Automated Denial-of-Service Attack Using the U.S. Post Office

Interesting way of fighting spam, spans real world “Denial-of-postal-Service-attack” (From Crypto-Gram Newsletter)

In December 2002, the notorious “spam king” Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.

Using all the people of Slashdot might work to some degree, but as Bruce Schneier of the Crypto-Gram Newsletter writes in his newsletter – it gets really interesting when you automate the process of adding someones address to requests for catalogs etc.

If you type the following search string into Google — “request catalog name address city state zip” — you’ll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you’re a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone’s information on all 250,000 forms. You’ll have to do some parsing of the forms, but it’s not too difficult. (There are actually a few more problems to solve. For example, the search engines normally don’t return more than 1,000 actual hits per query.) When you’re done, voila! It’s Slashdot’s attack, fully automated and dutifully executed by the U.S. Postal Service.

Somehow I think spammers such as Alan Ralsky will be very careful about giving out their mailing addresses in the future.

3 thoughts on “Automated Denial-of-Service Attack Using the U.S. Post Office”

Comments are closed.

Scroll to Top