
"What is Scientology?" (ARSBOMB) Spam Team FAQ for Los Angeles Area ISPs


tb...@pobox.com

Apr 18, 1997, 3:00:00 AM

Archive-name: scientology/spam-team-faq
Posting-Frequency: monthly, on or about the 15th of the month
Last-modified: 1997/04/11
Version: 1.7 -- Final
URL: http://www.panix.com/~tbetz/WIS_Spam_Team_FAQ.html

PREFACE:
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Because the Spam Team stopped its attack sometime in December, 1996, and
(as of the second week of April, 1997) they have shown no sign of
restarting it, this is the final appearance of this monthly FAQ on Usenet.

I shall retire it after this posting.

Because of its value to novice ISPs as a reference for spammer-
fighting techniques, I shall maintain a copy of the 22 Dec 1996 release
posted below at <http://www.panix.com/~tbetz/WIS_Spam_Team_FAQ.html>
for the indefinite future.

Should the attack recommence, I shall, of course, resume posting the FAQ.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-


The "What Is Scientology?" Spam Team FAQ for Los Angeles Area ISPs

Version 1.7 -- 22 Dec 1996

Do you run an Internet Service Provider or Internet-connected
Bulletin Board Service in the metro Los Angeles area?

Has a woman (or two women) come to your office recently to
open a temporary SLIP or PPP account "for my son" or "for my
brother who will be staying with me for a month on vacation"
-- happy, maybe even insisting, on paying for the month in
cash, or paying for the account using a credit card with a name
on it other than the name they give for the account holder?

Has a man called you and asked you to set up a temporary
account "for a friend who is coming to visit?"

The odds are extremely good that this account is about to be
abused by the "What Is Scientology?" Spam Team, as part of
an ongoing theft-of-service and denial-of-service attack on a
Usenet Newsgroup.

Do yourself a big favor; go lock the account they opened --
then come back and read the rest of this FAQ.

*-----------------------------------------------------------------*

This FAQ attempts to answer the following questions:

1) What is the "What Is Scientology?" Spam Attack?

2) Who is the "What Is Scientology?" Spam Team?

3) How does the "What Is Scientology?" Spam Team work?

4) Where does the "What Is Scientology?" Spam Team operate?

5) What ISPs have been victimized by the "What Is Scientology?"
Spam Team?

6) Does the "What Is Scientology?" Spam Team ever just leave
an ISP?

7) What will happen if I just ignore the "What Is Scientology?"
Spam Team while it's using my system?

8) Spamming isn't illegal. Why should I care about the
"What Is Scientology?" Spam Team?

9) I think the "What Is Scientology?" Spam Team may have purchased
an account on my system. What should I do?

10) I'm getting reports from people about the "What Is Scientology"
Spam Team using my system, but I don't know what to do. How can
I identify which accounts they are using? How can I stop them
from spamming?

*-----------------------------------------------------------------*

1) What is the "What Is Scientology?" Spam Attack?

Put simply, the "What Is Scientology?" (WIS) Spam Attack is an
apparent attempt by someone -- either the Church of Scientology, its
employees or its sympathizers -- to stifle the speech of people who
discuss, on the Usenet Newsgroup alt.religion.scientology, the past
and present wrongful practices and criminal acts of the Scientology
organization, its leadership, its corporate entities, and its
employees.

This attack has been in progress since May 19, 1996, and more
than 100,000 posts have been flooded into alt.religion.scientology to
date, in an apparent effort to "harass and discourage[1]" the regular
participants in the ongoing discussions there.

More information may be obtained at the following URLs:

http://wpxx02.toxi.uni-wuerzburg.de/~krasel/CoS/spam/info.html
http://www.now.com/issues/15/44/News/feature.html
http://pathfinder.com/Netly/daily/960923.html

2) Who is the "What Is Scientology?" Spam Team?

The WIS Spam Team appears to consist of at least three people; a man
of undetermined age, a young woman, and an older woman. Investigators
have yet to make a complete identification, though certain names seem
to keep coming up in the investigation. In the month of October 1996,
the Spam Team appears to have developed new cover stories, and have
been using these new stories to open accounts. They may also have
recruited new personnel. As investigation turns up new cover stories,
they will be included in future versions of this FAQ.


3) How does the "What Is Scientology?" Spam Team work?

The WIS Spam Team's _modus_operandi_ (M.O.) is fairly invariant. As
described in the opening paragraphs of this FAQ, they typically open a
temporary SLIP/PPP account on an ISP, paying for a month in advance.
The account may remain idle for weeks, while the WIS Spam Team abuses
other systems' accounts in the following manner:

They find several open NNTP servers they can abuse. Once
they begin to abuse an NNTP server, they will continue to
post through it (using multiple forged From: addresses) between a
dozen and 2000 articles a night, repeating sets of about 700
different articles (usually excerpts from the book "What Is
Scientology?", or old Scientology press releases, always
advertising several official Scientology Web sites), at a rate of
up to ten per minute. They have been known to post 10,000
articles non-stop over a single weekend, sometimes using more
than one account simultaneously.

They will not stop until forced to stop, either by the
victimized NNTP server being closed to them, or by losing
their account when the ISP identifies it. Some ISPs have
reported closing more than one account at a time, either
paid for in cash or using a third party's credit card bearing a
name other than the name given by the account holder. Addresses
and phone numbers given by the WIS Spam Team are invariably phony.

Put simply, they lie. They are reported to be very convincing liars.

When the other accounts are closed by the other ISPs, your system's turn
comes around.


4) Where does the "What Is Scientology?" Spam Team operate?

At present, the WIS Spam Team operates out of somewhere in the
metropolitan Los Angeles area. There have been small spams not
following the standard MO run out of other locations (including
one using bitwise.net in Boston, and small spams from AOL) but
they seem to be attempts at distraction from the standard pattern.

WIS Spam Team accounts have been closed all over the L.A. area,
after being used by the WIS Spam Team to post thousands of articles
to alt.religion.scientology, using NNTP servers all over the world[3].


5) What ISPs have been victimized by the "What Is Scientology?"
Spam Team?

directnet.com, westworld.com, wdc.net, barepower.net, netroplex.com,
interline.net, instanet.com, linkonline.net, loop.com, k-net.net,
dsphere.com, wavenet.com, internetconnect.net, cyberesc.net, 4link.net
and annex.com are just a FEW of the ISPs who have suffered from hosting
WIS Spam Team accounts.


6) Does the "What Is Scientology?" Spam Team ever just leave
an ISP?

No. Once begun, these attacks will continue for days (sometimes
weeks) at a time. To my knowledge, the WIS Spam Team has never just
left an ISP. They only stop when the ISP closes their account.


7) What will happen if I just ignore the "What Is Scientology?"
Spam Team while it's using my system?

Because the newsgroup under attack, alt.religion.scientology, is one
of the most-read Usenet newsgroups, the hounds of virtual hell come
down on the WIS Spam Team's unfortunate ISP for the duration of the
attack. Complaints come pouring in by email, fax, and telephone,
along with megabytes of Spam article headers -- which may be useful to
match logs against posting times when one tries to identify the
offending account, but which tend to clog system administrators'
inboxes.

Some systems have had to spend WEEKS (and hundreds of person-hours)
identifying the offending account, all the while suffering flames --
by email and posted all over Usenet -- from victimized readers of
alt.religion.scientology, and from other anti-net-abuse activists.
It's unpleasant, to say the least.

Also, ISPs that demonstrate an inability or unwillingness to stop the
WIS Spam Team's attacks often attract the attention of unsavory
commercial Usenet spammers, who flock to those ISPs in the hope of
perpetrating their own spams unhindered. Such customers, and the
complaints they inevitably generate, are more trouble than the income
from them is worth. Their activity is likely to further damage your
system's reputation, and you may lose many of your respectable
customers as a result.


8) Spamming isn't illegal. Why should I care about the
"What Is Scientology?" Spam Team?

Small-scale spamming may not be illegal; but the kind of spam-flood
the WIS Spam Team engages in -- attempting to make impossible the
regular use of alt.religion.scientology -- falls in the category of
Denial Of Service Attack, which is clearly illegal under 18 USC sec.
1030 [4]. (By the way, section 1030(g) provides for civil actions by
injured parties, so once the Spam Team is caught, there is likely to
be a long list of Federal civil suits brought against them, as well.)

Furthermore, by using NNTP servers other than those belonging to their
ISPs to post thousands of articles without authorization from the owners
of those servers (usually making use of little-known security holes in
INN to post through NNTP servers not intentionally left open[5] -- the
equivalent of picking the lock of a stranger's door to go into his
house and make prank phone calls from the stranger's phone), the WIS
Spam Team is committing Theft Of Services, also illegal under state
laws in every one of the United States.

To compound their criminality, in the course of their attacks, the WIS
Spam Team has been known to post (unauthorized, of course) through
.gov and even .mil NNTP servers -- which is Unauthorized Use of
Federal Computing Resources, illegal under 18 USC section 1030(a)(3).

The US Department of Energy is currently investigating just such
abuses of Federal computing systems at Lawrence Berkeley Laboratory.


9) I think the "What Is Scientology?" Spam Team may have opened
an account on my system. What should I do?

The FBI is also investigating this ongoing attack. If you think you
may have innocently opened an account for the "What Is Scientology"
Spam Team, give a call to one of the following FBI agents, each of
whom has been briefed on this case:

Agent Hugh McLean            Agent Charles Neal
Phone: 1-202-324-9164        Phone: 1-310-996-3854
Fax:   1-202-324-6363

And in the meantime, if you haven't already done what I suggested
earlier, save yourself a whole lot of wasted time and trouble.

Lock the account now.

If you suspect IN THE SLIGHTEST that you may be a victim of the "What
Is Scientology" Spam Team, or if you have opened an account in a
manner that fits the M.O. described above, lock the suspect account.

Just lock it.

Don't send a warning or an inquiry. These criminals do not respond
to warnings or inquiries. In the past, after receiving warnings or
inquiries, the WIS Spam Team just remained logged on to the ISP's system
24 hours a day, pumping out the spam as long as they could get away with
it, until the account was finally locked and their access was revoked.

If you lock the account and your suspicions are correct, you will probably
not hear from the WIS Spam Team again. Once an account is locked, they do
not complain; when the jig is up, they just move on to another unfortunate
provider. While they have recently begun to return to providers where
they had once before held accounts, it was only after having been elsewhere
for several months.

If someone calls to complain about the locked account, the odds are
good (unless the WIS Spam Team changes its M.O., which IS possible)
that it's a legitimate account, and you can simply fix the "technical
problem" and everything will probably be all right.

But please don't take any unnecessary chances. A few minutes of
prevention here can save you many hours of cure.

If the holder of the suspect account does call and complain
(especially if the account hasn't been used yet) it's probably a good
idea to ask for (and make a record of) a telephone number you can call
back for confirmation that the person calling is indeed the account
holder. You can say that the callback is a necessary security
measure.

Then call that number, and confirm that the person who called you is
actually at that number, before unlocking the account. The WIS Spam
Team will not give you a legitimate phone number (except, perhaps, the
number of a public pay telephone) to call back, because it might be
used later to identify them.

If you want to confirm the legitimacy of the telephone number, and you
don't have access to a reverse telephone directory or a CD-ROM
telephone directory, your telephone company will probably tell you if
a particular telephone number is indeed that of a public pay telephone.

10) I'm getting reports from people about the "What Is Scientology"
Spam Team using my system, but I don't know what to do. How can
I identify which accounts they are using? How can I stop them
from spamming?

There are a number of ways you can identify the accounts the Spam
Team is using:

A) When they set up the account (or accounts) they are using, these
people gave your staff false names and telephone numbers. The
account may have been opened by one or two women who came into
your office and paid cash for a brother/son who was going to visit
them for a month; or a man may have called and opened an account
over the phone with a promise to send in a check that has not come;
or a man may have called up and asked you to set up an account
"for a friend who was coming to visit"; or they may simply have
opened a "free trial account", if you happen to offer them.

They were using a credit card (in a name different from the names
they gave for themselves and the account holder) for a while, but
they stopped that practice around July or August of 1996 -- though
they may start doing that again at any time, especially if you
require a credit card number to open a free trial account.

To identify which accounts are likely to be the Spam Team's, go
through your recent new accounts, within the last month or so.
Find out which of them fit these patterns. Try calling the numbers
they gave you at different times of the day. If you get no answer,
or if you get a message that it is a bogus number (or an office of
the Church of Scientology), or if the phone company tells you it
is a telephone booth, lock the account.

B) A harder (but surer) way is by gathering spam headers and checking
the logs for the dialups listed in the NNTP-Posting-Host: header
lines against the posting times in those headers, to determine which
user matches all the times. This method is a lot more work, and it
takes longer, but once you make the connection, it is certain.
Then shut that account down. This is the system that several ISPs
have used.

C) The third way may inconvenience some of your legitimate users
who may legitimately use outside NNTP servers, but if all else
fails, you may have to do what some other victimized ISPs have
done -- ask your provider to filter outgoing NNTP connections
from your site.

D) This Spam Team usually likes to operate through the night,
because the small ISPs it likes to abuse tend not to have staff
monitoring systems late at night, and they are less likely to
get caught. During times when the Spam Team is likely to be
active, use network monitoring tools like "netstat" under SunOS
to check what ports are active between your dial-in server and
the NNTP ports on other machines. A perl or shell script run
from "cron" could easily log this activity with a minimum of
mess.

E) Obtain the Caller-ID information from your dial-in lines.
The Hylafax freeware for UNIX systems (you can find it at
<ftp://ftp.sgi.com/sgi/fax>) provides both dial-in and fax-
in/out software that's very powerful and very friendly. It
automatically collects Caller-ID from any modems that support
the feature. It also easily supports mailfax gateways for
your users (billed to their accounts with a bit of programming
added) or only your staff, for faxing forms and bills to your
customers. It also handles configuring modems for dialup and
PPP rather well.

F) Sometimes the simplest measures can be the most effective.
If your modems are external, walk over to them and watch the
traffic on the LEDs for a while when the Spam Team is likely
to be working. The perpetrator is almost entirely *transmitting*
data, for hours and hours. This is extremely unusual for dialup
lines, which will more frequently download for extended periods.

G) You can make your system less inviting for the Spam Team if,
in your contracts and connection messages on your systems, you
remind users that you reserve the right to monitor their activity
for security reasons.
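
The log correlation described in method B, as an added example (not part of the original FAQ): it matches the NNTP-Posting-Host: and Date: headers of collected spam against dial-up session records and reports which account was online for every posting. The session-log format, the host names, the user names and the 60-second clock-skew allowance are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample data: every host, user and time below is invented.
SPAM_HEADERS = [
    "NNTP-Posting-Host: dial07.isp.example\nDate: Sat, 14 Dec 1996 02:14:30 -0800\n\n",
    "NNTP-Posting-Host: dial07.isp.example\nDate: Sat, 14 Dec 1996 03:40:02 -0800\n\n",
    "NNTP-Posting-Host: dial03.isp.example\nDate: Sun, 15 Dec 1996 10:05:11 GMT\n\n",
]
# Assumed log format, times in UTC: user dial-up-host login logout
SESSION_LOG = """\
jsmith   dial07.isp.example 1996-12-14T08:00:00 1996-12-14T10:14:00
visitor9 dial07.isp.example 1996-12-14T10:14:10 1996-12-14T13:20:00
mlee     dial03.isp.example 1996-12-14T10:00:00 1996-12-14T12:00:00
visitor9 dial03.isp.example 1996-12-15T08:30:00 1996-12-15T14:00:00
"""

def parse_sessions(text):
    """Return (user, host, login, logout) tuples with timezone-aware UTC times."""
    def utc(stamp):
        return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
    sessions = []
    for line in text.splitlines():
        if line.strip():
            user, host, login, logout = line.split()
            sessions.append((user, host.lower(), utc(login), utc(logout)))
    return sessions

def posting_events(raw_headers):
    """Extract (posting host, posting time in UTC) from each spam article's headers."""
    events = []
    for raw in raw_headers:
        msg = message_from_string(raw)
        host, date = msg["NNTP-Posting-Host"], msg["Date"]
        if not host or not date:
            continue  # cannot be matched against the dial-up log
        when = parsedate_to_datetime(date)
        if when.tzinfo is None:  # no usable zone in the header: treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        events.append((host.strip().lower(), when.astimezone(timezone.utc)))
    return events

def match_accounts(raw_headers, session_text, skew=timedelta(seconds=60)):
    """Return (accounts online for every posting, per-account hit counts).

    skew widens each session to absorb clock drift between the news
    server and the dial-up log.
    """
    events = posting_events(raw_headers)
    sessions = parse_sessions(session_text)
    hits = Counter()
    for host, when in events:
        hits.update({user for user, h, login, logout in sessions
                     if h == host and login - skew <= when <= logout + skew})
    always = sorted(u for u, n in hits.items() if events and n == len(events))
    return always, hits

if __name__ == "__main__":
    always, hits = match_accounts(SPAM_HEADERS, SESSION_LOG)
    print("online for every posting:", always)
    print("hits per account:", dict(hits))
```

In the sample, a legitimate user who hung up seconds before the first posting still matches that one header within the skew window; only the account that matches every posting time is reported, which is why the FAQ asks for a match on all the times.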

Method A is generally the quickest and has proved over time to be
the most effective; but a combination of the other methods may
prove to be most useful for you, if you are unfortunate enough to
be hosting the WIS Spam Team.
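
The cron-driven logging suggested in method D, as an added example (not part of the original FAQ): it reads `netstat -n` output and writes one timestamped line per established connection to an NNTP port (119) on a machine other than your own news server. The BSD-style column layout, the sample addresses and the OWN_NEWS_SERVERS value are assumptions; adjust them to your system's netstat.

```python
import sys
from datetime import datetime, timezone

NNTP_PORT = "119"
OWN_NEWS_SERVERS = {"192.0.2.10"}  # assumption: the ISP's own news host

# Constructed sample of BSD-style `netstat -n` output (addresses invented).
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
tcp        0      0  192.0.2.57.1043    198.51.100.9.119   ESTABLISHED
tcp        0   4096  192.0.2.57.1044    203.0.113.20.119   ESTABLISHED
tcp        0      0  192.0.2.61.1210    192.0.2.10.119     ESTABLISHED
tcp        0      0  192.0.2.61.1211    198.51.100.80.80   ESTABLISHED
tcp        0      0  192.0.2.70.1300    203.0.113.20.119   TIME_WAIT
"""

def split_endpoint(endpoint):
    """Split 'addr.port' (BSD style) or 'addr:port' into (addr, port)."""
    sep = ":" if ":" in endpoint else "."
    addr, _, port = endpoint.rpartition(sep)
    return addr, port

def outside_nntp(netstat_text):
    """Return (local address, remote address) for live sessions to outside NNTP servers."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header or non-TCP line
        local_addr, _ = split_endpoint(fields[3])
        remote_addr, remote_port = split_endpoint(fields[4])
        if (remote_port == NNTP_PORT and fields[5] == "ESTABLISHED"
                and remote_addr not in OWN_NEWS_SERVERS):
            found.append((local_addr, remote_addr))
    return found

def log_lines(netstat_text, now=None):
    """Format one timestamped log line per outside NNTP connection."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f"{stamp} {local} -> {remote}:{NNTP_PORT}"
            for local, remote in outside_nntp(netstat_text)]

if __name__ == "__main__":
    # From cron: netstat -n | python3 this_script.py >> /path/to/logfile
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for entry in log_lines(text):
        print(entry)
```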

Good luck.

And be careful out there.

Footnotes:

[1] In 1955, L. Ron Hubbard wrote in
_A_Manual_on_the_Dissemination_of_Material_ (one of the Sacred
Scriptures of the Church of Scientology), "The purpose of a lawsuit
is to harass and discourage rather than to win. Don't ever defend.
Always attack. Find or manufacture enough threat against them to
cause them to sue for peace. ... The law can be used very easily to
harass, and enough harassment on somebody who is on the thin edge
anyway, well knowing that he is not authorized, will generally be
sufficient to cause his professional demise. If possible, of course,
ruin him utterly." This practice continues to this day, and the
present spam-flood of alt.religion.scientology is merely the latest
means of harassment being employed by this cult. For evidence that it
IS the cult engaging in this harassment, I need only point out that
all of the articles being spammed are (c) copyright Church of
Scientology International, and no legal action is being taken against
the perpetrator, while hundreds of persons who have quoted as few as
seven lines of Scientology scripture on alt.religion.scientology
received email from h...@netcom.com <Helena K. Kobrin>, attorney for
the Cult, threatening legal action; and several cases are now pending
in Federal courts against persons who quoted larger fair-use extracts
of Cult scripture in discussion on alt.religion.scientology[2].

[2] See <http://www.tiac.net/users/modemac/cos.html>,
<http://www.cybercom.net/~rnewman/scientology/home.html> and
<http://www.icon.fi/~marina/rnewman/index.htm> for more information.

[3] The WIS Spam Team has only used its own ISP's NNTP server once,
after having been on that system for a month, just as the account was
due to expire (and its admins had just closed a second account on the
same system). It was a sort of parting shot, one last insult added to
the injury.

[4] See <http://www.panix.com/~eck/computer-fraud-act.html> for the
text of 18 USC Section 1030.

[5] All official releases of INN through 1.4sec2 allow "blind" posting
to any group on the server by anyone with posting authorization for
any group. This is fixed in more recent versions.

The latest version is 1.5 -- See <http://www.isc.org/isc/> for details.


--
|We have tried ignorance | Tom Betz (914) 375-1510 |
|for a very long time, and | Want to send me email? First, read this page: |
|it's time we tried education. | <http://www.panix.com/~tbetz/mailterms.shtml> |
|<http://www.pobox.com/~tbetz> | I mock up my reactive mind twice daily. |
