Automated Denial-of-Service Attack Using the U.S. Post Office

From voidspace.org.uk: In December 2002, the notorious “spam king” Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.

Ironic, definitely. But more interesting is the related paper by security researchers Simon Byers, Avi Rubin and Dave Kormann, who have demonstrated how to automate this attack.

If you type the following search string into Google — “request catalog name address city state zip” — you’ll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail.

Now that is frightening. See what we’ve wrought?

Advertisements