DOS Attack Via US Postal Service

Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"

Politics that hard way

[benna]

What if people started doing this to political parties donation mailing addresses. They would not be able to sort it out to get their money effectivly shutting them down.

Re:Politics that hard way

Your stamp costs 39 cents. The cost of my volunteer's 5 seconds which it took to open and discard the envelope costs me about 0 cents. Good try, though

Re:Politics that hard way

[ravenwolff]

uh, I don't think so.

Re:Politics that hard way

[benna]

Yeah but if you would read the article you would see that the idea is to make OTHERS pay the postage. You just sign them up for stuff. Your time may be free but you don't have unlimited time.

Re:Politics that hard way

[IAR80]

You can allways put in the envelope without a stamp and him as expeditor.

Re:Politics that hard way

[ntrfug]

I doubt that political parties get really big money from their mailing lists. Their mailing lists let them maintain the fiction that they're battling each other for the support of ordinary people.

Meanwhile in the back rooms buying and selling of politicians goes on the old-fashioned way -- face to face.

Re:Politics that hard way

[tomhudson]

The post office no longer returns mail if you mark it "return to sender". They just toss it in the garbage, which is why, years after you move into a place, you still get those mail-order catalogs for the previous occupant, even though you've diligently marked "moved", or "unknown" or "deceased" on the envelope and dropped it/them into the mailbox many times.

Unless the envelope states "return postage guaranteed" and they have an account w. the post office, it's headed for the garbage can.

Re:Politics that hard way

[IAR80]

Where I live the office is still returning it, but unfortunatelly not to many spamers arround.

Hardly DOS is it

[zeoslap]

The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischeiveious and a nuisance it can hardly be described as a denial of service attack now can it ? The victim ends up with a stuffed mailbox and the post office makes bank with all the additional traffic.

Also this seems a little extreme 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'

Considering the webservices the article is talking about is requesting a catalog :)

Re:Hardly DOS is it

[Sanity]

The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischeiveious and a nuisance it can hardly be described as a denial of service attack now can it ?

Sure it can - it renders your mailbox useless, and this can be more than an irritation for people who need to be able to receive snailmail (which I suspect is most people in the United States).

Re:Hardly DOS is it

[sudotcsh]

Oh, but it's DOS all right.

DOS we're familiar with = so many requests for connection that real (legitimate) requests are very slow to get through, if at all.
mailDOS = so many catalogs that finding your real mail (if there is any) is an incredible waste of time, and some pieces (packets?) may be lost (dropped) in the confusion.

If this isn't the best translation of electronic DOS to physical DOS I don't know what is.

Re:Hardly DOS is it

[jdunlevy]

What about possible collateral damage: did any of SpamKing's neighbors' mail delivery get slowed down (or otherwise affected)? (Is there any way to tell?)

Re:Hardly DOS is it

[Wireless+Joe]

Fun little story...

I recently was out of town for a few days. The tiny little mailbox that my apartment complex provides probably filled up on the second day, so the postal carrier took all of it back to the post office, and left me a lovely note that if I didn't pick it up in a few days, they'd send it all back. Luckily I got back in time to pick up my mail, but it was definitely an inconvenience tracking down which post office outlet had my mail and then taking the time to go get it.

So for a few days my postbox was shut down (mini DOS), because the postal carrier wouldn't leave me any new mail until I found the time to pick up what had already been taken away.

Re:Hardly DOS is it

If the mail volume to Raskey (The spam king) was great enough, I imagine the post office would have begun seperating his mail before it got to him (as I imagine they already do) and sending it in a seperate bin/bag to him. The post office is able to handle the volume... they have the technology... they can resort it, make it better..

Re:Hardly DOS is it

[chimpo13]

My postman does that all the time only with no warning. He smokes a lot of pot so maybe it's his paranoia, "Hey, he hasn't picked up his mail in 3 days, I better return the mail saying he moved".

Re:Hardly DOS is it

[MO!]

Well, the proactive approach to that is putting a "Vacation Hold" message in the box, or better yet bring to the local Post Office. Then they know you're coming back on a specific day and will simply hold it all at the PO rather than sending it back as undeliverable.

Re:Hardly DOS is it

let's all write them letters to find out.

Re:Hardly DOS is it

[nemesisj]

You're missing the entire point. The point isn't that someone used physical means to DDOS someone else - like you said, that's been done before. The point is that this can be automated using computers so that it requires no time at all for the perpetrator, and there are very real physical problems that occur as a result.

How the hell was the parent modded insightful anyway?

Re:Hardly DOS is it

[kesuki]

You call the free delivery of an unlimited quantity of home heating supplies a DOS attack??? why, if he lived up north, he could heat his home all winter, just burning junk-mail! Think of the favor we could be doing him, if for instance he owned a wood fired sauna, he could be burning it as hot as he wants all day long, and even let the neighbors use it ;) All without having to ever chop wood, just shovel today's batch of junkmail in!
If ne needs a "private" mail address for important things to com in, he should have to pay for an anonymous post office box, and only provide that address to important friends and relatives. just the way us 'internet' users are required to find private e-mail services and never give it out to websites (including e-card sites -- which relatives/friends need to know about) so that you only recieve important vital e-mail at this private address that noone except you and a handful of people can even find the address to.

Re:Hardly DOS is it

[Random+Frequency]

paper would burn too fast.. and it doesn't burn hot enough. You'd have to have someone shovelling in paper pretty quickly..

plus its illegal to burn your garbage in most areas.

Re:Hardly DOS is it

[kesuki]

Apparently you're unaware of The Paper log maker here
Remember, paper is basically wood pulp. shred, soak, compress, dry == instant wood.
Burning garbage is indeed illegal, however, buring paper in ones fireplace/indoor stove/sauna is not.
Paper is often used to _start_ a wood fire man so much for your 'doesn't burn hot enough' theory, in fact the problem is paper burns too hot, and too fast, which is why you need to shred, soak, compress, and dry it into instant wood.

Just so you know the illegality in burning garbage stems with the number of fires that can be caused by open pit burning, and the fact that flaming bits of loose paper can blow around etc. But by making the instant log the paper cannot just fly about.

Re:Hardly DOS is it

[kmahan]

And how is that any different from what the Spam King and all his buddies do to us in our electronic mailboxes? I receive emails that are electronic bills, work related email, etc. So because I get so much spam I have a chance of deleting/misfiling/whatever them. So if it's bad to do in the physical world it should be just as bad to do in the electronic world.

So by your argument (which I agree with because it supports mine) every Spammer is committing a DOS attack against me and should be charged with a crime. And forced to do jail time or pay restitution.

Re:Hardly DOS is it

[Random+Frequency]

the paper log maker would definately be a worthy investment then.

I was a boy scout/avid pyro =)

Just burning paper by itself is somewhat stupid though, given the amount of ash that's produced.

Re:Hardly DOS is it

[ctucker]

Just mail him a postcard that says "PING" and see how long it takes him to reply.

Re:Hardly DOS is it

[blibbleblobble]

"What about possible collateral damage: did any of SpamKing's neighbors' mail delivery get slowed down"

Well, postal services are prioritised. So when you get junkmail, that shouldn't interfere with anything more important. And as opposed to email, which also has a priority tag, this one is enforced financially. It also has human interaction, which is frequently more intelligent than a mailserver, and will often start asking questions if obvious attacks are mounted on a post-office's workload.

Re:Hardly DOS is it

[mlippert]

I don't quite get this. The mail's been delivered, why do they take it back?

I can somewhat understand not delivering new mail if your mailbox is full, but taking away already delivered mail?

It just seems wrong. Particularly if there is no note.

Re:Hardly DOS is it

[GLowder]

Actually, you could use peer pressure from his neighbors against him as well. Just add and subtract 2 from his address to get probable next door neighbor addresses. Sign them up for catalogs too. I'm willing to bet he would become more unpopular on his street.

Re:Hardly DOS is it

[ichimunki]

The log maker type of approach is suitable for newsprint and limited quantities of non-newsprint paper (i.e. the daily paper), but not for most junk mail. Your description of the content of paper is way off. A lot of the paper you'd receive as junk mail has as much filler in it as it does wood-derived cellulose. This is things like plastics or clays that help make the paper glossy or smoother or less likely to bleed-- not to mention the amount of work you'd have pulling off pieces of actual plastic from window envelopes, stickers, and the like. Not necessarily stuff that you want to burn anywhere near where you also plan to breathe.

Re:Hardly DOS is it

[kesuki]

The plastic argument is a good one to note, but clay isn't. Paper already burns hotter (as i noted) than wood. adding clay will lower the buring temperature -- in fact adding compost to the logs was suggested on one of the forms where I researched the paper-log making teqniques to get slower, cooler burns. So clay in the amounts that are added to paper is negligable in effect. a slightly cooler flame, still not as cool as wood.
And BTW plastic will burn rather nicely, if you're not too concerned about the toxic fumes it will add to the smoke. but Shh, don't tell the spam king that! he might actually just put the junk mail plastic and all in his fireplace ;) with a %750,000 house (in alabama) I'm sure he doesn't have too many nearby neighbors to worry about..

anthrax

[IAR80]

Wasn't the last DOS attack through postal service using anthrax?

Re:anthrax

[IAR80]

Unfortunatelly some postal workers were infected and some even died + caused wide spread panic. Also some postal offices were out of service and doing cleanup for months. I guess it was a DOS on the society as a whole and on postal service in particular even though the target was different.

Re:anthrax

[evilviper]

Beware the postal service ``smurf" attack!

Re:anthrax

[Sepper]

The one with the Evil Bit set to one?

Re:anthrax

[davidc]

I believe the Unabomber has the patent on the original postal based DOS...

More info at newscientist

[pjgeer]

It's like an executive summary of all the above links.

Lack of authentication

[George+Walker+Bush]

I could go to any bookstore's magazine section, get out the subscription cards (they aren't even physically bound to the magazine), send them off to the publishers, and check "Bill me later."

There is absolutely no way for a person to prevent against this right now.

The analog solution from the electronic world would be for the publishers send them an confirmation letter or something asking whether they really subscribed.

Re:Lack of authentication

[liquidsin]

So instead of 600 magazines in my mailbox next month, I get 600 letters asking me if I want to subscribe? Sure, it's only a one time hassle instead of a monthly hassle, but it's still annoying. And calling to confirm is no less of a pain.

Re:Lack of authentication

Woohoo Schneier must be really lost outside of his cyrptography theory barrel, i mean the guy is resorting to writing papers on 7th grade pranks?

What's next? A careful examination of how to defend against someone ringing your doorbell and running away?

Give me a freakin' break.

Re:Lack of authentication

[GeorgeH]

Magazines actually do send a confirmation letter, something most kids learn about on the schoolground. Once again, GW Bush is outsmarted by elementary school students.

Re:Lack of authentication

[grammar+fascist]

Not only that, but they'd probably be of the "If you don't want to subscribe, please reply" type.

Re:Lack of authentication

[chimpo13]

What magazines? Back in my poor college days, we'd subscribe to magazines just to get them for free. 15 or 20 magazines addressed to IP Freely, Poopoo Stayne, and Rev. Fuckyouintheass to name a few names we used.

The only ones that caught on were the Columbia House music CD things and places that would deliver books. And we'd get 20 or 30 cds/books out of them before we'd get the "we need more info" letter. Fraud for underaged kids to get stuff to resell to buy cheap beer with fake IDs. I think if you break 2 laws that it becomes a positive and it's okay. At least that's what George Bush has taught me.

Re:Lack of authentication

[Guppy06]

"There is absolutely no way for a person to prevent against this right now."

However, the recipient doesn't have to pay for any of it. It's a nuisance, but nothing like paying for bandwidth consumed by a DoS.

"The analog solution from the electronic world would be for the publishers send them an confirmation letter or something asking whether they really subscribed."

It's cheaper for them to just send out the magazine in that month's shipment. Sending out "Are you really sure?" postcards would require a different class of mail ("standard" as opposed to "periodicals") sent in a separate mailing (two smaller pre-sort batches instead of one big one). And that doesn't include the cost of a Business Reply Mail account.

Re:Lack of authentication

[geekoid]

No, you will start getting magazines, and a bill. There is no confirmation.

Re:Lack of authentication

[PCM2]

Back in my poor college days, we'd subscribe to magazines just to get them for free. 15 or 20 magazines addressed to IP Freely, Poopoo Stayne, and Rev. Fuckyouintheass to name a few names we used.

Ah, you smutty-mouthed youth of today. In my day, stating your name as "Freema Gazine" was sufficient.

Re:Lack of authentication

[Fastolfe]

He was responding to this:

The analog solution from the electronic world would be for the publishers send them an confirmation letter or something asking whether they really subscribed.

In that situation, they'd send 600 letters instead of 600 magazines.

Re:Lack of authentication

[charon_on_acheron]

No, you're not thinking deeply enough. It will be how to defend yourself when someone rings your doorbell and runs away, but leaves a buning paper bag of dog poop on your porch.

Re:Lack of authentication

[TKinias]

Y'know, maybe I'm the only one, but I got some amusement from `George Walker Bush' posting under the subject `Lack of authentication'...

Re:Lack of authentication

[will_die]

Worst then that is signing up with sites such as greenpeace, ACLU,etc. You can also do the various branches of the military, but from experiences they quickly remove people.
Since they quickly distribute the address of people they get to similar organizations it is a sure fire way to get lots of mail, and once you get on them it is hard to get off.
The joys of college pranks.

Re:Lack of authentication

[tcr]

What's next? A careful examination of how to defend against someone ringing your doorbell and running away?


Again, sounds like my postman... :-)

Re:Lack of authentication

[mrtroy]

Even better....

Subscribe to his address with a funny name. For example, use the same last name put put "Fuqor" as his first name or something. I am sure anything not too obvious would work just fine. Personally, I am adding a funny middle name.

Re:Lack of authentication

[broter]

Well, my little troll, perhaps you should of read the article.

From the CryptoGram:

"If this were just a nasty way to harass people you don't like, it wouldn't be worth writing about. What's interesting about this attack is that it exploits the boundary between cyberspace and the real world."

-RB

Re:Lack of authentication

[bill_mcgonigle]

However, the recipient doesn't have to pay for any of it. It's a nuisance, but nothing like paying for bandwidth consumed by a DoS.

Huh? I pay $1.30 per 30 pounds of refuse. If I got half a ton of mail a day as this guy is reported to get, it would cost me $13,520 a year to dispose of it. Granted, I could get a dumpster for less, or maybe even get it down to the recycling center (at my cost), but it's not free. Plus I'd have to take the time to find my mail among all the junk (an hour a day or so). If I'm billable at $50 an hour it's now $29,120 a year.

NYTimes article on the paper

[rainmanjag]

here

Ping of death?

[metalhed77]

Wasn't the last DOS attack through postal service using anthrax?

would that be the physical incarnation of the "ping of death" attack?

Re:Ping of death?

[IAR80]

yep. And I guess the Unabomber was the physical incarnation of the "mail bomb".

Re:Ping of death?

[wirelessbuzzers]

Vice-versa, I believe.

Re:Ping of death?

[CoyoteGuy]

Could be worse.. What if they re-enacted WinNuke? :)

Re:Ping of death?

[rootofevil]

technically wouldnt it be more like a christmas tree packet, since the anthrax leaked out and got all over other stuff at the hubs (aka routers & switches)?

death and taxes

[joe_bruin]

quick, if we slashdot the IRS via the usps, they might never get to my taxes!

Re:death and taxes

[benna]

Yeah too bad they are prepared. They are already getting millions of peices of mail today. :( It was a nice thought though. :)

Re:death and taxes

[Pharmboy]

Yeah too bad they are prepared. They are already getting millions of peices of mail today.

you talking tax returns or hate letters?

Re:death and taxes

[Guppy06]

Rule #1: Never mess with the Treasury Department.
Rule #2: Never forget rule number 1.

Remember that the IRS is in the same department as ATF and the Secret Service.

Re:death and taxes

[jhunsake]

I just watched the local news where they showed the federal attorney indicted a bunch of people on tax fraud and settled a few others with significant penalties. A coincidence, no doubt?

Re:death and taxes

[DigiBoi]

Rule #1: Never mess with the Treasury Department.

Assuming you equate the IRS being or of part the U.S. Treasury Department, i urge you to read the answer to question #1 at 31 Questions about the IRS.

Re:death and taxes

[crmsndude]

HAHAHAHAHA

That must explain why the Treasury Department lists it as one of its nine bureaus and all of the IRS logos on its website have "Department of the Treasury" right under "Internal Revenue Service." I used to work for the Treasury Department, and had a very good friend who worked at IRS. If it isn't part of Treasury, then there are several thousand federal employees, as well as millions of taxpayers, who were told otherwise in official statements, paperwork, or because they work there.

But no. let's take a group of tax evaders, which is what the people at the link you providedare. At least, they are from a legal POV.

Re:death and taxes

[Guppy06]

"For, it is better to be mute and thought a fool, than to open one's mouth and remove all doubt."

Words to live by, hm? You know, you really should read what you're linking to before pointing to it.

Explain to me how Puerto Rico isn't part of the US.

Re:death and taxes

[BenEnglishAtHome]

On the off chance that you aren't an idiot or a troll and might actually be willing to learn something, try this FAQ. It goes to great lengths, more than these anti-tax bozos deserve, to explain just how our tinfoil-hat-wearing nutjob brethren have been misled. For even more good info, try this link, this link and this link.

And if you want it straight from the horses mouth, the be-all and end-all summary page explaining why these tax resistor folks are barking up the wrong tree, try this link.

Re:death and taxes

[Mr+Guy]

Where's my +1 Crackpot when I need it.

Re:death and taxes

[automandc]

Sorry, the BATF was recently moved to the Dept. of Justice as part of the "Homeland security" reorganization.

Don't you feel more comfortable knowing John Ashcroft is in charge of firearms now?

this works for normal spam as well...

[edrugtrader]

some users of my website have gotten pissed when they lose the game and signed up the webmaster account for tons of email offers... it is basically harassment, but easy to turn off.

yesterday as i went through *35* pieces of junk mail from 3 days i was wondering if the USPS had an opt out from certain mailers form? i doubt it because spam is how they make most of their money.

any input here?

Re:this works for normal spam as well...

[g4dget]

yesterday as i went through *35* pieces of junk mail from 3 days

Only a dozen a day? You are so lucky. I'm up to about 100 per day on my main inbox.

Re:this works for normal spam as well...

[TC+(WC)]

He's talking about physical junk mail... hence the comment that follows about the USPS

Re:this works for normal spam as well...

[DeadMeat+(TM)]

yesterday as i went through *35* pieces of junk mail from 3 days i was wondering if the USPS had an opt out from certain mailers form?

The USPS does not, but the Direct Marketing Association does. Junkbusters has a sample opt-out letter on their Web site.

Re:this works for normal spam as well...

[edrugtrader]

i was talking about real mail. for spam i was at 400 a day, then i decided to try unsubscribing... something that i told people to never do because then they know you are real. in the end it doesn't matter if they know you are real. if the mail went through that is good enough for them. after clicking remove links for a week i'm down to about 10 pieces of easily email filterable spam a day.

so i'm getting more snail mail spam than email spam!

Re:this works for normal spam as well...

[El+Cubano]

yesterday as i went through *35* pieces of junk mail from 3 days i was wondering if the USPS had an opt out from certain mailers form? i doubt it because spam is how they make most of their money.

Two points:

• Check out this site and you will see that standard mail (the category that spam falls into comprised only about 23% of the USPS total revenues.
• The biggest single category is still first class mail (i.e., letters home to mom and bills the electric/gas/phone company send you), making up nearly 55% of the USPS revenue in FY2001.

So while 23% is a good chunk of their revenue it certainly does not qualify as most of the revenue. But, junk mail does make up 43% of the mail volume.

the new email on the block!

[bugsmalli]

Getting SPAM lately! Try DOS

oh well

So mail spamming is bad now?

[d3am0n]

So wait, whenever we the people get nailed by 2 tons of junk mail, spam mail, and get our ear talked off by telemarketers, have bill board ads vying for our eye site, and our television sets screaming at us not to mention pop up ads all over the place (unless you have a popup eliminator or use an alternative web browser, long live opera). These things are all "good" but whenever we all collectively get together and nail the hell out of spammers with the pent up rage of 2 million people who can sighn them up for nail mail garbage, it's considered wrong? I think it's nothing more than a reaction from the masses and that it should be expected, after all if they can dish it, they should be able to take it. Side note; while I know that the article doesn't neccessarily refer to the attack against spammers by the slashdot crowd, there hasn't been any other successful campaign of this type that i've ever heard of on such a scale. Time to smack them with a rolled up magazine like the bad doggies they've been

Re:So mail spamming is bad now?

[tbmaddux]

... whenever we all collectively get together and nail the hell out of spammers with the pent up rage of 2 million people who can sighn them up for nail mail garbage, it's considered wrong?

Whether it's right or wrong isn't relevant. The rightness or wrongness of flooding Ralsky's mailbox with junk mail is old news, and isn't the point of the linked articles, which discussed a way to automate the process using the web, which removes the limitations/hassles of trying to do what was done to Ralsky on a truly large scale.

Put another way, RTFA.

Re:So mail spamming is bad now?

[mebock]

If it were a revenge exacted only on the spammer, I'd find it more palatable. But the cost of this reaction is borne by:

* the spammer
* other people that live at his address now and who move to that address any time in the next, oh, five or so years
* his letter carrier
* potentially his neighbors (misdirected mail)
* the companies that (in good faith) sent him catalogs that other people (in bad faith) signed him up for

But then, I never found the pizza prank funny.

Re:So mail spamming is bad now?

[sbwoodside]

Actually it seems likely that the kind of mass collective action undertaken by Slashdotters would be seen as wrong or illegal. In that case, each individual was doing a very small part. The difference is that in this new scenario, one person could launch such an attack with the touch of a button.

To apply the reverse principle, you see why internet protests are possible. If one person mails a senator a million times, that's mailbombing. But if a million individuals mail theat senator once each... that's progress ;-)

simon

Re:So mail spamming is bad now?

[bheerssen]

These things are all "good" but whenever we all collectively get together and nail the hell out of spammers with the pent up rage of 2 million people who can sighn them up for nail mail garbage, it's considered wrong?

Yeah, that durn enlightenment thing is annoying as hell. We gotta admit bad behavior even when it feels good.

Spammers have feelings!

[Neophytus]

Like the usenet spammer/advertiser I saw today that had a VALID but obfuscated email address set (for the company he was advertising). Amateurs.

Ralsky got what he deserved, and hopefully moving 'on the quiet', if he did move, cost him alot of money. I read this article earlier today (didnt think of submitting it myself) and it made alot of sense. It IS all too easy to get yourself on these lists and your life is made difficult getting off them (digging about for phone numbers listed in a 500 page catalogue's small print...) - if you were subscribed to even 100 of these you would have a mammoth task to get rid of them all.

Re:Spammers have feelings!

[Guppy06]

Or you could just not buy anything from any of the catalogs and they'll get the message that way. They won't keep on paying postage for the catalog if they can't recoup their money.

Re:Spammers have feelings!

[GreyyGuy]

Riiiight...

You need to pass that on to the companies that send all the catalogs I'm getting with the names of the last two or three owners of this place. Much like email spammers, they just need to get a few sales per hundred to make it worthwhile.

Automated Spam attacks...

[Slurpee]

If you type the following search string into Google -- "request catalog name address city state zip" -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms. ... When you're done, voila! It's Slashdot's attack, fully automated and dutifully executed by the U.S. Postal Service.


What's the chance of setting up a perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!

Though environmentally bad in the short term, if it shuts them down in the long term, it would save a heck of a lot of trees!

Re:Automated Spam attacks...

[patchmaster]

What's the chance of setting up a perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!

I think they might notice if 250,000 new requests for catalogs came in all at once. Nice idea in the abstract though.

Re:Automated Spam attacks...

[mrtroy]

I am going to write a private one.... :) Because today is day #2342 i wish i had one! and, its better if you add "free" into that query, since i dont want to pay for any catalogues!

Hey michael

[fobbman]

You forgot to log off of your terminal, and Taco came in and posted a repost under your name.

This style of DoS harms more than the target

[gollum_my_gollum]

Most Denial of Service attacks affect more than the target itself. If I'm attacking example.com, then all machine between me and that machine are busy handling my traffic. An intentional DoS'ing may not be much worse than a slashdotting for an ISP, and is usually easier for them to shut down. That costs them money, but it doesn't take too long, and the only real cost is downtime of their other subscribers, which since most sites are independent of other customers or have so little bandwidth compared to the pipes coming into the ISP, doesn't affect other customers much.

In the case of signing up a spammer or other unscrupulous individiual to catalogs and other physical mail, the companies that are sending these items are directly bearing the cost of your DoS. Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail. All these companies are getting screwed out of real money, not some potentially (and oft inflated) accounting of how much time/cost an ISP has for DoS countermeasures.

Sure, I think it's great to spam the spammers, but in doing so you harm legitimate companies more than in the Internet world.

Re:This style of DoS harms more than the target

[Slashed+Otter]

Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail.

Perhaps it will give them some incentive to secure their catalog order process. Perhaps if they charged $1 for the catalog and gave $1 off the first purchase or something of that nature. They're the equivalent of an open relay and, as such, I have no sympathy for thier loss.

Re:This style of DoS harms more than the target

[Guppy06]

"the companies that are sending these items are directly bearing the cost of your DoS."

Costs passed on to the consumer.

"Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail."

No, they're cheaper. Instead of sending at Standard Mail rates, they're either mailed at Periodicals or Bound Printerd Matter. And the printing is also cheaper because there's no envelope stuffing or card folding involved. And the lighter-stock paper is cheaper.

"All these companies are getting screwed out of real money"

Measured in cents or franctions of cents per recipient. And depending on how much they're shipping and where, it may actually be cheaper for them to add in a few extra addresses to bump the mailing into the next rate (we're not talking bandwidth here). The more mail they have going to a three, five or nine-digit ZIP code, the finer level of presortation they can do and the cheaper the postage for everything in that particular sack of mail.

And don't forget these mailers are interested in addresses whether you're really interested or not. If you're not giving them Ralsky's address, rest assured that they're probably interested in buying his address from his bank, credit card company, car dealer, etc. The whole philosophy of bulk mail is that you're sending this information to people who may not know they're interested in something the mailer is selling.

The worst money loss comes from paying $0.37 + fee for the Business Reply Mail card you send in. If you feel guilty, don't use the BRM card and pay for the postage yourself. (Just putting a stamp on a BRM card/envelope doesn't work unless you remember to cover/obscure the "Business Reply Mail" box above the address, the five vertical bars to the left of the "stamp" area, and all those horizontal bars along the right-hand side.)

Re:This style of DoS harms more than the target

[EdMcMan]

That would be about as popular as shareware.

Re:This style of DoS harms more than the target

[fname]

Um, fractions of a cent to send a catalog? Cheaping than sending a letter? Is that for real? Go to a store and find the cheapest catalog-sized book. Bet it costs about $6, figure $3 cost to the retailer, so the actual printing process is probably on the order of a dollar or two.

As far as the cost of sending it, it is NOT cheaper to send a catalog than it is to send a letter. It costs per ounce, and for that, the catalog companies are required to do more work for less service. If there is too much mail, they'll hold the catalog for a later date. Not many catalogs in the mail in the 1-2 weeks before x-mas for a good reason. They're all pre-sorted, etc.

I don't know how much it actually costs to send a catlog, but you clearly have no clue. The cost to send the catalog for may be 1/20 or 1/100 the cost per page than to send & print a letter, but it's more expensive to send a whole catalog than it is to send a letter. And trying to argue that one particular piece of junk mail you've subscribed someone to will lower their cost shows a fundamental mis-understanding of math concepts. There is exactly ONE letter that will lower the rate; all the other adds to the cost. So no, by lying and subscribing to a random magazine or catalog for someone you don't like, you aren't saving that magazin/ catalog company any money.

And it's not cheap to send a letter. Companies now deduct $2 or more from bills if you choose all-electronic. The short of it is, by requesting hundreds of catalogs for someone who doesn't want them, you're costing each one of those companies a few bucks. If 1000 people do this, it gets to be a real cost. If a million people do this, you've done real harm to the economy and the environment.

Re:This style of DoS harms more than the target

[deblau]

In the case of signing up a spammer or other unscrupulous individiual to catalogs and other physical mail, the companies that are sending these items are directly bearing the cost of your DoS.

Usually, the practice of sending out items without asking for payment is known as "Marketing". Giving out promo materials is something dreamed up by those guys you've heard about, but never actually seen, who live in the fancy offices while you're stuck in a cube. Strangely enough, they usually get lots and lots of money, and every company seems to have them. Coke spent $837 million on marketing in 2002 (it's down there on page 81). Believe me, they don't care if some spammer in West Bloomfield, Michigan suddenly wants to get a soda fountain catalog. If 50% of their marketing leads were bogus, they'd care.

Re:This style of DoS harms more than the target

[Guppy06]

"Go to a store and find the cheapest catalog-sized book. Bet it costs about $6, figure $3 cost to the retailer, so the actual printing process is probably on the order of a dollar or two."

But a "catalog-sized book" is not a catalog, it is a book. A catalog uses thinner, cheaper paper (note that a "catalog-sized book" doesn't have as many pages as a catalog), cheaper inks, and a cheaper binding method than even your average paperback. Everything is done on the cheap because they print so many of them and because there's no reason to build them to last more than a few months tops.

"As far as the cost of sending it, it is NOT cheaper to send a catalog than it is to send a letter."

You know, I provided links in the original post to the pricing schemes of Standard Mail, Periodical Mail and Bound Printed Matter. Was clicking on them too difficult for you?

"It costs per ounce,"

You're thinking First Class. Presorted mail is generally charged per piece and per pound of total mailing (ie. the weight of all of the pieces together).

Also, the more you are able to presort your mail, the cheaper your rate. However, you need to meet minimum mailing requirements to get the cheaper rates. For example, an entire automation tray of letters going to the same 5-digit ZIP code costs $0.190 each. If I can't fill that tray, they'll have to be put into a tray of letters going to the same 3-digit zone (first three digits of ZIP), and they'll cost $0.203 each.

"If there is too much mail, they'll hold the catalog for a later date."

Which is one of the reasons why they charge less to mail them.

"I don't know how much it actually costs to send a catlog, but you clearly have no clue."

I mailed out over 11,000 letters in October of 2002. How about you?

"The cost to send the catalog for may be 1/20 or 1/100 the cost per page than to send & print a letter, but it's more expensive to send a whole catalog than it is to send a letter."

Standard Mail letter, basic presort: $0.268
Periodical Mail (4 oz. catalog), basic presort: $0.42125

Of course, who's going to respond to that letter unless you include a Business Reply Mail (BRM) card for them to respond on? They're certainly not going to pay for that postage themselves, whether they want your catalog or not.

Standard Mail letter, basic presort: $0.268
First Class card postage: $0.23
Basic BRM per-piece fee: $0.60*
Total: $1.098

Heck, it's cheaper to send them two catalogs!

*(BRM is so "expensive" because you only pay for the postage of the ones you get back, as opposed to paying for stamps for cards that may or may not get mailed to you. Even if you ignore the BRM fee, though, it's still more expensive to send letter + postcard postage than a catalog.)

"And trying to argue that one particular piece of junk mail you've subscribed someone to will lower their cost shows a fundamental mis-understanding of math concepts."

How's this for a math concept: step function. You have to have enough pieces to fill an entire tray or sack (depending on what you're mailing) to reach that lower postage rate. Because of this, when you're near the minimum requirement of the next-cheaper rate class, it is cheaper to add a few more addresses to get to the lower rate. And I can guarantee you that the catalog publishers have step pricing as well.

Which is cheaper: 150 letters at $0.248 each, or 140 letters at $0.268 each?

"Companies now deduct $2 or more from bills if you choose all-electronic."

1. They do this to help offset the fees you pay your bank to use an electronic payment service.
2. Bills must be mailed at First Class rates. They don't get cheaper than $0.352 each.
3. It's not the $0.352 stamp that worries them, it's the $20.00 bounced check fee they may have to deal with.

"The short of it is, by requesting hundreds o

Re:This style of DoS harms more than the target

[fname]

1) Some catalogs weigh MUCH more than 4 ounces, such as Ikea

2) Yeah, it's cheaper to send 150@$0.248 than 140 at $0.268. It's more expensive to send 141 @ $0.268 than 140, even more to send 142, even more to send 143 ...; it's cheaper to send 150 @$0.248 than 149 @ $0.268. It costs more to send 151, even more to send 152, etc. Trust me, the catalog companies are aware of this. I'm sure they do crazy things like sending double copies to people if it puts them over the line. But the idea that, on average, sending an additional piece of mail saves them money makes no sense. Only in the rarest of cases (it's the 150th piece, and the manager was too stupid to send Ms. Jones a second copy) would this one additional catalog save on mailing costs (to say nothing of printing costs).

An ability to perform simple math does not demonstrate any ability to understand difficult math concepts. See, simple math is realizing that sending 150 pieces costs less than sending 149. The important part, which you've ignored, is this: catalogs cost money to print & mail; only the rare piece of mail puts you over the limit to lower the rate; the person sending the catalogs can also perform simple math; even if they can't perform simple math, on average, that additional piece of mail will cost between $0.248 and $0.268.

But it's a good straw man argument, so you might as well stick with it.

Re:This style of DoS harms more than the target

[Guppy06]

"1) Some catalogs weigh MUCH more than 4 ounces, such as Ikea"

That's what "Bound Printed Matter" is for. Again, one of the links I provided in the original post.

"I'm sure they do crazy things like sending double copies to people if it puts them over the line."

Specifically disallowed by postal regulations.

"But the idea that, on average, sending an additional piece of mail saves them money makes no sense."

How do you get "on average" from "may actually be?"

"But it's a good straw man argument, so you might as well stick with it."

Says the guy responding to his only "defensable" (ignoring your hypocrisy) position out of a half-dozen or so. Way to sieze the moral high ground there.

Re:This style of DoS harms more than the target

[lostguy]

Dude, you're an idiot. A little helpful advice -- take the hit and walk away. Arguing is only making you look even more stupid.

Pictures of the quanity of mail that Ralsky gets?

[Leknor]

I know it isa bit off topic but does anyone know of any pictures of the quanity of mail that Ralsky gets?

Post office "DOS" Attack is gonna backfire

[rlsnyder]

Although this is kinda funny in one isolated case, what also has to be considered is the effect on the Postal Service. Sure, they get paid to deliver this mail, but it's not that easy.

Catalogs and Magazine subscriptions ship at cheaper rates. The rural carriers that deliver mail to people's homes aren't set up to carry mass amounts of this type of mail to people; economically, the post office is set up to run with a balance of junk and first class mail on any given route.

Overload this with a hugh amount of bulk-rate junk mail, and you're putting a burden on the capacity of the carrier routes, which in turn will force the Postal Service to modify fees and/or service.

I would be highly suprised if they pass this charge on to the business customers that generate the bulk mail; this would meet with too much resistance and put pressure on the business relationship. Instead, I wager we'll see the fees passed along to first class, consumer mail either through an increase in postage fees and/or fees for home delivery of mail.

In short - The Postal Service is not the Internet. It is one orginization that can and will respond to this type of abuse, and the end result will be less service / increased cost.

Re:Post office "DOS" Attack is gonna backfire

[jonr]

Good. I only hope that the junkmail will be more expensive to distribute, and fewer companies will use the "service".
J.

Re:Post office "DOS" Attack is gonna backfire

[shyster]

I believe that the USPS is not allowed to subsidize bulk mail with 1st class mail charges. Most years, bulk mail actually subsidizes 1st class...but I think they've moved away from that lately.

Re:Post office "DOS" Attack is gonna backfire

[Pharmboy]

In short - The Postal Service is not the Internet. It is one orginization that can and will respond to this type of abuse, and the end result will be less service / increased cost.

You have to be kidding. Most catalogs by request are sent FIRST CLASS because most companies don't send enough mail every day or week to get bulk. Yes, Sears does, but for every Sears that sends a catalog there are 50 "Bob's Hottubs" that have catalogs by request that do not send enough regularly enough to get a discount. If you are not sending out at least 1000 pieces in one whack. Also, I tend to think the final delivery of 1200 pieces of mail to one address takes less resources than 1200 pieces of mail to 1200 addresses, even if the journey to that station is the same.

So the post office has been compensated for their efforts. To think 'poor post office' is pretty damn silly. Unless there is some kind of fraud or other crime involved, the USPS doesn't have an interest in this. Frankly, I don't see the crime and neither does the victim, since he is trying to sue, NOT seek criminal charges.

Re:Post office "DOS" Attack is gonna backfire

[Guppy06]

You're forgetting the option of simply delivering a little yellow postcard from the local post office saying "We can't deliver it all, come pick it up."

At any rate, the cost of delivering the mail is paid for by the postage (imagine that!). Even if you pre-sort the mail as finely as you can (in the order the delivery person drives past the addresses, no less) and bring it to the destination post office yourself (or through a third party), you still have to pay postage for the simple act of delivering the articles.

Re:Post office "DOS" Attack is gonna backfire

[Rich0]

The rural carriers that deliver mail to people's homes aren't set up to carry mass amounts of this type of mail to people; economically, the post office is set up to run with a balance of junk and first class mail on any given route.

Which is more costly - delivering 100,000 magazines to 100,000 addresses for 20 cents apiece, or delivering 100,000 magazines to 1 address for 20 cents apiece? The extra volume comes with extra postage, and since it is all going to one place they can just fill up a dump truck with the junk mail and dump it all on his driveway... Keep in mind that the cheap bulk rate is already profitable assuming it is distributed all over the country - if it is focused on a single address it has to be cheaper to deliver.

Re:Post office "DOS" Attack is gonna backfire

[bill_mcgonigle]

Watch out, the socialists will try to convict you of attempting to raise the (admittedly subsidized) cost of a stamp, thereby trampling on people's first ammendment rights.

This is a serious issue

[stand]

Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.

Also, you can't write filters to automatically route or categorize snail mail. You have to go through it all to find the non-spam. If this kind of attack catches on, watch out.

I'm interested, is there anyone out there that works for the Postal Service? How can victims deal with this sort of thing?

Re:This is a serious issue

[Xerithane]

Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.

I doubt I would incur the amount of motivated anger for a group of people to spend this much time doing it. I piss a lot of people off. I get people that sign me up for shit all the time. All email though, because it's hard to actually get my real address off the net without spending a few bucks.

People get pissed when you spam them, and then you get a mob, and mobs do great things to bad people (sometimes.) It's not as if Mr. Ralsky is a decent person, he is getting what he deserves. Karma does work, it's just man-made.

Re:This is a serious issue

[stand]

I doubt I would incur the amount of motivated anger for a group of people to spend this much time doing it.

Maybe, but it wouldn't even take a group of people. All you'd need is one motivated person with a search engine and a Web manipulation module like Perl's LWP. You could easily write a script to flood a person with junk mail all by yourself. A little easier to trace maybe, but still damn hard to stop.

Re:This is a serious issue

[Xerithane]

Maybe, but it wouldn't even take a group of people. All you'd need is one motivated person with a search engine and a Web manipulation module like Perl's LWP. You could easily write a script to flood a person with junk mail all by yourself. A little easier to trace maybe, but still damn hard to stop.

True, I know the methods for tracking one down online and take steps to protecting my actual address. You can get many addresses on me, but I doubt any of them are actually correct. That's my little safeguard. Although I would feel bad if it happened to one of the people living at the other addresses...

Re:This is a serious issue

[Angry+White+Guy]

You sure? Post your address here :)

From your freak list...

APL bigot (606126)
aussersterne (212916)
chris_mahan (256577)
CowardNeal (627678)
cranos (592602)
DAldredge (2353)
Elbereth (58257)
Godeke (32895)
Gojira Shipi-Taro (465802)
Graspee_Leemoor (302316)
Grishnakh (216268)
Hott of the World (537284)
IceAgeComing (636874)
Inthewire (521207)
isoteareth (321937)
LucVdB (64664)
mansemat (65131)
MillionthMonkey (240664)
NineNine (235196)
No More Wankers (605612)
nordicfrost (118437)
not_anne (203907)
PinkStainlessTail (469560)
prizog (42097)
ronfar (52216)
sheldonb (68034)
sir99 (517110)
squiggleslash (241428)
stephenbooth (172227)
TheBahxMan (249147)
thumperward (553422)
tigris (192178)
Tom7 (102298)
warmcat (3545)
workindev (607574)
zod1025 (189215)
_Ludwig (86077)

Re:This is a serious issue

[Buzz_Litebeer]

This stuff goes beyond that man, My friend owns and runs a popular website for mechwarrior gaming. He set up a paypal account on his site, and now had enough money to run a big internet pipe into his house, and host the site on hardware.

2 days after the transition, someone tried running 550k e-mails through his machine. His machine had a properly set up filter, and bounsed everything back, unfortunatly it knocked out his ISP who he was buying the business line out of. So now the site is down, and the isp hasnt restored service because they say that he has exceeded bandwidth quota for his business package he signed up for.

This stuff DOES affect the people having it happen to, its just as bad as sending it through the mail, in the mail people get paid for every letter of mail they send. Online when someone shuts you down by using your paid for bandwidth, the cost lies on you, not them to cover, and that is wrong.

Anyone that does what these people do, people like Ralsky, needs to get charged for every e-mail. They should have to register as bulk mailers, that way anyone hit by an attack originating from their bulk e-mails can hit them up for cost of business lost.

Re:This is a serious issue

[ATMAvatar]

Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you.

When I start sending around 1 billion spam emails a day, I would hope people do this to me.

This guy became a millionaire at the expense of ISPs and internet users across the globe. He represents the worst aspects of humanity, and deserves what he gets.

DoS!=DOS

[SHEENmaster]

"Denial of Service", is the flooding of a server so that it stops functioning.
"Disk Operating System", is an OS like Windows that bases its structure upon drives rather than directories like UNIX/Linux or Mac OS do. Windows NT is still a DOS even if it (supposedly) doesn't contain MS-DOS derived code.

On a side note, DOSes seem to contribute more to server malfunctions than DoSes.

Re:DoS!=DOS

[Archfeld]

err no, NT and even 2K are DRIVE LETTER dependent, 2003 will be the first fully dynamic system that will allow mounts of drives without a drive letter identifier. Beleive me, Exchange and a large SAN frame have proved this fact over and over again.
If someone can provide info to the different I would be grateful...

Re:DoS!=DOS

[srvivn21]

While the parent that you responded to is a bit rude, he is (at least partly) correct. I have a Win2K Pro setup at home with two 4.2 GB drives. One of them is mounted as my C: and P: drives (the partition holding the P: drive is my page file), and the other is mounted as a directory under "Program Files" called "Games". It has no drive letter.

I don't know if this was possible in NT, but here is an article on how it's done in 2000 or XP.

Re:DoS!=DOS

[duffbeer703]

That is a an API problem, not a limit of the OS.

Re:DoS!=DOS

[Archfeld]

Why can I only define 26 drives then total, local + fiber attached SAN disks in a Hitachi frame in Win2K AS or even Data Center. Your article only shows how to CHANGE the drive letter not how to have a drive WITHOUT a needed letter, What I need is unix like /dev/dsk/yada yada...
Exchange storage groups can only be a certain size for managability reasons, my monster server, 8 way cluster servers with 8gb of memory can handle oodles off sg's but each one is a drive and I am limited to 26 in any environment.
Thanks for the link though.

Re:DoS!=DOS

[Dahan]

That is a an API problem, not a limit of the OS.

More like a problem with the Doom III installer. GetDiskFreeSpaceEx takes a directory name and returns the amount of free space available on the volume that directory is in. Sounds like the Doom III installer is "helpfully" trimming off the directory and just passing in the drive letter. As Microsoft pointed out back in the Windows 2000 beta days:

The introduction of Dfs, NTFS junctions, and volume mount points creates situations where logical directories do not have to correspond to the same physical volume. Thus, disk space should not be assumed based on space queries made in directories other than the current one.

Re:DoS!=DOS

[GlassUser]

You should try it. You can also remove the drive letter assignment completely. So basically you can have a drive sitting there, connected and recognized by the system, but supposedly inacessable (you can actually refer to it by GUID, but only to mount and perform low level operations, I believe). And yes, before you spring with another arbitrary argument, all of this can be done from the command line.

Re:DoS!=DOS

[tomhudson]

plug an nt drive into a space controller cable on a linux box, then do a dd if=/dev/hd of=part.bin count=1024

now, use midnight commander mc to read part.bin, and you'll find a (at least on the version of Win2K I tested it on) text identifying it as a DOS 5.0 partition. Win9x has text saying it's a DOS 6.2 partition.

They're not really DOS %/6x partitions, but the code that creates the partitions is still based on that old DOS code, was never cleaned up, just extended, and still writes the same crap to the part. table.

Under both Win9x and WinNT, the drive letters are the basis of the system.

Re:DoS!=DOS

[srvivn21]

Your article only shows how to CHANGE the drive letter not how to have a drive WITHOUT a needed letter...

If there is already a drive letter assigned, click Remove. Next, click Add. When the Add New Drive Letter or Path dialog box opens, select the 'Mount in this NTFS folder' radio button and click Browse. Click Drive C to select it and then click New Folder. Name the folder and click OK.

I have never tried putting more than 10 drives in any system (nor have I had the onus of managing an Exchange server/cluster), so I can't verify if it is possible (although I guess I could partition a couple drives wildly. Hmmmm...). But the article does state how to remove the drive letter. Again, I have no empirical evidence that this will allow you to mount more than 26 drives.

Sorry it wasn't any more help.

Re:DoS!=DOS

[srvivn21]

It doesn't really work, though. Here is one example that has happened to me, although I've change the numbers and names here. Suppose your C:\ drive has 500 MB of free space, but your C:\Games directory is a different partition that has 20 GB of free disk space. Now suppose you buy Doom III, and it needs 2 GB of disk space. When the Doom III installer askes how much space is available on C:\ drive to ensure it has the space it needs to install the game, it will receive the answer that only 500 MB is available and will refuse to install in C:\Games (even though there is plenty of space available in that directory).

I'd have to disagree here. As stated above, my second drive is mounted as "Games". I don't have Doom III installed (obviously), but of the 6 or 7 games I have installed, none had a problem. My main drive only has about 500 MB left...

Re:DoS!=DOS

[srvivn21]

Who'd have ever thought that I would be defending Windows? *shrug*

Just because the partition is identified as a DOS 5.0 partition doesn't mean that it has to be mounted as a drive letter. Mount that partition under Linux (or BSD or (if possible) VMS), and you won't access it using a drive letter.

The same can be said for Win2K. You can mount a drive as a non-letter volume, and the lower levels of Win2K don't use drive letters. Here's my boot.ini on my work PC (something like lilo.conf):


[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0 )partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINN T="Microso ft Windows 2000 Professional" /fastdetect


Not a drive letter to be seen.

Re:DoS!=DOS

[tomhudson]

What I was pointing out is that many of the tools used in Win2k et. al. are just extensions/updates/mods of MS-DOS tools.

The original poster of this sub-thread was just pointing out that DoS != DOS, (Denial of Service != Disk Operating System).

Mind you, I think we're all in acronym hell nowadays anyway - for example ATM != ATM (Automatic Teller Machine != Asynchronous Transfer Mode) as just one example. Guess we'll have to switch to Acronyms Version 6 (Av6) soon because fo the namespace pollution :-)

Re:DoS!=DOS

[Archfeld]

you are correct and it is different then I had been told but I still can't use the disk, even disk administrator fails to see the device. In order for it to be generally useable it has got to be mounted and assigned a drive letter.
I don't mean to spring arbitrary arguments, I was originally a solaris admin and this should all be EASILY accomplished, but the brave new microsoft world I've been handed has some issues that I have yet to figure out :)

Re:DoS!=DOS

[GlassUser]

To be usable, it has to be mounted. But it does not necessarily have to be mounted to a drive letter. If a program requires that, it is not coded in a properly extensible manner. Tsk tsk.

It seems fairly easy to me. It's all there, there's just different ways to do things.

Re:DoS!=DOS

[srvivn21]

Mind you, I think we're all in acronym hell nowadays anyway - for example ATM != ATM (Automatic Teller Machine != Asynchronous Transfer Mode) as just one example. Guess we'll have to switch to Acronyms Version 6 (Av6) soon because fo the namespace pollution :-)

It's all about the context. :o)

1) The bandage was wound around the wound.

2) The farm was used to produce produce.

3) The dump was so full that it had to refuse more refuse.

4) We must polish the Polish furniture.

5) He could lead if he would get the lead out.

6) The soldier decided to desert his dessert in the desert.

7) Since there is no time like the present, he thought it was time to present the present.

8) A bass was painted on the head of the bass drum.

9) When shot at, the dove dove into the bushes.

10) I did not object to the object.

11) The insurance was invalid for the invalid.

12) There was a row among the oarsmen about how to row.

13) They were too close to the door to close it.

14) The buck does funny things when the does are present.

15) A seamstress and a sewer fell down into a sewer line.

16) To help with planting, the farmer taught his sow to sow.

17) The wind was too strong to wind the sail.

18) After a number of injections my jaw got number.

19) Upon seeing the tear in the painting I shed a tear.

20) I had to subject the subject to a series of tests.

21) How can I intimate this to my most intimate friend?

Re:DoS!=DOS

[tomhudson]

Love your list, it's a lot funnier than those stupid ...profit lists - if I had mod points today, you'd get a +1 funny for sure :-)

Re:DoS!=DOS

[srvivn21]

Thanks, I liked it enough to save it. I certainly can't claim credit for creating it...

Anonymous so no karma whoring

Obligatory article text post

Automated Denial-of-Service Attack Using the U.S. Post Office

In December 2002, the notorious spam king Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.

Ironic, definitely. But more interesting is the related paper by security researchers Simon Byers, Avi Rubin and Dave Kormann, who have demonstrated how to automate this attack.

If you type the following search string into Google -- request catalog name address city state zip -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms. You'll have to do some parsing of the forms, but it's not too difficult. (There are actually a few more problems to solve. For example, the search engines normally don't return more than 1,000 actual hits per query.) When you're done, voila! It's Slashdot's attack, fully automated and dutifully executed by the U.S. Postal Service.

If this were just a nasty way to harass people you don't like, it wouldn't be worth writing about. What's interesting about this attack is that it exploits the boundary between cyberspace and the real world. The reason spamming normally doesn't work with physical mail is that sending a piece of mail costs money, and it's just too expensive to bury someone's house in mail. Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the Post Office and catalog mailings. All the pieces are required for the attack to work.

And there's no easy defense. Companies want to make it easy for someone to request a catalog. If the attacker used an anonymous connection to launch his attack -- one of the zillions of open wireless networks would be a good choice -- I don't see how he would ever get caught. Even worse, it could take years for the victim to get his name off all of the mailing lists -- if he ever could.

Individual catalog companies can protect themselves by adding a human test to their sign-up form. The idea is to add a step that a person can easily do, but a machine can't. The most common technique is to produce a text image that OCR technology can't understand but the human eye can, and to require that the text be typed into the form. These have been popping up on Web sites to prevent automatic registration; I've seen them on Yahoo and PayPal, for example.

If everyone used this sort of thing, the attack wouldn't work. But the economics of the situation means that this won't happen. The attack works in aggregate; each individual catalog mailer only participates to a small degree. There would have to be a lot of fraud for it to be worth the money for a single catalog mailer to install the countermeasure. (Making it illegal to send a catalog to someone who didn't request it could change the economics.)

Attacks like this abound. They arise when an old physical process is moved onto the Internet, and is then automated in some unanticipated way. They're emergent proper

Be Aware...

[A+Guy+From+Ottawa]

It just goes to show that people should be very careful with their personal information.

Sincerely,

Guy LeBarge
186 Rideau St.
Ottawa, ON
K1A 25U

Re:Be Aware...

[MalleusEBHC]

So what did this Guy LeBarge dude do to piss you off? ;)

Re:Be Aware...

[SmoothOperator]

You mean 24 Sussex Drive, Ottawa.... I know for a fact that JC loves a good prank now and then.

Re:Be Aware...

[achaudhary]

I believe Rideau St is where Rideau Hall is located? The Governor-General's residence? Hey man, pick on Jean Chretien... Adrienne Clarkson's cool.

Re:Be Aware...

[mrtroy]

Oh ya...now I finally know what I am going to do to my landlord when I move out.

I live in a city with two really close universities, and housing is tight for students around here, so landlords rip you off. Not only that, my landlord is a sneaky, lying bastard.

Before we move in:

Landlord: yes, I will put in a washer/drier/new stove, paint the house, blah blah blah

Foolish me: oh great!

I move in.

Ok, new stove, wheres everything else

Landlord: I am going to florida!

Foolish me: ok ill spend 3 days painting and carry my laundry to my gf's.

Now, since I know his address (i mail my checks somewhere!), he can recieve 5 pounds of junk mail a day!

The paper..

[EinarH]

Anyone except me that see the irony in the fact that those who wrote the paper Defending against an internet-based attack on the physical world displays their physichal world location on the top of the paper?

It's Not Ironic...

[MBCook]

It's poetic justice. From dictionary.com:

"...and the punishment of vice, often in an especially appropriate or ironic manner. "

So you see, this is poetic justice, not irony. That said, I'm not mad about this happening to him, is anyone else?

Re:It's Not Ironic...

[taernim]

This sounds like that whole debate about how Alanis' song "Ironic" isn't really about ironic things..

I think the important thing to remember is, ironic or not... it's damn funny ^_^

Huh?

[wirelessbuzzers]

They didn't call this spam counterattack "bad" although it is certainly illegal. But it is an attack, and these guys are security geeks, so it's their job to investigate and propose countermeasures to things like this.

Re:Huh?

[Pharmboy]

They didn't call this spam counterattack "bad" although it is certainly illegal. But it is an attack, and these guys are security geeks, so it's their job to investigate and propose countermeasures to things like this.

Out of curiosity, exactly what criminal law does this violate?

Re:Huh?

[Pfhreakaz0id]

Out of curiosity, exactly what criminal law does this violate?
impersonation of an anal orifice.

re: Google and DOS Attack Via US Postal Service

[mediahacker]

He suggests that you type "request catalog name address city state zip" into Google whereupon Google will kick back some 250,000 pages with online web forms to fill out.

Google now kicks back one hit - the article itself...

You really have to strip your search down before it starts returning anything.

Re:Lex Talionis is a morally bankrupt code

[Angry+White+Guy]

What kind of giddy moral superiority to you get from seeing anyone hurt?

The best kind!

That's why I pay for my fun.

[RatBastard]

Nothing says "loving" like a box of dryer lint with no return address.

Re:That's why I pay for my fun.

[Angry+White+Guy]

How much is it to post a human head?

That's also oozing with something, if not love.

Re:That's why I pay for my fun.

[Jennifer+Ever]

How much is it to post a human head?

Shrunken or still-bleeding?

Re:That's why I pay for my fun.

[usotsuki]

Judging by the word "oozing" in the parent post, I'd suggest still bleeding.

-uso.
Now if I can only build Wolfenstein from sources...ALMOST THERE <pronk>

Re:That's why I pay for my fun.

[yokem_55]

Based on some informal googling I found that the average human head weighs around 10-13 lbs while attached (mine naturally is much heavier than that though). However, when it is detached, a significant amount of blood will be lost out of the head, and so you can then presume it to be 2-3 pounds lighter, unless you replace the blood with some sort of embalming fluid. Now if you are mailing this within the US, you can refer to the USPS rate chart available at www.usps.com

Re:I say start a 2nd wave...

[nuggz]

try calling his local pizza place, and order several.

Because fraud is fun? Or you just want to cause trouble for innocent business owners.

One variation on the same theme

[forged]

This is nothing new. Back 20 years ago or so, my father (heh!) used to collect old newspapers at airports, then he would fold 3 or 4 newspapers together into a very thick enveloppe and send this without stamps to a person of his choice that he disliked at this time.

That worked well because where we lived, enveloppes without a return address and without stamps were delivered allright, and had to be paid in full by the receiving party for the cost of shipping plus a penalty fee for not stamping the mail in the first place.

I doubt that he's ever made someone loose great amounts of money, but that must have annoyed the hell out of those people receiving junk and having to pay for it !

Re:Lex Talionis is a morally bankrupt code

This is a joke, right? Morally bankrupt my ass. I say rape the rapist. Murder the murderers. And SPAM THE FUCK OUT OF THE SPAMMERS!

Re: Google and DOS Attack Via US Postal Service

[miniretsam]

i think he meant to search all of the words, not the phrase. leave out the quotation marks and the search yields 263,000 hits...

Re: Google and DOS Attack Via US Postal Service

Try taking the quotes off your search.

263K hits last time i tried it.

Re:Lex Talionis is a morally bankrupt code

[gmhowell]

Too bad you are AC. Hope you are keeping an eye on this note.

You make numerous statements without backing. Examples: "We can't live in a world without judgement." "It can't deal with the complexities of the modern legal order," "Lex Talionis, the principle of an eye for an eye, is a morally bankrupt code of law"

Perhaps in some circumstance, this is the case. However, most people are too stupid to understand anything more complex than 'eye for an eye'.

I'd post more, but I'd probably be shouting at the wall.

Maybe somebody would realize that it is serious...

[Kjella]

...when they understand the real-world equivalent. He's one man being DDoS'd, online almost everybody with a reasonably public email address is DDoS'd. I've got a university account, that has never been posted to mailing-lists, usenet, forums but is fairly accessible from the university homepage (student cataloges etc.) SPAM is on the rise, and that's a mail address I can't change to dlkjghadlgh@somehost.com just to get away, any more than I could move away to avoid being spammed in the real world. Neither can businesses and others with the need for a static and publicly accessible address.

At least the catalogs he's getting have a real return address. I hate spam with fake sender, and I hope someone will soon enforce that domain.com must come from a domain.com mail server (or through one with authentication) and start the snowball running. If you can't send through the domain.com mail server, why should anyone believe you have the right to send mail for user@domain.com? The default "trust anyone" is one of the big signs e-mail was designed for "serious" use by "serious" people before the general public started using and abusing it.

Kjella

What about the USPS?

[phylus]

I wonder, how does the USPS deal with a person who gets that much mail? Obviously they have to deliver it since that's their whole purpose, but I know the little mail truck that comes to my house probably couldn't fit a few extra hundred pounds of mail. And the poor mailman, and the mailbox itself.

I mean, logistically, how do they cope with it?

Re:What about the USPS?

[dentar]

Each piece of mail was paid for. So, they deliver it! Why is this even a question?

Re:What about the USPS?

[phylus]

Like I said, they have to deliver it. But if you were to live in a place where there is a rural carrier in his little car, what do they do when they are not able to deliver it in a standard manner? What if there is no room in your mailbox? Do they throw it on the ground, store your hundreds of pounds of mail at the post office in the hope that you will come and get it?

Re:What about the USPS?

[wmspringer]

If they're anything like UPS, they put it under the door mat.

I swear, every time they try to deliver a package and I'm not home they stick it under the mat, even if that means the mat is a foot in the air..

Re:I say start a 2nd wave...

[miniretsam]

Calling the local taxi services and sending them there for pickup is also fun...as can be donation centers for pickups, applicance repair services, etc.

no, it is not

[g4dget]

Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you.

Well, if you piss off people, they may try to get back at you. The Ralsky attack is the result of Ralsky pissing off a lot of people an each person engaging in a small and individually harmless act. In comparison to the kind of disputes among neighbors and individuals that often occur in the real world, that seems both harmless and unprosecutable. Welcome to the real world.

If you piss off a lot of people for justifiable reasons (e.g., you are the author of Satanic Verses), then some concerned government may try to help you out. Otherwise, the solution is simple: don't piss off too many people.

Re:no, it is not

[stand]

I agree that you shouldn't piss off too many people. Believe me, I haven't shed any tears over Ralsky's fate. But the power of DOS attacks is that they can be initiated easily by motivated *individuals*. As I said on another post, it would be easy to automate what happened to Ralsky such that a single person could initiate a flood of junk mail to any specified postal address. Or maybe you could flood a town's post office with junk mail to create a diversion and then send a real nasty letter (e.g. Anthrax) to the same place in an attempt to hide it. That is the real danger.

Gees! I'm becomming such a conspiracy theorist!

Re:no, it is not

[g4dget]

But the power of DOS attacks is that they can be initiated easily by motivated *individuals*. As I said on another post, it would be easy to automate what happened to Ralsky such that a single person could initiate a flood of junk mail to any specified postal address. Or maybe you could flood a town's post office with junk mail to create a diversion and then send a real nasty letter (e.g. Anthrax) to the same place in an attempt to hide it. That is the real danger.

Come on, think about it: "someone might construct some script that then might cause lots of junk mail to be sent so that someone might be able to send through an anthrax-laced letter without anybody noticing it". You call that a "real danger"? A motivated individual could walk into a post office with a gun or bomb, and they do, albeit very, very rarely.

The "real danger" in our lives is that we trip and hit our heads, or that we crash in our cars, or that we fall down stairs, or that we eat too much greasy food and get a heart attack, or that we catch the flu. All this terrorism and cyber-attack stuff is just BS to scare people into reelecting politicians who don't know how to address the real problems that threaten us and kill us.

Re:no, it is not

[LookSharp]

If you piss off a lot of people for justifiable reasons (e.g., you are the author of Satanic Verses)...

Wow. Just... Wow! Justifiable reasons? Just because Islamic Fundamentalists regarded the author's work as blasphemy requiring personally-executed capital punishment doesn't mean that action is justifiable.

(I've never read The Satanic Versus, but people have written far more hertical and blasphemous things about Christian and Jewish beliefs. Personally, I find that opinions counter to any established school of thought are usually interesting, even if they are conspicuously wrong. What was that quote again? "Nothing is offensive to the rational mind?")

Re:no, it is not

[stand]

Whew! I've never been accused of trying to get Bush reelected before. (*That* is the "real danger" :), I think).

rather than electronic attacks,

[sstory]

I favor Tomahawk cruise missiles, Delta Force...

How about a digital pager DDOS attack?

[philipsblows]

Take:

• One phone number (the victim)
• One war dialer
• Many, many pager numbers

Empirically, 1000 pagers (at 3-4 dial sequences per minute) equals about 4 days of constant calls to the vicitim's phone. How I know this is another discussion...

Of course, this was more effective when digital pagers were much, much more popular. Today, it probably wouldn't go over as well, but back in the late 80s and early 90s, it worked flawlessly. Essentially, it was distributed crank calling before the "DDOS" term was coined.

The most interesting part was that the pager companies explicitly refused to do anything about it. No tracing of calls, no attempts to halt sequential dialing, etc. Not their problem.

Re:How about a digital pager DDOS attack?

[dacetone]

Yep, I can vouch that this is an effective technique, especially with huge ranges of 800 # pagers...

Re:How about a digital pager DDOS attack?

[dubstop]

A Distributed Denial Of Sleep attack.

Re:How about a digital pager DDOS attack?

[Dossy]

Want to talk about just desserts?

Get a hold of Ralsky's home telephone number. Then, grab as many spam email lists as you can. Send a few hundred million spam emails out with a body that reads something like:

"If you'd like to be taken out of our bulk-mailing database, please call <insert Ralsky's phone number here>."

It's a nice DDoS and if you can keep getting his number every time he gets it changed (heh) this could be quite useful. He might even start taking people who call out of his databases.

-- Dossy

I said that to Dr. Fatburn.

[www.sorehands.com]

I said the same to George Moore, aka. Dr. Fatburn. He gave me a great quote, "I don't want to take time out my enjoyment of life, to write that I didn't subscribe."

What's wrong, he could he not do the physical world equivelent of clicking the unsubscribe link?

Re: Google and DOS Attack Via US Postal Service

[mediahacker]

DOH!

You are correct Sir

retaliatory postal spamming works

I work for a scummy direct marketing company, and can tell you that when people mail back dog shit, dead cats, bricks, etc. it really does slow business down because that mail is not sorted from the legitimate mail. From time to time the bomb squad is even called in to check an unexpected parcel and that can gum up the whole works.

Setting them on each other..?

So, someone could write a script to harvest the form details for a whole lot of catalogue companies, **and each company's address** at the same time. Then they could sign each company up for all the other companies' catalogues. Not only would each of these snail-mail spammers suffer a deluge of mail in a week or two, they'd also spend a fortune on mailing catalogues they'd never recover through sales, heh! Perhaps they could be put out of business, making life nicer for the rest of us..?

Now, if only I could write PERL... :-)

Change of address

[Vic]

Someone needs to find out where he moved to, and make sure his "change of address" info gets filled out at the post office. We wouldn't want him to miss out on any important mail. :)

That's ok, you wouldn't get there

[SuperBanana]

"Anyone except me that see the irony in the fact that those who wrote the paper Defending against an internet-based attack on the physical world displays their physichal world location on the top of the paper?"

Whoa, lay off the sauce, bub. In your current condition, I think you'd get about 2 blocks before you smacked your car into a tree. Just to be safe though, please give your keyboard+mouse to a designated Slashdot Reader? We wouldn't want you to bash up your car(ma).

Pardon while I run for cover due to the atrocious pun in the last sentence.

Re:Lex Talionis is a morally bankrupt code

[Ungrounded+Lightning]

Lex Talionis, the principle of an eye for an eye, is a morally bankrupt code of law we've been moving away from for the past few thousand years, thankfully.

Wrong. Lex Talionis was the principle that you take NO MORE than an eye for an eye - promulgated as an "improvement" in an era where the response to losing an eye (or a purse) might be to do in the alleged perpetrator and confiscate all his worldly goods.

It's morally bankrupt, all right. But only to the extent that if the thief only loses what he stole, and has a nonzero chance of getting away with it, theft remains a profitmaking enterprise despite full enforcement of the law. So it becomes an endorsement of theft as a lifestyle. This is why there are "puntitive damages" - extra penalties to punish the perpetrator (thus making continued misbehavior a losing proposition even with imperfect law enforcement).

None of which applies here. Applying "Lex Talionis" to the spammer would mean spamming him, rather than seeking compensatory and puntitive damages.

===

Which is what they did, isn't it? B-)

===

Lex Talionis also recognizes a moral principal of equivalency, to wit: In an egalitarian society, regardless of what actions you think are fair, you have NO moral gripe if someone does to YOU what YOU did to them. If it was wrong for them to do in retaliation, it was AT LEAST as wrong for YOU to do without provocation.

===

I note, by the way, that your posting is IDENTICAL to one you made several times previously - including in the slashdot article credited with inspring the USPS DDoS attack in the first place. (And that last one I cited was under your own slashdot ID of Chuck Flynn.) Given that, I felt free to repeat, almost verbatim, my response to your most recent previous missive.

The posts that recieve your canned response seem to be any suggestion about spamming the spammers. You wouldn't happen to be a spammer, would you?

Re:I say start a 2nd wave...

Not only is it a stupid idea, it won't work - pizza places have been doing callback validation for years.

Junk mail -- send it back

Junk mail usually comes with return envelopes, so send the junk back!!! Empty, or filled with scrap paper (maybe other junk mail).

I guess they have to pay postage for all those returned envelopes...

2 Cool fun things to try!

[mabhatter654]

First, when the lawsuit [counter suit] gets going, can they get a deposition aginst him to discuss how he:

a. reads all of his own spam email? If not, why? Why should we?
a. sends anonomus mail-and the list of addresses he sends it from.
b. blocks incomming spam from his personal accounts! Does he include a "secret" header code in the spam, or block the list of addresses that he owns+ his buddies? How can I be on that list?

Did everyone make sure to slightly misspell his name, fake name, etc. when they filled out the forms [note: I only just heard about this and being a lamer have not contributed my self] This would make being removed from the lists that much harder. Of course, I'm sure he's against the "do not spam" lists--so he shouldn't expect anyone to automate the removal process for his address from the databases, now should he!

NAZ

[Myko]

So, what the heck IS his address??

Re:I say start a 2nd wave...

[Doug+Neal]

try calling his local pizza place, and order several... ...just after breakfast time.

From The Spamhaus Project

[djaxl]

Alan Ralsky aliases and addresses.

Seems like his "real" address is:
Alan Murray Ralsky
6747 Minnow Pond Dr,
West Bloomfield,
MI 48322
Telephone: 248-926-0688
Current email address: amr777@comcast.net

Re:From The Spamhaus Project

[anagama]

Comcast? They just bought out AT&T cable in my area. All of a sudden, I'm getting 6 spams a day on an email account that got 2 in the prior year. Conspiracy??

Re:From The Spamhaus Project

[NoWhereMan]

Thanks for the new email address. He probably misses all that spam being returned to him.

----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
451 ... rxpoint.com: Name server timeout
Message could not be delivered for 5 days
Message will be deleted from queue

Re:From The Spamhaus Project

[Guppy06]

For all you data miners out there, the USPS verified address is:

Alan Murray Ralsky
6747 Minnow Pond Dr
West Bloomfield, MI 48322-2663

That's on carrier route C 061, delivery point 47 in Oakland County.

Re:Lex Talionis is a morally bankrupt code

[Guppy06]

If this were "eye for an eye," all that mail Ralsky would be getting would be delivered postage due.

The positive side of REAL junk mail

[HeyBob!]

Years ago, I read about a guy who intentionally signed up for as many catalogs and other junk mail as possible. I think he got 200 lbs a day. He heats his house with it.

Re: Google and DOS Attack Via US Postal Service

[HeghmoH]

I always wondered why instructions contained phrases like:

Now type "somecommand" (without the quotes).

Now I know....

Property value

[Deanasc]

Theoretically they may have lowered the value of his house upon resale. Like murders or other infamous events in a house it's the sellers responsibility to inform the buyer or the deal can be busted at a later date. So the spammer must inform the next buyer that they may recieve a monthly flood of "For Alan Ralsky or current occupant" mail. I know I would think twice about moving into a cursed address.

Re:Lex Talionis is a morally bankrupt code

[geekoid]

"
Lex Talionis, the principle of an eye for an eye,..."

If you studied this, you owuld not an eye for an eye is not literal. It is about compensation. granted, its been used out of context and basterdized by anybody who wants to do violence.

Back to Spam.
This guy is costing people a lot of money, and there is no practical recourse. It would be very difficult, if not impossible, to draft a law, or make a change to the internet to stop this abusive behaviour that would not change the internet to a heap of worthless crap.

He is not being hurt. He is being taught a valuable lesson: "Whats good for the goose is good for the gander"
More iportantly, people are taking notice and being made aware.
The only way thru stop spam is through education.

Re:I say start a 2nd wave...

[geekoid]

see, the pizza deal will only hurt the pizza shop owners.
If a guy showed up with 20 pizzas you didn't order, would you pay?

I saw that in Harry Potter.

[TheBoostedBrain]

Yepp.. at the beginning of the first harry potter movie he is attacked this way by Hogwarts.

Obvious Target

[Paul+E.+Loeb]

Am I the only one who is going to mention such a great target for this type of retalliation? I believe I have several hundred AOL cds that arrived at my house without warrant. Perhaps the AOL distribution office needs a cluttered mailbox... :)

Re:Lex Talionis is a morally bankrupt code

[splinterBR]

I think in some cases eye for an eye isn't appropriate--for example, murdering a killer is going too easy on them--locked in a cell for a long-ass time is much crueler and more deserving. However, I agree with the previous poster: SPAM THE FUCK OUT OF THE SPAMMERS

Not funny yet

[phrenq]

Enough time hasn't passed. 22.3 years. That's how long it takes for something tragic to become funny.

Re: feel safer yet?

[hburch]

As of March 1, 2003, the Secret Service and the Customs Services have been moved from the Treasury Department to the Department of Homeland Security. ATF has been split between the "tax and trade bureau", which remained in the Treasury Department, and the "law enforcement functions", which moved to the Department of Justice.

I know it's a joke, but it's a little out-of-date.

wtf? we go EASY on rapists.

[caveat]

Eh, I got enough karma, I'll bite.
Theft, assault, embezzlement, drug crimes, so on and so forth, maybe even murder, do deserve a fitting, lesser punishment...but we go too kindly on rapists as is already.

Rape is a totally different level of crime than anything short of killing somebody, and even when you kill them you aren't stuck on that same pure brutal desire to show that you can dominate somebody and do whatever you want to them, and there's not a damn thing they can do about it. I think a framing hammer to the testicles and glans would be a more fitting punishment - followed by hanging, drawing, and quartering. In the grand olde english fashion, with the entrails and the blood and the horrible horrible suffering...mmmm, let those fuckers swing. (disclaimer: very close friend was raped about a year ago)

Re:wtf? we go EASY on rapists.

[caveat]

That makes no sense whatsoever. I'm reading the first part as a rehash of my rant with "murderer" in place of "rapist" - but that has nothing to do with me, I've never killed anybody.
Beaten to within an inch of their life yes (throw out of court when it came out he was abusing his 11-year old girl), but killed, never. Still, I can *conceive* of a situation where killing would be understandable and justified, but not rape. And this is a total waste of my time at 1:54 am, you're too chickenshit to post under a real name, no reason to expect a reply.

Incidentally, why the insane venom for me? Are you a rapist, or just a retard?
I hope your friend died a horrible grisly death, have a great day :D

Re:wtf? we go EASY on rapists.

[Hentai]

Since we're already firmly off-topic...

Why the insane venom FROM you? Do you enjoy accusing people of being rapists? Or retards?

And how did you possibly consider "I hope your friend died a horrible grisly death" an appropriate response?

Bad things happen to good people. It really, really sucks. A lot of us wish it didn't. But that doesn't mean we can stop it all the time, or even make it less likely most of the time.

Our inability to fix the world often turns into rage against those who have done no wrong. Your friend got raped. His/her friend got killed. Big fucking deal. Live obviously goes on for the rest of us.

Now, that didn't feel so good, did it?

If you want to turn your outrage at a world that would allow such injustices into useful energy, temper it with compassion - compassion for the victim, compassion for the perpetrator, compassion for those caught in the middle. And never forget that every action has a formative cause, even actions as abhorrent as rape, torture and murder.

Beating someone within an inch of their life may make you FEEL better, but it's not solving the problem - it's merely perpetuating the karma. (Note that this does not mean violence is never the answer - but violence must be tempered with compassion, violence must strive to do as little harm as possible when solving its ends, and violence must be willing to take a step back and allow non-violence to work its course as well.)

The idea that violence cannot solve any problems is horribly naive, and leads to a deliberate and wilfull (and often violent!) reaction to those who understand that violence is sometimes necessary.

The idea that violence can solve ALL problems is horribly vicious, and leads to a deliberate and willfull (and often violent!) reaction to those who understand that violence often causes more harm than good.

But when all you've got is a hammer, everything looks like a nail.

He who has an ear, let him hear.

Hooray for Safari!

[Whatsthiswhatsthis]

Now that Safari supports AutoFill Form, I'll actually have something to do all day.

Cmd-shift-A all day long.

Biometrics

[drmofe]

The author's of the paper against defending against physical attacks go to some lengths to develop reverse Turing Tests to ensure that a human is involved in the loop.

A simpler protocol to ensure the same end is a non-identification based biometric check. This ensures that a real live human was present at the location and time the check was made (yes, I know this can be faked).

A non-dentification based check means that the individual is not explicitly _identified_ merely that their identity can be _verified_. Hence this is a less intrusive procedure.

This form of biometric authentication is quite often found in supermarket checkout lines for example, where an operator must periodically (or prior to significant activity such as withdrawing cash from a register) pass a biometric check to verify that a) they are present and b) they are the same individual that passed the previous check (or a new operator has taken over) and c) they are authorised to carry out various tasks.

STF

Filter? Free Heat..

[WittyName]

Your mailman is your filter.

Ralsky needs to:
1) Change his address to 123 whatever st APPT 2,
2) Buy a big mailbox
3) Buy a woodstove (He does live in the north..)
4) Find one of those guys from junkyard wars to build a temperature conveyer system..
5) Profit..

oops = s/via/on/

[soundofthemoon]

I totally misread the headline at first glance. I saw "DOS Attack on US Postal Service". And since today is tax day in the US, I thought this was a joke about the deluge of tax returns being mailed today flooding the post office and causing their service to break down. Oh well, maybe next year.

Please don't do that...

[jesterzog]

..not because of the spammers and junk mailers, but because of the legitimate businesses that you'll inevitibly be hurting.

What's the chance of setting up a perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!

Despite the spammers, there are a lot of legitimate businesses and non-profit organisations out there that are trying to get people to sign up so they don't waste their time and money mailing people who have no interest in what they have to send.

Just because a business or organisation asks people for contact details to send mailouts doesn't mean that they're doing it maliciously. What you'll accomplish by scripting this is to give headaches to the people doing it correctly by polluting their mailing lists with people who don't want their mail. If anything, it'll have a negative effect on their customers or members who actually want to hear from them in the process, and it'll waste the resources of an organisation that often won't have a lot to waste.

Re:Please don't do that...

[Slurpee]

mmmmmmmmm....

in that case the script would have to be more complicated than previously thought.

1) Collect Web forms where you can sign up to receive mail.

2) Filter based on if that company sends unrequested junk mail or not (is there some sort of junk mailer DB somewhere?)

3) Find companies Snail Mail details.

4) Sign each junk mail company up to other junk mail companies mailing list.

Death, taxes, and IRS Club

[PhxBlue]

Rule #1: You do not talk about the IRS.
Rule #2: You do not talk about the IRS.

we need to..

[jrap]

We need to fight spam with DDOS attacks. Imagine a distibuted client on thousands of computers, that when given the signal, attack a server known to SPAM (spamcop database?). Not the most legitimate technique, but i'm sure it would be effective.

This calls for some testing...

[tregoweth]

Anyone know Bill Gates' home address?

Rush-ian

[t0ny]

Does anyone, per chance, have Rush Limbaugh's home address?

Re:Rush-ian

[benna]

I will look and I WILL find it for the betterment of humanity!

Re:Rush-ian

[Trolling4Dollars]

You don't like Rush? You make it to my Friends list!! :)))

Re:Rush-ian

[Trolling4Dollars]

You have no idea...

Re:Rush-ian

[N3WBI3]

Yea what are the odds of finding someone on slashdot who does not like Rush, gee talk about a once in a lifetime thing..

Re:Rush-ian

[Trolling4Dollars]

Rather.

Re:Rush-ian

[N3WBI3]

That's why I am proud to be a liberal. No "neo" needed here because a timeless and classic idea rarely needs updating. That is all. Oh... I'm feeling tired... (a wag of the stump to Twirlip)

yea nobody has used the term neoliberal or pragmatic liberal

Re:Rush-ian

[Trolling4Dollars]

Hmmm... I know *I* haven't. I'm just plain liberal. That's it.

Re: Google and DOS Attack Via US Postal Service

[posm22]

He suggests that you type "request catalog name address city state zip" into Google whereupon Google will kick back some 250,000 pages with online web forms to fill out.

Google now kicks back one hit

- Try it without the quotes: about 256,000 hits.

Got Ralsky's Home Number? or Fax Number?

[bizitch]

If we could get any of these, we could have some serious fun!

First - get his fax number into some key marketing/questionaire databases and blamo! - Fax Spam Ahoy!

Second - Setup a couple of "Faxback" server attacks on those numbers. Faxback servers are fantastic because they're realllly dumb. Call them up on an toll-free number and order up a mess of documents to be faxed to wherever you want. The best part is that they're relentless - they will just keep on calling (up to 10 times) to try to make a connection ... i.e. "ring ring - 'hello, Ralsky here' - *beep* *beep* - hang up - repeat 5 minutes later"

Its mega-annoying - especially if you get a couple of them going at once - and at 3AM

But heck ... we should at least be able to get this douchebag's fax number for his company - yes?

Wouldn't it be more effective...

[RhettLivingston]

to determine the business addresses that those who actually respond to his spam would be sending their checks too and swamp those? Spammers depend on a very low operational cost model to make money. If they have to sort through 100s of items of mail for every one that has a check in it, you've just increased their cost of doing business.

If they're doing most of their business electronically, publishing a list of their SSL sites could be interesting. If we all ran something to walk the list once an hour and just make a connection to the SSL sites and leave it, they'd be effectively down. Negotiating the SSL connections has a high computing cost on their side.

If someone were to design a virus that does that and continuously checks into sites for new lists, I might actually try to get the virus.

In other words, if you want to have a real effect, go for cutting off the money.

'occupant' changed his name to 'alan ralsky'

[snot+whistle]

'occupant' changed his name to 'alan ralsky' it was in the news today. really.
if you get mail for 'occupant', make sure you fill out a forwarding slip, available from your local post office.
really, this is true. occupant was worried he would miss a catalog. he has lived at so many different places, you know.
remember, alan ralsky wants every catalog he could theoretically receive in a perfect world. let's make the world a little more perfect!

You knew it was coming . . .

[jmt9581]

Hopefully this DOS attack will 'deltree *.*' his spam operations.

*Ducks flying tomatoes*

The only one who hates us more than Ralsky

[phorm]

The only one who hates us more than Ralsky
Is his postman. Can you imagine all the huge stacks of spam he has to haul up to the mailbox? Geeze, I bet by now he almost has a seperate bag...

At least sign the guy up to Playboy so that the postman has something interesting to "obtain" from the sack 'o' mail he must have to deliver on a regular basis.

Re:This is a serious issue ---- EASY

[gmby]

Easy, just get a PO Box and change your address with the companys/friend/family you deal with to goto the PO Box. Then do a return to sender on the original address. All mail goes back to where it came from and you have to make a daily trip to the PO.

Well kinda easy...

Who remembers...

... Bernard Shifman Is A Moron Spammer?

Apparently, he has a website up now... flash 6. Rather goofy.

Can't click on anything, and I sure as hell wouldn't want him working on my servers...

Here's his $HOME.

Bernard Shifman
773.391.0595
2828 N. Burling St.
Ste. 402
Chicago, IL 60657

GO TO IT! Just for the fun of it. You know you want to...

He's not a big fish like Ralsky, but he was so fr00t headed. The first catalog is free...

Denial of entrance...

[Rxke]

When i was away from my home for a while, some idiot removed the sticker- no unsollicited mail-- from my letterbox. Sure enough, when i came back i had a hell of a job trying to enter the old house, what with all that junkmail littered and jamming behind my front door... I can imagine he has the same problem now, serves him JUST RIGHT though.

If you read the article...

[Pettifogger]

It says that this guy is getting his attorney to sue a bunch of Slashdot people for this intentional harassment.

When I scrolled through the posts, I was really looking to see if anyone here had been sued, or even contacted, about this potential suit.

So,has anyone heard anything yet? Personally, I think they'll have a hell of a time proving that anyone did anything. It might be a false threat to try to get the postal DDOS attack to stop.

Re:Interesting Idea

[Second_Derivative]

Yes it would be pretty irresponsible because a few cretins like your good self would seriously tarnish everyone else's image, and the 'bad guys' would harp on this like crazy and completely wreck our case.

Remember those so-called French "anti-war" protestors who violated a British war cemetery in the north of France? That caused an outrage and certainly didn't help the anti-war effort any. If we allow hooligans to be our ambassadors for every cause we might happen to support then everyone's in deep shit. Unfortunately this turns out to be the case more often than not because those few that yell loudest are always those that get noticed above everyone else.

Do something that would seem calm, composed and constructive. Don't do something childish that just makes you feel good. Perhaps Ralsky deserved what he got but I certainly think the attack set a disturbing precedent and those slashbots who thought they were oh so bloody clever to do it in the first place might soon get hit with a tsunami-sized repercussion wave from their actions.

</rant>

What's his address?

[ngyahloon]

What's his address? I would like to ask his opinion on getting a taste of his own medicine:P

Not here

[nuggz]

I get callback validation less then 5% of the time.

Some history,,,,

[watzinaneihm]

The post that started it all.
And a previous story on slashdot.

You are wrong

[sonamchauhan]

Regarding:
" "the companies that are sending these items are directly bearing the cost of your DoS."
Costs passed on to the consumer."
etc..

Dude (Guppy06(410832)) -- You are wrong.

"If you're not giving them Ralsky's address, rest assured that they're probably interested in buying his address... "

Firstly - Two wrongs don't make a right - If Ralsky is does something wrong, it isn't right to *lie* to hundreds of companies to get them to send him junk mail.

Secondly - as others have pointed out here, your "it's not hurting anyone else" argument is false. For example, this is one of your justifications:
" depending on how much they're shipping and where, it may actually be cheaper for them to add in a few extra addresses to bump the mailing into the next rate "
This is a classic example of wishful thinking -- the lucky company that hits this "price break" only gets a fractional reduction per catalog. On the average, most companies will *not* hit the "lucky break". End result -- real money, real trees, real petrol, real effort -- are being expended in mailing Ralsky catalogs by companies who have been lied to, to get them to do this.

Is that good?

DMA opt-out DOES WORK

[jridley]

It takes several months to take full effect but it works. I sent mine in a few years ago. We get NO junk mail. NONE. In fact, at work we were talking about the advantages of churning credit card balances between cards, and when someone said "Just get a card on one of the half dozen offers you get in the mail every day" I realized I hadn't seen one in a LONG time. Like, about a year. I used to get at least a dozen a week. Several others verified that the mailbox spammers haven't let up, so the opt-out must be working.

Not a conspiracy, just Comcast incompetence

[kiwimate]

I get more spam on my some-months-old Comcast account than I do on my free Yahoo mail account which I've had for, ooh, must be going on five or six years now. And I used to use that all the time as I was travelling to different countries for months at a time on business.

On a related note, can it be considered a DOS if Comcast gets fed up with the huge volume of spam which I diligently forward to abuse@comcast.net with full headers? What if that e-mail address (that's abuse@comcast.net, chaps) somehow gets harvested now? Whoops...

Consequence Of...

[Afty0r]

The attack is, to some degree, a consequence of the availability of private information on the Web

Only to a very very small degree.
The attack is, to a considerably larger degree, a consequence of the actions of the spammer - by engaging in a highly antisocial activity.

My real address has been on the net for years, and I haven't had a single problem, perhaps that's because I conduct myself with respect towards others?

In other news

[splatter]

Mysteriously the mail volume seems to increase every time the article gets mentioned ...

hummm talk about publicity being a bad thing

DP

Re:Pictures of the quanity of mail that Ralsky get

[ohboy-sleep]

I'd hope it's on the level of Kris Kringle in "Miracle on 34th Street" with bag after bag after bag coming in.

Better Yet...

[kcb93x]

Send it to his neighbor's address, but with HIS name on it. Then they WILL know who to get mad at.

Real estate disclosure-

[way2trivial]

Agent 'under disclosure laws, I must inform you of any known defects'
Buyer, "here it comes, what's the catch- the price is so low"

Agent 'this house was formerly owned by Alan Ralsky who...' WHHHHOOOOSHH!!!!
Agent muttering to himself "-- every damn time..

Re:Real estate disclosure-

[Rich0]

Seriously - if I bought a 3/4 million dollar home and had a mail truck dump 3 crates of catalogs on my driveway every day I think I'd be looking to sue...

Re:Good grief...

[Rich0]

In any case, no need to bitch about it and take it out on your landlord.

Uh - if the landlord advertises a service you have every reason to expect him to deliver. If he said this rat-hole costs $1000/month and take-it-or-leave-it that would be a different matter. In this case he promised repairs that could have had an influnce in the tenant's decision to stay there.

I own my own house/washer/dryer/etc - but that is my own decision. If I rented my house and it was advertised to include a W/D, you bet that I'd be suing if one were not present. You're still paying for it, after all.

In the US you can charge as much as you want for as little service as you care to offer, but what you can't do is promise to offer a service and not deliver.

Re:Lex Talionis is a morally bankrupt code

[Hentai]

Just to wax meta for a minute... what, exactly, do the 'overrated'/'underrated' mods mean, anyways? The faq touches on them, but it seems like they work differently in M2 and have a different effect on one's karma score.

How does this work?

More /. Style....

[pennsol]

If i Remembrer correctly he has a High speed DSL/ISDN something line to that house for his spam servers.. somebody find his IP address and post it on the front page..that'll be a lesson ;0 even might cost him on his bandwidth cap..doh!!

Freepost

[lordrich]

There have been recent attempts of using the freepost address of the uk labour party as a dos attack. The idea being that they are charged 19p for every letter you send them, and double that if they cancel the freepost address. How well it worked I don't know though.

Re:Maybe somebody would realize that it is serious

[FroMan]

Jerk, thanks for posting my email address...

--
FroMan
dlkjghadlgh@somehost.com
http://lau gh.its.a.joke.somehost.com