[linux-elitists] Fwd: Spam DoS attack perpetrated by Earthlink against my account

Karsten M. Self kmself@ix.netcom.com
Thu Sep 25 18:30:58 PDT 2003


For those curious as to what I'm considering when I speak of ISP-based
filtering, this is my email to Earthlink.

I mean, what the heck.  I'm already speaking to their legal department
on another matter....

Peace.

----- Forwarded message from "Karsten M. Self" <kmself@ix.netcom.com> -----

From: "Karsten M. Self" <kmself@ix.netcom.com>
Date: Fri, 26 Sep 2003 01:27:53 +0100
To: support@earthlink.net, abuse@earthlink.net
User-Agent: Mutt/1.5.4i
Subject: Spam DoS attack perpetrated by Earthlink against my account
X-Debian-GNU-Linux: Rocks
X-Kuro5hin-cabal: There is no K5 cabal
X-GPG-Fingerprint: 5CAA 226D 2CCC 0A2A A502  D09E 79F1 BCE3 8DE4 D38E
X-uptime: 23:05:04 up 37 days, 36 min,  7 users,  load average: 0.21, 0.40, 0.40

The w32.Swen.A@mm virus first appeared in the wild on or about September
18, 2003.  One week later, I am receiving on the order of 1000 mails per
day carrying this infection, through my Earthlink account.  I've
previously requested that Earthlink block this virus at the SMTP server
level.  I've heard no positive response from Earthlink regarding this
proposal.

Swen, and Earthlink's continued propagation of it, have effectively
launched a DoS attack on my dialup account -- it is completely
infeasible for me to download hundreds of megabytes of email, 95%+ of
which are simply junk, over a 56K modem connection.  Fortunately in my
case, I have access to a shell account on a friend's broadband
connection, but even he was taken aback by the multiple *gigabytes* of
traffic which Swen had generated.  If this continues, he will no longer
be able to afford offering me this service, which he provides out of his
own pocket.


As this attack is occurring through, and fully under the control of
Earthlink's servers: 

I AM CURRENTLY CONSIDERING LEGAL ACTIONS AGAINST EARTHLINK, on the
grounds that Earthlink is performing, aiding, or facilitating a denial
of service attack on my computer systems and resources, on the basis of
actions taken or explicitly not taken which could reasonably avoid or
cease this action.


My prior request was that Earthlink provide 100% filtering of viral
email as an option to its subscribers.  While there are a number of free
and commercial products which scan for specific virus signatures, the
simple expedient of identifying any executable format attachment by file
extension or Microsoft binary executable string would suffice.  My
suggestion is that this be offered on a two-tiered basis:  basic
filtering (no executable content) with a concomitant risk of false
positives, of all executable content, free of charge.  Advanced
filtering, using a specific virus filtering tool (or selection of
tools), such as major proprietary offerings (Norton, RAV, McAfee, etc.)
or free software tools such as clamav, as a premium, for-fee service.

The string below is the MIME encoded value of a Microsoft executable in
regexp form:

^TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

A list of executable MIME extensions is contained here:

    http://antivirus.about.com/library/blext.htm

Implementation should follow these guidelines:

  - The service should be prominently featured in Earthlink
    communications, including billing notifications, website, and a
    possible special subscriber notification mailing.  Press releases
    and news coverage of the service should also be encouraged.

  - The service should be discretionary.  A subscriber should be able to
    elect to use, or not use, the service.

  - Though I generally don't recommend this for content-blocking
    features:  the basic service should be enabled by default on new
    accounts.  It should *not* be retroactively applied to existing
    accounts.

  - The service should be active at SMTP connect time, and should return
    a permanent nondelivery error to the remote SMTP server.  The remote
    server is responsible for any notification to the originating
    sender.  The service should *not* generate its own bounce or
    nondelivery mail based on headers or envelope sender, any or all of
    which may be forged, presenting a Joe-job DDoS risk.

  - The service should provide a regular (weekly or monthly) summary to
    the user of blocked mail.  For the basic service, this might be
    restricted to a count of accepted and rejected mails.  For the
    premium service (as a revenue generating incentive), abstract or
    detail in the form of connecting remote hosts, and possibly subject
    line or description of blocked content by type or risk (e.g.:  the
    W32.FooBar.A@mm virus) could be included.

I await your response on this proposal.

Thank you.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Defeat EU Software Patents!                         http://swpat.ffii.org/

----- End forwarded message -----

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Scandinavian Designs:  Cool furniture, affordable prices, great service,
    satisfied customer.                  http://www.scandinaviandesigns.com/
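As an added example (my own code, not part of the post above and not anything Earthlink ran), here is the "basic" filter the forwarded mail proposes, in Python: walk the MIME parts of an incoming message, flag executable attachments by file extension and by the base64-encoded MS-DOS stub regex quoted in the mail, and decide on a permanent 550 reply at SMTP time instead of generating a bounce. The extension set is a small constructed subset of the list the mail links to, the sample messages and the stand-in executable bytes are constructed here, and the reply strings are illustrative.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Constructed subset of Windows executable extensions (the post links to a
# fuller list at antivirus.about.com).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".cpl"}

# The signature quoted in the post: base64 of the first 57 bytes of the usual
# MS-DOS stub header ("MZ\x90\x00\x03\x00 ..."), anchored at a base64 line start.
MZ_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
MZ_B64_RE = re.compile("^" + re.escape(MZ_B64), re.MULTILINE)


def pe_signature(body: bytes) -> Optional[str]:
    """Inspect decoded bytes: 'PE' if e_lfanew points at a PE signature,
    'MZ' if only the DOS magic is present, None otherwise."""
    if body[:2] != b"MZ":
        return None
    if len(body) >= 0x40:
        e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return "MZ"


def rejection_reasons(raw: bytes) -> List[str]:
    """Reasons an incoming message carries executable content; [] if clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"extension {ext} on {name!r}")
        # Cheap check: the post's regex run over the still-encoded body.
        if str(part.get("Content-Transfer-Encoding", "")).lower() == "base64":
            if MZ_B64_RE.search(part.get_payload()):
                reasons.append(f"base64 MS-DOS stub in {name!r}")
        # Robust check: decode and inspect the magic bytes, which also catches
        # stubs that differ from the common one and other transfer encodings.
        sig = pe_signature(part.get_payload(decode=True) or b"")
        if sig:
            reasons.append(f"{sig} header in {name!r}")
    return reasons


def smtp_reply(raw: bytes) -> str:
    """Reply for the connecting MTA at end of DATA.  A 5xx is permanent, so
    the remote server owns any sender notification; we never send a bounce."""
    reasons = rejection_reasons(raw)
    if reasons:
        return "550 5.7.1 Executable content refused: " + "; ".join(reasons)
    return "250 2.0.0 Accepted"


def pe_bytes() -> bytes:
    """Constructed stand-in for a Windows executable: the stub header the
    regex encodes, e_lfanew pointing at a 'PE\\0\\0' signature, nothing more."""
    hdr = bytearray(base64.b64decode(MZ_B64))      # 57 bytes
    hdr += bytes(0x40 - len(hdr))                  # pad up to e_lfanew
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + bytes(20)


def sample_message(filename: str, attachment: bytes) -> bytes:
    """Constructed sample mail with a text body and one base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "forged-sender@example.net"   # envelope/header may be forged
    msg["To"] = "subscriber@example.invalid"
    msg["Subject"] = "Latest Security Update"
    msg.set_content("See attached.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, data in [("update.pif", pe_bytes()),
                       ("invoice.doc", pe_bytes()),
                       ("notes.txt", b"plain text, nothing to see")]:
        print(name, "->", smtp_reply(sample_message(name, data)))
```

The regex alone is brittle: it only fires when the attachment uses the common stub bytes and the encoder happens to start a base64 line at byte 0 of the file, so the decoded-magic check is the one to rely on, with the regex as a cheap first pass. The second sample shows why the extension list is not enough either: a file named invoice.doc with an MZ header is still rejected.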