Thursday, April 24, 2003

Automated Denial-of-Service Attack Using the U.S. Post Office

In December 2002, the notorious "spam king" Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.

Ironic, definitely. But more interesting is the related paper by security researchers Simon Byers, Avi Rubin and Dave Kormann, who have demonstrated how to automate this attack.

If you type the following search string into Google -- "request catalog name address city state zip" -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms. You'll have to do some parsing of the forms, but it's not too difficult. (There are actually a few more problems to solve. For example, the search engines normally don't return more than 1,000 actual hits per query.) When you're done, voila! It's Slashdot's attack, fully automated and dutifully executed by the U.S. Postal Service.

[More]