Slashdot Mirror
Lycos Declares War on Spam Servers
Psychotext writes "The Register have posted a story about a new screensaver from Lycos that targets known spam servers (taken from spamcop and verified by hand) with traffic in order to raise their bandwidth costs and hopefully price them out of the game. Lycos state that this is not a DDOS as Lycos monitors the site's responsiveness and throttles back when the site starts to falter. The screensaver is available here for Mac OSX, Mac OS9 and Windows, though you might need to lie about what country you are from." Reader JohnGrahamCumming writes "As part of preparing for the MIT Spam Conference I've put together a survey on what people are experiencing out there with spam, what they are doing about and followed it up with a test of different views of an inbox filled with spam and ham. You can take the test and be part of the survey results in January."
...too bad this also wastes bandwidth across the net.
I'm sure Lycos will love it when the spammer updates their DNS to point to Lycos.
Seems like they're just sinking down to the level of the spammers in order to try and fight them. As much as I hate spam, I cannot get behind this kind of activity. They're just adding more useless traffic, in the name of justice. Sorry, nice idea in theory, but I sincerely hope it never takes off.
This will never survive the legal challenges it will face. At least some of these companies can claim to be "legitimate" businesses. Of course if they just produce the list of addresses we can surely work out something involving wget for ourselves.
Humor from a Genetically Molested Mind
With all the blackhole lists, private IP filters and now screensaver-based DDOS, large parts of the IPv4 address space are becoming wastelands that won't be inhabitable even after spammers are driven out. Heck, a friend of mine just heard that a few class A blocks were just assigned to APNIC and immediately firewalled them off. There's got to be a better solution!
This doesn't seem like a very constructive solution. Hiking up bandwidth costs of spammers will certainly not solve any portion of the problem, as we've seen how much these people rake in. Not to mention the questionable ethics in a process like this. Lycos would be better off trying to work with other companies to try and somehow blacklist or filter all this garbage traffic instead of adding to it. As it stands, this is just some pathetic pissing match. Nice going, Lycos.
Try actually thinking for yourself. It's quite refreshing.
they can call it "NOT a DDOS" all they want, but it doesn't really change the facts. Technically speaking, they are right, because they are not trying to cause a Denial of Service, but I think that really in spirit it's not much different enough. While I certainly have no sympathy for spammers, I know that this is certainly not something that I'm going to be installing, as someone living in the US, because it seems to me that it's certainly possible for someone to win a lawsuit against the company or the people running this software.
Famous Last Words: "hmm...wikipedia says it's edible"
Bad idea, Lycos - nobody (no human, anyhow) likes spam - but the rest of us have so far refrained from crap flooding the net to stop it.
-- Cheers,
-- RLJ
Lycos is wrong on this one. Part of the problem with SPAM is that despite the appearance of email being free, there are hidden costs (Kind of like environmental impact costs). In the case of SPAM the costs are bourne by the ISP / bandwidth providers and the recipients time, energy, and money. Lycos makes the problem worse for the ISP.
Hell, if I were a SPAMMER, why not add some third party advertisements to my SPAM page. Perhaps each hit from these screensavers would generate revenue for me!
I'm also having trouble seeing how they claim this is not a DDOS attempts. Obviously by increasing the number of screensavers in use, the load increases on the target sites. Perhaps a new concept--the DDOP--distributed denial of performance? Keep flooding until ping time of site is > 30 seconds. Still sounds illegal to me.
What is to stop the spammers from doing a reverse DDOS on you? They would have your IP address, and would enjoy wasting your bandwidth too. My guess is they have a lot more bandwidth than most of us do. They aren't exactly people I want to mess with. If nobody buys their stuff, they would go away. Unfortunately that's the only solution I see to 'fix' the problem.
GREAT IDEA!
Provided one's server isn't mistakenly targeted (and I'm positive they'll eventually either friendly-fire or mistype an IP).
An effective signature identifies a particular user amongst a base of thousands.
I don't want my IP in the hands of someone with the morale of a spammer [server logs].
Let alone any "carefully picked host", certainly not at times I'm not there to observe what happends with my machine[screensaver].
Nah-uh.
I think we can keep recursing like this until someone returns 1
Note also that this is for Europe only. While there is nothing from stopping you from downloading and running this program outside the US, it is technically for europe only.
Even if you check the site, it explains how site it "targets" are slowing response times.
Is this shady, yes.
Question? If you are being harmed by something and want it to stop and there is no other recourse but to take the matter into your own hands, is that wrong?
Answer: It's up for debate.
If someone was on a daily basis causing me to sift through hundreds of emails, losing important messages, having the spam filter delete it accidentally, or having to wait for everything to update in order to assure that I have all my mail, then yeah this is justified.
They care not about your resources, time, or anoyance levels, why the hell should you?
Vigilante justice is not pretty, but it does get the job done.
Ignore the "p2p is theft" trolls, they're just uninformed
This is a stupid idea and will only serve to irritate the rest of the Internet. As much as they'd like to think it's not a DDos, it most certainly is, and they're just sinking to the spammer's own level.
I hope Lycos rethinks their plans, or I fear the retributions will be far more damaging. Any net user who downloads this software is going to leave themselves open to prosecution.
Oooohh, this is such a bad idea on so many fronts.
1) They're going to get sued. Not just sued, sued a whole lot. Asses in a sling kinda sued. Spammers that are making good money have the budget to sue, and really Lycos is completely in the wrong here. Morally, sure spam sucks. But you can't do it this way.
2) It's against so many different TOS's that isn't even funny. With very very very few execptions, users can't legally run it (check your provider's TOS). They're opening every user up for:
a) federal charges.
b) lost ISP connection.
c) Lawsuit for damages from the spammers.
3) So you flood a facility with an OC3. Now not only have to screwed up one guy's day, you've screwed up everyone's day at that facility. Or worse, the screen savers send such a load to knock down a server, that they inadvertantly overload a few major peerings instead.
How about this for a proof of the point. I have a GigE connection in 3 different cities. My provider has multiple OC192's heading all over the place.
I rig up something that can handle a 1Gb/s through it, that can take the abuse, and still appear to be functional. Come on, think creatively, it's not that hard to do. I can serve 1Gb/s of web traffic with 6 machines. Actually, I do with 15 machines, at a very low percentage of their capability. So no matter what they throw at me, they can't take the servers or my line down.
Or worse yet, they attack me, so I flood them back with 3Gb/s. I'd bet I can swamp lycos.com. Sure, they'll bitch. They'll moan. They'll threaten lawsuits, but I returned exactly what they were doing. More than likely they'll lose in court.
Isn't there a rule for iptables to redirect traffic coming into one IP, into another one? a one-liner, if I remember right.
Lycos DDoS's me. I set up machines to redirect the abusive traffic to say whitehouse.gov, ftc.gov, or lycos.com. Ah, lets play nice here, lets redirect the traffic to google.com, and watch the lawsuits really fly. So Lycos makes a valiant attempt to knock Google offline. That'll go over really well in court.
Or, as one comment in here already said, if they do it by DNS names, just change the DNS record.
bad.spammer.com. IN CNAME lycos.com.
or
bad.spammer.com. IN A 209.202.248.202
bad.spammer.com. IN A 209.202.216.27
(That's what Lycos resolves as for me)
or just negate it entirely.
bad.spammer.com. IN A 127.0.0.1
or have a little fun.
bad.spammer.com. IN A 255.255.255.255
And [insert deity here] forbid, someone compromises the machine which controls this action. If I were an evil hacker (hush you people in the crowd), that'd be a great play toy. Wanna knock off some competition, just point Lycos to them, and turn off their ability to throttle.
I'd be *REALLY* pissed if I was hosting one, or there was a compromised box somewhere off in a corner that I didn't know about, and they decided to knock one of my networks offline.
Most spammers move around so frequently, attacking a particular hostname or provider really doesn't freakin' matter. They change the domain the links go to, and start sending again. The usable age of a spam is only 3 days. Spammers consider if it hasn't been read in 3 days, it's not going to be read.
I wish them luck, and hope they have a big enough budget to keep their executives who came up with this brilliant scheme out of federal prison. I sure as hell hope they don't accidently point at me for being a target, 'cause sure as hell they won't be on line long.
Actually, with an announcement like this, they've opened themselves up for being the blame of almost any DDoS attack.
Serious? Seriousness is well above my pay grade.
[standard disclaimers about letting your users install their own software apply here]
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
90% of the spam I get is coming from zombies attached to cable or DSL. The only this will do is make network access slower for the owner of said compromised computer, and it's probably already slow as hell because of all the spyware and trojans on it. It's just going to raise costs for the rest of us on cable that aren't unwillingly sending spam.
Additionally, what about the mom and pop ISP with 2 T-1's and a bunch of DSL customers? All you are going to do is saturate their lines, doing almost nothing to harm the spammer. I suppose it will force smaller ISP's to implement a deny outgoing port 25 rule, which they should all do anyway. My ISP does this, however, I can call them and tell them I run my own mailserver, and they open it for me. It's the people that are clueless that they worry about.
Need Free Juniper/NetScreen Support? JuniperForum
So they're creating a service designed to cost spammers money. It seems to me that computer crime generally gets classified as using computer resources in a way not intended by the provider and in a way that costs the provider money. Lycos isn't just opening themselves up to lawsuits, they're inviting criminal prosecution. Anyone using the client would be subject to the same kind of risk.
Actually filling this one in was harder than I thought it would be. I guess because I'm too lazy to think up new catagories that consicely summarise the objections we've seen. Nevertheless...
Your post advocates a
( ) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it [well, we'll find out if this is illegal once Ralsky et al. sue]
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam [providing Ralsky et al. with enough funds to make the court case long and bloody]
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Inethicality of slowing the entire Internet down, when a handful of spammers are responsible for 99% of our spam
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Having been on the wrong end of a spam cop report several times, I feel for the innocents who are about to start having their mail blocked AND get bombarded with extra traffic. Just how many lawsuits will ensue?
Will anyone win but the laywers?
paul reinheimer
I like the idea because its grounded in destroying the economics that make spam profitable. Why not make it hurt more:
For example take a piece of spam advertising a site which provides no contact information and which replys on form submsissions to promote a product. Take random (but meaningful) data, such as fortune strings, delimited to smallish lengths for each field, and wget form submissions every few hours | minutes | seconds. Any legitimate inquiries are lost in (likly literally) an unceasing email bomb sponsored by lycos.The destinction here, is that rather then costing them more you are litterally losing them the tiny fraction of respondents which make spam profitable, this renders the model unprofitable and makes any attempt to offset the cost ineffective.
I take great satisfaction in ensuring that a spammers time is wasted to a greater degree then my own. Given the products that are often peddaled via spam a quick forward can often ensure this, for instance forwards to enforcement@sec.gov have resulted in six lawsuits (and counting) this month alone. There is a great forward for almost any ware, but medication, promotional stock tips, and cheap (generally pirated or edu version) software are some of the most fun - despite my dislike of Microsoft and the Government I relish the thought of their respective legal teams gunning down a newbie floridian who mistakenly purchased my address.
How do I keep track of people who are fingering
Second that. Producing more crap to fight crap leaves only losers.
Knowing how sneaky spam operations work (zombie networks etc.), I think that filtering/counter measures will never truly solve the spam problem, and that an effective solution will be economics-based.
One reason for the huge amounts of spam is that each single message has on average very little value for the recipient, and IMHO a good approach would be to increase that value. In a way: help spammers to reach an interested audience in a more targeted, specific way. So that not 1 in a million, but eg. 1 of every 50 mails sent produce a paying customer. Less effort for the spammer, less traffic, less annoyance, basically a win-win for everyone.
For that, you would need a way for recipients to 'advertise' what they're interested in: how many messages they want to receive, product types, type of organisations they'd like to hear from etc. Maybe in a system similar to publishing a PGP key or the "Geek Code". If a recipient has a way of indicating that (s)he is interested in viagra pills, then a spammer/advertiser can focus on that group, instead of spamming a huge amount of random people. Something that lets you tell 'the world' what you consider useful (or not) to find in your inbox, so that spammers/advertisers don't need to bother millions of uninterested folks to find a dozen customers. This would also put the burden of finding customers (selecting a target audience) on the spammer, instead of on the recipient (spam filtering). Ofcourse you could devise such a system in 1001 ways (preferably highly automated). Food for ongoing research...
How long will it be before we see an open source clone of that on sourceforge?
Of course it will do nothing for zombie sites that are hosted on trojan/worm/virus hacked machines. That would just punish the technically incompetent victim of spammers.
Microsoft is pure dog-ma. FreeBSD is pure cat-ma.
Course that's only 100 people, imagine a few hundred or thousand, it could easily shutdown small online vendors or personal websites, hurting average people if the idea is altered a little and falls in the wrong hands.
my karma will be here long after I'm gone
Interesting lead, I followed it trough some more and checked their site
Luckily, that explained the situation, starring is a marketing company, that were contacted by spray(a Lycos company in Sweden) to Get more people to start using Spray's e-mail service.
There you have it, it is all a marketing campaign to attract more users to Spray(and Lycos) mail. I guess they made it quite well, mentioned on slashdot and all...
This is really hilarious. They are expressly trying to use up the portion of bandwidth spammers *aren't using*, and getting everybody to install a Lycos screensaver! And they aren't even addressing the fact that a spam-serving network is undoubtedly well-resourced and has more heads than medusa. Hah! Too funny. Well except for anybody who happens to actually need bandwidth for non-spam purposes. It's like setting fire to a spider web, you just burn yourself out.
This is not a DoS (well it would be if it worked). It is just PR. Suddenly it got everbody saying "Lycos", front page on slashdot, etc., and it probably isn't even aimed at people who could figure out the problem. Most people will say great Lycos is taking a courageous stand, etc.
If Lycos was really serious about stopping spam, they should put the technical, managerial, and public relations resources they are dumping into this and go after the spammers one at a time. There are a finite number of people doing this in the world, and a corporation that wants to hunt them down can do it. Just follow the money, maybe buy some spam from these guys to confirm it. Then decide what to do about it. They might even consider posting a list of spammers, companies that profit from spam, and spam purchasers, on the net. Though that might make it hard to do subsequent investigations into spammers.
Well that's one thing they ought to do instead of this. Personally I think it would be better PR if they actually made some positive results in reducing spamming (with scientific proof) and publicized *that*. So this could maybe be called a half-assed DoS and a half-assed attempt at PR for mainstream technophiles, but on the whole it is just silly and wasteful. Thank god my fiber connection is nowhere near them.