One encouraging sign of our effectiveness in confronting Holocaust deniers and neo-Nazi elements on the Internet was a recent (January 2, 1996) attempt to flood Ken McVay's mailbox with mail from Netcom mailing lists -- in other cases where this has been done, users have been faced with hundreds upon hundreds of email messages from mailing lists that they did not subscribe to, and do not want.

In Mr. McVay's case, however, it was little more than a minor annoyance, as the system's mail filtering permitted him to quickly respond and automatically reject the unwanted mail.

We took it as a back-handed compliment from someone with too much time on his hands.

Although we didn't keep track of the numbers, since most of the defense process was automated, estimates are that Mr. McVay was subscribed, via forged email messages to Netcom's Majordomo list server, to about 200 different mailing lists (out of a possible 972).

The attacker's planned flood of electronic mail didn't materialize; about 30 messages arrived during a two-day period, and then the attacker apparently gave up. Our "gatekeeper" did the rest.

We trust that the he was appropriately gratified by what he must have thought to be a "major Aryan victory." Whatever satisfaction he took, however, could not have lasted long.

Concerned that our Aryan Warrior, frustrated by his failure, would simply switch targets, and pick on a user without the tools to deal with the flood of mail, we co-operated fully with Netcom, and Xensei.com, where the forgeries originated.

It is possible that this was an attack upon Netcom, rather than the Nizkor Project, although we doubt it. During the holiday period, a user at Carleton Freenet was not only flooded with unwanted mailing lists, but saw forged cancels issued for all of his articles as well. The culprit, perhaps to let Mr. McVay know he was the next target, sent him copies of all the cancel messages, and probably gloated.

It was an instructive exercise, because we learned of the existence of other extremist lists at Netcom, and we also learned how to fine-tune our defense system.

We also provided both Netcom.com and Xensei.com security with a copy of the probable forger's identity. It seems that one Xensei.com user, Jeff Dranetz, had openly bragged about his willingness to spam a user on the Stormfront mailing list only one day after he had begun his attack upon Nizkor -- January 3, 1996.

That same day, but a short time later, our intrepid Aryan hero asked for a user's email address, so he could "silence [that person] for a while."

Somewhat later that day, our hero received advice from Don Black and Milton Kleim, but, by then, it was already too late, whether he accepted that advice or not. His ego would not permit him to stop, since he had been having so much fun, although, perhaps in the vain hope he could cover his rear, he sent a note to Stormfront, saying that he wasn't going to do such naughty things. By then, of course, he had already done such naughty things to more than one user.

Round Two, if you could call it that, began on January 9, when a single "Welcome to our list" message got through our defenses, and was dealt with manually. A second subscription "Welcome" was automatically cancelled at 6:00 A.M. on January 10th by our automated gatekeeper. The battle, if that's what you want to call it, ended with a whimper.

On January 3rd, we notified Netcom's security, and sent them a copy of Mr. Dranetz's boastful letter, and asked for their co-operation. On January 10th, Netcom responded, and provided us with a copy of their mailer logs, which pointed directly at our Hero's service provider, Xensei.com.

We reminded Netcom of the material we had sent them, and provided additional updates as well, and advised them that we believed this same forger had been the one who had hit the Carleton Freenet user, and sent cancels to Mr. McVay. We provided Carleton with everything we had at the time, and asked them to compare Netcom's sendmail logs with theirs. We await the result with great glee.

Meanwhile, Xensei.com helpfully provided us with copies of their own sendmail logs and their dial-up accounting logs. (The relevant sections of those logs were sent to us in email, along with an explanation and an update.) These confirmed that the email to Netcom.com was indeed sent by Jeff Dranetz's account. Mr. Dranetz's account was suspended, pending an investigation into this matter. As the Xensei.com administrator wrote:

A cross reference of our dial-up accounting logs (also attached) shows that this IP address was in fact in use by the Xensei account "jeffd" at the time this message was received by our server for delivery.

The next day, Mr. Dranetz admitted to having been the forger, and his xensei.com account was removed.

The irony of this is that Mr. Dranetz, thinking he'd gotten off scot-free, just couldn't keep his mouth shut -- on January 5th, he had to tell somebody how terribly clever he was. He had overlooked one tiny little fly in the ointment. Namely, he had made some seriously flawed assumptions about how service providers handle their system logs:

Yes, it is indeed easy to change ones reply to address. But the true origin may be seen if your mailer allows a detailed veiw of the "header". It may not reveal the actual address, but it will reveal the server of origin and a number, a number the internet provider can use to look up the identity. The only "safe" way of using this technique to change ones address is to subscribe others to email lists. This is because as soon as the subscription takes place the original email message is destroyed in most systems. This saves the server a tremendous amount of drive space. Since it is destroyed, and only a record of the subscription exists, they can only see that someone subscribed to the list. They assume that the reply to is the true address.

His need to brag about his knowledge, rather than feeding his ego, must cap his embarrassment, because he completely overlooked the sendmail logs, and failed to realize that the server's logs were not even needed. A little learning is indeed a dangerous thing! (Many system administrators keep their logs for extended periods of time; we follow that practice here at Nizkor.)

As the final irony, Mr. Dranetz then advised the group on how to trace unwanted or abusive email -- defining, in succinct terms, precisely what we expect will now happen to him:

Look at the header. See if you can see the server of origin. Contact someone like webmaster@ helpdesk@ , etc to get to someone in the internet access provider company. Send copy of message. Tell them that death threats are a serious matter. Tell them you request their cooperation in the identification of the sender. Then with the info, contact the authorities. They do it to us. Turn the same laws against these liberal zealots that they use to silence the movement.

One cannot help but chuckle. Not only did he expose his ignorance in that final message, he also sealed his fate. All of his messages followed his attacks. Had they preceded them, he could have then claimed (although with the log's damning evidence, it wouldn't have helped much) that someone else, seeing his suggestion, had acted upon it in an attempt to frame him for the crime. With his own words, he had removed that alibi, and has left all the evidence pointing straight to him.

Mr. McVay was apparently subscribed to another Netcom mailing list, on January 14, at 23:45, but we did not discover this abortive attack until the following morning, when we checked our logs. The automated gatekeeper had notifed Netcom, and unsubscribed Mr. McVay from the list without human intervention.

[ Index ]

Home ·  Site Map ·  What's New? ·  Search Nizkor