BOTTOM LINE
Misguided attackers who subscribe their victims to numerous mailing lists are making life harder for users, list keepers, ISPs, and vendors.
by Joel Snyder
No one can terrorize a whole nation, unless we are all his accomplices. --Edward R. Murrow
I used to think of myself as a techie, one of those folks who toil in relative obscurity writing software until they retire to Montana where they spend their days fishing and reminiscing about how people used to think 200MHz computers were fast. Well, I learned I don't toil in relative obscurity. As a techie who has made the Internet part of my business, I am considered a political symbol. Earlier this year a young man used the Internet as a terrorist weapon and I was one of the targets. This is an excerpt from the e-mail message I received from firstname.lastname@example.org:
You've just been spammed very [expletive deleted] hard in retaliation for your behavior on the Internet. I have just subscribed you to 10,452 majordomo, listserv and BITNET mailing lists. By the time you get this, you should have 20,000+ messages in your email inbox, with about 1,500 additional messages per hour filling your inbox. I warned you, se7en
The attacker, I later learned, was not the owner of the account. He had cracked into it, much to the chagrin of the real "se7en" as well as dis.org's owners. He was able to send this message with such boldness because e-mail on the Internet is completely insecure. There are no assurances that people haven't been reading your e-mail. Internet e-mail also is unauthenticated, which means anyone can send messages pretending to be someone else. This forgery is so astonishingly easy that it's amazing that no one has come up with a way to prevent it.
Most mailing lists are managed by programs. When you send a message to a special address such as "email@example.com" and you put a precisely formatted command in the message, such as "subscribe junkmail," the mailing list program uses the return address in your message to figure out who you are and, voilà! You're on the list.
Imagine if someone collected e-mail addresses from mailing lists and subscribed those people to other mailing lists. Most mailing lists are relatively low volume--maybe one or two messages a day. Some mailing lists are high volume, with dozens or even hundreds of messages a day. But pick enough lists and you've got a pretty potent weapon--a terrorist weapon.
If this happened to you, you would probably receive a thousand messages or more every hour. If the attacker planned his attack for late night on a Friday, he would create maximum damage as people slept while their mailboxes filled up. This technique is a great weapon because you not only infuriate the folks you target, you clog up, slow down, and possibly stall access lines. Internet service providers (ISPs) can't cope with 20 or 30 thousand extra messages a day.
Once the mailboxes start to fill up, things get even worse. Mail starts bouncing back, and some mailing lists go into an infinite loop, forwarding bounced mail, which bounces back, and so on.
When the terrorist first hit earlier this year, people had been aware of the potential problem but hadn't really prepared themselves. Subsequently, mailing list managers were stunned into action. Many secured their mailing lists, requiring authentication and confirmation on any subscription request.
But many more mailing list managers continued on in blissful and insecure ignorance. Consequently, Internet writers, reporters from national magazines, and even radio personality Howard Stern and Spam King Jeff Slaton found megabytes of unwanted e-mail bogging down their machines.
Why did some unnamed elitist sociopath decide to clog the network airwaves? Let him speak for himself:
Why our actions in general? Too many people on the net do not belong. We remember the net back when there were only one thousand people on irc. We remember the net back when there were hundreds of newsgroups. We remember when we could connect to any site at any time and have no trouble transferring one or two files quickly. Too many companies are intent upon destroying the net and worrying only about their stuffed pockets. We are just one group helping to reclaim what used to be.
The net may not belong to us but we can safely say it is more ours than the capitalist pigs that are infesting it now. Like others, we are losing control of the net and want to take a last stab at revenge. Revenge may be childish and immature but it is damn fun and very rewarding.
Childish and immature is an understatement. He was also uninformed and misdirected. But terrorism has never been about rational thinking or thoughtful discourse. Like the Unabomber, the e-mail bomber rattles on in incoherent diatribe against people he thinks will tear the Internet from the intimate roots he remembers.
Our protagonist is engaged in hypocritical self-delusion. He rails against trends that are destroying the Net, yet he himself causes widespread destruction. He screams that the Net belongs to no one, yet he asserts control and imposes his own fascist vision of who can use it. He identifies profit-making companies as the enemy, yet attacks reporters and other hackers. He garnered some heavy media attention after his first e-mail bombing, and like a junkie, did it again to see if it showed up in the papers.
Defense of Hackers
Besides the annoyance caused to e-bomb recipients who are unable to receive e-mail for a few days, these acts of terror help spread the erroneous perception that hackers are evil and dangerous.
The complex and convoluted world of computers and the Net has always excited people, generally young people, to explore the boundaries of the system. The word "hacker" was first applied to people who pushed the limits of the technology, who developed clever ways of doing things or used computers in ways designers never imagined.
Many hackers--myself included--have stepped over the arbitrary line that the government has drawn separating legal from illegal. But that's not a requirement of hacking. It just happens to be a common side effect. For most hackers, the intent is not to vandalize, break laws, or terrorize. It's to learn and explore. This doesn't mean that hackers don't accidentally damage things. Even a completely benign hacker breaking no law can put a corporate security department into a tailspin as it tries to figure out what went wrong.
Hacking is embedded in the history and culture of computers and communications. People are naturally curious, and there is no better way to learn than by exploration and experience. There will always be hackers, and we have to learn to live with them and benefit from them.
But the e-mail bomber is not a hacker. He wasn't exploring or learning, and he wasn't even clever or original in his attacks.
Can anything be done? Possibly. This terrorist can't be stopped because the Internet has few barriers to the kind of attack he used. As Ehud Gavron, an ISP in Tucson, Ariz., and a victim of the e-mail bomber put it, "All he needs is his modem, an AOL disk, and his file of lists, and he's gonna do it again."
(Another form of terrorism that has surfaced recently is the bombardment of Web sites with requests that tie up the server, so that people trying to reach the site are denied access. Although server vendors are working on a cure for this type of attack, there currently is no adequate defense.)
There are ways to protect yourself from e-mail bombers. If you run a mailing list, make sure subscription requests are properly authenticated. That means either using automated tools built into your mailing list software or making sure that every subscription request is approved by a human being. People can easily see the patterns of a mail bomb, and fortunately some list administrators recognized my name among the forged names of the alleged new subscribers and didn't add me to their lists.
The best widely available mailing list software is Revised Listserv (pricing varies from $97 for 1 to 100 subscribers to $297 for 1,001 to 2,500 subscribers), marketed by L-Soft. Listserv has all of the features you would ever need to run a mailing list. Most important, Listserv lets mail-list managers automatically authenticate subscription requests. That way a list can be "open" (in the sense that you can subscribe and unsubscribe without waiting for someone to handle your request), yet still be secure because every subscription request must be acknowledged by the subscriber.
If you plan to support a mailing list, your best bet is to make sure it's run on a Listserv system. If your ISP doesn't have Listserv, there are several that offer mailing list services for a reasonable fee. You can see a list of them by looking for the "Internet Mailing List Providers" FAQ posted monthly to comp.mail.misc by Brian Edmonds.
Another popular mailing list package is Majordomo. It doesn't have all of the features of Listserv, but it's free, so lots of ISPs run it. If you're running a list on Majordomo (the current shipping version is 1.93), you should set the list to be "closed," which means the moderator must approve all subscriptions. If you don't like the overhead, either get out of the mailing list business or switch to Listserv. Or strike out into beta-test land and try Majordomo 1.94, which has a new authentication feature similar to Listserv's.
The antimailbomb software that's being developed to protect against these kinds of attacks is going to put mailing list managers squarely in the middle. Running a mailing list requires responsibility, and the ante just moved up a notch.
There are many other mailing list packages in addition to Majordomo and Listserv out there. If you're running a list on one of them, make sure it requires explicit authenticated confirmation of every subscription request, or that list subscriptions are handled through a moderator.
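The confirmation step described above, sketched as an added example (not code from this article, Listserv, or Majordomo): a subscribe request only triggers a challenge mailed to the claimed address, and the address joins the list only when that token comes back. The class, function names, secret, and 48-hour expiry are hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-list server-side secret
TOKEN_TTL = 48 * 3600              # assumption: confirmations expire after 48 hours


def _sign(list_name, address, issued):
    # Bind the token to the list, the claimed address, and the issue time.
    msg = f"{list_name}\n{address.lower()}\n{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


class ListManager:
    """Hypothetical list manager: a request alone never adds a subscriber."""

    def __init__(self, name):
        self.name = name
        self.subscribers = set()
        self.outbox = []           # (recipient, body) pairs that would be mailed

    def handle_subscribe(self, from_header, now=None):
        # The return address is unauthenticated, so treat it only as a claim:
        # mail one challenge to that address and do not subscribe it yet.
        issued = int(now if now is not None else time.time())
        token = f"{issued}.{_sign(self.name, from_header, issued)}"
        self.outbox.append((from_header.lower(),
                            f"To join {self.name}, reply with: confirm {token}"))
        return token

    def handle_confirm(self, from_header, token, now=None):
        # Only someone who can read mail at the address can echo the token.
        now = int(now if now is not None else time.time())
        try:
            issued_str, mac = token.split(".", 1)
            issued = int(issued_str)
        except ValueError:
            return False           # malformed token
        if issued > now or now - issued > TOKEN_TTL:
            return False           # future-dated or expired
        expected = _sign(self.name, from_header, issued)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False           # forged token or wrong address
        self.subscribers.add(from_header.lower())
        return True
```

A forged request still costs the claimed address one short confirmation message, so a list manager would also want to limit how many challenges go to the same address.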
When you practice safe and secure mailing list management, your subscribers will be happy customers.
Joel Snyder is a senior partner at Opus One, an Internet consulting company in Tucson, Ariz.
Reprinted from Internet World magazine Vol. 7 No. 12, (c) 1996 Mecklermedia Corporation. All rights reserved.