Slashdot Mirror
SpamSlayer - should we DDOS spammers?
pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them.
Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?
"
From TFA:Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?
Also from TFA:That's what I thought...what does Blue Security have to say in their defense?
Again from TFA:Sorry, Reshef, but what you are describing is a textbook example of a DDOS attack. Whether the site in question is actully shut down, or merely incapacitated, is beside the point.
This whole caper is a non-starter, especially so since a precedent for this sort of thing has already been established by Lycos Europe.
____
~ |rip/\/\aster /\/\onkey
Wouldn't it just be easier to slashdot a site owned by a spammer company?
For those who complain that ISPs end up footing the bill because the spammers don't pay, well, I guess they'll need to be more careful about vetting their customers next time. As if there are any really "innocent" ISPs hosting Internet "pharmacies" or "Rolex" dealers.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
I'm sorry, acting just like a criminal for revenge purposes, no matter how satisfying, is wrong. It just brings you down to their level.
Not only is this immoral, but in many places it's outright illegal. This is not the direction to go.
All it'll take is one spammer to file a lawsuit against these guys to stop them dead in their tracks.
1. Spam in Name of Competitor 2. ? 3. PROFIT
A couple of guys told everyone on Usenet about their latest green card scheme.
Should we bomb them into oblivion?
Or should we listen to the voice of reason and tolerate this behavior as a necessary evil, integral to the total freedom of the global Internet?
Sometimes I think we chose wrong.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
What if only once a bad guy manages to blame someone innocent who get's DDoSed? Should we hazard the consequences?
I don't suffer from insanity, I enjoy every minute of it.
What exactly are the "requests"? Are they e-mails? Packets? Also wouldn't one company sending the requests simply be a DOS attack not a DDOS since the extra D is "Distributed" and be easily blocked by the spammer?
This beggs me to ask, do twon wrongs make a right?
This also brings out the same issues of mob mentality. Who decides who is bad or good? Who leads the mob?
Evolution or ID?
Two wrongs don't make a right...
The best way to predict the future is to invent it. -Alan Kay
Would you feel better if we agreed to call it using the Slashdot Effect against spammer.
If you shoot me and take my wallet, you are a murderer and a thief.
If I shoot you before you do so, being reasonably certain that you intend to shoot me and take my wallet, I have acted in self defense, and there is no crime.
Not really a one-for-one analogy, but it does illustrate that shooting someone does have different consequences depending on the situation and purpose.
Is it just my observation, or are there way too many stupid people in the world?
Why are they doing this, when they could put their energy into tracking the spammers so they can be prosecuted.
Only sending spammers to jail AND taking away ALL their assets (cash/cars/houses) is going to deter them.
Instead of unsubscribing thousands of emails, how about subscribing thousands of fake emails ... which in turn would lower their return ratio and might even result in fail delivery messages, using up more resources.
-Rick
Does sco.com have an unsubscribe link? ;)
500GB of disk, 5TB of transfer, $5.95/mo
Spam wouldn't be a problem if people didn't actually click on the links. I've seen studies somewhere about the return rate on spam. While it is quite low, it's still high enough to make it worth their while.
Maybe we should establish a site that lists all the companies that support spam, and then boycott them. We could even have a plugin in firefox that would warn or block a site that was known to have used spam.
Since when did operating systems become a religion?
-- Thou hast strayed far from the path of the Avatar.
If you contact me, then IMHO you have agreed to accept my answer, which may consist of more than you expected. Want to stop it? Stop contacting me. Yes, I am aware that this might hurt "innocent" owners of compromised machines. If they can't handle what their machines start, then they're free to take them offline.
DDOS is messy but necessary at this point.
Perhaps it could be "tuned" to more agressively hit the ISPs that allow spam to freely be sent. Then the ISP would have to filter out spam to provide adequate service levels.
Ultimately spam must die from lack of interest. People must not respond to spam.
Help end the use of Sigs. Tomorrow
I think this is the link http://news.bbc.co.uk/2/hi/technology/4051553.stm to the BBC story about the Lycos screensaver that "slows" down spam site. They had to shut it down though because it started taking site down instead of slowing them down.
Basically this comes down to the moral idea of whether or not iit's ok to do things to those guilty of crimes (or other unacceptable actsl ike spamming) that would not be ok to do to an innocent person or entity.
So, do we cut off the hands of thieves?
As a side note, the idea of internet vigilantism is a rather interesting topic, and one that as the internet continues to expand could become inevitable.
Just a boy doing unproffesional IT work that's way above his head.
This is a common practice. I did some consulting work for a co-owner for one of the early email harvesting/organizing/sales/distrobution companies. (Not on his evil project though) He went through 6 IPs that year. Basicly, DDOSers would attack the entire node he was on, not just him, they would threaten the ISP. The ISP looks at the profit potential of one company, versus the cost of losing all of their customers and would boot him off their grid.
All in all a pita for him. But the thing that will shut down a spammer... Charge Backs. Anyone who deals with online sales and credit cards knows that the quickest way to lose your online sales abaility is to have a few people return their goods and demand their money back. CC companies hate this, and if you get more then a few over a year, you can bet your account is going to get revoked. And getting an ISP is a hell of a lot easier than getting a CC carrier.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Sorry, but I can't feel bad for spammers (or sites that support them) who get DDoS'ed. They make their $ by annoying millions in the hopes that hundreds will be gullible enough to buy their crap. What goes around comes around... and I fully support the use of DDoS attacks against these loosers.
Furthermore.. the repeated HTTP requets should include in their USER_AGENT header the following so it shows up in the logs ("LOOKS_LIKE_YOUR_WEB_SERVER_NEEDS_SOME_V1aGrA")
Spammers use unsuspecting third party email "from" addresses to to send spam. Spammers could also use fake unsubscribe links to redirect to innocent people's sites. Those people would be incidentally taken offline and might end up with tremendous bandwith bills. So this is just another bad idea.
When you start trusting someone else to tell you who's spamming and who isn't, you invite them to abuse that power; what guarantees do you have that Blue Security will never go to a legitimate site owner, and threaten to tell SpamSlayer users that the legitimate site is spamvertised unless Blue Security receive enough money?
I appear to have a blog. Odd.
For argument's sake, let's assume their stealth is better than your stealth and the wrong person gets targeted.
Who's going to profit from that?
Ok this is a dumb move on many levels. For one it is going to be illegal activity in many places and will give the "spammers" a legitimate reason to sue the people behind the attack. This also seems like an asanine solution to the problem itself. So spam emails take up so much bandwidth and we should solve that by chewing up even more bandwidth in order to shut down them down... If your stated goal is to knock these people offline then why not just directly try to penetrate their box and disable their computer vs. a DDOS. In both cases the activity is going to be illegal and in both cases your goal is the same so take the route that is more virulent to the target while causing less disruption for other users riding shared bandwidth...
News Reporters Make Tasty Polar Bear Treats!
...to make the world safer. I guess the ends justifies the means when we are doing our good deeds.
What would Alan Cox do?
Alan has shown enough reason, good judgement, and overall technical prowess to be the voice of reason in these matters. Ask him. If he says, "Sure. It can only help", then sign me up. But I don't think that he'll be saying that anytime soon.
But how do you correctly identify which sites to target. It will probably cause even more collateral damage than dns block lists.
Fighting fire with fire usually results in damage to both sides (friendly fire anyone?)
Creating a DDoS attack against a known spam source, although stress reliving and good clean fun, is not worth the potential legal risk. Aside from that, any action taken against spam retailiators takes attention away from the true problem, the spammers themselves. Courts are already ruling in favor of scumware vendors based on esoteric loopholes in laws that aren't to par with the technology they regulate, the last thing we need to do is getting people in trouble for taking shots at these morons. Once the laws of the land tell me I can use every avaliable bit on my internet pipes to blow these dirtbags out of the water, I won't do it. I hate spam, but I hate lawyers more.
Yes Lisa, two wrongs DO make a right.
Your personal mail server is blacklisted, or a production server is mistakenly blacklisted. "The whole company network is down? Because an AOLien said we spammed them? Well, that's ok... we'll just stop doing business until the DDOS attack is over." Ok, this is an extreme example that I'm sure will never happen, but you cannot tell me that any safeguards put in place will be 100%, or won't give the real spammers sufficent warning to stave off the attack.
Something everyone should remember is that unless you are directly connected to the spammer's LAN, you aren't sending packets to him directly. Every packet you send out travels many hops. Your ISP and everyone in between have to use resources to forward that packet.
I don't know about everyone else but I don't want my cable connection bogged down just because my neighbor feels like being an activist. Let's let the legal system do its job and use distributed computing for protein folding or other more worthy causes.
Even regardles of collateral damage, it's plain wrong, immoral and either illegal or it should be.
Don't you hate it when a new sentence starts in the middle The editors must really have been asleep on this one...
1, 2, 3, 4, 5... That's the combination on my luggage!
We can always start taking right nuts...
The truly evil spammers aren't going to follow the email advertising rules. They will hide where they are coming from or pay someone else to do it.
If the U.S Post Office sends people mail they take it.
When people watch TV they are inundated with 20 mins of commericals per hour; no choice.
Yet if a company follows the current federal laws on sending email they still get hammered. Just once I want to see a story about someone dumping an 18 wheeler truck of mail they got from the Post Office back in their parking lot.
The hypocracy of the hipster-dufus-script-writing-underemployed-geekdo
Cogito Ergo Sum
Regardless of the ethical issues involved, any DDoS does a lot of collateral damage. I've been on a subnet before where someone else's machine was attacked, but it made my own site inaccessible at the same time, and probably strained other people upstream. Retaliation attacks are likely to hurt a lot more people than just the spammers, however irritating they are.
Its not that difficult to stay off spammer's lists.
1. don't let people send you chain mail unless you are BCCd
2. Don't send out mail that will be forwarded.
3. Don't post your e-mail address on websites in NAME@dom.top form.
4. Don't subscribe to hoaky mailing lists.
I have done this, and I haven't had a problem, yet. If more people would learn how to manage their email, they wouldn't have to worry about spammers.
US Census publishes lists of first and last names, which can then be used by a script to generate fake e-mails, which then can be submitted to the unsubscribe website.
The idea is to fill the spammer's list of "unsubscribed" e-mails with worthless e-mail address, thus diluting the value of the list.
This method can also be used against ph15hers, too.
Making a DDoS attack SOP against spammers introduces other problems. Most of these spammer websites are on cheap shared webhosts meaning that when you DDoS the spammer's website you're likely also attacking many innocent websites.
Even if it's determined that attacking a known spammer isn't actively prosecuted, the fact that you're attacking perhaps many other people as well will most likely get attention.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
I know how to stop spammers from making money. No one buy what they advertise. Don't just ignore the ads, make a note to never buy from the companies in the ads. Unless they are *imagining* that spam increases revenue, this would have to work. Of course, I am surprised to think that someone buys the crap now.
My major concern as a sysadmin is to make my usage of bandwidth as effective as possible, and a high-volume spam day can be rough, esspecially dealing with limited resources. I didnt rtfa, but I'd imagine somthing like this would be implemented server-side, and it concerns us sysadmin types. DoSing the spammers would only increase your problems maintaining a healthy site. Spam is easy enough to filter out of end users mail, and frankly it gives me somthing to do when my thumbs come out of my ass. You know I'm right.
dustin
They need to upgrade from a DOS attack to a Windows attack! If all the spammers' machines were infected with Windows, surely some would subsequently crash and less spam would be sent out. That would be more effective than a DOS attack.
Constitutionally Correct
Or at least an arm's race and anyone who thinks that sunday school models of good behavior and just plain ol being nice is a better way to proceed, is being childish.
I wouldn't stop at email requests. I would hurl massive amounts of big frames at them all day like a REAL D/DOS attack. All you have to do is increase their cost of doing business a few percentage points.
I've heard of this being done with the annoying faxes coming in all the time; you know, vacations, mortgages and the like. Anyway, the guy I knew would fax the sheet back to the company, but to the telephone no. you were supposed to call. A few score of those would flood their phone system with faxes instead of customers.
untill the spammers website is hosted on the cablemodem of someone on your block.
symetrix. We are building a religion, a limited edition.
With SpamVampire you set your browser to continuously load images from a spammer's site. It doesn't deny service but it eats bandwidth which (theoretically) increases his/her costs.
Unless you want to publish pr0n,viagra or trips to Cancun on slashdot "SPAM" section.
/.'ers would skip the ads and jump right to the good articles.
Which I doubt it'll work, because most
Nice try, tho.
Two wrongs don't make a right. Three lefts make a right, such as attacking their ISP with complaints. [Considering they forgot about proxies]. Although I dont know what that has to do with turning left.
Should Saddam have been left in power, ensuring the termination of a million more?
Like 20 years of UN "Stop! or we'll say 'Stop!' again!" resolutions did any good.
Can we get a "-1 Wrong" moderation option?
Great guys now everyone is running to spammers defence. Spammers dont care about they do to you why do you care about their websites? They deserve to be in jail more than having their sites shut down.
These type of things are exactly what everyone *wants* to do to spammers, but we need to remember that they have rights just like everyone else. We can't go DDOSing a spammers site, and then get upset if someone were to DDOS a site we like.
Voice your opinion!
As much as I feel this would be total vigilantism, I look at my spam statistics and see we're averaging between 50,000 and 100,000 spams per day and I feel that something has to be done - if only because of the sheer volume.
While I'd never DDOS a spam site myself, it's only because I'm concerned about the penalty. If I knew someone else who was doing it, I'd certainly have no problem looking the other way.
Sit, Ubuntu, sit. Good dog.
...because it's illegal to castrate them.
Weaselmancer
rediculous.
If you catch someone in the act of doing harm to you or to someone else, don't wait. Act. Stop the harm being done, or being threatened.
It may be necessary, in the process of stopping the harm, to inflict harm on the attacker. Take care that your response isn't more harmful than that which had been threatened.
Failing to act in that circumstance is at best a reverse tragedy of the commons, in the general case laziness, and at worst is sheer cowardice.
After the fact it becomes mere revenge, which is a waste of time.
sigs, as if you care.
Yeah, it's probably illegal--but illegality can be defined with nails. Tap tap tap...
Two wrongs not making a right and all that... we know the drill. But it is undeniably wrong that spammers do what spammers do. With that in mind, we can either (a) wait until they see the error of their ways, (b) wait until sufficient legislation is enabled that will actually work or (c) do something about it ourselves.
A and B aren't working. C, at present, is the only answer we have available to us.
I want to say for the "record" (whatever that means) that marketing through email is okay with me so long as people WANT to recieve it. If someone out there WANTS to buy some descrete penis pills or any other "plain brown wrapper" item that's fine with me. And let there be a means for them to subscribe to the stuff. The key is Opt-in explicitly and without any tricks or gimicks and more significantly, an "instant off" function that will not require 4-6 weeks to update their databases (which is utter horse shit). Okay I said it... now let's move on.
We do everything we can to block these people. They do everything they can to avoid being blocked. Their attempts at evasion is proof positive that they know they are pissing off the world for profit. How many other business models work at public expense for personal gain? In effort to prevent at-large vigilante-ism, where should the line be drawn? As much as I'd like to pull over and beat the crap out of people with ridiculously loud stereos playing in their cars, it's wrong (and dangerous) to do.
I'm at a loss for what we should do about the problem. These people are essentially polluting the internet and it needs to stop. But how?
Yes, that's going to be extremely useful, because those unsubscribe links actually do anything at all, and the spammers without a doubt send all their mail from that webserver ... Now, excuse me while I go roll my eyes for a bit.
Mr. President, we are rapidly approaching a moment of truth both for ourselves as human beings and for the life of our nation. Now, truth is not always a pleasant thing. But it is necessary now to make a choice, to choose between two admittedly regrettable, but nevertheless *distinguishable*, postwar environments: one where you got twenty million people spammed, and the other where you got a hundred and fifty million people spammed. Hello? Hello, Dimitri? Listen, I can't hear too well, do you suppose you could turn the music down just a little? Oh, that's much better. Yes. Fine, I can hear you now, Dimitri. Clear and plain and coming through fine. I'm coming through fine too, eh? Good, then. Well then as you say we're both coming through fine. Good. Well it's good that you're fine and I'm fine. I agree with you. It's great to be fine. Now then Dimitri. You know how we've always talked about the possibility of something going wrong with the spam. The spam, Dimitri. The email spam. Well now what happened is, one of our base commanders, he had a sort of, well he went a little funny in the head. You know. Just a little... funny. And uh, he went and did a silly thing.
Hmm... should we kill our neighbors because their leaf blower is too loud?
Should we slaughter the wives and children of these spammers because they are infidels?
Should we fly planes into their buildings and gloat at the blessed terror?
For all the talk about how much better the world would be if it were run by geeks, I'm not sure as a group they've differentiated themselves from the current class of world leaders.
I don't know about you, but a majority of the spam i recieve has an unsubscribe link that goes to a website, or ip address, that doesnt exist, or is too slow to use in the first place. What's the point of DDoS'ing a site which doesnt work very well in the first place.
But to answer your question, on whether or not we should DDoS the next guy we don't like, Yes. He floods our inboxes with spam, lets flood his server with packets.
DDOS everything that gets posted on slashdot.
One of my company's customers has a nasty habit of sending extremely abusive emails to any spammers and scammers he finds signed up to his webmail system. The upshot of this has been his domain being joe-jobbed and our mail server being inundated with bounce messages. The upshot of this is much slower mail delivery and the people who received the spam complaining that we had been spamming them when we had nothing to do with it.
While I applaud the sentiment of taking the fight to the spammers and trying to hit them where it hurts, it's much easier for them to do whatever illegal thing they want to get back at you. Making yourself a target is a dangerous game and knowing how bizarre the law is these days I could easily see a lawsuit where a spammer sues and wins against someone who DDoS'ed their site.
If unsub sites get overloaded on a regular basis then I would not be suprised to see even the weak protections of CANN-SPAM lifed. Some companies really do unsubscribe people, and this defense would be gone, leaving us with more garbage then ever and a useless tool. You are also gonna hurt "legitmate" spammers who follow the rules more then phishers, scammers and other hucksters.
It seems the company chose a cute frog to head their anti-spam initiative.
Spam Slayer is the name of the column in PC World that the poster linked to, the company's product is called Blue Frog...
If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?
I already tried this, and it's harder than you'd think to take microsoft.com down...
If thousands of people do a joint DDOS against web site I suppose these legal web sites and companies will strike back. Yes they are most of them legal even though their acts are ethically wrong and sometimes their acts are legally wrong. This means they might want to go against my provider and sue it because it cant do legal selling on the Internet. It is really easier to sue a few ISP rather than john does or zomby computers.
;) If that is not users who decide whether a site is spamming but if that's a judge who decides so, I don't think he will tell users groups to launch a DDOS attack on the given website.
How long do you thing ISP will stand if legal companies want them millions of $ because of lost sales because their website went down ?
That is a good idea but it cant work unless supported by a law, and i do not think law will permit vigilant groups to decide by themselve whether a website / company is having wrong / illegal business behaviour. Or is the Internet like old Far West ?
The world belongs to those who get up early. - I'm far from being the king of Earth then
Below is a little perl script to load a spammers web site a whole lot, and keep track of how much bandwidth one "uses". Since they spam me to look at their web site.. I certainly look at it. Not in a DOS type of way but sequentially over and over for months. Since a lot of spammers(and people in general) pay per Gig of bandwidth this adds up.. Especially those people hosted on yahoo where you can actually watch the hundreds of dollars tick away. Step 1: Find a URL that is fairly large. You can do this by wget URL and see how large of a chunk is pulled down. Step 2: ./eat-bandwidth.pl URL 00
This will do it over and over again. If you want to only do 1000 interations put 1000 instead of 00. This script is just thrown together and I figured I'd offer it since it is fairly on topic.
By the way.. I don't claim to be a very good programmer but this script does the job and is pretty readable I think. It's free for all and for any use so do whatever you like with it.
Slashdot wouldn't let me inline-posted it so it's available at this URL:
http://208.36.232.50/eat-bandwidth.pl
Enjoy.
While I don't think it's a good idea to let IT vigilantes stop spam by launching what would otherwise be an illegal DDOS attack, it might be a good idea to allow this sort of thing as a formal punishment for uncooperative spammers.
Kind of like when the city boots your car when you refuse to pay your parking tickets, having law enforcement DDOS a spammer's site when they refuse to pay fines or show up in court might be an effective way to enforce anti-spam laws.
Over the weekend I got about 20 messages fed back from AOL members who tagged a message from a mailing list I manage as spam. This is an opt-in US government mailing list with subscribe confirmation and a clear unsubscribe link. The message was US government content. In other words, a list that does everything right.
Vigilantism relies on the vigilante's ability to accurately identify the evildoers. Such an ability is woefully lacking, even among smart people.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
This is definitely a bad idea, for a whole lot of reasons.
Firstly, as other posters have mentioned, this is illegal in most nations. Let's not stoop down to the criminal level.
Secondly, in conjunction with the first point, why should we all collectively bend down to play dirty to beat the spammers? Shouldn't we spend our energy and effort on something less destructive and low-brow? I honestly believe that someone (or someones) will eventually come up with a system to more or less replace the current email standard with equal user-friendliness (at least to the end-user, which ends up being the driving force, but user-friendly at the admin level would be great too) but also with built-in security mechanisms that make spamming unprofitable while keeping regular usage cheap.
Whether this system emerges from the current examples of hash-cash or somewhere else, I would say it is our best chance to stop the problem without stooping to criminality with what is basically a path-work solution.
And yes, I am aware that all systems have vulnerabilities, but to just throw up our hands in despair and say, "But the spammers will get into the new system eventually!" is to give up. We shouldn't just sit idly by and collectively play poor-me; we should be thinking of some new system and how to seamlessly get it into place (yes, Virginia, there'll be a time lag, it took about 25 years for email to become mainstream). Then, whenever the spammers figure out a way in (I'm hoping for never), we'll already have had time to think about, research, and develop a further system.
Let's apply a little brain-power to the problem instead of using what is essentially crude and criminalistic tactics. I, for one, am fully willing to devote my time and knowledge to solving the problem.
---
You can use any kind of HTML formatting that Slashdot accepts.
Generated by SlashdotRndSig via GreaseMonkey
You can't defeat physics.
There are plenty of RBLs that exist, they just tend to list originators rather than the companies being advertised.
The problem is when the people maintaining the lists don't handle the lists in a consistent manner, and start adding companies that they don't like for whatever reason, or don't provide some means for a company to clear their name, and be delisted. (and paying the list provider doesn't qualify).
In the early days, RBLs were effective -- but then people started automating submissions (spamcop), and people were throwing legitimate opt-in lists into the mix... the egos started kicking in, and they've since grown to the point where in my opinion, they're not effective anymore. (I'd rather get 50 spam, than lose one legitimate e-mail... but your values may be different)
A few forged e-mail messages, and you could effectively DOS a site by getting them listed when they shouldn't be -- that doesn't help anyone. The real solution is to track down the asshole spammers and deal with them directly and force them to lose money -- preferably making an example of them, to keep others from thinking they can continue to ruin things for everyone else.
Build it, and they will come^Hplain.
should we DDOS spammers?
If you believe we should rape rapists, then yes.
Why not? If it's legal for them to send unsolicited junk to us, it should be legal for us to send unsolicited junk to them. As already mentioned, this is pretty much the only way we will ever end SPAM. Laws against it are pathetically difficult to enforce.
Nothing to see here. Move along.
The only way it could turn out bad, is if the spammers learned a way to handle the traffic, and in turn, learn a way to defeat that method of handling the traffic.
Time is comparison of movement to other movement.
If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?
I never understood this kind of argument. The idea is to DDOS the spammer who is launching a DDOS on your inbox. The punishment fits the crime.
It's like talking about killing someone in self defence and some asshat replying, "If it's okay in this instance, it it okay to kill the next guy who does something we don't like?" No, because that person isn't trying to murder you.
Setting aside the legal and moral issues for a moment and just thinking about this from a technical point of view I don't think it makes sense. Spam increases the use of bandwidth and wastes resources. If anything the DDOS will just overload networks even more, and not just the spammers connection. If the DDOS is bad enough the effects can be felt by upstream providers, who may not yet have realized they have a spammer using their network. Also, consider that spammers tend to use rotate servers fairly frequently. If the box doesn't exist any more or is taken off the network, then the only one hurt by the DDOS is spammers internet provider. Yes, you can blame a provider for not kicking the spammer off quickly, and say they are part of the problem, but it is not fair to blame them if it just the normal amount of time for the abuse to be offically reported and confirmed before the account is suspended.
So many email programs and ISPs offer vacation messages. "I am on vacation, please call back later."
What if there was an "please unsubscribe me" option?
Assuming there is a good way to eliminate messages with forged headers, then when a spam score is high enough, an automated "please unsubscribe me" is sent out?
Forged headers get "attention forged headers on your network" to the closest to the spammer, upstream ISP's abuse address.
Considering modern spam blocking techniques, such has having 10 numbers attached to your email whenever you email out and discarding any "sub-email" that receives spam (i.e. the gmail trick), I wonder why denial of service things still show up.
I, for one, welcome the dying of our spam overlords as soon as gmail is out of beta!
Microsoft is pure dog-ma. FreeBSD is pure cat-ma.
but in the senate dont they call this kind of manuver a filibuster?
I understand the hatred of DDoS attacks, but would you support a program that made phishing sites less frightening?
(e.g. a program that populated all sorts of random account/password/ssn data into a phishing site's database, thus making their collection of actual account info significantly less useful?)
What phishing site is going to sue you for DDoSing them?
Whether there is a 'D' in there or not it is still denial of service.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
Maybe /. should have a 'Spam Site of the Day' link, where it would link directly to the poor loser who contracted spammers for marketing their products...
Hopefully someone, somewhere, is actually paying for the bandwidth...
But what if the spammers somehow spoof where the emails are coming from? I've seen before where I click on an unsubscribe link and it doesn't go to a site at all, but instead just times out because the link isn't accurate. What if they put my website for instant in and then my site gets DDOS'ed?
I'm not an IT guy by any means... just interested in reading about it. So if my logic is way off, just let me know.
Finance tutorials and more! Understandfinance
No good. We want spammers to STOP SPAMMING OUTRIGHT!.
Plus they do a big NO-NO: they tell spammers to "download our address registry to clean their lists". So, basically, when you put your address in blue frog, you are basically putting that address on a list that's going to be available to spammers.
Who in his right mind would do this???
Evil will always triumph over good, because good is dumb -Rick Moranis --Spaceballs
I recently found myself without net access - strong storm, network devices burned in the whole area. Great, finally time to test my phone GPRS capablities. In no time I had my network back up, first time wirelessly online. A bit slow, but will do. One major drawback - paid per byte, and A LOT to that. Ok, switching image loading in Firefox off, ssh to a shell account in other city for some IRCing...
But no email. Because my email gets filtered locally. And I get about 10M of spam for each 10k of data in email. Downloading it would cost me a fortune. Effectively - spammers cooperatively DDoSed my mailbox.
Why shouldn't I repay them?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Two of the companies I worked for were classified as spammers. One earned the title rightly for one month's worth of email ten years ago, the other earned the title because of a VP who liked to forward jokes to everyone he knows.
In each case, just that designation made it hard to do business. The domain name for each company was blacklisted in some places, including Yahoo. For a technology company, losing the ability to send email to real customers is a curse.
Even posting on message boards online (ahem) has gotten my email address (not associated with the above companies) used as a spam reply to. I get please remove messages from people, bounced SPAM, etc. It's to the point Yahoo even randomly checks my ID to see if I'm really a person. I'm paying the price for these spammers to do business. Should I pay more of a price because I post to usenet? Should people flood my email account with malware because someone else used my address as a replyto?
The problem with SPAM is it works and works well. It costs a few dollars to generate thousands of leads, meaning if you sell one thing to one of them, you make money. The month of SPAM was how that first company really got it's start, after that it went to more traditional forms of marketing. Only once SPAM stops working will the problem go away. Odds are against that happening. People are too stupid. Violent methods of stopping SPAM hurt everyone, more than SPAM itself does. That's a little like saying if we shoot drug smugglers, they'll stop sending drugs. And, established SPAMers make much more than drug runners.
Here's to losing my Karma Bonus again....
I think any argument that DDOS'ing a spammer is made completely moot by looking at the example the Government has set with its regards to launching military attacks on other countries.
:)
DDOS away. It's not like we'll be killing children, is it
A few years back I was helping out a bio=-tech company with there IT secuirty issues. One such issue was constant spamming. ANyhow one day the head of IT thought, hmmm lets just bounce all this spam back. End result was a quiet word from the law of the land saying, whilst they agree in his approach, they could not condone such actions and poilitly asked him never to do it again or he might get in trouble.
Now if you bounce one back saying any further emails will constitute a charge if sent unsolicited, of course more legalised and at the top of the emil (lol how many emails from companies to you get with at the end a disclaimer saying if your not the correct reciepient do not read) and script a little billing bot to send out bills to the sender and there ISP. I'm sure you will at elast feel better and might get somewere other than the darn spammers stress syndrome.
How about this:
A bit of anti-spamware that (1) detects when a piece of incoming e-mail is SPAM and (2) downloads the page and submits forms with bogus information.
The spammer would then only get as many hits as SPAM messages he sent out. And, he can't complain about a DDOS attack, as he solicited every single response.
So frame someone as a spammer, send a few emails, get them shut down.
Sounds great.
The problem is that we have trouble properly identifying the spammers, and when they do the local jurisdiction may not impose a penalty.
But at least if we have their identity we can attack them.
What the heck is spam anyways? Ever since gmail, I haven't gotten a letter of spam.
My solution therefore was to simply filter it out and delete it - instead of downloading the email into an email client, my Linux server now filters it with procmail and SpamAssassin. Now I never see 95% of the spam I was getting - apart from an entry in procmail's log file to say particular messages were deleted.
As far as I am concerned now, that's my "victory" over the spammers and I consider it a "test of wills" to create or modify filtering rules to capture the spams that do occasionally get through.
I agree that spam is a big problem and big resource waster for corporates but they're the ones with the lawyers and budget to go after these spammers if it gets to that stage of proceedings.
For me, the little guy, it's about using my ingenuity against the spammers and, so far, I'm beating them because I detect and delete the majority of their trash before I ever get the opportunity to cast my eyes over it.
Sorry but as far as I am concerned, the people for whom spam is a problem are the people who refuse to simply go invest some time in learning about how the Internet and IP services actually *work* and actually do some "passive" combatting themselves.
At the end of it all, if most of us took some responsibility for our Internet life, viruses and worms would be a thing of the past and spamming would stop because no-one would ever see it and reply to it.
The sooner "newbie" users get off their backsides and stop treating their PC like a "closed box", the better it will be for all of us.
Let the legal system go after the spammers, life's far too short to worry about another crappy P2P application...
Gentoo Linux - another day, another USE flag.
I started out writing a comment very against this idea on the premise that the use of force is never an acceptable tool. However, spam itself is using force. If you are attacked first, I believe the use of force is acceptable, and this is the only time. The real problem is deciding who is a spammer and who is not. I'm not sure this is cut and dry and we risk running down a slippery slope.
What if each person who received spam fired back 10 unsubscribe messages, assuming the mail has a valid sender address. This is a complex issues, to say the least.
My email server is receiving 25,000 junk emails a month, and that's only the ones that SpamAssassin detects as spam. I get about 30 a day in my inbox that make it past SpamAssassin.
I'm so sick of seeing stock info, drug offers, and now porno crap that I'm about ready to just close the doors and give up on email.
Is this what the spammers want? Do they want email to go away?
Something has to be done about spam.
The above is not worth reading.
If they were legitimately just trying to unsubscribe people from the spam that would be one thing, but they seem to be here actually outright admitting to be intentionally performing a DOS. That kind of changes things, even if the DOS isn't so heavy as to take the spammer all the way offline.
DOSes are bad. DOSes are bad for many reasons, the main one being that they result in quite a lot of collateral damage. Yeah, you'll slow down the spammer. You'll also slow down anyone else who just happens to be leasing some of the same pipes as the spammer...
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Vigilante justice often becomes just as much of a problem as a solution, as its a system that lacks checks and balances. If this is popularized, I can see their standards devolving, and legitimate sites becoming victims, and that is unacceptable.
on the other hand, 90% of email is spam. CAN-SPAM is useful only as a punchline, and there is no forseeable solution forthcoming. MS's grand posturing about their new registration system is likely to turn into just smoke and innefectual mirrors. If this system can win back the mailboxes of the average citizen, I cant say I wont welcome it. Saying the ends justify the means is always dangerous, but are some ends worth the risk?
To err is human, to really foul up requires a computer
http://www.brendamake.com/numbers/
We should definitly do it like this http://ars.userfriendly.org/cartoons/?id=19990807& mode=classic
Why would the spammer care? If they are smart their html stupid take off my email website is hosted on a seperate computer/connection then their spam computer and so they will just keep spamming away but now anyone else who wants to unsubscribe will be unable to do so.
This would make more sence since TFA seems to assume that there is an unsubscribe link at the bottom of most spam.
Since most spam is illegal, why would they bother to put an unsubscribe link on their e-mails. If they do now, after this, they'll just remove it.
The best thing to do is to slashdot the spam URL's where one would click to actually buy something.
we're talking thousands of requests per day
Oh my gosh, that could almost be as many as one email every 8.5 seconds! How can their servers take it?!
DoS attacks are very effective against phishing sites. Most phishing scams utilize a CGI that e-mails the captured data to an e-mail address somewhere. By using a script which generates random data (see my sig), you can quickly render a phisher's data collection. Several factors can contribute to this. First, the flood of fake data can obscure the data that was captured from actual victims, Secondly, you can overflow the SMTP server that the phisher is using to process the captures. Finally, you may be able to fill the mailbox to which the captured data is being sent, although this is a bit harder with things such as GMail. However, the flood of mail from a single host may trigger sanctions at a free e-mail provider.
As a sidebar, I'm going to be releasing a new version of my anti-phishing tools in the next few days. I've added functionality which generates real-looking names and e-mail addresses and credit card numbers with valid checksums.
Chris
This is just another form of spamming. Anyone who generates unnecessary network traffic is a menace to the Internet.
Policing the Internet and making it an unwelcoming place for spammers is not "unnecessary." It's necessary if e-mail is to remain a viable, cost-effective means of communication.
Spammers love the kind of prissy-assed, holier-than-thou, arguments about ethics that people like you put up every time someone actually tries to combat spam. Bullsh*t. Enough is enough. If two or three months of attacks on a spammer's servers could get him to stop pissing off a million or more people a day, then let the attacks begin! If it makes a Chinese ISP stop writing web hosting contracts for spammers, then let's get going. If you don't have a viable plan to combat the ever-increasing volume of spam, then get out of the way and let those who do take action.
One of the reason this type of practice doesn't work (attacking back) on the internet, beside the obvious right/wrong arguments is that these attacts can be redirected. What I mean is that if I'm a spammer I could just use a competetors opt out site address, send spam and watch my competor be DOSed. Its not hard to do.
Just like it's "okay" to punish people with fines and imprisonment who do things society doesn't like. Or it's "okay" to go to war and start killing people in another country if those people are trying to kill you. Justice is usually just a form of sanctioned revenge.
Of course there's all this fear talk about vigalantism or "becoming just like them"... but frankly I don't care in this case. Pardon the drama, but as far as spam goes in the online world, we're at war, and a little retalliation is probably quite appropriate. In fact it is probably the only thing that will work.
As people are so happy to point out around here, none of the commonly proposed methods of dealing with spam will work. But perhaps that's just because we're not willing to use our greatest power. Nearly every spam advertises a site. If these sites were DDOS'd as soon as the spam went out, it might help.
Legitimate companies getting DDOS'd...? Well, we should be careful. But casualties of war are unavoidable sometimes.
Cheers.
(PS - I use a trained bayesian filter and only about 1 or 2 of the 500+ spam per day I get get through. But I still find the ever increasing spam epidemic outrageous).
Spammers operate at many levels and use many techniques. I question the use of legally murky tactics to shut them down. The community approach works best to solving this issue. Innovation from different groups each working to solve a small part of the SPAM problem.
They constantly change tactics to work around anti-spam software for example. They are sophisticated and are not going to just go away.
We must adapt and evolve. No one technique or strategy is going to get rid of them.
This is pretty simple. The internet is much like the old wild west of America with outlaws and vigilantes being chased by the rancher with good intentions or the vaunted sheriff on his white horse. In the end, they all shoot each other.
While today we allow police to carry guns and kill dangerous criminals, the average citizen is not allowed to just accept a higher calling to cleanse the world of annoying people, no matter how much junk mail they send out. Why? because it hurts society, everyone, when someone dies.
Ddos attacks are the same thing. There is extra traffic for everyone when a Ddos attack happens, it uses massive amounts of bandwidth which had limits... that's why it works. There is a reason why they are illegal.
On the other hand, if we decide that we like censorship, we can yield to a new overlord of the net and allow them to Ddos whoever they don't agree with. I guess it is your choice.
"Our Constitution was made only for a moral and religious people. It is wholly inadequate to govern any other" -John Ada
Let's add my email addresses to an easily downloadable file for spammers to use. Reminds me of an old Gary Larson cartoon where a bear had a "shoot me" sign on his back, it was called "pratical jokes of the wild".
I recieve many 100's of spam a day. I want to see it stop, and I have yet to see a spam message that was remotly intresting to me.
Now here is a thought, what if some people copted a zombie net and launched a DOS atack at the spammers and virus writers. for instance turn the zombie net to attacking the site that issues it's orders.
as to the DOS attak on spammers, all for it make them feel the pain they inflict!
How long before the RIAA gets permission to DDoS file-sharers, or entire P2P networks?
Didn't...this already happen? I can't find an article offhand (Googling mostly gives back results about the RIAA website getting DOSd. I'm not sure of the outcome, but I do know that a few years ago, the RIAA sought amnesty from laws regarding DOS attacks, so that they could DOS "known pirates". I'm not sure if they were ever granted anything relating to this though..but judging by the fact that I can't find anything relating to the subject, I'd guess that nothing ever came of it.
--- What
Blue security says that each member complains ONCE about EACH spam message received into HER email account. True, those email accounts are honeypot accounts, and yes, the complaint are sent automatically to the spamvertised sites. But so what? Since when is complaining unethical or illegal?
Do you really suggest we have no right to complain about spam sent to us? That we should sit silently while spammers shove their spam into our email boxes?
I think it is really about time we DO something to stop those spammers, and this looks like a really cool way to do so
Speak truth to power.
Until citizens can trace back spammers, and force ISP's to kill their accounts, the way RIAA/BSA does regarding copyright acts, then I guess it's all fair in love & war.
the only permanence in existence, is the impermanence of existence.
I would never participate in a DDOS attack against spammers. But I have to say, as bad as vigilante justice is, sometimes it just makes you feel good. I wouldn't look up a spammers home address and send him 50 pizzas - but I understand. I wouldn't hit Bill Gates in the face with a pie - but I understand. Honestly, spammers are asking for it. You keep polluting the internet and pissing off people long enough, this will happen. What do they honestly expect, that they aren't going to become targets? You reap what you sow.
My beliefs do not require that you agree with them.
If I were a carrier/backbone level provider, I certainly wouldn't want all this extra garbage traffic on my network.
I'm sure the rest of the network doesn't appreciate the potential increase in latency and packet loss these attacks can result in, either.
DDoS attacks are never a solution to a problem. They may hurt the target, but at the cost of wasted bandwidth for everyone else using the paths to that target.
Let's not start down this path. Please.
-Z
The way they tout it as a 'public beta' makes me certain that they'll try to sell this shite later. Who would want to pay for this?
- 31&res=l
Blue Security: "Hey, give us some money, we'll DDOS evil spammers for you!"
Me: "How do I know that's what you'll do with my money?"
BS (heh): "That's why you give us some fake emails."
M: "Well, that's nice, but in no way constitutes any kind of proof that your 'service' is actually doing anything. Much less anything effective/useful."
BS: "Did we mention that you get THREE fake email addresses? Three!"
Reminds me of this Penny Arcade strip:
http://www.penny-arcade.com/view.php?date=2001-03
Step 1: Offer to DDOS spammers for free
Step 2: ???
Step 3: Profit!
What's the stock symbol?
While I have little sympathy for spammers being attacked on the network, I think it's a bad BAD idea to attack spammers through their unsubscribe facility.
Think about it. If that facility is disconnected or nonexistent, as many of them are, they don't suffer. If on the other hand it's honest and it works, they're punished. And future spammers will simply know not to have such a facility.
Attack them through their smtps instead, please.
My mail server got hacked and ( )\/\/ |\| ) by some sleazebag spammer. It ended up sending a bunch of spam that had a URL to click on to "sign up" for their wonderful offer. After recovering and updating the mail server I wrote a quick little program that ran overnight that filled in this web form with garbage, but not random garbage that could be filtered out. To a machine each record looked valid. I ended up inserting over 200k records into their database making it worthless. I did it again a few times when I was able to get an IP address that didn't get blocked at the server.
Was it right? Probably not. Did it feel good, HELL YES.
If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?
-------
wow thats some deep musing on machiavellian political/liberty/justice theory, maaaannnnn. what a faggot. how many times has this dumbfuck topic beend iscused
This is exactly the sort of choice that incapacitates most people and/or organisations.
I think we can all agree that Spammers are a pest, and cost recipients of those messages (ISP's as well as their customers) millions, just to reduce that spam-avalanche into manageble proportions.
Yet nobody seems to have any kind of solution to halt this kind of collateral damage (that has to be payed, directly or indirectly, outof our pockets).
Should we just "lay down, and think of England", or should we have the right, *by absence of anyone else who can*, to defend ourselves against those who continuously seek to, among others, invade our privacy ?
Thats how feeble this "civilized" world has become : Everyone seems to have the right to do about anything they like, but responding to abusive actions (because nobody else can or wants to) seems to be *absolutily* forbidden.
Is this vigilantism ? No, as nobody seems to be able, or even actually wants to take that upon them (gouverments/police/ISP's). And no, I don't think that just *talking* about "getting tough with spammers" equals "doing something".
Blue Frog clients do not arbitrarily perform DDoS on spam sites. They complain about specific spam messages received in mailboxes belonging to our users. Our users exercise their right to complain about the spam they receive. They are merely responding to invitations to the spammer's website.
The Blue Frog enters the site and sends a complaint just as a user would do manually. It does not consume more resources from the site or from its ISP than a user could do manually. Many users have tried sending complaint to spammers at some point requesting to unsubscribe. We merely allow the users to do it in a safe and automated manner.
Our goal is to force spammers to comply with the Do-Not-Intrude Registry - to clean out our users' addresses from their mailing lists. When they do so, they will not receive even one single complaint from community members.
We perform thorough manual (human) validation on the spam messages we act upon, to prevent Joe Jobs and to make sure we minimize any possible impact on third parties.
Guy Rosen
Blue Security, Director of Operations
http://www.bluesecurity.com/
If you do decide to go vigilante and DDOS them, how do you know you have the right person/server? What if they DDOS you back? What if they hack your network and use it for spamming, thus incurring DDOS attacks on your network? I would be very careful fighting slimy characters with slimy techniques -- they might decide they *really* don't like you and gang up on you! XP XP XP
Computers are useless. They can only give you answers.
-- Pablo Picasso
If 1 million people contract with ACME Unsubscribers Inc. and authorize them to access their spam-inboxes, process them, and send unsubscribe messages to the spammers, then if a spammer sends a million spams and gets a million unsubscribe request, well, that's the way it should be.
If, on the other hand, unsubscribe requests are sent on behalf of a spam-victim without his authorization, that's creates two victims - the original spammer for DDOS, and the original spam-victim, for acting as his agent without permission.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Sounds like the lycos idea a while back, Make Love not Spam
They justified it by saying that there system didn't saturate the spamming site but throttled back when it used up 95% of the bandwidth in order to drive up the costs making it unproductive. Not fully saturated therefore not DDOS.
The bbc news site also ran an article on it
Warning, comments may not have been passed by the sanity department of my brain.
No, it's completely different...the individuls participating willingly would be more accountable for their actions than the ones whose machines are infected. Why shouldnt people that are infected be held accountable? Just because they didnt know they were infected? Seems to me in the court of law if I own a gun and it gets stolen due to my negligence in locking it up and making sure where it was at all the time and someone commits a crime with it, I would be held accountable to some degree in a court considering the crime was commited with my gun. Criminal negligence is a fickle thing in this country. Ever heard of kids dieing from playing with their mom or dads gun then the parents going to jail for not "securing" their gun inside the house. Case closed. Move along Matlock
This is an informal declaration of Net-War. This reminds me of the Scientology tactics years ago with the cancel and repost 'bots. The end result is that we all lose. The Net gets polluted with an endless barrage of spam versus spam --and what does it accomplish?
What we need here (and I'm not advocating anyone's system) is a way to charge for sending "certified" e-mail. It should be a small amount. Most of us would not notice the extra cost if it were just 1/100 of one cent per-email. But a Spammer would.
An e-mail "postage stamp" server of some sort would be an appropriate response for this problem. --Not the waste of bandwidth suggested by Blue Security.
Nearly fifty percent of all graduates come from the bottom half of the class!
*goes send spam in the name of all his competitors*
for this guy.
And after he's got in, his missions statement will morph into using our machines to spread spam as well as to attack his competition.
This is such an obvious scam I'm surprised he's still alive.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
The spammers can find a response to that kind of behaviour. They will add serveral outside URLs in their HTML mails, hidden to a human visitor (such as blank over blank or a link to a dot) but that a program will consider. And we'll end up DDOS legitimate websites that have nothing to do with the spams. And the DDOS on their site will be less, and the legitimate websites will sue us.
Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees?
Yes. If it works. We need something that works NOW against spammers more than we need ethical debates about how to prevent people from stealing large amounts of a de-facto public resource for their own personal gain.
The ability to send near instant character-based messages to anyone, anywhere for nearly no cost using ultra-high speed digital data links is a public good. Filling these channels with hundreds of millions of unwanted and unrequested commercial messages by taking advantage of a technical feature permitting the same message to be sent to millions of people at no cost is a theft of a new public community (abet a global community) resource.
We no longer permit private individuals or corporations to take unlimited amounts of other public resources like air, water, and frequency spectrum for private benefit. Why should we question the necessary means that are employed to prevent the theft of the newest public resource?
Spammers must be deterred. So at this time, whatever works to prevent this destruction of a new and fragile global public resource should be accepted.
For those of you saying Distributed Denial of Service (DDOS) attacks are illegal, please note that so is spamming, at least, in most of the countries where DDOSing is illegal. The "law", and even the legality of a law, means nothing to someone hosting a website in Zobimbique, where neither action is illegal and the Internet is considered science fiction.
Lycos's tool, which loaded images/websites over and over again via a screensaver, is a perfectly legitimate tool for increasing the cost to spammers. Many indicated that it was a DDOS attack, I do not believe so. That's akin to saying that sitting on CNN or Fox News's website and refreshing to get "the latest news" is okay unless other people are doing it.
We have two options for the future of our Internet. We back down and let lawmakers from our countries establish rules and conventions and eventually strip away our rights. Microsoft just bought Claria (makers of Gator, one of the notorious spy/adwares) and they have stripped the software from their spyware trials and (inside knowledge here) hired some of their technical staff to work on rootkit developement for Longhorn in ADVANCE, so that Claria will have an advantage in the spyware market. How's that for sanity and trust in our lawmakers?
The best thing we can have to law on the Internet is vigilante justice if we intend to perserve our freedoms.
OMG i just got spammed from bluesecurity.com! We better rush out and DDOS them.
Seriously, what's to stop a spammer from sending spam on behalf of a competitor, and laughing while BlueSecurity shuts down their website?
And who decides what is spam? BlueSecurity employees? A poll of users? A 13 yr old who scripts a bunch of canned messages to "BS" and says Microsoft spammed him?
Spam is Evil, but so is fighting spam *with* Evil.
-David
Network spam is bad in ALL of its forms. Ideally, the network would be nothing but 100% legitimate consensual traffic. Of course, that is impossible what with the huge amount of spam sent. But if we reply to spam by essentially sending out even more spam, we just overload the network with even more junk traffic. An eye for an eye leaves everyone blind, and if everyone resolved their net issues by sending out a massive number of unsolicited packets the whole thing would collapse under the traffic. We simply must remain mature and handle the spammers in a manner that does not have such a detrimental effect to overall network health.
Cyde Weys Musings - Scrutinizing the inscrutable
This is a a stupid idea which must be the grandfather of all stupid ideas! Doesn't ANYONE remember Canter and Siegel, and the numerous DDoS attacks on their ISPs back in 1995?
It's been a decade, and a DDoS attack is the best thing they can come up with in response to spam?
--Og
All,
I think Reshef should do what he wants to spammers. However, basing a legitimate company on DDoS attacks against spammers will only lead to ruin.
If he wants to do this stuff he needs to keep quiet about what he is doing. Otherwise the spammers will take him to court and win. He needs to operate the way they do, in the shadows....
He is a vigilante, and we'll get the same guilty pleasure from hearing about his actions as we got from watching Charles Bronson in the Death Wish movie series. Make no mistake tho... technically a vigilante is a criminal, whether his heart is in the right place or not.
A vigilante's work is very lonely and the smart ones don't call attention to themselves.
l8,
AC
...a lot of people taking the moral "high ground" on this one and deriding these types of tactics. Let me draw another picture:
Rather than taking an offensive stance, let design a system that runs in a distributed way (a network) that can detect a particular spam email as it is sent out to millions of addresses. Then, merely in response to that event, the nodes on the network coordinate to create an automated reply to unsubscribe from that piece of email.
Now, I am sure there are those among you that would argue that this is a DDoS type approach. And it is. Except I think you'd stand a very good chance in court (if it ever even made it that far) of arguing that is perfectly legal. Spamming is illegal, and they are required to provide a link to unsubscribe. In the case that they do not, some nodes on the network could sleuth down the appropriate address to send the request to and provide it to other nodes. Thus, the network would never initiate an attack, it would merely recognize and respond (using the channels provided for in law) to the emails that are sent out. Sure, the end effect would be a DDoS, but so is a Slashdotting - and that isn't illegal.
I haven't done my homework on the wording of the law that makes a DDoS illegal (besides, in whose jurisdiction is it illegal?), but there are so many DDoS-like events on the web that the law cannot make them ALL illegal, and if Slashdotting is OK, I'm sure the scheme outlined above would be OK, too.
As long as the requests come from identifyable email addresses, and as long as there is no coordination between nodes to synchronize, the mere crap-flooding of spammers ought to be supportable. If for example, corporation were established with n number of departments, each with their own name - ie BasketGrapeKnittingDepartment@weluvspam.com - each of which choose to express thier desire not to be spammed by means of a shared "DoNotSpam" registry - which happened to be occassionally sorted with the worst spammers first - the operation could be entirely above board - what makes spammers illegal is that they hide their identity - as long as a registered business unit were offering the service - it would be legal - if a spammer didn't like it they could show up in court and er. get their ass arrested for spamming.
AIK
I just asked if all I have to do is to spam them.. Makes sense, if I hit them with a little made up spam, maybe they'll hit me back.. If they do, I'm gonna love it for sure.
Does this keep coming up? Hello, here's an idea you're on a network with OTHER PEOPLE.
Sure ddos [say] slashdot.org you'll also take down osdl, anyone at the colo with slashdot, etc, etc...
Seems every 6 months someone comes up with the briliant idea of flooding networks.
You know how you stop spam? You make it totally non profitable. You know how you do that? You stop using a 30 yr old e-mail protocol and add a hashcash or something.
For most uses of email hashcash is good enough. For things like mailing lists a whitelist would work as well.
But of course that's SO F'ING OBVIOUS that nobody will implement it.
Someday, I'll have a real sig.
There's another name for this sort of activity: "Lynching" There's a good reason why one isn't supposed to take the law into one's own hands. It's because, however noble your intentions, there are no checks or balances on your actions; no safeties or limits.
I HATE spammers. When I'm bored, I shut them down by tracking relevant data about them, and reporting them to their hosts and domain registrars. But who decides who the next "spammer" is? When I get spammed, even that isn't strong enough evidence for me. My next step is to ensure that it isn't an isolated incident, and so I go search the web to see if they've been added to a database/blacklist, or are on any of a number of spammer watchlists. Once I've got enough evidence to be able to convince a host/registrar, as well as myself, THEN I take action. But... how many vigilantes would take these extra steps? How many would simply go along with the crowd? "Hey! It's a spammer! GET HIM!!!"
As much as I hate what spammers do, I simply can't condone this kind of action, without some kind of safety net for false positives. We're seeing something of a double standard here. What if, instead of discussing actions against "spammers", we were discussing actions against "terrorists"? Biometric tracking? Millimeter wave scanners? RealID? We've all seen how many people get strip-searched, end up on no-fly lists, get arrested for not having the right paperwork or IDs, and have any number of other civil rights violated. We're constantly demanding that we have some sort of guarantee that we're not going to end up flagging the wrong individuals. I agree wholeheartedly; we'd damn well better ensure we're flagging the right people, or the system is pointless, and the "terrorists" will end up laughing all the way back to the compound. So... where's our safety net here, folks?
If we could legitimately do something like this, there wouldn't be a need for it, because it would mean the authorities would already be doing so. What happens on the day someone decides that Bob's Direct Mail service is "close enough" to spam, and we should start targeting them? How about Bob's Direct Mail Order? Bob's Direct Shipping? Bob's Joint? Who decides the next target? What if it's just a personal vendetta, and isn't even accurate? What happens when 20,000 people take that person's word for it, without doing any of their own research?
Yes, something needs to be done about the spammers, but this sets a dangerous precident. What's the solution? Hell if I know, though I suspect it's a combination of legislation and education. I just know that this has enough problems to have been condemned by almost everyone here, if it had come from the opposite direction.
Unfortunately we do need to throw DDOS attacks at the spammers, because dragging them out of their caves, putting them on live television, and punching in their eye sockets and teeth with a claw hammer is not currently legal.
Using DDOS against spammers would be like the immature admins on game servers. If you're winning, you must be hacking, so they kick/ban/etc you. It's like the "herd" mentality. For example, you're not in our club/gang/group so we take steps against you. Two bad methods don't equal right. Let's prosecute them under the current laws or lobby for better legislation to cost the spammers money. If you cost them money they will stop or slow down dramatically.
As I watch my server crawl with thousands of spam smtp requests on one screen and read this story on another...I think, let the war begin!
T o: "uzhl"
Now sending floods to unsubcribe lists, is not the way to be doing it however.
The attacks should be directed at the injecting IP.
In the example below, I direct a ping flood to: 219.86.51.137
Further, you could parse the body for the web sites actually hosting the spam.
As well, you can have scripts automatically send notifications to blacklisters and abuse departments of the upstream providers.
net.tw ---> http://www.pigo.cn/index.htm gets abuse complaint.
(Now if I could only write in chinese)
Further, you could hack the injecting box:
Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-07-18 10:40 MDT
Interesting ports on 219-86-51-137.dynamic.tfn.net.tw (219.86.51.137):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp filtered msrpc
1025/tcp open NFS-or-IIS
Looks like some juicy ports.
Example Spammer Header:
>From ahzu6.j93m6@yahoo.com Mon Jul 18 10:22:54 2005
Return-Path:
Received: from 142.127.184.144 (219-86-51-137.dynamic.tfn.net.tw [219.86.51.137])
by ns.qualico.ca (8.9.3/8.8.7) with ESMTP id KAA23411;
Mon, 18 Jul 2005 10:22:54 -0600
Message-Id:
From: =?Big5?B?dzahuTahuTYyMzo1MjoyMQ==?=
Subject: =?Big5?B?GwgYsdAUsXoVvHYCpPkDsMURv+gIIRMhEggI?=
Content-Type: text/html;
charset="BIG-5"
Sender: "w66623:52:21"
Reply-To: ahzu6.j93m6@yahoo.com
Date: Mon, 18 Jul 2005 23:55:06 +0800
X-MimeOLE: Produced By Mircosoft MimeOLE V6.00.2600.0000
And how long will it take before a bitter spammer sends out 100 million emails including links to anti-spam sites or ISPs who have kicked them off in the past?
I generaly don't like using clichés, but I think this one is called for. Two wrongs don't make a right. We're supposed to be better and more disciplined on the net than spammers. DDOSing them will bring us down to their level. There's more than one way to skin a cat.
Specks
Batteries not included
Yeah, I saw it. Didn't like it.
That principle is older than Batman Begins, though, or even Batman, and probably older than the written word.
sigs, as if you care.
Is going to the DMV and waiting on line a DDOS? no, it is following the procedure as it has been recommended by the provider.
Before you can ask if using the function is a denial of service answser this question: Is sending spam a denial of service attack? I have had to cancel email accounts because of all the spam. Did the spammers attack me? Did they deny me access to my email by raising the noise to signal ratio to the point that I could not use it anymore? I certainly feel that they did.
Now, the only reason that the spammers would have a technical issue is if they were not prepared for all the cancellation requests that come through. In that sense it is like a slashdotting. When a site gets slashdotted we laugh and say the site should have been on a better server, with more bandwidth, etc, etc. So...if the spammer cannot handle the cancellation requests maybe it's his fault. Maybe he should have vetted his mailing list and not sent emails to uninterested parties. Maybe 10 year old boys dont need viagra, cheap diabetic supplies, and hot lesbian horse action. Some discretion and discipline in advertising practices could help alleviate this problem.
Fact of the matter is that each spam email out is supposed to offer a chance to cancel the mailings and get off the list. If the spammer cant do that he is in violation of the law. I dont care if he has too many cancellation requests. I dont care if everyone who recieves it cancels.
If they dont want attention then they should not advertise.
It seems that this is counter to what we shoul dbe doing. While some spammers use the unsubscribe links to verify your address, others actual use it to unsubscribe you. Do we really want to make it so every spammer will not unsubscribe you? It seems we should be encouraging unsubscribe links (and the proper use of them) rather than discouraging them.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
What's a spammer going to do, call the cops? Seriously, sometimes vigilante action is the only way to deal with criminals, particularly on the internet where law enforcement is nonexistant. If law enforcement were capable of fixing this problem, we wouldn't even be discussing it right now. Instead, I'm receiving 2500+ spams per day, all illegal.
Do you have ESP?
I have seen a common thread in many of failings of society to deal with the evil de jour.
Do spy cameras in our cities cause crime to drop to zero, no.
Does the criminalizing of handguns prevent shootings, no.
If the money spent on the lobbying of the two above issues and development of detection technology had been spent on developing ways to minimize damage when someone does something stupid instead of trying to prevent them from doing it, these things would be non-issues.
The same can be said about spam. Don't try to prevent spammers from spamming. Spend your development on filters to minimize their effect.
You will never have control over "the other guy", nor should you. Focus on protecting yourself instead of controling others.
BTW - I get maybe 1 spam per day in my personal email. I have good filters. Yeah, it's not zero, but the filters are getting better faster than the spam is.
DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
Everyone has overlooked one very obvious perspective with all this discussion about spam, DDoS, vigilante-ism, etc: It's all part of God's plan. There's a reason spam exists just like there's a reason DDoS attacks exist. Just because we may not know that reason now, doesn't mean that it doesn't exist.
How about faith as a firewall? I doubt God gets many e-mails about Viagra...
The fact that so many people are seriously considering vigilante-oriented solutions to these problems calls attention to the woefully inadequate enforcement resources we have.
I am still dumbfounded as to why ANY of the ~200 (or less) spam-gangs (as documented by Spamhaus) who are responsible for 80% of all spam haven't been taken down? I don't buy the jurisdictional problem excuse -- most of them are in the states and all of us know they can be easily traced. Almost every one of these spammers are engaging in multiple criminal activities, including computer tampering, fraud, copyright infringement, RICO violations, identity theft, ponzi schemes, and more.
The biggest casualty of spam is the theft of bandwidth and network resources. DDOS'ing the spammers, while effective in that it may increase their cost of doing business, compounds the problem.
However, at this point, since the feds seem incapable of doing anything about this, I'm unwilling to write off any approach that might wake them up and get them into action. Our country does have a history demonstrating that civil disobedience can be an effective catalyst when the status quo is ambivalent. With that being said, I wouldn't personally endorse anything of questionable legality, but at the same time, I can't help but respect the role of such tactics in history.
Still, it just boggles me that a few FBI agents haven't done something as simple as toss up a few PCs on a cable connection with a packet sniffer, and begun documenting the propagation of worms and how the spammers are operating. It would take no more than a week to build a solid case against so many of these operations, you could pick-and-choose which perpetrator would be the easiest to prosecute. So why hasn't this been done?
First, spammers that use their own machines DO pay for raw bandwidth, so they DO have a higher cost for sending a million emails a day than for a thousand.
Second, spam-friendly ISPs, if there are any left, charge a LOT more because they can.
Rather than charging $0.01 in cold hard cash, where greed can become a factor, do what many have suggested for ages - send a challenge that will take several tenths of a second to several seconds of CPU time on a typical PC per message to solve. Give "trusted" servers a free pass.
Now, as for the spammers that use stolen cycles, "Book 'em, Danno."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's about time.
trace back where the spammers are tring to get customers to go and blast em.
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
We've been doing this for some years in the Netherlands now and even got a special word for the html-page filling in the forms on the spammers website, it's called a "braatolizer". The process of filling in is called "braten". It's really effective against spammers. Ok, so it's illegal... It's also illegal to send spam. Ok, so you overload the network of the host, they shouldn't be hosting the website at all. There's a simple remedy, take the website offline.
http://spamdos.sourceforge.net/
but as my signature and journal entry show, legitimate methods of complaining to service providers often don't work.
I'd give 'em an award for "most idiotic business plan of the year" but that already went to Lycos Europe for the same "DDOS The Spammers" idea.
... a DDOS network. Hope you have a bigger internet stashed away somewhere to do this with.
If spam were mostly coming from dedicated "bulletproof" spamhauses, then great, I'd say "dodge this" and let 'em have it. Most spam is coming from zombied machines. So their plan effectively involves DDOS'ing
I am no longer wasting my time with slashdot
I always wondered why is it that companies that use spammers cannot be targeted or prosecuted. If we stop companies or those small web shops from using spammers, we will stop spamming, at least that is how my logic works :)
There is always an address, phone number or a website of some "provider" in those spam messages, otherwise what's the point of advertising.
Can it be done, or am i missing something?
I remember last year Symbiot came out with a system called iSims or something for a similar purpose... http://www.symbiot.com/
-tom
All we need to do is post their URL on /. - that way, all the traffic is legitimate visitors, just checking out another "cool link". For example, this site, which sends out tons of spam to my inbox: http://www.xacm.tearnmorbout.com/
http://www.dscg.outhatutfile.com/
They are located in the British Virgin Islands, but I bet I could see the smoke from their crumbling servers here in Northern Canada. I for one say Nuke The Bastards. Maybe not a very Canadian attitude, I know, but I am sick and tired of loosing the war on spam by fighting ethically. Once in a while it's nice to kick your opponent in the balls and watch them drop to their knees in agony and surprise.
"Apparatus dignosco occultus, satis non supernus."
Let's assume the law passes and spammers are exempt from no-DDoSing laws.
The way to determine whether DDoSing is okay is by having a trial to determine whether the party which is about to be DDoSed is, indeed, a spammer. But, once a spammer is being determined to be a spammer by a court of law, such vigilante tactics are no longer needed.
This law is the equivalent to having a law making it legal to shoot criminals in the head. The only way to determine whether someone is a criminal would be to try them, and by the time this is done, vigilante justice would have no point.
The spammers drew first blood.
Eternity: will that be smoking, or non-smoking? I Corinthians 6:9-10
OK, we all know that those unsubscribe links/instructions in spams are almost completely useless, and that spammers often just use them to validate their mailing lists.
But what if there really were a machine-automated mechanism to automatically unsubscribe from all the spams you receive? I mean, it's not their fault if, incidentally, the more spam you receive the more unsubscribe requests you send, possibly killing their server. And if they do honor unsubscribe requests, then this service would still be valuable.
I think framing it as a DDoS attack is bad, but the underlying idea of using machines to send unsubscription requests are good. If spammers realize that almost every e-mail they send out will get bounced back by a machine-generated unsubscribe, regardless of whether or not they're reaching real eyeballs, that may very well invert the incentives for spamming.
Haha, man, that "smouldering ashes of your mail server" put the funniest picture in my mind. You just made my Monday a whole lot better. =D
Bring them here, and slay them in my presence. Sounds pretty "vigilante" to me.
"I'm just here to regulate funkiness."
A year or two back, Dalnet (one of the largest IRC networks) went down for a few weeks in what looked like a spectacular and sustained DDOSing. When they came back, they had changed the rules about allowing warez/etc channels, and had a pre-emptive "This is not because the RIAA/MPAA put pressure on us" FAQ... Official line or not, I'd say the RIAA/MPAA has already experimented with DDOSing their enemies.
Not thousands of requests! What ever will they do?!
-- 'The' Lord and Master Bitman On High, Master Of All
I hear alot of comments saying this would be a good idea, if it weren't for the innocents who would be harmed. Well guess what, Blue Security sends the ISP a notice that they have a spammer site. If they don't remove it (illegal to be hosting them anyways), then they simple have thousands browse the site and drive up the spammers bill. The ISP has every chance to protect its legit customers.
> whiny limp-wristed liberals crying
Oooh, tough guy, huh.
You 'overweight budget busting conservatives' love throwing those talking points around at your low IQ fan base.
Got any real ideas that aren't straight from the 'this is how you think' RNC emails?
Without your buzzwords you last about 5 seconds in a political debate. Just put your fingers in your ears and shout "Lewinski! Lewinski!".
Phony tough guys like the rest of the American fringe right wing.
I, as an ISP admin would kill the account of a user helping DDOS another system and/or block their blue security application from calling home to momma. While I hate spam, I will not tolerate use of system bandwidth to kill another system, or any other illegal act, regardless of their reasoning.
DDOS is an offensive maneuver. Here's an old but interesting article about a more defensive approach to inflict pain on spammers... a "dynamic tarpit" that identifies incoming messages as spam AS THEY ARE RECEIVED and then slows down the socket so the spam takes longer to deliver, consuming less resources at the receiving end and more at the sending end.
The overall theme seems to be "Oh my goodness we shouldnt DDOS spammers", yet we collectively do the same to several sites a day, every day while sipping coffee.
I have no reservations about DDOS against ppl who make a living from annoying ppl with scam/nearly-scam products and messages hiding behind bogus email addresses.
The only PT Boat Journal on the web: http://www.PT171.org
a.k.a. the end of spam.
Use it now with DSPAM, CRM114, SpamProbe, or Popfile. Pretty much anyway you get your mail, you can use language classification based tools to ELIMINATE spam, right now.
-Lod
Hey, maybe one of those obnoxious companies that patents everything could patent spam! Their experience suing everyone else would lend them great success in the fight against spammers!
As much as I'd love DDOS spammers, regardless of whether or not it's legal, this trick doesn't work. Spammers, or anyone for that matter, can abuse this system to DDOS by sending out spam with the URL of their competetors and pretty soon every site on the net's down. On second thought, "doesn't work" might be a poor choice of words.
Your about to enter a fight with another person. You have a knife, and they have a gun. Who will win? Not fair? Well this is what the spammers are doing. They are setting the rules, and we have to use the rules against them. If they take any legal action, then they have to expose themselves and become open to further legal action against them.
"Your having a bad day when the voices in your head put you on hold"
I am in a place where be bounce over 1,000,000 messages a day. Spam is the biggest cance on the internet. I have no problem with "gettin' biblical" on spammers. I think that SPAM is such an extreem plague that not only DDoS em but whip thier ass too.
Would you feel better if we agreed to call it using the Slashdot Effect against spammer.
I don't hate spam for the same reasons most people hate spam. I suspect most people are just annoyed with the deluge of crap that ends up in their inbox. I don't care, it gets filtered out 80% of the time and it takes me about a minute each morning to click the "yes, that's spam too" button in thunderbird.
What *I* hate about spam is the fact that there's so much of it that it accounts for a good measurable percentage of the total traffic on the net. Think about it. Spam is usually small messages, sent to thousands of recipients all over the world. So every bit of spam branches out from the spammers local mail relay and induces a small amount of traffic to a great many parts of the network.
There are lots of spammers. They send lots of spam to lots and lots of people. That makes up a huge collection of packets that have to be routed all over the globe, all day long. I heard a figure somewhere saying it might be as high as 60% of total traffic.
My ping times to various game servers are seldom better than 70ms, and quite often over 100ms. I'm willing to bet that if all that crap weren't being flushed all over the net, the overall latency would drop by a good 20ms.
(Don't get me wrong, I'd rather have a nice T3 and be high enough up to not have the extra latency to begin with... but... I can only hold my breath so long.)
Using DDoS attacks against them would just induce even more garbage onto the network, and make it even slower.
The "right" way to deal with it is to (a) change the SMTP protocol so it requires some form of identification (perhaps a public key signature) -- if I don't recognize the caller-id on my phone, it goes to voicemail, why should email be different?, (b) go back to batch processing of email -- why do you NEED email to get there in 30 seconds, use an IM for real-time. Let mail servers send mail every 4 hours so at least that end can be more efficient. Use compression while you're at it. And (c) make spamming a crime, punishable by firebombing of the offenders house *grin*. If (a) happens, it should be possible to locate the spammer's property and eliminate it. That would remove the incentive for spamming, since all that "hard-earned" money would be lost.
"YES! There is no discussion!" -Lewis Black
I would advocate DDOSing a spammer's life support system if it stops even a small percentage of spams...but I'm a bastard like that.
And what happens when they're sued by the spammers
Pass a federal law that basically says that if a spammer sues someone, they get laughed out of court.
I mean, damn, if your activity is illegal, you shouldn't be able to sue someone who actively or passively prevents you from doing it.
Furthermore, if you try to sue someone who is preventing you from carrying out illegal activities, and the court finds out, not only are you laughed out of court, but you have to pay all related legal / attorney fees for everyone involved.
Create a new kind of DNS RBL, with a very short data lifespan. Any new entries get expired within hours, and the time-to-live is also specified as appropriately short.
Mail servers which receive an inbound connection from a host in the RBL will still accept the message, but do so very slowly... keeping the TCP connection open on the spammer's side for several minutes per message.
This would create a per-message connection overhead on the spamming side, which would consume memory overhead, tie up TCP connections on the spammer's server. On the spam recipient side, the overhead "per message" would be the same, but there would be fewer messages per server and thus fewer tcp connections... so there might be negligible side effects on the receiving side.
The best part is that if you're an individual whose IP has been erroneously added to the RBL, your message still goes through with very little added delay... and you probably wouldn't even perceive any difference.
This would not be considered a "denial of service attack" or really an attack of any kind; yet the effect on the spammer's productivity would be similar to what one tries to achieve with a DDOS, with none of the "Joe job" vulnerabilities inherent in a DDOS implementation.
It'd become very easy to ddos a competitor using spam. Just be sure that the spam advertises something the competitor doesn't offer, because you don't want to accidentally give them increased sales.
I think that DDoS attacks are a very bad idea, both for the infrastructure of the internet, for innocent bystanders, and for the slippery slope it is. A better solution would be to replace email with something reasonable. For example, digitally sign your email address (public key on the email server) to ensure that it is from you. Another thing is have the sender do a puzzle/calculation, say 10 - 100 ms per email (subject to a whitelist), else the message gets dropped.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
The slippery slope argument is for people who don't know how to draw the line at the end of what they're okay with. DDOS away.
If someone is beating me up, I would strongly prefer that the police come and drag him away. If the police ignore the situation, self-defense is justified. I think the analogy is relevant. YMMV.
There is always a catch: vigilante justice is never the most exact form of justice. Obviously you could end up DDOSing a zombie machine, or a hosting company, and end up shutting them down due to their direct, or indirect, contact with the spammer. Also, it opens the question that seems to be often brought up here -- when is this justifiable? What constitutes something somebody has done that is 'wrong' and 'needs to be stopped?' What happens to the next guy that comes along that nobody likes?
Let's look at is this way -- vigilante justice should not be something that is just strewn about randomly. Spammers are a real problem, and if you think that us DDOSing them is any worse than massive spewing of advertisement e-mail and clogging up anybody and everybody's e-mail... guess again. A DDOS is not the best solution, but is about the only option, and still better than what they do to us.
we could make a thunderbird/evolution/etc plugin that automatically wgets all the links in a message flagged as junk a few times. if enough people decide the email is unwanted, the problem takes care of itself. this is a bit of an added safeguard because its sort of a vote rather than one person or company deciding what is spam and what is not.
eBayDig 1s a typo saerch engien
You're partially right. The government has no business regulating spam. However, I like to picket things I don't care for. That's what I consider this to be.
110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
There is no law on the internet. Some countries punish spammers via the law but this only works for spammers within the borders of those countries, or reciprocating countries, and only if the spammer is actually caught. Crime prevention on the internet has been a laughable exercise in futility from the get-go regardless of the 'high-profile' cases touted about as a bizarre metric of success.
You're dealing with a system that really doesn't give a shit what the law is in any one country, or any one group of countries. And since only the insane among us want a world government, that leaves with the question of what to do when law enforcement is essentially ineffective. Which it has been, and will be, no matter what laws the U.S. decides to pass or what the penalties are. U.S. law, after all, stops at U.S. borders.
So long as there are countries that'll host spammers there'll be mountains of spam to contend with.
If the law can't control the problem, what does that leave you? Seems to me that vigilantism doesn't sound so bad when the alternative is "bend over and grab your ankles".
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
I know most of you are too young to remember the old days of the Internet but before DDOSing was illegal this was the method to stop spammers. That and brute force attacks aginst their servers. If you where a spammer then you were an open target.
This worked too. Spam increased only after the laws pretaining to network attacks came into effect.
I I guess that if someone breaks into your house watches your TV and eats all your food this is ok as long as they don't carry anything out. Still your left with the electric bill for running the TV and now you also have another mouth to feed. Guess your made of money. Well I am not and if you break in here you will be dealt with accordly and I will call the Cops only to come and carry away your corpse.
So if you stick your hand in my pocket to take my money and I cut off your hand am I the bad guy for cutting you? If you hadn't put your hand in my pocket in the first place I would have never hurt you. This is the same thing spammers stick their hands in my pocket everytime they send their shit. So if I cut off their hand by DDOSing them am I wrong? Personally I don't think so.
Remember THEY contacted me first.
The laws are no good. Ever called the FTC about this? Even being a ISP they will not presue your case. Their only answer is send us an email. Even when you have a mountian of evidence against them. Laws aren;t worth the paper it is written on if they are not enforced and the CAN-SPAM Act is just an illusion to appear that the goverment is doing something about it.
OK guys you can flame me now....
In order to DDOS systems successfully, you have to have software installed on a large number of "zombie" systems to make it work. Otherwise it is hardly a DDOS. Under what justification do they want to use my bandwidth to carry out such an attack? Is this going to be an "opt in to DDOS the bad guys" sort of issue, or what else? More likely I could see the client being distributed the way adware or spyware is distributed today. Because we know the good guys wouldn't go out and compromise other systems to recruit zombies to fight the bad guys, right?
Now a large company with many network access points could conceivably DDOS someone all by themselves. But smaller firms cannot do this. So why would we want to give large firms (Microsoft) and large cartels (MPAA, RIAA) this sort of privilege?
BTW, I am not sure that what they do is really a classical DDOS system. And if it is not, it would be trivial to deal with. Thousands of requests a day? 100,000 syn packets use up how much bandwidth? And if these originate from a small block of IP addresses they could easily be blocked by a simple firewall. If it really is a classic DDOS attack originating from a wide range of IP addresses, that might be different.
Even if you specify an incorrect source address as part of a syn flood, I would think that there would likely be sufficient ways to detect and deal with this too (tracking by IP seqence number might be a possibility), so these guys are just out there to stir a pot of controversy.
LedgerSMB: Open source Accounting/ERP
That will merely 1mpr0ve the s1ze of their ordering system!
;)
maybe we should market such spam to spammers....
One thing I cannot get is why people (good people, BTW), that are willing to actively protect their rights and other people's rights in their "real" lives (rather than cyber-lives) are so passive and self righteous when it comes to Net etiquette. Sure, this initiative may fail and it may just not work, but it's a step in the right direction. Reading what some people wrote makes me wonder if any any of them actually read what these guys have to say. Seems to me they thought it through rather nicely. Take a look at their site and blog and see they try to have the right safeguards in place making sure no Joe Jobs or mistakes take place. I, for one, will give it a chance. Eric
I thought everyone was of the opinion that we should be publically humiliating spammers, and then proceeding to torture them to death, very very slowly. When did this change? DDOSing them sounds a bit wussy.
should we DDOS spammers? Absolutely! If they get a taste of their own medicine, maybe they will know how it feels to be on the receiving end. Sure, fill up their inbox so they can't use it, maybe then they will understand how their victims feel.
How 'bout people just stop buying from them? Well, Pink Floyd re-united for Live8, so this might happen too, right? ;-)
The Blue Frog scheme is not a DDOS attack. It is not flooding a server with repetitive requests with the aim of taking the system down. It is simply making it achievable for the spam recipient to safely post unsubscribe requests. If you think that is a DDOS attack you don't understand the distinction, you are a fool and probably a spammer ;)
The situation you are likening things to probably doesn't work as you suspect.
Do you think the West was tamed by vigilante gangs, citizen lynchings, and the like? Do you believe this is what civilized the West?
Or rather, was it the coming of the railroad, the influx of honest people, the extension of the hands of law enforcement, the implementation of new laws and their enforcement, etc.
I submit that the Wild West was a place of murderers, vigilante gangs (murderers), hired guns (ditto), the precursor of the corporate army (likewise sometimes), and citizens who were sometimes willing to backshoot a dangerous stranger or lynch him without due process.
Now, all I'm getting at is reverting to the same type of action as the spammers is sort of like admitting you can't come up with anything better, more civilized, or more effective. That smacks of giving up, of throwing up your hands and saying "we can't beat 'em, better join 'em".
There are any number of existent laws and if the agencies that enforced them were a bit better funded and there was better international cooperation, we'd see a fairly marked decrease in some of this sort of traffic. Fighting spam is as much an international diplomatic/legal/bureaucratic issue as it is a technical one.
I mean, think of it in another way. You've got a dark room and you have a door onto it. You know the dark room has some nasty critters in it, and one might wander into your lighted door and try to eat you. I don't think the solution is releasing alternate strains of nasty critter. That's just magnifying the problem. Instead, you'd put a door on with a peep hole, you'd install a mantrap or two, and you might find out which other room is popping monsters out and send a group of people to that room to speak with them about it.
I figure we can win this war another way, we just have to decide to spend the money and put it as a priority for our law makers, law enforcers, and budget allocators for same. And of course, arm-twist some offshore havens into rethinking their policies.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Next time you receive junk mail, open it and look carefully for a reply envelope that says "Postage pre-paid...permit #(whatever number)". What this means is you don't need a stamp to send this envelope to the business on the front of the reply envelope.
Now that you have this reply envelope, stuff it with as much other junk mail you obtained during the week to cause it to be overweight (over 3.3 oz) possibly requiring a premium. Ok, you're thinking "wtf am I wasting my time doing this for?". Here's why:
If that envelope gets sent, the business sending that junk mail gets charged for a reply envelope and its contents being mailed back to them. If you don't send it and throw it away (what they hope you do with it if you don't "sign up" with their service/card/etc), they don't get charged. Simple enough. The business will likely also have to pay for that premium weight since the letter is overweight, though not always.
You're sending them an envelope that they supplied to you with other junk mail (which is, basically, what they sent you - junk). You're not breaking the law.
Though this doesn't stop junk mail, but rather eventually, it might stop them from including bulk postage pre-paid envelopes with their crap. In the mean time, it's gratifying to know that they're paying anywhere from $0.27 to $0.33 per envelope they receive back with (you guessed it), mail that they don't want on top of paying that much just to get it to you in the first place! I don't just hate spam in my email box, I don't like it in my snail mail box either. Spam is spam.
Oh the irony...anyways, it would be nice to apply this to email spam, but is much more difficult as email address spoofing is rampant while the URLs they want to to visit are normally legit. The article's method simply won't work, but a little script to reload the spammer's web site they sent you every 5 or 10 seconds would be enough to hopefully annoy them. 5 or 10 seconds isn't a DDoS to me - hey, I wouldn't want to miss any brand new deals on CAALlS, \/ALUUM, \/llGRA, XANA, L0RAAZEPAM, etc.
BTW - thanks eBay/paypal for allowing my email address to be handed over to spammers, you fucking cock knockers.
Content Management System: A pretentious way of saying "text editor."
If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?
That's a pretty bad generalization.
A better one is "if it's OK in this instance, is it OK to DDOS the next guy who does something that violates the law?"
Beware: In C++, your friends can see your privates!
Could an unofficial policy be instituted whereby people decided to respond (unsubscribe, visit websites, etc) to any spam messages they recieved (or think they recieved as spam) since the previous day at the same time (say 9:00 GMT)? That way a person would only respond to the individual e-mails that he or she has recieved, but if many e-mails were sent out, the sender might have to deal with many responses at the same. I guess it's kind of like the voting something as spam or not format but in a more proactive way. Spammers may just start rejecting responses from 9-9:30 in this example, but a least it puts a dent into things. I don't think it would count as a DDoS attack since you're not asking people to all go to one site at the same time, but just do what they were going to do with spam e-mails all at the same time.
I am fence sitting on this one. I joined the site and downloaded the blue frog client and may use it if only because my one computer isn't enough to make any difference in internet traffic by itself anyway. In this kind of war no one soldier makes much of a difference to the outcome.
However I am concerned about starting a large scale netwar with the spammers, effectively shutting down the internet. This is essentially what happened for me locally during the whole makelovenotspam fiasco. The spammers faught back with everything they had. It was not pretty. Also, as a rabid e-pirate complete with parrot and eye patch, I am concerned that the war could be an excuse for RIAA/MPAA sponsored attacks as well. The fact is that the internet is a very fragile system which can be easily broken. Some people are arguing that maybe it should be until our governments are willing to pass enforceable spam laws with actual teeth. But I'm not so sure I'd be willing to go that far.
I think a better long term system would be to get large groups of people to join an anti-spam organization which would accept donations and membership dues or whatever to fight against companies that advertise with spam in the real world. Something like a shady, vigilante, version of the EFF. The idea would be to hurt and put out of business companies that advertise with spam as much as possible. Moebius faxes, war dialing of 800 numbers, junk mail attacks, publishing of personal contact information for everyone in management positions including cellphone numbers, email and snail mail addresses. Maybe even opportunistic vandalism in a car-keying, sugar in the gas tank, potato in the tailpipe, spray-painting "spam sucks" onto windshields, kind of way. Presumably a professional organization could come up with even more nuisance ideas. Maybe a freesite could keep track of the exploits.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
Basically, usera@server1.com sends a message to userb@server2.com. server1.com keeps a record of that outgoing message (with some sort of hash). Once server2.com receives the message they create the hash and send it back to server1.com. If the message was originated by server1.com then a confirmation is sent back. When a message NDR's the hash is removed from server1.com.
This solution is fairly processor intensive since you'd have to create a lot of hashes, but I'm not sure how much stress that would create for legitimate mail. If the recepient and sender are tied into the hashing it would make sending out mass mails much more processor intensive.
or other more worthy causes.
Who gets to decide what is 'worthy'? I don't think it's really the concentrated attacks against spamvertisers that will clog the internet pipes. I think it will be the combination of that and the inevitable retaliations. It happened with makelovenotspam and from their perspective it must have seemed a very effective defense. It will only encourage them for the next skirmish. Although I don't think the retaliations would last long. If it didn't have the anticipated effect of shutting down the blue frog client, I'd give them no more than a month before they grew tired of it.
Quite an experience to live in fear, isn't it? That's what it is to be a slave.
Submitting thousands of requests to a website... *clicks link from slashdot* Oh they've been slashdotted...
As far as I can tell, when over 50% of the percentage of email sent is spam, the gloves are off. It is costing billions of dollars to businesses that have to deal with all this spam. I don't want anyone inicent to get hurt, but surely you can track down the ones who sent you spam?
If someone innocent is used to send spam, at least a DDOS will make them aware of that their email-server is being abused?
I'm tired of spam, and I can't say that I care whatsoever for the spammers or those who are used by the spammers to spam. Anyone who owns a machine that has been hijacked is responsible for that computer's low security, and thus deserves to pay for inflicting damage to other people on the internet.
Further, since there really isn't any other good solutions to spam, I kinda feel that this is an efficient way to cripple those spam-bastards.
When I get snail mail with a postage return envelope, I fold all the brochures, pamphlets, certificates of approval, etc. that they sent me, and shove them all into the return envelope along with a request to remove my name from their mailing list. That way, they pay to send the junk to me, and they pay to get the "no sale" back. They may also have to pay extra for the bulky envelope.
"I'm not impatient. I just hate waiting." - My Dad
"Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees?"
The way? No. A way? Yes. The best way? Probably not. Will it work? Probably so. It is, after all, what they're doing. To work it just needs to be done better.
"If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?"
It's not OK. Lots of workable solutions that are adopted are not OK. OK or not, it's being done all the time. So the good guys get less good by adopting some of the bad guys' tactics to make the bad guys stop bothering the good guys. And thereby the definitions of good and bad get mixed muddied and found to be subjective, as if they weren't all along. Welcome to life on Earth.
"What we need are a few good old fashioned hangings." -- FTC Commissioner Orson Swindell at the 2003 FTC Spam Conference
1985 called. You're never, ever going to get your "good until proven otherwise", "all viewpoints tolerated", "we have to prove we're above all that" internet back.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
Remember the Boondock Saints.
I think the real problem is the ISPs. Internet service providers have these spammers as customers. Not only the spammers themselves but also the companies they spam for. There is no law that says you have to take a customer. It would be cheaper to not take these customers and save their bandwith.
DDOS attacking is not the answer; taking their network connection is!
MidnightBSD: The BSD for Everyone
This kind of vigilantism is custom made for spammers to use to attack those they hate. There is no way to tell, from the spam, if the site they advertise is their own, or that of someone they wish to hurt. Go google on the term "joe job" for more details.
Stop being part of the problem.
Stop helping spammers.
I have read somewhere that they are going to let UN(United Nation) to control the top domain. How about have them fight the spammer as well? since the US law doesn't affect the spammers from other country.
-=-=-=-=-=-=-=-=-=-=-=-=-=- If picture worth a thousand words, how many megapixels is it? -=-=-=-=-=-=-=-=-=-=-=-=-=-
what concerns me is that if this becomes an acceptable practice that we have say 10,000 machines hitting one IP, another 10,000 hitting another, then more and more and more PCs are flooding and the next thing you know everythings halted on the net and NO ONE can use the net. the joyz that would bring.
Turn your back on spam. Use the best protection you can, hit delete, change emails once in a while, don't post your primary to suspicious sites or public places. It's pretty each. I don't get a lot of spam.
;))
It's a lot like weather, if you just live with it it's not that bad. I used to get all freaked out about those profiteering on the internet, because I was around a little before it really got commercial (when Mosaic came out and playboy.com started
It's symptomatic of our society--we're a marketing based economy. Almost everyone already has most of what they NEED here in America (food, shelter, medicine, etc.) therefore it's necessary to TEMPT us with things we just WANT and the essence of marketing is WANT. Need doesn't require extensive marketing to match up potential customers, they come looking for you.
Turn your back on spam and all marketing, don't buy into it if you want it to go away. But you should know just by looking at your friends and relatives that it's not going to go away. Everyone buys something because of a brand name or something like that. Nike shoes, Pepsi Cola, pft. We are all part of the problem so we can't really complain.
However, what I didn't like especially about your post was the comment about getting "lawmakers" involved. Ahem, what you are saying is taking the greatest invention furthering freedom of expression and thought and speech since the printing press and REGULATING it because you don't want to delete a few emails?! The price you pay for freedom is high isn't. You poor thing, having to suffer for like 2 or 3 minutes a day sorting through your email.
WE CAN'T WIN THIS WAR. Just like we can't "WIN" the "War on Fear" as I like to call the current stance of the U.S. Law Enforcement/Miltary/Political triumverate. This isn't a war on "Spam", this is a war on "Annoyance." You might as well start writing letters to your congressperson so maybe they can make it illegal for people to talk on a cell phone in a public place or, how about this, have a dog that barks or a rice burner with a loud stereo.
That's all annoying stuff but guess what, WE PUT UP WITH IT. We're ADULTS and it's just a part of life. If you let every little nitpicking thing get to you then you will die a nervous wreck!
Spam, as I see it, is just an annoyance.
What I DON'T like is Spyware. THAT'S a legitimate thing to declare war on. It invades your computer, sends your private information to others, makes a computer unusable, sends your web browser to it's own pages. That's an INVASION.
Annoyances, well.. I can live with those.
Please don't get the law involved with annoyances. Or next thing you know, they'll take your dog away. Then your computer, so you can't annoy me with your silly wars.
Cool! Amazing Toys.
DDOS-ing the spammer?
just like responding the terrorism with war.
this discussion has been debated since long..
In the immortal words of Booger:
"I say we blow their fucking houses up"
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
is participating in a DDOS attack the way to bring spammers to their knees?
No, but a chainsaw to the legs sure will.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Yeah, I mean, we got away with going into Iraq.
In most European countries, spam is directly illegal. Before sending spam, the user must opt-in.
And the spammers are also stealing ressources. Whenever I set up a honeypot, spammers think they send 100.000+ e-mails through it per day. It takes less than a week to get that amount of spam.
Since the USA does not protect freedom of our mailboxes, but only freedom of commercial interests over the freedom of its people, we have to fight back.
IMHO, USA should think less about supporting people that often defrauds other people, and make spam illegal. Use the Air Force for what it does best. Take out the spammers surgically.
Oneday I was sitting at the console of my gateway pouring over the logs. I noticed that the requests for port 25 was unusually high. Mostly resolving to .cn. Anyhow I banged out this one liner and let it run for a few hours, and had tcpdump keep track of everything from another upstram box.
/dev/random | nc -l -p 25
(not verbatim, but you get the point)
# cat
Entertainment soon ensued as they threw every script they had at the box trying to figure out WTF it was.
Yes, spam is annoying, but so is life, and so is going to work every day. I would rather get paid for deleting spam than for actually being productive. In fact, when I'm at work and don't feel like doing anything, I check my email and delete spam for relaxation. I should have gone into the spam business years ago. Then I would have been able to make money working for myself and bringing joy to others. Oh well, another missed opportunity.
Here's the problem...
Most if not all spamvertised websites aren't actually sending the spam. These lowlifes buy into "master spammer" systems that hold and send spam to valid email accounts. These "master spammers" don't share their recipient lists with "customers". In my case, the spammer doesn't even seem to share his list with other "master spammers". I've been getting precisely 28 spams a day (no more, no less) for the past two years since he/she has gotten hold of my address.
How can BlueSecurity effectively have email accounts removed from spammer lists by attacking spamvertised sites when these people have no control over them?
I think I see one method that could be used to filter out your entries.
Got a spam once that included a mobile phone number. Rang it to verify that it did indeed belong to the sender of the spam. Now our local health insurer has a handy service that will send you daily text alerts to remind you to take your contraceptive pill. Pity the earliest you can sign up for your daily reminder is 6am...
Er... excuse me? I never said I didn't condone vigilantism. I said I didn't condone this kind of action, which would likely have tens of thousands of uninformed individuals attacking a target they knew nothing about. The question was "Should we DDOS Spammers?" So, I fail to see how my giving reasons about why we should not, thereby taking a "no" position is in any way invalid, or without value. I can't condone a bunch of people randomly DDOSing people who are allegedly spammers. However, I would condone such activity if there was a method for controlling it, and preventing abuse and false positives.
I wasn't trying to "be right". I thought I made it clear at the beginning of my statement that I personally go after spammers in my spare time. I *do* condone some sorts of vigilantism when it's clear that it's necessary. In this case, come up with a method for ensuring that the DDOS is not directed at an innocent, and I'm all for it. I did something similar to a spammer's phone system once, with the blessings of both the Berkeley and Los Angeles Police Departments. I don't see a problem when one does one's proper homework. But by default, the question here doesn't involve a few concerned citizens who will do their due diligence. It must, by nature, either involve massive numbers of the "me too" crowd, or a few individuals who will take over thousands of machines. The only exception would be something like the Lycos product. But even then, who makes sure Lycos is doing the right thing? It's much more likely that a centralized authority would be more careful than the average spamavenger, but it's still a dangerous precedent.
Show me a way to do this safely, without paving the way for massive abuse of the system, and I'm all for it. But what prevents this system from being turned on someone who's server becomes compromised without his/her knowledge? (Don't give me any crap about "they should have secured their server." There's always a new exploit, and most good admins know that there's no such thing as 100%. Education solves *that* kind of issue, not blindly attacking them.) Even worse, what prevents someone with a bone to pick (as most activists do) from attacking someone who might or might not deserve it, but that the individual targetting the attack decides needs to serve as an example? Let me put it another way: Would you be okay with the idea of a law being passed allowing any cop who decides that someone is guilty to beat the truth out of them? Obviously, the potential for disastrous abuses are tremendous. Unless there's a method for controlling that abuse... no, I can't condone it. I've been to countries where these kinds of protections just don't exist, and every time I return, I feel grateful. I realize that, despite the many problems cropping up, the massive powers being handed over to various federal and local authorities, and the many other things that I consider to be making a farce of our supposed "freedoms", I still love my country, and know that I'm better off here than almost anywhere else.
Allow me to re-explain my position: I think some types of vigilantism is a VERY necessary thing. I personally tend to get involved in situations that would otherwise result in the severe injury of other people, were I not present. Four days ago I stopped a psychologically unbalanced individual from attacking a few elderly people in a hospital, while I was filling a prescription. If not for vigilantism, I would not have survived my childhood. But it's an interesting word, "vigilantism". It doesn't just mean one who ta
*cough*slashdot*cough*
Seriously, the only difference here is intent. Slashdoters doen't intend (usually) to DDOS a site. They intend to look at it.
By "We are just trying to slow these sites down so much the spammers can't earn money" he means 'we are trying to unsubscribe as many people as possible as fast as possible'.... honest... that's what he means. Even if it isn't what he means, it's a damn good excuse.
All he needs to do is cover the actions 'intent' and get away with it.
Just spoof an email from the spammer to the "Letters to the Editor" in the NYT criticising the Scientologists.... that spammer'll be slapsuited into oblivion.
-- Howto: Get +5 (1) Whine about M$ (2) Namedrop Gentoo (3) Casually Abuse Mods (4) Namedrop Early Computer Model
You're right of course, but I don't think anyone is seriously claiming that going after spammers like this is the ideal or correct solution or that it's "in the public's best interest" as you say.
The difference seems to be that some people say all defensive action is wrong and shouldn't be done and other people are saying that it's too bad it has past the point for reasonable action, so get ready for the counterattack.
Sorry if it sounded like too personal of an attack.
These master spammers must have a pretty good link to their customers after all. I just started trying the blue frog thing out, and sent all of my saved up old spam to the honepots. I typically get 30+ per day. I have had nothing for 3 days. I think it's working!
(If at first you don't succeed, do it different next time!)