E-mail 'cluster bombs' a disaster waiting to happen, computer scientists say

December 10, 2003

BLOOMINGTON, Ind. -- Internet users can be blind-sided by e-mail "cluster bombs" that inundate their inboxes with hundreds or thousands of messages in a short period of time, thereby paralyzing the users' online activities, according to a new report by researchers at Indiana University Bloomington and RSA Laboratories in Bedford, Mass.

IUB computer scientist Filippo Menczer and RSA Laboratories Principal Research Scientist Markus Jakobsson describe in the December 2003 issue of ;login: a weakness in Web sites that makes the e-mail cluster bombs possible. A miscreant could, the authors say, pose as the victim and fill out Web site forms, such as those used to subscribe to a mailing list, using the victim's own e-mail address.

One or two automated messages would hardly overload an e-mail inbox. But Menczer, associate professor of informatics and computer science, said special software called agents, web-crawlers and scripts can be used by the bomber to fill in thousands of forms almost simultaneously, resulting in a "cluster bomb" of unwanted automatic reply e-mail messages to the victim. The attack can also target a victim's cell phone with a sudden, large volume of SMS (short message service) messages.

"This is a potential danger but also a problem that is easy to fix," Menczer said. "We wanted to let people know how to correct the problem before a hacker or malicious person exploits this vulnerability, causing real damage."

The barrage of messages would dominate the bandwidth of an Internet connection, making it difficult or impossible for the victim to access the Internet. This is called a distributed denial-of-service attack, because a large number of Web sites attack a single target.

The attack works because most Web forms do not verify the identity of the people -- or automated software agents -- filling them out. But Menczer said there are some simple things Web site managers can do to prevent attacks.

"Often, subscribing to a Web site results in an automatically generated e-mail message asking the subscriber something like, 'Do you want to subscribe to our Web site?'" Menczer said. "We propose that Web forms be written so that the forms do not cause a message to be sent to subscribers at all. Instead, the form would prompt subscribers to send their own e-mails confirming their interest in subscribing. This would prevent the Web site from being abused in a cluster bomb attack."

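One way a Web site could implement the approach Menczer describes, shown as an added example that is not part of the original release or the authors' report. The form handler sends no mail and only returns a `mailto:` link; the subscription happens when the subscriber's own message arrives. The signed token, `SECRET`, `LIST_ADDR` and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

SECRET = b"constructed-demo-key"        # assumption: per-site secret key
LIST_ADDR = "subscribe@lists.example"   # hypothetical list address
TOKEN_TTL = 3600                        # seconds a form token stays valid

def _sign(address, issued):
    """MAC binding a form submission to one address and issue time."""
    msg = f"{address.strip().lower()}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]

def handle_form(address, now=None):
    """Web form handler. It sends NO e-mail to `address`; it only returns
    a mailto: link that the page shows to whoever filled in the form."""
    issued = int(time.time() if now is None else now)
    token = f"{issued}.{_sign(address, issued)}"
    return f"mailto:{LIST_ADDR}?subject={quote('subscribe ' + token)}"

def handle_inbound(from_addr, subject, now=None):
    """Inbound-mail handler. Subscribe only when the subscriber's own
    message carries a fresh token that was issued for that sender."""
    now = int(time.time() if now is None else now)
    parts = subject.split()
    if len(parts) != 2 or parts[0] != "subscribe" or "." not in parts[1]:
        return False
    issued_s, mac = parts[1].split(".", 1)
    if not (issued_s.isascii() and issued_s.isdigit()):
        return False
    issued = int(issued_s)
    if not 0 <= now - issued <= TOKEN_TTL:
        return False                    # expired or future-dated token
    expected = _sign(from_addr, issued)
    return hmac.compare_digest(mac.encode(), expected.encode())
```

The sender address on inbound mail is only as trustworthy as the receiving server's sender authentication, which this sketch does not perform.
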
Menczer was an assistant professor of management sciences at the University of Iowa's Henry B. Tippie College of Business when the study was initiated. Funding for the study came from a National Science Foundation Career Grant and the Center for Discrete Mathematics and Theoretical Computer Science at Rutgers University.

To speak to Menczer, contact David Bricker at 812-856-9035 or brickerd@indiana.edu. For more information about e-mail cluster bombs and how to prevent them, a more detailed description of the problem and solution can be retrieved from the World Wide Web at http://arxiv.org/abs/cs.CY/0305042.
-end-


Indiana University
