May 1st, 2008

A personal denial of service attack

Posted by Paul Murphy @ 6:15 am

Categories: General, Security

About two weeks ago my mail system started getting a lot of reject and return messages pertaining to email sent out with murph at winface as the return address. None of it actually originated here, of course, but by last Sunday volumes were up to about two hundred false returns per hour.

It’s possible to find out where this is coming from, but doing so is fruitless because victim lists circulate and one guy’s mass mailing today is somebody else’s tomorrow.

By itself this wouldn’t matter, but in the broader sense it’s a directed denial of service attack aided and abetted by the stupid and complacent among network operators.

Here, for example, are a plea for help that arrived last Thursday morning, my response, and the sender’s network carrier’s response to that:

To: murph winface com
Subject: Please help me understand something
From: name withheld at sbcglobal.net
Date: Thu, 24 Apr 2008 10:04:42 -0700 (PDT)

I have been an MCSE for 11 years now, working in the IT field for 15. I have greatly desired for over 10 years to run Linux, but I can’t seem to get a fully functional, stable install in all that time. There is a massive documentation overload when it comes to Linux, so trying to find a solution to a problem is almost impossible. When trying to install any driver, especially wifi, it sometimes takes me days (I have never gotten wifi to work at all) because the documentation on how to make it work never coincides with what I have on my system. In other words, when it says to look in such and such directory, the directory doesn’t exist or is somewhere completely different from what the documentation says. And you find out that you don’t have this or that library to fulfil the dependencies for anything, so you have to go to 50 million places to get 50 million different libraries, and it still doesn’t work. Even within the same distro, things are completely different from one version to the next. Also, services such as Samba will just stop working and I don’t know why. They will work one day and the next day, nothing. What am I missing? I really want to get away from Microsoft, but I can’t until I figure out what it is I don’t understand… People ask why Linux isn’t doing better in the market, I will suggest that this is the reason (and from a gamer’s perspective, none of the hottest games are ported to Linux.) I don’t think I’m stupid, but Linux sure makes me feel like I am. Thanks for your help, Mike

Date: Thu, 24 Apr 2008 11:53:40 -0600 (MDT)
From: Paul Murphy
Subject: Re: Please help me understand something
To: name withheld at sbcglobal.net
MIME-Version: 1.0
Content-MD5: hmCQGxczz7aw/SrZZgNlEA==
Sorry, I don’t think I can help you. Clearly what you need is someone to sit with you and walk you through the process - and I’m not where you are (and if I was, I probably wouldn’t take the time anyway - but distance works as an excuse).

If you’d like I could publish this in the blog and ask for someone to help you - but expect a fair amount of negative comment.

Date: Thu, 24 Apr 2008 11:53:43 -0600 (MDT)
From: Mail Delivery Subsystem
To:
MIME-Version: 1.0
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)

The original message was received at Thu, 24 Apr 2008 11:53:40 -0600 (MDT)
from suni [70.65.128.188]

----- The following addresses had permanent fatal errors -----

(reason: 553 5.3.0 flpi188,DNSBL:521< 70.65.128.188
>_is_blocked.__For_information_see_http://worldnet.att.net/general-info/bls_info/block_inquiry.html)

----- Transcript of session follows -----
… while talking to sbcmx2.prodigy.net.:
< << 553 5.3.0 flpi188,DNSBL:521< 70.65.128.188
>_is_blocked.__For_information_see_http://worldnet.att.net/general-info/bls_info/block_inquiry.html
501 5.6.0 Data format error

And if you look at AT&T’s site you find, among much else, this:

The easiest way to get your message identified as spam is to send it to people who don’t want it or to addresses that are defunct.

Now what I think they did, instead of taking the sender IP from the offending email (typically marked by the forwarder with something like “Received-SPF: neutral (google.com: 77.212.41.76 is neither permitted nor denied …)”), was look up winface.com and block that - thus helping the bad guys execute their denial of service attacks. I asked them about it, but of course they block email from me and did not respond.
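As an added example (not from the post, and not code from any carrier or mail system it names): a Python script that recognizes a backscatter bounce and pulls the originating client IP out of the quoted original’s Received-SPF line, which is the value a block decision should key on rather than the domain in the forged return address. The bounce, hosts, addresses and IP below are constructed.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample bounce (backscatter): a remote MTA rejected a forged
# message and sent the failure notice to the address in the forged From.
# Hosts, addresses and the IP are made up for illustration.
SAMPLE_BOUNCE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>
To: murph@winface.example
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Return-Path: <>

   ----- The following addresses had permanent fatal errors -----
<nobody@example.net>
   ----- Original message follows -----
Received-SPF: neutral (example.net: 198.51.100.76 is neither permitted nor denied by domain of winface.example) client-ip=198.51.100.76
From: murph@winface.example
Subject: cheap pills
"""

# First dotted quad on a Received-SPF line (one line per header assumed).
SPF_IP = re.compile(r"^Received-SPF:.*?(\d{1,3}(?:\.\d{1,3}){3})", re.I | re.M)

def is_backscatter(msg) -> bool:
    """Bounce indicators: auto-generated failure notice, null return path,
    or a Mail Delivery Subsystem sender (as in the bounce quoted above)."""
    auto = (msg.get("Auto-Submitted") or "").lower()
    rp = (msg.get("Return-Path") or "").strip()
    sender = (msg.get("From") or "").lower()
    return auto.startswith("auto-generated") or rp == "<>" or "mail delivery subsystem" in sender

def originating_ip(msg):
    """Client IP the forwarder recorded in the quoted original's Received-SPF
    line. Only text/plain bodies are searched, so the bounce's own outer
    headers (which describe the bouncing MTA, not the spammer) are ignored."""
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        m = SPF_IP.search(part.get_payload())
        if m:
            try:
                return str(ipaddress.ip_address(m.group(1)))  # validates the quad
            except ValueError:
                continue
    return None

def analyze(raw: str) -> dict:
    msg = message_from_string(raw)
    victim = (msg.get("To") or "").strip().rsplit("@", 1)[-1] or None
    return {"backscatter": is_backscatter(msg),
            "victim_domain": victim,            # forged return address, not the origin
            "origin_ip": originating_ip(msg)}   # what a block list should key on
```

Blocking the victim domain, as the post describes, punishes the forged address; blocking `origin_ip` addresses the host that actually injected the message.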

This creates both a problem and an opportunity. Email abuse would be trivially easy for the industry to put an end to - just recognize that every message put on the internet originates with an account someone is paying for and hold that person or company responsible. It’s not technically difficult, and the mechanisms for it are well understood - but this whole PC “security” business is a multi-billion dollar tax on the stupid and nobody wants to kill the golden goose.

Although we don’t know why att.net decided to interrupt my communications with name withheld, it’s easy to argue that there’s a real cost being imposed here - and extending that argument to a few million other victims shouldn’t be much of a challenge either.

Bottom line: what we have here is clear grounds for a class action lawsuit against network carriers - one with millions of claimants and a few big, deep pocket, targets. So, just maybe, the way to finally get action on spam is to turn one bunch of lawyers against another and nail the network carriers between them - and if so, I have one question: anyone want to nominate a law firm?

Paul Murphy (a pseudonym) is an IT consultant specializing in Unix and related technologies.
