Slashdot Mirror


DOS Attack Via US Postal Service

Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"

28 of 318 comments

  1. Hardly DOS is it by zeoslap · · Score: 4, Insightful

    The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischievous and a nuisance, it can hardly be described as a denial of service attack now, can it? The victim ends up with a stuffed mailbox and the post office makes bank with all the additional traffic.

    Also this seems a little extreme 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'

    Considering the web services the article is talking about are requesting a catalog :)

    1. Re:Hardly DOS is it by Sanity · · Score: 4, Insightful
      The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischievous and a nuisance, it can hardly be described as a denial of service attack now, can it?
      Sure it can - it renders your mailbox useless, and this can be more than an irritation for people who need to be able to receive snail mail (which I suspect is most people in the United States).
    2. Re:Hardly DOS is it by sudotcsh · · Score: 5, Insightful

      Oh, but it's DOS all right.

      DOS we're familiar with = so many requests for connection that real (legitimate) requests are very slow to get through, if at all.
      mailDOS = so many catalogs that finding your real mail (if there is any) is an incredible waste of time, and some pieces (packets?) may be lost (dropped) in the confusion.

      If this isn't the best translation of electronic DOS to physical DOS I don't know what is.

    3. Re:Hardly DOS is it by MO! · · Score: 2, Insightful

      Well, the proactive approach to that is putting a "Vacation Hold" message in the box, or better yet bringing it to the local Post Office. Then they know you're coming back on a specific day and will simply hold it all at the PO rather than sending it back as undeliverable.

      --
      I AM, therefore I THINK!
  2. Lack of authentication by George+Walker+Bush · · Score: 5, Insightful

    I could go to any bookstore's magazine section, get out the subscription cards (they aren't even physically bound to the magazine), send them off to the publishers, and check "Bill me later."

    There is absolutely no way for a person to prevent this right now.

    The analog solution from the electronic world would be for the publishers to send them a confirmation letter or something asking whether they really subscribed.

    --
    George W. Bush
    President, United States of America
    1. Re:Lack of authentication by Guppy06 · · Score: 4, Insightful

      "There is absolutely no way for a person to prevent this right now."

      However, the recipient doesn't have to pay for any of it. It's a nuisance, but nothing like paying for bandwidth consumed by a DoS.

      "The analog solution from the electronic world would be for the publishers to send them a confirmation letter or something asking whether they really subscribed."

      It's cheaper for them to just send out the magazine in that month's shipment. Sending out "Are you really sure?" postcards would require a different class of mail ("standard" as opposed to "periodicals") sent in a separate mailing (two smaller pre-sort batches instead of one big one). And that doesn't include the cost of a Business Reply Mail account.
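The confirmation step discussed in this thread is what e-mail list software calls double opt-in: a signup from anyone only creates a pending entry, and the subscription goes live when whoever controls the mailbox presents a token that was sent there. The following is an added example written for this page, not code from any of the posters or from the paper; the secret, list name and addresses are constructed for illustration, and a real deployment would load the secret from configuration and deliver the token by e-mail rather than return it to the caller.

```python
"""Double opt-in for a mailing list: a signup request only becomes a
subscription after the mailbox owner presents the token mailed to them.
Added example; names, secret and addresses are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed secret for the example. A real deployment loads this from
# configuration or a secrets manager and rotates it.
SECRET = b"example-only-secret-do-not-reuse"
TOKEN_MAX_AGE = 24 * 3600  # seconds a mailed confirmation link stays valid


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_confirmation_token(secret: bytes, email: str, list_id: str, issued_at: int) -> str:
    """Bind the address, the list and the issue time under an HMAC-SHA256 tag."""
    payload = json.dumps({"e": email, "l": list_id, "t": issued_at},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_confirmation_token(secret: bytes, token: str, now: int, max_age: int = TOKEN_MAX_AGE):
    """Return (email, list_id) for a genuine, unexpired token, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    if not (data["t"] <= now <= data["t"] + max_age):
        return None
    return data["e"], data["l"]


class SubscriptionList:
    """Pending signups are kept apart from confirmed subscribers."""

    def __init__(self, list_id: str, secret: bytes):
        self.list_id = list_id
        self.secret = secret
        self.pending = {}      # email -> the token that was mailed to it
        self.confirmed = set()

    def request(self, email: str, now: int) -> str:
        """Anyone may call this; it never adds `email` to the confirmed set."""
        token = make_confirmation_token(self.secret, email, self.list_id, now)
        self.pending[email] = token
        return token  # in practice sent to `email` out of band, not to the requester

    def confirm(self, token: str, now: int) -> bool:
        """Activate a subscription only for a genuine, current, unused token."""
        verified = verify_confirmation_token(self.secret, token, now)
        if verified is None:
            return False
        email, list_id = verified
        if list_id != self.list_id or self.pending.get(email) != token:
            return False  # wrong list, superseded, or already used (replay)
        del self.pending[email]
        self.confirmed.add(email)
        return True


if __name__ == "__main__":
    catalog = SubscriptionList("catalog", SECRET)
    link = catalog.request("reader@example.net", now=1_000_000)
    print("pending only:", "reader@example.net" in catalog.confirmed)  # False
    print("confirmed:", catalog.confirm(link, now=1_000_600))            # True
    print("replay rejected:", catalog.confirm(link, now=1_000_700))     # False
```

The token carries no secret state on the server side beyond the pending map, so a forged or replayed confirmation fails the MAC or the pending check, and an unanswered request expires on its own; the cost is one extra message per signup, which is exactly the cost the reply above says publishers would rather not pay.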

  3. this works for normal spam as well... by edrugtrader · · Score: 4, Insightful

    some users of my website have gotten pissed when they lose the game and signed up the webmaster account for tons of email offers... it is basically harassment, but easy to turn off.

    yesterday as i went through *35* pieces of junk mail from 3 days i was wondering if the USPS had an opt out from certain mailers form? i doubt it because spam is how they make most of their money.

    any input here?

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
  4. Re:death and taxes by benna · · Score: 3, Insightful

    Yeah too bad they are prepared. They are already getting millions of pieces of mail today. :( It was a nice thought though. :)

    --
    "It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
  5. So mail spamming is bad now? by d3am0n · · Score: 5, Insightful

    So wait, whenever we the people get nailed by 2 tons of junk mail, spam mail, and get our ear talked off by telemarketers, have billboard ads vying for our eyesight, and our television sets screaming at us, not to mention pop up ads all over the place (unless you have a popup eliminator or use an alternative web browser, long live Opera). These things are all "good" but whenever we all collectively get together and nail the hell out of spammers with the pent up rage of 2 million people who can sign them up for snail mail garbage, it's considered wrong? I think it's nothing more than a reaction from the masses and that it should be expected, after all if they can dish it, they should be able to take it.

    Side note; while I know that the article doesn't necessarily refer to the attack against spammers by the slashdot crowd, there hasn't been any other successful campaign of this type that I've ever heard of on such a scale. Time to smack them with a rolled up magazine like the bad doggies they've been.

  6. Spammers have feelings! by Neophytus · · Score: 4, Insightful

    Like the usenet spammer/advertiser I saw today that had a VALID but obfuscated email address set (for the company he was advertising). Amateurs.

    Ralsky got what he deserved, and hopefully moving 'on the quiet', if he did move, cost him a lot of money. I read this article earlier today (didn't think of submitting it myself) and it made a lot of sense. It IS all too easy to get yourself on these lists and your life is made difficult getting off them (digging about for phone numbers listed in a 500-page catalogue's small print...) - if you were subscribed to even 100 of these you would have a mammoth task to get rid of them all.

  7. This style of DoS harms more than the target by gollum_my_gollum · · Score: 5, Insightful
    Most Denial of Service attacks affect more than the target itself. If I'm attacking example.com, then all machines between me and that machine are busy handling my traffic. An intentional DoS'ing may not be much worse than a slashdotting for an ISP, and is usually easier for them to shut down. That costs them money, but it doesn't take too long, and the only real cost is downtime of their other subscribers, which, since most sites are independent of other customers or have so little bandwidth compared to the pipes coming into the ISP, doesn't affect other customers much.

    In the case of signing up a spammer or other unscrupulous individual to catalogs and other physical mail, the companies that are sending these items are directly bearing the cost of your DoS. Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail. All these companies are getting screwed out of real money, not some potentially (and oft inflated) accounting of how much time/cost an ISP has for DoS countermeasures.

    Sure, I think it's great to spam the spammers, but in doing so you harm legitimate companies more than in the Internet world.

  8. Post office "DOS" Attack is gonna backfire by rlsnyder · · Score: 5, Insightful

    Although this is kinda funny in one isolated case, what also has to be considered is the effect on the Postal Service. Sure, they get paid to deliver this mail, but it's not that easy.

    Catalogs and Magazine subscriptions ship at cheaper rates. The rural carriers that deliver mail to people's homes aren't set up to carry mass amounts of this type of mail to people; economically, the post office is set up to run with a balance of junk and first class mail on any given route.

    Overload this with a huge amount of bulk-rate junk mail, and you're putting a burden on the capacity of the carrier routes, which in turn will force the Postal Service to modify fees and/or service.

    I would be highly surprised if they pass this charge on to the business customers that generate the bulk mail; this would meet with too much resistance and put pressure on the business relationship. Instead, I wager we'll see the fees passed along to first class, consumer mail either through an increase in postage fees and/or fees for home delivery of mail.

    In short - The Postal Service is not the Internet. It is one organization that can and will respond to this type of abuse, and the end result will be less service / increased cost.

    1. Re:Post office "DOS" Attack is gonna backfire by jonr · · Score: 4, Insightful

      Good. I only hope that the junkmail will be more expensive to distribute, and fewer companies will use the "service".
      J.

    2. Re:Post office "DOS" Attack is gonna backfire by Guppy06 · · Score: 2, Insightful

      You're forgetting the option of simply delivering a little yellow postcard from the local post office saying "We can't deliver it all, come pick it up."

      At any rate, the cost of delivering the mail is paid for by the postage (imagine that!). Even if you pre-sort the mail as finely as you can (in the order the delivery person drives past the addresses, no less) and bring it to the destination post office yourself (or through a third party), you still have to pay postage for the simple act of delivering the articles.

  9. This is a serious issue by stand · · Score: 4, Insightful

    Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.

    Also, you can't write filters to automatically route or categorize snail mail. You have to go through it all to find the non-spam. If this kind of attack catches on, watch out.

    I'm interested, is there anyone out there that works for the Postal Service? How can victims deal with this sort of thing?

    --
    Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
    1. Re:This is a serious issue by Xerithane · · Score: 2, Insightful

      Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.

      I doubt I would incur the amount of motivated anger for a group of people to spend this much time doing it. I piss a lot of people off. I get people that sign me up for shit all the time. All email though, because it's hard to actually get my real address off the net without spending a few bucks.

      People get pissed when you spam them, and then you get a mob, and mobs do great things to bad people (sometimes.) It's not as if Mr. Ralsky is a decent person, he is getting what he deserves. Karma does work, it's just man-made.

      --
      Dacels Jewelers can't be trusted.
  10. It's Not Ironic... by MBCook · · Score: 5, Insightful
    It's poetic justice. From dictionary.com:

    "...and the punishment of vice, often in an especially appropriate or ironic manner. "

    So you see, this is poetic justice, not irony. That said, I'm not mad about this happening to him, is anyone else?

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  11. Huh? by wirelessbuzzers · · Score: 3, Insightful

    They didn't call this spam counterattack "bad" although it is certainly illegal. But it is an attack, and these guys are security geeks, so it's their job to investigate and propose countermeasures to things like this.

    --
    I hereby place the above post in the public domain.
  12. Re:I say start a 2nd wave... by nuggz · · Score: 1, Insightful

    try calling his local pizza place, and order several.

    Because fraud is fun? Or you just want to cause trouble for innocent business owners.

  13. Re:Politics that hard way by ntrfug · · Score: 4, Insightful

    I doubt that political parties get really big money from their mailing lists. Their mailing lists let them maintain the fiction that they're battling each other for the support of ordinary people.

    Meanwhile in the back rooms buying and selling of politicians goes on the old-fashioned way -- face to face.

  14. Maybe somebody would realize that it is serious... by Kjella · · Score: 2, Insightful

    ...when they understand the real-world equivalent. He's one man being DDoS'd; online almost everybody with a reasonably public email address is DDoS'd. I've got a university account that has never been posted to mailing lists, Usenet or forums but is fairly accessible from the university homepage (student catalogs etc.). SPAM is on the rise, and that's a mail address I can't change to dlkjghadlgh@somehost.com just to get away, any more than I could move away to avoid being spammed in the real world. Neither can businesses and others with the need for a static and publicly accessible address.

    At least the catalogs he's getting have a real return address. I hate spam with fake sender, and I hope someone will soon enforce that domain.com must come from a domain.com mail server (or through one with authentication) and start the snowball running. If you can't send through the domain.com mail server, why should anyone believe you have the right to send mail for user@domain.com? The default "trust anyone" is one of the big signs e-mail was designed for "serious" use by "serious" people before the general public started using and abusing it.

    Kjella

    --
    Live today, because you never know what tomorrow brings
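The rule Kjella asks for above, that mail claiming to be from user@domain.com must come from a host domain.com has authorized, is what SPF (RFC 7208) lets a domain publish as a DNS TXT record and a receiving server check against the connecting IP. The following is an added example written for this page, not code from the commenter or from any mail server; the records are constructed and stand in for DNS lookups, and the a, mx, exists and ptr mechanisms, which need further DNS queries, are deliberately treated as unsupported.

```python
"""Sender-domain authorization in the style of SPF (RFC 7208).
Added example; the zone data below is constructed and replaces DNS TXT lookups.
"""
import ipaddress

# Constructed records keyed by domain (real code queries DNS TXT for the domain).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def check_spf(domain: str, sender_ip: str, records: dict, _lookups=None) -> str:
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip."""
    if _lookups is None:
        _lookups = [0]  # shared counter across include: recursion
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # also terminates self-including loops
            inner = check_spf(arg, sender_ip, records, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include: no match, keep evaluating
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, ptr, redirect= not implemented here
    return "neutral"  # end of record without a match


def authorize_envelope(mail_from: str, client_ip: str, records: dict = SPF_RECORDS) -> str:
    """Evaluate the domain of an SMTP MAIL FROM address against its published policy."""
    _, _, domain = mail_from.rpartition("@")
    if not domain:
        return "none"
    return check_spf(domain, client_ip, records)


if __name__ == "__main__":
    for sender, ip in [("alice@example.com", "192.0.2.10"),
                       ("alice@example.com", "203.0.113.5"),
                       ("bob@mail.example.net", "203.0.113.5")]:
        print(sender, ip, "->", authorize_envelope(sender, ip))
```

A receiver acting on this would reject on "fail", tag or grey-list on "softfail", and treat "none" as the unauthenticated default the comment complains about; the lookup cap matters because an attacker who controls a domain can otherwise publish a policy that makes every receiving server do unbounded DNS work on its behalf.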
  15. no, it is not by g4dget · · Score: 3, Insightful
    Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you.

    Well, if you piss off people, they may try to get back at you. The Ralsky attack is the result of Ralsky pissing off a lot of people and each person engaging in a small and individually harmless act. In comparison to the kind of disputes among neighbors and individuals that often occur in the real world, that seems both harmless and unprosecutable. Welcome to the real world.

    If you piss off a lot of people for justifiable reasons (e.g., you are the author of Satanic Verses), then some concerned government may try to help you out. Otherwise, the solution is simple: don't piss off too many people.

  16. Re:death and taxes by Guppy06 · · Score: 4, Insightful

    Rule #1: Never mess with the Treasury Department.
    Rule #2: Never forget rule number 1.

    Remember that the IRS is in the same department as ATF and the Secret Service.

  17. Re:I say start a 2nd wave... by Anonymous Coward · · Score: 1, Insightful

    Not only is it a stupid idea, it won't work - pizza places have been doing callback validation for years.

  18. Please don't do that... by jesterzog · · Score: 4, Insightful

    ..not because of the spammers and junk mailers, but because of the legitimate businesses that you'll inevitably be hurting.

    What's the chance of setting up a perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!

    Despite the spammers, there are a lot of legitimate businesses and non-profit organisations out there that are trying to get people to sign up so they don't waste their time and money mailing people who have no interest in what they have to send.

    Just because a business or organisation asks people for contact details to send mailouts doesn't mean that they're doing it maliciously. What you'll accomplish by scripting this is to give headaches to the people doing it correctly by polluting their mailing lists with people who don't want their mail. If anything, it'll have a negative effect on their customers or members who actually want to hear from them in the process, and it'll waste the resources of an organisation that often won't have a lot to waste.

  19. The only one who hates us more than Ralsky by phorm · · Score: 2, Insightful

    The only one who hates us more than Ralsky
    Is his postman. Can you imagine all the huge stacks of spam he has to haul up to the mailbox? Geeze, I bet by now he almost has a separate bag...

    At least sign the guy up to Playboy so that the postman has something interesting to "obtain" from the sack 'o' mail he must have to deliver on a regular basis.

  20. Re:From The Spamhaus Project by Guppy06 · · Score: 2, Insightful

    For all you data miners out there, the USPS verified address is:

    Alan Murray Ralsky
    6747 Minnow Pond Dr
    West Bloomfield, MI 48322-2663

    That's on carrier route C 061, delivery point 47 in Oakland County.

  21. Some history,,,, by watzinaneihm · · Score: 2, Insightful

    The post that started it all.
    And a previous story on slashdot.

    --
    .ACMD setaloiv siht gnidaeR