Social Distributed Denial of Service


Oh, someone held a grudge against a Mr. Sam Nastat. I don’t know why, or even who, but someone definitely did.

Let’s consider this scenario. You lead a non-profit / donation-driven organization which one fine autumn day, receives this email:

Date: Tue, 4 Oct 2005 10:09:33 -0400
To: daphnecryptogramgr

I would like to make a $10,000 contribution to your noble cause. Also put me on your mailing list for updates, newsletters, or anything you think I should know about. Call me at ***-***-**** with details needed for my check. I also want to introduce you to some corporate friends of mine who can make a much larger donation. Keep up the good work - Sam

At first you think – yeah, right. But wait, suddenly it occurs to you that Americans do have a strong sense of tax relief charity, so you start looking into this - a few minutes of your time is worth the possibility of $10,000 for your organization.

As it turns out, Mr. Nastat seems to exist, and he is a high-profile employee for Altus Explorations. His phone number checks out, too. Even more interesting, Mr. Nastat seems to have sponsored a Canadian Martial Arts academy.

Donated before? Check. Phone number checks out? Check. $10,000 to spare? Probably Check. Corporate friends? Probably Check.

In hope of an unexpected gift, your reply email is on the way. Unfortunately, it will bounce:

This Message was undeliverable due to the following reason: The user(s) account is temporarily over quota.

Now what could this mean? Let’s call him. Damn, you got the voicem-wait, what’s that? Voicemail full?

This is pretty much what happened to me and a few other people involved in donation-driven organizations.

After a little more research, we discovered that the exact same email was archived at the GNU mailing list archives and also sent to Mozilla (their disappointment was blogged by Gervase Markham).

Apparently someone sent out emails to NPO’s claiming to be willing to pay $10,000. People everywhere bought it and started emailing and calling to get their $10,000. I bet that the first phone calls Mr. Nastat received must have been awkward:

-Sam Nastat
-Hello, we’re from XYZ, we’re calling about the donation?
-Hi. What donation?
-Your 10,000 donation to our noble cause?

So eventually Mr. Nastat’s mailbox was filled with replies, he had to turn his cellphone off, and his voicemail was filled with donation requests as well.

As an attack on Mr. Nastat, this move was very clever. Technological means couldn’t help stop the harassment in this case: the spam filters couldn’t have recognized the messages as spam, since the addresses were legitimate and they weren’t trying to sell Viagra or Xanax.

This is a lot like a Distributed Denial of Service attack: in a DDoS, you make a bot network of zombie computers flood a website with requests. In this case, you make people want to contact Mr. Nastat.

The difference here is that people are more effective than computers because they can use different means to their end: personal email, work email, cell phone number, home phone number, Altus Explorations phone number, etc. (all easily found by googling).

This is quite interesting because it is harassment against one person delivered through many channels. I suspect Mr. Nastat will have to use a different cell phone number for a while, Altus Explorations will have to tell the telephone center not to connect Mr. Nastat unless they are sure it is not related to donations, he will have to delete a lot of unwanted messages or change his email address, and even go through verbal abuse when people who reach him find out that they aren’t getting $10,000 for passing Go.

The brilliance in this is that it causes a lot of trouble for no cost. By spamming a few NPO’s and filling some poor bastards with hope (myself included), you cause anybody you want a big headache. There is no defense against this – except changing your email and phone numbers.

The scary part of this story is that it’s a web attack which escapes the web and starts ringing your cell, your house, your company.

Gervase Markham’s blog entry

