WAIAH.org - Webmasters Against Ignorant Abuse Hotlines
Please, no more angry mails to webmaster@muenchner-freiheit.net

We simply have the bad luck that the service e-mail addresses listed on our webcam pages are stolen by virus-infested machines when they visit, and are then used against us.

The fact is that the majority of access providers, through sheer lethargy, prevent our notices from reaching the owners of infected computers in time. Junk mail arriving by the minute then cripples hundreds of victims for days.

WAIAH is a self-help project of affected webmasters. Using detective methods, it tracks down the usually unsuspecting culprit directly, in order to politely point out the 250,000 e-mails a day he is dumping on us.


Computer worms

Computer worms harvest e-mail addresses from various places on an infected computer and maintain them as a mailing list:

  • address book
  • browser cache
  • About dialogs of installed programs
  • etc.

From this list the worm picks two addresses at random, puts one into From: and the other into To:, attaches a copy of its own code, and sends the message. It repeats this for as long as the computer is switched on, even if nobody is logged in.

With an outbound data rate of 56 or 64 kbps (modem or ISDN), a carefully designed worm with a built-in multi-threaded SMTP client can blow out an enormous number of infected e-mails a day; with a symmetric DSL or T1 uplink it could be millions. (The figure of 250,000 a day used on this page deserves a sanity check: 64 kbps is roughly 690 MB per day, so 250,000 messages would have to average under 3 KB each, whereas a worm that attaches a copy of itself of a few tens of KB is limited to something like 10,000 to 20,000 a day on such a line. The point stands either way: one infected dial-up machine produces far more mail than its victims can cope with.)

Typical cycle times are around five minutes. In other words: a given target on the list, which may be you, the next person, or justin@nullsoft.com, receives another infected e-mail, each time with a different From: address, every five minutes.

Primary problem - stuffed mailboxes

Contact or service addresses are commonplace on every website:

  • info@yourdomain.com
  • sales@yourdomain.com
  • webmaster@yourdomain.com
  • you name it

Whenever somebody loads one of your web pages, the page and everything it references are stored in the visitor's local browser cache, which lives on the hard disk of his (possibly infected) computer.

That cache therefore contains every reference found on your web page:

  • images
  • links (URLs)
  • CGI scripts
  • e-mail addresses (mailto: links as well as addresses in plain text)

Because the worm scans the browser cache regularly, it does not take long until every e-mail address on your web pages has been added to the worm's list and starts being cycled through: welcome to the club.

To be clear: you, or rather your computer, has not been infected by the worm at all.

But the worm has now stolen your service addresses and is using them as a weapon against your mailbox, as well as against the mailboxes of hundreds of other victims like you.

As a club member you suffer two major disadvantages:

  • every one of your service mailboxes receives one infected e-mail every five minutes,
    i.e. 12 junk mails per hour per service mailbox, which have to be removed by hand
  • your service addresses are abused as From: addresses to pester all the other victims on the worm's list

Many short-sighted abuse hotline operators recommend that you install some kind of filter to discard all mail coming from the infected computer. That may work for an offender with a fixed IP address, but it is no solution at all for offenders with dynamic IPs, which are the norm for dial-in and ADSL access. Such addresses change at least every 24 hours and usually much more often: whenever the computer disconnects from and reconnects to the internet. As soon as the offender re-opens his line his computer gets a new identity, your filter now blocks the wrong IP, and the flood continues. Filtering on the From: address does not help either, since the worm rotates through its entire list.

Net result: as the maintainer of a company's service mailboxes you get close to 300 unnecessary alerts per day (one every five minutes), multiplied by the number of service mailboxes, multiplied by the number of infected offenders.

You quickly end up cleaning out thousands of junk e-mails, over and over, all day long, and can do nothing else. It makes you scream.

Secondary problem - bounces

Whereas mailboxes stuffed with junk and viruses are annoying and cost you time, the implications of being abused as the apparent originator are much more subtle. The trouble with bounces is that abuse hotlines never understand what your problem is. To these experienced sysops, computer-illiterate users who have turned off the display of the Received: headers simply do not exist. In the real world, 99% of computer users have the Received: headers hidden; all they see is the From: header, followed by your e-mail address.

Various types of bounces are outlined in the following scenarios:

Scenario 1:

One of your customers might be just one among many victims. Some others on the list happen to be suppliers of that customer. Now the customer argues that if his suppliers are bothered with virus mails that appear to come from his domain, his reputation is at stake, at least with computer-illiterate recipients who have turned off the display of the Received: headers.

Scenario 2:

The infected e-mail with your address in the From: header runs into an over-quota mailbox. Since the forged address is the only return path the message carries (the infected machine's IP number is not an e-mail address), the over-quota notice is sent back to you instead of to the real originator. Result: another junk e-mail in your service mailbox, which cannot be filtered.

More serious is that, in the eyes of the victim, it is you who first polluted and then disabled his mailbox. Be prepared for very angry messages from the victims.

Scenario 3:

The infected e-mail with your address in the From: header runs straight into a mail-server-based virus scanner. Again the forged address is the only return path, so the scanner alerts you instead of the real originator. Result: another junk e-mail in your service mailbox, which cannot be filtered.

Some ISPs argue that it is bad practice to configure virus scanners to alert the sender.

That is only half true. In a world without worms, where From: headers are genuine and not forged, alerting the sender is certainly better than silently destroying his message. While the worms described here are roaming, however, the sender address is forged by design, and every such alert is one more bounce into an innocent third party's mailbox. The practical compromise is to reject an infected message during the SMTP transaction itself (a 5xx reply after DATA), so that only the machine that actually connected gets told and nothing is mailed to the forged From: address.

Scenario 4:

The infected e-mail with your address in the From: header triggers an out-of-office reply. Again the forged address is the only return path, so the auto-responder sends its message to you instead of to the real originator. Result: another junk e-mail in your service mailbox, which cannot be filtered.

Third problem - protection of privacy

From the (usually hidden) Received: headers of a message you can quickly find the name and IP address of the offending computer. Querying the public whois server of the responsible regional Internet registry tells you which organization is responsible for the offender's IP number:

  • whois.apnic.net (Asian Pacific)
  • whois.arin.net (Americas)
  • whois.ripe.net (Europe/Africa)

It is the computer's name that lets you track an offender even if he regularly changes his IP address. Computer names are typically first names, surnames, or geographical indications like office. Occasionally a computer's name is something like fvewh79Govh. The name is whatever the infected machine announced in its HELO greeting to your mail server; it is self-reported, so treat it as a clue rather than as proof.

For most organizations you can even find an e-mail address like sysop@company.com, or a sysop telephone number. If a commercial company is bothering you, just forward the Received: header that your own mail server added (the one naming the connecting machine), add a few polite words, and you are done. Large or small organization, the sysop will care; you can almost rely on that. Within minutes the problem will be gone.

If the offender is a private person, or a small company on single-IP DSL, you have to rely on their access provider. Since you know the computer name, the IP number, and the exact date and time at which the offender held that IP number, you may be tempted to ring up the provider and ask for the customer's e-mail address or phone number, so that you can politely make him aware of the problem with his computer.

Negative report: you will not get contact details. The offender's privacy is protected by law. Even if the offender's ISP were a good friend of yours, he would not be allowed to hand out contact information. The provider will refer you to its abuse hotline, typically abuse@provider.com, which typically cannot be reached by telephone. That makes sense, as reading mail headers out loud over the phone is definitely not a good idea.

Fourth problem - ignorant abuse hotlines

So you roll up your sleeves and put together all the relevant information you have about the incident:

  • name of computer
  • IP number (or numbers)
  • exact time (or times), including the time zone
  • possibly the number of other victims (not the address list itself)

Do not include attachments; cut and paste the information instead. Many abuse hotlines are not allowed to open attachments for security reasons, which sounds reasonable. Then send it to abuse@provider.com, where provider.com is the offender's ISP, not yours.

Only a few minutes later an automated response drops in saying that your message has been received. There may be a ticket number for tracking the incident later. Quite often a few polite recommendations are added, e.g. that you should get an anti-virus package to scan your computer. Not helpful in your case.

In very rare cases you will notice after a while that the offending messages have stopped.

Much more typical is that even after many hours nothing happens. The next morning you first clean several hundred, or thousands, of infected e-mails out of your service mailboxes, plus about 25% bounces, plus 10 or 20 out-of-office replies, plus one or two hand-written messages like these authentic snippets:

Received: from BSHA1@aol.com by imo-m02.mx.aol.com (mail_out_v36_r1.1.) id s.f2.2fcfe9d5 (4418)
for <postmaster@ms2.muenchner-freiheit.net>; Thu, 21 Aug 2003 06:10:42 -0400 (EDT)

Dear Sir,
 
I have not sent any e mails to you, I do not know who you are
neither do I have you in my address book.
 
Regards
 
Sheila Downes

Unknown/Local ([?.?.?.?]) by whowhere.com (in02-mta1.whowhere.com [209.202.220.220])
by ms2.muenchner-freiheit.net (8.11.6/8.11.6) with SMTP id h823ElD29448
for <MAILER-DAEMON@ms2.muenchner-freiheit.net>; Tue, 2 Sep 2003 05:14:47 +0200

FUCK OFF PAL !!!

This guy means YOU! - Don't give guns to people like him...

And, not to forget, junk is still dropping in every five minutes. So you roll up your sleeves again and cut and paste new, current Received: headers (the IP has changed, and the hotline needs a fresh exact timestamp to trace the current user of the new IP). Then you send a reminder to abuse@provider.com, and wait.

In the afternoon, after hundreds or thousands of new junk e-mails, you decide that this was the last straw. Now you call the offender's provider by phone, work through the usual touch-tone dispatcher, and finally have a real person on the line.

You tell the operator the whole rigmarole again. Sure, the person is patient, helpful, and polite. But after waiting on the line for some minutes, interrupted by several »just a moment«, you are told that nobody is available at the moment and that you should send another e-mail complaint to abuse@provider.com. You object that you have already filed two complaints, but the operator regrets: »I'm so sorry«...

The next day, after hundreds or thousands of new junk e-mails, you call again. First you tell the operator that you have already wasted a few hours on this incident. Then you try to convince the operator that he or she only needs to look up in the company's RADIUS accounting logs which customer held that IP at that time, look up that customer's phone number in the customer database, call him, and tell him that there is a problem with his computer. Five minutes, and it would be done.

It is hopeless. If you still insist, you are connected to the so-called escalation department. Their recommendation: »go to the police and file a report against persons unknown«. That is their way of getting rid of you.

Employ the police or a lawyer?

Imagine telling a policeman what is going on. He will probably never understand what your problem is. »Turn off your computer« or »simply delete the excess e-mails« is what he will recommend. It takes quite a while to make him understand that an e-mail reservation for a table or a room has to be handled promptly, not just once a day. The same applies to error messages from an industrial plant, or from a far-reaching computer network.

As junk e-mails drop in every few minutes, the operator is forced to run over to the computer with every beep to check what is going on. He cannot even think of doing his actual job, demoralized by a hundred false alarms in the course of the day.

Vigilante justice - yes or no?

You still have quite a few options left:

Blocking offender's line with flood pings

Definitely not recommended, as this will tie up your own resources just as much, and will certainly rock the boat with your own provider.

Remotely switching off offender's computer

If the offender is not protected by a firewall, you could possibly use hacker tools to probe his computer. If the offender's computer is in a poor state, you may have a chance to simply switch it off regularly. If that succeeds you can breathe a sigh of relief and go back to your original work. But beware: you are a criminal now...

Forensic analysis of the offender's mailing list

It might be a good idea to collect all the e-mail addresses you are being flooded with. Again this is illegal, as you are not allowed to take note of them, even though they were sent to your own mailbox. The crucial point is that they were sent to you inadvertently.

Extract and sort them, then look for any correlation with the offending computer's name or location. The idea: if the virus collected e-mail addresses from various places on the infected computer, it quite possibly also grabbed addresses from the offender's e-mail client. If the offender regularly sends real e-mail from his infected computer, his e-mail client is configured with his real address. So it is quite possible that the owner's real e-mail address is on the list too.

Look at the names in the address list, e.g. what they tell you if you drop the first letter. Example: if the computer name is GEORGE and you find an address like gmadison@..... on the list, just enter George Madison into Google.
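The two steps just described, reading the connecting machine's name, IP number and timestamp out of the Received: header that your own mail server added (the third problem above), and then ranking the harvested From:/To: addresses against that machine name (the GEORGE / gmadison heuristic), as an added worked example in Python. This is the editor's illustration, not tooling from WAIAH.org; the mail server name ms2.example.net, the host GEORGE, and all addresses, IP numbers (RFC 5737 documentation ranges) and messages are constructed for the example.

```python
"""Added example: extract the offender's hop from worm mail and guess its owner.

Editor's illustration, not WAIAH.org's own code. OUR_MX, the host name
GEORGE, and every address, IP number and message below are constructed.
"""
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Assumed name of our own MX; only the Received: line it wrote is trusted.
OUR_MX = "ms2.example.net"

# sendmail/Postfix style: "from HELO (rdns [ip]) by OUR_MX ... ; date"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def originating_hop(raw_message):
    """Return (helo_name, ip, timestamp) from the Received: line our MX added.

    Every relay prepends its own Received: line, so the line saying "by OUR_MX"
    is the one we wrote ourselves and the only one we can trust. Worm mail is
    delivered straight from the infected machine to the victim's MX, so that
    hop is the offender. The HELO name is self-reported: a clue, not proof.
    """
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m and m.group("by").lower() == OUR_MX:
            stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
            return m.group("helo"), m.group("ip"), stamp
    return None


def harvested_addresses(raw_messages):
    """Distinct From:/To: addresses seen across the flood, with hit counts.

    Each worm mail carries two addresses drawn from the offender's list, so
    the union over enough messages approximates that list.
    """
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        pairs = getaddresses(msg.get_all("From", []) + msg.get_all("To", []))
        for _, addr in pairs:
            if "@" in addr:
                counts[addr.lower()] += 1
    return counts


def rank_owner_candidates(hostname, counts):
    """Score addresses against the machine name the way the text suggests.

    GEORGE vs gmadison@... (first letter of the local part matches the host
    name, the rest looks like a surname) scores 1; a local part containing the
    host name outright scores 3. Ties are broken by how often the address
    appeared. Returns candidate addresses, best first.
    """
    host = hostname.lower().split(".")[0]
    scored = []
    for addr, seen in counts.items():
        local = addr.split("@", 1)[0]
        score = 0
        if host and host in local:
            score += 3
        elif local[:1] == host[:1] and re.fullmatch(r"[a-z][a-z.]{3,}", local):
            score += 1
        if score:
            scored.append((score, seen, addr))
    scored.sort(reverse=True)
    return [addr for _, _, addr in scored]


def abuse_report(raw_messages):
    """The facts to paste (never attach) into a report to the offender's ISP."""
    hop = originating_hop(raw_messages[0])
    counts = harvested_addresses(raw_messages)
    if hop is None:
        return {"machine": None, "ip": None, "time": None,
                "victims": len(counts), "owner_candidates": []}
    helo, ip, stamp = hop
    return {"machine": helo, "ip": ip, "time": stamp, "victims": len(counts),
            "owner_candidates": rank_owner_candidates(helo, counts)}


# Constructed sample: three worm mails as they would land in the service
# mailboxes of example.net, all from the same infected machine "GEORGE".
SAMPLE_MAILS = [
    "Received: from GEORGE (dyn-17.access.example.org [198.51.100.17])\n"
    "\tby ms2.example.net (8.11.6/8.11.6) with SMTP id h823ElD29448\n"
    "\tfor <info@example.net>; Tue, 2 Sep 2003 05:14:47 +0200\n"
    "From: sales@example.net\nTo: info@example.net\n"
    "Subject: Re: Your application\n\nPlease see the attached file.\n",
    "Received: from GEORGE (dyn-17.access.example.org [198.51.100.17])\n"
    "\tby ms2.example.net (8.11.6/8.11.6) with SMTP id h823ElD29451\n"
    "\tfor <webmaster@example.net>; Tue, 2 Sep 2003 05:19:52 +0200\n"
    "From: gmadison@mail.example.org\nTo: webmaster@example.net\n"
    "Subject: Thank you!\n\nPlease see the attached file.\n",
    "Received: from GEORGE (dyn-17.access.example.org [198.51.100.17])\n"
    "\tby ms2.example.net (8.11.6/8.11.6) with SMTP id h823ElD29455\n"
    "\tfor <webmaster@example.net>; Tue, 2 Sep 2003 05:24:58 +0200\n"
    "From: george.madison@example.org\nTo: webmaster@example.net\n"
    "Subject: Details\n\nPlease see the attached file.\n",
]

if __name__ == "__main__":
    print(abuse_report(SAMPLE_MAILS))
```

Running it prints the machine name, IP number, timestamp, number of victims and the candidate owner addresses, which is exactly the set of facts the next section says to paste into the report to abuse@provider.com. The whois query for the IP against whois.ripe.net, whois.arin.net or whois.apnic.net is the one network step deliberately left out so that the example runs offline; and since the HELO name is chosen by the client, a match on it is a lead to verify by other means, not a conviction.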

A complementary tool is traceroute, which gives you a clue about the geographical area of the offender. Reconciling the results from Google and traceroute, you may well be able to find the offender's street address, phone number, or even a photo.

Send a polite e-mail with a subject along the lines of Good morning Mr. Madison - greetings from Munich. Do everything you can so that your subject line does not look like spam. Check that the Subject: is short enough for the important keywords to be fully displayed in a mail client's subject list. Take time for careful wording. Make him curious to read on, and then, a little further down, confront him with the sad truth.

Then you are done, either immediately or the next morning at the latest. If this still does not work, ring him up the next day. Be helpful and friendly: it is his provider's fault, not his.

Mass mailing into the offender's mailing list - WITHOUT disclosing the list

The main problem is: although you have the offender's IP number from the mail headers, its reverse DNS maps to the ISP's access-router port name rather than to the offender's machine or domain name. Not very helpful if you want to send him an e-mail about his problem.

If you need the offender's e-mail address, you could try a more aggressive strategy. The idea is the same as before: if the virus collected addresses from various places on the infected computer, it quite possibly grabbed addresses from the offender's mail client too, so the owner's real address is probably among them. If you send a polite mass mail to the entire address list with a subject like message to owner of RICHARD 66.120.44.3, you have a good chance of reaching him directly.

If you get no response from the offender himself, either openly by a written reply or anonymously by a sudden stop of the flood, you can at least benefit from a secondary effect: such messages entice other victims to come forward and join your fight, both against the as yet unknown, lethargic and unresponsive offender and against his already known, lethargic and unresponsive ISP.

Carefully analyze the mail headers of all bounces from your mass mailing. The offender's address list often contains the addresses of his colleagues at the same company. If one of them has left, that e-mail bounces back to you. From the headers you see the recipient's mail server and domain name. Compare this with the IP number of the offender's machine, and you may just have caught him red-handed.

It is the domain name you are looking for. Domain names are registered under real-world contacts. From the DNS and whois servers you can simply and legally get all you need to establish his identity, so you can contact him by e-mail or by other means, like phone or street address.

Contact him politely and make him aware of his problem. If the mail flood does not stop within an hour at the most, get your fellow sufferers involved to increase the pressure.

Mass mailing into the offender's mailing list - making the offender's street address and phone number, and a complete list of all victims, public

This should only be your last resort; use it with caution. Never do this without having announced it to the offender, or his ISP, a day or two beforehand. It is meant only for a totally unresponsive offender who has been contacted many times before and is still unwilling, or unable, to solve his problem. Maybe he has no clue about computers, or just has not paid the last bill of his IT service company...

This strategy succeeds in almost every case, as it hits the offender like a bomb: your fellow victims will pound the offender's telephone lines until somebody pulls the plug. Just lean back and wait. Before long you will be getting e-mails from grateful people praising you as a hero.

WARNING:

There is a considerable risk that someone on the list will report you to SpamCop. In particular, people who have been shielded from the virus flood by a mail filter, set up by a responsive system operator, are still bothered by quite a few bounces a day.

Unlike those without mail filters, who have resigned themselves to several hundred unwanted junk mails a day, a protected person's tolerance may be very low; even a single unwanted e-mail may be a nuisance to them. After many bounces from all corners of the earth, your well-meant but desperate message to the owner may just be the last straw that breaks the camel's back. Being on edge may temporarily reduce a person's intelligence.

Although you will be a hero among your fellow sufferers and may even have saved the day for this idiot, your computer will be blacklisted, i.e. refused by many mail servers around the world.

WAIAH.org is discussing the problem with SpamCop deputies. According to SpamCop's mechanics at the time of writing, a single complaint will not block your computer, but two will put you on the DNS blacklist. After 48 hours your IP is automatically removed again.

Until we find better solutions, pursuing some of our strategies may only be an option from a one-time, throw-away e-mail account. Which is bad, as being contacted repeatedly by an anonymous hunter makes the people at the offender's end shy away instead of cooperating and trusting you. WAIAH.org is keen to be a trusted and respected advocacy group for solving this kind of problem fast and reliably.

Statement by SpamCop - Sep 6, 2003 - by a SpamCop Deputy

I understand your reasoning and rationale and I do understand how viruses propagate. And I certainly understand your frustration with abuse desks that are understaffed and overwhelmed, and do not react as promptly as we would like. On the other hand, I have to say that if you mass mail all the purported victims of the virus, and one or more of them reports you, that is within the definition of UBE/spam. The definition is not about conTENT it is about conSENT. I cannot stop you from doing what you think best, but I can say that if other users of SpamCop report your emails, I will not tell them that they have done the wrong thing.

It is precise and unapologetic. Think about it, and decide for yourself whether you are willing to accept the risk.

Our demands

The problem is an epidemic, which causes increasing damage if it is not stamped out immediately.

Infection control laws are good examples of how to solve this kind of problem efficiently. The trouble is that such laws exist for human epidemics, or at most veterinary ones, not for computers.

Our demands are:

  • to require ISPs to reverse-delegate their IP numbers to the end users, i.e. to register the people or organizations actually using them. As long as the ISPs' abuse hotlines are unresponsive, identifying an ISP's access-router port as the offender does not help at all. Although, according to their own rules and regulations, entering IP delegations into their public databases is mandatory, organizations like ARIN, RIPE, or APNIC do not enforce it. This is the single major problem that precludes immediate identification of offenders.

  • to require the access ISP's abuse hotline to start verifying the allegation within 15 minutes and then to try to contact its customer immediately. Whether or not the offender has been reached, the abuse team member must then report back to the harassed person or organization.

    If nobody is available to switch off the computer within an hour, the offender's ISP should disable the offender's account until the offender reports his computer as disinfected.

  • to temporarily suspend an attacker's privacy while an attack disturbing hundreds of people is under way

Fri Sep 5 15:45 MEST - 2nd public version - ©Wolf Buchleitner, WAIAH.org

Last changed on 02.09.03 at 14:56 MEST
muenchner-freiheit.net GmbH & Co. KG
Münchner Freiheit 20 - 80802 München
vertrieb@muenchner-freiheit.net