USA.net helps hackers launch email attacks
Copyright © 1998 to Bruce Simpson, syndication rights available
16 Apr 1998
"We have zero tolerance for junk e-mail. We do not allow our users to be subjected to it, nor do we tolerate their dispersal of it" are claims made by NET@DRESS, the free email service provided by USA.net. These claims seem to be at odds with the way they've set up a service that makes it easy for malevolent users to launch totally anonymous denial of service attacks on other Net users.
Aardvark has received complaints from Net users who've fallen victim to such attacks and has even been subjected to several itself.
Even a half-smart Net user can take advantage of the email forwarding facility offered by NET@DRESS to create an annoying and difficult-to-stop flow of unwanted email to any other Net user.
Aardvark has emailed email@example.com and firstname.lastname@example.org on eight occasions over the past two months, requesting that the forwarding service be amended to stop this kind of abuse and soliciting comments from USA.net in relation to the situation. They have been of no help and have failed to even acknowledge the last two messages sent.
They are obviously aware of the problem and one must assume that their total lack of response means they do not intend doing anything about it.
The hole is exploited by malevolent Net users when they sign up for a free email account with USA.net, then subscribe to the many free emailed-information services offered on the very next page. They can also subscribe to any number of mailing lists and respond to the requests for confirmation before setting up the account to forward all the received email to the mailbox of whoever they choose as their victim.
The first thing the victim knows of this is the sudden deluge of unwanted email from the mailing lists and information services to which the account has been subscribed. In the case of victims accessing the Net through a dial-up account, the sheer volume of mail may make it all but impossible to even contact USA.net and ask that the account be terminated. Aardvark has documented one case recently where, despite a request for the cancellation of a bogus USA.net free mail account being used to annoy, no action has yet been taken by USA.net some 4 days later.
While it is realized that competition in the free email market is quite intense at this time and USA.net no doubt consider their forwarding service to be an extra "benefit" to most users, their provision of a system that makes it child's play to launch denial of service attacks and their complete lack of response when such attacks are reported by victims is something that must be of significant concern to all Net users.
The only solution most ISPs have at this time is to block all IP traffic from the usa.net mail server, a move which disadvantages all the bona fide users with addresses @usa.net. Dial-up users are less fortunate since USA.net seem unwilling to respond to complaints and even email filtering software requires that the messages actually be downloaded first, a lengthy and in some cases expensive operation.
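A narrower server-side alternative to the blanket block described above, as an added example that is not part of the original article: quarantine only mail that arrived through the forwarder and was never addressed to the local mailbox, so mail sent directly by bona fide @usa.net users still gets through. The Received format, the relay hostnames, the addresses and the sample messages are all constructed assumptions.

```python
import email
import re
from email.utils import getaddresses

FORWARDER_DOMAIN = "usa.net"          # forwarding service named in the article
LOCAL_ADDRESS = "victim@example.org"  # assumption: the mailbox being protected

# Assumed trace format written by our own MX: "from HELO (RDNS [IP]) by ..."
RDNS_RE = re.compile(r"^from\s+\S+\s+\(([^\s\[]+)\s*\[")

def relayed_by_forwarder(msg):
    """Check only the topmost Received header: our own MX added it, so the
    reverse-DNS name in it was not supplied by the message's author."""
    received = msg.get_all("Received") or []
    if not received:
        return False
    m = RDNS_RE.match(" ".join(received[0].split()).lower())
    if not m:
        return False
    host = m.group(1).rstrip(".")
    return host == FORWARDER_DOMAIN or host.endswith("." + FORWARDER_DOMAIN)

def addressed_to_local(msg):
    """True when the protected mailbox appears in To or Cc."""
    fields = (msg.get_all("To") or []) + (msg.get_all("Cc") or [])
    return any(a.lower() == LOCAL_ADDRESS for _, a in getaddresses(fields))

def triage(raw):
    """Quarantine forwarded mail never addressed to us; deliver the rest.
    Caveat: a Bcc from a genuine usa.net sender is quarantined as well."""
    msg = email.message_from_string(raw)
    if relayed_by_forwarder(msg) and not addressed_to_local(msg):
        return "quarantine"
    return "deliver"

def sample(rdns, sender, to):
    """Build a constructed test message (not real traffic)."""
    return (f"Received: from {rdns} ({rdns} [192.0.2.10]) by mx.example.org;"
            " Thu, 16 Apr 1998 09:00:00 +0000\n"
            f"From: {sender}\nTo: {to}\nSubject: Daily digest\n\nbody\n")

if __name__ == "__main__":
    for args in [("relay.usa.net", "news@lists.example.com", "throwaway@usa.net"),
                 ("relay.usa.net", "friend@usa.net", "victim@example.org"),
                 ("lists.example.com", "news@lists.example.com", "digest@lists.example.com")]:
        print(args[2], "->", triage(sample(*args)))
```

Because the check runs on the receiving mail server, quarantined messages never have to be downloaded over the dial-up link.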
This is an important issue; readers are invited to voice their opinions.