Slashdot Mirror
SpamSlayer - should we DDOS spammers?
pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them.
Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?
"
From TFA:Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?
Also from TFA:That's what I thought...what does Blue Security have to say in their defense?
Again from TFA:Sorry, Reshef, but what you are describing is a textbook example of a DDOS attack. Whether the site in question is actully shut down, or merely incapacitated, is beside the point.
This whole caper is a non-starter, especially so since a precedent for this sort of thing has already been established by Lycos Europe.
____
~ |rip/\/\aster /\/\onkey
Wouldn't it just be easier to slashdot a site owned by a spammer company?
I'm sorry, acting just like a criminal for revenge purposes, no matter how satisfying, is wrong. It just brings you down to their level.
All it'll take is one spammer to file a lawsuit against these guys to stop them dead in their tracks.
A couple of guys told everyone on Usenet about their latest green card scheme.
Should we bomb them into oblivion?
Or should we listen to the voice of reason and tolerate this behavior as a necessary evil, integral to the total freedom of the global Internet?
Sometimes I think we chose wrong.
We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
-- Thou hast strayed far from the path of the Avatar.
Sorry, but I can't feel bad for spammers (or sites that support them) who get DDoS'ed. They make their $ by annoying millions in the hopes that hundreds will be gullible enough to buy their crap. What goes around comes around... and I fully support the use of DDoS attacks against these loosers.
Furthermore.. the repeated HTTP requets should include in their USER_AGENT header the following so it shows up in the logs ("LOOKS_LIKE_YOUR_WEB_SERVER_NEEDS_SOME_V1aGrA")
When you start trusting someone else to tell you who's spamming and who isn't, you invite them to abuse that power; what guarantees do you have that Blue Security will never go to a legitimate site owner, and threaten to tell SpamSlayer users that the legitimate site is spamvertised unless Blue Security receive enough money?
I appear to have a blog. Odd.
This beggs me to ask, do twon wrongs make a right?
I don't know, but if two wrongs do make a right then your above sentence contains no spelling errors whatsover.
...because it's illegal to castrate them.
Weaselmancer
rediculous.
If you catch someone in the act of doing harm to you or to someone else, don't wait. Act. Stop the harm being done, or being threatened.
It may be necessary, in the process of stopping the harm, to inflict harm on the attacker. Take care that your response isn't more harmful than that which had been threatened.
Failing to act in that circumstance is at best a reverse tragedy of the commons, in the general case laziness, and at worst is sheer cowardice.
After the fact it becomes mere revenge, which is a waste of time.
sigs, as if you care.
DoS attacks are very effective against phishing sites. Most phishing scams utilize a CGI that e-mails the captured data to an e-mail address somewhere. By using a script which generates random data (see my sig), you can quickly render a phisher's data collection. Several factors can contribute to this. First, the flood of fake data can obscure the data that was captured from actual victims, Secondly, you can overflow the SMTP server that the phisher is using to process the captures. Finally, you may be able to fill the mailbox to which the captured data is being sent, although this is a bit harder with things such as GMail. However, the flood of mail from a single host may trigger sanctions at a free e-mail provider.
As a sidebar, I'm going to be releasing a new version of my anti-phishing tools in the next few days. I've added functionality which generates real-looking names and e-mail addresses and credit card numbers with valid checksums.
Chris
How long before the RIAA gets permission to DDoS file-sharers, or entire P2P networks?
Didn't...this already happen? I can't find an article offhand (Googling mostly gives back results about the RIAA website getting DOSd. I'm not sure of the outcome, but I do know that a few years ago, the RIAA sought amnesty from laws regarding DOS attacks, so that they could DOS "known pirates". I'm not sure if they were ever granted anything relating to this though..but judging by the fact that I can't find anything relating to the subject, I'd guess that nothing ever came of it.
--- What
My mail server got hacked and ( )\/\/ |\| ) by some sleazebag spammer. It ended up sending a bunch of spam that had a URL to click on to "sign up" for their wonderful offer. After recovering and updating the mail server I wrote a quick little program that ran overnight that filled in this web form with garbage, but not random garbage that could be filtered out. To a machine each record looked valid. I ended up inserting over 200k records into their database making it worthless. I did it again a few times when I was able to get an IP address that didn't get blocked at the server.
Was it right? Probably not. Did it feel good, HELL YES.
Blue Frog clients do not arbitrarily perform DDoS on spam sites. They complain about specific spam messages received in mailboxes belonging to our users. Our users exercise their right to complain about the spam they receive. They are merely responding to invitations to the spammer's website.
The Blue Frog enters the site and sends a complaint just as a user would do manually. It does not consume more resources from the site or from its ISP than a user could do manually. Many users have tried sending complaint to spammers at some point requesting to unsubscribe. We merely allow the users to do it in a safe and automated manner.
Our goal is to force spammers to comply with the Do-Not-Intrude Registry - to clean out our users' addresses from their mailing lists. When they do so, they will not receive even one single complaint from community members.
We perform thorough manual (human) validation on the spam messages we act upon, to prevent Joe Jobs and to make sure we minimize any possible impact on third parties.
Guy Rosen
Blue Security, Director of Operations
http://www.bluesecurity.com/
There's another name for this sort of activity: "Lynching" There's a good reason why one isn't supposed to take the law into one's own hands. It's because, however noble your intentions, there are no checks or balances on your actions; no safeties or limits.
I HATE spammers. When I'm bored, I shut them down by tracking relevant data about them, and reporting them to their hosts and domain registrars. But who decides who the next "spammer" is? When I get spammed, even that isn't strong enough evidence for me. My next step is to ensure that it isn't an isolated incident, and so I go search the web to see if they've been added to a database/blacklist, or are on any of a number of spammer watchlists. Once I've got enough evidence to be able to convince a host/registrar, as well as myself, THEN I take action. But... how many vigilantes would take these extra steps? How many would simply go along with the crowd? "Hey! It's a spammer! GET HIM!!!"
As much as I hate what spammers do, I simply can't condone this kind of action, without some kind of safety net for false positives. We're seeing something of a double standard here. What if, instead of discussing actions against "spammers", we were discussing actions against "terrorists"? Biometric tracking? Millimeter wave scanners? RealID? We've all seen how many people get strip-searched, end up on no-fly lists, get arrested for not having the right paperwork or IDs, and have any number of other civil rights violated. We're constantly demanding that we have some sort of guarantee that we're not going to end up flagging the wrong individuals. I agree wholeheartedly; we'd damn well better ensure we're flagging the right people, or the system is pointless, and the "terrorists" will end up laughing all the way back to the compound. So... where's our safety net here, folks?
If we could legitimately do something like this, there wouldn't be a need for it, because it would mean the authorities would already be doing so. What happens on the day someone decides that Bob's Direct Mail service is "close enough" to spam, and we should start targeting them? How about Bob's Direct Mail Order? Bob's Direct Shipping? Bob's Joint? Who decides the next target? What if it's just a personal vendetta, and isn't even accurate? What happens when 20,000 people take that person's word for it, without doing any of their own research?
Yes, something needs to be done about the spammers, but this sets a dangerous precident. What's the solution? Hell if I know, though I suspect it's a combination of legislation and education. I just know that this has enough problems to have been condemned by almost everyone here, if it had come from the opposite direction.