Slashdot Mirror
SpamSlayer - should we DDOS spammers?
pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them.
Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?
"
From TFA:Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?
Also from TFA:That's what I thought...what does Blue Security have to say in their defense?
Again from TFA:Sorry, Reshef, but what you are describing is a textbook example of a DDOS attack. Whether the site in question is actully shut down, or merely incapacitated, is beside the point.
This whole caper is a non-starter, especially so since a precedent for this sort of thing has already been established by Lycos Europe.
____
~ |rip/\/\aster /\/\onkey
For those who complain that ISPs end up footing the bill because the spammers don't pay, well, I guess they'll need to be more careful about vetting their customers next time. As if there are any really "innocent" ISPs hosting Internet "pharmacies" or "Rolex" dealers.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
I'm sorry, acting just like a criminal for revenge purposes, no matter how satisfying, is wrong. It just brings you down to their level.
What if only once a bad guy manages to blame someone innocent who get's DDoSed? Should we hazard the consequences?
I don't suffer from insanity, I enjoy every minute of it.
If you shoot me and take my wallet, you are a murderer and a thief.
If I shoot you before you do so, being reasonably certain that you intend to shoot me and take my wallet, I have acted in self defense, and there is no crime.
Not really a one-for-one analogy, but it does illustrate that shooting someone does have different consequences depending on the situation and purpose.
Is it just my observation, or are there way too many stupid people in the world?
Why are they doing this, when they could put their energy into tracking the spammers so they can be prosecuted.
Only sending spammers to jail AND taking away ALL their assets (cash/cars/houses) is going to deter them.
Instead of unsubscribing thousands of emails, how about subscribing thousands of fake emails ... which in turn would lower their return ratio and might even result in fail delivery messages, using up more resources.
-Rick
Spam wouldn't be a problem if people didn't actually click on the links. I've seen studies somewhere about the return rate on spam. While it is quite low, it's still high enough to make it worth their while.
Maybe we should establish a site that lists all the companies that support spam, and then boycott them. We could even have a plugin in firefox that would warn or block a site that was known to have used spam.
Since when did operating systems become a religion?
-- Thou hast strayed far from the path of the Avatar.
When you start trusting someone else to tell you who's spamming and who isn't, you invite them to abuse that power; what guarantees do you have that Blue Security will never go to a legitimate site owner, and threaten to tell SpamSlayer users that the legitimate site is spamvertised unless Blue Security receive enough money?
I appear to have a blog. Odd.
Something everyone should remember is that unless you are directly connected to the spammer's LAN, you aren't sending packets to him directly. Every packet you send out travels many hops. Your ISP and everyone in between have to use resources to forward that packet.
I don't know about everyone else but I don't want my cable connection bogged down just because my neighbor feels like being an activist. Let's let the legal system do its job and use distributed computing for protein folding or other more worthy causes.
And when the "necessary evil" is more than half the email traffic on the net and starting to drown out the things we are supposed to be gaining by putting up with this necessary evil? The moral of the tragedy of the commons is that nobody wins.
Two wrongs not making a right and all that... we know the drill. But it is undeniably wrong that spammers do what spammers do. With that in mind, we can either (a) wait until they see the error of their ways, (b) wait until sufficient legislation is enabled that will actually work or (c) do something about it ourselves.
A and B aren't working. C, at present, is the only answer we have available to us.
I want to say for the "record" (whatever that means) that marketing through email is okay with me so long as people WANT to recieve it. If someone out there WANTS to buy some descrete penis pills or any other "plain brown wrapper" item that's fine with me. And let there be a means for them to subscribe to the stuff. The key is Opt-in explicitly and without any tricks or gimicks and more significantly, an "instant off" function that will not require 4-6 weeks to update their databases (which is utter horse shit). Okay I said it... now let's move on.
We do everything we can to block these people. They do everything they can to avoid being blocked. Their attempts at evasion is proof positive that they know they are pissing off the world for profit. How many other business models work at public expense for personal gain? In effort to prevent at-large vigilante-ism, where should the line be drawn? As much as I'd like to pull over and beat the crap out of people with ridiculously loud stereos playing in their cars, it's wrong (and dangerous) to do.
I'm at a loss for what we should do about the problem. These people are essentially polluting the internet and it needs to stop. But how?
This is just another form of spamming. Anyone who generates unnecessary network traffic is a menace to the Internet.
Policing the Internet and making it an unwelcoming place for spammers is not "unnecessary." It's necessary if e-mail is to remain a viable, cost-effective means of communication.
Spammers love the kind of prissy-assed, holier-than-thou, arguments about ethics that people like you put up every time someone actually tries to combat spam. Bullsh*t. Enough is enough. If two or three months of attacks on a spammer's servers could get him to stop pissing off a million or more people a day, then let the attacks begin! If it makes a Chinese ISP stop writing web hosting contracts for spammers, then let's get going. If you don't have a viable plan to combat the ever-increasing volume of spam, then get out of the way and let those who do take action.
If I were a carrier/backbone level provider, I certainly wouldn't want all this extra garbage traffic on my network.
I'm sure the rest of the network doesn't appreciate the potential increase in latency and packet loss these attacks can result in, either.
DDoS attacks are never a solution to a problem. They may hurt the target, but at the cost of wasted bandwidth for everyone else using the paths to that target.
Let's not start down this path. Please.
-Z
OMG i just got spammed from bluesecurity.com! We better rush out and DDOS them.
Seriously, what's to stop a spammer from sending spam on behalf of a competitor, and laughing while BlueSecurity shuts down their website?
And who decides what is spam? BlueSecurity employees? A poll of users? A 13 yr old who scripts a bunch of canned messages to "BS" and says Microsoft spammed him?
Spam is Evil, but so is fighting spam *with* Evil.
-David
There's another name for this sort of activity: "Lynching" There's a good reason why one isn't supposed to take the law into one's own hands. It's because, however noble your intentions, there are no checks or balances on your actions; no safeties or limits.
I HATE spammers. When I'm bored, I shut them down by tracking relevant data about them, and reporting them to their hosts and domain registrars. But who decides who the next "spammer" is? When I get spammed, even that isn't strong enough evidence for me. My next step is to ensure that it isn't an isolated incident, and so I go search the web to see if they've been added to a database/blacklist, or are on any of a number of spammer watchlists. Once I've got enough evidence to be able to convince a host/registrar, as well as myself, THEN I take action. But... how many vigilantes would take these extra steps? How many would simply go along with the crowd? "Hey! It's a spammer! GET HIM!!!"
As much as I hate what spammers do, I simply can't condone this kind of action, without some kind of safety net for false positives. We're seeing something of a double standard here. What if, instead of discussing actions against "spammers", we were discussing actions against "terrorists"? Biometric tracking? Millimeter wave scanners? RealID? We've all seen how many people get strip-searched, end up on no-fly lists, get arrested for not having the right paperwork or IDs, and have any number of other civil rights violated. We're constantly demanding that we have some sort of guarantee that we're not going to end up flagging the wrong individuals. I agree wholeheartedly; we'd damn well better ensure we're flagging the right people, or the system is pointless, and the "terrorists" will end up laughing all the way back to the compound. So... where's our safety net here, folks?
If we could legitimately do something like this, there wouldn't be a need for it, because it would mean the authorities would already be doing so. What happens on the day someone decides that Bob's Direct Mail service is "close enough" to spam, and we should start targeting them? How about Bob's Direct Mail Order? Bob's Direct Shipping? Bob's Joint? Who decides the next target? What if it's just a personal vendetta, and isn't even accurate? What happens when 20,000 people take that person's word for it, without doing any of their own research?
Yes, something needs to be done about the spammers, but this sets a dangerous precident. What's the solution? Hell if I know, though I suspect it's a combination of legislation and education. I just know that this has enough problems to have been condemned by almost everyone here, if it had come from the opposite direction.
Is going to the DMV and waiting on line a DDOS? no, it is following the procedure as it has been recommended by the provider.
Before you can ask if using the function is a denial of service answser this question: Is sending spam a denial of service attack? I have had to cancel email accounts because of all the spam. Did the spammers attack me? Did they deny me access to my email by raising the noise to signal ratio to the point that I could not use it anymore? I certainly feel that they did.
Now, the only reason that the spammers would have a technical issue is if they were not prepared for all the cancellation requests that come through. In that sense it is like a slashdotting. When a site gets slashdotted we laugh and say the site should have been on a better server, with more bandwidth, etc, etc. So...if the spammer cannot handle the cancellation requests maybe it's his fault. Maybe he should have vetted his mailing list and not sent emails to uninterested parties. Maybe 10 year old boys dont need viagra, cheap diabetic supplies, and hot lesbian horse action. Some discretion and discipline in advertising practices could help alleviate this problem.
Fact of the matter is that each spam email out is supposed to offer a chance to cancel the mailings and get off the list. If the spammer cant do that he is in violation of the law. I dont care if he has too many cancellation requests. I dont care if everyone who recieves it cancels.
If they dont want attention then they should not advertise.
The fact that so many people are seriously considering vigilante-oriented solutions to these problems calls attention to the woefully inadequate enforcement resources we have.
I am still dumbfounded as to why ANY of the ~200 (or less) spam-gangs (as documented by Spamhaus) who are responsible for 80% of all spam haven't been taken down? I don't buy the jurisdictional problem excuse -- most of them are in the states and all of us know they can be easily traced. Almost every one of these spammers are engaging in multiple criminal activities, including computer tampering, fraud, copyright infringement, RICO violations, identity theft, ponzi schemes, and more.
The biggest casualty of spam is the theft of bandwidth and network resources. DDOS'ing the spammers, while effective in that it may increase their cost of doing business, compounds the problem.
However, at this point, since the feds seem incapable of doing anything about this, I'm unwilling to write off any approach that might wake them up and get them into action. Our country does have a history demonstrating that civil disobedience can be an effective catalyst when the status quo is ambivalent. With that being said, I wouldn't personally endorse anything of questionable legality, but at the same time, I can't help but respect the role of such tactics in history.
Still, it just boggles me that a few FBI agents haven't done something as simple as toss up a few PCs on a cable connection with a packet sniffer, and begun documenting the propagation of worms and how the spammers are operating. It would take no more than a week to build a solid case against so many of these operations, you could pick-and-choose which perpetrator would be the easiest to prosecute. So why hasn't this been done?
The situation you are likening things to probably doesn't work as you suspect.
Do you think the West was tamed by vigilante gangs, citizen lynchings, and the like? Do you believe this is what civilized the West?
Or rather, was it the coming of the railroad, the influx of honest people, the extension of the hands of law enforcement, the implementation of new laws and their enforcement, etc.
I submit that the Wild West was a place of murderers, vigilante gangs (murderers), hired guns (ditto), the precursor of the corporate army (likewise sometimes), and citizens who were sometimes willing to backshoot a dangerous stranger or lynch him without due process.
Now, all I'm getting at is reverting to the same type of action as the spammers is sort of like admitting you can't come up with anything better, more civilized, or more effective. That smacks of giving up, of throwing up your hands and saying "we can't beat 'em, better join 'em".
There are any number of existent laws and if the agencies that enforced them were a bit better funded and there was better international cooperation, we'd see a fairly marked decrease in some of this sort of traffic. Fighting spam is as much an international diplomatic/legal/bureaucratic issue as it is a technical one.
I mean, think of it in another way. You've got a dark room and you have a door onto it. You know the dark room has some nasty critters in it, and one might wander into your lighted door and try to eat you. I don't think the solution is releasing alternate strains of nasty critter. That's just magnifying the problem. Instead, you'd put a door on with a peep hole, you'd install a mantrap or two, and you might find out which other room is popping monsters out and send a group of people to that room to speak with them about it.
I figure we can win this war another way, we just have to decide to spend the money and put it as a priority for our law makers, law enforcers, and budget allocators for same. And of course, arm-twist some offshore havens into rethinking their policies.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."