Do you run an Internet Service Provider or Internet-connected Bulletin Board Service in the metro Los Angeles area?
Has a woman (or two women) come to your office recently to open a temporary SLIP or PPP account "for my son" or "for my brother who will be staying with me for a month on vacation" -- happy, maybe even insisting, on paying for the month in cash, or paying for the account using a credit card with a name on it other than the name they give for the account holder?
Has a man called you and asked you to set up a temporary account "for a friend who is coming to visit?"
The odds are extremely good that this account is about to be abused by the "What Is Scientology?" Spam Team, as part of an ongoing theft-of-service and denial-of-service attack on a Usenet Newsgroup.
Do yourself a big favor; go lock the account they opened -- then come back and read the rest of this FAQ.
This FAQ attempts to answer the following questions:
1) What is the "What Is Scientology?" Spam Attack?
2) Who is the "What Is Scientology?" Spam Team?
3) How does the "What Is Scientology?" Spam Team work?
4) Where does the "What Is Scientology?" Spam Team operate?
5) What ISPs have been victimized by the "What Is Scientology?" Spam Team?
6) Does the "What Is Scientology?" Spam Team ever just leave an ISP?
7) What will happen if I just ignore the "What Is Scientology?" Spam Team while it's using my system?
8) Spamming isn't illegal. Why should I care about the "What Is Scientology?" Spam Team?
9) I think the "What Is Scientology?" Spam Team may have purchased an account on my system. What should I do?
10) I'm getting reports from people about the "What Is Scientology" Spam Team using my system, but I don't know what to do. How can I identify which accounts they are using? How can I stop them from spamming?
1) What is the "What Is Scientology?" Spam Attack?
Put simply, the "What Is Scientology?" (WIS) Spam Attack is an apparent attempt by someone -- either the "Church" of Scientology, its employees or its sympathizers -- to stifle the speech of people who discuss, on the Usenet Newsgroup alt.religion.scientology, the past and present wrongful practices and criminal acts of the Scientology organization, its leadership, its corporate entities, and its employees.
This attack has been in progress since May 19, 1996, and more than 100,000 posts have been flooded into alt.religion.scientology to date, in an apparent effort to "harass and discourage[1]" the regular participants in the ongoing discussions there.
More information may be obtained at the following URLs:
http://wpxx02.toxi.uni-wuerzburg.de/~krasel/CoS/spam/info.html
http://www.now.com/issues/15/44/News/feature.html
http://pathfinder.com/Netly/daily/960923.html
2) Who is the "What Is Scientology?" Spam Team?
The WIS Spam Team appears to consist of at least three people; a man of undetermined age, a young woman, and an older woman. Investigators have yet to make a complete identification, though certain names seem to keep coming up in the investigation. In the month of October 1996, the Spam Team appears to have developed new cover stories, and have been using these new stories to open accounts. They may also have recruited new personnel. As investigation turns up new cover stories, they will be included in future versions of this FAQ.
3) How does the "What Is Scientology?" Spam Team work?
The WIS Spam Team's modus operandi (M.O.) is fairly invariant. As described in the opening paragraphs of this FAQ, they typically open a temporary SLIP/PPP account on an ISP, paying for a month in advance. The account may remain idle for weeks, while the WIS Spam Team abuses other system's accounts in the following manner:
They find several open NNTP servers they can abuse. Once they begin to abuse an NNTP server, they will continue to post through it (using multiple forged From: addresses) between a dozen and 2000 articles a night, repeating sets of about 700 different articles (usually excerpts from the book "What Is Scientology?", or old Scientology press releases, always advertising several official Scientology Web sites), at a rate of up to ten per minute. They have been known to post 10,000 articles non-stop over a single weekend, sometimes using more than one account simultaneously.
They will not stop until forced to stop, either by the victimized NNTP server being closed to them, or by losing their account when the ISP identifies it. Some ISPs have reported closing more than one account at a time, either paid for in cash or using a third-party's credit card bearing a name other than the name given by the account holder. Addresses and phone numbers given by the WIS Spam Team are invariably phony.
Put simply, they lie. They are reported to be very convincing liars.
When the other accounts are closed by the other ISPs, your system's turn comes around.
4) Where does the "What Is Scientology?" Spam Team operate?
At present, the WIS Spam Team operates out of somewhere in the metropolitan Los Angeles area. There have been small spams not following the standard MO run out of other locations (including one using bitwise.net in Boston, and small spams from AOL) but they seem to be attempts at distraction from the standard pattern.
WIS Spam Team accounts have been closed all over the L.A. area, after being used by the WIS Spam Team to post thousands of articles to alt.religion.scientology, using NNTP servers all over the world[3].
5) What ISPs have been victimized by the "What Is Scientology?" Spam Team?
directnet.com, westworld.com, wdc.net, barepower.net, netroplex.com, interline.net, instanet.com, linkonline.net, loop.com, k-net.net, dsphere.com, wavenet.com, internetconnect.net, cyberesc.net, 4link.net and annex.com are just a FEW of the ISPs who have suffered from hosting WIS Spam Team accounts.
6) Does the "What Is Scientology?" Spam Team ever just leave an ISP?
No. Once begun, these attacks will continue for days (sometimes weeks) at a time. To my knowledge, he WIS Spam Team has never just left an ISP. They only stop when the ISP closes their account.
7) What will happen if I just ignore the "What Is Scientology?" Spam Team while it's using my system?
Because the newsgroup under attack, alt.religion.scientology, is one of the most-read Usenet newsgroups, the hounds of virtual hell come down on the WIS Spam Team's unfortunate ISP for the duration of the attack. Complaints come pouring in by email, fax, and telephone, along with megabytes of Spam article headers -- which may be useful to match logs against posting times when one tries to identify the offending account, but which tend to clog system administrators' inboxes.
Some systems have had to spend WEEKS (and hundreds of person-hours) identifying the offending account, all the while suffering flames -- by email and posted all over Usenet -- from victimized readers of alt.religion.scientology, and from other anti-net-abuse activists. It's unpleasant, to say the least.
Also, ISPs that demonstrate an inability or unwillingness to stop the WIS Spam Team's attacks often attract the attention of unsavory commercial Usenet spammers, who flock to those ISPs in the hope of perpetrating their own spams unhindered. Such customers, and the complaints they inevitably generate, are more trouble than the income from them is worth. Their activity is likely to further damage your system's reputation, and you may lose many of your respectable customers as a result.
8) Spamming isn't illegal. Why should I care about the "What Is Scientology?" Spam Team?
Small-scale spamming may not be illegal; but the kind of spam-flood the WIS Spam Team engages in -- attempting to make impossible the regular use of alt.religion.scientology -- falls in the category of Denial Of Service Attack, which is clearly illegal under 18 USC sec. 1030 [4]. (By the way, section 1030(g) provides for civil actions by injured parties, so once the Spam Team is caught, there is likely to be a long list of Federal civil suits brought against them, as well.)
Furthermore, by using NNTP servers other than those belonging to their ISPs to post thousands of articles without authorization from the owners of those servers (usually making use of little-known security holes in INN to post through NNTP servers not intentionally left open[5] -- the equivalent of picking the lock of a stranger's door to go into his house and make prank phone calls from the stranger's phone), the WIS Spam Team is committing Theft Of Services, also illegal under state laws in every one of the United States.
To compound their criminality, in the course of their attacks, the WIS Spam Team has been known to post (unauthorized, of course) through .gov and even .mil NNTP servers -- which is Unauthorized Use of Federal Computing Resources, illegal under 18 USC section 1030(a)(3).
The US Department of Energy is currently investigating just such abuses of Federal computing systems at Lawrence Berkeley Laboratory.
9) I think the "What Is Scientology?" Spam Team may have opened an account on my system. What should I do?
The FBI is also investigating this ongoing attack. If you think you may have innocently opened an account for the "What Is Scientology" Spam Team, give a call to one of the following FBI agents, each of whom has been briefed on this case:
Agent Hugh McLean Agent Charles Neal
Phone: 1-202-324-9164 Phone: 1-310-996-3854
Fax: 1-202-324-6363
And in the meantime, if you haven't already done what I suggested earlier, save yourself a whole lot of wasted time and trouble.
Lock the account now.
If you suspect IN THE SLIGHTEST that you may be a victim of the "What Is Scientology" Spam Team, or if you have opened an account in a manner that fits the M.O. described above, lock the suspect account.
Just lock it.
Don't send a warning or an inquiry. These criminals do not respond to warnings or inquiries. The WIS Spam Team, after they have received past warnings or inquiries, just remained logged on to the ISP's system 24 hours a day, pumping out the spam as long as they could get away with it, until the account was finally locked and their access was revoked.
If you lock the account and your suspicions are correct, you will probably not hear from the WIS Spam Team again. Once an account is locked, they do not complain; when the jig is up, they just move on to another unfortunate provider. While they have recently begun to return to providers where they had once before held accounts, it was only after having been elsewhere for several months.
If someone calls to complain about the locked account, the odds are good (unless the WIS Spam Team changes its M.O., which IS possible) that it's a legitimate account, and you can simply fix the "technical problem" and everything will probably be all right.
But please don't take any unnecessary chances. A few minutes of prevention here can save you many hours of cure.
If the holder of the suspect account does call and complain (especially if the account hasn't been used yet) it's probably a good idea to ask for (and make a record of) a telephone number you can call back for confirmation that the person calling is indeed the account holder. You can say that the callback is a necessary security measure.
Then call that number, and confirm that the person who called you is actually at that number, before unlocking the account. The WIS Spam Team will not give you a legitimate phone number (except, perhaps, the number of a public pay telephone) to call back, because it might be used later to identify them.
If you want to confirm the legitimacy of the telephone number, and you don't have access to a reverse telephone directory or a CD-ROM telephone directory, your telephone company will probably tell you if a particular telephone number is indeed that of a public pay telephone.
10) I'm getting reports from people about the "What Is Scientology" Spam Team using my system, but I don't know what to do. How can I identify which accounts they are using? How can I stop them from spamming?
There are a number of ways you can identify the accounts the Spam Team is using:
A) When they set up the account (or accounts) they are using, these people gave your staff false names and telephone numbers. The account may have been opened by one or two women who came into your office and paid cash for a brother/son who was going to visit them for a month; or a man may have called and opened an account over the phone with a promise to send in a check that has not come; or a man may have called up and asked you to set up an account "for a friend who was coming to visit"; or they may simply have opened a "free trial account", if you happen to offer them.
They were using a credit card (in a name different from the names they gave for themselves and the account holder) for a while, but they stopped that practice around July or August of 1996 -- though they may start doing that again at any time, especially if you require a credit card number to open a free trial account.
To identify which accounts are likely to be the Spam Team's, go through your recent new accounts, within the last month or so. Find out which of them fit these patterns. Try calling the numbers they gave you at different times of the day. If you get no answer, or if you get a message that it is a bogus number (or an office of the "Church" of Scientology), or if the phone company tells you it is a telephone booth, lock the account.
B) A harder (but surer) way is by gathering spam headers and checking the logs for the dialups listed in the NNTP-Posting-Host: header lines against the posting times in those headers, to determine which user matches all the times. This method is a lot more work, and it takes longer, but once you make the connection, it is certain. Then shut that account down. This is the system that several ISPs have used.
C) The third way may inconvenience some of your legitimate users who may legitimately use outside NNTP servers, but if all else fails, you may have to do what some other victimized ISPs have done -- ask your provider to filter outgoing NNTP connections from your site.
D) This Spam Team usually likes to operate through the night, because the small ISPs it likes to abuse tend not to have staff monitoring systems late at night, and they are less likely to get caught. During times when the Spam Team is likely to be active, use network monitoring tools like "netstat" under SunOS to check what ports are active between your dial-in server and the NNTP ports on other machines. A perl or shell script run from "cron" could easily log this activity with a minimum of mess.
E) Obtain the Caller-ID information from your dial-in lines. The Hylafax freeware for UNIX systems (you can find it at ftp://ftp.sgi.com/sgi/fax provides both dial-in and fax- in/out software that's very powerful and very friendly. It automatically collects Caller-ID from any modems that support the feature. It also easily supports mailfax gateways for your users (billed to their accounts with a bit of programming added) or only your staff, for faxing forms and bills to your customers. It also handles configuring modems for dialup and PPP rather well.
F) Sometimes the simplest measures can be the most effective. If your modems are external, walk over to them and watch the traffic on the LED's for a while when the Spam Team is likely to be working. The perpetrator is almost entirely *transmitting* data, for hours and hours. This is extremely unusual for dialup lines, which will more frequently download for extended periods.
G) You can make your system less inviting for the Spam Team if, in your contracts and connection messages on your systems, you remind users that you reserve the right to monitor their activity for security reasons.
Method A is generally the quickest and has proved over time to be the most effective; but a combination of the other methods may prove to be most useful for you, if you are unfortunate enough to be hosting the WIS Spam Team.
Good luck.
And be careful out there.
Footnotes:
[1] In 1955, L. Ron Hubbard wrote in A Manual on the Dissemination of Material (one of the Sacred Scriptures of the "Church" of Scientology), "The purpose of a lawsuit is to harass and discourage rather than to win. Don't ever defend. Always attack. Find or manufacture enough threat against them to cause them to sue for peace. ... The law can be used very easily to harass, and enough harassment on somebody who is on the thin edge anyway, well knowing that he is not authorized, will generally be sufficient to cause his professional demise. If possible, of course, ruin him utterly." This practice continues to this day, and the present spam-flood of alt.religion.scientology is merely the latest means of harassment being employed by this cult. For evidence that it IS the cult engaging in this harassment, I need only point out that all of the articles being spammed are (c) copyright "Church" of Scientology International, and no legal action is being taken against the perpetrator, while hundreds of persons who have quoted as few as seven lines of Scientology scripture on alt.religion.scientology received email from hkk@netcom.com (Helena K. Kobrin), attorney for the Cult, threatening legal action; and several cases are now pending in Federal courts against persons who quoted larger fair-use extracts of Cult scripture in discussion on alt.religion.scientology[2].[2] See http://www.tiac.net/users/modemac/cos.html, http://www2.thecia.net/users/rnewman/scientology/home.html and http://www.icon.fi/~marina/rnewman/index.htm for more information.
[3] The WIS Spam Team has only used its own ISP's NNTP server once, after having been on that system for a month, just as the account was due to expire (and its admins had just closed a second account on the same system). It was a sort of parting shot, one last insult added to the injury.
[4] See http://www.panix.com/~eck/computer-fraud-act.html for the text of 18 USC Section 1030.
[5] All official releases of INN through 1.4sec2 allow "blind" posting to any group on the server by anyone with posting authorization for any group. This is fixed in the more recent versions. The latest version is 1.5 -- see http://www.isc.org/isc/ for details.