(A Javascript-enabled browser is required to email me.)

TBTF for 1995-12-06: List hijacking revisited; the state of Usenet spam

Keith Dawson (dawson dot tbtf at gmail dot com)
Thu, 7 Dec 1995 00:38:26 -0500

One of the compensations of being an unpaid net.journalist is that I get to
make predictions. One of the downsides is that it's really easy to check up
on predictions when everything is archived on the Web. Herewith an update on
the most unequivocal prediction yet to appear on TBTF. In the number for
1995-09-24 I wrote:

[B]efore 1995 ends the Net will see a brief controversy over the technique
I call "list hijacking." Everyone who runs a mailing list will secure it
and the fast-vanishing culture of Net openness will erode another notch.

How are we doing? Has the Net seen a list hijacking yet? Here are two cases
that have some of the flavor of the practice I imagined; but both are on a
far grander scale. (Or as J.B.S. Haldane might have written, were he alive
and surfing today, "The Net is not only queerer than we suppose, it is queer-
er than we can suppose.")
Threads Email spam and antispam tactics
See also TBTF for
2000-07-20, 1999-07-19, 1998-11-17, 07-27, 03-30, 02-09, 01-12, 1997-11-24, 10-20, 09-29, 09-22, more...

I. The Crusader / National Alliance spams

Beginning on September 26 a series of spam attacks erupted, continuing for
four days. Copies of an extremely racist message were sent to tens of thous-
ands of email addresses around the world. There was speculation on the news-
group news.admin.net-abuse.misc that the addresses could have come from col-
lecting a few months' worth of Usenet postings, scanning the Internet Relay
Chat for usernames, and possibly buying (or more likely, stealing) a commer-
cial list or two.

This case is oblique to the postulated practice of list hijacking, but it
is a fascinating study in cracking and spamming, so I'll say on. The spams
at first emanated from a site in Germany, then one in France, and finally
one in Italy. Crackers got root access to these machines apparently by
exploiting the "sendmail" vulnerability -- a.k.a. the oldest trick in the
book, a.k.a. the fool's mate. (Shame on the administrators who hadn't
patched their systems to close this hole since it was discovered in 1989.)
Net.god types who posted to news.admin.net-abuse.misc about strategies to
counter the spam began to notice their messages being eradicated by forged
cancel messages that, on investigation, proved to originate at the same site
in Italy.

The spammers claimed to speak for an organization called the National Alli-
ance. This is an actual outfit with racist views similar to those expressed
in the spam; but a leader of the National Alliance came forward publicly on
the Net and disclaimed any official involvement. He said they wanted to find
the perpetrators as much as anyone, because the organization's good name had
been besmirched by bad nettiquete. (Go figure. "I may be a racist but I'm no
spammer.") It did no good. Every account that the Net could locate associated
with the National Alliance was mailbombed. One particularly devious attack
was deplored in the newsgroup:

> This is a slick hack, aimed at flooding the mailbox of National
> Alliance's netcom account, but instead it will torture thousands of
> mailing list and news admins all over the globe. Someone... posted
> "From" listserv@netcom.com to a whole bunch of test groups... Machines
> all over the world will see this "test" message and attempt to respond
> to "the author" -- listserv@netcom.com. When netcom's listserver sees
> this reply, it will think that treborle@netcom.com has requested to be
> subscribed to over 900 [mailing list] groups, and flood his mailbox.
> Even if he removes himself from those lists, the auto-responses will
> flood in for weeks, and put him right back on.

See <http://www.panix.com/~lan/crusader/index.html> for the whole sad story.

II. List hoovering by iaf.net

This next item isn't proof of list hijacking, but it sounds to me like en-
abling technology on a massive scale for wannabe hijackers.

Beginning some time in November an organization called Innovative Insights
(Alpharetta, GA) sent a robot to many list servers on the Net asking each
to divulge the membership of each of its lists. I first heard about the
trolling from Scott Lawrence <lawrence at world dot std dot com> on Nov. 20. Scott
got no response to his email inquiries to the postmaster at iaf.net. On
Nov. 29 Chuq Von Rospach <chuqui at plaidworks dot com> posted a heads-up about
iaf.net's robot's activities to the newsgroup comp.mail.list-admin.policy
and quoted the response he had received from Dwight Merriman at iaf.net:

> robot1@iaf.net is an automated agent that is gathering addresses
> from various sources including publicly-accessible mailing lists.
> The information will be used in a white pages directory through which
> one can look up individuals by name; this query will -not- result in
> the sending of junk e-mail.

Chuq poured concentrated scorn on this last claim, deserved IMO, because
whether or not iaf.net features junk email in their business plan, its
intended users will most certainly spam. Chuq's posting garnered only
one response that I saw, to the tune of "Chill, man, the spam is much
worse on Usenet." (So, this makes mass email spam acceptable?) Scott in-
forms me that as of a few days ago a followup message to the robot re-
turned with "No such user." Dare we hope that Innovative Insights has
reconsidered its business plan? More likely they've just finished the

The state of Usenet spam

Things have been developing rapidly in the field of spam countertactics.
The entity known as Cancelmoose[tm] <moose at cm dot org>, <http://www.cm.org/>,
who started out by issuing cancel messages against the spams of Cantor &
Siegel through an anonymous remailer (see TBTF for 1995-04-07, 0001.html in
the archive), has now proposed a systematic antispam mechanism. Called
NoCeM (pronounced "no-see-um," the same as the ubiquitous Maine spring
flies), the system allows anyone to police for spam and anyone to heed
the spam warnings of whomever s/he likes. NoCeM actions are coordinated
through the newsgroup alt.nocem.misc, to which a robot called AutoMoose
posts periodic notices of candidates for NoCeM sanction (but does not
issue the sanctions nor cancel the messages). AutoMoose runs hourly, or
more often if a major spam is in progress.

Chris Lewis <clewis at ferret dot ocunix dot on dot ca> runs an automated antispam pro-
cess that cancels messages posted numerous times or excessively cross-
posted. His summary message of Dec. 4 lists 3717 messages cancelled in
the period since Nov. 7 -- about 45 MB worth of material. The posting
addresses are listed, and sources with names like marketing@money.com
and the National Dating Service are all too common. How many of them
got their start by reading Cantor & Siegel's book?

Both Cancelmoose[tm] and Lewis use PGP-signed messages to guarantee au-
thenticatable integrity.

House Conferees Approve Sweeping Net Censorship

>>From Center for Democracy and Technology (1995-12-05):

> By a razor thin margin, members of the House Conference Committee on
> Telecommunications Reform have approved a broad proposal to censor
> constitutionally protected speech on the Internet. The provisions
> adopted today would make the Internet and Interactive media the most
> heavily regulated medium in the United States... The proposal, if
> agreed to by the full conference committee, would impose $100,000
> fines and prison terms for anyone who posts any "indecent" material
> in a public forum, including the "7 dirty words", the text of classic
> works of fiction such as The Catcher In The Rye, or Ulysses, artwork
> containing images of nudes, or rap lyrics.

Threads Scientology's war against the Net
See also TBTF for
1997-11-17, 1996-01-22, 1995-12-18, 12-10, 12-06, 08-21
>>From the Weekly Recap (1995-12-03):

> In a closely-watched case, the U.S. District Court for the
> Northern District of California has ruled that Netcom On-Line
> Communication Services is not liable for direct infringement or
> vicarious liability in a copyright infringement suit brought by the
> Church of Scientology. Netcom provided the Internet access which
> enabled Tom Klemesrud, the operator of a Bulletin Board Service
> to link a Usenet newsgroup to the Internet. Near-verbatim copies
> of the Church's materials were posted on the Usenet group
> alt.religion.scientology by Dennis Erlich, a former minister
> critical of the Church.


>>CDT: Visit the net-censorship issues page, <http://www.cdt.org/cda.html>.

>>Weekly Recap -- mail majordomo@case.wsgr.com without subject
> and with message: subscribe multimedia-list .

TBTF alerts you twice a week to bellwethers in computer and communications
technology, with special attention to commerce on the Internet. See the
archive at <http://www.tbtf.com/>. To subscribe send the
message "subscribe" to tbtf-request@world.std.com. Commercial use prohib-
ited. For non-commercial purposes please forward and post as you see fit.
Keith Dawson dawson dot tbtf at gmail dot com dawson@atria.com
Layer of ash separates morning and evening milk.


Copyright © 1994-2017 by Keith Dawson. Commercial use prohibited. May be excerpted, mailed, posted, or linked for non-commercial purposes.