Undercover
At War with the Spammers
When pornographic spam threatened his company's reputation, a CSO got a lesson in calling for outside help
By Anonymous
November 01, 2006 — CSO —
I have mixed feelings about outsourcing. I subscribe to the old adage, "The good Lord helps those
who help themselves." This attitude may stem from my parents, who lived through the era of both
World Wars and the Great Depression and know how to make do with very little. They are self-sufficient
Yankees who tend not to ask for help, which I think instilled the do-it-yourself tendency in me.
I actually feel guilty when I hire people to do work for me that I could do myself. I'm getting wiser now,
so that guilt doesn't last long. Usually by the second or third hole on the golf course, I've gotten over
the fact that the landscaper is busy fertilizing my lawn. But I still haven't outsourced the mowing of the
lawn, because I firmly believe that some things require personal attention.
Likewise, as a security practitioner, I'm generally reluctant to hand off the protection of my company. I
like the feeling of being capable and prepared. I'm not one to look to someone else, such as the
government, to bail me out. Still, there are times when asking for assistance is the practical thing to do.
You can't always handle everything on your own. One of the main ways I learned this was back in the
mid-1990s, when my company was struggling through a series of disruptive attacks caused by
spammers who were trying to profit by driving Web traffic to pornographic websites—and using
our company's good name to do so.
The Attacks
You might remember early spam blasts like this. Each weekend, e-mails would go out to millions of
addresses, mostly AOL accounts. The mailings contained links to pornographic websites, and the
headers said the messages came from where I worked. Later I learned that the names of at least a half
dozen other reputable companies were abused during this massive spamming campaign, but at the
time it felt like we alone were in this situation.
The spammers were not sophisticated about the addresses they used. It seemed that they had simply
generated every possible permutation of characters and affixed them to the AOL domain name
(j@aol.com, jo@aol.com, joh@aol.com, john@aol.com and so on). Some addresses actually existed, but
most did not. The ones that didn't were bounced back to our company e-mail server as undeliverable.
Thousands of these messages flooded our server and brought it to its knees. It was this
denial-of-service attack that originally clued us in to the spamming campaign.
Because the messages appeared to come from a respected company, the recipients opened them. This



