From Schneier's CRYPTO-GRAM -- Automated Denial-of-Service Attack
Using the U.S. Post Office
Jeffrey Kay
jeff at k2.com
Mon Apr 14 12:13:44 PDT 2003
I thought this article was too cool to miss. Perhaps I enjoyed it a
little too much.
---------------------------------------------------------------------------------------
Automated Denial-of-Service Attack Using the U.S. Post Office
In December 2002, the notorious "spam king" Alan Ralsky gave an
interview. Aside from his usual comments that antagonized spam-hating
e-mail users, he mentioned his new home in West Bloomfield,
Michigan. The interview was posted on Slashdot, and some enterprising
reader found his address in some database. Egging each other on, the
Slashdot readership subscribed him to thousands of catalogs, mailing
lists, information requests, etc. The results were devastating: within
weeks he was getting hundreds of pounds of junk mail per day and was
unable to find his real mail amongst the deluge.
Ironic, definitely. But more interesting is the related paper by
security researchers Simon Byers, Avi Rubin and Dave Kormann, who have
demonstrated how to automate this attack.
If you type the following search string into Google -- "request catalog
name address city state zip" -- you'll get links to over 250,000 (the
exact number varies) Web forms where you can type in your information
and receive a catalog in the mail. Or, if you follow where this is
going, you can type in the information of anyone you want. If you're a
little bit clever with Perl (or any other scripting language), you can
write a script that will automatically harvest the pages and fill in
someone's information on all 250,000 forms. You'll have to do some
parsing of the forms, but it's not too difficult. (There are actually
a few more problems to solve. For example, the search engines normally
don't return more than 1,000 actual hits per query.) When you're done,
voila! It's Slashdot's attack, fully automated and dutifully executed
by the U.S. Postal Service.
If this were just a nasty way to harass people you don't like, it
wouldn't be worth writing about. What's interesting about this attack
is that it exploits the boundary between cyberspace and the real
world. The reason spamming normally doesn't work with physical mail is
that sending a piece of mail costs money, and it's just too expensive
to bury someone's house in mail. Subscribing someone to magazines and
signing them up for embarrassing catalogs is an old trick, but it has
limitations because it's physically difficult to do it on a large
scale. But this attack exploits the automation properties of the
Internet, the Web availability of catalog request forms, and the paper
world of the Post Office and catalog mailings. All the pieces are
required for the attack to work.
And there's no easy defense. Companies want to make it easy for
someone to request a catalog. If the attacker used an anonymous
connection to launch his attack -- one of the zillions of open wireless
networks would be a good choice -- I don't see how he would ever get
caught. Even worse, it could take years for the victim to get his name
off all of the mailing lists -- if he ever could.
Individual catalog companies can protect themselves by adding a human
test to their sign-up form. The idea is to add a step that a person
can easily do, but a machine can't. The most common technique is to
produce a text image that OCR technology can't understand but the human
eye can, and to require that the text be typed into the form. These
have been popping up on Web sites to prevent automatic registration;
I've seen them on Yahoo and PayPal, for example.
If everyone used this sort of thing, the attack wouldn't work. But the
economics of the situation means that this won't happen. The attack
works in aggregate; each individual catalog mailer only participates to
a small degree. There would have to be a lot of fraud for it to be
worth the money for a single catalog mailer to install the
countermeasure. (Making it illegal to send a catalog to someone who
didn't request it could change the economics.)
Attacks like this abound. They arise when an old physical process is
moved onto the Internet, and is then automated in some unanticipated
way. They're emergent properties of the systems. And they're going to
become more prevalent in the years ahead.
The paper:
<http://www.avirubin.com/scripted.attacks.pdf>
The Ralsky story:
<http://www.freep.com/money/tech/mwend6_20021206.htm>
<http://www.macobserver.com/article/2002/12/06.11.shtml>
jeffrey kay
weblog <k2.com> pgp key <www.k2.com/keys.htm> aim <jkayk2>
share files with me -- get shinkuro -- <www.shinkuro.com>
"first get your facts, then you can distort them at your leisure" --
mark twain
"if the person in the next lane at the stoplight rolls up the window and
locks the door, support their view of life by snarling at them" -- a
biker's guide to life
"if A equals success, then the formula is A equals X plus Y plus Z. X is
work. Y is play. Z is keep your mouth shut." -- albert einstein
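Added example, not code from the original post, the CRYPTO-GRAM article, or the Byers/Rubin/Kormann paper: a small Python model of the two halves of the attack Schneier describes above. The first half is the "parsing of the forms" step, which only has to recognise the name/address fields of an arbitrary catalog request form and fill them from a victim record; the second half is the human-test countermeasure, modelled as a challenge field whose answer lives only in an image the server rendered, so a blind fill leaves it empty and the merchant rejects the request. The HTML forms, field names, victim record and challenge value are all constructed for the example; nothing is fetched from the network.

```python
"""Added example (not from the original post or the Byers/Rubin/Kormann
paper). Models the scripted catalog-request attack and the human-test
defence against it. All forms, records and challenge values are constructed."""
from html.parser import HTMLParser
import re

# Constructed victim record; no real person or address.
VICTIM = {"name": "A. Victim", "address": "1 Example St",
          "city": "Example City", "state": "XX", "zip": "00000"}

# Constructed catalog form with no countermeasure.
PLAIN_FORM = """<html><body><form action="/catalog/request" method="post">
<input type="hidden" name="catalog_id" value="spring2003">
<input name="full_name"> <input name="street_address">
<input name="city"> <input name="state"> <input name="zipcode">
<input type="submit" value="Send my catalog">
</form></body></html>"""

# Same merchant after adding a human test: the answer exists only in the image.
PROTECTED_FORM = PLAIN_FORM.replace(
    '<input type="submit"',
    '<img src="/challenge.png"><input name="challenge">\n<input type="submit"')

# Heuristics for the many spellings of the five fields an attacker needs.
FIELD_PATTERNS = {
    "name":    re.compile(r"(full.?name|^name$|fname|first.?name)", re.I),
    "address": re.compile(r"(addr|street)", re.I),
    "city":    re.compile(r"city|town", re.I),
    "state":   re.compile(r"state|province", re.I),
    "zip":     re.compile(r"zip|postal", re.I),
}


class FormExtractor(HTMLParser):
    """Collect action, method and named inputs of the first <form> on a page."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "get"
        self.fields = {}        # input name -> default value (hidden fields keep theirs)
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = a.get("action", "")
            self.method = (a.get("method") or "get").lower()
        elif self._in_form and tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def harvest_form(html):
    """The 'harvest' step: turn one search hit into a fillable form description."""
    parser = FormExtractor()
    parser.feed(html)
    return parser


def fill_form(form, victim):
    """Build the POST body a script would send: hidden defaults are kept,
    any field whose name looks like one of the five address fields is
    overwritten with the victim's data, everything else is left blank."""
    body = dict(form.fields)
    for name in form.fields:
        for key, pattern in FIELD_PATTERNS.items():
            if pattern.search(name):
                body[name] = victim[key]
                break
    return body


def unfilled(body):
    """Fields the blind fill could not populate; a human test shows up here."""
    return sorted(name for name, value in body.items() if value == "")


def merchant_accepts(body, expected_challenge=None):
    """Server side of one merchant. Without a human test every complete
    request ships a catalog; with one, the answer the server attached to the
    image it served must come back as well."""
    required = ("full_name", "street_address", "city", "state", "zipcode")
    if not all(body.get(field) for field in required):
        return False
    if expected_challenge is not None:
        return body.get("challenge") == expected_challenge
    return True


def catalogs_sent(pages, victim):
    """Run the blind fill over (html, expected_challenge) pairs and count how
    many merchants would ship; only those with a human test drop out."""
    return sum(merchant_accepts(fill_form(harvest_form(html), victim), challenge)
               for html, challenge in pages)


if __name__ == "__main__":
    print(fill_form(harvest_form(PLAIN_FORM), VICTIM))
    print(unfilled(fill_form(harvest_form(PROTECTED_FORM), VICTIM)))
    print(catalogs_sent([(PLAIN_FORM, None)] * 3 + [(PROTECTED_FORM, "r7kq2")], VICTIM))
```

The model reproduces the economics in the article: the attacker's code does not care which merchant it hits, so only merchants that have individually paid for a challenge step subtract themselves from the aggregate, and the rest still ship.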