During 5th August 1996, a number of unmoderated Usenet groups were deluged by computer generated spam.
Catherine Hampton, a group administrator for alt.religion.christian.boston-church, wrote:
We have a problem in alt.religion.christian.boston-church — a flood of vertical spam with varying From: lines, posted from different locations, and with no common string to allow us to killfile the slimeball.
The headers appear to be forged, and NNTP posting hosts don’t match Message IDs, which don’t match From: lines. Usually the Path: headers match the Message IDs. The majority of posting hosts/
sites appear to be European, and I recognize one as an open NNTP server used in the past for spamming/net abuse.
Both headers and message text consists of a string of unrelated English words, the majority long and somewhat complex.
Unfortunately, the Path headers have long since been stripped from the archived copies of the messages. However, we can get some idea of what they included from the workarounds Scott Forbes at Lucent suggested as it was all happening:
For YA-Newswatcher, use the following scorefile entries:
Kill where “Path” contains news.wvdp.com
Kill where “Path” contains news.speedline.ca
Kill where “Path” contains news.data.co.za
Kill where “Path” contains CINT_SRV02
For slrn, kill any post containing this header:
Nntp-Posting-Host: bagend.atl.ga.us
For trn 3.6:
/bagend.atl.ga.us/HNntp-Posting-Host:j
Other newsreaders:
If you can do string matching against arbitrary headers, kill any article
with the header “Nntp-Posting-Host: bagend.atl.ga.us”. Note that this is
*not* the same header as “NNTP-Posting-Host” — if your killfile only does
pattern matching against specified “standard” headers, don’t try this.
Which Usenet Groups Were Attacked?
Though there may well have been more, the groups I know to have been attacked were:
* news.admin.net-abuse.misc
* alt.religion.christian
* alt.religion.christian.boston-church
* misc.education.homeschool.christian
* pdaxs.religion.christian
* rec.music.christian
* uk.religion.christian
* alt.fan.jesus-christ
Oddly, some individuals also seem to have been attacked. Catherine Hampton wrote:
I have also been mailbombed by this idiot. I’m not sure how heavily, since after the first couple of messages appeared, I told procmail to send them to /dev/null and informed my ISP about this. I kept copies of the first two mailbomb messages, so if someone needs them to track the idiots down, let me know.
A Typical Message
Because MBOX files are just text files where the headers begin “From ” and there’s a double newline between the message headers and the message body, it’s quite straightforward to have a look at (most of) what was arriving. Here’s an archived message from alt.religion.christian.boston-church (though note that the “X-Deja-AN” line was almost certainly added later by Deja News, and the X-Google lines were added later by Google, who ended up owning the Deja News archives):
From 7995592138590870063
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: f788d,1ccdb08619d370e6,start
X-Google-Attributes: gidf788d,public
From: [email protected] (Dick Cerebrate)
Subject: Loft
Date: 1996/08/05
Message-ID: <d1pazxu [email protected]>#1/1
X-Deja-AN: 172316810
organization: Fodder
content-type: text/plain; charset=US-ACSII
mime-version: 1.0
newsgroups: alt.religion.christian.boston-church
treble pharmacology Arnold Sian pinball tsunami matte stockade heater
beauty paraffin keeshond inkling priori Romania proud Alphonse
prim histrionic ensconce meridional foil fob thereafter Thor Ronnie
belligerent Hoyt gerbil Ares boycott surprise Sandusky herb furlough
adoption Cahill accusation halogen plastisol drier Carib prank
Skopje devote uppermost negligent gibbet Rochester Linotype
The obvious things that emerge from reading even a few of these emails are:
* The “From:” email address field contents seem to be copied from a list (probably harvested from Usenet posts)
* The “From:” name (in brackets) is composed of a first name from a different list, followed by up to two words from the main list of body words
* The “Subject:” is composed of a word from a different list again, followed by up two two words from the main list of body words
* The words in the body seem to have been randomly pulled from a list of low-frequency words (again, probably harvested from Usenet posts)
* The “organization” header is filled in with a single word that appears to be randomized from a yet different list
So… Where Does “Markovian Parallax Denigrate” Fit In?
These three ‘signature’ words appeared more often than others in the body of postings to different Usenet groups (in the case of “Markovian”, roughly 8x as frequently as other body words, less so for the other two): but oddly, in alt.religion.christian.boston-church “Markovian” only appears twice in email headers, and never in any of the bodies.
So even though “Markovian Parallax Denigrate” has become the name by which these spam messages are generally known, the actual usage of them is much more nuanced than is generally thought or believed.
For instance, this was not at all true of the messages to the alt.religion.christian.boston-church group. There, most frequent spam words were “cindy” and “thimbu” (8 occurrences each), followed by “cress”, “pump”, “Denny”, “laissez”, “pussycat”, “photolysis”, “inflammation”, “millenarian”, “synergism”, “vet”, “Joss”, “Smithfield”, and “springboard” (7 occurrences each). “Markovian” only appears in two headers spammed to the alt.religion.christian.boston-church group. These are completely consistent with a purely random distribution, with no Markovian-style tweaking.
Yet at the same time, the rest of the body word list seems identical: for example, both contain “pornography” and “pornographer” but not “pornographic”. OK, there are too few words in the alt.religion.christian.boston-church spam messages to be completely sure (they only seem to use about a quarter of the overall body word dictionary), but this seems almost certain.
My suspicion is therefore that “Markovian” (plus “Parallax” and “Denigrate” to a lesser degree) may initially have been intended as trap words (i.e. for the spammer’s own killfile), e.g. so that he/she could easily filter out most/all spam traffic to news.admin.net-abuse.misc by deleting all messages with any of those words. I think this would have been important for the spammer, so that they could see the havoc they were wreaking as it happened, by reading the narked messages squeezed inbetween all the spam. The whole thing was, after all, surely a performance done more for the reaction than for the action itself, so where would the fun be in pissing admins off if you couldn’t see them being pissed off?
Who Was Behind This Attack?
At the time, Catherine Hampton posted:
There is some possibility that this is also a loon who hates Christians and/or Christianity, but IMHO it’s more likely that that side of things is a red herring to mislead people looking for the perpetrator.
It’s a little insulting to admit we’re probably irrelevant side-issues to this creep, but I think that’s the case. <sigh>
Since then, all manner of (to be honest, almost entirely speculative/rubbish) theories have emerged: one of the most famous of these was that the perpetrator was psychic-and-apparently-delusional “CIA asset” Susan Lindauer, because one of the email addresses used was susan_lindauer@…. However, in 2012 this theory was ably debunked by Kevin Morris, who showed that it had been a completely different Susan Lindauer (whose name had merely been randomly harvested, along with thousands of others), so we can leave both Lindauers and that theory well behind now. Which is nice.
Yet I think what we already know we can tell quite a lot about the spammer. The fact that he/she mailbombed Catherine Hampton would seem to me to be a sign that this was not one of America’s few angry atheists, virtually firebombing plucky Christians’ online temples: rather, I think this was instead a sign that the spammer was himself/herself a Christian (perhaps even one specifically living in Boston) who had been flamed or abused online, and had decided to pay back that grudge in a fairly public way. (Yet because the alt.religion.christian.boston-church group seemed to have purely random traffic (i.e. no “Markovian” trap word), it is possible that this was – as Catherine Hampton suspected – just a distraction from the news.admin.net-abuse.misc main event: so doubt remains.)
But even so: given that connection as a starting point, I strongly suspect that the choice of which groups to attack was also far from random. Rather, it would seem likely that the spammer was a subscriber to several (if not all) of those groups, and who held some kind of broader grudge. I’m sorry to have to point out the obvious, but from the 1996 group traffic I’ve gone through, online Christians had no obvious shortage of flamers (and indeed trolls) in their ranks: spam was already a significant Usenet-wide problem by then, and administrators were constantly having to cancel spam messages that sneaked past their extensive filters and killfiles.
So even though these were all unmoderated groups, the spammer still needed a pretty good knowledge of group post headers and spoofing tricks to get spam in: so we can say that this was someone who was very comfortable with the minutiae (and limitations) of current networking lore cirac 1996. (It would therefore seem reasonable to wonder whether he or she might well have been a group administrator at that time.)
Finally, from the number of different text lists that the spammer compiled to randomly fill the different fields, I think it is clear that he/she was someone who was not only computer literate, but also quite driven by the idea of producing unstoppable spam. I’m sure that this was an angry idea that (I think) had stewed and steeped over a period of time – that is, not something that impulsively happened in a single mad day (because nobody would produce so many different lists for merely a whim, however angry), but something premeditated that had built up over weeks or even months.
Bob Allisat?
The only non-Susan-Lindauer name I found suggested (trampolined by way of Emily D’s Ephemeral Curios) was by Phil Launchbury, who wrote (replying to Catherine Hampton on the same day):
The only common denominator is that the posting host has been set to Jan Isleys machine in Atlanta – probably as revenge for his legitimate cancelling activities.
The name of the perp that springs to mind is Bob Allisat… It may not be, but it has the same level of content and interest as the blank verse he spams across Usenet 🙂 He also has a long running (and on Bobs side) bitter feud with Jan & Atlanta in general.
To be honest, I’m quite certain that Bob Allisat’s not-really-very-good poetry – though he did resolutely spam it to multiple Usenet groups – has nothing at all in common with the whole Markovian ‘enterprise’. Though it is true that in 1995 he arranged an online “Poetry Slam [that] saw 15,000 plus wild poems, every poem differant, swamp the news.admin.net-abuse.misc newsgroup over the course of a few hours. The net.cops totally phreaked.” So I suspect Phil Launchbury may have named Bob Allisat just to annoy him back, rather than out of genuine suspicion. Just so you know. 🙂
In future poetry is all
that I'll be sharing with
you good folks out there.
I will be a plague of poetry,
an endless stream of poetry,
I will innundate you all with
poetry, I will flood every
discussion with poems, poems
and more poems. The world of
power guys and technotics
needs poetry to heal it's
twisted barbaric soulnessless
Could We Track Down The Markovian Spammer?
I think there is a reasonably good chance that the Markovian spammer subscribed to most (if not all) of the groups that were attacked during the year prior to 5th August 1996. Hence it might well be that if someone were to cross-check all the people who sent (genuine) posts to more than one of those lists during the previous year, we might have something resembling a short list of suspects (I’d expect no more than 4 or 5 people to remain). Looking for flamey reactions to their posts might also help order the list in terms of likelihood of being the spammer.
Perhaps someone has already tried this kind of forensic approach (Heaven knows the group admins were pissed off enough at the time): however, what remains of Internet commentary on “Markovian Parallax Denigrate” seems fairly lightweight, and I haven’t seen any clear attempt at doing so out there. Unless you know better?
