Lycos Anti-Spam Site Compromised [Updated]
An anonymous reader writes "Lycos, shortly after producing a screen saver to fight spammers using a DoS-style attack appears to have been hacked. Attempting to download the screen saver from lycos results in this message 'Yes, attacking spammers is wrong, you know this, you shouldn't be doing it. Your ip address and request have been logged and will be reported to your ISP for further action.' Or maybe it's just a joke -- can you ever tell?" Update: 12/01 15:07 GMT by T : According to Lycos, the defacement reports were actually just a hoax.
If there are only a few large spamming... erm... entities, then I wonder how and when they'll finally be caught.
The way to "fight" spammers is by following the law and litigating against them. Childish things like using illegal hacking tools just puts gasoline on an already out of control blaze. More stringent laws and serious punishments for spammers is the final key to doing away with the vast numbers of spammers.
The "technological" solution to spam has shown itself to be totally ineffective. The solution which has worked to not only put a small dent in the daily dose of spam but also enrich the general public has been to take the spammers to court and eventually to jail when necessary.
Spam is like selling kids crack cocaine. No one wants that kind of shit in the neighborhood, but the only people willing to "take back the streets" are ninnies and other gang members.
Yes, hacking websites is wrong, you know this, you shouldn't be doing it. Your ip address and your actions have been logged and will be reported to your ISP for further action.
Someone was worried.
...if you're remotely surprised that this happened.
...
...
...
Yeah, didn't think so.
If something like this is ever going to work, it's going to have to be a lot more underground, just like the spammers.
p
In Korea, long hair is for old people!
Not only because the command-and-control server can be hacked and the hosts running the screensaver turned into a botnet used to launch DDoS attacks, as we see - but because a) the veracity of the so-called 'target list' cannot be verified to the degree necessary to make this even theoretically sensible (i.e., it could be gamed by those submitting false spam reports to induce the system to attack innocents, not to mention the PCs of innocents which have been compromised as spam-proxies along with the network infrastructures of their ISPs), but outbound DDoS can be just as devastating as inbound DDoS.
This is the stupidest idea ever. I hope several someones end up suing Lycos over this, it's just moronic.
-All- security measures should be predicated upon the sentiment expressed in Hippocrates' _Epidemics_ (-not- the Oath, that's a popular misconception) - '. . . first, do no harm'.
This kind of tactic, if not outright illegal, is a grey area...now perhaps, if you simply made a script to go through the emails, put every link on a list, and used spare bandwidth to request pages from all of the links that have been sent, that could be legal, but still a grey area.
What I don't think is a good idea is a company deciding who deserves to be DDoSed. In that sense, it is little better than MyDoom, which also attacked unpopular companies.
Personally, I think we should try to take down companies that use spam for advertising legally, rather than using a DDoS. But I might not have the popular view, you never know.
I'm amazed that Lycos thinks this will actually work, simply from the fact that I do not know anyone that has downloaded a "screen saver" for their computer in the last year.
It used to be all the rage... yes, starting with AfterDark decades ago, and finally culminating in WebShots a few years ago. But does anyone really do this nowadays? Seriously?
Maybe if it showed a random "babe/hunk of the day" while doing its nasty work it would be downloaded by more people...
I hate spam as much as the next person, but I'm having serious doubts about this project. How easy might it be to target this system to a legitimate website and turn the thing into a botnet for DDoS-attacks, and stuff like that?
The problem with spammers is a hopelessly outdated protocol for sending and relaying e-mail on the one hand, and on the other, governments failing to produce adequate legislation to combat spammers, scammers, and the like on the Internet.
Then think that most companies and business-oriented lobby groups fight hard to keep e-mail available as a direct marketing medium, the same way they would thoroughly object to a ban on telephone-based telemarketing.
We don't need a bunch of cowboys arming themselves with guns and taking out everyone they see as a danger to society/Internet, we need decent, solid legislation, and government commitment to take out spammers.
Hiring geeks? How do you know it's not geeks themselves doing the spamming? Just because someone is smart and has networking/programming know how doesn't mean that they are immune to the draw of easy money.
And hacking websites that attack spammers is fine.
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
At 3:06 am you downloaded AN EXE file.
Do you know for sure it is the one you think it is?
Do you know for sure what your system is doing?
If the site had been compromised, how do you know that file is the one which was originally hosted there?
Attack those spammers! Someone needs to stand up to them!
Spam is a huge amount of traffic on the net, that is my problem with it. Turning clueless lycos users into antispambots will not DECREASE the traffic on the net but increase it. Also, if joe blow user gets a screen saver that DDOSs a.b.c.d and said spammer goes out of business resulting in cox cable giving my grandma a cable modem at a.b.c.d do you really think J Blow user is going to know to get his screensaver updated or are a large chunk of them going to run the initial screensaver as long as they ran Win 98 unpatched (forever)
The spammer's response is a strong indication that it's a pretty good idea, and one they really don't like and see as an actual threat to them.
I'm an American. I love this country and the freedoms that we used to have.
The main cost of spam is not the extra bandwidth it consumes. It's the human time lost in sorting the real mail from the crap every goddamn day. If by fighting it we (temporarily) double or triple the bandwidth wasted, I say, who cares?
What next? Users attack hardware vendors for not releasing drivers for graphics cards? Political parties make screensavers which overload the web servers of the opposition? We do not want to go there.
I guess this time they should consider themselves lucky that someone didn't manage to remove positive control over the screensavers from Lycos, effectively turning their DDoS zombie network into a tool for spammers. It would have been such a sweet irony of the very network of DDoS-agents created to thwart spammers would be turned into a spamming network.
Your company advocates a
() technical ( ) legislative () market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Extreme stupidity on the part of people who do business with Microsoft
( ) Extreme stupidity on the part of people who do business with Yahoo
(x) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
(x) This is a stupid idea, and you're a stupid company for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
That's the underreported part of this story. Our shining champion in the spam epidemic is long-time villain in the spyware epidemic. No thanks, I'll pass.
Play Command HQ online
(I'm not saying I think this is a good idea - but reading the article before making bogus critical claims would seem like a wise plan to me.)
I see the emotional reasoning behind what you wrote, but in all reality you could cause collateral damage on sites hosted by the same ISP, or even the same network provider.
What should be done is to simply put pressure on the ISPs hosting these spammers, and cut them off by blocking their mail-servers and even web-servers used to sell their goods.
The "spam attack" was a PR-stunt by Lycos (first tested in Sweden), which apparently back-fired now.
Even better. Include a file from that server in the main page of slashdot, such as an image. However, this is just vigilantism. I have more bandwidth than you, so I'm right. A war doesn't show who is right, just who is left.
Get your own free personal location tracker
OTOH, if spam goes away because of this are you going to complain?
My other car is first.
Does this make sense? Ive seen it suggested somewhere:
One of the problems with spam is all the companies selling software that 'sends ten million emails a day'. Given that this is hardly likely to be for legitimate use (does your company have 10 million subscribers?) heres a way to hurt their pockets.
Go to google
Search for bulk email software
Click once on every google ad on the RHS.
Repeat each day.
Every click costs the spam (sorry *direct marketing*) company maybe $0.05. If everyone on slashdot did it, these companies would be hit bigtime. Their ad budgets would be used up, and their conversion rate would be zero.
Its not going to rid us of spam, but it IS one way to fuck up the assholes that make this stuff so easy.
DRM-free indie games for the PC and Mac: Positech Games
It's more like a 'screendestroyer'
I downloaded this yesterday. What does it do apart from use up spammers bandwidth? It keeps essentialy the same non changing image up on the screen. Er no thanks. My shiny new 19" TFT isn't going anywhere near that.
I know CRTs can now cope with static images, but TFTs can't.
I don't know who is more ignorant, the people that really don't understand their computer or you, for that attitude.
Just because you don't understand something does NOT make you 'deserving' of harm.
You need to get it thru your head ( and others like you ) that the common man DOES NOT understand the risks NOR SHOULD THEY. They are USERS not TECHIES...
Until you require people pass a test to have a PC, then you can not expect the user to have any knowledge about it.
Would you expect a TV watcher to understand how their TV works? All the digital and analog components? How the electrons are formed and manipulated on their way to the screen? If they don't, they might see something offensive.. got to hold them responsible for lack of specific technical knowledge beyond their normal life.
Or how about nuclear power generation, because they might get shocked by the power..
Get over yourself... You are what gives us all a bad name.
Man, I shouldn't feed the trolls....
---- Booth was a patriot ----
You certainly have a point. If an ISP gets paid to host a spamvertised web site, they do not care. All of the spam comes either from off-shore servers or zombies. This does not affect the ISP. The Lycos approach is not making this the ISP's problem.
The thing that totally bugs me is that ISPs are not cracking down more on zombies. The terms of service should state that the ISP can read your outgoing mail if you send more than 500 emails a day. They can then shut down your connection if you are sending spam. If all of the zombies were cut off, spam would likely be reduced by 80%.
I downloaded and installed the screensaver a Monday night. I like it. I certainly do not think that this is the perfect solution. But at least is may accomplish something! Every other spam tactic that I have seen to stop the source has amounted to a big fat nothing. Filtering you mail still works, but is a pain.
"-1 Troll" is the apparently the same as "-1 I disagree with you."
This looks like news forgery to me. Is there any indication of a security breach at Lycos? All we seem to have is "an anonymous reader" telling Slashdot that the screensaver was compromised, and at least one blog repeating what has been said on Slashdot. Maybe this is just another PR stunt by Lycos, or a spammer trolling Slashdot?
With Lycos relying on Javascript to get their message out, I sure won't waste my time trying to decipher it. If they can tell me where the spammer websites are, I'll be happy to evaluate their opinion and take appropriate action against those sites myself, after careful consideration. Lend Lycos my hardware and IP address, so that they can mastermind a DDoS attack disguised as me? Certainly not.
This is a very ineffective way of solving the problem. You remove the symptoms but not the root cause of the problem. You still have more than a million computers constantly trying to infect/crack other computers. And it's taking up a majority of the bandwidth on many networks.
The point is to go after the ISP's and make them responsible, but only in part. The ultimate responsiblity relies on the end user who owns the infected computer. It should be the ISP's responsibility to notify/contain those computers that are causing the damage.
When Code Red was first on the scene, there were reports of several ISP's who suspended certain accounts pending proof that the customers computers had been cleaned and updated to prevent reinfection.
If this practice by the ISP had become more main stream then many of the problems today would at least be reduced.
I for one think restricting port 25 is a good idea. :-) (esp. when you consider how many Zombies that stops dead in their tracks).
My ISP blocks 25 by default. If you contact tech support and request that it be enabled they bump you to tier3 support, who quiz you breifly to ensure you are capable of securing it and then open it for you. Not a bad deal all together. The quiz is really just a checklist:
1) You know port 25 is for a mailserver right?
2) Do you know how to configure your mailserver so it won't be an open relay?
3) Promise you won't send spam.
4) Port 25 is now open.
Works for me
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Spamming is prevalent because it is literally free of cost to the spammers. This tool threatens to raise the cost of spamming end via excessive bandwidth demands at the spammer server end. If the cost of spamming became prohibitive then spam would be extinct and they would not have the resources to retain hackers to carry out their malicious efforts like deceptive URLs and hijacking innocent PCs as spam boxes.
The Lycos tool makes that threat very real. The spammers know this and they have focused their attack on the tool.
If they take legal action arguing that attacks on their ISPs was damaging their liveliehood, the same can be said of spammers' attacks on our inboxes and compromised PCs. When you accuse someone by pointing at them, there are always three fingers pointing back towards you.
Legislative actions are ineffective thanks to lobbying efforts from direct marketing organizations of which spammers are a member. The CANSPAM accomplishes nothing and trumps more aggressive state laws. If the government cannot provide relief, then the private sector will seek alternatives without their help.
It was only inevitable that this happened.
Begun, the spam war has.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10