death of usenet, film at 11 (was: Massive cancel attack report)
- To: email@example.com
- Subject: death of usenet, film at 11 (was: Massive cancel attack report)
- From: firstname.lastname@example.org (Michael Brunnbauer)
- Date: Wed, 25 Sep 1996 13:18:38 +0200 (MET DST)
- Comment: This Message comes from the debate mailing list.
- Sender: email@example.com
Someone is playing with cancel messages again, this time on the order of
about 30,000 of them. I have just disabled the execution (not the propagation)
of cancel messages on my INN (with the '-C' flag), which is perhaps exactly
what these people want to achieve. I am looking for a way to selectively
allow the cancels of the net-abuse moderators; does anyone know anything?
> From brunni Wed Sep 25 12:42:14 1996
> Message-Id: <m0v5rPy-0004nOC@pumuckl.pumuckl.cubenet.de>
> Date: Wed, 25 Sep 96 12:42 MET DST
> From: brunni (Michael Brunnbauer)
> To: brunni
> Subject: (fwd) Massive cancel attack report
> Newsgroups: news.admin.net-abuse.misc
> Path: pumuckl.pumuckl.cubenet.de!news.camelot.de!news.space.net!news.ecrc.de!newsfeed.sunet.se!news01.sunet.se!sunic!02-newsfeed.univie.ac.at!03-newsfeed.univie.ac.at!sbg.ac.at!cosy.sbg.ac.at!voskovec.radio.cz!news.msfc.nasa.gov!news.sgi.com!www.nntp.primenet.com!nntp.primenet.com!ddsw1!news.mcs.net!van-bc!nrchh45.rich.nt.com!bcarh8ac.bnr.ca!ferret.ocunix.on.ca!not-for-mail
> Message-ID: <firstname.lastname@example.org>
> Newsgroups: news.admin.net-abuse.announce,alt.nocem.misc,news.admin.net-abuse.misc
> Date: 24 Sep 1996 14:27:08 EST
> Followup-To: news.admin.net-abuse.misc
> From: email@example.com (Chris Lewis)
> Subject: Massive cancel attack report
> Organization: Despams 'R Us
> Approved: firstname.lastname@example.org
> Lines: 102
> Xref: pumuckl.pumuckl.cubenet.de news.admin.net-abuse.announce:1235 alt.nocem.misc:1555 news.admin.net-abuse.misc:21572
> -----BEGIN PGP SIGNED MESSAGE-----
> Over the weekend, someone using sophisticated cancel-generating software
> posted nearly 30,000 cancels forged in the name of the original posters.
> The cancels purport to be legitimate spam/advisory cancellations, but,
> it is clear that they weren't. It appears that someone ran a program
> that simply listened into inbound Usenet on a server, and generated
> cancels for every article it saw in the groups it was listening to. The
> cancels were labeled with "tags" indicating why they were cancelled, but
> these tags were simply labels assigned to the groups the program
> was listening to. If it was an alt.sex group, it got "twatcancel".
> If it was a comp.* group, it got "geekcancel".
> In essence, then, in the jargon of news.admin.net-abuse.misc, a Usenet-wide
> UDP (cancel every article in usenet) was operating for a time.
> The purpose of this attack is simple: to stir up trouble and defame the
> effort to control spam (such as the Make Money Fast plague we're
> seeing). The purpose is clear simply because of the choice of tags - to
> maximize insult and anger.
> This isn't the first time this has happened, there was an "ellisd" cancel
> attack several months ago. The ellisd incident wasn't quite as massive
> or indiscriminate as this one.
> The origin of this attack is a little obscure at the moment, but it is
> being actively pursued. The initial few thousand cancels had galstar.com
> in the path, attempting to capitalize on a discussion in
> news.admin.net-abuse.misc about galstar's admins. The remaining thousands
> were injected through UUNET's open port.
> It appears, due to some references I've seen in the relevant mailing
> lists, that these cancels were all issued from galstar (and/or a
> customer called "cottagesoft.com"), from an account paid for in cash by
> persons as yet unknown. Either directly into galstar's NNTP server, or
> via NNTP directly to UUNET's open port. In essence, then, someone saw
> the discussions on news.admin.net-abuse.misc and saw it as an
> opportunity to take advantage of and obtained a difficult-to-trace
> account with cottagesoft. According to reports, the account[s] have
> been terminated, and people are still actively investigating.
> It's not as hopeless as it sounds, for the number of likely suspects
> is actually quite small. But the evidence is thin. At the moment.
> Therefore, I believe that galstar/cottagesoft were innocent victims
> of this attack, just the same as those cancelled.
> In an attempt to reduce the damage of this attack, I am attempting to
> repost everything that was fraudulently cancelled. The remainder of this
> report provides some statistics of the problem, and what I've done to
> help assuage the damage.
> news.admin.net-abuse.misc has several discussions going on this event,
> which have full copies of cancels so you can see the methods the
> perpetrator attempted to use to maximize confusion.
> Total cancels on this server, indexed by "tag". Even the tags were
> carefully selected to insult and inflame as much as possible.
> 7476 bincancel (probably includes legitimate bincancels)
> 1054 dotheadcancel
> 1691 fagcancel
> 14757 geekcancel
> 1460 kikecancel
> 4044 porncancel
> 2526 slanteyecancel
> 1221 towelheadcancel
> 719 twatcancel
> 25536 cancels arrived as of 1996/09/23
> (excluding bincancel)
> 17758 articles out of the 25536 cancels were resurrected.
> (Missing articles either didn't arrive here or expired too fast.
> Didn't have full list of cancel tags)
> 27474 arrived as of 1996/09/24
> (excluding bincancel)
> 546 articles resurrected. 1996/09/24
> As of this date, then, 18304 articles were resurrected from 27474 cancels.
> I will be checking out the bincancels and see what I can do for them.
> - --
> All postings to news.admin.net-abuse.announce are unconfirmed and
> unverified unless stated otherwise by the moderators. All opinions
> expressed above are considered the opinions of the original poster,
> not the moderators or their respective employers.
> For a copy of the guidelines to this group, see:
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6
> -----END PGP SIGNATURE-----
> Michael Brunnbauer, email@example.com | What can I know?
> PGP Key: ID C68E3155 At Request / Key fingerprint: | What ought I to do?
> EB 78 22 80 53 CF 8B 94 37 29 2A FE 76 12 D4 C7 | What may I hope?
> Visit pumuckl: +49 8141 34057 / +49 8141 26601 |
> login: gast / login: nuucp Index: ~/pub/Index.txt.gz | Segmentation fault
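
An added triage sketch for the forged cancels described in the report above; it is not part of the original message or of INN. It flags cancels whose injection site differs from the site the cancelled article came from, then reports sites that emit a burst of them. The `SPOOL_ORIGIN` lookup, the `.example` hosts and the `burst` threshold are assumptions, and all sample messages are constructed.

```python
from collections import Counter
from email import message_from_string

# Constructed lookup: origin site of articles in the local spool, by Message-ID.
SPOOL_ORIGIN = {
    "<a1@site-a.example>": "site-a.example",
    "<b1@site-b.example>": "site-b.example",
    "<c1@site-c.example>": "site-c.example",
    "<d1@site-d.example>": "site-d.example",
}

def _cancel(path, sender, target):
    """Build a constructed cancel control message (headers only)."""
    return (f"Path: {path}\nFrom: {sender}\nControl: cancel {target}\n"
            f"Message-ID: <cancel.{target[1:]}\n\n")

# Constructed sample: three cancels in the posters' names from one foreign
# injection site, one from the poster's own site, one for an unknown article.
INJ = "relay.example!inject.example!not-for-mail"
CANCELS = [
    _cancel(INJ, "alice@site-a.example", "<a1@site-a.example>"),
    _cancel(INJ, "bob@site-b.example", "<b1@site-b.example>"),
    _cancel(INJ, "carol@site-c.example", "<c1@site-c.example>"),
    _cancel("relay.example!site-d.example!not-for-mail",
            "dave@site-d.example", "<d1@site-d.example>"),
    _cancel(INJ, "eve@site-e.example", "<e1@site-e.example>"),
]

def origin_site(path):
    """Rightmost host in Path, skipping the trailing user/'not-for-mail' entry."""
    parts = [p for p in path.strip().split("!") if p]
    if not parts:
        return ""
    return parts[-2] if len(parts) > 1 else parts[0]

def triage(cancels, spool_origin, burst=3):
    """Return (suspect cancels, injection sites with >= burst suspects)."""
    suspects, per_site = [], Counter()
    for raw in cancels:
        msg = message_from_string(raw)
        control = (msg["Control"] or "").split()
        if len(control) != 2 or control[0].lower() != "cancel":
            continue  # not a cancel control message
        target, site = control[1], origin_site(msg["Path"] or "")
        known = spool_origin.get(target)
        # The injector can preload Path entries, so a match proves nothing;
        # a mismatch against the stored article is the useful signal.
        if known is None or known == site:
            continue
        suspects.append((target, site))
        per_site[site] += 1
    return suspects, {s for s, n in per_site.items() if n >= burst}
```
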