Slashdot Mirror
DOS Attack Via US Postal Service
Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree,
a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"
What if people started doing this to political parties donation mailing addresses. They would not be able to sort it out to get their money effectivly shutting them down.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischeiveious and a nuisance it can hardly be described as a denial of service attack now can it ? The victim ends up with a stuffed mailbox and the post office makes bank with all the additional traffic.
:)
Also this seems a little extreme 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'
Considering the webservices the article is talking about is requesting a catalog
Wasn't the last DOS attack through postal service using anthrax?
http://ebgp.net/ccc/
It's like an executive summary of all the above links.
I could go to any bookstore's magazine section, get out the subscription cards (they aren't even physically bound to the magazine), send them off to the publishers, and check "Bill me later."
There is absolutely no way for a person to prevent against this right now.
The analog solution from the electronic world would be for the publishers send them an confirmation letter or something asking whether they really subscribed.
George W. Bush
President, United States of America
here
http://starboard.flowtheory.net/
Wasn't the last DOS attack through postal service using anthrax?
would that be the physical incarnation of the "ping of death" attack?
Photos.
quick, if we slashdot the IRS via the usps, they might never get to my taxes!
some users of my website have gotten pissed when they lose the game and signed up the webmaster account for tons of email offers... it is basically harassment, but easy to turn off.
yesterday as i went through *35* pieces of junk mail from 3 days i was wondering if the USPS had an opt out from certain mailers form? i doubt it because spam is how they make most of their money.
any input here?
MARIJUANA, SHROOMS, X: ONLINE?! - E
Getting SPAM lately! Try DOS
oh well
So wait, whenever we the people get nailed by 2 tons of junk mail, spam mail, and get our ear talked off by telemarketers, have bill board ads vying for our eye site, and our television sets screaming at us not to mention pop up ads all over the place (unless you have a popup eliminator or use an alternative web browser, long live opera). These things are all "good" but whenever we all collectively get together and nail the hell out of spammers with the pent up rage of 2 million people who can sighn them up for nail mail garbage, it's considered wrong? I think it's nothing more than a reaction from the masses and that it should be expected, after all if they can dish it, they should be able to take it. Side note; while I know that the article doesn't neccessarily refer to the attack against spammers by the slashdot crowd, there hasn't been any other successful campaign of this type that i've ever heard of on such a scale. Time to smack them with a rolled up magazine like the bad doggies they've been
Like the usenet spammer/advertiser I saw today that had a VALID but obfuscated email address set (for the company he was advertising). Amateurs.
Ralsky got what he deserved, and hopefully moving 'on the quiet', if he did move, cost him alot of money. I read this article earlier today (didnt think of submitting it myself) and it made alot of sense. It IS all too easy to get yourself on these lists and your life is made difficult getting off them (digging about for phone numbers listed in a 500 page catalogue's small print...) - if you were subscribed to even 100 of these you would have a mammoth task to get rid of them all.
If you type the following search string into Google -- "request catalog name address city state zip" -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms.
What's the chance of setting up a perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!
Though environmentally bad in the short term, if it shuts them down in the long term, it would save a heck of a lot of trees!
In the case of signing up a spammer or other unscrupulous individiual to catalogs and other physical mail, the companies that are sending these items are directly bearing the cost of your DoS. Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail. All these companies are getting screwed out of real money, not some potentially (and oft inflated) accounting of how much time/cost an ISP has for DoS countermeasures.
Sure, I think it's great to spam the spammers, but in doing so you harm legitimate companies more than in the Internet world.
Although this is kinda funny in one isolated case, what also has to be considered is the effect on the Postal Service. Sure, they get paid to deliver this mail, but it's not that easy.
Catalogs and Magazine subscriptions ship at cheaper rates. The rural carriers that deliver mail to people's homes aren't set up to carry mass amounts of this type of mail to people; economically, the post office is set up to run with a balance of junk and first class mail on any given route.
Overload this with a hugh amount of bulk-rate junk mail, and you're putting a burden on the capacity of the carrier routes, which in turn will force the Postal Service to modify fees and/or service.
I would be highly suprised if they pass this charge on to the business customers that generate the bulk mail; this would meet with too much resistance and put pressure on the business relationship. Instead, I wager we'll see the fees passed along to first class, consumer mail either through an increase in postage fees and/or fees for home delivery of mail.
In short - The Postal Service is not the Internet. It is one orginization that can and will respond to this type of abuse, and the end result will be less service / increased cost.
Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.
Also, you can't write filters to automatically route or categorize snail mail. You have to go through it all to find the non-spam. If this kind of attack catches on, watch out.
I'm interested, is there anyone out there that works for the Postal Service? How can victims deal with this sort of thing?
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
"Denial of Service", is the flooding of a server so that it stops functioning.
"Disk Operating System", is an OS like Windows that bases its structure upon drives rather than directories like UNIX/Linux or Mac OS do. Windows NT is still a DOS even if it (supposedly) doesn't contain MS-DOS derived code.
On a side note, DOSes seem to contribute more to server malfunctions than DoSes.
You can't judge a book by the way it wears its hair.
Automated Denial-of-Service Attack Using the U.S. Post Office
In December 2002, the notorious spam king Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.
Ironic, definitely. But more interesting is the related paper by security researchers Simon Byers, Avi Rubin and Dave Kormann, who have demonstrated how to automate this attack.
If you type the following search string into Google -- request catalog name address city state zip -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms. You'll have to do some parsing of the forms, but it's not too difficult. (There are actually a few more problems to solve. For example, the search engines normally don't return more than 1,000 actual hits per query.) When you're done, voila! It's Slashdot's attack, fully automated and dutifully executed by the U.S. Postal Service.
If this were just a nasty way to harass people you don't like, it wouldn't be worth writing about. What's interesting about this attack is that it exploits the boundary between cyberspace and the real world. The reason spamming normally doesn't work with physical mail is that sending a piece of mail costs money, and it's just too expensive to bury someone's house in mail. Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the Post Office and catalog mailings. All the pieces are required for the attack to work.
And there's no easy defense. Companies want to make it easy for someone to request a catalog. If the attacker used an anonymous connection to launch his attack -- one of the zillions of open wireless networks would be a good choice -- I don't see how he would ever get caught. Even worse, it could take years for the victim to get his name off all of the mailing lists -- if he ever could.
Individual catalog companies can protect themselves by adding a human test to their sign-up form. The idea is to add a step that a person can easily do, but a machine can't. The most common technique is to produce a text image that OCR technology can't understand but the human eye can, and to require that the text be typed into the form. These have been popping up on Web sites to prevent automatic registration; I've seen them on Yahoo and PayPal, for example.
If everyone used this sort of thing, the attack wouldn't work. But the economics of the situation means that this won't happen. The attack works in aggregate; each individual catalog mailer only participates to a small degree. There would have to be a lot of fraud for it to be worth the money for a single catalog mailer to install the countermeasure. (Making it illegal to send a catalog to someone who didn't request it could change the economics.)
Attacks like this abound. They arise when an old physical process is moved onto the Internet, and is then automated in some unanticipated way. They're emergent proper
It just goes to show that people should be very careful with their personal information.
Sincerely,
Guy LeBarge
186 Rideau St.
Ottawa, ON
K1A 25U
using System.Awesome;
Anyone except me that see the irony in the fact that those who wrote the paper Defending against an internet-based attack on the physical world displays their physichal world location on the top of the paper?
Melius mori in libertate quam vivere in servitute.
"...and the punishment of vice, often in an especially appropriate or ironic manner. "
So you see, this is poetic justice, not irony. That said, I'm not mad about this happening to him, is anyone else?
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
They didn't call this spam counterattack "bad" although it is certainly illegal. But it is an attack, and these guys are security geeks, so it's their job to investigate and propose countermeasures to things like this.
I hereby place the above post in the public domain.
He suggests that you type "request catalog name address city state zip" into Google whereupon Google will kick back some 250,000 pages with online web forms to fill out.
Google now kicks back one hit - the article itself...
You really have to strip your search down before it starts returning anything.
That worked well because where we lived, enveloppes without a return address and without stamps were delivered allright, and had to be paid in full by the receiving party for the cost of shipping plus a penalty fee for not stamping the mail in the first place.
I doubt that he's ever made someone loose great amounts of money, but that must have annoyed the hell out of those people receiving junk and having to pay for it !
i think he meant to search all of the words, not the phrase. leave out the quotation marks and the search yields 263,000 hits...
...when they understand the real-world equivalent. He's one man being DDoS'd, online almost everybody with a reasonably public email address is DDoS'd. I've got a university account, that has never been posted to mailing-lists, usenet, forums but is fairly accessible from the university homepage (student cataloges etc.) SPAM is on the rise, and that's a mail address I can't change to dlkjghadlgh@somehost.com just to get away, any more than I could move away to avoid being spammed in the real world. Neither can businesses and others with the need for a static and publicly accessible address.
At least the catalogs he's getting have a real return address. I hate spam with fake sender, and I hope someone will soon enforce that domain.com must come from a domain.com mail server (or through one with authentication) and start the snowball running. If you can't send through the domain.com mail server, why should anyone believe you have the right to send mail for user@domain.com? The default "trust anyone" is one of the big signs e-mail was designed for "serious" use by "serious" people before the general public started using and abusing it.
Kjella
Live today, because you never know what tomorrow brings
I wonder, how does the USPS deal with a person who gets that much mail? Obviously they have to deliver it since that's their whole purpose, but I know the little mail truck that comes to my house probably couldn't fit a few extra hundred pounds of mail. And the poor mailman, and the mailbox itself.
I mean, logistically, how do they cope with it?
Well, if you piss off people, they may try to get back at you. The Ralsky attack is the result of Ralsky pissing off a lot of people an each person engaging in a small and individually harmless act. In comparison to the kind of disputes among neighbors and individuals that often occur in the real world, that seems both harmless and unprosecutable. Welcome to the real world.
If you piss off a lot of people for justifiable reasons (e.g., you are the author of Satanic Verses), then some concerned government may try to help you out. Otherwise, the solution is simple: don't piss off too many people.
Take:
Empirically, 1000 pagers (at 3-4 dial sequences per minute) equals about 4 days of constant calls to the vicitim's phone. How I know this is another discussion...
Of course, this was more effective when digital pagers were much, much more popular. Today, it probably wouldn't go over as well, but back in the late 80s and early 90s, it worked flawlessly. Essentially, it was distributed crank calling before the "DDOS" term was coined.
The most interesting part was that the pager companies explicitly refused to do anything about it. No tracing of calls, no attempts to halt sequential dialing, etc. Not their problem.
I work for a scummy direct marketing company, and can tell you that when people mail back dog shit, dead cats, bricks, etc. it really does slow business down because that mail is not sorted from the legitimate mail. From time to time the bomb squad is even called in to check an unexpected parcel and that can gum up the whole works.
Lex Talionis, the principle of an eye for an eye, is a morally bankrupt code of law we've been moving away from for the past few thousand years, thankfully.
Wrong. Lex Talionis was the principle that you take NO MORE than an eye for an eye - promulgated as an "improvement" in an era where the response to losing an eye (or a purse) might be to do in the alleged perpetrator and confiscate all his worldly goods.
It's morally bankrupt, all right. But only to the extent that if the thief only loses what he stole, and has a nonzero chance of getting away with it, theft remains a profitmaking enterprise despite full enforcement of the law. So it becomes an endorsement of theft as a lifestyle. This is why there are "puntitive damages" - extra penalties to punish the perpetrator (thus making continued misbehavior a losing proposition even with imperfect law enforcement).
None of which applies here. Applying "Lex Talionis" to the spammer would mean spamming him, rather than seeking compensatory and puntitive damages.
===
Which is what they did, isn't it? B-)
===
Lex Talionis also recognizes a moral principal of equivalency, to wit: In an egalitarian society, regardless of what actions you think are fair, you have NO moral gripe if someone does to YOU what YOU did to them. If it was wrong for them to do in retaliation, it was AT LEAST as wrong for YOU to do without provocation.
===
I note, by the way, that your posting is IDENTICAL to one you made several times previously - including in the slashdot article credited with inspring the USPS DDoS attack in the first place. (And that last one I cited was under your own slashdot ID of Chuck Flynn.) Given that, I felt free to repeat, almost verbatim, my response to your most recent previous missive.
The posts that recieve your canned response seem to be any suggestion about spamming the spammers. You wouldn't happen to be a spammer, would you?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
a. reads all of his own spam email? If not, why? Why should we?
a. sends anonomus mail-and the list of addresses he sends it from.
b. blocks incomming spam from his personal accounts! Does he include a "secret" header code in the spam, or block the list of addresses that he owns+ his buddies? How can I be on that list?
Did everyone make sure to slightly misspell his name, fake name, etc. when they filled out the forms [note: I only just heard about this and being a lamer have not contributed my self] This would make being removed from the lists that much harder. Of course, I'm sure he's against the "do not spam" lists--so he shouldn't expect anyone to automate the removal process for his address from the databases, now should he!
Alan Ralsky aliases and addresses.
Seems like his "real" address is:
Alan Murray Ralsky
6747 Minnow Pond Dr,
West Bloomfield,
MI 48322
Telephone: 248-926-0688
Current email address: amr777@comcast.net
Years ago, I read about a guy who intentionally signed up for as many catalogs and other junk mail as possible. I think he got 200 lbs a day. He heats his house with it.
I always wondered why instructions contained phrases like:
Now type "somecommand" (without the quotes).
Now I know....
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Theoretically they may have lowered the value of his house upon resale. Like murders or other infamous events in a house it's the sellers responsibility to inform the buyer or the deal can be busted at a later date. So the spammer must inform the next buyer that they may recieve a monthly flood of "For Alan Ralsky or current occupant" mail. I know I would think twice about moving into a cursed address.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
Yepp.. at the beginning of the first harry potter movie he is attacked this way by Hogwarts.
-- When did Ignorance Become a Point of View?
Enough time hasn't passed. 22.3 years. That's how long it takes for something tragic to become funny.
Despite the spammers, there are a lot of legitimate businesses and non-profit organisations out there that are trying to get people to sign up so they don't waste their time and money mailing people who have no interest in what they have to send.
Just because a business or organisation asks people for contact details to send mailouts doesn't mean that they're doing it maliciously. What you'll accomplish by scripting this is to give headaches to the people doing it correctly by polluting their mailing lists with people who don't want their mail. If anything, it'll have a negative effect on their customers or members who actually want to hear from them in the process, and it'll waste the resources of an organisation that often won't have a lot to waste.
Anyone know Bill Gates' home address?
If we could get any of these, we could have some serious fun!
... i.e. "ring ring - 'hello, Ralsky here' - *beep* *beep* - hang up - repeat 5 minutes later"
... we should at least be able to get this douchebag's fax number for his company - yes?
First - get his fax number into some key marketing/questionaire databases and blamo! - Fax Spam Ahoy!
Second - Setup a couple of "Faxback" server attacks on those numbers. Faxback servers are fantastic because they're realllly dumb. Call them up on an toll-free number and order up a mess of documents to be faxed to wherever you want. The best part is that they're relentless - they will just keep on calling (up to 10 times) to try to make a connection
Its mega-annoying - especially if you get a couple of them going at once - and at 3AM
But heck
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
to determine the business addresses that those who actually respond to his spam would be sending their checks too and swamp those? Spammers depend on a very low operational cost model to make money. If they have to sort through 100s of items of mail for every one that has a check in it, you've just increased their cost of doing business.
If they're doing most of their business electronically, publishing a list of their SSL sites could be interesting. If we all ran something to walk the list once an hour and just make a connection to the SSL sites and leave it, they'd be effectively down. Negotiating the SSL connections has a high computing cost on their side.
If someone were to design a virus that does that and continuously checks into sites for new lists, I might actually try to get the virus.
In other words, if you want to have a real effect, go for cutting off the money.
'occupant' changed his name to 'alan ralsky' it was in the news today. really.
if you get mail for 'occupant', make sure you fill out a forwarding slip, available from your local post office.
really, this is true. occupant was worried he would miss a catalog. he has lived at so many different places, you know.
remember, alan ralsky wants every catalog he could theoretically receive in a perfect world. let's make the world a little more perfect!
Where's Robin Hood? We could kinda really use him now.
The only one who hates us more than Ralsky
Is his postman. Can you imagine all the huge stacks of spam he has to haul up to the mailbox? Geeze, I bet by now he almost has a seperate bag...
At least sign the guy up to Playboy so that the postman has something interesting to "obtain" from the sack 'o' mail he must have to deliver on a regular basis.
When I scrolled through the posts, I was really looking to see if anyone here had been sued, or even contacted, about this potential suit.
So,has anyone heard anything yet? Personally, I think they'll have a hell of a time proving that anyone did anything. It might be a false threat to try to get the postal DDOS attack to stop.
IAAL
The post that started it all.
And a previous story on slashdot.
.ACMD setaloiv siht gnidaeR
Agent 'under disclosure laws, I must inform you of any known defects'
Buyer, "here it comes, what's the catch- the price is so low"
Agent 'this house was formerly owned by Alan Ralsky who...' WHHHHOOOOSHH!!!!
Agent muttering to himself "-- every damn time..
every day http://en.wikipedia.org/wiki/Special:Random