Programs delete 25,000 Usenet newsgroup messages Cancelbot programs cause havoc By Elinor Mills

October  1996

Mail this article to a friend

San Francisco -- More than 25,000 postings to a variety of Usenet groups were deleted in late September by a series of automatic "cancelbot" programs in the latest Internet security attack, owners of several Internet Service Providers (ISP) confirmed. The programs were traced back through servers run by UUNet Technologies Inc. and other ISPs to a subscriber of Cottage Software, a small ISP in Tulsa, OK, according to Rick Adams, UUNet founder and chief technology officer.

Cottage Software has canceled the account of the unidentified user and turned information over to the FBI, said William Brunton, president and founder of Cottage Software. The user, whom Brunton said had signed up several days before the attack was launched, apparently went through other ISP servers to get to the newsgroups.

"People frequently try to launder things through UUNet," said Adams. "But the dumber ones don't know that we log the source of every incoming article."

Despite patterns in the cancelbot messages that might indicate the user was targeting certain newsgroups, Adams believes the user was accessing random newsgroups and deleting all new postings over the weekend.

"This person attacked everything. He canceled every article that arrived at his site," Adams said. "He didn't actually read the articles. It looks like his program just sat there and pretended to be another computer and sucked the entire distribution down."

In creating the delete messages, the user typed in certain words as category labels or descriptions of types of postings, according to Adams. For instance, all computer-related postings were tagged as "geekcancel." Of the 25,536 cancellation messages discovered, 14,757 had "geek" labels, while others related to gays and pornography and used ethnic and other slurs, Adams said.

"The canceling thing has always been a problem," he said, downplaying the seriousness of the attack. Adams characterized it as a "serious nuisance" and "petty vandalism."

"The root problem is a hole in the way that Usenet works," said Stanton McCandlish, program director at the Electronic Frontier Foundation in San Francisco. "There's no real authentication process for canceling posts." Canceling wars have been going on for years, most notably with the Church of Scientology canceling postings of former members who they accused of illegally posting copyright protected texts. However, users have figured out ways to broaden the scope of the cancellations and do more damage, said McCandlish.

"There's no law that really covers this. It's possible that the `interference with data in storage' law could come into play, but that probably won't work," he said. "This is an issue that's probably going to have to be solved at the technical level." The key to preventing abuse while maintaining the privacy of users is to only allow the originator of a posting to be able to delete it, McCandlish said.

The Internet Engineering Task Force (IETF) is looking at ways to stop this and other types of attacks on the Internet, according to Don Heath, president and CEO of the Internet Society.

"As time goes on, the Internet will be less of a novelty and more of a functioning part of society, but people are playing with it and abusing it in the process," he said. "We will find ways to build tools into the network to stop it. People are working literally 24 hours a day to beat that technologically."

Dave Kennedy, director of research at the National Computer Security Association in Carlisle, PA, said finding a technology solution to cancelbot messages would be tricky. He said he's not sure of a way to stop cancelbots.
--Elinor Mills, IDG News Service, San Francisco Bureau

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-10-1996/swol-10-usenetnews.html
Last modified: