Slashdot Mirror
Lycos Pulls Vigilante Anti-spam Campaign
davidwr writes "Eweek reports that Lycos is scrapping it's anti-spam campaign: 'On Friday, Lycos Europe gave up the ghost, posting a 'Stay Tuned' note on the MakeLoveNotSpam.com Web site it was using to distribute the screensaver. The Lycos Europe home page, which heavily promoted the screensaver all week, was also scrubbed clean of any references to the screensaver.' See previous Slashdot coverage from Nov. 26, Dec. 1, and Dec. 2."
fighting fire with fire doesn't always work
I can't believe the execs at Lycos even had the balls to O.K it as a plan, let alone develop and support it. Corporate sponsored DDoS attacks? What would have been next; MPAA sponsored screen savers that attacked BitTorrant link sites? SCO sponsored screen-savers that attacked kernel.org and Slashdot?
... i always wanted to be part of a botnet
Now if only spammer would follow the suit!
::day dreaming::
errr..
**"I find the anti-spam downloadable DDoS tool to be without a doubt irresponsible, possibly illegal, sets a really bad precedent, gives the wrong impression to users, and possibly the dumbest thing I have heard of this week," said Adrien de Beaupre, an incident handler with the SANS Internet Storm Center (ISC).**
besides than that.. anyone care to pull ye olde form and tick the right places for this particular 'solution for spam'?
world was created 5 seconds before this post as it is.
Really it's not that complex of a product to make and given that it seems to have been somewhat successful at accomplishing it's goal (or in fact too successful by actually DOSing the spammers) I don't see it as that unlikely that someone will go and create a new screensaver that is even more destructive.
Clearly there is at least some interest in fighting spam with DDOS even though it's not the best solution.
Personally I think this is a bit of a shame. I know a lot of people here weren't too keen on the aggressive style and dubious legal grounds of this scheme, but to tell the truth, if there was a possibility it would eradicate or at least slow spam down, then I'd have to say I'm all for it.
Perhaps the problem here is that with Lycos being the single point of failure, as well as being a customer facing organisation, its position was just untenable.
There has certainly been lots of talk about building in such a system to mail clients, and perhaps having a distributed spam-attack system that way - perhaps this will be legally more tenable (they actually emailed you personally) as well as more resilient to pressure.
This sig has been deprecated.
What about existing users of the screensaver? Will it continue to work (i.e., flood spam sites)?
quidquid latine dictum sit altum videtur.
But who's to say it isn't still beneficial? Lycos probably caused some problems for spammers with this, or made them feel less secure, in the week this stunt was running. More importantly, look at all the publicity Lycos got out of this; if it wasn't for this spam thing I probably wouldn't have even thought about Lycos's existence once in the second half of this year, and probably you or most of the other people here wouldn't have either. Instead, thanks to makelovenotspam, they've been rescued for at least a moment from obscurity and irrelivance and they've been all over the headlines for a week. Meanwhile, by getting out now Lycos possibly avoids the otherwise-almost-certain legal problems from all of this.
... well probably.
Was makelovenotspam, in its short life, effective? Almost certainly not. Was makelovenotspam a public good? I'd bet not. Was makelovenotspam good for Lycos?
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Your post advocates a
( ) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which vary from state to state.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires cooperation from too many of your friends and is counterintuitive
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business
( ) Ideas similar to yours are easy to come up with, yet none have ever worked
( ) Other:
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(x) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
(x) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
(x) Bandwidth costs that are unaffected by client filtering
( ) Outlook
( ) Other:
and the following philosophical objections may also apply:
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures cannot involve wire fraud or credit card fraud
(x) Countermeasures cannot involve sabotage of public networks
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
( ) Other:
Furthermore, this is what I think about you:
( ) Nice try, dude, but I don't think it will work.
(x) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
How am I supposed to fit a pithy, relevant quote into 120 characters?
Lycos did win a minor victory in getting it's company name in the news again. Before this I'm sure most people forgot this company existed. Even bad publicity can be good "sometimes".
I propose Slashdot's editors agree to "accidentally" incorrectly rewrite one submitted link per week to point to the site of a major spammer. It will have exactly the same effect as the Lycos DDOS screensaver, fulfilling its necessary service now that Lycos has backed out, but lack the legal risks and require no new technological infrastructure.
Why not build this feature into an email client (e.g. Thunderbird). When you get a spam, you put it in a special folder and the client repeatedly accesses the site (a la the Lycos screensaver). That way nobody can be cited for orchestrating a DDoS or unfairly blacklisting. Each recipient can make their own spammer determination.
Whether the client uses the exact URL in the email (which often has identification codes for the recipient of the spam or the affiliate who sent it) is a matter of debate. On the one hand, I don't want to identify myself to any spammer or show that my email is live.
On the other hand, I would want the spam site to know that using my email address will only bring it grief. As a side bonus, it might even bankrupt the site when it has to pay its spammer affiliates for all the automated clickthroughs. If a greater percentage of people clickthrough via automated means (but don't buy), it harms both the spam-marketed site (in bandwidth and affiliate charges) and it hurts the spammer when sites reduce their clickthough payment rates. I can only hope that this will cause spammer-using sites to crack down on spammers that are too aggressive.
Two wrongs don't make a right, but three lefts do.
Netcraft is reporting this too. Check out there story here. I wonder if the fact that several Internet backbones were blocking Lycos's site had anything to do with them finally deciding to pull it. My guess is simply that this was creating too much bad publicity. Everyone was talking about how Lycos was using unethical tactics to try to stop spam. Lycos probably figured it was not worth it.
You do realise many spammers are from the Russian Mafia? Please don't be surprised when you find a horse's head on your pillow, and don't expect any sympathy from people who told you being a vigilante moron with the delusions of moral superiority is a Bad Thing(TM).
I stopped trusting Lycos the day I started finding this bloody thing on my customers computers. That they tried and failed at something so shady in the first place doesn't seem like much of a surprise to me. This was just some poorly done publicity stunt, probably dreamed up in by some PHB deep in the dungeons of their marketing department.
DOS'ing spammers has potential to make a serious dent in spamming revenue and actually lessen the amount of spam we see in our mailboxes. This is why spammers fought back so quickly against Lycos; they saw their bottom line being compromised. A big company like Lycos is not best organization to lead an attack against spammers because they are an easy target for spammer retaliation on the internet and have a lot to lose legally and financially.
Instead if a lose group of spam haters worked together to develop open source version of the "Make Love Not Spam" screensaver or something similar, you would end up with a much more formidable foe to spamming. The OSS version would need handle redirects (and not follow them) and would need to have a decentralized mechanism for distributing target information. If Lycos can put together 100,000 volunteers in a week or two, then it's not far fetched to see another similar open source project pulling similar numbers. Especially if it were available for both Windows and *NIX.
I know a lot of people don't agree with the concept, but I do. The law is getting better but it hasn't handled the spam problem yet. Making the business model invalid is a great idea.
Think of it as free speech... by having everyone visit the website, it's just like having an old fasioned sit in so the company can't do business.
Agile Artisans
While Lycos was on unsteady legal footing in terms of their targets (i.e. it's often tough to connect a web site to the spam sender) the MPAA and RIAA can easily prove that a particular user or BitTorrent link site is sharing/hosting/providing copyrighted material. It may be just a matter of time before earlier efforts to legalize RIAA and MPAA DDOS attacks are resurrected.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Vigilante really means "someone who thinks they are above everyone else and the law" which is basically the same definition as a criminal. In fact I would even go as far as to say Lycos are worse than spammers in principle - spammers don't target individuals they mail everyone they can find, and separate spam groups don't collaborate to fill your box, they are all independently adding their contribution. Vigilantes often make mistakes and because of their revenge attitude their punishment is often worse than the original crime. Take the recent Mexico City lynch mob, not only did they get the wrong people, but their burning someone to death demonstrated that they were far sicker than even the worst of those they were trying to target. Vigilantes are just wrong. Lycos should be prosecuted if they've broken the law on this, otherwise the law needs to be revised.
We can find a solution to spam and it doesn't need to involve stupidity.
This comment does not represent the views or opinions of the user.
Next, the spammers will start converting all the zombie PCs they now use for distributed email attacks into web servers that provide their advertisers a distributed source of order-taking. This means that unsuspecting PC owners everywhere will soon rack up astounding bandwidth overruns as URLs that point to their PC get entered into the SBS program.
Nevertheless, an SBS does strike directly at the spammers, raising the hoop a bit higher and perhaps winnowing out the less 'professional' among them.
The only sure cure for spam, of course, is to take the battle one step further, by consuming all the resources of the advertisers directly - call their phones, request literature, place fraudlent orders with non-existant CC numbers (that, of course, pass Luhn MOD 10 checking) and provide contact phone numbers that ring forever. This will swamp them with orders that tie up their sales staff, cost them money and ultimately starve them.
The only problem with "the final solution" for spam is that it takes individual effort on a daily concerted basis. So spam endures by riding on the backs of those so clueless that they actually order products from spammers and those of us too lazy to do anything about it.
Ain't humanity grand?
Call it what you want but it probably was working. I recorded a drop in spam that started last thursday and was proportional to the number of screen savers in operation. By the time it hit 104,000 savers in operation daily spam was down over 80%. I actually had three solid hours with no spam (that hasn't happened since 9/11). Historically spam rises during this time frame.
It's odd that attacking websites seemed to have dropped the amount of spam. Makes me wonder just how close the spam servers are to the spam website servers. Maybe the innocent victems we are so worried about are really the spammers.
Come on all you people - this was a probe - yack about good or evil and POST YOUR RESULTS!
What did this really do. I can't be the only one who tracks spam. Admins, what do you say?
i report every piece of spam i get and one thing i've noticed since lycos announced this program is the inclusion of the nvidia.com and yahoo.com domain names as active links in the spam.
this is no doubt an attempt to direct the ddos over to innocent bystanders.
lycos is going to have to realize that the only way to stop spam is to remove the financial reward to those who do spam.
don't buy from spamvertised companies and you'll see the spam problem diminish.
Is it 5:30 yet?
For the first time, the angry mob (people around the world with email accounts) have tasted blood and they want more. "The beast is wounded, quick, go for the eyes!"
It hardly seems important whether the notion of DOS-styled retribution is appropriate or even legal - no such moral or legal considerations have managed to control people's decision to download mp3's and movies for free.
This is history in the making, and as I see it, the real story is this; we have been victims with no means of defending ourselves, while our frustration and anger grow without end. Suddenly a revolutionary appears on the scene and give us hope, showing us how we can fight back.
It's no longer an issue of whether or not we will, or should fight back - the mob has tasted blood and will have more. As far as I'm concerned, it falls to forums like this one to "think-tank" relatively responsible solutions, and I've heard some good ideas here in the last week.
We all know someone is sitting in their basement right now, pulling an all-nighter, writing the next tool of mass-retribution, fueled by strong coffee and an even stronger hatred of spam. I suggest that if cooler heads are to prevail in any manner, it will be by creating a less-malicious tool of retribution, one which attempts to focus the attacks on legitimate "military targets" by requiring manual human selection of the targets, not by letting some distributed software select the targets automatically. Better hurry, the latter approach is probably more tempting to programmers who have succumbed to the blood-lust...
I've seen several mentions of "have your email program open all the links in spam."
I'm betting someone is modding Thunderbird to do this with any message that winds up in the spambox as we speak.
Of course, this would make everyone using such a program an unwitting participant in a Joe Job:
I want to bring down a web site, so I spam a link to it, and a million anti-spammers's mail programs visit the URL in a short period of time, knocking it offline or raising the bandwidth costs.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Instead of attacking the site, the screensaver instead should have merely hit each URL in the email body once, just as the users EMail client would do. It should then take the most prevelant URL to the website in the spam (prevelant meaning the one appearing most) and fetch the page and again fetch each image (etc) url on that page, just as what would happen if the user had clicked on the link in the email.
Why do this? Well, for one, it will make the spammer a very very lot of money very quickly. But two, it will cost the spammers customer a huge amount of money without any sales. The cost of doing business this way would be too high (assuming enough screensavers to do this). and spammers would either have to shift their model or pick another industry.
Worked. Got "lycos" on the tips of everyone's tongue. Got people to talk about spam. Got Lycos's brand in the news again. Now I'm suddenly seeing Lycos's logo everwhere where I never noticed it before, like at Wired News. No, its not new, I just never "saw" it.
This is a win-win. They exploited the anti-spam fervor and got attention which might translate into profits, loans, etc.
If those machines are dDOSed their zombie problem will get fixed in a hurry (because the ISP/owner won't want to pay for the traffic, which they will have to notice because the line is going to be completely saturated). I fail to see that as a bad thing.
Spammers invariably spoof the return path so it doesn't achieve anything (except for adding yet more useless traffic to the Internet).
It's more like taking the garbage off your lawn an scattering it up and down the street.
They didn't use it themselves.
They fully disclosed to users the functions of this screen saver.
The users intentionally downloaded it, agreed to the terms, and knowingly ran it.
I'd think blaming Lycos is legally dubious, at best.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The word's laws aren't protecting us, so this sort of thing is needed. These people are committing crimes of theft of service (including bandwidth, server resources, man-hours), and possibly hacking laws, with some of the methods they use (VERIFY, the use of mangled headers to bypass SMTP server protections, etc)
What happens when the law won't protect you? Sure, you possibly endure the crime being committed and lobby for laws. Or you go vigilante on them.
What happens when you're on the Internet with hundreds of different governments? You can't lobby them all and when you get laws in one country, they just move their operations to another.
You're essentially shit out of luck here, and vigilantism/mob justice is in order. You don't have to like it, but don't stop us.
fighting fire with fire doesn't always work
Actually Lycos is BRILLIANT. Just a year ago I would have agreed with you but careless Internet computing (primarily unsecured(able) Windows machines) and commercial spamers are ruining the experience for all.
Maybe it is time to fight back. I have no problem in running a program where if I click on a spam button, the senders IP gets 1-5% of my bandwidth for a day. This would raise their costs and throttle their output. Perhaps the upstream ISP would take note and cut them off like they should have done along time ago.
I also find it amusing that some network providors would cut off this site yet let spammers go wild. Using a method like this hurts them for their irresponsible and inconsiderate trespasses into our mail boxes.
What are the authorities going to do if 5% of the worlds PC users slam a spammer? Naybe that is a good name for this service, "spammerslammer".
OK programmers, give us an open source "Spammer Slammer"!!!
That a spammer's attack is spread out over millions of individuals is irrelevant. That's like trying to say it's wrong to steal $100,000 from one bank, but it's ok to steal $10 from 10,000 banks. You've still stolen $100,000 and that's what you should be punished for. If a spammer sends out 10 million spams, and it takes each recipient 0.1 seconds to deal with that spam, the spammer has still cost the recipients 278 hours of productivity. That's 7 weeks of work at 40 hours a week. Saying it's distributed over millions of people is just trying to hide the scope of the problem.
I would like to find a program from trusted distributor (open source preferably) that would do the following things:
:)
Would "suck" bandwidth from:
a) spamvertised sites I find in my e-mailbox; or
b) spamvertised sites other people I trust received in their e-mail box'es.
On a)
So I would pick from my e-mails web-sites I want to go down and feed the to the program. It is absolutely LEGAL. They SPAMED me, They PROVIDED their website, and they WILL PAY for extra bandwidth. I am free to post on the web these websites as BAD, NEVER-TO-GO-TO&SUCK-BANDWIDTH-FROM WEB-SITES.
On b)
I trust a few spam-busting sites, and I would be happy if some of those people *would publish addresses of spamvertised sites they received*. (Once again - perfectly legal). This could be published in RSS to which I would link from my program.
Final Result: many people would be getting addresses automatically from spam-busting sites via RSS every 4-6 hours. Those on spam-busting sites would update their RSS as soon as they see spamvertised sites going down, so resources of "bandwith-suckers" would not be wasted
This would hurt those who pay spammers and affect economy spam is based on.
For those who argue, that spammers would fight back and become more mean/ would apply illegal tactics: This is GOOD. The more illegal things they will do, the more likely they are going to be busted by law enforcement.
I quess eferything is legal in my proposal: everybody is free to publish spamvertised web-sites he/she received and everybody is free to "suck" bandwidth from web-sites.
P.S. Of course program should pick only IP's from RSS, sucking should be made in non-rerotable manner and so on, but this is just technical details programmers would take into account.
Assuming you stick to actual spammers, who's going to sue Lycos over this? The spammers? Doubtful - they'd probably have to give up personal info in such a lawsuit. And my goodness, but wouldn't THAT be some kinda fun that we could all get into?
Life Insurance in Canada
You really don't understand much about this area do you?
Your confusing desktop architecture somehow with
SMTP and network topologgy along with most of the other aspects of modern computing and laying it at MSFT's doorstep.
I don't care for MSFT but you need to go read some
of the 'DUMMY' series of books. Start with
'Knowledge for Dummies' and work up from there.
Then drop msft and windows. Go to Linux. You will still get spammed. If the whole world stopped using Windows it still wouldn't matter. There will be spammers until they are slowly bleed out.
MSFT didn't create SMTP or any other email protocol ASAIK.
They did do many other things very very poorly. Like put out a sicko product like XP. You don't have to use it.
Anonymous Coward wrote on Saturday December 04, @08:50AM (#10996046)
Sadly, no, it wouldn't have the same effect. Links anywhere are subject to redirection by meta refresh tag and by DNS modification to point Web traffic to any other host on the planet.
Something like this has to be done the way Lycos was doing it, with human qualification of the target sites, retrievals by mechanisms less intelligent than browsers, and with monitoring of host/IP settings to catch DNS redirection.
Of course the open source community could come up with a substitute potentially even better than the Lycos tool...
Design for a Free Open Source Spamsite Hammer
The key to the legitimacy of a user doing this is that SPAM emails contain explicit invitations to visit the spamvertized Websites. There can be no implied or inferred limit to the browsing an invitee does on a publicly accessible Website, at least not within the range of what a human could or might do, even an obsessive-compulsive human who can't resist clicking on all the links he or she finds on the site that extended the invitation. Nor can there be any limit to the use of automated tools, as those have legitimate roles in off-line browsing of downloaded Websites. To the end of making the tool's HTTP requests indistinguishable from regular browser requests the retrieval tool could intelligently construct "Referer" headers and use a very common "User-agent" header, and request actual documents as a browser would instead of formulating invalid requests as the Lycos screen saver did. This would simply make it very difficult for a spamsite operator to figure out who is who and who is doing what.
The short version of the design spec:
The email-based target list builder should, if the final retrieved web page is determined by the user to be spammy, add to the target list any and all redirection sites along the way. Often the SPAM email contains the URL of a middleman redirector and it's not unusual for the second site to also be a redirector.
Once the user has confirmed that the target is a spamvertized Website, all redirectors leading there are added to the target list and the host/domain(s) and IP address(es) are logged.
The background process works from the target list, perhaps at a rate that is somewhat configurable by the user.
Using low-level TCP to retrieve objects should make it possible to avoid malicious HTTP redirection to innocent sites. Qualification of a target site and all normal spam response redirector sites leading to it is accomplished merely by the go/no-go determination by the user of the spamminess of the ultimate Web page retrieved.
The background process would do a forward DNS loo
Look at the bright side: there's always seppuku.