Posted on 05/03/2005 7:39:32 PM PDT by Shieldmaiden
Fancy taking revenge on someone you don't like by deluging someone with junk mail?
A little bit of knowledge can go a long way. Thanks to the increased readiness of companies to send out brochures and magazines to anyone who bothers to register online, the US Postal Service can become the agent of denial of service attacks.
This much is well known, but a recent paper (right here: http://www.avirubin.com/scripted.attacks.pdf) by security researchers Simon Byers, Aviel Rubin and Dave Kormann demonstrates how to automate this attack.
If you type the following search string into Google -- "request catalogue name address city state zip" -- you'll get links to over thousands of Web forms where you can type in your information and receive a catalogue in the mail.
It'd be a tedious business to fill out many forms.
But anyone with a modest amount of programming skills, and a target's snail mail address, can automate the attack and deluge their victims with junk mail.
Last December, self-styled "spam king" Alan Ralsky let slip his snail-mail address. Internet activists seized on this information to deluge him with unwanted snail mail.
Within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.
A pleasantly ironic attack, made all the more satisfying by Ralsky's outraged reaction.
That attack took the collective effort of many thousands but automating the attack leaves us all vulnerable.
Noted security and encryption guru Bruce Schneier believes there is no easy defence against the attack.
"Companies want to make it easy for someone to request a catalogue. If the attacker used an anonymous connection to launch his attack - open wireless networks would be a good choice - I don't see how he would ever get caught," Schneier observes.
"Even worse, it could take years for the victim to get his name off all of the mailing lists," he adds.
Individual catalogue companies can protect themselves by blocking automated signups (inserting a step that a person can easily do, but a machine can't). But it only takes a limited percentage to omit this check for the attack to work.
Schneier isn't convinced this will happen.
"The attack works in aggregate; each individual catalogue mailer only participates to a small degree. There would have to be a lot of fraud for it to be worth the money for a single catalogue mailer to install the countermeasure," he writes.
Schneier concludes that as old physical processes are moved onto the Internet such attacks are likely to become more prevalent.
Which isn't nice. ®
My daughter went to administration who agreed to discuss this with the teacher. I don't know whether or not this happened, or if this teacher was merely advised of my daughter's complaint, angering the liberal teacher further. Regardless, my daughter is now the subject of an ugly mail attack. She is getting enormous loads of mail delivered to her apartment.
Evidently the liberals don't really care about the environment as much as they say! We know it is the teacher behind this crime, and are working to prove it by obtaining the IP address which would link the attack to a specific computer.
At this point, her dad and I drove a couple hours to meet with the president of the college and her assistant. The president was a delightful lady as was her assistant. They agreed to help us try to discover the identity of the sender by using their resources to obtain an IP address of the culprit. However, by the next day they had circled the wagons, delegated our problems to an underling, and muzzled the nice young assistant. The underling's attitude was patronizing, hostile, adversarial, and rude. His conversation was with an assistant as a witness.
Now, we're suspicious of all of them and are considering an attorney. All we wanted was help getting the IP address. I can't go into all the details, but we know this attack is from this teacher or an agent of hers. Why would the university be so protective of this teacher? What are they afraid of? Could anybody out there offer any advice or insight into this?
Sorry, I can't offer advice. But if the teacher did it he is a cowardly child and should get what he deserves.
Hope everything works out for you.
You could try sending this story to Hannity or other conservative media in the hopes it will be picked up. If this can be pinned on the teacher it would make for a great example of liberal bias in college.
If they discovered that the IP address belonged to the University, they could be afraid of having their shirts sued right off their backs.
Free Fuel!
Contact your local postal inspectors. Tell them what's going on. They may be able to help.
The teacher wasn't Ward Churchill, was it? Just kidding. Best of luck in this, something we pay for, we shouldn't have to suffer. If possible, pay for another school. Problem with colleges people don't deal with them like they deal with anything else they pay for. They know the value of the buck for sure.
One wonders if fraudulently using the address of another person to request mail for that person, without that person's consent, could be considered criminal impersonation...
Usually the IP address is shared among many computers, but it may not be. Also, a web proxy is usually placed between a university's net connection and the rest of the computers - it logs web accesses, blocks viruses and spyware, etc. The logs are usually kept for a while.
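The proxy logs mentioned in the comment above are where a campus network administrator would look for the scripted sign-ups the article describes: one internal client posting to catalogue request forms on many different sites within minutes. This is an added example, not part of the original thread; it assumes a Squid-style native access.log, and the sample lines, the `flag_bulk_requesters` name and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1115170000.101 210 10.1.4.23 TCP_MISS/200 5120 GET http://www.example.edu/library/ - DIRECT/192.0.2.10 text/html
1115170012.340 388 10.1.7.77 TCP_MISS/200 1843 POST http://shop-a.example/catalog/request - DIRECT/192.0.2.21 text/html
1115170015.912 402 10.1.7.77 TCP_MISS/200 2210 POST http://shop-b.example/request-catalogue.asp - DIRECT/192.0.2.22 text/html
1115170019.005 371 10.1.7.77 TCP_MISS/302 310 POST http://shop-c.example/forms/catalog_request.cgi - DIRECT/192.0.2.23 text/html
1115170023.450 395 10.1.7.77 TCP_MISS/200 1999 POST http://shop-d.example/freecatalog - DIRECT/192.0.2.24 text/html
1115170300.000 350 10.1.4.23 TCP_MISS/200 2044 POST http://shop-a.example/catalog/request - DIRECT/192.0.2.21 text/html
1115170400.000 120 10.1.9.5 TCP_MISS/200 900 POST http://mail.example.edu/login - DIRECT/192.0.2.30 text/html
"""

FORM_HINT = re.compile(r"catalog", re.I)   # matches "catalog" and "catalogue"
HOST = re.compile(r"^[a-z]+://([^/:]+)", re.I)

def flag_bulk_requesters(log_text, window_s=600, min_sites=3):
    """Return {client_ip: sorted distinct hosts} for clients that POSTed to
    catalogue-style forms on >= min_sites different hosts within window_s."""
    posts = defaultdict(list)          # client -> [(timestamp, host)]
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "POST" or not FORM_HINT.search(f[6]):
            continue
        try:
            ts = float(f[0])
        except ValueError:
            continue                   # skip malformed or truncated lines
        m = HOST.match(f[6])
        if m:
            posts[f[2]].append((ts, m.group(1).lower()))
    flagged = {}
    for client, events in posts.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):   # window opened at each event
            hosts = {h for t, h in events[i:] if t - start <= window_s}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_sites:
            flagged[client] = sorted(best)
    return flagged

if __name__ == "__main__":
    for ip, hosts in flag_bulk_requesters(SAMPLE_LOG).items():
        print(ip, len(hosts), "sites:", ", ".join(hosts))
```

A single catalogue request from a client, like the one from 10.1.4.23 in the sample, stays below the threshold; only the spread across many merchants in a short window is flagged.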
Tip to the "noted security and encryption guru," all the victim needs to do is get a PO Box and file a COA to that box. The PO will not forward standard class (bulk business mail) unless the mail piece bears an ancillary service endorsement. First class and periodicals (magazines and newspapers) will be forwarded to the PO Box. The PO will trash the non-forwardable std class mail.
I'm thinking you have to get one of the companies that received the request to identify the IP address the request came from.
You can then use some web sites like this: http://www.webyield.net/domainquery.html that allow you to plug in the IP address and it will return a spit load of info.
Good luck.
Thanks for everybody's helpful advice. Any suggestions for how to persuade the companies to see the necessity for looking up that IP address? Running into poorly motivated workers at companies plus their irrational fear about giving the IP address out to the person who (ostensibly!) requested their catalog. Would it be worth a try to post company names here, hoping for a "connection" and help?
Your local postal inspector will subpoena the appropriate people/companies to obtain the evidence you seek...as what has happened is mail fraud against your daughter...something that the post office will smash with a vengeance.
That school is screwed.
Can you elaborate? How did he "intimidate" and "bully" her, and how did he "lose his temper"?
Wow, proof, first time I heard that mentioned in this thread.
I heard stories of many Alaskans that sent away for as much junk mail as possible to help subsidize their heating costs during the winter. :)
An all snail mail version of this attack happened to a friend of mine in college. The attacker got together a stack of business reply cards, rubber stamped the victim's name (actually, an unflattering variant of his name) and address on each one, and dropped them in the mail. The victim got a very impressive amount of junk over the next several months, probably several trees' worth.