Denial of Service Attacks disguised as Spam...
Barry Shein
bzs at world.std.com
Wed Dec 31 20:30:05 UTC 1997
[The purpose of this note is to change your thinking about Spam]
Enormous amounts of this so-called "spam" is nothing of the sort, it
is malicious people using mail ports to conduct denial of service
attacks. And the sooner we wake up to this fact the better.
We need a new word for this and to publicize this new
attitude. Because as soon as someone says "spam" all that comes to
mind is a Sanford Wallace type pathetically trying to make a buck with
annoying advertising, and people (in particular law enforcement) just
won't give "annoying advertising" a moment's thought.
But I assert that we're dealing with crime and criminals here who
aren't selling anything.
Look at the several consecutive log entries attached below ("Spamf"
and "PATMATCH" mean the msg was blocked by our spam filters.)
We're receiving about *30,000* of these per day, non-stop, full-blast,
every few seconds, for days.
The fact that not one of these is getting past our filters doesn't
seem to discourage this person, not even over a period of days.
The network address of the mail relay source has been hacked (notice
how it changes with every msg), the address ("billy at bingo.edu") is
phony and forged. This person has gone to great length to hide their
identity and to make it difficult to block them at the router level.
Blocking the message itself is relatively easy, but I don't think they
care, just so long as they can hammer at your mail port day and night.
Dec 31 14:36:29 5C:world sendmail[3098]: SpamF: <billy at bingo.edu>
(relay=po1.synapse.or.jp [202.208.174.131]) PATMATCH
Dec 31 14:37:09 5C:world sendmail[3614]: SpamF: <billy at bingo.edu>
(relay=www.dma.be [195.13.24.2]) PATMATCH
Dec 31 14:37:10 5C:world sendmail[3623]: SpamF: <billy at bingo.edu>
(relay=at.atnet.it [193.207.30.132]) PATMATCH
Dec 31 14:37:22 5C:world sendmail[3765]: SpamF: <billy at bingo.edu>
(relay=mail.vienna.at [194.158.143.44]) PATMATCH
Dec 31 14:37:23 5C:world sendmail[3775]: SpamF: <billy at bingo.edu>
(relay=seus.metoc.ns.doe.ca [131.235.30.50]) PATMATCH
This person is not the only source of this, others are doing the same
thing.
I don't believe this person is actually selling anything.
Can I repeat that?
I DON'T BELIEVE THIS PERSON IS ACTUALLY SELLING ANYTHING
I do believe this is a malicious person who has learned that if you
stick some text in a message that appears to be selling something law
enforcement's mind will go blank and nothing (effective) will be
done. "It's just annoying advertising, ignore it".
The analogy which comes to mind is a town where door to door salesman
can't be considered trespassers on your doorstep. So a group of people
who want to annoy you don what appear to be door to door salesmen
accouterments (eg, a suitcase full of new household brushes) and
stands and bangs and bangs and bangs on your door, day and night.
And you tell themm to go away. And they ignore you, they keep banging.
So you call the police, and they say "he's a door to door salesman,
the law allows him to bang on your door! People bang on people's doors
all the time. Stop calling us, we can't do anything, ask him to leave
or ignore him."
We're being fooled, we're allowing criminals to operate without
challenge.
--
-Barry Shein
Software Tool & Die | bzs at world.std.com | http://www.std.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989 *oo*
More information about the NANOG
mailing list