Lycos Anti-Spam Site Compromised [Updated]

An anonymous reader writes "Lycos, shortly after producing a screen saver to fight spammers using a DoS-style attack appears to have been hacked. Attempting to download the screen saver from lycos results in this message 'Yes, attacking spammers is wrong, you know this, you shouldn't be doing it. Your ip address and request have been logged and will be reported to your ISP for further action.' Or maybe it's just a joke -- can you ever tell?" Update: 12/01 15:07 GMT by T : According to Lycos, the defacement reports were actually just a hoax.

Lad Vampire unaffected

[Lost Race]

Lad Vampire [aa419.org] is still going strong. It's similar to the Lycos thing but only targets 419 scammers.

This link still works

[lou2ser]

If anyone is interested, this link still works:

http://download2.makelovenotspam.com/screensavers/ MLNS_screensaver_en.exe [makelovenotspam.com]

MD5 sum as of 11/26

[david_594]

I downloaded the installer on 11/26 when the first /. article came out and the MD5 sum of that file was: 237ee99dc7f35d2e2c0a8640086167bf

Re:"Fighting" spammers

[metlin]

Really well said.

Vigilante style justice does not always work out. For one, you open yourself up to illegal attacks from them, too.

If I legally took a spammer to court and if he DDoSed me, it would only strengthen my case. I have the legal recourse to support my stand.

However, if you did something like what Lycos did, what're you going to tell the judges? They hacked me for hacking them?

As much as I'd love to see spammers get kicked in the nuts, this is not the path to take. It makes us no different from them.

legally

[nilbog]

Since they have hacked Lycos's server, they are just as much, if not MORE in the wrong then people who are fighting back against them. As far as I understand, LEGALLY their records can still be used as evidence, since it was not a police agency who obtained the data illegaly

The screensaver put my processor usage up to 100% though, so I stopped using it after one day.

Re:This link still works

[aqua]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OSX version of the screensaver downloaded on the afternoon of 26th
November, compared to download just now (second checksum for reference,
download it yourself as a hedge against a compromised server giving back
good data to hosts known to have already downloaded the file).

Lines wrapped to reduce mangling.

- -rw-r--r-- 1 aqua staff 1120108 26 Nov 14:19 \ .Trash/MLNS_screensaver_en.dmg
ea8c53d0fb0f30faf3 6b93064936c6cf .Trash/MLNS_screensaver_en.dmg

- -rw-r--r-- 1 aqua staff 1120108 1 Dec 00:41 \
Desktop/MLNS_screensaver_en.dmg
ea8c53d0fb0f30faf 36b93064936c6cf Desktop/MLNS_screensaver_en.dmg

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBrYfGU5XKDemr/NIRApqmAKDXGuZG5gWvp/9QS7dU Aq REuUfYWwCeJ4hL
+fP7YMmg3DwVFCspiLqze+g=
=4LKC
- ----END PGP SIGNATURE-----

read again

[tota]

Because the spammers call it DoS does not make it so.

The point of this screen saver is to increase the running costs of those website.

Who do you believe?

Re:There we go again...

[evilviper]

You're wrong on so many counts here, it's amazing...

The following are clearly completely untrue:

(x) Mailing lists and other legitimate email uses would be affected

(x) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
(x) Microsoft will not put up with it
(x) Requires immediate total cooperation from everybody at once
(x) Anyone could anonymously destroy anyone else's career or business
(x) Jurisdictional problems
(x) Dishonesty on the part of spammers themselves
(x) Countermeasures must work if phased in gradually

All the rest are HIGHLY unlikely to be correct. For instance you suggest this is illegal by selecting several options, yet you haven't pointed to any laws outlawing it.

Re:obligatory

[iwan-nl]

Including an image from a spam server != *diplaying* it. Just size it 1x1 pixels or something. The bandwidth usage will still be the same.

Re:An alternative and legal idea

[Blitzenn]

BTw, we sell hardware. We do not send out unsolicited email. Your method would wrongfully harm a number of upstanding companies that hate spam too. YOu have to identify which ones are the culprites before your proceed down a road like that.

Wrong.

[blanks]

You dont get the blacklists from lycos.

"The sites targeted will come from blacklists generated by Spamcop and other anti-spam organizations"

http://www.spamfo.co.uk/News/Software/Lycos_anti sp am_screensaver/

From a previous news article I had read lycos is just making it available to download, and marketing it so to speak, but another company developed it, and im guessing since the site is down/comprimised,and that you can not access the black list its hosted somewhere other then lycos. But I could be wrong.

Re:Not at all

[stilwebm]

Can anyone in the U.S. who is getting the h4x0r3d message verify this IP?

Querying a U.S. DNS server and a European DNS server yeilds the same result:

dig @198.6.1.3 www.makelovenotspam.com
;; ANSWER SECTION:
www.makelovenotspam.com. 3471 IN A 83.241.136.230

dig @195.69.128.141 www.makelovenotspam.com
;; ANSWER SECTION:
www.makelovenotspam.com. 14020 IN A 83.241.136.230

Both have the same Authority Section as well:

;; AUTHORITY SECTION:
makelovenotspam.Com. 172419 IN NS ns.scannet2.dk.
makelovenotspam.Com. 172419 IN NS ns2.scannet2.dk.

Does anyone know of a DNS server that yeilds something differnet?

Re:Not at all

[Zarendahl]

I can, and the IP comes back to a DGC Systems in Sweden

If someone else can pull the whois information and verify that as well?

person: Jimmie Clareus
address: Softroom GDC
address: Box 1088
address: S-161 02 BROMMA
address: SE
e-mail: jimmie.clareus@softroom.se
phone: +46 8 410 22 600
mnt-by: DGCSYSTEMS-MNT
nic-hdl: JC2251-RIPE

Some ISPs DO detect and block owned PCs

[feepcreature]

when I've attempted to contact the ISP's about these owned machines and having them approach their customers, they do nothing.

Some ISPs do. A friend of mine found one day when he tried to connect that all he could get was a site that told him "download this tool and clean out the worm that's making your PC spew out more infection, or we won't let you back on the net". That was NTL (in the UK) but I believe some other ISPs do that sort of thing too. And good for them!

He downloaded and ran it. That problem was solved. Shame he didn't realise that there were other viruses in there too (or wasn't told that there might well me). Still, it's more than many ISPs do...

Tracing web page sources

[Anonymous Coward]

Anybody can write a message like that. The interesting part is not what the message says, but where it comes from.

Try finding out exactly what URL you are looking at, and preferrably also what IP address the server name resolves to (in case someone has messed with the DNS). Then fetch a copy of the page, HTML and everything, using wget or some similar tool. Examine it offline, perhaps using a browser with a non-contaminated cache, to determine if the message is indeed found in that page.

I have always considered page visit counters evil. Even more so when they come as inline images, from an external site. It's ten o'clock. Do you know where your inline images are?