Denial of Service Attacks disguised as Spam...

Perhaps there are two classes of SPAM.

There are the ones which are sent from a mailing list of KNOWN users,
and then there are those which I've seen myself that just start at A,
and blast names down the list until the program reaches Z. AOL falls
victim to this on many occasions.
While I'd like to see all SPAM go away, you will probably never get rid
of the people who do the former. It's much like filling out any survey,
and then you get USPS mail for eons relating to the questions you answered.
It is inevitable that we will be placed on mailing lists and those lists
will be sold.

I do agree that we need to treat this as a DoS, but better methods of
tracing the user and then stopping them need to be established. In
many respects, he is forging his identity and I cannot imagine that
forgery is legal.

-ravi

> many respects, he is forging his identity and I cannot imagine that
> forgery is legal.

The ability to send anonymous email will probably remain protected. Also,
the legal beagles I know tell me it is perfectly legal to use an alias as
long as it is not done for fraudulent purposes.

The issue of DoS vs. annoying selling methods comes down to intent. If
there is no product, then one or more laws are being violated:

  Offering non-existent products for sale is a fraudulent activity. It is
a federal offense if it involves interstate commerce. If it is
intra-state, then usually only state laws apply.

  Intentional damage to a computer system engaged in interstate commerce is
a federal offense.

The FBI and/or the local police fraud unit should be able to help.

Identifying the source of someone sending 30,000 messages a day for a week
should be a doable task.

    --Dean

I guess I'm not making my point very well.

I'm not talking in metaphors, I'm not saying that some spammers IN
EFFECT cause denial of service attacks.

I am saying that individuals who want to harm sites, and have nothing
whatsoever to sell, act like spammers to perform their maliciousness.

For example, they take some old "MAKE MONEY FAST!!!" text and bang it
at a site 300,000 times in a day, as fast as they can, hoping to cause
that site grief, just like a smurf or SYN attack or whatever.

Why? Because as another major site administrator agreed with me in
private mail, relating specific incidents: You call an upstream
ISP/NSP or the FBI or whatever and their minds cloud and they say "oh
yes, SPAM, annoying isn't it? We get hundreds of complaints like this
a day we'll try to get to yours eventually, but I'd recommend just
deleting it <click>."

It's not as effective, but it looks to me like it's completely and
100% safe because the entire system which might track them down and
prosecute them completely collapses as soon as the word "spam" is
mentioned, all minds go off, form responses are sent back from
automailers, and nothing happens.

It's kind of like calling to complain about real telephone harassment
(eg, someone calling you with obscenities and threats at all hours of
the day and night) and having the telco person say "oh!
telemarketers! yes I find them annoying also, but there's not a lot
that can be done, sorry! <click>"

WHAT I AM SAYING IS we have the usual malicious, cracker sociopaths
who last week were trying to break into your routers and systems now
blasting you with millions of mail msgs they grabbed from somewhere,
not to sell something but out of the same sort of motivation that
moved them to crack your systems or do smurf attacks or whatever,
because they know that if it LOOKS LIKE spam no one will do anything
to them. Hell, no one will even really investigate beyond maybe "ah
well another spam load from some throwaway account".

I'm really going to go down in flames trying to make this distinction
aren't I?

The simple thing to do is null route the offending host(s) until they call
you and ask you to turn it off. If they don't and you don't get any
complaints from your customers, then all is good :)

  -Steve

P.S. I find this route is very effective when dealing with sites that
source malicious behavior and refuse to deal with it.

This is a reactive solution to the problem. Though there are times
when the only solution you have is to attempt to quell the problem
through a plethora of ugly ip route statements, I hardly think it is
a good solution to the problem. Any person looking to harm your network
with intent greater than that of a passing whim would probably decide
to change his/her ip address after realizing that a host suddenly became
unreachable.

brad reynolds
ber@cwru.edu

A variant of this approach is that taken by a customer of a customer
of ours, who subscribed someone he didn't like to 130 very active
email lists. Fortunately (or unfortunately, depending on how you
look at these things) he did it rather carelessly, we keep extensive
logs, and the FBI and the UK Computer Crime unit were both very
interested.