet conspiracy..."

    That, and why is he complaining?
  • to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.

    This is NOT terrorism, it IS a crime!
    • This is NOT terrorism, it IS a crime!

      I guess that depends more or less on what country it ends up in and who you send it to and most of all who sent it :)
  • This article doesn't really add anything new IMHO.
    There is one sure way to keep yourself free of such an attack, which also helps to protect you against more common attacks such as burglary, car theft and mugging.
    Keep a low profile.
    It sounds blase but it is one of the simplest and most effective defenses.
    In this case, the target has set himself up for attack, and IMHO deserved it.
    For more common attacks, you can avoid notice by not flaunting stealable possessions, avoiding dangerous areas where possible, an
  • by worst_name_ever ( 633374 ) on Monday May 12, 2003 @08:39AM (#5935929)
    Trying to get people to subscribe to Slashdot and making them read embarrassing dupes [slashdot.org] is an old trick. These attacks exploit the lazy properties of the editors as well as their unprofessionalism. All the pieces (that) are required for this attack to work. There's a real danger in this ploy, one that few people have likely thought about: "A scenario could be imagined where a story [slashdot.org] could be posted to Slashdot, and then the same story [slashdot.org] could be posted again a couple weeks later, to wreak havoc on the Internet for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the posting of a goatse link."
  • "But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter."

    You know, aparently *nobody* thinks up terrorist acts until the newsmedia lets them know everything they need t
  • DOS by lawsuits? (Score:5, Insightful)

    by joostje ( 126457 ) on Monday May 12, 2003 @08:41AM (#5935938)
    I've always thought that in a way, a lawsuit often serves like a DOS attack, especially if it's a big company filing against an individual.


    Basically, the individual is swamped with requests s/he has to answer, using up large amounts of resources (lawyer fees).

    Very similar to a DOS attack where a server has to answer loads of requests, eating away at its resources (CPU/network traffic).

    • by Redking ( 89329 )
      You're forgetting about the lawyer fees associated with launching such an attack. Yeah the big company has deeper pockets but it's not like companies are swimming in cash to launch a physical DDoS at their whim. There are significant "overhead" costs such as bad publicity and loss of reputation. And the company has to have some legal basis to file a lawsuit otherwise it's libel/slander city. However, if the company has a case against an individual, I would think ONE lawsuit is enough to cause the loss o
    • Several states have anti-spam laws designed to make this easy. They're tort laws (person-sues-spammer-for-damages) rather than state-vs-spammer laws, and the damages are small (mostly $200-500) so you can sue in small claims court with minimal legal costs if you can catch the spammer (and if the spammer's in your state.)

      That doesn't let you catch every spammer that spams you, but it's enough that it can theoretically be very annoying to small spammers, who have to show up personally, and are more likely

  • by jkrise ( 535370 ) on Monday May 12, 2003 @08:43AM (#5935955) Journal
    "Let's hope anti-spam, anti-marketing guerrillas can keep their perspective and priorities in order."

    When the spam and other ass-orted gorillas get their perspectives in order - then let's talk of anti-spam guerrillas.

    "A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter,"

    Pure FUD and crap. How many times has spam stopped important mail? How many times have anti-spam filters deleted the 'wrong' mails? Apparently spammers have exclusive abuse rights on the 'system' while lesser users don't! Intriguing.
    • by dave_mcmillen ( 250780 ) on Monday May 12, 2003 @10:26AM (#5936675)
      "A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter,"

      Pure FUD and crap.


      Oops, I'm sorry . . . They've invoked the T-word ("terrorist"), so you are no longer allowed to express any doubts, reservations, or hesitation. Your Patriotic Duty(TM) is to wave a flag and go along with whatever they say. If you're not one of Us, you're one of Them.
  • by guacamolefoo ( 577448 ) on Monday May 12, 2003 @08:44AM (#5935958) Homepage Journal
    Thanks be to /. I had forgotten all about the old trick of signing people up for magazines or for infomercial stuff. There was a guy that I used to live with in college that we signed up for bed-wetting counseling every time he would piss himself after getting drunk. We'd send people "trial" subscriptions to Playboy and other magazines. Typical juvenile crap.

    These days, when I have access to public tax assessment databases, why should I forget all the old time-tested strategies of anonymous harassment? Simply fill out the response card from a magazine on a rack at the news stand using the address I can easily find at the courthouse, and stick a stamp on that baby. With the cross-references of mailing lists, I am sure to cause at least several hours of misery to the subject straightening out the billing mess, plus he/she will get all sorts of untold embarrassing mail. All for the cost of (sometimes -- the postage paid cards are best) a stamp and a few minutes of my time.

    Hey editors: Can there be an "Ask /." on how to anonymously harass people? That'd be sure to give me some even better ideas.

      • Computer printable address labels are easily available at any office supply store. Why wear your fingers out filling out forms?
      • Most magazines these days contain several postage paid subscription cards for your convenience.
      (I've got a question for those questionable types out there. Does anyone have a list of maintainers of mailing lists that most promiscuously sell their list to others? We want to get the most result for our effort here, right?)
  • Well?? Where are they? I've been waiting for someone to develop them since the last time this story was posted so I could wreak havoc on my enemies' mailboxes, but this doesn't seem to be anything more than an annoying dupe.
  • Grow up! (Score:2, Insightful)

    by bjr_cpan ( 672375 )
    I hate SPAM too. I probably get at least as much as any of you (maybe more, as I'm on CPAN -- but that's a moot point). I'm glad we're tracking these people down, because at some point we'll be able to bring legal action against them. But acting like a bunch of 12 year-old kids (I *think* that's when we did the ordering-someone-a-pizza-at-2am gag...) isn't going to solve anything. If anything, *he's* going to have a case against *you* for harassment, tampering with mail or various other petty crimes. Unfort
  • ... to serve as a diversion for a terrorist act ...

    A journalist wet dream: linking the internet and terrorism! Fantasies are running high, a google search for "internet terrorist OR terrorism" returns about 1,540,000 hits.
  • by arvindn ( 542080 ) on Monday May 12, 2003 @08:46AM (#5935977) Homepage Journal
    It's their view that a small program could be written, such as an easy-to-execute "script kiddie," that could effortlessly scan millions of sites on the Internet, detect which ones have free online subscription or information request forms, and fill out the forms with a victim's name and address.

    I agree that script kiddies are lower life forms and should be punished, but executing them? That's going a little too far, I say! Also, they're dumb, but wouldn't you credit them with a little more intelligence than a "small program"? The rest of the sentence is true, though. Script kiddies have enough time to waste to spend scanning millions of websites.

  • by Joe the Lesser ( 533425 ) on Monday May 12, 2003 @08:49AM (#5935993) Homepage Journal
    or even worse, to serve as a diversion for a terrorist act.

    In other news, /. has been arrested without trial under the PATRIOT act...
  • by Anonymous Coward on Monday May 12, 2003 @08:50AM (#5935998)
    I always liked the idea of placing a classified ad for a mint 1978 Camaro for $750 (b/c you're getting a divorce yadda yadda) and then listing your bud's phone number as the contact info. Best to use Auto Trader or the like because the ads run longer than newspapers and can't be cancelled in a day. Never done it, but sure have been tempted on occasion...
    • by maddogsparky ( 202296 ) on Monday May 12, 2003 @09:03AM (#5936072)
      A few years ago, some of my dad's coworkers posted an ad for a brand new Harley-Davidson motorcycle in one of those trader magazines. They listed their plant manager's number and stated that he worked evenings, so the best time to call was between 1-4 AM.

      Apparently, he started getting calls from several states away from irate bikers who were pissed at HIM when he told them he wasn't selling one (he never owned a motorcycle).

  • take for example the post office -- you'd think that one of their aims would be to promote less junk mail for all of us. But that's not how it works in a society where the bottom line is how much money you can rake in. And god forbid the government take an "anti-business" stance.

    So what is their pricing scheme? It costs 37c to mail a single letter, but if you're a physical spammer, you can get huge bulk discounts, effectively making it more attractive to spam. I say, why not make junk mail *more* expensive?

    Will email, if charged per-piece, be any different?
  • Mass Showing (Score:3, Insightful)

    by Flamesplash ( 469287 ) on Monday May 12, 2003 @08:59AM (#5936048) Homepage Journal
    I think that when a large number of people are willing to spend their time physically DoS attacking someone then maybe that person deserves it. I don't think that if an individual just had a grudge against the spam king that person would have been able to really do much damage, but obviously enough people felt the same way.

    I see it kind of like picketing, one person doesn't really do that much harm, but if enough people are pissed off....
    • Obviously you didn't read the article. The whole point is that instead of being limited by the free time of the people you piss off, the attack can be automated. That is, I could (were I that sort of person) whip up a quick perl script, search google, and sign the target up for literally thousands of different mailings all by myself. So where the attack on Ralsky came from a cadre of attack geeks, the attack against YOU could come from that one script kiddie who has nothing better to do with those ten mi
  • ...as well as death threats, flaming dog-do on your front door and drive-by TPing of your home; don't spam or otherwise piss off a lot of geeks.

    Or, if you live in Norway (and I reckon several other places offer this as well), tell the postal service that you don't want the junkmail... It still won't stop the rest of the nasties, but your postbox won't fill up as you stomp out the burning poo.

  • Idiot (Score:5, Insightful)

    by theLOUDroom ( 556455 ) on Monday May 12, 2003 @09:01AM (#5936062)
    or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'

    God damn. This just makes me want to punch him in the face. Why the fuck does everyone always have to bring terrorism into everything? Ever since 9/11 we have had idiots, making comments like this about EVERYTHING. I am so sick of it.

    This guy's statement requires ridiculous stretches of the imagination for one to even think of a way it might benefit a terrorist. I mean, seriously, use some common sense here. If you're trying to send someone a letter full of anthrax, you want it to actually get there.

    Yes, terrorists could use cars too. Maybe we should ban cars! That way a terrorist can't get his hands on a car and start running people over. Just imagine how many people he could kill by driving down a busy sidewalk! We better hurry!

    Then we'll have to ban chair-lifts too. Imagine how many people would be injured or killed if someone cut the cable! We can't have that, now can we?

    Ya know, they used fertilizer to make that there Oklahoma City bomb. We better get rid of fertilizer too.

    But wait! That still leaves arson! We better make matches a restricted item. Can't have a terrorist going around burning down houses, now can we?

    This kind of moronic reasoning makes me want to get this guy alone and "exploit the automation properties" of a few choice power tools.

    See! Power tools can be used for evil! Better get rid of those too. Never mind that the benefit they provide to society far outweighs the cost. Never mind that this is supposed to be a "free" society. Won't someone please think of the terrorists?
    • Re:Idiot (Score:5, Insightful)

      by brettlbecker ( 596407 ) on Monday May 12, 2003 @09:50AM (#5936409) Homepage
      I completely agree.

      The culture of fear is just sickening, and the fact that the government and state agencies are exacerbating the 'terrorist' buzzword is repulsive. As if it wasn't bad enough, the major media outlets are constantly trying to one-up each other with hysterical reporting.

      All of this serves to show how gullible, how willing most people are to accept all of this as fact. It brings out the frightened-herd metaphor in all of its glory. And it makes one wonder what happens when the world's greatest superpower is also the world's most terrified nation. What happens when animals are backed into corners?

      This is not likely to end soon. Things are going to get worse before they get better... that is, if there is a chance for things to get better.

      B

      • Re:Idiot (Score:4, Insightful)

        by curtisk ( 191737 ) on Monday May 12, 2003 @10:16AM (#5936588) Homepage Journal
        This is not likely to end soon. Things are going to get worse before they get better... that is, if there is a chance for things to get better.

        ....elections are coming up before you know it....make 2004 count!

        I'm a severe cynic as far as the election process goes, but if you don't even vote thats even more useless.

        Good post and parent post BTW

      • I was reading your post until the "t" word. Then I got so scared, I pissed in my pants and put plastic wrap around my cube!
    • Re:Idiot (Score:5, Insightful)

      by swordgeek ( 112599 ) on Monday May 12, 2003 @10:24AM (#5936662) Journal
      Well since you're already modded up to 5 (i.e. I can't moderate it up anymore), I might as well post.

      Agreed 100%. I keep hearing about the potential for "Terrorist attacks," mostly coming from US government officials or Concerned Citizens(tm). Do they forget that the anthrax attacks in the US, terrible as they were, were initiated by a born-and-raised American citizen? Or that they killed fewer people in total than are killed in the US by handguns every single day?

      Give it a rest folks! There will always be some way for psychopaths to kill people, possibly en masse. All that regulating every aspect of life does is annoy people, and make it impossible to live normally anymore.
      • Do they forget that the anthrax attacks in the US, terrible as they were, were initiated by a born-and-raised American citizen?


        They were? And what was this person's name?

    • Anthrax doesn't kill people. People kill people. The solution? Ban people! Let's nip terrorism right in the bud! The majority of terrorists are people, not so much dogs, or robots (until maybe Judgement Day). I'm going to get a people detector installed in my house, with an automated gun turret! Hasta la vista, people!
  • Utter Nonsense (Score:4, Interesting)

    by ePhil_One ( 634771 ) on Monday May 12, 2003 @09:03AM (#5936073) Journal
    A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.

    What a load of self serving crap. Which of course is completely shocking coming from such a community oriented guy such as a Spammer.

    When I read this, I expected it to be about something a bit more substantial, such as using the internet to have someone's electricity turned off, or altering a satellite trajectory to include someone's house in its path; or maybe even taking over Dr Evil's Moon Laser to burn nasty messages in someone's lawn.

    But really, taking out the postal service with a series of mass mailings? What kind of fool thinks that an attack that works on one person will scale large enough to take out the post office, or hinder any sort of criminal investigation?

  • This whole mess (spam, snail-mail attacks, etc etc etc) is just one more reason to salivate over the day when a legal and user-friendly online identification system is in place (e.g. ping id [pingid.com] or some further derivation). This will drastically reduce spam as well as making it very difficult to sign other people up for things. It will also kick start the next .com boom (as individuals and businesses worldwide will be able to easily form binding agreements instantly across the globe).

    GPG isn't enough. Don't w
  • by Potor ( 658520 ) <farker1@gmai l . com> on Monday May 12, 2003 @09:16AM (#5936177) Journal
    It's their view that a small program could be written, such as an easy-to-execute "script kiddie," that could effortlessly scan millions of sites on the Internet, detect which ones have free online subscription or information request forms, and fill out the forms with a victim's name and address.
    what's your favourite way to execute a script-kiddy?
  • by jtheory ( 626492 ) on Monday May 12, 2003 @09:19AM (#5936202) Homepage Journal
    Newsflash: the evil spammers are fighting back and hitting slashdot where it hurts, by submitting stories to the slashdot site that have already been posted and discussed [slashdot.org].

    These stories are known in the slashdot community as "dupes", and the practice (now becoming well-celebrated in the spammer community) is called "duping the nerds".

    Stay tuned for more details in the next posted article, (and again next week, ...and probably again a few days after that, if a new newspaper article is written about it).
  • by Ironpoint ( 463916 ) on Monday May 12, 2003 @09:24AM (#5936243)
    The best way to defend from internet attack also works in the real world. It's called "Don't make large groups of people angry."

    This seems like complaining that the internet allows collaboration of large numbers of like-minded people. Yeah, that's the point. The failure of this article is to understand that it is not organized. That's like saying that all the death threats the Dixie Chicks got all came from one organized structure.

    Hundreds of thousands of people are not going to conspire to commit a single crime (Anthrax letter example). That's ridiculous.

    To suggest that just because a large number of people are equally angry and respond in a similar way (through mailing etc), that the response is organized is stupid. People who want control set up straw man organizations because they can't compete against 100,000 individuals. How many times have we heard "Those protests are completely organized by organization XYZ, they have buses that bring people in". Or in labor problems: "It's XYZ union that is causing the strike, most of the workers don't care" By using the tactic of combining the perception of voice down to a single entity, detractors can be more persuasive in gaining mindshare.
  • My solution (Score:3, Interesting)

    by goldcd ( 587052 ) * on Monday May 12, 2003 @09:26AM (#5936262) Homepage
    Spam exists purely because the time spent by the spammer is of less value than the reward he gets. We don't need to completely eradicate spammers, just slow them down until it's no longer worth the effort and they quit. Try imposing limits on the amount of email that can be sent per ISP user. If it's set high enough then it'll very rarely bother a legitimate user, but make it stop being cost effective for spamming. Say 500 emails per 7 days from one user on an SMTP or 1000 from a mailserver running on an ADSL. If you're having to send 1 million mails then signing up for/hijacking 2000 accounts is going to slow you down a bit. This would hopefully stop spamming from 'friendly' services.
    Rogue ISPs are trickier to deal with, perhaps the throttling could be used? e.g. AOL trusts MSN, therefore anything originating from MSN would be allowed straight through. AOL is slightly more wary of rogueisp.cn so throttles the acceptance of messages from them to say 50,000 a day before it starts bouncing them. If rogueisp.cn behaves then everything will work perfectly, if they allow their network to hammer AOL then AOL will start chucking the emails back at rogueisp.cn clogging up their system. A perceived problem with this is that legitimate email gets bounced - tough. Rogueisp.cn gets to explain to their customers why "AOL has returned this message because of flood of crap sanctioned by your ISP" is attached to the message that's just been returned unsent. RogueISP can now decide to enforce sendmail throttling as mentioned at the top, or lose its customers.
    Tweak the quotas so the better an ISP behaves, the higher its quota goes and vice versa and we can polarise connected ISPs, and it's then not too hard just to blanket ban the bad guys.
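The two mechanisms in the post above, as an added example (not code from the post or from any ISP): a per-user sliding-window quota (the "500 mails per 7 days" idea) and a per-origin daily acceptance quota that grows while a peer behaves and halves after a day in which it overran, with trusted peers exempt. The figures (50,000/day base, 10% growth, halving on overrun), the hostnames and the simulated traffic are all assumptions for illustration.

```python
import collections
from typing import Deque, Dict, Tuple

DAY = 24 * 3600
WEEK = 7 * DAY


class SlidingWindowQuota:
    """Per-key limit of `limit` events in any trailing `window` seconds.
    This is the per-user half of the scheme: N mails per account per week."""

    def __init__(self, limit: int, window: int) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = collections.defaultdict(collections.deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget sends that have aged out of the window
        if len(q) >= self.limit:
            return False  # over quota: refuse (or defer) this message
        q.append(now)
        return True


class PeerThrottle:
    """Per-origin-ISP daily acceptance quota (the AOL vs rogueisp.cn half).
    Quota figures below are assumed, not taken from the post."""

    def __init__(self, base: int = 50_000, floor: int = 1_000,
                 ceiling: int = 1_000_000, trusted: Tuple[str, ...] = ()) -> None:
        self.base, self.floor, self.ceiling = base, floor, ceiling
        self.trusted = set(trusted)          # peers allowed straight through
        self._quota: Dict[str, int] = {}     # origin -> current daily quota
        self._day: Dict[str, int] = {}       # origin -> day index last seen
        self._count: Dict[str, int] = {}     # origin -> accepted today
        self._overran: Dict[str, bool] = {}  # origin -> hit the quota today?

    def quota_for(self, origin: str) -> int:
        return self._quota.get(origin, self.base)

    def _roll_day(self, origin: str, today: int) -> None:
        last = self._day.get(origin)
        if last == today:
            return
        if last is not None:
            q = self.quota_for(origin)
            # Yesterday's flood halves the quota; a clean day earns 10% more.
            q = q // 2 if self._overran.get(origin) else int(q * 1.1)
            self._quota[origin] = max(self.floor, min(self.ceiling, q))
        self._day[origin] = today
        self._count[origin] = 0
        self._overran[origin] = False

    def accept(self, origin: str, now: float) -> Tuple[bool, str]:
        """Decide one inbound message; a False result means 'bounce it'."""
        if origin in self.trusted:
            return True, "trusted peer"
        self._roll_day(origin, int(now // DAY))
        if self._count[origin] >= self.quota_for(origin):
            self._overran[origin] = True
            return False, f"bounced: {origin} exceeded its daily quota"
        self._count[origin] += 1
        return True, "accepted"


def simulate_flood(throttle: PeerThrottle, origin: str, n: int, day: int) -> Tuple[int, int]:
    """Constructed traffic: n messages from origin spread over `day`.
    Returns (accepted, bounced)."""
    accepted = 0
    for i in range(n):
        ok, _ = throttle.accept(origin, day * DAY + (i % DAY))
        accepted += ok
    return accepted, n - accepted


if __name__ == "__main__":
    t = PeerThrottle(trusted=("msn.com",))
    print("rogueisp.cn day 0:", simulate_flood(t, "rogueisp.cn", 50_001, day=0))
    print("example.net day 0:", simulate_flood(t, "example.net", 100, day=0))
    t.accept("rogueisp.cn", DAY)
    t.accept("example.net", DAY)
    print("day 1 quotas:", t.quota_for("rogueisp.cn"), t.quota_for("example.net"))
```

The two classes are deliberately independent: the sliding window is what an ISP enforces on its own submission server, while the peer throttle sits on the receiving MX and needs no cooperation from the remote side.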
    • The SMTP protocol should be extended; the receiver can require the sender to factor a large prime number before the message will be accepted. A few seconds CPU time per legitimate message is no biggie, but...
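The per-message CPU cost the reply above asks for, as an added example that is not from the reply: it uses a Hashcash-style partial hash preimage (find a stamp whose SHA-1 has N leading zero bits), which is the form this idea usually takes, rather than the prime factoring the reply mentions. The stamp layout, the 20-bit default and the sample addresses are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional, Set

# Stamp layout (assumed, Hashcash-like): ver:bits:date:recipient::rand:counter
# Recipient strings containing ':' are not supported by this simple parser.
MAX_AGE = 2 * 24 * 3600  # stamps older than two days are refused


def _leading_zero_bits_ok(stamp: str, bits: int) -> bool:
    digest = hashlib.sha1(stamp.encode()).digest()
    return int.from_bytes(digest, "big") < (1 << (160 - bits))


def mint_stamp(recipient: str, bits: int = 20, now: Optional[float] = None) -> str:
    """Sender side: increment a counter until the stamp's hash has `bits`
    leading zero bits. Expected work is 2**bits hashes per message."""
    issued = int(time.time() if now is None else now)
    rand = secrets.token_hex(8)
    counter = 0
    while True:
        stamp = f"1:{bits}:{issued}:{recipient}::{rand}:{counter}"
        if _leading_zero_bits_ok(stamp, bits):
            return stamp
        counter += 1


def verify_stamp(stamp: str, recipient: str, required_bits: int = 20,
                 now: Optional[float] = None, seen: Optional[Set[str]] = None) -> bool:
    """Receiver side: one hash plus cheap checks that the stamp was minted for
    us, recently, at the strength we demand, and has not been replayed."""
    now = time.time() if now is None else now
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1" or parts[4] != "":
        return False
    try:
        bits, issued = int(parts[1]), int(parts[2])
    except ValueError:
        return False
    if bits < required_bits or parts[3] != recipient:
        return False  # too weak, or minted for someone else
    if not 0 <= now - issued <= MAX_AGE:
        return False  # stale or post-dated
    if not _leading_zero_bits_ok(stamp, bits):
        return False  # the work was not actually done
    if seen is not None:
        if stamp in seen:
            return False  # same stamp presented twice
        seen.add(stamp)
    return True


if __name__ == "__main__":
    start = time.time()
    s = mint_stamp("alice@example.org", bits=18)  # ~260k hashes; a bulk sender pays this per message
    print(f"minted in {time.time() - start:.2f}s: {s}")
    print("verifies:", verify_stamp(s, "alice@example.org", required_bits=18))
```

The asymmetry is the whole point: minting costs the sender 2**bits hashes, verifying costs the receiver one, and the `seen` set stops a spammer from amortising one stamp over a million copies.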

  • by defile ( 1059 ) on Monday May 12, 2003 @09:28AM (#5936276) Homepage Journal

    Imagine though, that instead of signing up just any plain individual with an ego problem, that you signed up a business for all of this junkmail.

    Think about a company sabotaging its upstart competitor by saturating their mailbox with junk. The competitor starts missing bills, notices from vendors, etc.

    Or even worse, imagine someone who has been screwed by the phone company one too many times decides to mailing list bomb their bill payment center. The costs of processing payments shoots up while mail peons have to separate the payments from the junk.

    Congresspeople start getting cut off from their constituency.

    etc...

    And the worst part is that this is so hard to undo. Even if you take the effort to unsubscribe from every single mailing list you're on, it would take the attacker mere seconds to re-add you to all of them.

    This is probably one of the most devastating non-violent denial of service attacks you can utilize today.

    Moral of the story: don't piss people off.

    • by stephenbooth ( 172227 ) on Monday May 12, 2003 @10:06AM (#5936515) Homepage Journal
      Congresspeople start getting cut off from their constituency.

      If politics in the US is anything like it is in the UK then junk mail bombing is not required, it's already happened. Politicians are already cut off from the electorate; isolated behind walls of secretaries, PAs and special interest group contributions.

      Maybe things are better in the States? But here in the UK it's rare to find someone who can name their MP or local councillor, let alone remember any of their election promises. I've been eligible to vote for 15 years now, I've written to my MP about once every 18 months on average (5 different MPs) about various local and national issues. So far I've received only one reply, and that tried to dodge my questions.

      Stephen

  • by mlush ( 620447 ) on Monday May 12, 2003 @09:34AM (#5936302)

    It would be very simple for a company to defend against being used in a scripted mail DOS attack.

    • Move the order forms to another location and slap a robots.txt on them to try and keep them out of Google et al
    • Some simple question/answer system to demonstrate the user is human
      • What is this a picture of? (multiple choice)
      • Enter the word in this picture
      • Could you type the company name in backwards (for lynx users)
      • etc
    • Use obscure names for the CGI parameters
    • Perhaps some sort of tripwire parameter called 'postcode' that actually holds the phone number, if a postcode is entered it causes the submission to fail

    With a bit of imagination the authentication could be turned into a competition...
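A server-side handler implementing three of the defences in the list above (obscure parameter names, the 'postcode' tripwire that really holds the phone number, and a "type the company name backwards" challenge that works without images) as an added Python example; it is not code from the page or from any catalogue company. The parameter names, company name, secret and regular expressions are all constructed for the example, and the tripwire check is deliberately a heuristic.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical per-deployment secret and company name (constructed for this example).
CHALLENGE_SECRET = b"replace-with-a-real-random-secret"
COMPANY_NAME = "Acme Catalogues"

# The real fields carry meaningless parameter names; only the visible label in the
# rendered HTML form tells a human what each one is for.
FIELD_MAP = {"f_k31": "name", "f_q82": "street", "f_z07": "city"}

# Tripwire: the parameter literally named 'postcode' is labelled "phone" on the
# form. A person types a phone number; a script that fills fields by parameter
# name drops a postcode in and trips the wire.
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")


def issue_challenge():
    """Return (token, prompt). The token carries an HMAC over a nonce and the
    expected answer so the server can verify it later without storing state."""
    nonce = secrets.token_hex(8)
    expected = COMPANY_NAME[::-1].lower()
    tag = hmac.new(CHALLENGE_SECRET, f"{nonce}:{expected}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}", f"Please type '{COMPANY_NAME}' backwards"


def verify_challenge(token, answer):
    """Recompute the HMAC with the submitted answer and compare in constant time."""
    try:
        nonce, tag = token.split(".", 1)
    except ValueError:
        return False
    candidate = hmac.new(CHALLENGE_SECRET,
                         f"{nonce}:{answer.strip().lower()}".encode(),
                         hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, candidate)


def validate_submission(form):
    """form is a dict of POSTed parameters.
    Returns (accepted, reason, normalised_record_or_None)."""
    missing = [p for p in FIELD_MAP if not form.get(p, "").strip()]
    if missing:
        return False, "required field missing", None

    phone = form.get("postcode", "").strip()
    if not PHONE_RE.match(phone):
        return False, "tripwire: 'postcode' parameter did not contain a phone number", None

    if not verify_challenge(form.get("ct", ""), form.get("ca", "")):
        return False, "challenge failed", None

    record = {FIELD_MAP[p]: form[p].strip() for p in FIELD_MAP}
    record["phone"] = phone
    return True, "accepted", record


if __name__ == "__main__":
    token, prompt = issue_challenge()
    print(prompt)
    # Constructed submissions: one typed by a person, one filled in by parameter name.
    person = {"f_k31": "Jane Doe", "f_q82": "1 High St", "f_z07": "Springfield",
              "postcode": "555-0100", "ct": token, "ca": "seugolataC emcA"}
    script = dict(person, postcode="SW1A 1AA")
    print(validate_submission(person))
    print(validate_submission(script))
```

Rejections return a reason for the server log only; the rendered page should say the same thing in every failure case so a submitter cannot tell which check caught it.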

  • From the headline, I thought this article was going to be about that shooting at Case Western. The apparent motive was that the victim left a nasty message on the shooter's guest book: Biswanath Halder vs. Shawn Miller, et al [apk.net].
  • 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter,

    Letters that are that important should be sent by registered mail.

    to wreak havoc on the postal system for political reasons,

    Provided the US government isn't subsidizing junk mail (if they are, they should stop), every piece of junk mail that is sent makes the USPS a small profit. Well, then let them "wreak" away.

    or even worse, to serve as a diversion for a terrorist act, such as the mailing of

  • Germans, who evidently have a hate-on for AOL

    A new word finds its way into my lexicon.
  • I hate to sound callous, but anything it takes to shut down the spammers, short of death or injury, is an acceptable cost in the long run.

    The problem of spam has not received any reasonable consideration by The Powers That Be in the Political engine until it starts to cause real, tangible, measurable harm.

  • by rednox ( 243124 ) on Monday May 12, 2003 @09:51AM (#5936414) Homepage

    I don't think this invalidates their conclusions, but there is one "fact" that is not actually true. The Star article states:

    Schneier discovered that by typing "request catalog name address city state zip" into Google, a person gets links to more than 250,000 sites containing subscription and request Web forms.
    Sure, Google says that it found "about 259,000" search results. However, paging through the results themselves reveals that it only found 839 [google.com]. Including the omitted, very similar pages, there are still only 997 [google.com].

    I think that the web has a huge number of automated forms that could be used for this kind of attack, but you would have to do a little more digging for them than the article implies.

  • by raehl ( 609729 ) <raehl311.yahoo@com> on Monday May 12, 2003 @10:01AM (#5936473) Homepage
    A sending list.

    Instead of buying a CD with a million email addresses, you buy a CD with the location of 100,000 catalogue/political/newsletter mailing list signup forms and a program to fill them out with your victim's information.
  • What about all the important email that gets buried under a deluge of electronic spam? Aunt Martha's prize winning cookie recipe, for example, might get lost among the hot naked teens emails. At least with email we can try to put a filter on it. But what is the government's policy about XXX regular mail coming to a 10 year old? Does that child really need his penis enlarged? An email from a teacher or college professor could easily be buried.
  • One way to prevent a scripted catalog-signup attack would be to centralize the processing of the signup forms. If all signup requests were routed through a single source, that source could easily detect a spike in signups. At that time, a confirmation phone call or letter could be sent to the recipient to determine whether they actually want all the junk, much in the same way that email list signups often generate an email that requests confirmation.

    Of course, there are privacy concerns, centralization
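The centralised clearinghouse proposed in the comment above, as an added Python example (not code from the page): every catalogue-request form forwards to one service, which canonicalises the postal address, counts recent requests per recipient, and holds anything over a threshold until the recipient confirms by phone or letter. The window, threshold, address normalisation rules and sample addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque


class SignupClearinghouse:
    """Single choke point for catalogue sign-ups so a burst of requests for one
    postal address can be detected and parked pending confirmation."""

    def __init__(self, window_seconds=24 * 3600, threshold=5):
        self.window = window_seconds
        self.threshold = threshold
        self._seen = defaultdict(deque)   # address key -> recent request timestamps
        self._held = defaultdict(list)    # address key -> catalogues awaiting confirmation
        self.delivered = []               # (address key, catalogue) passed on to the mailer

    @staticmethod
    def address_key(address):
        """Canonicalise so '12 Main Street' and '12 main st.' count as one recipient."""
        text = address.lower()
        text = re.sub(r"[.,#]", " ", text)
        text = re.sub(r"\bstreet\b", "st", text)
        text = re.sub(r"\bavenue\b", "ave", text)
        return " ".join(text.split())

    def submit(self, address, catalogue, now):
        """Record one sign-up request at time `now` (seconds).
        Returns 'delivered' or 'held'."""
        key = self.address_key(address)
        recent = self._seen[key]
        while recent and now - recent[0] > self.window:   # drop requests outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) > self.threshold:                   # spike: park it for confirmation
            self._held[key].append(catalogue)
            return "held"
        self.delivered.append((key, catalogue))
        return "delivered"

    def held_for(self, address):
        return list(self._held[self.address_key(address)])

    def confirm(self, address, wanted):
        """Outcome of the confirmation call or letter: release or discard held requests.
        Returns how many requests were resolved."""
        key = self.address_key(address)
        held = self._held.pop(key, [])
        if wanted:
            self.delivered.extend((key, c) for c in held)
        return len(held)


if __name__ == "__main__":
    # Constructed burst: four requests for the same address in three seconds.
    c = SignupClearinghouse(threshold=3)
    t0 = 1_000.0
    for i, (addr, cat) in enumerate([("12 Main Street, Springfield", "Cat A"),
                                     ("12 main st., springfield", "Cat B"),
                                     ("12 MAIN ST SPRINGFIELD", "Cat C"),
                                     ("12 Main St Springfield", "Cat D")]):
        print(cat, c.submit(addr, cat, t0 + i))
    print("held:", c.held_for("12 Main St Springfield"))
```

The threshold is per recipient, not per form, which is the whole point of centralising: no single catalogue house sees more than one request, so only the clearinghouse can see the spike.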
  • The paper by Beyers, Rubin, and Kormann is interesting, but I feel that they offer few viable options for defending against such attacks.

    Their scenario involves writing software to harvest web pages which offer to send someone snail mail, and automatically submitting the request form. In Ralsky's case the information was posted on /. and many different people signed him up for one or a few items (or called him). This is more like a coordinated DDOS attack, with /. as the control channel.

    In addition, they

  • Americans: Ever been away on vacation only to find your mailbox stuffed full of mail? Likely one or two important letters were in that big heaping wad of damp and compressed paper and coupons and shit.

    So now you must sit and spend an hour or more sorting through this mess, time wasted on a menial dumb stupid sorting task for which you receive no pay. Is this fair? Is this freedom? From what? It feels like slavery to a dumb system.

    At least in some enlightened European countries you can magically block bulk
  • If you folks don't be quiet, the post office might detect the thermonuclear bomb I mailed Alan Ralsky, the FBI and Eleanor Roosevelt. If we are all very very quiet, these packages will quietly make their way through the masses of mail the targets receive.

    Yes, I know old Eleanor is dead, but others still talk to her and I just want to make my point to them. I would have mailed Santa Claus at North Pole, but that's where the nukes will go off in event of accidental firing. To take care of that, I'm ema

  • ...is "Don't Spam."

    Ralsky has no one to blame but himself. If he didn't make a career out of abusing other people's private property, none of the crap that's happening to him would ever have happened.

    No matter if it's 'right' or 'wrong' to take someone's personal info and feed it to catalog houses, it still comes back to one simple idea; You Reap What You Sow, or 'Do Unto Others,' etc. Ralsky has been heaping abuse on other people's in-boxes, servers, etc. for years, and now he's reaping the fruits of his
  • or even worse, to serve as a diversion for a terrorist act

    Finally... an answer to junk mail! In our society of banning the tool, not the act (a la Napster), this translates into banning all forms of junk mailings! WOOOOOOOT!
  • What about mistakes?

    by leighton ( 102540 )
    Of course, none of this takes into account what happens when an overexcited script kiddie targets the wrong address for attack. This happened in the Ralsky case--if you go back, you'll see that people mistakenly posted his old address, the wrong phone number, etc. So some poor innocent sap (who could just as well be you) gets a dozen subscriptions to Hot Wet Naked Shaved Teenage Catholic Schoolgirls and Buff Biker Bears that he has to explain to his wife.

    I guess that's just "collateral damage," right?
  • when the local LUG, gaming club, and anime association all stormed krispy kreme at the same time.
