Slashdot Mirror

← Back to Stories (view on slashdot.org)

SpamSlayer - should we DDOS spammers?

Posted by ryuzaki0 on from the what-lines-to-cross dept.

pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them. Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like? "

16 of 587 comments (clear)

  1. Sophistry at its finest... by TripMaster+Monkey · · Score: 5, Insightful

    From TFA:
    The influx of tens of thousands of requests exactly at the same time floods the spammers' Web site, causing it to become inoperable.
    Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?

    Also from TFA:
    Launching a distributed denial of service attack is illegal in the U.S. and in most European countries.
    That's what I thought...what does Blue Security have to say in their defense?

    Again from TFA:
    Blue Security's Reshef bristles at the notion that his firm is involved with any type of DDoS attack. "We aren't trying to shut down any Web sites. We are just trying to slow these sites down so much the spammers can't earn money"
    Sorry, Reshef, but what you are describing is a textbook example of a DDOS attack. Whether the site in question is actully shut down, or merely incapacitated, is beside the point.

    This whole caper is a non-starter, especially so since a precedent for this sort of thing has already been established by Lycos Europe.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Sophistry at its finest... by JustinKSU · · Score: 5, Funny

      Isn't there some rule of thumb - never fight evil with evil? This is a vigilante approach which is reserved exclusively for BATMAN

    2. Re:Sophistry at its finest... by shokk · · Score: 5, Funny

      Easy! To get around all these little rules, we'll just hijack a bunch of PCs to our dirty work for us. I'm sure the owners will not mind helping out for a truly noble cause. Then, we'll use servers in countries with questionable laws to control the DDOS. Then, to raise money to help us out in our quest, we'll use these servers to also mail out requests to help us secure our target US$20mil by sending us a paltry US$20k. We've got the spammers beat in will power AND on the moral high ground!

      --
      "Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
    3. Re:Sophistry at its finest... by interiot · · Score: 5, Interesting

      How do you define DDOS? If spammers send millions of emails in a day to AOL, does that constitute a DDOS against AOL? If large ISPs automatically send an unsubscribe response for each spam they get, and the total bandwidth is less than what the spammer originally sent, does that constitute a DDOS? Is it a DDOS if the large ISP's intent in doing this is to shut the spammer down?

    4. Re:Sophistry at its finest... by Tinik · · Score: 5, Insightful

      Vigilatism may seem like a good idea at the time, but always leads to problems in the long run. It's better to work through proper channels to resolve these problems. If the proper channels can't resolve the problem, then work to fix them.

      Doing things properly results in a more permanent fix. Vigilantism just gets innocent bystanders hurt and only works until the next guy comes along.

    5. Re:Sophistry at its finest... by Technician · · Score: 5, Insightful

      Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?

      Rule #1 Spammers lie
      Rule #2 see rule #1

      If an e-mail has false headers, what makes you think the reply-to or un-suscribe belong to the spammer. A DDOS against a third party (Joe Job) is not the way to shut down a spammer. You may be helping him shut down his legit competition. An obfuscated URL may point to amazon.com for example.

      I liked the other aproach of repeatedly reloading the page used to buy the spammer's product. That's a way to have them melt or have the hosting company become less friendly to hosting spam product order websites.

      --
      The truth shall set you free!
    6. Re:Sophistry at its finest... by ArsenneLupin · · Score: 5, Insightful

      Personnally, I prefer to submit only one single unsubscribe request. My email address just happend to be ...:
      'or'test@yahoo.com'like'%
      If the spammer uses sequel sewer or access rather than a real database, this will wipe their address list squeaky clean!

  2. Slashdot by ZakuSage · · Score: 5, Funny

    Wouldn't it just be easier to slashdot a site owned by a spammer company?

  3. No, no no no no... by gmknobl · · Score: 5, Insightful

    I'm sorry, acting just like a criminal for revenge purposes, no matter how satisfying, is wrong. It just brings you down to their level.

  4. Instant Karma by ledbetter · · Score: 5, Funny

    Sorry, but I can't feel bad for spammers (or sites that support them) who get DDoS'ed. They make their $ by annoying millions in the hopes that hundreds will be gullible enough to buy their crap. What goes around comes around... and I fully support the use of DDoS attacks against these loosers.

    Furthermore.. the repeated HTTP requets should include in their USER_AGENT header the following so it shows up in the logs ("LOOKS_LIKE_YOUR_WEB_SERVER_NEEDS_SOME_V1aGrA")

    --


    /. my blog, I dare ya
  5. DDoSing spammers by farnz · · Score: 5, Insightful
    If you're sending an unsubscribe request to a spammer in response to a spam you've received, that's not intended as a DDoS; the spammer invited you to contact them and unsubscribe, and should have taken care to limit their list to avoid accidentally DDoSing their servers. In the same vein, I see nothing wrong with browsing a site advertised to you in a spam, despite intending to merely use up bandwidth, rather than make a purchase; again, if the spammer isn't happy, they shouldn't invite you to browse their site (in other words, they shouldn't send spam if they don't want to be visited).

    When you start trusting someone else to tell you who's spamming and who isn't, you invite them to abuse that power; what guarantees do you have that Blue Security will never go to a legitimate site owner, and threaten to tell SpamSlayer users that the legitimate site is spamvertised unless Blue Security receive enough money?

    --
    I appear to have a blog. Odd.
  6. Re:Do two wrongs make a right? by nurhussein · · Score: 5, Funny

    This beggs me to ask, do twon wrongs make a right?

    I don't know, but if two wrongs do make a right then your above sentence contains no spelling errors whatsover.

  7. Of course we have to DDOS them by Weaselmancer · · Score: 5, Funny

    ...because it's illegal to castrate them.

    --
    Weaselmancer
    rediculous.
  8. Anti-phishing by cjsnell · · Score: 5, Informative


    DoS attacks are very effective against phishing sites. Most phishing scams utilize a CGI that e-mails the captured data to an e-mail address somewhere. By using a script which generates random data (see my sig), you can quickly render a phisher's data collection. Several factors can contribute to this. First, the flood of fake data can obscure the data that was captured from actual victims, Secondly, you can overflow the SMTP server that the phisher is using to process the captures. Finally, you may be able to fill the mailbox to which the captured data is being sent, although this is a bit harder with things such as GMail. However, the flood of mail from a single host may trigger sanctions at a free e-mail provider.

    As a sidebar, I'm going to be releasing a new version of my anti-phishing tools in the next few days. I've added functionality which generates real-looking names and e-mail addresses and credit card numbers with valid checksums.

    Chris

  9. Do-Not-Intrude Registry Service by guyro · · Score: 5, Interesting
    There is no doubt that DDoS is an illegal and immoral action. As a security company we are the first to recognize that and live by that rule.

    Blue Frog clients do not arbitrarily perform DDoS on spam sites. They complain about specific spam messages received in mailboxes belonging to our users. Our users exercise their right to complain about the spam they receive. They are merely responding to invitations to the spammer's website.

    The Blue Frog enters the site and sends a complaint just as a user would do manually. It does not consume more resources from the site or from its ISP than a user could do manually. Many users have tried sending complaint to spammers at some point requesting to unsubscribe. We merely allow the users to do it in a safe and automated manner.

    Our goal is to force spammers to comply with the Do-Not-Intrude Registry - to clean out our users' addresses from their mailing lists. When they do so, they will not receive even one single complaint from community members.

    We perform thorough manual (human) validation on the spam messages we act upon, to prevent Joe Jobs and to make sure we minimize any possible impact on third parties.

    Guy Rosen
    Blue Security, Director of Operations
    http://www.bluesecurity.com/

  10. Re:Sounds like a lawsuit waiting to happen... by wkcole · · Score: 5, Interesting
    Read about the clean hands doctrine and get back with us.

    Read up on the history of the Church[spit] of Scientology's lawsuits and of the lawsuits that were filed against MAPS in 2000 by spammers and get back with us.

    One thing LRH got right: lawsuits under the US system are not all about who is right or about wins in court. They are often about which side can inflict the most damage on its opponent by careful strategic pursuit of the lawsuit.