Update on mail bombing threats--not so funny

Thu Jan 9 11:32:59 UTC 1997

On Tue, 7 Jan 1997, Howard C. Berkowitz wrote:
> I posted recently about a recent mailbombing threat apparently originating
> from Cyberpromo.  Many of you may have received this, but I must share it
> for those who haven't seen it...the specter of Cyberpromo being victimized
> by Nasty Evil Spammers had me laughing so hard tears ran down my face and
> my ribs hurt.

Unfortunately, this culprit has been operating in hit and run mode for a
while, and has made good on his threats but not exactly how you might
think.  I am going to stick to calling him the "culprit" for liability
reasons.  Bear with me, there are some serious lessons at the end.

The culprit had a free web page at joes.com from Joe Doll advertising
"Hair Tonic" or some such.  Joe Doll has a no spam policy.  The culprit
then did a spam to promote his page and Joe pulled it.  The culprit then
emailed a threatening note to Joe Doll requesting his page be restored. 
Joe Doll then recieved a second note notifying Joe of a pending revenge
spam of 1 million emails.

On Friday Morning, January 3rd we started receiving a continuous stream of
phone calls complaining of a spam from joes.com (subject "El Cheapo..."). 
Somebody using an ibm.net dialup connection was sending out a barrage of
spam in Joe Doll's name forged to appear from joe at joes.com and writen to
be flame bait. 

We immediately began to receive a wave after wave of retaliatory strikes
in the form of email bombs, SYN attacks, ping bombs, and a variety of
other denial of service attacks.  It would have been interesting had it
not been threatening our business.  We were forced to continuously
manually prune the mail queue on our primary server.  (People are creative
when sending email bombs, there are many that randomize everything.)

After we figured out that the specific address for joes.com was being SYN
attacked we undefined the interface alias he was on.  We also changed his
MX record to "read.news.admin.net-abuse.email" to try to get the some of
the attackers to stop.  (I recognized some of their domains as nanae
regulars after scanning the group.) 

By the way, we did try to contact IBM by email and by phone.  We recived a
trouble ticket acknowlegement back on Saturday.  On Monday IBM closed the
culprit's accounts, but apparently forgot to clear out their mail queue. I
have recieved reports that people are still getting the forged joes.com
spam from ibm.net implying that some email must have still been queued. 

For more information about this specific culprit see
http://www.ca-probate.com/yuri.htm

Here are the lessons:

* If somebody sends out 1 million flame bait emails forged to be in your
name and only 1% of the recipients are technical, you have 10,000 people
that hate you and know how to do something about it.  Even 100 determined
hackers can throw a major wrench in your works.  Point: This is an
extremely serious security issue.

* Currently, due to lack of clear criminal law in this area, many net
vigilantes handle spam by exacting revenge in their own way.  However,
this type of "frontier justice" has a low level mob mentality and is apt
to make incorrect decisions.

* If we don't want everybody to take the law into their own hands then we
need get the legal system involved.

* However, while existing civil statutes offer one avenue, the saying is
"you can't get blood from a turnip".  Most spammers spam because they
don't have anything better to do, and therefore don't have significant
assets.

I am going to briefly mention two laws, I know this is nanog, but I must
leave a starting point for the next victim of this type of attack.

After talking with the FBI, I was informed that Federal 18 USC 1030 ibid. 
does not apply.  (I have no idea what it actually says, but many admins
thought it applied.) 

A helpful netizen informed us about US Code Title 487 Section 227. 
However Section 401 which covers enforcement provisions refers to "the
Commission".  The agent in the FBI Computer Crimes Division we have been
working with thinks this means the FCC.

Hurricane Electric has limited resources for this sort of thing and we are
going to have to let this whole issue drop.

I guess we just have to wait until somebody forges 1 million emails from
whitehouse.gov or something like that.

Mike.

+------------------- H U R R I C A N E - E L E C T R I C -------------------+
| Mike Leber             Direct Internet Connections     Voice 408 282 1540 |
| Hurricane Electric      Web Hosting & Co-location        Fax 408 971 3340 |
| mleber at he.net                                           http://www.he.net |
+---------------------------------------------------------------------------+