On Sun, Feb 23, 2003 at 08:39:53PM -0700, Bob Bish wrote:
> At 07:36 PM 2/23/2003, Rich Kulawiec wrote:
> >Are you aware of the numerous instances in which folks have had their
> >address/domain forged into spam headers and have thus been subject
> >to indirect denial-of-service attacks (e.g. millions of bounces)
>
> What you are talking about here goes way beyond ordinary spam.

That depends on what you consider "ordinary". If it happens often, is it "ordinary"? (It does happen often, BTW. There are a few spam operations which do it as a matter of course. Others do it as a form of revenge.)

Not to mention the impact on people who have their relays/proxies hijacked and are thus denied service while millions of spams are shoved through them, and then -- for good measure -- receive the resulting complaints. Sure, they shouldn't have set their systems up in this fashion to begin with, and it was a mistake for them to do so: but the consequences they bear far outweigh the size of their mistake.

"Ordinary" spam is only seen these days from new spammers. The sophisticated ones are organized, global, have multiple network connections, and some surprisingly sophisticated software to maximize their ability to hijack other systems to send their spam. They're using all sorts of clever tricks -- from asymmetric routing to frustrate people looking for them, to lots of Javascript to obfuscate URLs in their messages. This stuff is WAY beyond what career spammers like Wallace and Rines were doing just a few years ago.

> I'm sure you've seen things on the news about massive virus attacks crippling
> computers worldwide on occasion, but that goes way beyond something like
> the Klez and other ordinary email-borne viruses I'm discussing.

It doesn't cripple computers which aren't susceptible to those particular viruses. Let's be clear: for the most part, these aren't computer virus problems: they're Microsoft Windows problems. Yes, the side-effects can impact other people (e.g. one of my network connections has been rendered useless by the recent MS SQL problem because it's shared with a company whose systems became infected) but the computers themselves are unaffected.

> Gee, just think what they [AOL] could do if they spent one cent per user to
> fight viruses!

I can't believe I'm going to take AOL's side in this, but...

Why should AOL -- an Internet service provider -- compensate for the poor choices of computing platforms by its users, or the failure of its users to properly secure their own systems? Where's the responsibility of those users who willingly connect their systems to the Internet? Why aren't *they* held personally accountable for the impact/damage that their systems do?

---Rsk
