E-mail "cluster bombs" a disaster waiting to happen, computer scientists say

Internet users can be blind-sided by e-mail “cluster bombs” that inundate their inboxes with hundreds or thousands of messages in a short period of time, thereby paralyzing the users’ online activities, according to a new report by researchers at Indiana University Bloomington and RSA Laboratories in Bedford, Mass.

IUB computer scientist Filippo Menczer and RSA Laboratories Principal Research Scientist Markus Jakobsson describe in the December 2003 issue of ;login: a weakness in Web sites that makes the e-mail cluster bombs possible. A miscreant could, the authors say, pose as the victim and fill out Web site forms, such as those used to subscribe to a mailing list, using the victim’s own e-mail address.

One or two automated messages would hardly overload an e-mail inbox. But Menczer, associate professor of informatics and computer science, said special software called agents, web-crawlers and scripts can be used by the bomber to fill in thousands of forms almost simultaneously, resulting in a “cluster bomb” of unwanted automatic reply e-mail messages to the victim. The attack can also target a victim’s cell phone with a sudden, large volume of SMS (short message service) messages.

“This is a potential danger but also a problem that is easy to fix,” Menczer said. “We wanted to let people know how to correct the problem before a hacker or malicious person exploits this vulnerability, causing real damage.”

The barrage of messages would dominate the bandwidth of an Internet connection, making it difficult or impossible for the victim to access the Internet. This is called a distributed denial-of-service attack, because a large number of Web sites attack a single target.

The attack works because most Web forms do not verify the identity of the people — or automated software agents — filling them out. But Menczer said there are some simple things Web site managers can do to prevent attacks.

“Often, subscribing to a Web site results in an automatically generated e-mail message asking the subscriber something like, ’Do you want to subscribe to our Web site?’” Menczer said. “We propose that Web forms be written so that the forms do not cause a message to be sent to subscribers at all. Instead, the form would prompt subscribers to send their own e-mails confirming their interest in subscribing. This would prevent the Web site from being abused in a cluster bomb attack.”

Menczer was an assistant professor of management sciences at the University of Iowa’s Henry B. Tippie College of Business when the study was initiated. Funding for the study came from an National Science Foundation Career Grant and the Center for Discrete Mathematics and Theoretical Computer Science at Rutgers University.

Media Contact

Indiana University

All latest news from the category: Communications Media

Engineering and research-driven innovations in the field of communications are addressed here, in addition to business developments in the field of media-wide communications.

innovations-report offers informative reports and articles related to interactive media, media management, digital television, E-business, online advertising and information and communications technologies.

Back to home

Comments (0)

Write a comment

Newest articles

NASA: Mystery of life’s handedness deepens

The mystery of why life uses molecules with specific orientations has deepened with a NASA-funded discovery that RNA — a key molecule thought to have potentially held the instructions for…

What are the effects of historic lithium mining on water quality?

Study reveals low levels of common contaminants but high levels of other elements in waters associated with an abandoned lithium mine. Lithium ore and mining waste from a historic lithium…

Quantum-inspired design boosts efficiency of heat-to-electricity conversion

Rice engineers take unconventional route to improving thermophotovoltaic systems. Researchers at Rice University have found a new way to improve a key element of thermophotovoltaic (TPV) systems, which convert heat…