Executive Summary
New Media Group attack, May 14, 1997 to May 28, 1997

 
Last update: 29 May 1997 1425 EDT
 
 

E-mail recipients at newmediagroup.com came under attack after Jim Youll, whose e-mail account is jim@newmediagroup.com, posted public messages supportive of those who have been working on a way to prevent Internet junk e-mail from reaching those who don't want it.

A business owner himself, Youll supports the right of businesses to advertise, but also believes that anyone who doesn't want the junk mail should be able to ban it permanently, and that criminal and civil recourse should be available to those who receive what has come to be called "Unsolicited Commercial E-mail" despite their requests that it not be sent to them. Youll also believes it should be illegal to send messages with forged headers, as it allows unscrupulous sellers to hide their true identities, and also allows massive "anonymous" attacks such as that perpetrated against him.

The attackers launched an inbound flood of messages addressed to Youll, then sent what is believed to be tens of thousands of messages outbound in several separate incidents over a period of thirteen days, fraudulently showing Youll's name and e-mail address as the sender. Recipients of the messages, already outraged at the volume of junk mail in their e-mail systems, wrote back to Youll to complain. And several thousand mis-addressed undeliverable messages "bounced" - contributing to the flood of the New Media Group mail system.

In all, the New Media Group mail server, which normally handles 20 to 30 messages a day, processed between 7,000 and 11,000 messages in fourteen days. Youll missed almost two weeks of work and has begun to incur attorney's fees which may amount to several thousand dollars as he seeks an investigation into the truth about what happened.



Diary - chronology of events

A. Wednesday, May 14, 1997 beginning at about 2120 EDT
About 300 messages began arriving into our system from two sources:

1. Messages which were misaddressed and returned to me. These were sent to subscribers of the Carleton Freenet in Canada, through the nevwest.com machine. The content of the messages was the letter which threatened me. Why THAT letter was sent to these people, I do not know. Sloppy work on the attackers' part, I suppose.

Explanation: This first run was apparently an e-mail bombing attack on the four people whose names appeared at the bottom of the message:
Derek Tam, al442@freenet.carleton.ca
Peter Kosta, bn816@freenet.carleton.ca
Simon Carr, ca999@freenet.carleton.ca
Raymond Y. Chow, al955@freenet.carleton.ca
When the sending failed, they bounced back to nevwest.com, which sent them to me. Of those, only the Derek Tam account was still active at the time. I have talked with Derek and he was the subject of another similar attack recently. He has also publicly opposed junk e-mail. I believe his account has since been disabled because it overflowed, and he has contacted me from another mailing address.

2. Several hundred of the threatening messages were sent directly to my mailserver by the computer nevwest.com, operated by CTE, Inc.


B. Wednesday, May 14, 1997 around 2200 EDT through Thursday, May 15
The first fraudulent message was mass-mailed to addressees all over the world the night and early morning (EDT) of 5/14 and 5/15. It bears my name as the sender and looks like an advertisement from me. The machine nevwest.com sent these messages, and we began receiving a barrage of letters of complaint throughout the day on 5/15.

C. Thursday, May 15, 1997 to Saturday May 17

1. A second fraudulent message was mass-mailed all over the world. This message took text from the web page on which I had offered a reward, and turned it into a "game" then bombarded people with it. The original message was still in there, so that the message began growing longer. These messages were apparently sent by the computer ispam.net, which is operated by Cyber Promotions. This resulted in several thousand undeliverable messages, which were returned to me Friday morning, 5/16 and throughout the day, and lots of angry messages and incoming mail from people who are so frustrated with junk mail and thought I had mailed them.

2. A repeat of the above happened early Saturday morning with apparently a very large number of messages sent out. This caused an incoming flood of thousands of undeliverable messages. Our service provider deleted some incoming mail to prevent his system filling up, and we reconfigured the systems to shift the load off his machines and onto ours. We processed several thousand messages Saturday morning, 4 to 6 per minute for several hours. These messages also were sent from ispam.net.


D. Sunday, May 18 to Monday May 19 and continuing to present

1. A new message, again containing the old information, and now adding some taunts about me and a notice I posted to the website which people were by now reading to follow up on this (thousands of people have read the information on the website since last Friday). This was mailed early Sunday evening, EDT, and we received a flood of incoming failed-messages, and more complaints. The message now contains text from me as well as an excerpt from a message posted to the newsgroup comp.dcom.telecom, making this the lengthiest message yet. I received letters of complaint about this one through the week and an occasional new complaint still shows up. This again references "youll2die" and they added the phrase "I know I'm a hero though" to some text they copied from a message I posted to the comp.dcom.telecom newsgroup. Nevwest.com was the machine which sent these messages out.


E. Sunday, May 18, 0200 GMT (2200 EDT)

Two messages were posted to the newsgroup news.admin.net-abuse.email

1. A taunting message critical of the members of the newsgroup and their campaign against unwanted junk e-mail.

2. From "postmaster" at Nevwest.com. It claims their "SMTP ports" were used without authorization and "We have blocked this sender and taken the appropriate actions to insure it does not happen again."


F. Monday, May 26, 0800 EDT and 1600 EDT

A new message was mass-mailed to an unknown but apparently very large number (thousands) of recipients. As of 0900 EDT we had begun receiving bounced messages from systems around the world. A second wave of mailings happened between about 1600 and 1730 EDT.

The relay machine for these messages was confirmed to be "relay5.ispam.net" [207.124.161.54]. This is a computer run by Cyber Promotions and connected to the Internet by New Jersey-based provider IDCI. The system at 207.124.161.54 at one point was hitting our server with > 20 messages/second of direct and indirect bounces.

Bounce messages from servers, and complaint messages from those who did not understand that the mailing was forged-by-losers were still coming in through 5/28 and are expected to continue for several days.


F. Thursday, May 29, 1425 EDT

No new progress to report. I'm having a hard time getting calls returned but it's a short week. Stay tuned. Maybe we'll get this figured out anyway and find these cowards. We're still getting a lot of angry mail and some bounces, though not nearly as much as we get when they do an outbound fraudulent mailing.

In other news, Cable&Wireless also has junk e-mailers on its network. C&W is publicly-traded and I am now additionally calling for C&W shareholders to demand that their company take a responsible position as we are demanding of Alltel. The C&W backbone was used in the attacks against me on 5/29.
 
 


G. Tuesday, August 12, 2300 EDT

An eighth "anonymous" fraudulent mailing was sent to thousands of people around the world this morning. As before, we have processed several thousand bounced messages, answered hundreds of messages of complaint, and continued the ongoing criminal investigation.

The reward is increased to $3,000 plus one case of Hormel Spam (tm) donated to a food pantry in your name for information leading to a successful criminal or civil prosecution of any party responsible for any of the Internet attacks against jim@newmediagroup.com

The attackers are using the same methods as always, and people on the Internet are becoming quite smart about ignoring this trash instead of trying to retaliate.
 
 


 
Impact
My businesses are small, but that doesn't mean this isn't important. We were practically shut down and I have suffered and will continue to suffer financially and personally because of this. The next attack could target anyone, myself or anyone else, and could happen at any time.

So far, I have missed the better part of two weeks' work, haven't slept much, and have incurred long distance charges calling places from Nevada to the UK. My company's name has been dragged through the mud, as was mine, and my telephone number has been sprayed all over the Internet, leading to angry, threatening phone calls and even death threats.

I have received, and answered, hundreds of angry messages from people who threatened to mass mail me because they were so angry that I "sent them" the junk mail. My attorney's fees alone are climbing well past $1,000 in these early stages.

This same type of attack closed down an Internet company (joes.com) for ten days in January, and has forced unfortunate individuals to lose the use of their private e-mail addresses for periods ranging from weeks to forever. This is not the first attack of this kind, but it's been one of the more brutal.




Copyright 1997 Jim Youll, all rights reserved
This document may be freely distributed provided any such redistribution presents the document in its original unmodified form including the copyright notice and this message.