Date: Fri, 19 Feb 1999 12:52:54 -0800 (PST)

Recently I was asked “What did I do that I couldn’t go to Canada”, and before I was able to dialogue the tale I immediately heard “wasn’t it that thing with the felonies?”

The quick answer was “no”, but then I was asked to tell the story about “the felonies.” I still have the email that caused it all…

The Email

https://pastebin.com/yrk8Mu1N

From mastakraqur@yahoo.com Fri Feb 19 22:09:29 1999 
X-Apparently-To: kraqur@yahoo.com via mdd101.yahoomail.com 
Return-Path: <mastakraqur@yahoo.com> 
Received: from web507.yahoomail.com (128.11.68.74) by mta102.yahoomail.com with SMTP; 19 Feb 1999 12:58:33 -0800 
Message-ID: <19990219205254.24122.rocketmail@web507.yahoomail.com> 
Received: from [166.102.113.48] by web507.yahoomail.com; Fri, 19 Feb 1999 12:52:54 PST 
Date: Fri, 19 Feb 1999 12:52:54 -0800 (PST) 
From:  "im thamasta" <mastakraqur@yahoo.com> | Add to Address Book 
Subject: Final List 2-19-1999 
To:  kraqur_omega@yahoo.com,  kraqur_kid@yahoo.com,  cracker_the_bitch@yahoo.com,  milnko_98@yahoo.com,  hackerboy_99@yahoo.com, j_liv@hotmail.com 
MIME-Version: 1.0 
Content-Type: text/plain; charset=us-ascii 
Content-Length: 882 

Ok, this list is final....

If you feel like spamming during the weekend, it's cool.

Joelle Conti (whoever she is) told me to go to hell...

have fun!

-----------------------List
NHS list, slightly reduced:

all @ st.falcon.wnyric.org

Amy_Catanese
Nikki_Simmons
Ashley_Barnes
Corrie_Minton
Amanda_Nelson
Joelle_Conti
Elizabeth_Doud
Lisa_Hedstrand
Rebecca_Ball
Sarah_Lawson

Teacher List:

all @ ad.falcon.wnyric.org

leeann_richir
susan_leach
colleen_tompkins
maryann_whitney
jane_fosberg
richard_kestler
keith_kresconko
robert_sigler
sandra_arnold
michelle_black
cory_emory
william_kilmartin
lisa_lindquist
anita_searle
administrator

2 New ones.....

Kitty_Spicer            - Attendance...finally...
Richard_Rodriguez       - V.P.  Have fun...

This email is as it reads: A simple list of email addresses to send specific messages to. Emails with no subject, no body, as many as possible.

The sourced IP address 166.102.113.48 was owned by a company called Alltel, now Windstream, and was handed out to Dial-Up internet users.

The Bug

Yahoo Mail was one of the titans when it came to free email in the pre-millennium days. They made it easy to sign up, send, and receive emails through their intuitive web interface. It came as no surprise that their ease of use would be one of the best ways to commit an amplification attack without fully realizing it.

When composing an email you place the destination address in the To: line, write a subject, a body, click SEND, et voila your recipient gets your communiqué. You could also use a semicolon (;) to send an email to multiple recipients in the To: line. It didn’t take long before I realized you could use the same email address, semicolon-separated, in the To: line and send the same email multiple times to the same recipient. Repeat this same list of recipients in the Cc: and Bcc: lines of the composed email and you could send one email 40 times.

Not only did Yahoo Mail fail to cull or de-duplicate the destination addresses, but once you submitted an email you could use the Back button and Yahoo would have the entire form filled in with all the information you just posted. With this weapon already pre-loaded you could click Send again, repeat, and within one minute fire off hundreds of emails.
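A server-side check that closes both gaps described above, written as an added example (it is not Yahoo's code and not part of the original post): recipients are de-duplicated across To:, Cc: and Bcc: before delivery, and an identical form re-posted shortly after is refused. The names `unique_recipients` and `ResubmitGuard`, the cap of 25, the 60-second window and the sample addresses are all assumptions.

```python
import hashlib
import re
from email.utils import parseaddr

MAX_RCPTS = 25        # assumed per-message cap on distinct recipients
REPLAY_WINDOW = 60.0  # assumed seconds in which an identical re-post is refused


def unique_recipients(to="", cc="", bcc=""):
    """Merge To/Cc/Bcc into one delivery list, each mailbox at most once."""
    seen, out = set(), []
    for field in (to, cc, bcc):
        # The compose form described above took ';' between addresses; accept ',' too.
        for piece in re.split(r"[;,]", field):
            addr = parseaddr(piece.strip())[1]
            local, at, domain = addr.rpartition("@")
            if not (local and at and domain):
                continue  # empty or malformed entry
            key = f"{local.lower()}@{domain.lower()}"  # assumption: mailboxes are case-insensitive
            if key not in seen:
                seen.add(key)
                out.append(key)
    if len(out) > MAX_RCPTS:
        raise ValueError(f"{len(out)} distinct recipients exceeds cap of {MAX_RCPTS}")
    return out


class ResubmitGuard:
    """Refuse a byte-identical compose form re-posted within REPLAY_WINDOW."""

    def __init__(self):
        self._last = {}  # message digest -> time it was last accepted

    def accept(self, sender, rcpts, subject, body, now):
        blob = "\x00".join([sender.lower(), ",".join(sorted(rcpts)), subject, body])
        digest = hashlib.sha256(blob.encode("utf-8")).hexdigest()
        prev = self._last.get(digest)
        if prev is not None and now - prev < REPLAY_WINDOW:
            return False  # same form again (e.g. Back button, then Send)
        self._last[digest] = now
        return True


if __name__ == "__main__":
    # Constructed input: one address repeated across all three fields.
    field = ";".join(["Student@Example.org"] * 13)
    rcpts = unique_recipients(to=field, cc=field, bcc=field)
    guard = ResubmitGuard()
    print(rcpts, [guard.accept("sender@example.com", rcpts, "", "", t) for t in (0.0, 5.0, 70.0)])
```

The digest covers the empty subject and body too, so blank messages like the ones in this story are still recognised as repeats.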

Back in 1999, on dial-up, with schools and businesses using leased lines and having limited, expensive disk space and processing to store and sort messages, this became an amazing way to cause issues with little effort.

The Plan

A couple of friends of mine wanted to create some grief with a teacher (*not naming names), and we knew that classroom attendance was sent through the email to report who was/was not in classes. We conceived that delaying this system would be both hilarious as well as an acceptable level of grief. For some reason that escapes me the idea grew legs and we learned that people in the National Honor Society also had access to email, so they also became grief targets.

The plan was simple: Create a Yahoo account and, for 1 hour, send blank emails. No subject, No body. Just send as little data as possible, and do it for an hour.

The Effect

I started my day in English, 1st Period. My teacher had announced we’re having a quiz. Everyone got their paper, pencils were out, heads were down. My teacher walked through the middle of the class to the back of the room where her computer was and she turned it on. A couple minutes later after she opened up her email she softly exclaimed “Oh My!”, got up, walked over to the phone to the side of the room and placed a call stating that she can’t really do attendance due to email not stopping from coming in. A small giggle emanated from me.

Lunchtime came and we all gathered around our meeting spot to revel both in how long we spent on the task the night before as well as the visible impact of that day. Our grief had been done; Our lust had been satiated; We were happy teenagers.

The Phone Call

About a month later my mother received a phone call from the Buffalo Police Department. Shortly thereafter we had made the 70-mile drive to Court Street to talk with Officer Scott Patronik with the Computer Crime Unit. Being 17 at the time the happenstance could’ve easily fallen to my parents and I could’ve easily walked. Unfortunately, as it was explained to me, the combined attack ferried a couple million messages that required a couple days to clean up and someone had to pay for this.

The Aftermath

Court was in West Seneca, New York, and we had to make the drive every month or so. It was difficult to find a lawyer since crimes involving a computer and state lines were all felonies per charge, and each email was a charge. A million felonies. Lawyers would hear about this or see this and immediately inform my parents that they wouldn’t take the case and/or that I’m just sunk.

A brave soul, Peter J. Todoro, Esq, took my case.

Within 2 years I was sentenced to probation, a monthly check-in and restriction of not touching a personal computer.
