Archive for category Creativity

A low tech way to get a mail server blacklisted using victim’s own forums

As they say in the military, “If it’s stupid and it works, it isn’t stupid”.

This is a low-tech, labor-intensive way to get a victim’s email server blacklisted at a major public email service, using the victim’s own public forums. The email provider was very helpful in getting this sorted out, and it’s not clear that this “attack” is specific to them.

(This situation can also happen “accidentally” if a number of users subscribe to your forums,  change their minds and then report the notices as SPAM instead of unsubscribing from the forums. That doesn’t seem to be the case in this instance.)

  1. Sign up for a few free email accounts with a public email provider. Get as many as you can, perhaps at least 20. Get some friends to help you. More is better.
  2. Go to the victim’s public forum servers and use each email account to sign up for one (or in some cases more than one) forum account per public email account. This gives you 20-100 forum accounts. Let’s use 20 as the lower bound and 100 as the practical upper limit.
  3. As an alternative, if the forum doesn’t use opt-in confirmation, just subscribe a few hundred random people to get the forum notifications. Let them do the work for you.
  4. Set each forum account to send an email notification for every forum update, or as many as possible. Some forum systems allow you to “watch” individual threads, some allow you to “watch” the entire forum system, getting one email for every other users’ post.
  5. In a moderately large-ish forum system, there could be perhaps 1 update per minute, so 60 per hour – that’s now 60*20 accounts (1200) or even worst case 60*100 accounts (6000) emails per hour going out from the forums system, perhaps through the victim’s outbound SMTP server. Either way, the target public email system is seeing a lot of email coming from one domain or IP range very quickly.
  6. If the rate alone isn’t enough to get the forum or SMTP server blacklisted, then go into each of the public email accounts and mark ALL the forum notifications as SPAM. Or if you subscribed a few hundred random people to the notifications, they’ll do the work for you!
  7. The combination of high email rate combined with the 1200-6000 SPAM use complaints should be enough to get either the forum server or the victim’s outbound SMTP server blacklisted.

Note that each and every part of this situation is working as intended. It’s only when they are combined that that you get problems. (Unless the forum doesn’t do email address opt-in verification, in which it’s all on you.)

This “attack” depends on these things:

  1. lots of manual labor, either by yourself or with some friends, or even some random victims
  2. a forum system that allows one user to cause the system to send lots of email based on the behavior of many people
  3. a moderately busy forum system
  4. a public email system that is biased more towards rate-based and user complaints than message content
  5. a public email system that the victim’s user base depends on, as in “must communicate with users in that public email system”

Fortunately, this is relatively labor-intensive, and not amenable to automation.

Countermeasures are left as an exercise for the reader 🙂

Advertisements

Leave a comment

life (and tech) is not soundbytes

Google+, Twitter and Facebook just aren’t suitable for technical topics.

They all have their uses, but seem to be just too shallow for tech, and life.

Face it, when you need an answer to a technical question or learn about something that isn’t in Wikipedia, chances are that Google will lead you to a blog post. Not a Facebook page (not indexed, and rarely technical). Not Twitter (how much can you explain in 140 characters?) And probably not Google+, either (although there is sometimes good discussion there).

Nope, you’re going to end up at someone’s blog post.  Someone who faced the same problem, did their homework, pulled together from other sources, and solved the problem.

Go to Twitter for breaking news, Facebook for your friends, and Google+ for interesting discussions.

But the next time you solve a problem, how about you contribute to the world-wide-knowledgebase via a blog post somewhere?

Leave a comment

The “Usenet trap”, or reading vs. writing

You have all probably noticed that this blog isn’t updated very often.  I’m afraid I’ve fallen into what Vernor Vinge once described to me as the “Usenet trap”.

A long time ago I was fortunate enough to spend time with him on a semi-regular basis, and even shared an office with him for one semester. At that time I asked him if he ever read Usenet News (which tells you how long ago this was), and he said (paraphrasing) “No.  If you are reading, you aren’t writing, and I want to spend more time creating, and not all my time consuming.” At that time he was working on the draft that became “A Fire Upon the Deep.”

I spent some time over the past week, looking at how much time I spent consuming “media” (reading) as opposed to writing (other than work). Read the rest of this entry »

, , , ,

1 Comment

obligatory Google+ post

It seems everyone has one.  I can’t really add much to all the tens of thousands of words that have been written, so I’ll just point you to the beginning:

http://www.slideshare.net/padday/the-real-life-social-network-v2

Leave a comment

boredom, creativity and…. iPads and search engines

Peter Bregman has an interesting hypothesis:  we are too connected to information, and we need “boredom time” to be creative and productive.

He makes the case that carrying an always connected device (in his case an iPad) allowed him to be too productive, that is, productive at any time of the day or night.  He allowed work and activity to fill all the time in his life because he had a device that made that easy.  In other words he discovered an aspect of  Parkinson’s Law.

I think he is on to something, but I’d like to suggest that it is really the over-ease of access to information that is the problem.  With Google (or any other search engine) on every device we carry with us, there is never a need to ask “I wonder if…”.  We never have to think about that question, we can always get the answer immediately.

When was the last time that any dinner time (or work time) question remained contested?  In other words when was the last time you had a discussion, an argument (in the classic sense) about a question of fact?  It is too easy to immediately answer those questions, and therefore we are losing the ability to question authority and make creative arguments to support our positions.

I believe that the reverie of a chain of “I wonder if…” questions can lead down some very creative pathways, and too many of us are short-circuiting that process.  Science fiction is some of the most creative literature around, in terms of “ideas per page”, and it requires the creation of “what if…” chains for which you choose muliple non-obvious answers.  Easy access to information, too soon, short-circuits the creative process that can lead you into those great “out of the box” ideas that make all the difference.

So, it’s not always about getting those hours of uninterrupted time, it’s about making some of that time unconnected and unstructured time.

There’s been a lot of discussion in the sysadmin community about turning off your email client to get those uninterrupted hours to make progress on projects.  I believe that we also need to turn off search engines to get unconnected and unstructured thinking time.

So don’t always focus on time management throughout your entire life, and give yourself permission to explore “what if…” on your own.

1 Comment

%d bloggers like this: