{"id":10376,"date":"2017-11-09T04:46:12","date_gmt":"2017-11-09T12:46:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/09\/news-4149\/"},"modified":"2017-11-09T04:46:12","modified_gmt":"2017-11-09T12:46:12","slug":"news-4149","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/09\/news-4149\/","title":{"rendered":"How Journalists Fought Back Against Crippling Email and Subscription Bombs"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a03978c63bb7742c185e410\/master\/pass\/Unknown-10.jpeg\"\/><\/p>\n<p><strong>Credit to Author: Julia Angwin| Date: Thu, 09 Nov 2017 12:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">It was 10 <\/span>am on a hot, humid Tuesday in August when I decided I could finally relax. After a frantic weekend of finishing a big story\u2014and typing so much that my forearms tingled\u2014I needed to decompress.<\/p>\n<p>I placed my phone on do not disturb, turned on my air conditioner, and blissfully spent an hour contorting myself into various poses on the yoga mat next to my bed.<\/p>\n<p>Precisely at 11 am, my yoga routine finished, I turned my phone back on to see a text message from my colleague Lauren Kirchner: \u201cI am under some kind of email attack.\u201d<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\"><em>This article was co-published with <a href=\"https:\/\/www.propublica.org\/\" target=\"_blank\">ProPublica<\/a>, where author Julia Angwin is a senior reporter.<\/em><\/p>\n<p>I was chagrined but not surprised. Lauren had been harassed all weekend, a result of an article we had coauthored about companies such as PayPal, Newsmax, and Amazon whose technologies <a href=\"https:\/\/www.propublica.org\/article\/leading-tech-companies-help-extremist-sites-monetize-hate\" target=\"_blank\">enabled extremist websites to profit from their hateful views<\/a>. 
Simply in the interest of journalistic fairness, Lauren had sought comment from about 70 websites designated as hateful by the Southern Poverty Law Center and the Anti-Defamation League.<\/p>\n<p>In return, her voicemail and her email inbox were filled with threats and insults. Her Twitter mentions were filled with people criticizing her appearance. Several of the sites she contacted posted negative articles about her, calling her a \u201cfascist\u201d and a \u201ctroll.\u201d Alarmed, she had asked the security guards in our building to not let anyone into the office who asked for her.<\/p>\n<p>But then I looked at my inbox and realized that something troubling was happening to me too: 360 emails had poured in while I was pretzeling myself. Every single one was a confirmation of a newsletter subscription or account signup from a website I\u2019d never heard of.<\/p>\n<p>\u201cThanks for signing up, here is your coupon!\u201d an email from the Nature Hills Nursery said. \u201cPlease Confirm Subscription\u201d Fintirement said. \u201cAccount details for xvwgnagycdm 1992 at ami-forum.org are pending admin approval,\u201d a Montessori organization in Australia said.<\/p>\n<p>\u201cI am under some kind of email attack as well. Jesus,\u201d I texted Lauren. Then I messaged my colleague Jeff Larson, who had shared a byline with me and Lauren on the article. His inbox was flooded too. Fortunately the inbox of our part-time colleague Madeleine Varner, who also had a byline but whose email address is not published on our website, was quiet.<\/p>\n<p>As a reporter who has covered technology for more than two decades, I am familiar with the usual forms of internet harassment\u2014gangs that bring down a website, haters who post your home address online, troll armies that hurl insults on a social network. But I\u2019d never encountered this type of email onslaught before. I wasn\u2019t sure what to do. 
\u201cHey Twitter\u2014any advice on what to do when somebody malevolent signs you up for a thousand email subscriptions, making your email <a href=\"https:\/\/twitter.com\/JuliaAngwin\/status\/900014242501447681\" target=\"_blank\">unusable<\/a>?\u201d I tweeted.<\/p>\n<p>At first it seemed like a funny prank, like ordering pizza delivered to an ex-boyfriend\u2019s house. \u201cTBH [to be honest] it\u2019s kind of a clever attack,\u201d I <a href=\"https:\/\/twitter.com\/JuliaAngwin\/status\/900014613881909249\" target=\"_blank\">tweeted<\/a> again.<\/p>\n<p>But as the emails continued to roll in, my sense of humor faded. By noon, the entire email system at our employer, ProPublica, was overwhelmed. Most of my colleagues could not send or receive messages because of the backlog of emails to me, Jeff, and Lauren that were clogging the spam filters.<\/p>\n<p>The tech team advised that it would likely have to block all incoming emails to our inboxes\u2014bouncing them back to senders\u2014to save the rest of the organization. A few hours later, when ProPublica pulled the plug on our email accounts, I realized that what our attackers did was no joking matter; they had cut off our most important avenue of communication with the world. \u201cPreparing to say goodbye forever to my inbox,\u201d I tweeted. \u201cIt does seem like killing a reporter\u2019s email account is the definition of a chilling effect, no?\u201d<\/p>\n<p><span class=\"lede\">Later I learned <\/span>that the type of attack aimed at me and my colleagues is often called \u201cemail bombing\u201d or \u201csubscription bombing.\u201d It\u2019s clever jujitsu that turns one of the hallmarks of spam prevention\u2014the confirmation email\u2014into a spam generator. 
It works like this: The attacker uses an automated program to scan the web for any signup form that asks for an email address, from a newsletter subscription to an account registration. It then inserts the target\u2019s email address into each of the forms, flooding the victim with confirmation emails.<\/p>\n<p>It\u2019s laughably easy to launch an email bomb. Anyone with decent technical skills can set up an automated program to enter email addresses across the web. Or they can buy a service that will automate the attack for $5 per 1,000 emails sent to an address, according to <a href=\"https:\/\/bitcointalk.org\/index.php?topic=1911379.0\" target=\"_blank\">ads on online hacker forums<\/a>.<\/p>\n<p>Despite its limited sophistication, email bombing is extremely difficult to defend against. Stopping it would either require every single website with an email entry form to take steps to identify and block automated entries, or some kind of network of email surveillance that would notice huge numbers of email signups and block the sending of confirmation emails. But neither approach is foolproof, and the latter could potentially erode the privacy of web users.<\/p>\n<p>In other words, email bombing is a perfect parable for 2017, a time in which we appear to be collectively losing faith in the promise of the internet. For the first 20 years of this new communications medium, it seemed to hold out the promise of fostering democracy and shifting the balance of power from the powerful to the masses. In recent years, though, a depressing realization has taken hold: The internet is fragile and easily exploited by hackers, trolls, criminals, creepy corporations, and oppressive governments.<\/p>\n<p>Social media in particular has become a battleground, filled with disinformation, hoaxes, and conspiracies\u2014some pushed by Russian trolls, we have learned, and some by our own homegrown harassers.<\/p>\n<p>Most disturbing is the rise of hateful, inflammatory speech. 
At its worst, it veers into the territory of what researcher Susan Benesch calls <a href=\"https:\/\/dangerousspeech.org\/faq\/?faq=200\" target=\"_blank\">dangerous speech<\/a>\u2014the type of propaganda that has historically been used in places like Rwanda and Hitler\u2019s Germany to convince people to commit violence.<\/p>\n<p>A hallmark of dangerous speech is called accusation in a mirror\u2014in which the inciter asserts that the listeners are in severe danger from the target group, thus allowing them to commit or condone violent action. A classic example is the lynchings of African Americans that became commonplace after the Civil War. Often the lynchings were incited by false accusations of rape\u2014allowing the murderers to profess that they were acting in defense of themselves and their families.<\/p>\n<p>On a much smaller scale, the assault on our inboxes may have been unleashed by similar assertions of victimhood. The websites that we had written about claimed to be under attack by Lauren\u2014because she had emailed them fact-checking questions\u2014allowing their followers to justify a tsunami of hateful attacks on us at ProPublica. One of Lauren\u2019s email correspondents called her an \u201cugly swine\u201d and hoped she would be raped by a Muslim refugee who threw acid in her face.<\/p>\n<p><span class=\"lede\">ProPublica is a <\/span>nonprofit newsroom dedicated to investigative journalism. We spend a lot of time and effort thinking about how to protect reporters, sources, and readers. 
We were one of the first major news outlets to launch <a href=\"https:\/\/freedom.press\/news-advocacy\/propublica-launches-new-version-of-securedrop\/\" target=\"_blank\">a secure whistle-blower submission system<\/a>, and the first to <a href=\"https:\/\/www.wired.com\/2016\/01\/propublica-launches-the-dark-webs-first-major-news-site\/\">publish<\/a> our site on the dark web so that readers could browse our stories anonymously.<\/p>\n<p>And we have run our own email server so that we haven\u2019t had to rely on the big providers such as Google and Microsoft. Unlike telecommunications companies, which are prohibited by law from listening to their customers\u2019 phone calls, there is no restriction against email providers reading their customers\u2019 communications. In fact, Google has long monitored the inboxes of its users to determine what type of ads to show them. (Google recently <a href=\"https:\/\/blog.google\/products\/gmail\/g-suite-gains-traction-in-the-enterprise-g-suites-gmail-and-consumer-gmail-to-more-closely-align\/\" target=\"_blank\">said<\/a> it plans to stop scanning Gmail inboxes for ad purposes).<\/p>\n<p>Our system was designed to fight the last war\u2014to defend against a traditional spam attack, in which an identical email is sent to multiple recipients. Its design didn\u2019t take into account the inverse strategy adopted by our harassers: thousands of unique emails sent to the same recipient. When our systems were overwhelmed, we didn\u2019t have the advantage of a major internet provider with massive capacity in its spam filter.<\/p>\n<p>Life without our work email accounts was a little strange. ProPublica gave us temporary accounts with different user names, but since no one knew these new email addresses and we were afraid to publicize them, our inboxes were eerily silent.<\/p>\n<p>I couldn\u2019t shake the worry that I was missing out on some important email that was being sent to my old address. Lauren had similar concerns. 
On the other hand, she says, \u201cI was intensely relieved that it had finally stopped. I could breathe.\u201d<\/p>\n<p>Jeff was determined to find out who launched the attack. He noticed that many of the confirmation emails came from websites using WordPress, a popular open source blogging software. For nearly a decade, WordPress users have requested that WordPress implement a feature that would make it harder for automated bots to complete registrations. But the programmers who contribute to the open source software project have not chosen to include features to block automated email signups.<\/p>\n<p>WordPress also has a commercial arm, Automattic, which offers paid services, including hosting. Automattic spokesman Mark Armstrong says the company only identified 312 emails to ProPublica that were likely part of the attack, and that the rest probably came from sites running WordPress that aren\u2019t hosted by Automattic. \u201cWe do not own, control, or have access to every single WordPress site in the world,\u201d he says.<\/p>\n<p>Jeff wrote a program to automatically email the owners of nearly 500 of the WordPress websites that had been hijacked to send us email. These emails had been sent automatically to confirm that we\u2019d signed up for an account, usually for the purpose of being able to post a comment on a blog. \u201cI&#x27;m a reporter with ProPublica, a nonprofit news organization,\u201d Jeff wrote. \u201cEarlier this week, we started receiving thousands [of] emails in our inboxes. After investigating them, we found that someone was signing us up for new accounts on sites like yours.\u201d He asked them to send him any information for the accounts created under our names.<\/p>\n<p>Only a handful of sites responded. One website owner, Raul Silva from Chicago, said he was shocked that his nearly abandoned blog\u2014he only posted once, in 2012\u2014was being used by bots. \u201cHoly crap! There are 2,800 registered users,\u201d Silva wrote to Jeff. 
\u201cMust be bots using the site as a launch board for spamming and scamming.\u201d<\/p>\n<p>A small web hosting company, Alterhosting, provided server logs that showed the IP address of the person who registered for an email account at ABetterFitYou.com under Jeff\u2019s name. We hoped the server logs would help us find out who had attacked us, but the IP address was a dead end. It led to a Tor exit node in Luxembourg that calls itself <a href=\"https:\/\/atlas.torproject.org\/#details\/05FFA39D71DA116F7669EA4EE53A0BAEA315BA7F\" target=\"_blank\">HelpCensoredOnes<\/a>. It\u2019s not unusual for bad actors to mask their activities behind Tor, a web browsing technology designed to conceal the identity of its users.<\/p>\n<p>\u201cEven though Tor is a force for good, it sometimes is used by evil people,\u201d says Shari Steele, executive director of the Tor Project. \u201cThe same tool that empowers activists in hostile regimes, journalists using off-the-record sources, and individuals trying to take back their privacy can also be used to launch email subscription bombs and do other nefarious deeds.\u201d<\/p>\n<p>No sooner had ProPublica cleaned up from the attack than it was hit again.<\/p>\n<p><span class=\"lede\">The day after <\/span>we were attacked, ProPublica was email bombed again, this time in response to a colleague\u2019s <a href=\"https:\/\/www.propublica.org\/article\/pro-russian-bots-take-up-the-right-wing-cause-after-charlottesville\" target=\"_blank\">article<\/a> about pro-Russian Twitter bots supporting white supremacists and their violent rally in Charlottesville, Virginia. 
ProPublica immediately blocked all incoming email to his address, preventing the spam filter from clogging.<\/p>\n<p>That same day, Jeff noticed something strange: One of his tweets about the email barrage against us\u2014containing an image of his overflowing inbox\u2014had been <a href=\"https:\/\/twitter.com\/thejefflarson\/status\/900466811270856705\" target=\"_blank\">retweeted<\/a> 1,200 times. Then Lauren realized that one of her tweets\u2014alerting people that her email was down and they should reach her by other means\u2014had also been <a href=\"https:\/\/twitter.com\/lkirchner\/status\/900338815965040641\" target=\"_blank\">retweeted<\/a> 1,200 times. Each of us had gained 500 new Twitter followers overnight.<\/p>\n<p>Clearly someone had unleashed some Twitter bots on us. But it was confusing: What was the point of making us seem more popular than we really were? Jeff speculated that maybe they were hoping we had turned on Twitter notifications and were being deluged with them. Or perhaps they wanted to tout their success at shutting down ProPublica\u2019s emails.<\/p>\n<p>It also wasn\u2019t clear whether the Twitter accounts swarming us were entirely automated or just humans following instructions. But the results were the same: They tweeted in formation, like synchronized swimmers. Twitter user @kirstenkellogg_ tweeted at us: \u201cProPublica is alt-left #HateGroup and #FakeNews site funded by Soros.\u201d Her tweet was <a href=\"https:\/\/twitter.com\/ericuman\/status\/900877797236891648\" target=\"_blank\">retweeted<\/a> more than 23,000 times. Twitter user <a href=\"https:\/\/twitter.com\/account\/suspended\" target=\"_blank\">@yoiyakujimin<\/a> tweeted that we were \u201cpresstitutes.\u201d That message was <a href=\"https:\/\/medium.com\/dfrlab\/botspot-the-intimidators-135244bfe46b\" target=\"_blank\">retweeted<\/a> more than 20,000 times. 
(Investor George Soros is a funder of ProPublica, providing less than 3 percent of its revenues, through his Open Society Foundation.)<\/p>\n<p>Jeff started to wonder how hard it was to actually launch a bot attack on Twitter. So he set up two fake Twitter accounts\u2014<a href=\"https:\/\/twitter.com\/FauxPublica\" target=\"_blank\">@FauxPublica<\/a> and <a href=\"https:\/\/twitter.com\/fauxpublicaru\" target=\"_blank\">@fauxpublicaru<\/a> in the Russian language. He tweeted from each account: \u201c<a href=\"https:\/\/twitter.com\/FauxPublica\/status\/901165461038968832\" target=\"_blank\">This is a tweet to show how many retweets we can buy.<\/a>\u201d<\/p>\n<p>Then he went shopping for retweets. Turns out there are plenty of companies that openly sell Twitter followers\u2014even though it\u2019s against Twitter\u2019s terms of service. But not all of them were willing to take our business, particularly for the fake Russian account. RedSocial, which describes itself as offering \u201csocial media promotion services starting from $1,\u201d turned us down. \u201cPlease take your business elsewhere,\u201d RedSocial wrote on our order for 5,000 Twitter retweets on the FauxPublicaRU account. It didn\u2019t explain why, but perhaps there is some honor even in the netherworld of social media.<\/p>\n<p>A company called <a href=\"http:\/\/followers-and-likes.com\/\" target=\"_blank\">Followers and Likes<\/a> had no such scruples. It sold us 10,000 retweets for the Russian FauxPublica account for $45, and 5,000 retweets for the English language FauxPublica account for $28. And we bought more expensive retweets from <a href=\"https:\/\/devumi.com\/\" target=\"_blank\">Devumi<\/a>, which charged $29 for 1,000, promising that its retweets will \u201clook 100 percent real.\u201d<\/p>\n<p>For just about $100, we had mustered an impressive bot army. Soon our test posts had thousands of retweets.<\/p>\n<p>Twitter declined to comment about our experience. 
It directed us to its policies that prohibit buying and selling Twitter accounts.<\/p>\n<p>Within two days, we were discovered\u2014but not by Twitter. Journalist Brian Krebs spotted our Russian language tweet and <a href=\"https:\/\/twitter.com\/briankrebs\/status\/902972987573510144\" target=\"_blank\">called it out on Twitter<\/a>. Krebs, journalist and author of the noted cybersecurity blog Krebs on Security, was struggling with his own Twitter account. A week earlier, he had been followed by 12,000 Twitter bots and he was <a href=\"https:\/\/krebsonsecurity.com\/2017\/08\/twitter-bots-use-likes-rts-for-intimidation\/\" target=\"_blank\">worried that they were malevolent<\/a>. Then some of his bots retweeted us, suggesting that his attacker had used the same paid services that we used.<\/p>\n<p>I called Krebs and explained to him that we were just doing a test. But I also had a question for him: What was the harm of these bots? It all seemed kind of innocuous to me. Not at all, he said: Being followed by too many bots could cause Twitter to kick you off the platform\u2014which had happened to another journalist, Joseph Cox, who had his account <a href=\"https:\/\/www.thedailybeast.com\/how-a-bot-army-probably-got-me-kicked-off-twitter\" target=\"_blank\">suspended<\/a> temporarily after being followed by bots.<\/p>\n<p>But after Krebs wrote <a href=\"https:\/\/krebsonsecurity.com\/2017\/08\/twitter-bots-use-likes-rts-for-intimidation\/\" target=\"_blank\">about the bot surges aimed at us and him<\/a>, our new followers evaporated. And the bot harassment declined, perhaps scared away by the glare of public scrutiny.<\/p>\n<p>Nowadays all that\u2019s left of the bots are two tweets that I <a href=\"https:\/\/twitter.com\/JuliaAngwin\/status\/907207492920385537\" target=\"_blank\">get every morning<\/a>\u2014one directed at just me, and one at me and my colleagues. 
Every day they come in from a new account so that it is difficult to block them in advance:<\/p>\n<p>\u201c@JuliaAngwin Why are all leftist bitches ugly?\u201d<\/p>\n<p>and<\/p>\n<p>\u201cFrom Russia with love: FUCK YOU! @lkirchner @JuliaAngwin @thejefflarson @iarnsdorf\u201d<\/p>\n<p><span class=\"lede\">It\u2019s not surprising <\/span>that Krebs was the one who spotted our bot shopping. Because his work takes him into the cyber underworld, Krebs is under constant attack and constantly alert to new forms of information warfare.<\/p>\n<p>He jokes that he is the Alderaan of the internet, a dark-humored reference to the planet that Darth Vader blows up in Star Wars to test the Death Star\u2019s destructive capabilities. When cybercriminals want to test a new technique, they often try it on Krebs.<\/p>\n<p>His website is often fending off distributed denial of service attacks in which thousands of computers try to connect to his site in the hopes of overwhelming it until it shuts down.<\/p>\n<p>Krebs was the first person I knew to get \u201cswatted.\u201d Swatting is when an attacker uses a spoofed phone number\u2014using shady techniques to make it seem as if a phone call is coming from a different number\u2014to call 911 purportedly from the victim\u2019s house. The attacker tells a scary story of kidnapping or home invasion, which prompts the police to dispatch a SWAT team\u2014hence the term \u201cswatted\u201d\u2014to the scene of the supposed crime.<\/p>\n<p>The victim first finds out about it when a SWAT team storms into the house in military gear. If he or she doesn\u2019t answer the door fast enough, SWAT teams may break it down with a battering ram and throw flashbang grenades inside. 
It is often difficult for the victim to explain, during the heat of the raid, that the call was not real.<\/p>\n<p>Krebs tried to warn his local police that he was a likely swatting target, but that didn\u2019t stop them from <a href=\"https:\/\/krebsonsecurity.com\/2013\/03\/the-world-has-no-room-for-cowards\/#more-19437\" target=\"_blank\">dispatching a team to his house<\/a> in 2013 after he had exposed a criminal underground forum selling Social Security numbers and credit reports. \u201cThis is kind of the real problem with cybercrime in general\u2014the costs for launching these attacks are so low and the costs of defending or blocking or recovering can be just extraordinary,\u201d Krebs says.<\/p>\n<p>In August 2016, a year before the email bombing of ProPublica, Krebs woke up on a Saturday morning to discover that his Gmail inbox was overflowing with newsletter subscriptions. Upon investigation, he learned that the attackers had also flooded the inboxes of <a href=\"https:\/\/krebsonsecurity.com\/2016\/08\/massive-email-bombs-target-gov-addresses\/\" target=\"_blank\">more than 100 government email addresses<\/a> around the world. When Krebs <a href=\"https:\/\/krebsonsecurity.com\/2016\/08\/massive-email-bombs-target-gov-addresses\/\" target=\"_blank\">wrote about<\/a> this attack, the companies that specialize in sending bulk email took notice. 
Email bombs had surfaced occasionally in the past, but the scale of the attack and the publicity on Krebs\u2019s blog prompted a new reckoning.<\/p>\n<p>A widely respected antispam service, Spamhaus, <a href=\"https:\/\/wordtothewise.com\/2016\/08\/subscription-bombing-esps-spamhaus\/\" target=\"_blank\">notified<\/a> several email providers whose services were used in the attack that they needed to stop the abuse. Spamhaus recommended that the \u201c<a href=\"https:\/\/www.spamhaus.org\/news\/article\/734\/subscription-bombing-coi-captcha-and-the-next-generation-of-mail-bombs\" target=\"_blank\">single best thing that can be done<\/a>\u201d would be for email lists to include a test known as a CAPTCHA to distinguish between human and automated signups. Most internet users know CAPTCHAs as the squiggly words or sequence of photos that they are asked to identify.<\/p>\n<p>Few companies adopted Spamhaus\u2019 recommendation. Email senders are not in the business of making it harder for people to receive their missives, especially when the people harmed by the sham signups are not their clients. And many individuals hosting email forms on their websites are not likely to install a bot detection system unless it\u2019s drop-dead simple. My personal website, for instance, uses WordPress for an email signup form. As we learned from the email bombing, WordPress is not designed for installing a CAPTCHA by default.<\/p>\n<p>Instead, at the email industry\u2019s get-together in June, <a href=\"https:\/\/www.m3aawg.org\/\" target=\"_blank\">M3AAWG<\/a>, the Messaging Malware Mobile Anti-Abuse Working Group, came up with an email surveillance strategy. 
Their solution, which is voluntary for companies to adopt, <a href=\"https:\/\/datatracker.ietf.org\/doc\/draft-levine-mailbomb-header\/\" target=\"_blank\">would identify subscription confirmation emails<\/a> with a special technical header. That would allow email services to filter and block confirmation emails during a subscription attack. The header would include the location of the computer that signed up for the subscription, exposing a new detail of personal information.<\/p>\n<p>The system also would make it easier for email inbox providers\u2014like Gmail\u2014to alert email senders to a possible subscription bomb attack.<\/p>\n<p>Severin Walker, chairman of the messaging group, told me that some of the biggest email systems have already introduced the new practice. \u201cWhile we may never get to 100 percent adoption, some fairly critical systems are adopting it,\u201d he says.<\/p>\n<p>MailChimp, one of the leading email sending services, said it has already introduced the technical header to help prevent subscription attacks. But at the same time, it has just announced it is dropping <a href=\"https:\/\/blog.mailchimp.com\/why-single-opt-in-and-an-update-for-our-eu-customers\/\" target=\"_blank\">its practice of requiring confirmation emails<\/a> before signing people up for newsletters (except in the European Union, which has strict privacy laws).<\/p>\n<p>Without that double confirmation, even more of the newsletters that I was unwittingly signed up for during the subscription attack would be sending me regular updates.<\/p>\n<p>Piotr Mathea, director of anti-abuse at a Polish email sender called <a href=\"http:\/\/www.getresponse.com\/\" target=\"_blank\">GetResponse<\/a>, says he is implementing the new header. 
\u201cI think it should help to weed out at least part of mail bombing,\u201d he says.<\/p>\n<p>Mathea says that the header had allowed him to notice the attack on ProPublica, and to block the sending of additional confirmation emails from his service. But clearly it wasn\u2019t enough to stop the full attack on us.<\/p>\n<p>I felt a bit leery about the prospect of the email subscription industry adding location monitoring. After all, I wrote a <a href=\"https:\/\/www.amazon.com\/Dragnet-Nation-Relentless-Surveillance-2015-02-10\/dp\/B01FIX0BO8\/ref=la_B001JS1GVE_1_3?s=books&amp;ie=UTF8&amp;qid=1510006427&amp;sr=1-3&amp;tag=w050b-20\" target=\"_blank\" rel=\"nofollow\">book<\/a> about the harms of pervasive surveillance. But now, in a world of global information warfare, I had to admit that the idea of a small organization like ProPublica mounting a solo defense against all attackers was becoming increasingly unrealistic.<\/p>\n<p>In the two months since the email bombing, our jobs have largely returned to normal. Lauren, Jeff, and I got our email accounts restored (minus a week\u2019s worth of messages), and Twitter deleted most of the accounts that badgered us. Still, we learned a sobering lesson about how easy\u2014and inexpensive\u2014it is for haters to disrupt our work. And it\u2019s likely only a matter of time before we will be attacked again. Information warfare\u2014as a tactic designed to silence and intimidate\u2014remains on the rise, and my colleagues and I don\u2019t plan to stop writing about online hate or any other controversial topic.<\/p>\n<p>The next time it happens, we plan on having stronger fortifications against attack. As Piotr told me: \u201cYou cannot change the cannon, but you can always hide yourself behind higher and thicker walls.\u201d<\/p>\n
<p><a href=\"https:\/\/www.wired.com\/story\/how-journalists-fought-back-against-crippling-email-bombs\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a03978c63bb7742c185e410\/master\/pass\/Unknown-10.jpeg\"\/><\/p>\n<p><strong>Credit to Author: Julia Angwin| Date: Thu, 09 Nov 2017 12:00:00 +0000<\/strong><\/p>\n<p>After ProPublica journalists wrote about hate groups, the trolls retaliated by signing them up for thousands of subscriptions. That was only the beginning.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-10376","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10376","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10376"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10376\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10376"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-
json\/wp\/v2\/categories?post=10376"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10376"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}