DOS Attack Via US Postal Service

michael posted about 11 years ago | from the click-here-to-unsubscribe dept.

Spam 332

Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"

332 comments

Politics that hard way (2, Interesting)

benna (614220) | about 11 years ago | (#5739750)

What if people started doing this to political parties donation mailing addresses. They would not be able to sort it out to get their money, effectively shutting them down.

Re:Politics that hard way (-1, Troll)

Anonymous Coward | about 11 years ago | (#5739757)

Ohhhh....I get it: benna = dog-fuck subscriber troll. Got it. (Scribbles in notebook for future reference.)

Re:Politics that hard way (1, Funny)

Anonymous Coward | about 11 years ago | (#5739768)

Your stamp costs 39 cents. The cost of my volunteer's 5 seconds which it took to open and discard the envelope costs me about 0 cents. Good try, though

Re:Politics that hard way (2, Informative)

benna (614220) | about 11 years ago | (#5739788)

Yeah but if you would read the article you would see that the idea is to make OTHERS pay the postage. You just sign them up for stuff. Your time may be free but you don't have unlimited time.

Re:Politics that hard way (1)

IAR80 (598046) | about 11 years ago | (#5739948)

You can always put in the envelope without a stamp and him as expeditor.

Re:Politics that hard way (0)

Anonymous Coward | about 11 years ago | (#5739809)

And wouldn't that be a shame?

Re:Politics that hard way (4, Insightful)

ntrfug (147745) | about 11 years ago | (#5740066)

I doubt that political parties get really big money from their mailing lists. Their mailing lists let them maintain the fiction that they're battling each other for the support of ordinary people.

Meanwhile in the back rooms buying and selling of politicians goes on the old-fashioned way -- face to face.

FP (-1, Offtopic)

Anonymous Coward | about 11 years ago | (#5739753)

Frok Pok Tax Day Edition!

Hardly DOS is it (4, Insightful)

zeoslap (190553) | about 11 years ago | (#5739760)

The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischievous and a nuisance it can hardly be described as a denial of service attack now can it? The victim ends up with a stuffed mailbox and the post office makes bank with all the additional traffic.

Also this seems a little extreme 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'

Considering the webservices the article is talking about is requesting a catalog :)

Re:Hardly DOS is it (-1, Offtopic)

Anonymous Coward | about 11 years ago | (#5739775)

Hey numbnuts! Did you even read the fucking article? Sheesh. I know it's troll Tuesday and all, but still.

Re:Hardly DOS is it (4, Insightful)

Sanity (1431) | about 11 years ago | (#5739798)

The attack on the SpamKing is definitely funny. But the paper seems like an overly windy article describing how to perpetrate the old misdirected pizza/taxi cab gag on the information superhighway. While mischievous and a nuisance it can hardly be described as a denial of service attack now can it?
Sure it can - it renders your mailbox useless, and this can be more than an irritation for people who need to be able to receive snailmail (which I suspect is most people in the United States).

Re:Hardly DOS is it (5, Insightful)

sudotcsh (95997) | about 11 years ago | (#5739816)

Oh, but it's DOS all right.

DOS we're familiar with = so many requests for connection that real (legitimate) requests are very slow to get through, if at all.
mailDOS = so many catalogs that finding your real mail (if there is any) is an incredible waste of time, and some pieces (packets?) may be lost (dropped) in the confusion.

If this isn't the best translation of electronic DOS to physical DOS I don't know what is.

DoS!=DOS (4, Funny)

SHEENmaster (581283) | about 11 years ago | (#5739922)

"Denial of Service", is the flooding of a server so that it stops functioning.
"Disk Operating System", is an OS like Windows that bases its structure upon drives rather than directories like UNIX/Linux or Mac OS do. Windows NT is still a DOS even if it (supposedly) doesn't contain MS-DOS derived code.

On a side note, DOSes seem to contribute more to server malfunctions than DoSes.

Re:DoS!=DOS (0, Offtopic)

Anonymous Coward | about 11 years ago | (#5739966)

Bzzt. I suppose you never looked at \\, or in boot.ini to find out what Windows NT actually does to address multiple disks. The usage of drive letters is an old standard that they've kept alive, it's not necessary, you can mount another drive in the file tree for the main drive. NT is based loosely on VMS, remember, which was Unix's number one competitor, and used many of the same conventions. DOS also is not an OS, it's nothing but a CLI for the BIOS.

Pull your head out.

Re:DoS!=DOS (1)

Archfeld (6757) | about 11 years ago | (#5740083)

err no, NT and even 2K are DRIVE LETTER dependent, 2003 will be the first fully dynamic system that will allow mounts of drives without a drive letter identifier. Believe me, Exchange and a large SAN frame have proved this fact over and over again.
If someone can provide info to the different I would be grateful...

Re:Hardly DOS is it (3, Interesting)

jdunlevy (187745) | about 11 years ago | (#5739858)

What about possible collateral damage: did any of SpamKing's neighbors' mail delivery get slowed down (or otherwise affected)? (Is there any way to tell?)

Re:Hardly DOS is it (2, Interesting)

Anonymous Coward | about 11 years ago | (#5739923)

If the mail volume to Ralsky (The spam king) was great enough, I imagine the post office would have begun separating his mail before it got to him (as I imagine they already do) and sending it in a separate bin/bag to him. The post office is able to handle the volume... they have the technology... they can resort it, make it better..

Re:Hardly DOS is it (5, Funny)

Anonymous Coward | about 11 years ago | (#5740074)

let's all write them letters to find out.

Re:Hardly DOS is it (5, Interesting)

Wireless Joe (604314) | about 11 years ago | (#5739876)

Fun little story...

I recently was out of town for a few days. The tiny little mailbox that my apartment complex provides probably filled up on the second day, so the postal carrier took all of it back to the post office, and left me a lovely note that if I didn't pick it up in a few days, they'd send it all back. Luckily I got back in time to pick up my mail, but it was definitely an inconvenience tracking down which post office outlet had my mail and then taking the time to go get it.

So for a few days my postbox was shut down (mini DOS), because the postal carrier wouldn't leave me any new mail until I found the time to pick up what had already been taken away.

Re:Hardly DOS is it (1)

chimpo13 (471212) | about 11 years ago | (#5739971)

My postman does that all the time only with no warning. He smokes a lot of pot so maybe it's his paranoia, "Hey, he hasn't picked up his mail in 3 days, I better return the mail saying he moved".

Re:Hardly DOS is it (2, Insightful)

MO! (13886) | about 11 years ago | (#5740046)

Well, the proactive approach to that is putting a "Vacation Hold" message in the box, or better yet bring to the local Post Office. Then they know you're coming back on a specific day and will simply hold it all at the PO rather than sending it back as undeliverable.

anthrax (5, Funny)

IAR80 (598046) | about 11 years ago | (#5739763)

Wasn't the last DOS attack through postal service using anthrax?

Ping of death? (5, Funny)

metalhed77 (250273) | about 11 years ago | (#5739787)

Wasn't the last DOS attack through postal service using anthrax?

would that be the physical incarnation of the "ping of death" attack?

Re:Ping of death? (-1, Offtopic)

Anonymous Coward | about 11 years ago | (#5739831)

lol. the only reason they didn't mod you as Funny is because they are cowards. (not ac's, TRUE cowards)

Re:anthrax (0)

Anonymous Coward | about 11 years ago | (#5739989)

sending anthrax would be more akin to sending a virus over the internet, since it uses the service rather than denying service

Re:anthrax (1)

IAR80 (598046) | about 11 years ago | (#5740018)

Unfortunately some postal workers were infected and some even died + caused widespread panic. Also some postal offices were out of service and doing cleanup for months. I guess it was a DOS on the society as a whole and on postal service in particular even though the target was different.

Lack of authentication (5, Insightful)

George Walker Bush (306766) | about 11 years ago | (#5739784)

I could go to any bookstore's magazine section, get out the subscription cards (they aren't even physically bound to the magazine), send them off to the publishers, and check "Bill me later."

There is absolutely no way for a person to prevent against this right now.

The analog solution from the electronic world would be for the publishers to send them a confirmation letter or something asking whether they really subscribed.
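The confirmation step proposed in the comment above, sketched as an added example (not part of the thread and not any mailer's real system): a catalog request queues at most one confirmation card per normalized postal address, and nothing ships until the code printed on that card is returned. The class, constants, secret and sample address are all constructed for illustration.

```python
import hashlib
import hmac
import re
import time

# All names, constants and the sample address are constructed for this example.
SECRET = b"constructed-demo-key"   # assumed per-mailer secret
CONFIRM_TTL = 30 * 24 * 3600       # code on the card is valid for 30 days (assumed policy)
RESEND_GAP = 90 * 24 * 3600        # at most one card per address per 90 days (assumed policy)


def normalize_address(name, street, city, state, zip_code):
    """Fold case, punctuation, spacing and ZIP+4 so trivial variants share one key."""
    parts = [name, street, city, state, zip_code[:5]]
    cleaned = [re.sub(r"[^a-z0-9 ]", "", p.lower()) for p in parts]
    return "|".join(" ".join(c.split()) for c in cleaned)


def confirm_code(addr_key, issued_at):
    """Short code printed on the card, bound to the address and the issue time."""
    msg = f"{addr_key}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


class CatalogSignup:
    def __init__(self):
        self.pending = {}      # addr_key -> time the last confirmation card was queued
        self.confirmed = set() # addr_keys whose resident returned a valid code
        self.outbox = []       # (addr_key, code) cards to print; never sent to the web client

    def request(self, name, street, city, state, zip_code, now=None):
        """Handle a web form submission. The requester never sees the code."""
        now = int(time.time() if now is None else now)
        key = normalize_address(name, street, city, state, zip_code)
        if key in self.confirmed:
            return "already_confirmed"
        last = self.pending.get(key)
        if last is not None and now - last < RESEND_GAP:
            # Repeated or scripted submissions for the same address cost nothing more.
            return "suppressed"
        self.pending[key] = now
        self.outbox.append((key, confirm_code(key, now)))
        return "card_queued"

    def confirm(self, name, street, city, state, zip_code, code, now=None):
        """Accept the code only from someone who physically received the card."""
        now = int(time.time() if now is None else now)
        key = normalize_address(name, street, city, state, zip_code)
        issued = self.pending.get(key)
        if issued is None or now - issued > CONFIRM_TTL:
            return False
        if not hmac.compare_digest(confirm_code(key, issued), code):
            return False
        del self.pending[key]
        self.confirmed.add(key)
        return True


if __name__ == "__main__":
    signup = CatalogSignup()
    addr = ("Pat Example", "12 Constructed Ln.", "Springfield", "XX", "00000")
    print(signup.request(*addr, now=1000))   # first request queues one card
    print(signup.request(*addr, now=2000))   # second request is suppressed
    _, code = signup.outbox[0]
    print(signup.confirm(*addr, code=code, now=3000))
```

This bounds what one mailer sends to an unconfirmed address to a single card per window; it does nothing about the aggregate across many independent mailers.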

Re:Lack of authentication (0)

Anonymous Coward | about 11 years ago | (#5739818)

If you are the victim of something of this sort, all you have to do is write "Cancel" on the bill when it comes after 3 months or so. You'll end up just giving this person some free magazines, if he's smart.

Re:Lack of authentication (4, Interesting)

liquidsin (398151) | about 11 years ago | (#5739841)

So instead of 600 magazines in my mailbox next month, I get 600 letters asking me if I want to subscribe? Sure, it's only a one time hassle instead of a monthly hassle, but it's still annoying. And calling to confirm is no less of a pain.

Re:Lack of authentication (2, Funny)

Anonymous Coward | about 11 years ago | (#5739843)

Woohoo Schneier must be really lost outside of his cryptography theory barrel, i mean the guy is resorting to writing papers on 7th grade pranks?

What's next? A careful examination of how to defend against someone ringing your doorbell and running away?

Give me a freakin' break.

Thanks for the tip! (0)

Anonymous Coward | about 11 years ago | (#5739916)

I'm going to get back at my former boss (major asshole too) now. :)

Re:Lack of authentication (1)

GeorgeH (5469) | about 11 years ago | (#5739931)

Magazines actually do send a confirmation letter, something most kids learn about on the schoolground. Once again, GW Bush is outsmarted by elementary school students.

Re:Lack of authentication (0)

Anonymous Coward | about 11 years ago | (#5739939)

Actually i remember when i was a little kid my friend got a bunch of free playboys by signing up his own address for the subscription then taking them and any bills out of the mailbox before his mom got home from work!

There was not this porno utopia we call the internet available back in those days so this was quite a score, haha.

Re:Lack of authentication (2, Troll)

chimpo13 (471212) | about 11 years ago | (#5740020)

What magazines? Back in my poor college days, we'd subscribe to magazines just to get them for free. 15 or 20 magazines addressed to IP Freely, Poopoo Stayne, and Rev. Fuckyouintheass to name a few names we used.

The only ones that caught on were the Columbia House music CD things and places that would deliver books. And we'd get 20 or 30 cds/books out of them before we'd get the "we need more info" letter. Fraud for underaged kids to get stuff to resell to buy cheap beer with fake IDs. I think if you break 2 laws that it becomes a positive and it's okay. At least that's what George Bush has taught me.

death and taxes (5, Funny)

joe_bruin (266648) | about 11 years ago | (#5739797)

quick, if we slashdot the IRS via the usps, they might never get to my taxes!

Re:death and taxes (3, Insightful)

benna (614220) | about 11 years ago | (#5739822)

Yeah too bad they are prepared. They are already getting millions of pieces of mail today. :( It was a nice thought though. :)

Re:death and taxes (1)

Pharmboy (216950) | about 11 years ago | (#5740124)

Yeah too bad they are prepared. They are already getting millions of pieces of mail today.

you talking tax returns or hate letters?

Re:death and taxes (-1)

GhostseTroll (582659) | about 11 years ago | (#5739859)

Grab the next motherfucker marmaduke who refuses to submit to these pelvic ostentations. Lick my sweaty nutsack while you're at it.

this works for normal spam as well... (4, Insightful)

edrugtrader (442064) | about 11 years ago | (#5739805)

some users of my website have gotten pissed when they lose the game and signed up the webmaster account for tons of email offers... it is basically harassment, but easy to turn off.

yesterday as i went through *35* pieces of junk mail from 3 days i was wondering if the USPS had an opt out from certain mailers form? i doubt it because spam is how they make most of their money.

any input here?

Re:this works for normal spam as well... (1)

g4dget (579145) | about 11 years ago | (#5740058)

yesterday as i went through *35* pieces of junk mail from 3 days

Only a dozen a day? You are so lucky. I'm up to about 100 per day on my main inbox.

Re:this works for normal spam as well... (1)

TC (WC) (459050) | about 11 years ago | (#5740090)

He's talking about physical junk mail... hence the comment that follows about the USPS

Re:this works for normal spam as well... (1)

edrugtrader (442064) | about 11 years ago | (#5740142)

i was talking about real mail. for spam i was at 400 a day, then i decided to try unsubscribing... something that i told people to never do because then they know you are real. in the end it doesn't matter if they know you are real. if the mail went through that is good enough for them. after clicking remove links for a week i'm down to about 10 pieces of easily email filterable spam a day.

so i'm getting more snail mail spam than email spam!

Re:this works for normal spam as well... (3, Informative)

DeadMeat (TM) (233768) | about 11 years ago | (#5740122)

yesterday as i went through *35* pieces of junk mail from 3 days i was wondering if the USPS had an opt out from certain mailers form?
The USPS does not, but the Direct Marketing Association does. Junkbusters has a sample opt-out letter [junkbusters.com] on their Web site.

So mail spamming is bad now? (5, Insightful)

d3am0n (664505) | about 11 years ago | (#5739838)

So wait, whenever we the people get nailed by 2 tons of junk mail, spam mail, and get our ear talked off by telemarketers, have bill board ads vying for our eyesight, and our television sets screaming at us not to mention pop up ads all over the place (unless you have a popup eliminator or use an alternative web browser, long live opera). These things are all "good" but whenever we all collectively get together and nail the hell out of spammers with the pent up rage of 2 million people who can sign them up for nail mail garbage, it's considered wrong? I think it's nothing more than a reaction from the masses and that it should be expected, after all if they can dish it, they should be able to take it. Side note; while I know that the article doesn't necessarily refer to the attack against spammers by the slashdot crowd, there hasn't been any other successful campaign of this type that i've ever heard of on such a scale. Time to smack them with a rolled up magazine like the bad doggies they've been

Huh? (3, Insightful)

wirelessbuzzers (552513) | about 11 years ago | (#5740051)

They didn't call this spam counterattack "bad" although it is certainly illegal. But it is an attack, and these guys are security geeks, so it's their job to investigate and propose countermeasures to things like this.

Re:Huh? (1)

Pharmboy (216950) | about 11 years ago | (#5740144)

They didn't call this spam counterattack "bad" although it is certainly illegal. But it is an attack, and these guys are security geeks, so it's their job to investigate and propose countermeasures to things like this.

Out of curiosity, exactly what criminal law does this violate?

Spammers have feelings! (4, Insightful)

Neophytus (642863) | about 11 years ago | (#5739839)

Like the usenet spammer/advertiser I saw today that had a VALID but obfuscated email address set (for the company he was advertising). Amateurs.

Ralsky got what he deserved, and hopefully moving 'on the quiet', if he did move, cost him a lot of money. I read this article earlier today (didn't think of submitting it myself) and it made a lot of sense. It IS all too easy to get yourself on these lists and your life is made difficult getting off them (digging about for phone numbers listed in a 500 page catalogue's small print...) - if you were subscribed to even 100 of these you would have a mammoth task to get rid of them all.

Automated Spam attacks... (4, Interesting)

Slurpee (4012) | about 11 years ago | (#5739846)


If you type the following search string into Google -- "request catalog name address city state zip" -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms. ... When you're done, voila! It's Slashdot's attack, fully automated and dutifully executed by the U.S. Postal Service.


What's the chance of setting up a perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!

Though environmentally bad in the short term, if it shuts them down in the long term, it would save a heck of a lot of trees!

This style of DoS harms more than the target (5, Insightful)

gollum_my_gollum (637422) | about 11 years ago | (#5739856)

Most Denial of Service attacks affect more than the target itself. If I'm attacking example.com, then all machines between me and that machine are busy handling my traffic. An intentional DoS'ing may not be much worse than a slashdotting for an ISP, and is usually easier for them to shut down. That costs them money, but it doesn't take too long, and the only real cost is downtime of their other subscribers, which since most sites are independent of other customers or have so little bandwidth compared to the pipes coming into the ISP, doesn't affect other customers much.

In the case of signing up a spammer or other unscrupulous individual to catalogs and other physical mail, the companies that are sending these items are directly bearing the cost of your DoS. Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail. All these companies are getting screwed out of real money, not some potentially (and oft inflated) accounting of how much time/cost an ISP has for DoS countermeasures.

Sure, I think it's great to spam the spammers, but in doing so you harm legitimate companies more than in the Internet world.

That's why I pay for my fun. (1)

RatBastard (949) | about 11 years ago | (#5740060)

Nothing says "loving" like a box of dryer lint with no return address.

Pictures of the quantity of mail that Ralsky gets? (1)

Leknor (224175) | about 11 years ago | (#5739881)

I know it is a bit off topic but does anyone know of any pictures of the quantity of mail that Ralsky gets?

Re:Pictures of the quantity of mail that Ralsky get (0)

Anonymous Coward | about 11 years ago | (#5739945)


not actually the mail, but the spam himself:

http://images.google.com/images?hl=en&lr=&ie=UTF-8&oe=UTF-8&q=ralsky

Post office "DOS" Attack is gonna backfire (5, Insightful)

rlsnyder (231869) | about 11 years ago | (#5739882)

Although this is kinda funny in one isolated case, what also has to be considered is the effect on the Postal Service. Sure, they get paid to deliver this mail, but it's not that easy.

Catalogs and Magazine subscriptions ship at cheaper rates. The rural carriers that deliver mail to people's homes aren't set up to carry mass amounts of this type of mail to people; economically, the post office is set up to run with a balance of junk and first class mail on any given route.

Overload this with a huge amount of bulk-rate junk mail, and you're putting a burden on the capacity of the carrier routes, which in turn will force the Postal Service to modify fees and/or service.

I would be highly surprised if they pass this charge on to the business customers that generate the bulk mail; this would meet with too much resistance and put pressure on the business relationship. Instead, I wager we'll see the fees passed along to first class, consumer mail either through an increase in postage fees and/or fees for home delivery of mail.

In short - The Postal Service is not the Internet. It is one organization that can and will respond to this type of abuse, and the end result will be less service / increased cost.

Re:Post office "DOS" Attack is gonna backfire (4, Insightful)

jonr (1130) | about 11 years ago | (#5739905)

Good. I only hope that the junkmail will be more expensive to distribute, and fewer companies will use the "service".
J.

Re:Post office "DOS" Attack is gonna backfire (1)

shyster (245228) | about 11 years ago | (#5739949)

I believe that the USPS is not allowed to subsidize bulk mail with 1st class mail charges. Most years, bulk mail actually subsidizes 1st class...but I think they've moved away from that lately.

Postbox filters (4, Funny)

Anonymous Coward | about 11 years ago | (#5739886)

paper on Defending against an internet-based attack on the physical world

Perhaps some sort of packet filter [protectiondogs.com] on the mailbox layer might be useful.

Lawsuit Result (3, Informative)

lexsco (594799) | about 11 years ago | (#5739889)

Here [www.cbc.ca] is an article about another Spammer vs Anti-Spammer harassment case. Looks like some judges are on our side.

Re:Lawsuit Result (5, Interesting)

lexsco (594799) | about 11 years ago | (#5739928)

The full text follows


Anti-spam crusader wins court battle

Last Updated Tue, 15 Apr 2003 15:31:49

ELLICOTT CITY, MARYLAND - A Maryland court has ruled in favour of an anti-spam activist who was sued by an Internet marketing executive for harassment. Spam is the common name given to junk e-mail.

Francis Uy posts the names and addresses of spammers. This enables network operators to block junk e-mail or sue them.

But George Allen Moore of Maryland Internet Marketing Inc. said Uy's site posting such information is harassment and wanted it pulled off the Web.

Judge Robert Wilcox says there's no evidence Uy had harassed Moore directly, as Moore had alleged.

Moore says he has received about 70 packages and 200 magazines at his house because of Uy's site. Moore also says he's received threatening phone calls, including one person who he says threatened to kill him.

Moore is the owner of Maryland Internet Marketing. He's also listed as a prolific spammer by Spamhaus.org, which maintains a world directory of bulk e-mailers.

His company hawks everything from software to diet drugs.

"Every time you try to mess with me, I will post it and more people will learn about you," Uy warned other spammers. "I don't need to encourage harassment against you, and I don't need to. Your best option is to crawl back under a rock."

Moore says he's considering further legal action.

Re:Lawsuit Result (2, Funny)

Tackhead (54550) | about 11 years ago | (#5740140)

I do believe the original CBC article left out some things. Allow me to fill in the gaps:

[George Allen Moore's] company [Maryland Internet Marketing] hawks everything from [what appears to have been pirated or unlicensed OEM copies of commercial] software to [non-FDA-approved] diet drugs [of highly questionable efficacy].

"Every time you try to mess with me, I will post it and more people will learn about you," Uy warned other spammers. "I don't need to encourage harassment against you, and I don't need to. Your best option is to crawl back under a rock."

Moore [who didn't take advantage of Uy's very kindhearted and generous offer] says he's considering further legal action. [as a defendant about to have his balls pounded flat with an AOL-branded mallet. AOL's legal team plans to turn Moore's head into a pickle jar and keep it on top of Steve Case's fridge when this is all over.]

Much better.

This is a serious issue (4, Insightful)

stand (126023) | about 11 years ago | (#5739901)

Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.

Also, you can't write filters to automatically route or categorize snail mail. You have to go through it all to find the non-spam. If this kind of attack catches on, watch out.

I'm interested, is there anyone out there that works for the Postal Service? How can victims deal with this sort of thing?

Re:This is a serious issue (2, Insightful)

Xerithane (13482) | about 11 years ago | (#5739954)

Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you. This wouldn't be a pizza delivery or Playgirl subscription every now and then, we're talking *pounds* of mail every day from many, many sources (God! your mailman would *hate* you). Easy to initiate, not easy to trace and really hard to stop.

I doubt I would incur the amount of motivated anger for a group of people to spend this much time doing it. I piss a lot of people off. I get people that sign me up for shit all the time. All email though, because it's hard to actually get my real address off the net without spending a few bucks.

People get pissed when you spam them, and then you get a mob, and mobs do great things to bad people (sometimes.) It's not as if Mr. Ralsky is a decent person, he is getting what he deserves. Karma does work, it's just man-made.

Re:This is a serious issue (2, Interesting)

stand (126023) | about 11 years ago | (#5740037)

I doubt I would incur the amount of motivated anger for a group of people to spend this much time doing it.

Maybe, but it wouldn't even take a group of people. All you'd need is one motivated person with a search engine and a Web manipulation module like Perl's LWP. You could easily write a script to flood a person with junk mail all by yourself. A little easier to trace maybe, but still damn hard to stop.

Re:This is a serious issue (1)

Xerithane (13482) | about 11 years ago | (#5740092)

Maybe, but it wouldn't even take a group of people. All you'd need is one motivated person with a search engine and a Web manipulation module like Perl's LWP. You could easily write a script to flood a person with junk mail all by yourself. A little easier to trace maybe, but still damn hard to stop.

True, I know the methods for tracking one down online and take steps to protecting my actual address. You can get many addresses on me, but I doubt any of them are actually correct. That's my little safeguard. Although I would feel bad if it happened to one of the people living at the other addresses...

Re:This is a serious issue (2, Funny)

Angry White Guy (521337) | about 11 years ago | (#5740120)

You sure? Post your address here :)

From your freak list...

APL bigot (606126)
aussersterne (212916)
chris_mahan (256577)
CowardNeal (627678)
cranos (592602)
DAldredge (2353)
Elbereth (58257)
Godeke (32895)
Gojira Shipi-Taro (465802)
Graspee_Leemoor (302316)
Grishnakh (216268)
Hott of the World (537284)
IceAgeComing (636874)
Inthewire (521207)
isoteareth (321937)
LucVdB (64664)
mansemat (65131)
MillionthMonkey (240664)
NineNine (235196)
No More Wankers (605612)
nordicfrost (118437)
not_anne (203907)
PinkStainlessTail (469560)
prizog (42097)
ronfar (52216)
sheldonb (68034)
sir99 (517110)
squiggleslash (241428)
stephenbooth (172227)
TheBahxMan (249147)
thumperward (553422)
tigris (192178)
Tom7 (102298)
warmcat (3545)
workindev (607574)
zod1025 (189215)
_Ludwig (86077)

no, it is not (3, Insightful)

g4dget (579145) | about 11 years ago | (#5740130)

Sure, the Ralsky attack is funny and ironic and all, but imagine if it happened to you.

Well, if you piss off people, they may try to get back at you. The Ralsky attack is the result of Ralsky pissing off a lot of people and each person engaging in a small and individually harmless act. In comparison to the kind of disputes among neighbors and individuals that often occur in the real world, that seems both harmless and unprosecutable. Welcome to the real world.

If you piss off a lot of people for justifiable reasons (e.g., you are the author of Satanic Verses), then some concerned government may try to help you out. Otherwise, the solution is simple: don't piss off too many people.

Anonymous so no karma whoring (2, Informative)

Anonymous Coward | about 11 years ago | (#5739935)

Obligatory article text post

Automated Denial-of-Service Attack Using the U.S. Post Office

In December 2002, the notorious spam king Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.

Ironic, definitely. But more interesting is the related paper by security researchers Simon Byers, Avi Rubin and Dave Kormann, who have demonstrated how to automate this attack.

If you type the following search string into Google -- request catalog name address city state zip -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms. You'll have to do some parsing of the forms, but it's not too difficult. (There are actually a few more problems to solve. For example, the search engines normally don't return more than 1,000 actual hits per query.) When you're done, voila! It's Slashdot's attack, fully automated and dutifully executed by the U.S. Postal Service.

If this were just a nasty way to harass people you don't like, it wouldn't be worth writing about. What's interesting about this attack is that it exploits the boundary between cyberspace and the real world. The reason spamming normally doesn't work with physical mail is that sending a piece of mail costs money, and it's just too expensive to bury someone's house in mail. Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the Post Office and catalog mailings. All the pieces are required for the attack to work.

And there's no easy defense. Companies want to make it easy for someone to request a catalog. If the attacker used an anonymous connection to launch his attack -- one of the zillions of open wireless networks would be a good choice -- I don't see how he would ever get caught. Even worse, it could take years for the victim to get his name off all of the mailing lists -- if he ever could.

Individual catalog companies can protect themselves by adding a human test to their sign-up form. The idea is to add a step that a person can easily do, but a machine can't. The most common technique is to produce a text image that OCR technology can't understand but the human eye can, and to require that the text be typed into the form. These have been popping up on Web sites to prevent automatic registration; I've seen them on Yahoo and PayPal, for example.

If everyone used this sort of thing, the attack wouldn't work. But the economics of the situation means that this won't happen. The attack works in aggregate; each individual catalog mailer only participates to a small degree. There would have to be a lot of fraud for it to be worth the money for a single catalog mailer to install the countermeasure. (Making it illegal to send a catalog to someone who didn't request it could change the economics.)

Attacks like this abound. They arise when an old physical process is moved onto the Internet, and is then automated in some unanticipated way. They're emergent properties of the systems. And they're going to become more prevalent in the years ahead.

The paper:
<http://www.avirubin.com/scripted.attacks.pdf [avirubin.com]>

The Ralsky story:
<http://www.freep.com/money/tech/mwend6_20021206.htm [freep.com]>
<http://www.macobserver.com/article/2002/12/06.11.shtml [macobserver.com]>
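Added example, not part of the post above or of the quoted article: a server-side sketch of the "human test" a catalog sign-up form could enforce. Rendering the answer as a distorted image is left out, and the form field names (`challenge_answer`, `challenge_token`) and the in-memory replay cache are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (generated here for the demo)
CHALLENGE_TTL = 300                   # seconds a challenge stays valid
_used_nonces = set()                  # hypothetical replay cache; a shared store in production
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no i/l/o/0/1, which humans misread

def _sign(answer, expires, nonce):
    # The token carries only a MAC of the answer, never the answer itself.
    msg = f"{answer.lower()}|{expires}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(now=None):
    """Return (answer to render as an image, token for a hidden form field)."""
    now = int(time.time() if now is None else now)
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    expires = now + CHALLENGE_TTL
    nonce = secrets.token_hex(8)
    return answer, f"{expires}.{nonce}.{_sign(answer, expires, nonce)}"

def accept_catalog_request(form, now=None):
    """Return (accepted, reason) for a submitted catalog request form."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, nonce, mac = form.get("challenge_token", "").split(".")
        expires = int(expires_s)
    except ValueError:
        return False, "missing or malformed challenge token"
    typed = form.get("challenge_answer", "").strip()
    expected = _sign(typed, expires, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "wrong answer or tampered token"
    if now > expires:
        return False, "challenge expired"
    if nonce in _used_nonces:          # one solved challenge buys one request
        return False, "challenge already used"
    _used_nonces.add(nonce)
    return True, "queued for mailing"
```

The single-use nonce is what makes each mailing request cost one human solve; without it, a solved challenge could be replayed against the same form until it expires.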

Lex Talionis is a morally bankrupt code (-1, Interesting)

Anonymous Coward | about 11 years ago | (#5739938)

Why should we be happy when the spammers get spammed? Ponder this.

Lex Talionis, the principle of an eye for an eye, is a morally bankrupt code of law we've been moving away from for the past few thousand years, thankfully. It can't deal with the complexities of the modern legal order, and it ignores all proper justifications for systems of punishment: rehabilitation, prophylaxis, etc. It makes an assertion of rigid judgment in an attempt to avoid judgment itself. We can't live in a world without judgment.

Ask yourself this: should we rape the rapist? If not, why not? (Ignore for a moment that we essentially do rape rapists by committing them to so-called "maximum security" prisons where they get systematically brutalized and raped by guards and other inmates.) It's not a morally tenable position to lower ourselves to the level of brutes just so we can vindicate some idea of retribution.

Therefore, ask yourself why we should be happy when the spammer gets spammed? No one should have to endure the pain and annoyance of spam: it's the scourge of the online world. Not even the spammer, who may be in his business because of factors outside his control like debt or bills for an illness in the family, etc. We should be outraged when anyone is spammed, and we should put the full force of the state and the law against the perpetrator no matter who the victim! Picking and choosing among which victims to protect is something the legal order of former barbaric times did. I'd be disgusted if our government returned to those days.

Spam == bad. Victimization == bad. Why do people conflate the two? What kind of giddy moral superiority do you get from seeing anyone hurt?

Re:Lex Talionis is a morally bankrupt code (1)

Anonymous Coward | about 11 years ago | (#5740078)

This is a joke, right? Morally bankrupt my ass. I say rape the rapist. Murder the murderers. And SPAM THE FUCK OUT OF THE SPAMMERS!

Re:Lex Talionis is a morally bankrupt code (0)

Hentai (165906) | about 11 years ago | (#5740079)

Lots, actually.

People enjoy hurting other people. It makes them feel, as you said, superior.

And you can say "That's just sick and wrong" all you want, but ask yourself, first: What can you do to stop it?

And if you can't do anything to stop it, what possible difference does how you feel about it make?

And if you CAN do something to stop it, and you DO something to stop it, you're just propagating "might makes right" - after all, you just used your power to stop it (might) to enforce your belief that it should be stopped (right).

Re:Lex Talionis is a morally bankrupt code (1)

gmhowell (26755) | about 11 years ago | (#5740091)

Too bad you are AC. Hope you are keeping an eye on this note.

You make numerous statements without backing. Examples: "We can't live in a world without judgement." "It can't deal with the complexities of the modern legal order," "Lex Talionis, the principle of an eye for an eye, is a morally bankrupt code of law"

Perhaps in some circumstance, this is the case. However, most people are too stupid to understand anything more complex than 'eye for an eye'.

I'd post more, but I'd probably be shouting at the wall.

Be Aware... (5, Funny)

A Guy From Ottawa (599281) | about 11 years ago | (#5739953)

It just goes to show that people should be very careful with their personal information.

Sincerely,

Guy LeBarge
186 Rideau St.
Ottawa, ON
K1A 25U

It's Not Ironic... (5, Insightful)

MBCook (132727) | about 11 years ago | (#5739987)

It's poetic justice. From dictionary.com:

"...and the punishment of vice, often in an especially appropriate or ironic manner. "

So you see, this is poetic justice, not irony. That said, I'm not mad about this happening to him, is anyone else?

I say start a 2nd wave... (0)

miketang16 (585602) | about 11 years ago | (#5739999)

Not only doing the junk mail signup, also, try calling his local pizza place, and order several... =) btw: either use caller id blocking, or claim you're on a cell phone hehe

Re:I say start a 2nd wave... (1, Insightful)

nuggz (69912) | about 11 years ago | (#5740065)

try calling his local pizza place, and order several.

Because fraud is fun? Or you just want to cause trouble for innocent business owners.

Re:I say start a 2nd wave... (1)

miniretsam (651774) | about 11 years ago | (#5740114)

Calling the local taxi services and sending them there for pickup is also fun...as can be donation centers for pickups, appliance repair services, etc.

re: Google and DOS Attack Via US Postal Service (4, Interesting)

mediahacker (566995) | about 11 years ago | (#5740052)

He suggests that you type "request catalog name address city state zip" into Google whereupon Google will kick back some 250,000 pages with online web forms to fill out.

Google now kicks back one hit - the article itself...

You really have to strip your search down before it starts returning anything.

Re: Google and DOS Attack Via US Postal Service (0)

Anonymous Coward | about 11 years ago | (#5740086)

bull$hit. just did the search and it worked fine.

Re: Google and DOS Attack Via US Postal Service (2, Informative)

miniretsam (651774) | about 11 years ago | (#5740087)

I think he meant to search all of the words, not the phrase. Leave out the quotation marks and the search yields 263,000 hits...

Re: Google and DOS Attack Via US Postal Service (1, Informative)

Anonymous Coward | about 11 years ago | (#5740089)

Try taking the quotes off your search.

263K hits last time I tried it.

One variation on the same theme (4, Funny)

forged (206127) | about 11 years ago | (#5740075)

This is nothing new. Back 20 years ago or so, my father (heh!) used to collect old newspapers at airports, then he would fold 3 or 4 newspapers together into a very thick envelope and send this without stamps to a person of his choice that he disliked at this time.

That worked well because where we lived, envelopes without a return address and without stamps were delivered all right, and had to be paid in full by the receiving party for the cost of shipping plus a penalty fee for not stamping the mail in the first place.

I doubt that he's ever made someone lose great amounts of money, but that must have annoyed the hell out of those people receiving junk and having to pay for it!

Maybe somebody would realize that it is serious... (2, Insightful)

Kjella (173770) | about 11 years ago | (#5740102)

...when they understand the real-world equivalent. He's one man being DDoS'd, online almost everybody with a reasonably public email address is DDoS'd. I've got a university account, that has never been posted to mailing-lists, usenet, forums but is fairly accessible from the university homepage (student catalogs etc.) SPAM is on the rise, and that's a mail address I can't change to dlkjghadlgh@somehost.com just to get away, any more than I could move away to avoid being spammed in the real world. Neither can businesses and others with the need for a static and publicly accessible address.

At least the catalogs he's getting have a real return address. I hate spam with fake sender, and I hope someone will soon enforce that domain.com must come from a domain.com mail server (or through one with authentication) and start the snowball running. If you can't send through the domain.com mail server, why should anyone believe you have the right to send mail for user@domain.com? The default "trust anyone" is one of the big signs e-mail was designed for "serious" use by "serious" people before the general public started using and abusing it.

Kjella
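Added example, not part of the comment above: the check it asks for (mail claiming to be from domain.com must arrive from a server that domain.com authorizes) was later standardized as the Sender Policy Framework, RFC 7208. The sketch below evaluates only the `ip4`, `ip6` and `all` mechanisms against constructed policy records; the `PUBLISHED` table stands in for DNS TXT lookups, and `lenient.example` and all addresses are made up from documentation ranges.

```python
import ipaddress

# Constructed policy records in SPF syntax; in deployment the domain owner
# publishes these as DNS TXT records. Addresses are documentation ranges.
PUBLISHED = {
    "domain.com": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8::/48 -all",
    "lenient.example": "v=spf1 ip4:198.51.100.25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_sender(client_ip, mail_from):
    """Evaluate the connecting IP against the policy of the MAIL FROM domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = PUBLISHED.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":                   # catch-all: the owner's default verdict
            return QUALIFIERS[qualifier]
        kind, _, value = mech.partition(":")
        if kind not in ("ip4", "ip6"):
            return "permerror"              # a/mx/include need DNS; out of scope here
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                        # nothing matched and no "all" term
```

A receiving server would reject on `fail`, typically score or quarantine on `softfail`, and treat `none` as no information either way.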

What about the USPS? (2, Interesting)

phylus (468215) | about 11 years ago | (#5740108)

I wonder, how does the USPS deal with a person who gets that much mail? Obviously they have to deliver it since that's their whole purpose, but I know the little mail truck that comes to my house probably couldn't fit a few extra hundred pounds of mail. And the poor mailman, and the mailbox itself.

I mean, logistically, how do they cope with it?

Re:What about the USPS? (1)

dentar (6540) | about 11 years ago | (#5740137)

Each piece of mail was paid for. So, they deliver it! Why is this even a question?