Domain: aa419.org
Stories and comments across the archive that link to aa419.org.
Comments · 75
-
More than just DDoS
At the moment http://www.aa419.org/ gives me the main pages of my own web server on my laptop
user@my-box:~$ host aa419.org
aa419.org has address 127.0.0.1
aa419.org mail is handled by 5 mail.aa419.org. -
Comments - phishing filter quality
Most of "top 10" list appears to be composed of reactive solutions, which rely on user reports. A proactive one automatically detects if a user is entering what appears to be a credit card or debit card number over an http or unsigned https connection - a common trait for most phishing sites.
Based on the article, Google Safe Browsing should either be at the top or bottom of the list, and not obscured by having a reactive entry in a more prominent position.
As a side note, these phishing sites want as much traffic as possible. We should give it to them - Lad Vampire handles the traffic, and the fake name generator gives the database entries. -
Re:Only Fools Wait Until The Last Minute
Slashdotting = HTTP request flooding which is a legitimate DoS tactic, albeit a relatively shitty one which only works with a large pool of attacking IPs and a target too stupid to set up mod_evasive or suchlike. It gets used more frequently than you might suppose because it's relatively easy for the non-technical to do, just throw up a page based on the LAD vampire script on some free host then get people to visit it. This tactic was recently used to hilarious effect against crazy racist Hal Turner.
-
Re:Ass-kicking
Can't you imagine: Spammer sitting in his recliner one spring evening. There is a knock on the door. He opens the door and there is a crowd of Slashdotters with baseball bats (disguised as Gandalf, stormtroopers or Neo). The spammer gets wooden shampoos and is "encouraged" to change his ways or he will receive another visit.
As you probably heard by now, one person was falsely accused of spamming because his e-mail address was used in the "From:" field of an e-mail spam.
With this in mind, are you 100% certain that a specific website performed or commissioned spamming? While the people at LadVampire are certain, they don't resort to their vigilante methods until it's obvious that the ISP is supporting the fake banks in question. -
Mustn't impede criminals, must we?
Damn! So now it's illegal to use a script to flood a phishing site with dummy credit card info.
Or to load the ladvampire to use up the daily file transfer allowances on 419er's fraudulent "banks".... -
Other ways to fight back
Spam vampire - sap the bandwidth of spamming web sites. Copy and paste the urls from the spam you receive into the config file (make sure to check them first), or just pick someone else's below. Leave it on all day.
http://thescambaiter.com/antispam/SpamVampire/index.htm (scroll down to "Other Vampires")
http://www.feedbackarchive.com/spamvampire/
http://spamdot.sourceforge.net/
One that targets 419 and bank sites:
http://aa419.org/vampire/ladvampire.php
Oh, and for you pussies that think fighting fire with fire is wrong, you can kiss our asses. They probably smell better than what is in your inbox anyway. -
DDoS spammers and fake banks?
Well, Artists Against 419 have already beaten you to that idea.
They seem to do pretty well at blowing them off the net, too. -
http://www.aa419.org/fake-banks/fakebankslist.php
-
Artists Against 419
I'm surprised nobody's mentioned Artists Against 419, you let the link run in an extra tab, and it sucks bandwidth from 419ers and fake banks. Lad Vampire
-
Lad Vampire
http://www.aa419.org/vampire/ladvampire.php
Let your bandwidth do the work. -
Re:Scambait: 419eater.com
Another way to help out (besides baiting) is to join in on the Halloween Flash Mob. Temporarily take down the fake bank sites that the scammers use to convince victims they're legit (and are often used for identity theft) by eating up their bandwidth! More info at http://www.aa419.org/
Can also use the lad vampire 24/7 to help take these fake bank sites down http://aa419.org/vampire/ladvampire.php
While not as fun as baiting, it helps to save numerous victims and requires virtually no time on your behalf :) -
Re:Sophistry at its finest...
No, it's completely different...the individuals participating willingly would be more accountable for their actions than the ones whose machines are infected.
Ya know, unless they've been modded to oblivion, I've never seen a negative comment about Artists Against 419. I've always considered that site an invitation to participate in a DDoS.
I have no problem if people take the choice to visit a spammer's website and surf around with no intention of buying or subscribing. As an individual taking a choice to manually navigate the site you can't be touched. But downloading some toolz to request data from a site and throw it away, repeatedly and continually, is participating in an attack, and I wouldn't expect a judge to view it any other way. -
Re:I've always thought
Lycos, the popular (sort of) internet portal, once tried this, launching a screensaver that would, when activated, essentially DDoS spamming/phishing sites and other such nasties. It got pulled pretty quickly because of, amongst other things, fear that the network could get hacked (or the phishers pointing their DNS records back to Lycos, essentially reflecting the DDoS back onto them) and doubts over the legality of such an attack, especially with someone with as deep pockets as Lycos to sue if it all came out on top - it was a hacker's and a lawyer's wet dream and it was duly pulled.
Remember, a DDoS is a DDoS is a DDoS, no matter how unsavoury the target. (though if you're feeling mischievous, you could try the LadVampire site, which pretty much does the same thing, only it's on the web rather than on your computer.) -
Artists Against 419 (was: justice)
A different, somewhat less problematic approach has been used by Artists Against 419. They link to images from 419 web sites to slurp their bandwidth which often shuts them down for a while when they exceed bandwidth limitations imposed by their hosting provider.
-
COME ON, LET'S DO IT!
http://www.aa419.org/vampire/ladvampire.html
I'm hijacking this spot to repeat an important post made further down the page.
EVERYBODY, open that URL in a new window/tab and let it run. You can have it in the background or minimise it. Bookmark it. In fact, make it your start page if you don't already have any useful start page.
"The Lad Vampire" automatically reloads images from fake bank websites used by scammers, exhausting their bandwidth quota.
Let's use the Slashdot effect for something good - overloading Nigerian scammers' fake websites. -
COME ON, DO IT!
http://www.aa419.org/vampire/ladvampire.html
Just repeating the URL for clarity's sake.
EVERYBODY, open that URL in a new window/tab and let it run. You can have it in the background or minimise it. In fact, make it your start page if you don't already have any useful start page.
Let's use the Slashdot effect for something good - overloading Nigerian scammers' fake websites. -
Fun Way to Join In
Just leave this website up in a tab in the background whenever you can: http://www.aa419.org/vampire/ladvampire.html
-
Re:justice
There are web pages that send a "flash mob" to their sites. You disable your browser's cache and then open the web page and it repeatedly loads images from the 419 sites. If a lot of people have the page open it will consume all of the bandwidth of the 419 sites. Kind of like the Make Love Not Spam screensaver that Lycos made. Essentially by a bunch of people constantly downloading the images from the sites it creates a DDoS attack on the site. I'm not too sure about the legality of an "attack" like this, but it is a cool idea.
-
Fix the problem...
It'll cost you your bandwidth, but it's not as much a threat to your geek identity... The lad vampire DOS's phishing and fake bank sites.
-
Artists Against 419 Slashdots Spammers
Artists Against 419 has a few projects to do things to Nigerian 419 scammers, including the Lad Vampire, which displays a set of graphics from scammers' fake bank sites and keeps reloading them to burn their bandwidth. ("The Lads" are the lads from Nigeria running the 419 scams.) There are a few other anti-spammer sites using similar code. They've closed a number of fake bank sites this way.
There are two different mechanisms that this approach uses. One is that many of the scammers run on free or cheap web pages with monthly traffic quotas, so if you burn their quota they're out of business. Another is that many sites charge for bandwidth based on 95th percentile usage, so if everybody gangs up on them for 5% of a month (about a day and a half) you can jack up their bill and then move on to the next target. It's especially effective for the few scammers who are actually running their websites in Nigeria, since that's mostly expensive satellite bandwidth, but they're more likely to be in some random European or Chinese web hosting farm.
Obviously it's only useful to run if you've got a network connection that doesn't have monthly bandwidth quotas of your own, because you don't want to slashdot yourself, but most US cable modem and DSL services don't. (Now if we could only get the Koreans to run this stuff :-)
A technical comment on AA419 - it's not very efficient, because it's simply using a browser to display the illustrations. That's fun to watch, but burns a lot of CPU, so if you're running the various SETI@Home types of CPU sinks, they won't get any work done. It would be really simple to build a shell script that loops wget>/dev/null requests (with caching turned off) which doesn't waste time displaying the targets. On the other hand, using the current site is a no-brainer for times that you're not busy.
-
Re:About your sig...
I meant that the link text has "Slashdot" in it, while the link target has nothing to do with Slashdot. Additionally, I was thinking of Slashdot as a noun or adjective, not a verb (i.e. someone who'd scammed Slashdot). "Slashdot the scammers!" would make it more obvious that you're using it as a verb. Still somewhat misnamed, though, since it has nothing to do with Slashdot.
I have nothing against the site. I, too, have run the Lad Vampire on occasion. Haven't tried Spam Research tool or others much yet, though.
-
About your sig...
Googlebombing by using sneaky techniques to promote your "403 Weapons of Mass Destruction Not Found" and "Miserable Failure"->"whitehouse.gov" pages was technically similar to SEO lying - but it was clever and amusing metacontent, and deserved its 15 minutes of fame, and watching the sleazy Republicans reply in kind was amusing too, but it's Been Done Now.
Maybe you should change your signature then?
--
Bill Stewart
Slashdot Scammers -
Re:"Evil"?
Can't a DDOS attack be a flood of HTTP requests too?
-
Re:Somebody else is a dumbass.
From http://aa419.org/content/bandwidth.php:
"Every image on our web site is hosted on a 419er's server."
So when you load their website, it also pulls images from 419-scam sites. Do you understand? -
Re:Who does this hurt?
Take a look at the targets list on the following page.
Tell me where a "real" site is listed there, each and every URL targeted belongs to the FAKE site.
-
Re:Block list
Well, the Artists Against 419 have the largest FREE database of fraudulent 419 and fake lottery websites on the internet. http://aa419.org/fake-banks/
Perhaps that might be a start for you guys.
-
Re:Pointless again...
That's what I get for posting after being up all night working...
Well, a couple of my points still apply. Such as the fact that a server owner may or may not be aware of the content hosted on their customers' web sites until after their box has been flooded off the Internet. I actually read through the site to see how it works, but right now one of the links (from the FAQ page) that lists their targets is 404'ed at the moment. The other one (which is also showing PHP errors) lists over 2000 taken down, but given the ease with which a new domain name could be acquired, redesigned, and pushed online, this appears to only be a stopgap measure anyway. -
Re:Why a binary?
Yeah, it's called "Lad Vampire", it's also at Artists Against 419, and you can find it here.
-
Re:Lad Vampire
I abhor vigilantism but lad vampire itself is an interesting, if not informative, concept. I wonder if the stock images used by the faux banks on their sites were legally paid for? If not, that kind of copyright infringement could be a potential legal argument brought against them, exposing their falsehood.
I giggled when I read one of the fake banks was named fichnet.net. At least some of the scammers have a sense of humor.
-
No mention of today's flash mob or Linux scripts??
The site is currently sponsoring a flashmob in celebration of Chinese New Year. It started 2005-02-08 at 16:00:01 GMT and lasts 48 hours.
One of the links from the flashmob page is for bash scripts suitable for Linux/*nix (and presumably OS X et al).
-
Lad Vampire
I like this, but prefer the lad vampire at the same site. There is something somehow more satisfying about watching the images flash by.
Just put it in a browser tab and let it run!
-
who got hurt?
I think it's important to make a distinction at least morally of who got hit with the $2mil damages.
For example, I'm pretty sure the lad vampire has done some significant ddos damage, but stealing from fake banks is cool with me. -
Lad Vampire
The Lad Vampire From http://www.aa419.org/ ROCKS
What happens when a 419er exceeds his bandwidth limit?
His server will produce an error 509. Another 419 fake bank web site is temporarily closed! Game over! To steal them even more bytes please use our best bandwidth tool The Lad Vampire (stealing scammer's bandwidth 24 hours / 7 days a week!), visit our gallery now or learn more about 419 fake banks here! -
What difference does it make where spam comes from
All the attention focused on who sends the spam and how, and from where it comes, leads nowhere.
Filtering, if you get really good at it, keeps your inbox fairly clean but does nothing about the huge volumes of spam flying around the Internet.
The only tactics that have hurt spammers are those that have increased the costs of the sponsoring Websites. The Lycos screen saver was delicious but failed because it depended on a central server and because a bunch of complete nitwits clucked and wrung their hands over the appropriateness or lack of same in hammering spamvertized Websites. Meanwhile spam continues and those same whiners do nothing meaningful about it.
The one controlling fact that seems to have escaped most of the discussion about spamfighting tactics is that almost all spam contains explicit invitations to visit sponsors' URLs. It's really that simple. If a sponsoring Website hires a spammer to send out millions of emails advertising the Website, the sponsor can't complain if millions of people accept the invitations and visit. Visitors to a Website have no obligation to buy anything.
Active spamfighting was first articulated in 2003 by Paul Graham in Filters That Fight Back. Graham is the person who popularized Bayesian filtering in 2002, about a year before he suggested that filters might actively punish the spamvertized sites they identify. To date no good tools have emerged for independent, distributed spamfighting of this type although many individuals have built scripts for using curl or wget to download files from spamvertized sites.
Until an open source, personal spamfighter is developed and released, the best way to fight back against spam is to use one of the Web-based "vampire" pages, either as maintained by someone else or customized to hit the sponsors of the spam you receive. They are called "vampires" because they suck bandwidth from the spamsites, thus increasing the costs of running spamvertized businesses.
- SpamVampire
- LadVampire downloads files from fake bank sites
- Spam Research Tool downloads files from current spamvertized sites
Any of the SpamVampire-type pages may be saved locally and modified. Once you have one of them running in your browser just right click and Save As to your desktop or other convenient place, then edit the list of sites/files at the end of the HTML page. The pages run just as well from your own hard drive as they do from servers.
Of course it's a pain in the butt to keep such an HTML page current, so there's something to be said for running someone else's updated page if it targets spamvertized sites of interest to you. LadVampire, for instance, targets fake bank sites that scam people out of millions. The Spam Research Tool is updated to target spamvertized sites and redirectors manually identified from spam received at its several hosted domains.
One of these days someone will build a bridge between the excellent URL de-obfuscation and identification contained in many of the filtering tools on the one hand and local spamsite downloaders like the SpamVampire genre. Then we'll be able to quickly and easily verify our own spamsite targets and pass the information to our own spammerhammers.
-
surf the spammers websites to make them stop
hit the spammers with your slashdot effect:
http://www.aa419.org/ladvampire.html
thank you.
just block the spammers networks and make your western/modern-world backbone providers also act and disconnect their networks from the chinese spam/scam networks.
send abuse also to your upstream/hosting/broadband/peering providers and make them block the fucking asian and southamerican spam/scam/virus-infected networx -
Blocklists, Teergrubes, Bandwidth Suckers
Active cracker DDOSing is mean and nasty and you shouldn't do it. But there are better-behaved ways to use group efforts to stop spammers.
- Blocklists are of course a critical tool - identify the spammers or the relays/proxies/zombies they exploit, publish their addresses so that people can reject mail from them.
- Sugarplums and other spam poisoners generate web pages full of bogus trap addresses for spammer address harvesters, so that they can DDOS themselves. Infinite-loop web pages, bogus email addresses, email addresses of other spammers, email addresses of teergrubes, spambait addresses on your machines that tell you to block anything from that IP address. Imagine if everybody set your 404-not-found page to include a few bogus addresses for spammers to email to...
- Teergruben are modified tarpit mail servers that answer SMTP v...errrrryyyyyyyy... sssssssllllloooooooowwwwwwwlllllllly, and can keep SMTP senders that talk to them tied up for minutes or hours. If you're running real SMTP on the same machine, you can configure the tarpit function to only happen for recognized spammer IP addresses, or else you can run a dedicated server (e.g. if you're not running your own SMTP on your DSL or cable modem.) One of these doesn't make much difference. Lots of teergrubes can tie up lots of spammers.
- Bandwidth Suckers like Artists Against 419 repeatedly download images from spammer websites to tie up their bandwidth. Because many web sites and ISPs charge for bandwidth on a 95th percentile basis, two days of heavy downloads can totally jack their bandwidth bill for a month, and small sites (e.g. free web pages) that have quotas can be taken out for the month by aggressive downloads (1GB is about 6 hours at 384kbps, so you can blow out a small quota overnight.)
-
Re:Another approach...
Speaking of attacking in every way possible, I'm surprised some group of "white hat hackers" hasn't come up with a DDOS spammer attack bot, kind of like the Lycos screensaver.
You have not looked at artists against 419, have you? It's not a bot, just a few web pages that continuously reload images from spammers' sites, but it seems to be effective.
-
fight scammers/spammers/phishers/abusers here
like the famous lycos screensaver but much better and more performant. surf the spammers and hit them with your bandwidth.
http://www.aa419.org/ladvampire.html
open in your favourite web browser and run it on huge broadband connections all day long 24/7 if you don't pay for bandwidth. don't use http-proxies for this page.
it will generate huge traffic for the scam/spam sites, and hopefully providers to shut down those damn pages.
thank you -
you dont need lycos screensaver - use the webpage
... instead to fight the damn scammers and scammers:
http://www.aa419.org/ladvampire.html
open in your favourite web browser and run it on huge broadband connections all day long 24/7 if you don't pay for bandwidth. don't use http-proxies for this page.
it will generate huge traffic for the scam/spam sites, and hopefully providers to shut down those damn pages.
thank you -
surf the spammers websites to make them stop
surf this webpage if you have broadband to make the spammers stop
www.aa419.org/ladvampire.html
www.aa419.org/ladvampire.html
generate traffic to the spammers and scammers websites, fake banks, and more. spammers gotta pay for their bandwidth, and if everybody slashdots their sick sites, they will go out of business.
thank you. -
eat spammers bandwidth with javascript/html
for example:
http://www.aa419.org/ladvampire.html
reloads pictures from spam pages every few seconds and eating up their bandwidth.
--
jail all spammers and scammers -
The User Friendly cartoon about that
UF Cartoon Pitr gets email saying "This is not Unsolicited Bulk Email", and decides to fixink their leetle red wagon. "What happened to our server?" "It's flooded. And there's an email here that says 'this is not a denial of service attack'".
There are different kinds of high-volume attacks against spammers. Some, like the Artists Against 419 web page just download lots of images from the spammer, burning their bandwidth quotas and their 95%ile billing systems. Some submit requests to the spammer's web forms filling them up with junk or complaints. Some send lots of complaint emails to the ISP. All of those seem perfectly fair, particularly if they're directed at the spammers' web pages which are usually cheap services. And yes, some of them try to take down the machine through various mechanisms, which can be rude.
-
Artists Against 419 Page hits a lot harder
The Artists Against 419 group's Lad Vampire page repeatedly downloads images from 419 scammers' (aka "The Lads"') web pages. It's using your browser to download and render them, so it uses more of your CPU resources than just running wget, but it's pretty easy. Also, on sites that pay by the popular "95th Percentile" bandwidth usage, you only need to pound on them for the first couple days a month to keep their bills high.
On the other hand, the articles on Lycos didn't explain exactly how their attacks worked, but if they're submitting lots of database queries to the spammer web pages to fill them up with garbage, it doesn't need as much bandwidth as a bandwidth-sucking attack.