
"What is Scientology?" (ARSBOMB) Spam Team FAQ for Los Angeles Area ISPs


Archive-name: scientology/spam-team-faq
Posting-Frequency: monthly, on or about the 15th of the month
Last-modified: 1997/04/11
Version: 1.7 -- Final
URL: http://www.panix.com/~tbetz/WIS_Spam_Team_FAQ.html

PREFACE:
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

Because the Spam Team stopped its attack sometime in December, 1996, and 
(as of the second week of April, 1997) they have shown no sign of 
restarting it, this is the final appearance of this monthly FAQ on Usenet.  

I shall retire it after this posting.

Because of its value to novice ISPs as a reference for spammer-
fighting techniques, I shall maintain a copy of the 22 Dec 1996 release 
posted below at <http://www.panix.com/~tbetz/WIS_Spam_Team_FAQ.html> 
for the indefinite future.   

Should the attack recommence, I shall, of course, resume posting the FAQ.

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-


The "What Is Scientology?" Spam Team FAQ for Los Angeles Area ISPs

Version 1.7  -- 22 Dec 1996

    Do you run an Internet Service Provider or Internet-connected
    Bulletin Board Service in the metro Los Angeles area?

    Has a woman (or two women) come to your office recently to
    open a temporary SLIP or PPP account "for my son" or "for my
    brother who will be staying with me for a month on vacation"
    -- happy, maybe even insisting, on paying for the month in
    cash, or paying for the account using a credit card with a name 
    on it other than the name they give for the account holder?

    Has a man called you and asked you to set up a temporary 
    account "for a friend who is coming to visit?"

    The odds are extremely good that this account is about to be
    abused by the "What Is Scientology?" Spam Team, as part of 
    an ongoing theft-of-service and denial-of-service attack on a
    Usenet Newsgroup.

    Do yourself a big favor; go lock the account they opened -- 
    then come back and read the rest of this FAQ.

*-----------------------------------------------------------------*

This FAQ attempts to answer the following questions:

1)  What is the "What Is Scientology?" Spam Attack?

2)  Who is the "What Is Scientology?" Spam Team?

3)  How does the "What Is Scientology?" Spam Team work?

4)  Where does the "What Is Scientology?" Spam Team operate?

5)  What ISPs have been victimized by the "What Is Scientology?" 
    Spam Team?

6)  Does the "What Is Scientology?" Spam Team ever just leave 
    an ISP?

7)  What will happen if I just ignore the "What Is Scientology?" 
    Spam Team while it's using my system?

8)  Spamming isn't illegal.  Why should I care about the 
    "What Is Scientology?" Spam Team?

9)  I think the "What Is Scientology?" Spam Team may have purchased 
    an account on my system.  What should I do?

10) I'm getting reports from people about the "What Is Scientology" 
    Spam Team using my system, but I don't know what to do.  How can 
    I identify which accounts they are using?  How can I stop them
    from spamming?

*-----------------------------------------------------------------*

1)  What is the "What Is Scientology?" Spam Attack?

Put simply, the "What Is Scientology?" (WIS) Spam Attack is an 
apparent attempt by someone -- either the Church of Scientology, its
employees or its sympathizers -- to stifle the speech of people who
discuss, on the Usenet Newsgroup alt.religion.scientology, the past
and present wrongful practices and criminal acts of the Scientology
organization, its leadership, its corporate entities, and its
employees.

This attack has been in progress since May 19, 1996, and more 
than 100,000 posts have been flooded into alt.religion.scientology to
date, in an apparent effort to "harass and discourage[1]" the regular
participants in the ongoing discussions there.

More information may be obtained at the following URLs:

  http://wpxx02.toxi.uni-wuerzburg.de/~krasel/CoS/spam/info.html
  http://www.now.com/issues/15/44/News/feature.html
  http://pathfinder.com/Netly/daily/960923.html

2)  Who is the "What Is Scientology?" Spam Team?

The WIS Spam Team appears to consist of at least three people;  a man
of undetermined age, a young woman, and an older woman. Investigators
have yet to make a complete identification, though certain names seem
to keep coming up in the investigation.  In the month of October 1996, 
the Spam Team appears to have developed new cover stories, and has 
been using these new stories to open accounts.  They may also have 
recruited new personnel.  As investigation turns up new cover stories, 
they will be included in future versions of this FAQ.


3)  How does the "What Is Scientology?" Spam Team work?

The WIS Spam Team's _modus_operandi_ (M.O.) is fairly invariant.  As
described in the opening paragraphs of this FAQ, they typically open a 
temporary SLIP/PPP account on an ISP, paying for a month in advance.  
The account may remain idle for weeks, while the WIS Spam Team abuses
other systems' accounts in the following manner:

    They find several open NNTP servers they can abuse.   Once
    they begin to abuse an NNTP server, they will continue to
    post through it (using multiple forged From: addresses) between a
    dozen and 2000 articles a night, repeating sets of about 700
    different articles (usually excerpts from the book "What Is
    Scientology?", or old Scientology press releases, always
    advertising several official Scientology Web sites), at a rate of
    up to ten per minute.  They have been known to post 10,000
    articles non-stop over a single weekend, sometimes using more 
    than one account simultaneously.

    They will not stop until forced to stop, either by the
    victimized NNTP server being closed to them, or by losing
    their account when the ISP identifies it.  Some ISPs have
    reported closing more than one account at a time, either
    paid for in cash or using a third-party's credit card bearing a
    name other than the name given by the account holder. Addresses
    and phone numbers given by the WIS Spam Team are invariably phony.

    Put simply, they lie. They are reported to be very convincing liars.

When the other accounts are closed by the other ISPs, your system's turn
comes around.


4)  Where does the "What Is Scientology?" Spam Team operate?

At present, the WIS Spam Team operates out of somewhere in the 
metropolitan Los Angeles area.  There have been small spams not 
following the standard MO run out of other locations (including
one using bitwise.net in Boston, and small spams from AOL) but 
they seem to be attempts at distraction from the standard pattern.

WIS Spam Team accounts have been closed all over the L.A. area, 
after being used by the WIS Spam Team to post thousands of articles 
to alt.religion.scientology, using NNTP servers all over the world[3].


5)  What ISPs have been victimized by the "What Is Scientology?" 
    Spam Team?

directnet.com, westworld.com, wdc.net, barepower.net, netroplex.com,
interline.net, instanet.com, linkonline.net, loop.com, k-net.net,
dsphere.com, wavenet.com, internetconnect.net, cyberesc.net, 4link.net 
and annex.com are just a FEW of the ISPs who have suffered from hosting 
WIS Spam Team accounts.


6)  Does the "What Is Scientology?" Spam Team ever just leave 
    an ISP?

No.  Once begun, these attacks will continue for days (sometimes
weeks) at a time.  To my knowledge, the WIS Spam Team has never just 
left an ISP.  They only stop when the ISP closes their account.


7)  What will happen if I just ignore the "What Is Scientology?" 
    Spam Team while it's using my system?

Because the newsgroup under attack, alt.religion.scientology, is one
of the most-read Usenet newsgroups, the hounds of virtual hell come
down on the WIS Spam Team's unfortunate ISP for the duration of the
attack.  Complaints come pouring in by email, fax, and telephone,
along with megabytes of Spam article headers -- which may be useful to
match logs against posting times when one tries to identify the
offending account, but which tend to clog system administrators'
inboxes.

Some systems have had to spend WEEKS (and hundreds of person-hours)
identifying the offending account, all the while suffering flames --
by email and posted all over Usenet -- from victimized readers of
alt.religion.scientology, and from other anti-net-abuse activists. 
It's unpleasant, to say the least.

Also, ISPs that demonstrate an inability or unwillingness to stop the
WIS Spam Team's attacks often attract the attention of unsavory
commercial Usenet spammers, who flock to those ISPs in the hope of
perpetrating their own spams unhindered.  Such customers, and the
complaints they inevitably generate, are more trouble than the income
from them is worth.  Their activity is likely to further damage your
system's reputation, and you may lose many of your respectable
customers as a result.


8)  Spamming isn't illegal.  Why should I care about the 
    "What Is Scientology?" Spam Team?

Small-scale spamming may not be illegal;  but the kind of spam-flood
the WIS Spam Team engages in -- attempting to make impossible the
regular use of alt.religion.scientology -- falls in the category of
Denial Of Service Attack, which is clearly illegal under 18 USC sec.
1030 [4].  (By the way, section 1030(g) provides for civil actions by
injured parties, so once the Spam Team is caught, there is likely to
be a long list of Federal civil suits brought against them, as well.) 

Furthermore, by using NNTP servers other than those belonging to their 
ISPs to post thousands of articles without authorization from the owners 
of those servers (usually making use of little-known security holes in 
INN to post through NNTP servers not intentionally left open[5] -- the 
equivalent of picking the lock of a stranger's door to go into his 
house and make prank phone calls from the stranger's phone), the WIS 
Spam Team is committing Theft Of Services, also illegal under state 
laws in every one of the United States.

To compound their criminality, in the course of their attacks, the WIS
Spam Team has been known to post (unauthorized, of course) through
.gov and even .mil NNTP servers -- which is Unauthorized Use of
Federal Computing Resources, illegal under 18 USC section 1030(a)(3).

The US Department of Energy is currently investigating just such
abuses of Federal computing systems at Lawrence Berkeley Laboratory.


9)  I think the "What Is Scientology?" Spam Team may have opened 
    an account on my system.  What should I do?

The FBI is also investigating this ongoing attack.  If you think you
may have innocently opened an account for the "What Is Scientology"
Spam Team, give a call to one of the following FBI agents, each of
whom has been briefed on this case:

   Agent Hugh McLean                  Agent Charles Neal
   Phone: 1-202-324-9164              Phone: 1-310-996-3854
   Fax:   1-202-324-6363

And in the meantime, if you haven't already done what I suggested
earlier, save yourself a whole lot of wasted time and trouble.

Lock the account now.

If you suspect IN THE SLIGHTEST that you may be a victim of the "What
Is Scientology" Spam Team, or if you have opened an account in a
manner that fits the M.O. described above, lock the suspect account.  

Just lock it. 

Don't send a warning or an inquiry.  These criminals do not respond 
to warnings or inquiries. The WIS Spam Team, after they have received
past warnings or inquiries, just remained logged on to the ISP's system 
24 hours a day, pumping out the spam as long as they could get away with 
it, until the account was finally locked and their access was revoked.

If you lock the account and your suspicions are correct, you will probably
not hear from the WIS Spam Team again.  Once an account is locked, they do
not complain;  when the jig is up, they just move on to another unfortunate 
provider.  While they have recently begun to return to providers where 
they had once before held accounts, it was only after having been elsewhere 
for several months.

If someone calls to complain about the locked account, the odds are
good (unless the WIS Spam Team changes its M.O., which IS possible)
that it's a legitimate account, and you can simply fix the "technical
problem" and everything will probably be all right.

But please don't take any unnecessary chances.  A few minutes of
prevention here can save you many hours of cure.

If the holder of the suspect account does call and complain
(especially if the account hasn't been used yet) it's probably a good
idea to ask for (and make a record of) a telephone number you can call
back for confirmation that the person calling is indeed the account
holder.  You can say that the callback is a necessary security
measure.  

Then call that number, and confirm that the person who called you is
actually at that number, before unlocking the account.  The WIS Spam
Team will not give you a legitimate phone number (except, perhaps, the
number of a public pay telephone) to call back, because it might be
used later to identify them.

If you want to confirm the legitimacy of the telephone number, and you
don't have access to a reverse telephone directory or a CD-ROM
telephone directory, your telephone company will probably tell you if
a particular telephone number is indeed that of a public pay telephone.

10) I'm getting reports from people about the "What Is Scientology" 
    Spam Team using my system, but I don't know what to do.  How can 
    I identify which accounts they are using?  How can I stop them
    from spamming?

There are a number of ways you can identify the accounts the Spam 
Team is using:

A) When they set up the account (or accounts) they are using, these 
   people gave your staff false names and telephone numbers.  The 
   account may have been opened by one or two women who came into 
   your office and paid cash for a brother/son who was going to visit 
   them for a month;  or a man may have called and opened an account 
   over the phone with a promise to send in a check that has not come;
   or a man may have called up and asked you to set up an account 
   "for a friend who was coming to visit"; or they may simply have 
   opened a "free trial account", if you happen to offer them.

   They were using a credit card (in a name different from the names
   they gave for themselves and the account holder) for a while, but
   they stopped that practice around July or August of 1996 -- though 
   they may start doing that again at any time, especially if you 
   require a credit card number to open a free trial account.

   To identify which accounts are likely to be the Spam Team's, go 
   through your recent new accounts, within the last month or so.  
   Find out which of them fit these patterns.  Try calling the numbers 
   they gave you at different times of the day.  If you get no answer, 
   or if you get a message that it is a bogus number (or an office of 
   the Church of Scientology), or if the phone company tells you it 
   is a telephone booth, lock the account.

B) A harder (but surer) way is by gathering spam headers and checking
   the logs for the dialups listed in the NNTP-Posting-Host: header
   lines against the posting times in those headers, to determine which
   user matches all the times.  This method is a lot more work, and it
   takes longer, but once you make the connection, it is certain.
   Then shut that account down. This is the system that several ISPs
   have used.

C) The third way may inconvenience some of your legitimate users
   who may legitimately use outside NNTP servers, but if all else
   fails, you may have to do what some other victimized ISPs have
   done -- ask your provider to filter outgoing NNTP connections
   from your site.

D) This Spam Team usually likes to operate through the night,
   because the small ISPs it likes to abuse tend not to have staff 
   monitoring systems late at night, and they are less likely to 
   get caught.  During times when the Spam Team is likely to be 
   active, use network monitoring tools like "netstat" under SunOS 
   to check what ports are active between your dial-in server and 
   the NNTP ports on other machines. A perl or shell script run 
   from "cron" could easily log this activity with a minimum of 
   mess.

E) Obtain the Caller-ID information from your dial-in lines. 
   The Hylafax freeware for UNIX systems (you can find it at 
   <ftp://ftp.sgi.com/sgi/fax>) provides both dial-in and fax-
   in/out software that's very powerful and very friendly. It 
   automatically collects Caller-ID from any modems that support 
   the feature.  It also easily supports mailfax gateways for 
   your users (billed to their accounts with a bit of programming 
   added) or only your staff, for faxing forms and bills to your 
   customers. It also handles configuring modems for dialup and 
   PPP rather well.

F) Sometimes the simplest measures can be the most effective. 
   If your modems are external, walk over to them and watch the 
   traffic on the LEDs for a while when the Spam Team is likely 
   to be working.  The perpetrator is almost entirely *transmitting* 
   data, for hours and hours. This is extremely unusual for dialup 
   lines, which will more frequently download for extended periods.

G) You can make your system less inviting for the Spam Team if, 
   in your contracts and connection messages on your systems, you 
   remind users that you reserve the right to monitor their activity 
   for security reasons.
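
Method B above, worked through as an added example (not part of the
original FAQ): it matches NNTP-Posting-Host: and Date: headers from
reported spam against dial-up session records and names the user who
was on the right line for every post.  The log format, host names,
user names and the two-minute clock-skew allowance are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: headers of three spam articles forwarded in complaints.
SPAM_HEADERS = [
    "From: forged1@example.com\nNNTP-Posting-Host: ppp07.isp.example\n"
    "Date: Sat, 14 Dec 1996 02:10:31 -0800\n\n",
    "From: forged2@example.com\nNNTP-Posting-Host: ppp03.isp.example\n"
    "Date: Sat, 14 Dec 1996 03:40:05 -0800\n\n",
    "From: forged3@example.com\nNNTP-Posting-Host: ppp07.isp.example\n"
    "Date: Sun, 15 Dec 1996 01:05:00 -0800\n\n",
]

# Constructed dial-up accounting log in a hypothetical format:
# user  dialup-host  login (UTC)  logout (UTC)
SESSION_LOG = """\
alice  ppp07.isp.example 1996-12-14T09:00:00 1996-12-14T09:45:00
jsmith ppp07.isp.example 1996-12-14T09:50:00 1996-12-14T11:00:00
bob    ppp03.isp.example 1996-12-14T10:00:00 1996-12-14T10:30:00
jsmith ppp03.isp.example 1996-12-14T11:15:00 1996-12-14T14:00:00
carol  ppp07.isp.example 1996-12-15T08:00:00 1996-12-15T09:01:00
jsmith ppp07.isp.example 1996-12-15T09:05:30 1996-12-15T12:00:00
"""

def parse_posts(raw_headers):
    """Return (dialup_host, posting_time_utc) for each article header block."""
    posts = []
    for raw in raw_headers:
        msg = message_from_string(raw)
        host, date = msg["NNTP-Posting-Host"], msg["Date"]
        if host is None or date is None:
            continue  # a complaint without both headers cannot be correlated
        when = parsedate_to_datetime(date).astimezone(timezone.utc)
        posts.append((host.strip().lower(), when))
    return posts

def parse_sessions(log_text):
    """Return (user, dialup_host, login_utc, logout_utc) per log line."""
    sessions = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, host, start, stop = line.split()
        sessions.append((user, host.lower(),
                         datetime.fromisoformat(start).replace(tzinfo=timezone.utc),
                         datetime.fromisoformat(stop).replace(tzinfo=timezone.utc)))
    return sessions

def correlate(posts, sessions, skew=timedelta(minutes=2)):
    """Count, per user, the posts made while that user held the posting host."""
    hits = Counter()
    for host, when in posts:
        # A set, so a user is counted at most once per post.
        hits.update({u for u, h, start, stop in sessions
                     if h == host and start - skew <= when <= stop + skew})
    return hits

def suspects(posts, sessions, skew=timedelta(minutes=2)):
    """Users whose sessions account for every single post."""
    hits = correlate(posts, sessions, skew)
    return sorted(u for u, n in hits.items() if n == len(posts))

if __name__ == "__main__":
    print(suspects(parse_posts(SPAM_HEADERS), parse_sessions(SESSION_LOG)))
```

With no skew allowance the third post falls 30 seconds before the
matching login and no user covers all three posts, so compare the
clocks involved before trusting a near miss.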

Method A is generally the quickest and has proved over time to be 
the most effective;  but a combination of the other methods may 
prove to be most useful for you, if you are unfortunate enough to 
be hosting the WIS Spam Team.
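
The cron-driven logging suggested in method D, as an added example
(not part of the original FAQ): it reads "netstat -n" output, keeps
ESTABLISHED connections whose remote port is 119 (NNTP), and writes
one log line per local address.  The sample output, addresses and log
file name are constructed; the parser accepts both the dotted
address.port form and the address:port form.

```python
import re
import subprocess
import time
from collections import defaultdict

NNTP_PORT = "119"
# "a.b.c.d.port" (BSD/SunOS-style netstat) or "a.b.c.d:port"
ADDR = re.compile(r"^(\d+\.\d+\.\d+\.\d+)[.:](\d+)$")

# Constructed sample of "netstat -n" output (documentation addresses).
SAMPLE = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0   4096  192.0.2.17.1042        198.51.100.5.119       ESTABLISHED
tcp        0      0  192.0.2.17.1043        203.0.113.9.119        ESTABLISHED
tcp        0      0  192.0.2.21.1030        198.51.100.80.80       ESTABLISHED
tcp        0      0  192.0.2.1.23           192.0.2.44.1100        ESTABLISHED
tcp        0      0  192.0.2.30:2001        198.51.100.5:119       TIME_WAIT
"""

def nntp_connections(netstat_text):
    """Return (local_ip, remote_ip) for each ESTABLISHED connection to port 119."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[-1] != "ESTABLISHED":
            continue
        # The first two address-shaped fields are local and remote.
        addrs = [m for m in map(ADDR.match, fields) if m]
        if len(addrs) < 2:
            continue
        local, remote = addrs[0], addrs[1]
        if remote.group(2) == NNTP_PORT:
            found.append((local.group(1), remote.group(1)))
    return found

def log_lines(netstat_text, stamp):
    """One line per local address: timestamp, address, count, remote servers."""
    by_source = defaultdict(list)
    for local_ip, remote_ip in nntp_connections(netstat_text):
        by_source[local_ip].append(remote_ip)
    return ["%s %s nntp_conns=%d servers=%s"
            % (stamp, src, len(dst), ",".join(sorted(dst)))
            for src, dst in sorted(by_source.items())]

if __name__ == "__main__":
    # Run from cron every few minutes during the overnight hours.
    out = subprocess.run(["netstat", "-n"], capture_output=True, text=True).stdout
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
    with open("nntp-watch.log", "a") as log:  # hypothetical log file name
        for line in log_lines(out, stamp):
            log.write(line + "\n")
```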

Good luck.

And be careful out there.

Footnotes:

[1] In 1955, L. Ron Hubbard wrote in
_A_Manual_on_the_Dissemination_of_Material_ (one of the Sacred
Scriptures of the Church of Scientology), "The purpose of a lawsuit 
is to harass and discourage rather than to win. Don't ever defend. 
Always attack. Find or manufacture enough threat against them to 
cause them to sue for peace. ... The law can be used very easily to
harass, and enough harassment on somebody who is on the thin edge
anyway, well knowing that he is not authorized, will generally be
sufficient to cause his professional demise. If possible, of course,
ruin him utterly."   This practice continues to this day, and the
present spam-flood of alt.religion.scientology is merely the latest
means of harassment being employed by this cult.  For evidence that it
IS the cult engaging in this harassment, I need only point out that
all of the articles being spammed are (c) copyright Church of
Scientology International, and no legal action is being taken against
the perpetrator, while hundreds of persons who have quoted as few as
seven lines of Scientology scripture on alt.religion.scientology
received email from hkk@netcom.com <Helena K. Kobrin>, attorney for
the Cult, threatening legal action; and several cases are now pending
in Federal courts against persons who quoted larger fair-use extracts 
of Cult scripture in discussion on alt.religion.scientology[2].

[2] See <http://www.tiac.net/users/modemac/cos.html>, 
<http://www.cybercom.net/~rnewman/scientology/home.html> and
<http://www.icon.fi/~marina/rnewman/index.htm> for more information.

[3] The WIS Spam Team has only used its own ISP's NNTP server once,
after having been on that system for a month, just as the account was
due to expire (and its admins had just closed a second account on the
same system).  It was a sort of parting shot, one last insult added to
the injury.

[4] See <http://www.panix.com/~eck/computer-fraud-act.html> for the 
text of 18 USC Section 1030.

[5] All official releases of INN through 1.4sec2 allow "blind" posting 
to any group on the server by anyone with posting authorization for 
any group. This is fixed in more recent versions. 

The latest version is 1.5 -- See <http://www.isc.org/isc/> for details.


-- 
|We have tried ignorance       |      Tom Betz       (914) 375-1510            |
|for a very long time, and     | Want to send me email? First, read this page: |
|it's time we tried education. | <http://www.panix.com/~tbetz/mailterms.shtml> |
|<http://www.pobox.com/~tbetz> |   I mock up my reactive mind twice daily.     |


Send corrections/additions to the FAQ Maintainer:
tbetz@pobox.com





Last Update March 27 2014 @ 02:12 PM