SpamSlayer - should we DDOS spammers?
pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them.
Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, is it okay to DDOS the next guy who does something we don't like?"
Sophistry at its finest... (Score:5, Insightful)
From TFA: Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?
Also from TFA: That's what I thought...what does Blue Security have to say in their defense?
Again from TFA: Sorry, Reshef, but what you are describing is a textbook example of a DDOS attack. Whether the site in question is actually shut down, or merely incapacitated, is beside the point.
This whole caper is a non-starter, especially so since a precedent [pcworld.com] for this sort of thing has already been established by Lycos Europe.
Re:Sophistry at its finest... (Score:5, Funny)
Re:Sophistry at its finest... (Score:3, Interesting)
Re:Sophistry at its finest... (Score:5, Funny)
Oh, wait, I see what you mean. Okay guys, the next Viagra e-mail you receive, everyone go to the site and buy something.
The vast flood of orders will overload their system and stress their payment systems. That'll teach them...
Re:That's exactly what they want! (Score:3, Interesting)
force them to invest in bigger servers, new software and more license, and even more bandwidth, then stop ordering and watch them go bankrupt.
I wonder who will go broke first?
Re:Sophistry at its finest... (Score:3)
Re:Sophistry at its finest... (Score:3, Insightful)
So I suppose it depends on which story/continuity you're discussing.
-Z
What do you really know about the West? (Score:3, Insightful)
Do you think the West was tamed by vigilante gangs, citizen lynchings, and the like? Do you believe this is what civilized the West?
Or rather, was it the coming of the railroad, the influx of honest people, the extension of the hands of law enforcement, the implementation of new laws and their enforcement, etc.
I submit that the Wild West was a place of murderers, vigilante gangs (murderers), hired guns (ditto), the precursor of
Just turn your back on it (Score:3, Interesting)
It's a lot like weather, if you just live with it it's not that bad. I used to get all freaked out about those profiteering on the internet, because I was around a little before it really got commercial (when Mosaic came out and playboy.com started
It's symptomatic of our society--we're a marketi
Re:Sophistry at its finest... (Score:2, Insightful)
Also from TFA:
Launching a distributed denial of service attack is illegal in the U.S. and in most European countries.
That's what I thought...what does Blue Security have to say in their defense?
Re:Sophistry at its finest... (Score:5, Funny)
Re:Sophistry at its finest... (Score:5, Funny)
No, I'm not talking about enacting more laws, I mean having the government declare a "war on spammers", where DDoS attacks are used against them by the military in a digital carpet-bombing campaign.
That would take care of the whiny limp-wristed liberals crying "slippery slope" and "no better than them", and it would satisfy the bloodlust of the neocons. We could even hold spammers indefinitely in military prison camps by labelling them "enemy combatants".
Think of the possibilities!
Re:Sophistry at its finest... (Score:5, Interesting)
Re:Sophistry at its finest... (Score:4, Insightful)
Re:Sophistry at its finest... (Score:4, Insightful)
If spammers are sending unsolicited emails to others, I have no moral problem with a system that sends coordinated unsolicited requests to their sites in response.
The legal issues are quite another matter.
Re:Sophistry at its finest... (Score:2)
It would immediately double the amount of bandwidth used by spammers.
Even if they filter (if they send to a box, drop responses from that box.) It'll still take some of their time and resources.
And legitimate emails wouldn't be harmed much. Sure I'd have more emails coming at my server. But I can handle double.
Re:Sophistry at its finest... (Score:5, Informative)
A really bad one.
> Start having all email servers reply message for message automatically.
The From address and Reply-to address are fake. They may be using YOUR email address.
How would you like that? Ten million spams all claiming to be from YOU and each one sending a reply to the smouldering ashes of your mail server.
Re:Sophistry at its finest... (Score:5, Insightful)
Doing things properly results in a more permanent fix. Vigilantism just gets innocent bystanders hurt and only works until the next guy comes along.
Re:Sophistry at its finest... (Score:5, Insightful)
Rule #1 Spammers lie
Rule #2 see rule #1
If an e-mail has false headers, what makes you think the reply-to or un-subscribe belong to the spammer? A DDOS against a third party (Joe Job) is not the way to shut down a spammer. You may be helping him shut down his legit competition. An obfuscated URL may point to amazon.com for example.
I liked the other approach of repeatedly reloading the page used to buy the spammer's product. That's a way to have them melt or have the hosting company become less friendly to hosting spam product order websites.
Shared hosting (Score:2, Informative)
Even if it's determined that attacking a known spammer isn't actively prosecuted, the fact that you're attacking perhaps many other people as well will most likely get attention.
Re:Sophistry at its finest... (Score:2)
Everyone likens spam to junk mail, but it is significantly easier to throw away junk mail than to unsubscribe from each
Re:Sophistry at its finest... (Score:5, Insightful)
'or'test@yahoo.com'like'%
If the spammer uses sequel sewer or access rather than a real database, this will wipe their address list squeaky clean!
Re:Sophistry at its finest... (Score:3, Interesting)
'or'test@yahoo.com'like'%
If the spammer uses sequel sewer or access rather than a real database, this will wipe their address list squeaky clean!
At which point, the spammer gets to sue you for business damages due to lost potential revenue? The best part is, they can scale the damages based on their potential lost revenue (IE - the bigger the spammer, the more they can hold you liable for).
Re:Sophistry at its finest... (Score:2)
But is it really the same if the individuals are participating willingly and not through some worm or virus?
No, it's completely different...the individuals participating willingly would be more accountable for their actions than the ones whose machines are infected.
Re:Sophistry at its finest... (Score:5, Insightful)
While it's certainly true that DDoS attacks are illegal, and that there is a precedence that sets these types of things firmly in the illegal category, I personally think that we should reexamine them. Set a statute that allows DDoS attacks against known spam hosts and the like.
That's one knot that I think would be best left untied. It may start out as an anti-spam tool, but it'll only be a matter of time before all manner of other uses are okayed. How long before the RIAA gets permission to DDoS file-sharers, or entire P2P networks? How long before Microsoft gets permission to DDoS servers hosting cracks for their software?
Legalized DDoS attacks as a tool for fighting spam just reeks of a Pandora's Box solution to the problem. Once we make it an acceptable method for netcrime fighting in one instance, it's only a matter of time before all manner of major corporations and organizations tug the leash they have around US lawmaker's necks and get the right to DDoS anything they don't like.
Wait a second (Score:5, Interesting)
Didn't...this already happen? I can't find an article offhand (Googling mostly gives back results about the RIAA website getting DOSd). I'm not sure of the outcome, but I do know that a few years ago, the RIAA sought amnesty from laws regarding DOS attacks, so that they could DOS "known pirates". I'm not sure if they were ever granted anything relating to this though..but judging by the fact that I can't find anything relating to the subject, I'd guess that nothing ever came of it.
Re:Sophistry at its finest... (Score:3, Insightful)
Re:Sophistry at its finest... (Score:3, Insightful)
So by saying that DDoSing warez servers is a bad thing? Or are you saying that they should be protected and allowed to carry out illegal activities?
It could be. Say you own a small net-based business, small enough that you can only afford shared hosting. Now say one of those warez sites is on the same shared server as you. Microsoft (or Adobe, or Apple, or whomever) lays a DDoS attack on the server, now your site is down until the attack is over and you can no longer conduct business. Even worse, a part
Re:Sophistry at its finest... (Score:3, Informative)
Exactly. Instead of DDos'ing spammers and their hosting providers, why not use the bogus accounts to collect the information to turn the spammers over to the authorities. It looks like it could be quite a lucrative deal.
From the CAN-SPAM bill: [gigalaw.com]
"SEC. 11. IMPROVING ENFORCEMENT BY PROVIDING REWARDS FOR INFORMATION ABOUT VIOLATIONS; LABELING. The Commission shall transmit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee
Wasted bandwidth (Score:3, Insightful)
I'm sure the rest of the network doesn't appreciate the potential increase in latency and packet loss these attacks can result in, either.
DDoS attacks are never a solution to a problem. They may hurt the target, but at the cost of wasted bandwidth for everyone else using the paths to that target.
Let's not start down this path. Please.
-Z
Re:Sophistry at its finest... (Score:3, Interesting)
I'm not oversimplifying at all here. The difference between Blue Security's strategy and a Slashdotting is one of intent. Slashdotters don't intend to take down the site they are trying to view. Blue Security, however, has openly admitted that their strategy is designed to cripple spammers' web sites. While the actual content of Blue Security's traffic consists of perfectly valid unsubscribe requests, the fact remains that the primary objective is to bring spam websites to their knees through sheer volu
Slashdot (Score:5, Funny)
Collateral Damage (Score:2, Interesting)
Fighting fire with fire usually results in damage to both sides (friendly fire anyone?)
I don't think so (Score:2)
Which I doubt it'll work, because most
Nice try, tho.
Re:I don't think so (Score:2, Funny)
Jump to the what?
Hell yes! (Score:3, Insightful)
For those who complain that ISPs end up footing the bill because the spammers don't pay, well, I guess they'll need to be more careful about vetting their customers next time. As if there are any really "innocent" ISPs hosting Internet "pharmacies" or "Rolex" dealers.
No, no no no no... (Score:5, Insightful)
It depends on the timing. (Score:5, Interesting)
It may be necessary, in the process of stopping the harm, to inflict harm on the attacker. Take care that your response isn't more harmful than that which had been threatened.
Failing to act in that circumstance is at best a reverse tragedy of the commons, in the general case laziness, and at worst is sheer cowardice.
After the fact it becomes mere revenge, which is a waste of time.
Re:It depends on the timing. (Score:3, Interesting)
Unless it can be shown that he's in the habit of continuing to do it. Taking him out after an event is pre-emptive and self defense against the inevitable next event. It's the same reason that some women who kill their wife-beating husbands in their sleep are acquitted of murder.
Re:No, no no no no... (Score:2)
I wonder, would a spammer be treated the same way in prison as a child molester?
This is just a DDOS, and that's bad (Score:3, Informative)
Sounds like a lawsuit waiting to happen... (Score:5, Interesting)
Re:Sounds like a lawsuit waiting to happen... (Score:2)
I don't condone the illegal acts, because then you lower yourself almost to the level of the spammer (which is 1 step above a child molester on the morality scale).
Re:Sounds like a lawsuit waiting to happen... (Score:5, Informative)
All it'll take is one spammer to file a lawsuit against these guys to stop them dead in their tracks.
Read about the clean hands doctrine [law.com] and get back with us.
This is why you don't see drug dealers suing someone to collect a debt. Spammers are criminals, they simply cannot sue with regard to their criminal activities.
Re:Sounds like a lawsuit waiting to happen... (Score:5, Interesting)
Read up on the history of the Church[spit] of Scientology's lawsuits and of the lawsuits that were filed against MAPS in 2000 by spammers and get back with us.
One thing LRH got right: lawsuits under the US system are not all about who is right or about wins in court. They are often about which side can inflict the most damage on its opponent by careful strategic pursuit of the lawsuit.
Re:Sounds like a lawsuit waiting to happen... (Score:3, Informative)
Easy profit (Score:2, Interesting)
I remember when this debate started (Score:5, Interesting)
Should we bomb them into oblivion?
Or should we listen to the voice of reason and tolerate this behavior as a necessary evil, integral to the total freedom of the global Internet?
Sometimes I think we chose wrong.
Re:I remember when this debate started (Score:2)
Re:I remember when this debate started (Score:5, Insightful)
Re:I remember when this debate started (Score:5, Funny)
I can't wait until we can travel back in time and flog those two. Had they been slapped down hardcore when it first happened, we'd have:
* Less lawyers
* Less spammers.
I'm failing to see a bad side to this.
I don't think so ... (Score:3, Insightful)
Just a thought... (Score:4, Funny)
Re:I don't think so ... (Score:2)
Do two wrongs make a right? (Score:2)
This also brings out the same issues of mob mentality. Who decides who is bad or good? Who leads the mob?
Re:Do two wrongs make a right? (Score:5, Funny)
I don't know, but if two wrongs do make a right then your above sentence contains no spelling errors whatsover.
Different purposes, different results (Score:2, Insightful)
If I shoot you before you do so, being reasonably certain that you intend to shoot me and take my wallet, I have acted in self defense, and there is no crime.
Not really a one-for-one analogy, but it does illustrate that shooting someone does have different consequences depending on the situation and purpose.
Two wrongs don't make a right (Score:2, Insightful)
Only sending spammers to jail AND taking away ALL their assets (cash/cars/houses) is going to deter them.
Re:Two wrongs don't make a right (Score:2, Interesting)
Imagine if drug dealers were invisible, but drug buyers glowed in the dark.
Hate to break it to you, but (Score:2, Insightful)
Spam wouldn't be a problem if people didn't actually click on the links. I've seen studies somewhere about the return rate on spam. While it is quite low, it's still high enough to make it worth their while.
Maybe we should establish a site that lists all the companies that support spam, and then boycott them. We could even have a plugin in firefox that would warn or block a site that was known to have used spam.
Re:Hate to break it to you, but (Score:4, Informative)
http://www.nu.nl/news.jsp?n=556966&c=50&rss [www.nu.nl]
http://www.mirapoint.com/company/news_events/pres
Re:Hate to break it to you, but (Score:3, Interesting)
Re:Spam RBL? (Score:3, Informative)
Menace to the Internet (Score:5, Insightful)
Re: (Score:3, Insightful)
Re:Menace to the Internet (Score:3, Insightful)
Should we kill the criminals? (Score:2)
So, do we cut off the hands of thieves?
As a side note, the idea of internet vigilantism is a rather interesting topic, and one that as the internet continues to expand could become inevitable.
This has been going on for years (Score:2, Interesting)
All in all a pita for him. But the thing that will shut do
Instant Karma (Score:5, Funny)
Furthermore.. the repeated HTTP requests should include in their USER_AGENT header the following so it shows up in the logs ("LOOKS_LIKE_YOUR_WEB_SERVER_NEEDS_SOME_V1aGrA")
use of innocent email/web addresses (Score:2)
DDoSing spammers (Score:5, Insightful)
When you start trusting someone else to tell you who's spamming and who isn't, you invite them to abuse that power; what guarantees do you have that Blue Security will never go to a legitimate site owner, and threaten to tell SpamSlayer users that the legitimate site is spamvertised unless Blue Security receive enough money?
Can of Worms? (Score:2)
Re:Can of Worms? (Score:2)
DDoS attacks affect more than just the target... (Score:2, Insightful)
I don't know about everyone else but I don't want my cable connection bogged down just because my neighbor feels like being an activist. Let's let the legal system do its job and use distributed computing for protein folding or other more worthy
It's a jungle out there. It's war. (Score:2)
I wouldn't stop at email requests. I would hurl massive amounts of big frames at them all day like a REAL D/DOS attack. All you have to do is increase their cost of doing business a few percentage points.
It's all fun and games... (Score:2)
I prefer the SpamVampire method (Score:2)
Not going to work (Score:2)
Of course we have to DDOS them (Score:5, Funny)
...because it's illegal to castrate them.
What shall we do? (Score:4, Insightful)
A and B aren't working. C, at present, is the only answer we have available to us.
I want to say for the "record" (whatever that means) that marketing through email is okay with me so long as people WANT to receive it. If someone out there WANTS to buy some discreet penis pills or any other "plain brown wrapper" item that's fine with me. And let there be a means for them to subscribe to the stuff. The key is Opt-in explicitly and without any tricks or gimmicks and more significantly, an "instant off" function that will not require 4-6 weeks to update their databases (which is utter horse shit). Okay I said it... now let's move on.
We do everything we can to block these people. They do everything they can to avoid being blocked. Their attempts at evasion are proof positive that they know they are pissing off the world for profit. How many other business models work at public expense for personal gain? In effort to prevent at-large vigilante-ism, where should the line be drawn? As much as I'd like to pull over and beat the crap out of people with ridiculously loud stereos playing in their cars, it's wrong (and dangerous) to do.
I'm at a loss for what we should do about the problem. These people are essentially polluting the internet and it needs to stop. But how?
How I Learned to Stop Worrying and Love the Spam (Score:2, Funny)
Retaliation (Score:2)
While I applaud the sentiment of taking the fight to the spammers and trying to
Think about the end result (Score:2)
Effective punishment (Score:2)
Kind of like when the city boots your car when you refuse to pay your parking tickets, having law enforcement DDOS a spammer's site when they refuse to pay fines or show up in court might be an effective way to enforce anti-spam laws.
Anti-phishing (Score:5, Informative)
DoS attacks are very effective against phishing sites. Most phishing scams utilize a CGI that e-mails the captured data to an e-mail address somewhere. By using a script which generates random data (see my sig), you can quickly render a phisher's data collection. Several factors can contribute to this. First, the flood of fake data can obscure the data that was captured from actual victims. Secondly, you can overflow the SMTP server that the phisher is using to process the captures. Finally, you may be able to fill the mailbox to which the captured data is being sent, although this is a bit harder with things such as GMail. However, the flood of mail from a single host may trigger sanctions at a free e-mail provider.
As a sidebar, I'm going to be releasing a new version of my anti-phishing tools in the next few days. I've added functionality which generates real-looking names and e-mail addresses and credit card numbers with valid checksums.
Chris
Time for Ye Olde Standby (Score:5, Funny)
One time, at band camp... (Score:5, Funny)
Was it right? Probably not. Did it feel good, HELL YES.
Do-Not-Intrude Registry Service (Score:5, Interesting)
Blue Frog clients do not arbitrarily perform DDoS on spam sites. They complain about specific spam messages received in mailboxes belonging to our users. Our users exercise their right to complain about the spam they receive. They are merely responding to invitations to the spammer's website.
The Blue Frog enters the site and sends a complaint just as a user would do manually. It does not consume more resources from the site or from its ISP than a user could do manually. Many users have tried sending complaints to spammers at some point requesting to unsubscribe. We merely allow the users to do it in a safe and automated manner.
Our goal is to force spammers to comply with the Do-Not-Intrude Registry - to clean out our users' addresses from their mailing lists. When they do so, they will not receive even one single complaint from community members.
We perform thorough manual (human) validation on the spam messages we act upon, to prevent Joe Jobs and to make sure we minimize any possible impact on third parties.
Guy Rosen
Blue Security, Director of Operations
http://www.bluesecurity.com/ [bluesecurity.com]
Re: (Score:3, Interesting)
Spam from BlueSecurity.Com (Score:3, Insightful)
Seriously, what's to stop a spammer from sending spam on behalf of a competitor, and laughing while BlueSecurity shuts down their website?
And who decides what is spam? BlueSecurity employees? A poll of users? A 13 yr old who scripts a bunch of canned messages to "BS" and says Microsoft spammed him?
Spam is Evil, but so is fighting spam *with* Evil.
I see... (Score:3, Interesting)
Rather than taking an offensive stance, let's design a system that runs in a distributed way (a network) that can detect a particular spam email as it is sent out to millions of addresses. Then, merely in response to that event, the nodes on the network coordinate to create an automated reply to unsubscribe from that piece of email.
Now, I am sure there are those among you that would argue that this is a DDoS type approach. And it is. Except I think you'd stand a very good chance in court (if it ever even made it that far) of arguing that is perfectly legal. Spamming is illegal, and they are required to provide a link to unsubscribe. In the case that they do not, some nodes on the network could sleuth down the appropriate address to send the request to and provide it to other nodes. Thus, the network would never initiate an attack, it would merely recognize and respond (using the channels provided for in law) to the emails that are sent out. Sure, the end effect would be a DDoS, but so is a Slashdotting - and that isn't illegal.
I haven't done my homework on the wording of the law that makes a DDoS illegal (besides, in whose jurisdiction is it illegal?), but there are so many DDoS-like events on the web that the law cannot make them ALL illegal, and if Slashdotting is OK, I'm sure the scheme outlined above would be OK, too.
The danger of vigilantism (Score:5, Insightful)
There's another name for this sort of activity: "Lynching" There's a good reason why one isn't supposed to take the law into one's own hands. It's because, however noble your intentions, there are no checks or balances on your actions; no safeties or limits.
I HATE spammers. When I'm bored, I shut them down by tracking relevant data about them, and reporting them to their hosts and domain registrars. But who decides who the next "spammer" is? When I get spammed, even that isn't strong enough evidence for me. My next step is to ensure that it isn't an isolated incident, and so I go search the web to see if they've been added to a database/blacklist, or are on any of a number of spammer watchlists. Once I've got enough evidence to be able to convince a host/registrar, as well as myself, THEN I take action. But... how many vigilantes would take these extra steps? How many would simply go along with the crowd? "Hey! It's a spammer! GET HIM!!!"
As much as I hate what spammers do, I simply can't condone this kind of action, without some kind of safety net for false positives. We're seeing something of a double standard here. What if, instead of discussing actions against "spammers", we were discussing actions against "terrorists"? Biometric tracking? Millimeter wave scanners? RealID? We've all seen how many people get strip-searched, end up on no-fly lists, get arrested for not having the right paperwork or IDs, and have any number of other civil rights violated. We're constantly demanding that we have some sort of guarantee that we're not going to end up flagging the wrong individuals. I agree wholeheartedly; we'd damn well better ensure we're flagging the right people, or the system is pointless, and the "terrorists" will end up laughing all the way back to the compound. So... where's our safety net here, folks?
If we could legitimately do something like this, there wouldn't be a need for it, because it would mean the authorities would already be doing so. What happens on the day someone decides that Bob's Direct Mail service is "close enough" to spam, and we should start targeting them? How about Bob's Direct Mail Order? Bob's Direct Shipping? Bob's Joint? Who decides the next target? What if it's just a personal vendetta, and isn't even accurate? What happens when 20,000 people take that person's word for it, without doing any of their own research?
Yes, something needs to be done about the spammers, but this sets a dangerous precedent. What's the solution? Hell if I know, though I suspect it's a combination of legislation and education. I just know that this has enough problems to have been condemned by almost everyone here, if it had come from the opposite direction.
Is spam email a DDOS? (Score:4, Insightful)
Before you can ask if using the function is a denial of service answer this question: Is sending spam a denial of service attack? I have had to cancel email accounts because of all the spam. Did the spammers attack me? Did they deny me access to my email by raising the noise to signal ratio to the point that I could not use it anymore? I certainly feel that they did.
Now, the only reason that the spammers would have a technical issue is if they were not prepared for all the cancellation requests that come through. In that sense it is like a slashdotting. When a site gets slashdotted we laugh and say the site should have been on a better server, with more bandwidth, etc, etc. So...if the spammer cannot handle the cancellation requests maybe it's his fault. Maybe he should have vetted his mailing list and not sent emails to uninterested parties. Maybe 10 year old boys don't need viagra, cheap diabetic supplies, and hot lesbian horse action. Some discretion and discipline in advertising practices could help alleviate this problem.
Fact of the matter is that each spam email out is supposed to offer a chance to cancel the mailings and get off the list. If the spammer can't do that he is in violation of the law. I don't care if he has too many cancellation requests. I don't care if everyone who receives it cancels.
If they don't want attention then they should not advertise.
This is an embarrassment to law enforcement (Score:3, Insightful)
I am still dumbfounded as to why ANY of the ~200 (or less) spam-gangs (as documented by Spamhaus) who are responsible for 80% of all spam haven't been taken down? I don't buy the jurisdictional problem excuse -- most of them are in the states and all of us know they can be easily traced. Almost every one of these spammers are engaging in multiple criminal activities, including computer tampering, fraud, copyright infringement, RICO violations, identity theft, ponzi schemes, and more.
The biggest casualty of spam is the theft of bandwidth and network resources. DDOS'ing the spammers, while effective in that it may increase their cost of doing business, compounds the problem.
However, at this point, since the feds seem incapable of doing anything about this, I'm unwilling to write off any approach that might wake them up and get them into action. Our country does have a history demonstrating that civil disobedience can be an effective catalyst when the status quo is ambivalent. With that being said, I wouldn't personally endorse anything of questionable legality, but at the same time, I can't help but respect the role of such tactics in history.
Still, it just boggles me that a few FBI agents haven't done something as simple as toss up a few PCs on a cable connection with a packet sniffer, and begun documenting the propagation of worms and how the spammers are operating. It would take no more than a week to build a solid case against so many of these operations, you could pick-and-choose which perpetrator would be the easiest to prosecute. So why hasn't this been done?
Bad idea. (Score:3, Interesting)
What *I* hate about spam is the fact that there's so much of it that it accounts for a good measurable percentage of the total traffic on the net. Think about it. Spam is usually small messages, sent to thousands of recipients all over the world. So every bit of spam branches out from the spammer's local mail relay and induces a small amount of traffic to a great many parts of the network.
There are lots of spammers. They send lots of spam to lots and lots of people. That makes up a huge collection of packets that have to be routed all over the globe, all day long. I heard a figure somewhere saying it might be as high as 60% of total traffic.
My ping times to various game servers are seldom better than 70ms, and quite often over 100ms. I'm willing to bet that if all that crap weren't being flushed all over the net, the overall latency would drop by a good 20ms.
(Don't get me wrong, I'd rather have a nice T3 and be high enough up to not have the extra latency to begin with... but... I can only hold my breath so long.)
Using DDoS attacks against them would just induce even more garbage onto the network, and make it even slower.
The "right" way to deal with it is to (a) change the SMTP protocol so it requires some form of identification (perhaps a public key signature) -- if I don't recognize the caller-id on my phone, it goes to voicemail, why should email be different?, (b) go back to batch processing of email -- why do you NEED email to get there in 30 seconds, use an IM for real-time. Let mail servers send mail every 4 hours so at least that end can be more efficient. Use compression while you're at it. And (c) make spamming a crime, punishable by firebombing of the offender's house *grin*. If (a) happens, it should be possible to locate the spammer's property and eliminate it. That would remove the incentive for spamming, since all that "hard-earned" money would be lost.
invalid on its face (Score:3, Interesting)
You're dealing with a system that really doesn't give a shit what the law is in any one country, or any one group of countries. And since only the insane among us want a world government, that leaves with the question of what to do when law enforcement is essentially ineffective. Which it has been, and will be, no matter what laws the U.S. decides to pass or what the penalties are. U.S. law, after all, stops at U.S. borders.
So long as there are countries that'll host spammers there'll be mountains of spam to contend with.
If the law can't control the problem, what does that leave you? Seems to me that vigilantism doesn't sound so bad when the alternative is "bend over and grab your ankles".
Max
It's a great idea! (Score:3, Interesting)
I know most of you are too young to remember the old days of the Internet but before DDOSing was illegal this was the method to stop spammers. That and brute force attacks against their servers. If you were a spammer then you were an open target.
This worked too. Spam increased only after the laws pertaining to network attacks came into effect.
I guess that if someone breaks into your house watches your TV and eats all your food this is ok as long as they don't carry anything out. Still you're left with the electric bill for running the TV and now you also have another mouth to feed. Guess you're made of money. Well I am not and if you break in here you will be dealt with accordingly and I will call the Cops only to come and carry away your corpse.
So if you stick your hand in my pocket to take my money and I cut off your hand am I the bad guy for cutting you? If you hadn't put your hand in my pocket in the first place I would have never hurt you. This is the same thing spammers stick their hands in my pocket every time they send their shit. So if I cut off their hand by DDOSing them am I wrong? Personally I don't think so.
Remember THEY contacted me first.
The laws are no good. Ever called the FTC about this? Even being an ISP they will not pursue your case. Their only answer is send us an email. Even when you have a mountain of evidence against them. Laws aren't worth the paper it is written on if they are not enforced and the CAN-SPAM Act is just an illusion to appear that the government is doing something about it.
OK guys you can flame me now....
out of band attacks (Score:3, Interesting)
However I am concerned about starting a large scale netwar with the spammers, effectively shutting down the internet. This is essentially what happened for me locally during the whole makelovenotspam fiasco. The spammers fought back with everything they had. It was not pretty. Also, as a rabid e-pirate complete with parrot and eye patch, I am concerned that the war could be an excuse for RIAA/MPAA sponsored attacks as well. The fact is that the internet is a very fragile system which can be easily broken. Some people are arguing that maybe it should be until our governments are willing to pass enforceable spam laws with actual teeth. But I'm not so sure I'd be willing to go that far.
I think a better long term system would be to get large groups of people to join an anti-spam organization which would accept donations and membership dues or whatever to fight against companies that advertise with spam in the real world. Something like a shady, vigilante, version of the EFF. The idea would be to hurt and put out of business companies that advertise with spam as much as possible. Moebius faxes, war dialing of 800 numbers, junk mail attacks, publishing of personal contact information for everyone in management positions including cellphone numbers, email and snail mail addresses. Maybe even opportunistic vandalism in a car-keying, sugar in the gas tank, potato in the tailpipe, spray-painting "spam sucks" onto windshields, kind of way. Presumably a professional organization could come up with even more nuisance ideas. Maybe a freesite could keep track of the exploits.
Better than the option (Score:2)
Like 20 years of UN "Stop! or we'll say 'Stop!' again!" resolutions did any good.
Re:Wait a minute (Score:2)
Did you even read the article? These requests are not coming from the company's computers, they are coming from all of the company's customers' computers
From the article: