Slashdot Mirror


Lycos Anti-Spam Site Compromised [Updated]

An anonymous reader writes "Lycos, shortly after producing a screen saver to fight spammers using a DoS-style attack, appears to have been hacked. Attempting to download the screen saver from Lycos results in this message 'Yes, attacking spammers is wrong, you know this, you shouldn't be doing it. Your ip address and request have been logged and will be reported to your ISP for further action.' Or maybe it's just a joke -- can you ever tell?" Update: 12/01 15:07 GMT by T : According to Lycos, the defacement reports were actually just a hoax.

26 of 520 comments

  1. No surprise by JuggleGeek · · Score: 5, Interesting
    I'm not surprised. Spammers, phishers, and other scammers have obviously been hiring geeks to write software for them for some time. Without that, they wouldn't have armies of owned machines ready to send out their spam for them, etc.

    The Lycos screensaver has gotten a lot of press, and could certainly put a crimp in the spammers' pocketbooks, and spammers aren't honest, so why wouldn't they hack Lycos?

    1. Re:No surprise by kasper37 · · Score: 5, Insightful

      Hiring geeks? How do you know it's not geeks themselves doing the spamming? Just because someone is smart and has networking/programming know-how doesn't mean that they are immune to the draw of easy money.

  2. But ... they were "ready" by Joosy · · Score: 4, Funny

    Clearly it must be a joke, since a Lycos rep is quoted as saying: "There's a risk we will receive some denial of service attacks in the next few days but we are ready."

    --
    I'm sick and tired of these hip, "ironic" sigs. This is an actual, honest-to-goodness no-nonsense sig!
  3. obligatory by Neo-Rio-101 · · Score: 4, Funny

    Lycos, shortly after producing a screen saver to fight spammers using a DoS-style attack appears to have been hacked. ....and now totally slashdotted off the map to boot.

    --
    READY.
    PRINT ""+-0
  4. "Fighting" spammers by Dancin_Santa · · Score: 4, Insightful

    The way to "fight" spammers is by following the law and litigating against them. Childish things like using illegal hacking tools just puts gasoline on an already out of control blaze. More stringent laws and serious punishments for spammers are the final key to doing away with the vast numbers of spammers.

    The "technological" solution to spam has shown itself to be totally ineffective. The solution which has worked to not only put a small dent in the daily dose of spam but also enrich the general public has been to take the spammers to court and eventually to jail when necessary.

    Spam is like selling kids crack cocaine. No one wants that kind of shit in the neighborhood, but the only people willing to "take back the streets" are ninnies and other gang members.

    1. Re:"Fighting" spammers by Nykon · · Score: 5, Insightful

      Technology moves much faster than any of the law making parts of our government. A blanket law could harm innocent people, look at the rampant abuse of the DMCA? It had good intentions but was too broad and was abused for other purposes.

      Heck, even people in the infosec community have enough trouble keeping up with spammers from a defensive corporate security aspect, much less waiting for the government to do enough research to put together a law that may or may not be valid by the time it is voted on and put into action.

      Unfortunately, I think the spammers know this, and the best we can hope for is maybe stiffer fines. Then again with the money most of the big guys make off "email marketing", chances are they can afford a good enough lawyer to get them off the hook or a fine that will barely dent their pocket.

      Let's not forget the fact that laws are only valid for US spammers. You get a spammer using zombies or even servers in a country that could care less about American policy and laws, and all we have to fall back on is "technology" to aid us.

      --
      "It's better to be a pirate than join the Navy"
    2. Re:"Fighting" spammers by Anne+Thwacks · · Score: 4, Insightful
      Since it's pretty clear that the US law enforcement officers are unable to attack a doughnut, let alone anything to do with computers, I would not hold out much hope. Two spammers in 20 years is not a successful campaign.

      And don't tell me it's not Americans that are responsible ... how comes all the adverts are for American companies?

      Follow the money. If American banks had their licence removed if they passed money to spammers, there would be no spam.

      --
      Sent from my ASR33 using ASCII
    3. Re:"Fighting" spammers by ajs318 · · Score: 4, Insightful

      The problem is, spam is already illegal. We don't need new laws: we just need to enforce the ones we've got.

      It's been said on Radio Four that the biggest change ever to happen in the English courts was the one Joseph Swan made. That's far from saying anything is old-fashioned -- what it really means is we got the law about right years ago. Just because someone's using a computer doesn't mean the old rulebook doesn't apply. Freakin' think about what these guys are doing and try to metaphorise it into pre-computer terms. In the Olden Days, the nearest thing to "botnet spamming" would be breaking into my house, stealing my envelopes and stamps, and posting fraudulent and unsolicited messages to people {including some you looked up in my address book}.

      Using someone else's computer without consent is quite clearly simple trespass. That's a civil offence. If you discover that your computer has been misused by someone else, you can sue them for trespass to chattels. Simple trespass becomes aggravated trespass -- a criminal offence -- if the intention is to commit another criminal offence {such as fraud, drug dealing, breach of copyright or trading in counterfeit goods}. It's also quite likely that whoever trespassed with your computer either used force {breaking and entering} or deception {burglary artifice} in order to access it. If they turned your computer into part of a botnet then they are quite probably guilty of aiding and abetting other criminal offences. You're probably in the clear because ignorance of the fact is a defence.

      The only thorny question now is, what about the fact that someone can be around the other side of the world as they are committing these offences? For the answer, we need to think about what would happen if somebody was standing on a boundary line between two jurisdictions committing an offence. Also, if someone commits an offence in one country which is also an offence in another country, then they can be extradited to stand trial in that other country {unless they would face the death penalty abroad but not at home; in which the Home Secretary / Minister of the Interior / analogous government person would usually intervene}.

      What we certainly don't need are more laws.

      --
      Je fume. Tu fumes. Nous fûmes!
  5. Lad Vampire unaffected by Lost+Race · · Score: 5, Informative

    Lad Vampire is still going strong. It's similar to the Lycos thing but only targets 419 scammers.

  6. Stupidest idea ever. by Mordant · · Score: 4, Insightful

    Not only because the command-and-control server can be hacked and the hosts running the screensaver turned into a botnet used to launch DDoS attacks, as we see - but because a) the veracity of the so-called 'target list' cannot be verified to the degree necessary to make this even theoretically sensible (i.e., it could be gamed by those submitting false spam reports to induce the system to attack innocents, not to mention the PCs of innocents which have been compromised as spam-proxies along with the network infrastructures of their ISPs), but outbound DDoS can be just as devastating as inbound DDoS.

    This is the stupidest idea ever. I hope several someones end up suing Lycos over this, it's just moronic.

    -All- security measures should be predicated upon the sentiment expressed in Hippocrates' _Epidemics_ (-not- the Oath, that's a popular misconception) - '. . . first, do no harm'.

    1. Re:Stupidest idea ever. by flyingsquid · · Score: 4, Funny
      I agree. We should not be going after spammers with internet attacks.

      We should be going after them as angry mobs armed with pitchforks and torches.

  7. lol, bring it on by Mia'cova · · Score: 4, Funny

    Report me? haha. Knowing my ISP, they'd probably increase my bandwidth.

    I hope the guys who attacked Lycos are getting hit hard by their service. Keep it up Lycos! You're obviously hitting a nerve.

  8. Re:Attack! by FREELZEE · · Score: 5, Funny

    WTF... i can't tell if it's slashdot attacking these links or the spammers screwing them up. i guess we'll never know

  9. Re:Simple Way To Counter Lycos Threat by Streyeder · · Score: 5, Funny

    So, what happens when Lycos points their DNS servers right back at them? Maybe it would create a cyber time-space vortex that would suck websites back into the past? ;) An internet wormhole of sorts... Ok, time to turn off DS9 and get back to hw...

  10. People still download screensavers? by Prairiewest · · Score: 5, Insightful

    I'm amazed that Lycos thinks this will actually work, simply from the fact that I do not know anyone that has downloaded a "screen saver" for their computer in the last year.

    It used to be all the rage... yes, starting with AfterDark decades ago, and finally culminating in WebShots a few years ago. But does anyone really do this nowadays? Seriously?

    Maybe if it showed a random "babe/hunk of the day" while doing its nasty work it would be downloaded by more people...

  11. MD5 sum as of 11/26 by david_594 · · Score: 5, Informative

    I downloaded the installer on 11/26 when the first /. article came out and the MD5 sum of that file was: 237ee99dc7f35d2e2c0a8640086167bf

  12. "...is bad, you know this" by Romancer · · Score: 4, Insightful

    And hacking websites that attack spammers is fine.

    --


    ) Human Kind Vs Human Creation
    ) It'd be interesting to see how many humans would survive to serve us.
  13. Re:Works for me by Pathwalker · · Score: 4, Insightful

    At 3:06 am you downloaded AN EXE file.

    Do you know for sure it is the one you think it is?
    Do you know for sure what your system is doing?

    If the site had been compromised, how do you know that file is the one which was originally hosted there?
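
Added example (not part of the comment above, and not Lycos code): one way to answer the question of whether a later download is still the original file is to compare it against a digest recorded before the suspected compromise, such as the MD5 posted elsewhere in this thread. The file names and sample bytes are constructed; MD5 is used only because it is the digest the thread records, and a reference hash published on the same site as the download gives no independent assurance.

```python
import hashlib
import hmac
import os
import tempfile

# MD5 of the installer as recorded in this thread on 11/26 (value from the page).
THREAD_MD5 = "237ee99dc7f35d2e2c0a8640086167bf"


def file_digests(path, chunk_size=65536):
    """Stream the file once and return hex digests for MD5 and SHA-256."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def matches_reference(path, reference_hex, algorithm="md5"):
    """True only if the file's digest equals a reference obtained out of band."""
    reference = reference_hex.strip().lower()
    actual = file_digests(path)[algorithm]
    return hmac.compare_digest(actual, reference)


def demo():
    # Constructed stand-ins for an "earlier" and a "later" download of one URL.
    with tempfile.TemporaryDirectory() as tmp:
        earlier = os.path.join(tmp, "installer_1126.exe")
        later = os.path.join(tmp, "installer_1201.exe")
        with open(earlier, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1024 + b"original payload")
        with open(later, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1024 + b"replaced payload")
        recorded = file_digests(earlier)["md5"]  # noted at first download
        return {
            "earlier_ok": matches_reference(earlier, recorded),
            "later_ok": matches_reference(later, recorded),
            "later_is_thread_file": matches_reference(later, THREAD_MD5),
        }


if __name__ == "__main__":
    print(demo())
```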

  14. Re:Attack! by mr_z_beeblebrox · · Score: 4, Insightful

    Attack those spammers! Someone needs to stand up to them!

    Spam is a huge amount of traffic on the net, that is my problem with it. Turning clueless Lycos users into antispambots will not DECREASE the traffic on the net but increase it. Also, if joe blow user gets a screen saver that DDOSs a.b.c.d and said spammer goes out of business resulting in cox cable giving my grandma a cable modem at a.b.c.d do you really think J Blow user is going to know to get his screensaver updated or are a large chunk of them going to run the initial screensaver as long as they ran Win 98 unpatched (forever)?

  15. hopefully it's written better than that by frovingslosh · · Score: 5, Insightful
    I have not downloaded the screen saver and don't know how it works, but it would be a no-brainer to have written it to get its assignments when it goes active. After all, it certainly has Internet access (or it can't run up the spammer's usage anyway). So it just has to check a site, get one or more assignments, and start running up the spammer's bill. Not a bad concept.

    The spammer's response is a strong indication that it's a pretty good idea, and one they really don't like and see as an actual threat to them.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  16. DOS by Gilesx · · Score: 4, Interesting

    "DOS style attack"? Hardly - it actively monitors the servers to prevent them going off line. A DOS attack goes all out to take a server down.

    All Lycos is doing is sending hits out to slow down a server. How is that different to posting a link in a news article in Slashdot? We all know that will get slashdotted, yet links are still posted. In both Lycos' and Slashdot's cases, something deliberate is done which causes a degradation in server performance. I don't see how it's any more of a DOS style attack than slashdotting a site.

    --
    Sunday you're Thinking Different, Monday you're a huge tool, paying too much and waiting to think like everyone else.
  17. An alternative and legal idea by cliffski · · Score: 5, Insightful

    Does this make sense? I've seen it suggested somewhere:

    One of the problems with spam is all the companies selling software that 'sends ten million emails a day'. Given that this is hardly likely to be for legitimate use (does your company have 10 million subscribers?) here's a way to hurt their pockets.

    Go to google
    Search for bulk email software
    Click once on every google ad on the RHS.
    Repeat each day.

    Every click costs the spam (sorry *direct marketing*) company maybe $0.05. If everyone on slashdot did it, these companies would be hit bigtime. Their ad budgets would be used up, and their conversion rate would be zero.

    It's not going to rid us of spam, but it IS one way to fuck up the assholes that make this stuff so easy.

    --
    DRM-free indie games for the PC and Mac: Positech Games
  18. Re:There we go again... by evilviper · · Score: 4, Informative
    You're wrong on so many counts here, it's amazing...

    The following are clearly completely untrue:
    (x) Mailing lists and other legitimate email uses would be affected
    (x) It will stop spam for two weeks and then we'll be stuck with it
    (x) Users of email will not put up with it
    (x) Microsoft will not put up with it
    (x) Requires immediate total cooperation from everybody at once
    (x) Anyone could anonymously destroy anyone else's career or business
    (x) Jurisdictional problems
    (x) Dishonesty on the part of spammers themselves
    (x) Countermeasures must work if phased in gradually


    All the rest are HIGHLY unlikely to be correct. For instance you suggest this is illegal by selecting several options, yet you haven't pointed to any laws outlawing it.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  19. Cost more than a nickel my friend by Blitzenn · · Score: 5, Interesting

    Those ads cost more than a nickel to click on my friend. Depending on the popularity of the search, one click can cost as much as $20.00 (that I have seen myself). My company uses this advertising method and it has been successful so far. Our per click advertising average is about $13.00. That's definitely per click too. I am sure other people who use this form of Google ad can confirm this.

  20. Re:Attack! by harrkev · · Score: 5, Insightful

    You certainly have a point. If an ISP gets paid to host a spamvertised web site, they do not care. All of the spam comes either from off-shore servers or zombies. This does not affect the ISP. The Lycos approach is not making this the ISP's problem.

    The thing that totally bugs me is that ISPs are not cracking down more on zombies. The terms of service should state that the ISP can read your outgoing mail if you send more than 500 emails a day. They can then shut down your connection if you are sending spam. If all of the zombies were cut off, spam would likely be reduced by 80%.

    I downloaded and installed the screensaver on Monday night. I like it. I certainly do not think that this is the perfect solution. But at least it may accomplish something! Every other spam tactic that I have seen to stop the source has amounted to a big fat nothing. Filtering your mail still works, but is a pain.

    --
    "-1 Troll" is apparently the same as "-1 I disagree with you."
  21. Re:Attack! by networkBoy · · Score: 4, Insightful

    I for one think restricting port 25 is a good idea.
    My ISP blocks 25 by default. If you contact tech support and request that it be enabled they bump you to tier3 support, who quiz you briefly to ensure you are capable of securing it and then open it for you. Not a bad deal altogether. The quiz is really just a checklist:
    1) You know port 25 is for a mailserver right?
    2) Do you know how to configure your mailserver so it won't be an open relay?
    3) Promise you won't send spam.
    4) Port 25 is now open.
    Works for me :-) (esp. when you consider how many Zombies that stops dead in their tracks).
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
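
Added example (not from either commenter and not any ISP's actual tooling): the two preceding comments propose a 500-messages-a-day threshold and an opt-in for subscribers who run their own mail server; the sketch below applies both to per-subscriber outbound port 25 connection counts. The flow record format, subscriber IDs and addresses are constructed, and counting connections as a stand-in for messages is an assumption.

```python
from collections import defaultdict

DAILY_LIMIT = 500   # per-day threshold proposed in the thread
SMTP_PORT = "25"


def sample_flows():
    """Constructed flow records: 'date subscriber dst_ip dst_port'."""
    flows = [f"2004-12-01 sub-1001 192.0.2.{i % 250 + 1} 25" for i in range(620)]
    flows += ["2004-12-01 sub-1002 198.51.100.7 25"] * 12
    flows += [f"2004-12-01 sub-1003 203.0.113.{i % 200 + 1} 25" for i in range(900)]
    flows += ["2004-12-01 sub-1002 198.51.100.9 80", "truncated record"]
    return flows


def review_outbound_smtp(flows, approved, limit=DAILY_LIMIT):
    """Return (suspect, exempt): subscribers over the daily port-25 limit,
    split by whether they opted in to run a mail server."""
    counts = defaultdict(int)
    dests = defaultdict(set)
    for line in flows:
        parts = line.split()
        if len(parts) != 4 or parts[3] != SMTP_PORT:
            continue  # skip malformed and non-SMTP records
        key = (parts[0], parts[1])
        counts[key] += 1
        dests[key].add(parts[2])

    suspect, exempt = [], []
    for (day, sub), n in sorted(counts.items()):
        if n <= limit:
            continue
        row = {
            "date": day,
            "subscriber": sub,
            "connections": n,
            # Many distinct destinations is typical of a relay-hunting zombie.
            "distinct_destinations": len(dests[(day, sub)]),
        }
        (exempt if sub in approved else suspect).append(row)
    return suspect, exempt


if __name__ == "__main__":
    suspect, exempt = review_outbound_smtp(sample_flows(), approved={"sub-1003"})
    print("review:", suspect)
    print("approved mail servers over limit:", exempt)
```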