Tactical Net Abuse FAQ, v.1.2
Web Site: http://members.aol.com/macabrus/tacticalfaq.html
Text Only: ftp://members.aol.com/macabrus/tacticalfaq

The Tactical Net Abuse FAQ has been continuously posted in the public domain since July 24, 1997. It is posted bi-weekly to the newsgroups news.admin.net-abuse.misc, news.admin.net-abuse.email, news.admin.net-abuse.usenet, alt.kill.spammers, and alt.stop.spamming.

Additional net abuse pages maintained by this author:

Cyberpromo FAQ - http://members.aol.com/macabrus/cpfaq.html
AGIS/IEMMC FAQ - http://members.aol.com/macabrus/agisfaq.html
Rogue's Gallery of Net Abusers - ftp://members.aol.com/macabrus/roguesgallery
Net Abuse Links - http://members.aol.com/macabrus/netabuse.html
Net Abuse FAQs - http://members.aol.com/macabrus/faqs.html
Spam Fighting Utilities - http://members.aol.com/macabrus/utilities.html

__________________________

The purpose of this FAQ is to inform, and to provide corroboration for, persons, companies and organizations on the net who are victimized by one or more of the many abusive tactics used by advertisers and troublemakers to disrupt the Internet. It is not intended for the disruption of legitimate commerce and solicitation, nor is it intended to encourage censorship. It is, however, provided to assist those who wish to protect themselves from any one, or a combination, of these types of net abuse.

This FAQ contains an inventory and explanation of the tactics used by individuals, groups and companies that are generally accepted to be abusive to the Internet. This includes information on how chat rooms, newsgroups, websites and e-mail are abused as a means to an end. Many if not all of these tactics have been condemned by almost every reputable Internet service provider, and are often used as grounds for dismissal of rogue customers.

---TABLE OF CONTENTS---

1. Chat Abuse
   A. Scrolling
   B. Flooding
   C. Mass messaging
2. E-mail Abuse
   A. Using multiple registered domains
   B. Forging bogus domain names
   C. Bounce mailings off of third parties
   D. Forging bogus IP addresses
   E. Mail through third party
   F. Mailbombing
   G. Forgery
3. Newsgroup Abuse
   A. Excessive cross-posting
   B. Excessive multi-posting
   C. Forged headers
   D. Multiple domain names
   E. Cascading
   F. Rogue cancelling
   G. Misconfigured cancelling
   H. Flooding
   I. Binary bombing
   J. Control abuse
   K. Forged approvals
   L. Resurrector abuse
4. Web Abuse
   A. Pounding
   B. Search engine flooding
   C. Keyword flooding
   D. Persistent cookies
   E. Pop-up windows
5. Server Abuse
   A. Flooding

1. Chat Abuse

Abuse in Internet chat rooms usually involves methods that disrupt or eliminate conversation. The abusive methods used to this effect, all of which are generally frowned upon by most reputable Internet providers, are:

A. Scrolling

This technique involves repeatedly entering blank responses in rapid succession. It eliminates conversation by pushing previously written text off the screens of everyone involved, making written responses few and far between. This makes it nearly impossible for the chat room participants to take a coherent part in the discussion.

B. Flooding

Flooding is similar to scrolling, except that a word or short phrase is entered before each response is sent. This broken form of response proves just as disruptive to the chat participants.

C. Mass messaging

This is basically a method of spamming a chat room, and can be done manually or by automation. In the manual form, a person mass-messages everyone on a network to come to a specified channel, or to look at whatever else they may be advertising. In the automated form, a script periodically submits an advertisement during a discussion. Both waste resources and break up the conversations in progress, usually with something unrelated to the topic. It is essentially a real-time version of spamming newsgroups.

2. E-Mail Abuse

A. Using multiple registered domains

When spammers are blocked at the domain level by the sites they victimize, they commonly resort to this technique to evade filters. It results in at least one mass mailing getting through the recipient's blocks, which is usually enough to gain the offender the new clients it wants. The technique is also used by newsgroup spammers, to evade persons who are autocancelling any post from their domain. Over time this results in a very impressive number of domains accumulated by the offending companies. The most prolific domain keeper among the abusers is Erosnet, with well over 100 registered domains used to abuse newsgroups. Cyber Promotions, with 74 registered domains, holds the high number for e-mail.

B. Forging bogus domain names

This involves forging an invalid domain name into the headers in an effort to evade filters placed on the offender's true domain. It often has the effect of clogging the systems of the site it is sent to, when the mail is blocked and cannot be returned to a valid address. Except for (C), this technique causes the most damage to a mailing target.

C. Bounce mailings off of third parties

This technique involves bouncing e-mail off of an innocent third party, thereby making the e-mail look as if it came from that domain. It is highly probable, based on the results of the Prodigy v. Cyberpromo lawsuit, that this act constitutes trademark infringement. It is known to be used by spammers as an act of revenge, to smear their opponent and provoke a negative public response against them. The tactic has the potential to spur retribution against the innocent ISP, and in extreme circumstances can provoke an illegal Denial of Service attack against them, such as a mailbombing. If a bounced mailing is sent to a large enough number of people, the number of legitimate, non-attack complaints alone may overload the systems of the innocent service provider.
In total scope, the tactic of bouncing e-mail has the definite potential to damage or destroy the reputation of the third party. A textbook example of this technique in action was when Yuri Rutman framed joes.com after he lost his account there, virtually wiping joes.com off the face of the net through the retribution he provoked.

D. Forging bogus IP addresses

This method involves forging the IP address from which mail was sent, in an attempt to make it unblockable by that method. It involves using IP addresses that cannot physically exist, such as 212.959.100.011.

E. Mail through third party

Among the most common spamming tactics on the Internet, using a third-party provider to evade e-mail blocking is now a regular practice. It involves spammers purchasing throwaway accounts at third-party service providers so as to get a single bulk mailing past the blocks of other companies. Most of the time this is all that is necessary to net a bulk e-mailer a new batch of clients. It is done with the full knowledge that the account will violate the Terms of Service of the provider being used, and that the account will cease to exist in short order. Because the purpose of the account was simply to exist for a one-time mailing, the spammer's goals are already accomplished by the time the account is revoked. Until heavy penalization of first-time unsolicited mass mailing becomes commonplace on the Internet, this practice is likely to continue.

F. Mailbombing

A potentially illegal method of net abuse, mailbombing is among the most commonly used forms of revenge on the Internet. It involves sending a large number of mails to the same address in a very short time frame, filling the victim's mailbox and making it impossible for other mail to reach the recipient. Because it makes e-mail unusable for the recipient, this is a Denial of Service attack, which is against United States law.

If done to an entire domain, this has the effect of overloading the domain's mail servers, forcing them to slow down under the weight of the traffic or forcing the operators to take their servers down altogether. The most massive mailbombing in Internet history was done by Cyber Promotions against Netcom, forcing this large service provider to take its mail servers offline.

G. Forgery

This most direct method of tactical e-mail abuse involves outright forgery of the identity of the sender, often in concert with one or several of the tactics identified above. Often this takes the form of an invalid address, to make it difficult to track down the offending sender and take disciplinary action against them. In the case of online services, the domain of the online service being sent to is forged into the headers, making it difficult for the online service to block the forgeries without also blocking e-mail from legitimate mailing list servers to their subscribers. As a revenge tactic, forgery is used to impersonate an innocent party, and when used in addition to mailbombing or other excessive mailing it can provoke a large negative reaction towards the party who was framed.

3. Newsgroup Abuse

A. Excessive cross-posting

This is among the earliest and most abusive tactics used on Usenet. It involves sending a single post to a large, sometimes immense, number of newsgroups at once. Usually the list of newsgroups contains several if not many groups that are irrelevant to the topic of the post. Mass marketers often use this technique to advertise to the Internet, most particularly marketers in the sex-related industries. It is also commonly used by trolls as a means to start an eternal argument between many kinds of newsgroups. Some fanatical free speech advocates use it purposely to disrupt newsgroups. This net abuse technique was one of the first on the Internet commonly labeled as "spamming."
Excessive cross-posting is often referred to by its initials, ECP. Because this method of posting takes up an excessive amount of an Internet service provider's bandwidth, such posts are cancelled whenever possible. If a crosspost has a calculated BI over 20, it is generally cancelled. For a guide to established spam thresholds, see the web site at http://www.math.uiuc.edu/~tskirvin/home/spam.html.

B. Excessive multi-posting

A sneakier technique than excessive cross-posting is excessive multi-posting, to which the Breidbart Index (BI) also applies. This tactic involves posting an article individually to a great number of groups, instead of making a single post to a long list of newsgroups. What would have been a single article posted to many groups becomes a series of individual articles, abusing bandwidth much more than a simple crosspost would have. The tactic is most often used by mass marketers in an effort to evade detection for a longer period than with ECP, and to make their posts more difficult to cancel. It is also used on occasion by trolls wishing to achieve the same ends.

* Message split, to be continued *
--- ifmail v.2.10-tx8.3.lwz
 * Origin: University of Tennessee (1:340/13@fidonet)

ALT.2600 (1:340/26)
ALT.2600 - Msg : 1315 of 1359
From : Hawaiian Heat   1:340/13   18 Sep 97 14:53:40
To   : All                        18 Sep 97 21:34:58
Subj : [part 2] Tactical Net Abuse FAQ (fwd)
From: Hawaiian Heat
* Continuation 1 of a split message *

Like ECP, this tactic is largely used by mass marketers in sex-related industries, such as 1-800 number sites, web sites, etc. As a result, the alt.sex.* hierarchy has been rendered about 95% useless, because the regular users have been driven away from the newsgroups by unrelenting off-topic posting abuse by advertisers.
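The Breidbart Index referred to above, as a worked example added here (it is not code from the FAQ): the BI of a set of substantively identical articles is the sum, over every copy, of the square root of the number of newsgroups that copy went to, which is why nine separate copies to 25 groups each score far above one crosspost to the same 225 groups. The cancel threshold of 20 is the one the FAQ quotes; the sample posts and group names are constructed.

```python
"""Breidbart Index (BI) scoring for substantively identical Usenet articles.
BI = sum over every copy of sqrt(number of newsgroups that copy was posted to).
Added example; the threshold of 20 is the one quoted in this FAQ."""
import math
from collections import defaultdict

CANCEL_THRESHOLD = 20  # a BI over 20 is generally cancelled


def breidbart_index(groups_per_copy):
    """groups_per_copy: one integer per copy, the groups that copy was crossposted to."""
    return sum(math.sqrt(n) for n in groups_per_copy)


def normalise(body):
    """Collapse whitespace and case so cosmetically varied copies still count as one article."""
    return " ".join(body.split()).lower()


def newsgroup_count(newsgroups_header):
    """Number of distinct groups named in a Newsgroups: header."""
    return len({g.strip() for g in newsgroups_header.split(",") if g.strip()})


def score_articles(articles):
    """articles: iterable of (body, newsgroups_header) pairs.
    Returns {normalised body: BI}, with all copies of the same text combined."""
    copies = defaultdict(list)
    for body, newsgroups in articles:
        copies[normalise(body)].append(newsgroup_count(newsgroups))
    return {key: breidbart_index(counts) for key, counts in copies.items()}


def exceeds_threshold(bi, threshold=CANCEL_THRESHOLD):
    """True when a spam canceller would act on this BI."""
    return bi > threshold


# Constructed sample posts (not real articles); the group names are placeholders.
AD = "CALL NOW!!! 1-800-EXAMPLE for the hottest pics on the net"
# ECP: one crosspost to 225 groups.
ECP_ARTICLES = [(AD, ",".join(f"alt.example{i}" for i in range(225)))]
# EMP: nine separate copies of the same ad, 25 groups each (same 225 groups in total).
EMP_ARTICLES = [(AD, ",".join(f"alt.example{i}" for i in range(25 * j, 25 * j + 25)))
                for j in range(9)]
# An ordinary post to two related groups.
NORMAL_ARTICLES = [("Question about my newsreader config", "comp.example,comp.example.misc")]


def demo():
    """Return (ECP BI, EMP BI) for the same ad reaching the same 225 groups."""
    ecp_bi = score_articles(ECP_ARTICLES)[normalise(AD)]  # sqrt(225) = 15.0, under the threshold
    emp_bi = score_articles(EMP_ARTICLES)[normalise(AD)]  # 9 * sqrt(25) = 45.0, cancelled
    return ecp_bi, emp_bi


if __name__ == "__main__":
    e, m = demo()
    print(f"ECP BI={e:.1f} cancel={exceeds_threshold(e)}; "
          f"EMP BI={m:.1f} cancel={exceeds_threshold(m)}")
```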
Many other areas of alt.* and biz.* (a business hierarchy) have been rendered largely dead because of this and ECP, where posts have been issued faster and in greater quantity than spam cancellers have been able to keep up with. Spammers such as Erosnet have probably had full knowledge that they were driving legitimate users off of newsgroups, and may have done so intentionally to gain a free advertising forum. If enough advertisers are doing ECP/EMP in a certain newsgroup, the effect is the same as if an individual user were flooding the newsgroup with posts.

The destruction of many previously vital newsgroups has led to current efforts to revitalize the biz.* hierarchy through moderation, and to create the new, entirely moderated mod.* hierarchy to offer a viable spam-free alternative to alt.*. In fact, ECP and EMP (as excessive multi-posting is known) are primarily responsible for sizable movements favoring increased moderation in alt.* and the Big 8 (humanities.*, soc.*, news.*, sci.*, talk.*, comp.*, rec.*, and misc.*) newsgroups. For more information about the upcoming mod.* hierarchy, visit the website at http://www.uiuc.edu/ph/www/tskirvin/manif.html.

C. Forged headers

In efforts to avoid detection and having their accounts revoked, spammers have often resorted to forging headers to confuse those attempting to take action against them. Trolls and amateurs often forge the "From" header alone, using an entirely fake address or making it appear as if the post came from someplace other than its true origin. This technique has increasingly come into use as a revenge tactic, whereby an aggrieved person posts an excessive and/or offensive post in an effort to frame their opponent and spur retaliation against them. It is also used for e-mail abuse. This dangerous tactic often enough results in damaging or destroying the reputation of a person or company, because most Usenet users don't know how to tell if a header is forged.
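An added example (not from the FAQ) of the header sanity check a reader can apply to a suspicious article: it compares the host in the Message-ID with the domain of the From address, and also flags an NNTP-Posting-Host that cannot be a real IPv4 address (the impossible 212.959.100.011 from the e-mail section). The sample articles, hosts and addresses are constructed, and the two-label domain comparison is a heuristic, not a rule from the FAQ.

```python
"""Sanity checks on Usenet article headers: does the Message-ID host agree with
the From domain, and is the NNTP-Posting-Host a possible IPv4 address?
Added example with constructed articles; nothing here is a real post."""
import re
from email.parser import HeaderParser   # article headers share RFC 822 syntax with mail
from email.utils import parseaddr

# Constructed sample articles (not real posts).
PLAUSIBLE = """\
Path: news.example.com!not-for-mail
From: alice@example.com (Alice)
Newsgroups: news.admin.net-abuse.misc
Subject: test
Message-ID: <19970918.1@news.example.com>
NNTP-Posting-Host: 192.0.2.10

body
"""

SUSPECT = """\
Path: news.elsewhere.example!not-for-mail
From: victim@example.org
Newsgroups: alt.test
Subject: framed
Message-ID: <19970918.2@news.elsewhere.example>
NNTP-Posting-Host: 212.959.100.011

body
"""


def registered_part(host, labels=2):
    """Heuristic: keep only the last two DNS labels ('news.example.com' -> 'example.com')."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-labels:])


def from_domain(msg):
    """Domain of the address in the From: header, or '' if there is none."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def message_id_host(msg):
    """Host part of <local@host> in the Message-ID: header, or ''."""
    m = re.search(r"<[^@>]+@([^>]+)>", msg.get("Message-ID", ""))
    return m.group(1).lower() if m else ""


def valid_ipv4(text):
    """True only for four decimal octets each in 0..255 (212.959.100.011 fails on 959)."""
    octets = text.strip().split(".")
    return len(octets) == 4 and all(o.isdigit() and 0 <= int(o) <= 255 for o in octets)


def check_article(raw):
    """Return a list of findings; an empty list means nothing looked forged."""
    msg = HeaderParser().parsestr(raw)
    findings = []
    fd, mh = from_domain(msg), message_id_host(msg)
    if fd and mh and registered_part(fd) != registered_part(mh):
        findings.append(f"From domain {fd} differs from Message-ID host {mh}")
    host = msg.get("NNTP-Posting-Host", "").strip()
    if host and re.fullmatch(r"[\d.]+", host) and not valid_ipv4(host):
        findings.append(f"impossible IPv4 address in NNTP-Posting-Host: {host}")
    return findings


if __name__ == "__main__":
    for name, article in (("plausible", PLAUSIBLE), ("suspect", SUSPECT)):
        print(name, check_article(article) or ["no findings"])
```

A mismatch is a reason to look harder at the Path header and to complain to the site named in the Message-ID rather than the one in the From address, not proof by itself.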
If the message identification indicates a different point of origin than the address listed in the "From" header of a suspicious post, it is more than likely a malevolent forgery. More sophisticated forgers tinker with other parts of the header, such as the "Path" header. By entering a partial path line before sending the post, an author can make it appear as if it came from another site. This tactic is difficult, but not necessarily impossible, to detect. By forging headers, an abuser can misdirect their opponents into complaining to the wrong service provider, so that it takes longer and more effort to track the spammer down and disconnect them.

D. Multiple domain names

Erosnet, noticing how effective cancelbots were against their advertisements, pioneered this technique of tactical newsgroup abuse to force their messages into whatever newsgroups they wanted. It involves registering an immense number of domain names, shifting from one to another once spam cancellers realize who a domain name belongs to. This ends up costing the spammer a sizable amount of money, assuming the spammer wishes to keep the domain names; often they are throwaway names that are never paid for. The end result is a running battle between the spammer and the canceller.

E. Cascading

Cascading, unlike other forms of newsgroup abuse, is done most often as a form of entertainment and not as advertising or attack. It involves a series of posts, usually from a group of posters, designed to create an artistic text rendition of a post and its responses. Such threads can end up looking something like this:

netcop.
>netcop.
>>netcop.
>>>netcop.
>>>>netcop.
>>>>>netcop.
>>>>netcop.
>>>netcop.
>>netcop.
>netcop.
netcop.

Because cascades often consist mostly of repeated text, they can result in an unnecessary waste of bandwidth that, together with other forms of abuse, burdens a service provider.
As a result, these posts must be cancelled just like every other form of substantively identical posts in massive numbers. Because spam cancelling is not content-based but based on the physical posting structure and/or pattern, cascading, however deliberate, cannot be excepted, or else cancelling becomes content-based. A suitable way to solve this problem involves using suffixes of differing text after the cascade words or phrases, or using multiple words/phrases in and of themselves. This net-friendly technique is now used in the group alt.fan.karl-malden.nose.

F. Rogue cancelling

This tactic is used primarily by an aggrieved person in an effort to silence their opponent or opponents in newsgroups. It involves forging the victim's name into a control message cancelling their post or posts, making it appear that the control message was sent by that person. Rogue cancelling is done entirely on the basis of content, unlike spam cancelling, which is meant to clean up excessive amounts of identical posts that hinder the operation of Usenet, such as ECP and EMP. Several newsgroups have fallen under repeated attack of this kind by opponents determined to silence the posters on those groups. This has resulted in the creation of software robots which resurrect all posts that are cancelled, so the group cannot be silenced. Two of these are known to exist. A software robot known as Lazarus responds if the group alt.religion.scientology is attacked, while Dave the Resurrector is run on a full-time basis for the news.admin.net-abuse.* hierarchy and news.groups. Because of the nature of Dave's programming, legitimate post cancels are not possible, unless they involve spam sent to the newsgroups or someone specifically requests owner Chris Lewis to honor their cancels. The fact that legitimate cancels are usually not possible is seen by the consensus of group users as a small price to pay for groups that fall under cancel attack an average of once every two months.

G. Misconfigured cancelling

This technique is often used by rogue cancellers, by accident as well as on purpose. It involves sending a cancel message without using the commonly accepted protocols, resulting in irregular cancelling of the post across the Internet. If used often enough, it forces administrators not to honor cancels at all, because too many of the messages are deemed untrustworthy.

H. Flooding

Also known as spew, flooding is likewise used by a newsgroup opponent to attempt to silence a newsgroup. It involves posting a huge number of articles, often substantively identical, to create so much noise in a group that it becomes impossible for the group's users to pick out legitimate posts from the massive number of articles. The tactic is also used by persons attempting a hostile takeover of a newsgroup, flooding it until they are certain all of the group's users have been driven off. Another side effect of newsgroup flooding is that legitimate posts end up having a greatly decreased expiration time, because the sheer number of posts forces them off the news spool.

I. Binary bombing

Among the most disruptive and destructive methods of tactical net abuse is the fairly recently invented technique of binary bombing. It involves a rogue person or entity flooding a newsgroup that disallows binaries with binary posts. Among other things, this consumes much bandwidth, in addition to disrupting the normal flow of newsgroup threads. It also encourages persons new to the group to believe it is permissible to post binaries there, causing further disruption.

J. Control abuse

Used by more determined rogues, this involves posting false messages to the control newsgroups used by administrators to configure their Usenet feeds.
One way of doing this is newgrouping large numbers of groups, flooding a newsgroup hierarchy and wasting bandwidth with bogus or joke newsgroups, groups whose titles are designed to assemble into a form of text-based art, or groups specifically intended to slander another person. Another way is to post false rmgroup messages, whereby an aggrieved newsgroup opponent attempts to silence the forum by destroying it. This can often end up in a newgroup/rmgroup war between the opponent and the readers of the newsgroup. It is because of control abuse that a great many sites no longer honor rmgroup messages for groups in the alt.* hierarchy.

K. Forged approvals

A technique often used by overzealous free speech advocates, this involves forging a header that fakes moderator approval of a post to a moderated newsgroup. Once the moderator approval mechanism is bypassed, the rogue poster can disrupt or flood the newsgroup with as many messages as they want, defeating the entire purpose of the newsgroup's format. This forces the moderator to cancel the messages and minimize the disruption as much as possible.

L. Resurrector abuse

Rarely seen in practice, this form of tactical abuse exists more within the realm of theoretical possibility. It is conceivable that a rogue canceller, within a group or hierarchy they know is overseen by a robot reposter that reposts all cancelled messages, could use the robot to their advantage to disrupt the newsgroup. The offender can cancel groups of messages, or even cancel their own messages, to force duplication of threads on a topic, deliberately disrupting the normal flow of newsgroup conversation. From time to time an aggrieved poster may also cancel their own posts, knowing full well that the robot will resurrect them, as part of a philosophical vendetta against the robot's existence, or to attempt to prove that the newsgroup is violating an RFC or its own rules by having the resurrector present.

This results in three posts instead of one on the newsfeed (the original post, a cancel message and the repost), an unnecessary waste of bandwidth.

4. Web Abuse

A. Pounding

Whether done manually or with specialized software, this is the most direct means of disrupting the operation of a website. When done manually, it involves continually refreshing the web page in a browser, forcing the page's service provider to continually waste time and resources reloading the page's content. When done with software, the software sends multiple simultaneous hits to a website, causing the page's web server to overload at a much faster rate. By "pounding" a web page long enough, the website can be taken down by overloading its web server with too many hits.

B. Search engine flooding

Coming into increased use, the tactic of flooding a search engine is an indirect but occasionally effective means of web abuse. It involves entering one's website a sizable number of times into an Internet search engine, so that when someone using the engine inquires about a certain subject or reference, the search engine comes up with multiple entries for the same website. This tactic is easy bait for overzealous advertisers and egomaniacs. It has the effect of flooding the search engine, making it harder to find others' websites amongst all of the multiple entries.

C. Keyword flooding

In basic reality, this is another form of search engine abuse.
It involves a website purposely publishing a set of specific keywords within itself and entering those keywords into a search engine. Quite often these keywords have no direct relation or relevance to the content of the site. The effect is that this site, and any multiple entries of it, is constantly found when searching on keywords not specifically relating to it, misdirecting people to the site. Some websites are brazen enough to show the set of keywords and tell users to ignore them, because this is their purpose. The end effect is to make keyword searches much more difficult than they ordinarily would be.

D. Persistent cookies

Cookies, generally used to gain information of various kinds from a person visiting websites, become an abusive infrastructure problem should one wish to refuse them. Because much web browsing software has not technologically caught up with this problem and given the user the ability to refuse cookies automatically, the person running the browser must manually refuse each of them. When such a user encounters a site with very persistent cookies, the process of refusing them alone can take up a great deal of the user's online time. Persistent cookies are probably designed to break the end user into accepting them and giving up information rather than putting up with a constant barrage.

E. Pop-up windows

This technique involves a website forcing a separate browser window to pop up, whenever a user arrives at or leaves a page, advertising items the site wants one to see. This is often designed to entice the user into further exploration of the site or other sites. However, the tactic is often used to attempt to force the user to remain at the site when the user wishes to leave. Often enough a window will persistently attempt to pop up, forcing the user to close it manually each time and wasting time leaving the website.

5. Server Abuse

A. Flooding

This technique basically involves sending something ordinarily harmless and commonplace to another server in great quantity, flooding the other server and causing it to break down. One way of accomplishing this is a ping attack, whereby abnormally large pings, or a number of computers working in concert with regular pings, flood an individual server with pings, causing it to overload. One may also cause a SYN flood against another server, with similar effect. Like other forms of tactical abuse, these server-directed forms of net abuse are specifically designed with the goal of, or have the net effect of, overloading an opponent's equipment and causing it to crash, eliminating their active presence from the Internet.

-- 
- James