Slashdot Mirror


Lycos Declares War on Spam Servers

Psychotext writes "The Register have posted a story about a new screensaver from Lycos that targets known spam servers (taken from spamcop and verified by hand) with traffic in order to raise their bandwidth costs and hopefully price them out of the game. Lycos state that this is not a DDOS as Lycos monitors the site's responsiveness and throttles back when the site starts to falter. The screensaver is available here for Mac OSX, Mac OS9 and Windows, though you might need to lie about what country you are from." Reader JohnGrahamCumming writes "As part of preparing for the MIT Spam Conference I've put together a survey on what people are experiencing out there with spam, what they are doing about it and followed it up with a test of different views of an inbox filled with spam and ham. You can take the test and be part of the survey results in January."

21 of 567 comments

  1. Lycos? by Saeger · · Score: 5, Funny
    I can barely hear what Lycos is saying... but it sounds like... "I'm not dead yet!"

    --
    Power to the Peaceful
    1. Re:Lycos? by TWX · · Score: 5, Informative

      A company that brands a product "Lycos Sidesearch" that Ad Aware finds as spyware isn't going to get me to install their screensaver; I don't care how long the name has been a brand on the Internet.

      --
      Do not look into laser with remaining eye.
  2. Horrible Idea by Anonymous Coward · · Score: 5, Insightful

    I'm sure Lycos will love it when the spammer updates their DNS to point to Lycos.

    1. Re:Horrible Idea by gyratedotorg · · Score: 5, Insightful

      if they start changing their dns records, they won't have an online presence to sell their crap. in this case, won't they lose anyway?

      --
      Gyrate Dot Org - "Where high-tech meets low-life"
  3. This is NOT A DDOS!! by Eric(b0mb)Dennis · · Score: 5, Interesting

    I like how they state, even though that this screensaver overwhelms the server with requests, and can come from many different sources, IT IS NOT A DDOS!

    Actually, it's a great idea, now only if a cool Open source dev would make an open version of this and take away that whole throttling thing.. who would they sue?

    It would be the gnutella of ddos's!

    --
    Excuse me, I don't mean to impose, but I am the ocean
    1. Re:This is NOT A DDOS!! by logic+hack · · Score: 5, Funny
      Actually, it's a great idea, now only if a cool Open source dev would make an open version of this and take away that whole throttling thing
      I believe it's called a slashdotting.
  4. LAW SUIT by drsmack1 · · Score: 5, Insightful

    This will never survive the legal challenges it will face. At least some of these companies can claim to be "legitimate" businesses. Of course if they just produce the list of addresses we can surely work out something involving wget for ourselves.

    1. Re:LAW SUIT by Anonymous Coward · · Score: 5, Interesting
      This will never survive the legal challenges it will face.
      It doesn't matter. What Lycos is doing here is showing an idea to the world, and rather selflessly opening themselves up to legal issues in the process.

      Now, they aren't the first to come up with this sort of attack against spam. Lots of geeks (myself included) have run continuous wget fetch sessions against particularly annoying spammer sites. There's a program called "Spam Commando" or something similar which fills out spammers' web forms with bogus but real-looking inquiries, thus wasting the spammers' time. I've thought several times about writing a little win32 app to do what Lycos' screensaver is doing, but couldn't get past the obstacle of "why would people trust my list of spam sites and use the program?" I should have thought of partnering with Spamcop ;)

      In any case, this is the first time that a company, as opposed to some guy in his spare time, has stepped up and said "Hey, we think this is a good idea." And that's all it takes. This sort of thing generates press. The press will probably lead to lawsuits, as you point out. The lawsuits will inevitably lead to Lycos disabling the screen saver.

      But here comes the beautiful part:

      That's where a few geeks step in and take over.

      Look at Gnutella. Nullsoft got bitch-slapped by AOL and told "you can't do that." The rest of the internet replied, "maybe you can't, but we sure as hell can."

      Mark my words, if legal action shuts down Lycos' screensaver, a free, open-source, anonymously distributed alternative (or three) will take their place.

      Thanks, Lycos, for shouldering the initial risk.
    2. Re:LAW SUIT by JWSmythe · · Score: 5, Interesting


      I wrote a proof of concept once, similar to your form filling script.

      Someone said that you can't spam and hide it.

      I wrote a script to prove you could. It took about 20 minutes to put together to my satisfaction.

      I had 3 files. A names file, a domains file, and a words file.

      It would take one to three words from the "names" file, and generate a name. It would take some combination of those, sometimes with a random character or two, and then take a random domain from the "domains" file, to form an Email address.

      I'd then take the "words" file, and make a subject line 2 to 15 words long, and a message body that was between 10 and 100 words long.

      To some of the messages, I attached arbitrary length attachments (generated as it ran), with filenames from the 'words' file, and I think 8 common extensions (.doc, .txt, .zip ....)

      I then used a common misconfiguration in web proxy servers (allowing CONNECT), and set it up to randomly select proxy servers to mail through, all over the world.

      Then I said "are you sure about what you said 20 minutes ago?"

      He said "yes".

      I ran the script. He was receiving about 1000 messages per minute, and couldn't tell what was real and what wasn't. The only thing he knew is that he saw text scrolling by on my screen (a little status information for myself), and me laughing my ass off.

      There was absolutely nothing consistent with the messages. Different senders, different bodies, different attachments (if they existed at all), and all coming from different "mail servers". The receiving mail server assumes the IP it received from is the previous mail server, so those proxies showed up in the header.

      I never did run it against a spammer. It wasn't worth it. You know the 'from' address is bogus anyways. Any address they may list on their site is probably bogus ( remove_me@bad.spammer.com ? ha!). It was proof of the concept that anything can come from anywhere. He couldn't identify that it was me, because there was nothing to identify that it was me. The only way he could have possibly found out that it was me (other than my laughing), was to try to contact these ISPs with misconfigured proxies, and ask them to give him the IP who sent it through. Good luck. I don't speak any Chinese, and at least 100 of those proxy servers were over there.

      --
      Serious? Seriousness is well above my pay grade.
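
Added example, not part of the thread: the comment above depends on web proxies that accept CONNECT to arbitrary ports, and a proxy operator can find that relaying in their own logs. The sketch assumes Squid's native access.log layout and a policy of tunnelling only to port 443; the log lines are constructed, with documentation-range addresses.

```python
from collections import defaultdict

ALLOWED_CONNECT_PORTS = {443}   # assumption: the proxy should only tunnel HTTPS
MAIL_PORTS = {25, 465, 587}     # SMTP / submission: the relaying described above

# Constructed sample, Squid native access.log layout:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1101900001.101    210 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT shop.example.com:443 - HIER_DIRECT/198.51.100.7 -
1101900002.202   9050 203.0.113.50 TCP_TUNNEL/200 88211 CONNECT mx1.example.net:25 - HIER_DIRECT/198.51.100.25 -
1101900003.303   8710 203.0.113.50 TCP_TUNNEL/200 90412 CONNECT mx.example.org:25 - HIER_DIRECT/198.51.100.26 -
1101900004.404     12 203.0.113.50 TCP_DENIED/403 3801 CONNECT mx2.example.net:25 - HIER_NONE/- text/html
1101900005.505     95 192.0.2.11 TCP_MISS/200 14022 GET http://www.example.com/ - HIER_DIRECT/198.51.100.8 text/html
garbage line that does not parse
1101900006.606   4000 192.0.2.12 TCP_TUNNEL/200 700 CONNECT [2001:db8::25]:587 - HIER_DIRECT/2001:db8::25 -
"""

def parse_connect(line):
    """Return (client, target, port, established) for a CONNECT entry, else None."""
    fields = line.split()
    if len(fields) < 7 or fields[5] != "CONNECT":
        return None
    # rpartition keeps a bracketed IPv6 host intact and splits off the port.
    _host, sep, port = fields[6].rpartition(":")
    status = fields[3].partition("/")[2]
    if not sep or not port.isdigit() or not status.isdigit():
        return None
    # A 2xx status means the proxy actually opened the tunnel.
    return fields[2], fields[6], int(port), status.startswith("2")

def suspect_tunnels(log_text, allowed=ALLOWED_CONNECT_PORTS):
    """List CONNECT requests whose destination port is outside the allowed set."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry and entry[2] not in allowed:
            hits.append(entry)
    return hits

def summarize(hits):
    """Per client: tunnels opened, attempts denied, and distinct mail targets."""
    report = defaultdict(lambda: {"opened": 0, "denied": 0, "mail_targets": set()})
    for client, target, port, established in hits:
        row = report[client]
        row["opened" if established else "denied"] += 1
        if port in MAIL_PORTS:
            row["mail_targets"].add(target)
    return dict(report)

if __name__ == "__main__":
    for client, row in summarize(suspect_tunnels(SAMPLE_LOG)).items():
        print(client, row["opened"], "opened,", row["denied"], "denied,",
              sorted(row["mail_targets"]))
```

Any client with opened tunnels to mail ports means the proxy is relaying; the durable fix is to deny CONNECT to everything outside the allowed port set in the proxy's access rules.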
  5. What a move... by NiTr|c · · Score: 5, Insightful

    This doesn't seem like a very constructive solution. Hiking up bandwidth costs of spammers will certainly not solve any portion of the problem, as we've seen how much these people rake in. Not to mention the questionable ethics in a process like this. Lycos would be better off trying to work with other companies to try and somehow blacklist or filter all this garbage traffic instead of adding to it. As it stands, this is just some pathetic pissing match. Nice going, Lycos.

    --
    Try actually thinking for yourself. It's quite refreshing.
  6. Re:Lame by anagama · · Score: 5, Insightful

    • ...too bad this also wastes bandwidth across the net.

    It's like investing in the future. If it works and makes it too expensive to run a spam destination site, spam destination sites will fade into history. This may be wishful thinking but the other option is to do nothing until 98% of internet traffic is spam related. I say "yeah" - if for no other reason than because it feels good. Of course, I'll have to wait for the linux equivalent - or maybe I'll go google for some ready made scripts - failing that, using this list and wget, I'll make my own. Sounds like a fun and righteously vindictive activity!
    --
    What changed under Obama? Nothing Good
  7. Re:Fighting spam with more crap? by typhoonius · · Score: 5, Funny

    Yeah, but...they're spammers.

    It's like the Indiana Jones movies. Melting people's faces is bad. Melting Nazis' faces is awesome. Because, honestly, they're Nazis.

    I'm not saying spammers are Nazis, just that we should melt their faces.

  8. it seems to me ... by Rev.LoveJoy · · Score: 5, Insightful
    Tools whose purpose is to waste bandwidth will have a good deal of collateral damage. When pipes need to be upgraded to account for more traffic (regardless of said traffic being "good" or "bad") we all pay the price. That is, unless one of you out there owns a major backbone carrier (in which case, I'm single).

    Bad idea, Lycos - nobody (no human, anyhow) likes spam - but the rest of us have so far refrained from crap flooding the net to stop it.

    -- Cheers,
    -- RLJ

  9. Don't sign me up by scott9676 · · Score: 5, Insightful

    What is to stop the spammers from doing a reverse DDOS on you? They would have your IP address, and would enjoy wasting your bandwidth too. My guess is they have a lot more bandwidth than most of us do. They aren't exactly people I want to mess with. If nobody buys their stuff, they would go away. Unfortunately that's the only solution I see to 'fix' the problem.

  10. aa419.arg anyone? by whoever57 · · Score: 5, Interesting

    Isn't this the same as the "Artists against 419" site is doing?

    --
    The real "Libtards" are the Libertarians!
  11. Re:Fighting spam with more crap? by legend · · Score: 5, Insightful

    12 year old kids running Kazaa are WAY more of a threat to ahem, overloaded core routers, than this screensaver.

    --
    If you can't figure out my address, just drop me an e-mail and I will explain.
  12. Clarify ... by SuperDuG · · Score: 5, Insightful
    This _IS_ a DDoS (Distributed Denial of Service) attack program. While they may verify that the site does not "stop", this will clog the servers with requests. While it may be a PR move to not call this a DDoS, it most certainly is. The only way it may not be is if your definition of DDoS implies that the server will eventually stop responding to all non "client that creates multiple connections" IPs.

    Note also that this is for Europe only. While there is nothing stopping you from downloading and running this program outside the US, it is technically for Europe only.

    Even if you check the site, it explains how the sites it "targets" are slowing response times.

    Is this shady, yes.

    Question? If you are being harmed by something and want it to stop and there is no other recourse but to take the matter into your own hands, is that wrong?

    Answer: It's up for debate.

    If someone was on a daily basis causing me to sift through hundreds of emails, losing important messages, having the spam filter delete it accidentally, or having to wait for everything to update in order to assure that I have all my mail, then yeah this is justified.

    They care not about your resources, time, or annoyance levels, why the hell should you?

    Vigilante justice is not pretty, but it does get the job done.

    --
    Ignore the "p2p is theft" trolls, they're just uninformed
  13. Lycos DDoS by JWSmythe · · Score: 5, Insightful

    Oooohh, this is such a bad idea on so many fronts.

    1) They're going to get sued. Not just sued, sued a whole lot. Asses in a sling kinda sued. Spammers that are making good money have the budget to sue, and really Lycos is completely in the wrong here. Morally, sure spam sucks. But you can't do it this way.

    2) It's against so many different TOS's that it isn't even funny. With very very very few exceptions, users can't legally run it (check your provider's TOS). They're opening every user up for:

    a) federal charges.

    b) lost ISP connection.

    c) Lawsuit for damages from the spammers.

    3) So you flood a facility with an OC3. Now not only have you screwed up one guy's day, you've screwed up everyone's day at that facility. Or worse, the screen savers send such a load to knock down a server, that they inadvertently overload a few major peerings instead.

    How about this for a proof of the point. I have a GigE connection in 3 different cities. My provider has multiple OC192's heading all over the place.

    I rig up something that can handle a 1Gb/s through it, that can take the abuse, and still appear to be functional. Come on, think creatively, it's not that hard to do. I can serve 1Gb/s of web traffic with 6 machines. Actually, I do with 15 machines, at a very low percentage of their capability. So no matter what they throw at me, they can't take the servers or my line down.

    Or worse yet, they attack me, so I flood them back with 3Gb/s. I'd bet I can swamp lycos.com. Sure, they'll bitch. They'll moan. They'll threaten lawsuits, but I returned exactly what they were doing. More than likely they'll lose in court.

    Isn't there a rule for iptables to redirect traffic coming into one IP, into another one? A one-liner, if I remember right.

    Lycos DDoS's me. I set up machines to redirect the abusive traffic to say whitehouse.gov, ftc.gov, or lycos.com. Ah, let's play nice here, let's redirect the traffic to google.com, and watch the lawsuits really fly. So Lycos makes a valiant attempt to knock Google offline. That'll go over really well in court.

    Or, as one comment in here already said, if they do it by DNS names, just change the DNS record.

    bad.spammer.com. IN CNAME lycos.com.

    or

    bad.spammer.com. IN A 209.202.248.202
    bad.spammer.com. IN A 209.202.216.27

    (That's what Lycos resolves as for me)

    or just negate it entirely.

    bad.spammer.com. IN A 127.0.0.1

    or have a little fun.

    bad.spammer.com. IN A 255.255.255.255

    And [insert deity here] forbid, someone compromises the machine which controls this action. If I were an evil hacker (hush you people in the crowd), that'd be a great play toy. Wanna knock off some competition, just point Lycos to them, and turn off their ability to throttle.

    I'd be *REALLY* pissed if I was hosting one, or there was a compromised box somewhere off in a corner that I didn't know about, and they decided to knock one of my networks offline.

    Most spammers move around so frequently, attacking a particular hostname or provider really doesn't freakin' matter. They change the domain the links go to, and start sending again. The usable age of a spam is only 3 days. Spammers consider if it hasn't been read in 3 days, it's not going to be read.

    I wish them luck, and hope they have a big enough budget to keep their executives who came up with this brilliant scheme out of federal prison. I sure as hell hope they don't accidentally point at me for being a target, 'cause sure as hell they won't be on line long.

    Actually, with an announcement like this, they've opened themselves up for being the blame of almost any DDoS attack.

    --
    Serious? Seriousness is well above my pay grade.
  14. Re:Fighting spam with more crap? by vyruss000 · · Score: 5, Funny

    (raising clenched fist looking at the sky)

    DAMN YOU, GODWIN! :)

  15. Re:Two words: by qengho · · Score: 5, Interesting


    (on a business network) many of your users install and run the screensaver and suck up your own bandwidth as well as that of the spammers.

    I installed it and it doesn't seem to use much bandwidth (MacOS X). It does, however, seriously cut into the Folding@Home CPU cycles, so I'm not sure how long I'll play with it. I think I'd rather help cure diseases than DDOS spammers, even though the latter is immensely satisfying...

  16. Time to bring out the old warhorse... by cortana · · Score: 5, Insightful

    Actually filling this one in was harder than I thought it would be. I guess because I'm too lazy to think up new categories that concisely summarise the objections we've seen. Nevertheless...

    Your post advocates a

    ( ) technical ( ) legislative ( ) market-based (x) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    (x) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    (x) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    (x) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    (x) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    (x) Laws expressly prohibiting it [well, we'll find out if this is illegal once Ralsky et al. sue]
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    ( ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    (x) Extreme profitability of spam [providing Ralsky et al. with enough funds to make the court case long and bloody]
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    (x) Inethicality of slowing the entire Internet down, when a handful of spammers are responsible for 99% of our spam
    ( ) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    (x) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    (x) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    (x) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    (x) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!