Lycos Declares War on Spam Servers
Psychotext writes "The Register have posted a story about a new screensaver from Lycos that targets known spam servers (taken from spamcop and verified by hand) with traffic in order to raise their bandwidth costs and hopefully price them out of the game. Lycos state that this is not a DDOS as Lycos monitors the site's responsiveness and throttles back when the site starts to falter. The screensaver is available here for Mac OSX, Mac OS9 and Windows, though you might need to lie about what country you are from." Reader JohnGrahamCumming writes "As part of preparing for the MIT Spam Conference I've put together a survey on what people are experiencing out there with spam, what they are doing about it and followed it up with a test of different views of an inbox filled with spam and ham. You can take the test and be part of the survey results in January."
I like how they state that, even though this screensaver overwhelms the server with requests, and can come from many different sources, IT IS NOT A DDOS!
Actually, it's a great idea, now only if a cool Open source dev would make an open version of this and take away that whole throttling thing.. who would they sue?
It would be the gnutella of ddos's!
Excuse me, I don't mean to impose, but I am the ocean
Isn't this the same as the "Artists against 419" site is doing?
The real "Libtards" are the Libertarians!
Now, they aren't the first to come up with this sort of attack against spam. Lots of geeks (myself included) have run continuous wget fetch sessions against particularly annoying spammer sites. There's a program called "Spam Commando" or something similar which fills out spammers' web forms with bogus but real-looking inquiries, thus wasting the spammers' time. I've thought several times about writing a little win32 app to do what Lycos' screensaver is doing, but couldn't get past the obstacle of "why would people trust my list of spam sites and use the program?" I should have thought of partnering with Spamcop.
In any case, this is the first time that a company, as opposed to some guy in his spare time, has stepped up and said "Hey, we think this is a good idea." And that's all it takes. This sort of thing generates press. The press will probably lead to lawsuits, as you point out. The lawsuits will inevitably lead to Lycos disabling the screen saver.
But here comes the beautiful part:
That's where a few geeks step in and take over.
Look at Gnutella. Nullsoft got bitch-slapped by AOL and told "you can't do that." The rest of the internet replied, "maybe you can't, but we sure as hell can."
Mark my words, if legal action shuts down Lycos' screensaver, a free, open-source, anonymously distributed alternative (or three) will take their place.
Thanks, Lycos, for shouldering the initial risk.
Kungsgatan 6
Stockholm, 111 43
SE
[Administrative contact] Brockman, Didde
Starring Ltd AB
Kungsgatan 6
111 43 Stockholm
SE
Email: technical@starring.se
Phone: +46 8 6144600
Fax: +46 8 6144610
The sites use Lycos logos, but it's not at all clear that Lycos has anything to do with this. While these sites link to Lycos, there's no obvious link to it from the Lycos main page.
(on a business network) many of your users install and run the screensaver and suck up your own bandwidth as well as that of the spammers.
I installed it and it doesn't seem to use much bandwidth (MacOS X). It does, however, seriously cut into the Folding@Home CPU cycles, so I'm not sure how long I'll play with it. I think I'd rather help cure diseases than DDOS spammers, even though the latter is immensely satisfying...
I wrote a proof of concept once, similar to your form filling script.
Someone said that you can't spam and hide it.
I wrote a script to prove you could. It took about 20 minutes to put together to my satisfaction.
I had 3 files. A names file, a domains file, and a words file.
It would take one to three words from the "names" file, and generate a name. It would take some combination of those, sometimes with a random character or two, and then take a random domain from the "domains" file, to form an Email address.
I'd then take the "words" file, and make a subject line 2 to 15 words long, and a message body that was between 10 and 100 words long.
To some of the messages, I attached arbitrary length attachments (generated as it ran), with filenames from the 'words' file, and I think 8 common extensions (.doc,
I then used a common misconfiguration in web proxy servers (allowing CONNECT), and set it up to randomly select proxy servers to mail through, all over the world.
Then I said "are you sure about what you said 20 minutes ago?"
He said "yes".
I ran the script. He was receiving about 1000 messages per minute, and couldn't tell what was real and what wasn't. The only thing he knew is that he saw text scrolling by on my screen (a little status information for myself), and me laughing my ass off.
There was absolutely nothing consistent with the messages. Different senders, different bodies, different attachments (if they existed at all), and all coming from different "mail servers". The receiving mail server assumes the IP it received from is the previous mail server, so those proxies showed up in the header.
I never did run it against a spammer. It wasn't worth it. You know the 'from' address is bogus anyways. Any address they may list on their site is probably bogus (remove_me@bad.spammer.com? ha!). It was proof of the concept that anything can come from anywhere. He couldn't identify that it was me, because there was nothing to identify that it was me. The only way he could have possibly found out that it was me (other than my laughing), was to try to contact these ISPs with misconfigured proxies, and ask them to give him the IP who sent it through. Good luck. I don't speak any Chinese, and at least 100 of those proxy servers were over there.
Serious? Seriousness is well above my pay grade.
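For operators of a web proxy, the misconfiguration the comment above relies on (CONNECT allowed to arbitrary ports) is visible in the proxy's own access log. The following is an added example, not part of the thread: it flags CONNECT requests to anything other than an allow-listed port, assuming a simplified, constructed log layout and hypothetical names (`audit`, `connect_port`, `ALLOWED_CONNECT_PORTS`).

```python
import re
from collections import Counter

# Constructed sample lines in a simplified, made-up access-log layout:
#   <epoch> <client_ip> <METHOD> <target> <status>
# Real proxy log formats differ; adapt LINE_RE to the one in use.
SAMPLE_LOG = """\
1101900001 198.51.100.7 GET http://www.example.org/index.html 200
1101900002 203.0.113.9 CONNECT mail.example.net:25 200
1101900003 203.0.113.9 CONNECT mx.example.com:25 200
1101900004 192.0.2.44 CONNECT shop.example.org:443 200
1101900005 203.0.113.9 CONNECT relay.example.net:587 403
1101900006 malformed line that should be skipped
1101900007 203.0.113.9 CONNECT [2001:db8::25]:25 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)
ALLOWED_CONNECT_PORTS = {443}  # assumption: HTTPS is the only tunnel the site needs
MAIL_PORTS = {25, 465, 587}


def connect_port(target):
    """Return the port of a CONNECT target ('host:port' or '[v6]:port'), or None."""
    host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return int(port)


def audit(log_text):
    """Return (findings, per-client count of tunnels the proxy actually opened)."""
    findings, opened = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "CONNECT":
            continue  # unparseable line or ordinary HTTP request
        port = connect_port(m["target"])
        if port in ALLOWED_CONNECT_PORTS:
            continue
        granted = m["status"].startswith("2")  # 2xx means the tunnel was opened
        kind = "mail" if port in MAIL_PORTS else "other"
        findings.append((m["client"], m["target"], kind, granted))
        if granted:
            opened[m["client"]] += 1
    return findings, opened
```

A granted tunnel to a mail port means the proxy is relaying for whoever connected; denied attempts (the 403 line) still show which clients are probing for it.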