Lycos Declares War on Spam Servers 567
Psychotext writes "The Register have posted a story about a new screensaver from Lycos that targets known spam servers (taken from spamcop and verified by hand) with traffic in order to raise their bandwidth costs and hopefully price them out of the game. Lycos state that this is not a DDOS as Lycos monitors the site's responsiveness and throttles back when the site starts to falter. The screensaver is available here for Mac OSX, Mac OS9 and Windows, though you might need to lie about what country you are from." Reader JohnGrahamCumming writes "As part of preparing for the MIT Spam Conference I've put together a survey on what people are experiencing out there with spam, what they are doing about and followed it up with a test of different views of an inbox filled with spam and ham. You can take the test and be part of the survey results in January."
Lycos? (Score:5, Funny)
--
Re:Lycos? (Score:4, Informative)
Re:Lycos? (Score:5, Informative)
Lame (Score:2, Insightful)
Re:Lame (Score:5, Insightful)
It's like investing in the future. If it works and makes it too expensive to run a spam destination site, spam destination sites will fade into history. This may be wishful thinking but the other option is to do nothing until 98% of internet traffic is spam related. I say "yeah" - if for no other reason than because it feels good. Of course, I'll have to wait for the linux equivalent - or maybe I'll go google for some ready made scripts - failing that, using this list and wget, I'll make my own. Sounds like a fun and righteously vindictive activity!
clone that on sourceforge? (Score:3, Insightful)
How long will it be before we see an open source clone of that on sourceforge?
Of course it will do nothing for zombie sites that are hosted on trojan/worm/virus hacked machines. That would just punish the technically incompetent victim of spammers.
Re:Lame (Score:3, Insightful)
Currently, it's a completely miniscule undetectable amount of traffic when compared to whatever else is banging around the net. 100MB in 40 minutes across everyone running it currently? That's less than the speed of a 512kbps DSL connection, for just under 10,000 screen savers they have installed & running at the momen
Re:Lame (Score:3, Interesting)
I agree with you about this being more wrong than spam however. You don't fight fire with fire. Personally, their tactics don't make them any diffe
Re:Lame (Score:2)
Besides, IN THE ARTICLE they say that the tool uses about 3.4Mb per day. Big deal.
Re:Lame (Score:3, Interesting)
The estimates I saw just a day or so back were about 65%. This is NOT trivial. I'm reminded of the Mouse that Roared. I think its time we mice roared loud enough to be heard. Each one of us is a trivial squeek, but if 40 million did it, that would be a roar that no regulatory agency on the planet would dare touch with a 1000 foot pole.
If 10% of the planet jumped on this particular bandwagon, the problem would be self solveing within a week. Then we woul
Horrible Idea (Score:5, Insightful)
Re:Horrible Idea (Score:2)
Comment removed (Score:5, Insightful)
Re:Horrible Idea (Score:4, Informative)
There are other ways they make money, and some is just random guessing to find valid emails (via various mechanism) for re-sale to other spammers.
I'd swear some of this spam is pure bs to entertain the spammer who could care less about making $$ than simply seeing how many people he piss off with idiot e-mails and chain letters(AOL in conjuction with microsoft and the fda are tracking this e-mail, send it to 183 close friends in the next 27.34 minutes or we kill a kitten and you'll come down with warts!).
Mycroft
Re:Horrible Idea (Score:3, Informative)
I'm not sure which spam gang does this at the moment, but Empire Towers would be the best bet. (They use tricks like asymetric routing to spoof the source of a TCP connection. They can make it lo
Re:Horrible Idea (Score:3, Informative)
Fighting spam with more crap? (Score:4, Insightful)
Re:Fighting spam with more crap? (Score:2, Funny)
Re:Fighting spam with more crap? (Score:5, Insightful)
Why not use the resources used to develop this program to work on better spam filtering software? If nobody sees the messages, nobody buys the spamvertised products, and the spammers go away.
Re:Fighting spam with more crap? (Score:5, Insightful)
Re:Fighting spam with more crap? (Score:4, Insightful)
Re:Fighting spam with more crap? (Score:4, Insightful)
Re:Fighting spam with more crap? (Score:3, Informative)
Linky to your 5-15% stats?
Re: (Score:3, Insightful)
Re:Fighting spam with more crap? (Score:2, Insightful)
Re:Fighting spam with more crap? (Score:2)
All those mail order catalogues slashdot sent to Ralsky? Would make a great bonfire to stake him on top of.
Comment removed (Score:5, Funny)
Re:Fighting spam with more crap? (Score:5, Funny)
DAMN YOU, GODWIN!
Re:Fighting spam with more crap? (Score:2)
Make spam less crappy (Score:3, Insightful)
Second that. Producing more crap to fight crap leaves only losers.
Knowing how sneaky spam operations work (zombie networks etc.), I think that filtering/counter measures will never truly solve the spam problem, and that an effective solution will be economics-based.
One reason for the huge amounts of spam is that each single message has on average very little value for the recipient, and IMHO a good approach would be to increase that v
Re:Make spam less crappy (Score:3, Interesting)
It wouldn't help. We'd just have this targetted spam PLUS the shotgun spam we have now. As long as sendng spam is virtually free, in cost and penalty, there will be plenty of assholes willing to use it to the fullest extent possible.
Re:Fighting spam with more crap? (Score:5, Insightful)
There's a sort of hierarchy of ways to deal with people. At the base is physical force, and the top is reason.
If someone won't listen to reason, the only way to deal with them is to go down the list of ways to respond. How far down the list you go depends on the morality and importance of the problem (for example, if someone is wearing white after labor day, you might try to reason with them, or convince them with emotional arguments, but you probably won't pass a law or (going to the very bottom of the list) threaten to kill them for it).
Spammers won't listen to reason or laws, so you have to either go down the list (in this case, meet them at their level), or let 'em be. For example, I wouldn't advocate violence against a spammer (except prison time, but just barely, like 6 months max or something), but wasting their money (like they do to me?), count me in!
RE: dynamic IPs (Score:4, Informative)
Part of verifying IPs as spam sites should include the obvious; checking to make sure it's not an IP in some ISP's dynamic IP pool.
This type of checking is already implemented by some ISPs when deciding if email should be accepted or not by their mail server. (My boss set up a small mail server on his Charter cable connection, for example. Charter, instead of issuing him a true static IP, decided to give him a "fixed dynamic IP". Basically, they just punched his network card's MAC address into their DHCP server and told it to always issue him the same IP out of their dynamic pool.) This causes his mail server to be unable to handle emails destined for AOL, because they know his IP is in a dynamic range for Charter.
Sometimes, I've seen my own dynamic IP come up as blacklisted on services, but a closer inspection typically shows they just blacklisted the whole ISP, or at least their whole pool of dynamic addresses. These types of bans are usually temporary measures put in place because they're having problems coming from somebody on that ISP and they can't afford to wait around until that ISP co-operates with them to track down the individual doing it.
This is NOT A DDOS!! (Score:5, Interesting)
Actually, it's a great idea, now only if a cool Open source dev would make an open version of this and take away that whole throttling thing.. who would they sue?
It would be the gnutella of ddos's!
Re:This is NOT A DDOS!! (Score:2)
They explicitly state that they will not overwhelm the servers to the point of service denial, simply force the servers to expend more bandwidth, and in the process, money.
It's certainly distributed, but it's not a Denial of Service.
Re:This is NOT A DDOS!! (Score:4, Funny)
Re:This is NOT A DDOS!! (Score:3, Informative)
the
if I were to type in '/me ducks for cover' into a IRC session, it would show on the screen something like this
AC: blah blah blah blah
NeuroKoan: bleh blah bleh blah
AC: hahahahaha
NeuroKoan ducks for cover
AC: lol
Re:This is NOT A DDOS!! (Score:5, Interesting)
No, to be a DoS attack, they must attempt to deny service.
If I take an extra 100Mb/s on a 1Gb/s line, does it slow down my network? No. Was it an attempt to do so? Yes.
Several years ago, Some kid got on two boxes at his university. They had a T3. We had a T3 (like I said, several years ago). They were pushing 30Mb/s constantly at my one box for two days. It started on a Saturday night. It wasn't enough to knock my box down.
I sent a nice email over to the school with all the information I had. Needless to say, there was hell to pay over at the school. They were terribly concerned why *THEIR* network was having problems all weekend. They were very thankful that I informed them.
Now, was that an attempt at a DoS? Yes.
Was it enough traffic to actually break anything? No.
Did the kid get expelled from the school? Yes.
Now the bigger question, if the school hadn't handled it, where do I go next? To their ISP. Well, actually my ISP, who would contact their ISP, and threaten to block whatever block size necessary to stop it. a
"Sorry, we're going to null route your
That'd go over really freakin' well, I'm sure, especially if my provider is big enough.
If they're on the same provider, someone's service is getting immediately disconnected. Yes, I've been in on those calls, both for DoS attacks, and for spam.
ISP: "There's a customer on x line that's spamming"
Me: "Well, not that my opinion matters, but I would have already shut them off."
ISP: "We did about 5 minutes ago."
But hey, however they want to play the game. It's their company.
Re:This is NOT A DDOS!! (Score:5, Funny)
Re:This is NOT A DDOS!! (Score:2)
Wishful thinking all around, though.
LAW SUIT (Score:5, Insightful)
Re:LAW SUIT (Score:5, Interesting)
Now, they aren't the first to come up with this sort of attack against spam. Lots of geeks (myself included) have run continuous wget fetch sessions against particularly annoying spammer sites. There's a program called "Spam Commando" or something similar which fills out spammers' web forms with bogus but real-looking inquiries, thus wasting the spammers' time. I've thought several times about writing a little win32 app to do what Lycos' screensaver is doing, but couldn't get past the obstacle of "why would people trust my list of spam sites and use the program?" I should have thought of partnering with Spamcop
In any case, this is the first time that a company, as opposed to some guy in his spare time, has stepped up and said "Hey, we think this is a good idea." And that's all it takes. This sort of thing generates press. The press will probably lead to lawsuits, as you point out. The lawsuits will inevitably lead to Lycos disabling the screen saver.
But here comes the beautiful part:
That's where a few geeks step in and take over.
Look at Gnutella. Nullsoft got bitch-slapped by AOL and told "you can't do that." The rest of the internet replied, "maybe you can't, but we sure as hell can."
Mark my words, if legal action shuts down Lycos' screensaver, a free, open-source, anonymously distributed alternative (or three) will take their place.
Thanks, Lycos, for shouldering the initial risk.
Re:LAW SUIT (Score:5, Interesting)
I wrote a proof of concept once, similiar to your form filling script.
Someone said that you can't spam and hide it.
I wrote a script to prove you could. It took about 20 minutes to put together to my satisfaction.
I had 3 files. A names file, a domains file, and a words file.
It would take one to three words from the "names" file, and generate a name. It would take some combination of those, sometimes with a random character or two, and then take a random domain from the "domains" file, to form an Email address.
I'd then take the "words" file, and make a subject line 2 to 15 words long, and a message body that was between 10 and 100 words long.
To some of the messages, I attached arbitrary length attachments (generated as it ran), with filenames from the 'words' file, and I think 8 common extensions (.doc,
I then used a common misconfiguration in web proxy servers (allowing CONNECT), and set it up to randomly select proxy servers to mail through, all over the world.
Then I said "are you sure about what you said 20 minutes ago?"
He said "yes".
I ran the script. He was receiving about 1000 messages per minute, and couldn't tell what was real and what wasn't. They only thing he knew is that he saw text scrolling by on my screen (a little status information for myself), and me laughing my ass off.
There was absolutely nothing consistant with the messages. Different senders, different bodies, different attachments (if they existed at all), and all coming from different "mail servers". The receiving mail server assumes the IP it received from is the previous mail server, so those proxies showed up in the header.
I never did run it against a spammer. It wasn't worth it. You know the 'from' address is bogus anyways. Any address they may list on their site is probably bogus ( remove_me@bad.spammer.com ? ha!). It was proof of the concept that anything can come from anywhere. He couldn't identify that it was me, because the was nothing to identify that it was me. The only way he could have possibly found out that it was me (other than my laughing), was to try to contact these ISP's with misconfigured proxy's, and ask them to give him the IP who sent it through. Good luck. I don't speak any Chinese, and at least 100 of those proxy servers were over there.
Re:LAW SUIT (Score:4, Insightful)
Eventually there won't be any IPv4 left! (Score:4, Insightful)
Re:Eventually there won't be any IPv4 left! (Score:2)
Re:Eventually there won't be any IPv4 left! (Score:2)
a friend of mine just heard that a few class A blocks were just assigned to APNIC and immediately firewalled them off
APNIC is the authority for 62 countries [arin.net] in the Asia-Pacific region including Australia, China, India, Indonesia, Korea, Malaysia, New Zealand, and Singapore. Obviously his actions were totally reasonable.
Re:Eventually there won't be any IPv4 left! (Score:2)
TONS of spam comes from them and enforcement of complaints to Abuse@ is nil. What, of use to a Westerner, could they offer to counter that?
Re:Eventually there won't be any IPv4 left! (Score:5, Insightful)
TONS of spam comes from them and enforcement of complaints to Abuse@ is nil. What, of use to a Westerner, could they offer to counter that?
What do you mean "them"? A billion people live in "APNIC", dozens of countries. A few thousand spammers. As for "Westerners"; I happen to be a white Caucasian male born in Australia, living in Hong Kong.
Because of attitudes like yours I have to use devious methods to email people on AOL, as they've blocked my normal domain for reasons they don't even deign to explain. Most of the world's spam originates in Florida. Do somethng about that first.
Re:Eventually there won't be any IPv4 left! (Score:3, Informative)
Question? You mean "What, of use to a Westerner, could they offer to counter that?", where "that" is spam, presumably? Your "atttitude is based on facts"? Such as "TONS of spam comes from them"? Okay,if you block every continent that produces spam, you're left with an Internet comprising Antarctica. I repeat: America generates most of the world's spam. (I'll refe
Re:Eventually there won't be any IPv4 left! (Score:3, Informative)
This is an interesting statistic. Do you have a source for it?
Guardian Unlimited: Mail out of order [guardian.co.uk]:"Boca Raton in Florida is...the spam capital of the world....There are really only 150 spammers doing 90% of all the spam we get in the US and Europe... at least 40 of them are in Boca Raton."
Also see ROKSO [spamhaus.org].
That is actually funny! (Score:5, Funny)
Now we got: This is NOT a DDOS!!
Oh well, we gotta try a few things to try and bring the spam down
Re:That is actually funny! (Score:3, Funny)
What a move... (Score:5, Insightful)
Moral ambiguity (Score:3, Interesting)
"though you might need to lie about what country you are from."
While I'm all for taking down the illegal scammers, making this a battle of dirty tactics doens't really seem to have an upside. Seems like it is too easy to backfire as spammers have already showing lack of morals in pairing with virus and trojan writers. This is like two armies of zombies fighting each other as the master's watch from afar. I think I have seen this on a TV show one. The side of evil believes the conflict makes is stronger while the side of light also manipulates the lessers. How will this all end? "In fire!"
Isn't is illegal? (Score:2)
A rose by any other name... (Score:5, Insightful)
Re:A rose by any other name... (Score:2, Flamebait)
There are hundreds of thousands of mail servers out there, and many of them are overwhelmed by the sheer volume of spam which they recieve. Some of them to the point of being denied service.
If any of these spammers cry foul... they either lose the lawsuit and are screwed because their cost of operations will skyrocket, or they win AND MAIL SERVER ADMINS WILL SUE THE SPAMMERS.
Either way, the rest of the internet is doing to spammers what spammers have been doing to the rest of the i
Re:A rose by any other name... (Score:3, Insightful)
No matter how you cut it, this is not a DDOS, because the goal isn't to deny service (which is the spirit of the term you refer to). The idea is to make it unprofitable to spam. Similar? Absolutely. Essentially equivalent?
it seems to me ... (Score:5, Insightful)
Bad idea, Lycos - nobody (no human, anyhow) likes spam - but the rest of us have so far refrained from crap flooding the net to stop it.
-- Cheers,
-- RLJ
Re:it seems to me ... (Score:2)
If the collateral damage goes up exponentially, maybe people will start paying more attention to the _source_ of the problem. Get rid of the spammers, and all of the enormous energy, bandwidth, and time that goes into fighting them will be dropped. That's a theory, at least.
I don't know if it'll work--I don't think anyone will, until it's been tried.
Re:it seems to me ... (Score:2)
If so, then Slashdottings are equally evil, no? The recipient pays for infrastracture upgrades for everyone, but it's definitely definitely evil.
Re:it seems to me ... (Score:3, Interesting)
Regardless, you have a choice: use a little extra bandwidth to fight spam, come up with a better idea, or keep the status quo. In lieu of a better idea, and in response to the failings of the status quo, you gotta pay the price to get what you want. In this case, it's usi
A modest proposal? (Score:5, Insightful)
Hell, if I were a SPAMMER, why not add some third party advertisements to my SPAM page. Perhaps each hit from these screensavers would generate revenue for me!
I'm also having trouble seeing how they claim this is not a DDOS attempts. Obviously by increasing the number of screensavers in use, the load increases on the target sites. Perhaps a new concept--the DDOP--distributed denial of performance? Keep flooding until ping time of site is > 30 seconds. Still sounds illegal to me.
Copied from Swedish ISP Spray (Score:2)
The campaign goes under the name "Make Love Not Spam", and you can find it here [spray.se].
Don't sign me up (Score:5, Insightful)
I Don't Quite Get It (Score:2)
It seems to me that any problem with blacklisting certain hosts would translate to a similar problem with the (not) DDOS approach (for instance, spammers changing hosts or compromising more machines).
Not to mention, this creates yet more traffic for the internet to handle. I'm sure it's up to the task, but it seems like there's no need to creat
Re:I Don't Quite Get It (Score:2)
I'm not sure it's a good answer, but it's better than filters.
aa419.arg anyone? (Score:5, Interesting)
Not a cool idea (Score:2)
Zombies (Score:5, Insightful)
Let alone any "carefully picked host", certainly not at times I'm not there to observe what happends with my machine[screensaver].
Nah-uh.
Re:Zombies (Score:3, Funny)
Clairify ... (Score:5, Insightful)
Note also that this is for Europe only. While there is nothing from stopping you from downloading and running this program outside the US, it is technically for europe only.
Even if you check the site, it explains how site it "targets" are slowing response times.
Is this shady, yes.
Question? If you are being harmed by something and want it to stop and there is no other recourse but to take the matter into your own hands, is that wrong?
Answer: It's up for debate.
If someone was on a daily basis causing me to sift through hundreds of emails, losing important messages, having the spam filter delete it accidentally, or having to wait for everything to update in order to assure that I have all my mail, then yeah this is justified.
They care not about your resources, time, or anoyance levels, why the hell should you?
Vigilante justice is not pretty, but it does get the job done.
Two wrongs != One right (Score:5, Insightful)
I hope Lycos rethinks their plans, or I fear the retributions will be far more damaging. Any net user who downloads this software is going to leave themselves open to prosecution.
Lycos DDoS (Score:5, Insightful)
1) They're going to get sued. Not just sued, sued a whole lot. Asses in a sling kinda sued. Spammers that are making good money have the budget to sue, and really Lycos is completely in the wrong here. Morally, sure spam sucks. But you can't do it this way.
2) It's against so many different TOS's that isn't even funny. With very very very few execptions, users can't legally run it (check your provider's TOS). They're opening every user up for:
a) federal charges.
b) lost ISP connection.
c) Lawsuit for damages from the spammers.
3) So you flood a facility with an OC3. Now not only have to screwed up one guy's day, you've screwed up everyone's day at that facility. Or worse, the screen savers send such a load to knock down a server, that they inadvertantly overload a few major peerings instead.
How about this for a proof of the point. I have a GigE connection in 3 different cities. My provider has multiple OC192's heading all over the place.
I rig up something that can handle a 1Gb/s through it, that can take the abuse, and still appear to be functional. Come on, think creatively, it's not that hard to do. I can serve 1Gb/s of web traffic with 6 machines. Actually, I do with 15 machines, at a very low percentage of their capability. So no matter what they throw at me, they can't take the servers or my line down.
Or worse yet, they attack me, so I flood them back with 3Gb/s. I'd bet I can swamp lycos.com. Sure, they'll bitch. They'll moan. They'll threaten lawsuits, but I returned exactly what they were doing. More than likely they'll lose in court.
Isn't there a rule for iptables to redirect traffic coming into one IP, into another one? a one-liner, if I remember right.
Lycos DDoS's me. I set up machines to redirect the abusive traffic to say whitehouse.gov, ftc.gov, or lycos.com. Ah, lets play nice here, lets redirect the traffic to google.com, and watch the lawsuits really fly. So Lycos makes a valiant attempt to knock Google offline. That'll go over really well in court.
Or, as one comment in here already said, if they do it by DNS names, just change the DNS record.
bad.spammer.com. IN CNAME lycos.com.
or
bad.spammer.com. IN A 209.202.248.202
bad.spammer.com. IN A 209.202.216.27
(That's what Lycos resolves as for me)
or just negate it entirely.
bad.spammer.com. IN A 127.0.0.1
or have a little fun.
bad.spammer.com. IN A 255.255.255.255
And [insert deity here] forbid, someone compromises the machine which controls this action. If I were an evil hacker (hush you people in the crowd), that'd be a great play toy. Wanna knock off some competition, just point Lycos to them, and turn off their ability to throttle.
I'd be *REALLY* pissed if I was hosting one, or there was a compromised box somewhere off in a corner that I didn't know about, and they decided to knock one of my networks offline.
Most spammers move around so frequently, attacking a particular hostname or provider really doesn't freakin' matter. They change the domain the links go to, and start sending again. The usable age of a spam is only 3 days. Spammers consider if it hasn't been read in 3 days, it's not going to be read.
I wish them luck, and hope they have a big enough budget to keep their executives who came up with this brilliant scheme out of federal prison. I sure as hell hope they don't accidently point at me for being a target, 'cause sure as hell they won't be on line long.
Actually, with an announcement like this, they've opened themselves up for being the blame of almost any DDoS attack.
Yes (Score:5, Funny)
Fun toy bit no dice (Score:3, Interesting)
I mean, most hard core spammers are using malware to get clueless users to spam for them and the rest are being hosted by companies who are either offshore or just don't care about what their users do with their bandwidth.
For me, a locked down sendmail server+procmail loaded with SpamAssasin+Razor and to top it off, a Bayesian enabled POP3 Clients all come together to eliminate approx 99% of my spam, so I only see a few per week.
That to me is what the world needs -- every sendmail server not allowed to relay, inboxes protected and every email client using filters.
Then and only then will the spammers be truly hurt -- when clueless idjits don't get those emails in the first place and thus, can't click those f*cking links.
Considering AOL, Earthling and other ISP's are starting to put all this in, that day may soon be at hand.
How ironic (Score:4, Interesting)
Perhaps we should DDoS the goits for pushing adverts to people without their consent in an underhand fashion? Oh, no, if WE tried that they would airdrpo a million lawyers on us in a heartbeat
Comment removed (Score:4, Insightful)
Fight Fire With Fire!!! (Score:2, Interesting)
I'll do almost anything to stop spammers.
I don't care if I am reducing myself to their levels.
They did not care, neither shall I. They have gone too far. Expect no mercy.
Fight!
Adolfo
Hell of an idea (Score:2)
Brilliant!
[John]
um...Wonderful... (Score:2, Interesting)
If the app is trusted by your local firewall, getting a connection out to wherever you want it to go wont be an issue...
Does anyone see the irony? (Score:2)
This may be a hoax (Score:5, Interesting)
Kungsgatan 6
Stockholm, 111 43
SE
[Administrative contact] Brockman, Didde
Starring Ltd AB
Kungsgatan 6
111 43 Stockholm
SE
Email: technical@starring.se
Phone: +46 8 6144600
Fax: +46 8 6144610
The sites use Lycos logos, but it's not at all clear that Lycos has anything to do with this. While these sites link to Lycos, there's no obvious link to it from the Lycos main page.
Re:This may be a hoax (Score:3, Informative)
strings reveals some blowfish setups, in a screensaver?
some filecopywithcompression, which might be just sloppy compilation...
chmod 777 hmmm,
and buried in one section of binary Shakespeare's monkeys have inserted amongst the other bits & bytes
Anybody with a sa
Not a hoax, but a marketing campain! (Score:4, Insightful)
Luckily, that explained the situation, starring is a marketing company [starring.se], that were contacted by spray(a Lycos company in Sweden) to Get more people to start using Spray's e-mail service. [starring.se]
There you have it, it is all a marketing campaign to attract more users to Spray(and Lycos) mail. I guess they made it quite well, mentioned on slashdot and all...
This is a really bad idea (Score:2, Insightful)
Modify it to hurl big frames at the RIAA (Score:2)
Time to bring out the old warhorse... (Score:5, Insightful)
Your post advocates a
( ) technical ( ) legislative ( ) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
(x) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it [well, we'll find out if this is illegal once Ralsky et al. sue]
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam [providing Ralsky et al. with enough funds to make the court case long and bloody]
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Inethicality of slowing the entire Internet down, when a handful of spammers are responsible for 99% of our spam
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
(x) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
(x) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
(x) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
(x) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
False Positives (Score:3, Insightful)
Will anyone win but the laywers?
WASTE (Score:2)
Brilliant (Score:4, Insightful)
For example take a piece of spam advertising a site which provides no contact information and which replys on form submsissions to promote a product. Take random (but meaningful) data, such as fortune strings, delimited to smallish lengths for each field, and wget form submissions every few hours | minutes | seconds. Any legitimate inquiries are lost in (likly literally) an unceasing email bomb sponsored by lycos.The destinction here, is that rather then costing them more you are litterally losing them the tiny fraction of respondents which make spam profitable, this renders the model unprofitable and makes any attempt to offset the cost ineffective.
I take great satisfaction in ensuring that a spammers time is wasted to a greater degree then my own. Given the products that are often peddaled via spam a quick forward can often ensure this, for instance forwards to enforcement@sec.gov have resulted in six lawsuits [sec.gov] (and counting) this month alone. There is a great forward for almost any ware, but medication, promotional stock tips, and cheap (generally pirated or edu version) software are some of the most fun - despite my dislike of Microsoft and the Government I relish the thought of their respective legal teams gunning down a newbie floridian who mistakenly purchased my address.
This is a misguided but appealing idea... (Score:4, Interesting)
What should really be done to curb spammers is to have all major ISPs implement the following:
1. block SMTP for all users and force them to route thier email through the ISPs email servers. Permit users to request port 25 be opened up. This would block all the spam generated by zombie machines (probably greater than 90% of spam comes from such machines.)
2. Implement greylisting on the ISPs email servers. This blocks better than 90% of spam being sent today since it mostly comes from zombie machines.
3. Utilize the block lists that contain the web sites the spam sends people to to block those IP addresses at the main routers on the back bone.
By implementing these items across all major ISPs, virtually none of the spammers messages would get through to the dupes that actually buy the crap. If you can dry up the responses to spam then the business model should fall apart and die. At least one can hope.
Many people apparently don't really understand that this new screensaver is not going to punish the zombie machines owners by using up their bandwidth. It is aimed at costing the owners of the web sites that collect the orders. Which kind of the right idea. But I figure most of those sites are not using metered service but have ordered at minimum full T1's and probably have more than that dedicated. So trying to run up their bandwidth costs is probably not going to impact them that much.
Impementing the three items outlined above is guaranteed to have a major impact on spam.
This is PR (Score:3, Insightful)
This is not a DoS (well it would be if it worked). It is just PR. Suddenly it got everbody saying "Lycos", front page on slashdot, etc., and it probably isn't even aimed at people who could figure out the problem. Most people will say great Lycos is taking a courageous stand, etc.
If Lycos was really serious about stopping spam, they should put the technical, managerial, and public relations resources they are dumping into this and go after the spammers one at a time. There are a finite number of people doing this in the world, and a corporation that wants to hunt them down can do it. Just follow the money, maybe buy some spam from these guys to confirm it. Then decide what to do about it. They might even consider posting a list of spammers, companies that profit from spam, and spam purchasers, on the net. Though that might make it hard to do subsequent investigations into spammers.
Well that's one thing they ought to do instead of this. Personally I think it would be better PR if they actually made some positive results in reducing spamming (with scientific proof) and publicized *that*. So this could maybe be called a half-assed DoS and a half-assed attempt at PR for mainstream technophiles, but on the whole it is just silly and wasteful. Thank god my fiber connection is nowhere near them.
Re:Two words: (Score:3, Insightful)
Provided one's server isn't mistakenly targeted (and I'm positive they'll eventually either friendly-fire or mistype an IP).
Re:Two words: (Score:3, Insightful)
[standard disclaimers about letting your users install their own software apply here]
Re:Two words: (Score:5, Interesting)
(on a business network) many of your users install and run the screensaver and suck up your own bandwidth as well as that of the spammers.
I installed it and it doesn't seem to use much bandwidth (MacOS X). It does, however, seriously cut into the Folding@Home CPU cycles, so I'm not sure how long I'll play with it. I think I'd rather help cure diseases than DDOS spammers, even though the latter is immensely satisfying...
Re:Two words: (Score:2)
The real travesty here is cutting into your Folding@Home work - how dare they!
GREAT IDEA? Can't decide. But AWFUL SURVEY! (Score:2)
I don't know why I sat through that. Volunteer surveys shouldn't take that long without warning the volunteer ahead of time. Plus he didn't bother to list my particular spam solution (greylisting) as a category, so I had to kinda fudge it.
screw two words, just one: SCARY (Score:5, Insightful)
Course that's only 100 people, imagine a few hundred or thousand, it could easily shutdown small online vendors or personal websites, hurting average people if the idea is altered a little and falls in the wrong hands.