
death of usenet, film at 11 (was: Massive cancel attack report)




hi all

someone is playing with cancel messages again, this time on the order of
about 30000 of them. i have just disabled the execution (not the propagation)
of cancel messages on my inn (with the '-C' flag), which is perhaps exactly
what these people want to achieve. i am looking for a way to selectively allow
the cancels of the net-abuse moderators, does anyone know something?

Forwarded message:
> From brunni Wed Sep 25 12:42:14 1996
> Message-Id: <m0v5rPy-0004nOC@pumuckl.pumuckl.cubenet.de>
> Date: Wed, 25 Sep 96 12:42 MET DST
> From: brunni (Michael Brunnbauer)
> To: brunni
> Subject: (fwd) Massive cancel attack report
> Newsgroups: news.admin.net-abuse.misc
> 
> 
> Path: pumuckl.pumuckl.cubenet.de!news.camelot.de!news.space.net!news.ecrc.de!newsfeed.sunet.se!news01.sunet.se!sunic!02-newsfeed.univie.ac.at!03-newsfeed.univie.ac.at!sbg.ac.at!cosy.sbg.ac.at!voskovec.radio.cz!news.msfc.nasa.gov!news.sgi.com!www.nntp.primenet.com!nntp.primenet.com!ddsw1!news.mcs.net!van-bc!nrchh45.rich.nt.com!bcarh8ac.bnr.ca!ferret.ocunix.on.ca!not-for-mail
> Message-ID: <960925142708.6016.16055@ferret.ocunix.on.ca>
> Newsgroups: news.admin.net-abuse.announce,alt.nocem.misc,news.admin.net-abuse.misc
> Date: 24 Sep 1996 14:27:08 EST
> Followup-To: news.admin.net-abuse.misc
> From: clewis@ferret.ocunix.on.ca (Chris Lewis)
> Subject: Massive cancel attack report
> Organization: Despams 'R Us
> Approved: net-abuse-request@math.psu.edu
> Lines: 102
> Xref: pumuckl.pumuckl.cubenet.de news.admin.net-abuse.announce:1235 alt.nocem.misc:1555 news.admin.net-abuse.misc:21572
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> 
> Over the weekend, someone using sophisticated cancel-generating software
> posted nearly 30,000 cancels forged in the name of the original posters.
> The cancels purport to be legitimate spam/advisory cancellations, but,
> it is clear that they weren't.  It appears that someone ran a program
> that simply listened into inbound Usenet on a server, and generated
> cancels for every article it saw in the groups it was listening to.  The
> cancels were labeled with "tags" indicating why they were cancelled, but
> these tags were simply labels assigned to the groups the program
> was listening to.  If it was a alt.sex group, it got "twatcancel".
> If it was a comp.* group, it got "geekcancel".
> 
> In essence, then, in the jargon of news.admin.net-abuse.misc, a Usenet-wide
> UDP (cancel every article in usenet) was operating for a time.
> 
> The purpose of this attack is simple:  to stir up trouble and defame the
> effort to control spam (such as the Make Money Fast plague we're
> seeing).  The purpose is clear simply because of the choice of tags - to
> maximize insult and anger.
> 
> This isn't the first time this has happened, there was an "ellisd" cancel
> attack several months ago.  The ellisd incident wasn't quite as massive
> or indiscriminate as this one.
> 
> The origin of this attack is a little obscure at the moment, but it is
> being actively pursued.  The initial few thousand cancels had galstar.com
> in the path, attempting to capitalize on a discussion in
> news.admin.net-abuse.misc about galstar's admins.  The remaining thousands
> were injected through UUNET's open port.
> 
> It appears, due to some references I've seen in the relevant mailing
> lists, that these cancels were all issued from galstar (and/or a
> customer called "cottagesoft.com"), from an account paid for in cash by
> persons as yet unknown.  Either directly into galstar's NNTP server, or
> via NNTP directly to UUNET's open port.  In essence, then, someone saw
> the discussions on news.admin.net-abuse.misc and saw it as an
> opportunity to take advantage of and obtained a difficult-to-trace
> account with cottagesoft.  According to reports, the account[s] have
> been terminated, and people are still actively investigating.
> 
> It's not as hopeless as it sounds, for the number of likely suspects
> is actually quite small.  But the evidence is thin.  At the moment.
> 
> Therefore, I believe that galstar/cottagesoft were innocent victims
> of this attack, just the same as those cancelled.
> 
> In an attempt to reduce the damage of this attack, I am attempting to
> repost everything that was fraudulently cancelled.  The remainder of this
> report provides some statistics of the problem, and what I've done to
> help assuage the damage.
> 
> news.admin.net-abuse.misc has several discussions going on this event,
> which have full copies of cancels so you can see the methods the
> perpetrator attempted to use to maximize confusion.
> 
> Total cancels on this server, indexed by "tag".  Even the tags were
> carefully selected to insult and inflame as much as possible.
> 
> 7476 bincancel		(probably includes legitimate bincancels)
> 1054 dotheadcancel
> 1691 fagcancel
> 14757 geekcancel
> 1460 kikecancel
> 4044 porncancel
> 2526 slanteyecancel
> 1221 towelheadcancel
>  719 twatcancel
> 
> 25536 cancels arrived as of 1996/09/23
> 	(excluding bincancel) 
> 17758 articles out of the 25536 cancels were resurrected.
> 	(Missing articles either didn't arrive here or expired too fast.
> 	Didn't have full list of cancel tags)
> 
> 27474 arrived as of 1996/09/24
> 	(excluding bincancel)
> 
> 546   articles resurrected. 1996/09/24
> 
> As of this date, then, 18304 articles were resurrected from 27474 cancels.
> 
> I will be checking out the bincancels and see what I can do for them.
> - -- 
> All postings to news.admin.net-abuse.announce are unconfirmed and
> unverified unless stated otherwise by the moderators.  All opinions
> expressed above are considered the opinions of the original poster,
> not the moderators or their respective employers.
> 
> For a copy of the guidelines to this group, see:
> http://www.math.psu.edu/barr/net-abuse-guidelines.html
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6
> 
> iQCVAgUBMkgoop3FmCyJjHfhAQGQGQP/SSJF/5s0aSbikFK+QkzQCfNPDWFBRpaq
> npN6MlzmZhoTRN/CzMnksJYc8L2FPTYGiiLOUquS7zfSj9AKU80onlOfJ9AoKdAp
> Tc/bfWNjtmBqWSzkJJrp0f/upsSszaSnT3CWz6EChEsuv/F56mmlcK+zgL9Wgk5D
> GSfJj1fvhSw=
> =8LPq
> -----END PGP SIGNATURE-----
> 
> --
> Michael Brunnbauer, brunni@pumuckl.pumuckl.cubenet.de | What can I know?
> PGP Key: ID C68E3155 At Request / Key fingerprint:    | What should I do?
> EB 78 22 80 53 CF 8B 94  37 29 2A FE 76 12 D4 C7      | What may I hope?
> Visit pumuckl: +49 8141 34057 / +49 8141 26601        |
> login: gast / login: nuucp Index: ~/pub/Index.txt.gz  | Segmentation fault
>
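
A per-tag tally like the one in the forwarded report, plus a per-injector count that shows where a flood entered, written as an added example that is not part of the original message or of INN. It assumes the tag leads the cancel's own Message-ID (the report does not say which header carried it) and that the second-to-last Path entry names the injecting host; all hosts and messages below are constructed.

```python
import re
from collections import Counter
from email import message_from_string

# Assumption: the tag leads the cancel's own Message-ID, e.g. <geekcancel.1@...>.
TAG_RE = re.compile(r"<([a-z]+cancel)\.")

def parse_cancel(raw):
    """Return (target_id, tag, injector) for a cancel control message, else None."""
    msg = message_from_string(raw)
    control = (msg.get("Control") or "").split()
    if len(control) != 2 or control[0].lower() != "cancel":
        return None
    m = TAG_RE.match(msg.get("Message-ID") or "")
    hops = (msg.get("Path") or "").split("!")
    # The Path tail is written by the injecting side, so it is a lead for
    # grouping, not proof of origin. The last entry is a pseudo-user.
    injector = hops[-2] if len(hops) > 1 else hops[0]
    return control[1], (m.group(1) if m else "untagged"), injector

def triage(raw_messages, threshold):
    """Tally cancels by tag and injector; list injectors at or above threshold."""
    by_tag, by_injector = Counter(), Counter()
    for raw in raw_messages:
        parsed = parse_cancel(raw)
        if parsed is None:
            continue  # ordinary article, not a cancel
        _, tag, injector = parsed
        by_tag[tag] += 1
        by_injector[injector] += 1
    flagged = sorted(h for h, n in by_injector.items() if n >= threshold)
    return by_tag, by_injector, flagged

def make(tag, n, path):
    """Build one constructed sample cancel (not a captured message)."""
    return (f"Path: {path}\nFrom: poster{n}@site.example\n"
            f"Message-ID: <{tag}.{n}@site.example>\n"
            f"Control: cancel <art{n}@site.example>\n\ncancelled\n")

FLOOD = "peer.example!flood.example!not-for-mail"
SAMPLES = ([make("geekcancel", i, FLOOD) for i in range(5)]
           + [make("bincancel", i, FLOOD) for i in range(3)]
           + [make("cancel", 9, "peer.example!user.example!not-for-mail")]
           + ["Path: peer.example!user.example!not-for-mail\n"
              "Message-ID: <a1@user.example>\nSubject: hello\n\nbody\n"])

if __name__ == "__main__":
    tags, injectors, flagged = triage(SAMPLES, threshold=5)
    print(dict(tags), dict(injectors), flagged)
```
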