Forgot your password?
typodupeerror

SpamSlayer - should we DDOS spammers? 587

Posted by Hemos
from the what-lines-to-cross dept.
pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them. Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like? "
This discussion has been archived. No new comments can be posted.

SpamSlayer - should we DDOS spammers?

Comments Filter:
  • by TripMaster Monkey (862126) * on Monday July 18, 2005 @11:01AM (#13093652)

    From TFA:
    The influx of tens of thousands of requests exactly at the same time floods the spammers' Web site, causing it to become inoperable.
    Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?

    Also from TFA:
    Launching a distributed denial of service attack is illegal in the U.S. and in most European countries.
    That's what I thought...what does Blue Security have to say in their defense?

    Again from TFA:
    Blue Security's Reshef bristles at the notion that his firm is involved with any type of DDoS attack. "We aren't trying to shut down any Web sites. We are just trying to slow these sites down so much the spammers can't earn money"
    Sorry, Reshef, but what you are describing is a textbook example of a DDOS attack. Whether the site in question is actully shut down, or merely incapacitated, is beside the point.

    This whole caper is a non-starter, especially so since a precedent [pcworld.com] for this sort of thing has already been established by Lycos Europe.
    • by JustinKSU (517405) on Monday July 18, 2005 @11:05AM (#13093705)
      Isn't there some rule of thumb - never fight evil with evil? This is a vigilante approach which is reserved exclusively for BATMAN
      • I think that the best idea is not to do DDOS, but something even more useful. If everyone chooses a fake set of personal credentials (name, phone number and whatever else) and then responds with the fake information, that will shut down the spammers in a hurry. Instead of sending out 10,000,000 e-mails and getting 10 promising leads, they will get 10 promising leads and 999,990 fake names and addresses.
      • It seemed to work well for Paul Kersey [imdb.com]. "I mean, if we're not pioneers, what have we become? What do you call people who, when they're faced with a condition or fear, do nothing about it, they just run and hide?"

    • Also from TFA:
      Launching a distributed denial of service attack is illegal in the U.S. and in most European countries.

      That's what I thought...what does Blue Security have to say in their defense?

      ...maybe they'll have to start using the same offshore ISPs as the spammers?

    • by shokk (187512) <ernieoporto&yahoo,com> on Monday July 18, 2005 @11:07AM (#13093731) Homepage Journal
      Easy! To get around all these little rules, we'll just hijack a bunch of PCs to our dirty work for us. I'm sure the owners will not mind helping out for a truly noble cause. Then, we'll use servers in countries with questionable laws to control the DDOS. Then, to raise money to help us out in our quest, we'll use these servers to also mail out requests to help us secure our target US$20mil by sending us a paltry US$20k. We've got the spammers beat in will power AND on the moral high ground!
      • by joranbelar (567325) on Monday July 18, 2005 @12:44PM (#13094984) Homepage
        Well, here's an idea - rather than go the vigilante route, why not pursue the natural alternative: government control.

        No, I'm not talking about enacting more laws, I mean having the government declare a "war on spammers", where DDoS attacks are used against them by the military in a digital carpet-bombing campaign.

        That would take care of the whiny limp-wristed liberals crying "slippery slope" and "no better than them", and it would satisfy the bloodlust of the neocons. We could even hold spammers indefinitely in military prison camps by labelling them "enemy combatants".

        Think of the possibilities!

    • by interiot (50685) on Monday July 18, 2005 @11:09AM (#13093741) Homepage
      How do you define DDOS? If spammers send millions of emails in a day to AOL, does that constitute a DDOS against AOL? If large ISPs automatically send an unsubscribe response for each spam they get, and the total bandwidth is less than what the spammer originally sent, does that constitute a DDOS? Is it a DDOS if the large ISP's intent in doing this is to shut the spammer down?
    • by Gherald (682277) on Monday July 18, 2005 @11:09AM (#13093750) Journal
      This seems like a form of vigilanteism to me.

      If spammers are sending unsolicited emails to others, I have no moral problem with a system that sends coordinated unsolicited requests to their sites in response.

      The legal issues are quite another matter.
      • An idea.... Start having all email servers reply message for message automatically.

        It would immediatly double the amount of bandwitdh used by spammers.

        Even if they filter (if they send to a box, drop responses from that box.) It'll still take some of their time and resources.

        And legitimate emails wouldn't be harmed much. Sure I'd have more emails coming at my server. But I can handle double.
        • by hoggoth (414195) on Monday July 18, 2005 @11:26AM (#13093985) Journal
          > An idea

          A really bad one.

          > Start having all email servers reply message for message automatically.

          The From address and Reply-to address are fake. They may be using YOUR email address.

          How would you like that? Ten million spams all claiming to be from YOU and each one sending a reply to the smouldering ashes of your mail server.
    • by Tinik (601154) on Monday July 18, 2005 @11:12AM (#13093804)
      Vigilatism may seem like a good idea at the time, but always leads to problems in the long run. It's better to work through proper channels to resolve these problems. If the proper channels can't resolve the problem, then work to fix them.

      Doing things properly results in a more permanent fix. Vigilantism just gets innocent bystanders hurt and only works until the next guy comes along.
    • by Technician (215283) on Monday July 18, 2005 @11:15AM (#13093847)
      Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?



      Rule #1 Spammers lie
      Rule #2 see rule #1

      If an e-mail has false headers, what makes you think the reply-to or un-suscribe belong to the spammer. A DDOS against a third party (Joe Job) is not the way to shut down a spammer. You may be helping him shut down his legit competition. An obfuscated URL may point to amazon.com for example.

      I liked the other aproach of repeatedly reloading the page used to buy the spammer's product. That's a way to have them melt or have the hosting company become less friendly to hosting spam product order websites.
    • Shared hosting (Score:2, Informative)

      by nmb3000 (741169)
      Making a DDoS attack SOP against spammers introduces other problems. Most of these spammer websites are on cheap shared webhosts meaning that when you DDoS the spammer's website you're likely also attacking many innocent websites.

      Even if it's determined that attacking a known spammer isn't actively prosecuted, the fact that you're attacking perhaps many other people as well will most likely get attention.
    • Not a fan of fighting fire with fire, I see. I would like to see a "Do Not Spam List." If you sign up, the system takes care of sending "Do Not Spam" replies. It is automated because one receives way to much spam to unsubscribe from each piece. Is it the lists fault that spammers deliver at such a rate that the replies from the system deliver at a higher rate and DDOS their machines?

      Everyone likens spam to junk mail, but it is significantly easier to throw away junk mail then to unsubscribe from each
    • by ArsenneLupin (766289) on Monday July 18, 2005 @11:26AM (#13093984)
      Personnally, I prefer to submit only one single unsubscribe request. My email address just happend to be ...:
      'or'test@yahoo.com'like'%
      If the spammer uses sequel sewer or access rather than a real database, this will wipe their address list squeaky clean!
      • Personnally, I prefer to submit only one single unsubscribe request. My email address just happend to be ...:
        'or'test@yahoo.com'like'%
        If the spammer uses sequel sewer or access rather than a real database, this will wipe their address list squeaky clean!

        At which point, the spammer gets to sue you for business damages due to lost potential revenue? The best part is, they can scale the damages based on thier potential lost revenue (IE - the bigger the spammer, the more they can hold you liable for).

  • Slashdot (Score:5, Funny)

    by ZakuSage (874456) on Monday July 18, 2005 @11:03AM (#13093674)
    Wouldn't it just be easier to slashdot a site owned by a spammer company?
    • Collateral Damage (Score:2, Interesting)

      by Zane Hopkins (894230)
      But how do you correctly identify which sites to target. It will probably cause even more collateral damage than dns block lists.

      Fighting fire with fire usually results in damage to both sides (friendly fire anyone?)
    • Unless you want to publish pr0n,viagra or trips to Cancun on slashdot "SPAM" section.

      Which I doubt it'll work, because most /.'ers would skip the ads and jump right to the good articles.

      Nice try, tho.
  • Hell yes! (Score:3, Insightful)

    by base3 (539820) on Monday July 18, 2005 @11:04AM (#13093675)
    I think a few GB of traffic in an hour is just the ticket for spamvertized sites, and I always do my part for any one I come across.

    For those who complain that ISPs end up footing the bill because the spammers don't pay, well, I guess they'll need to be more careful about vetting their customers next time. As if there are any really "innocent" ISPs hosting Internet "pharmacies" or "Rolex" dealers.

  • No, no no no no... (Score:5, Insightful)

    by gmknobl (669948) on Monday July 18, 2005 @11:04AM (#13093679) Journal
    I'm sorry, acting just like a criminal for revenge purposes, no matter how satisfying, is wrong. It just brings you down to their level.
    • by RealProgrammer (723725) on Monday July 18, 2005 @11:20AM (#13093915) Homepage Journal
      If you catch someone in the act of doing harm to you or to someone else, don't wait. Act. Stop the harm being done, or being threatened.

      It may be necessary, in the process of stopping the harm, to inflict harm on the attacker. Take care that your response isn't more harmful than that which had been threatened.

      Failing to act in that circumstance is at best a reverse tragedy of the commons, in the general case laziness, and at worst is sheer cowardice.

      After the fact it becomes mere revenge, which is a waste of time.
      • After the fact it becomes mere revenge, which is a waste of time

        Unless it can be shown that he's in the habit of continuing to do it. Taking him out after an event is pre-emptive and self defense against the inevitable next event. It's the same reason that some women who kill their wife-beating husbands in their sleep are acquitted of murder.
  • by fudgefactor7 (581449) on Monday July 18, 2005 @11:04AM (#13093681)
    Not only is this immoral, but in many places it's outright illegal. This is not the direction to go.
  • by Iphtashu Fitz (263795) on Monday July 18, 2005 @11:04AM (#13093682)
    All it'll take is one spammer to file a lawsuit against these guys to stop them dead in their tracks.
  • Easy profit (Score:2, Interesting)

    by rockclimber (660746)
    1. Spam in Name of Competitor 2. ? 3. PROFIT
  • by AEton (654737) on Monday July 18, 2005 @11:04AM (#13093686)
    A couple of guys told everyone on Usenet about their latest green card scheme.

    Should we bomb them into oblivion?

    Or should we listen to the voice of reason and tolerate this behavior as a necessary evil, integral to the total freedom of the global Internet?

    Sometimes I think we chose wrong.
  • by Living WTF (838448) on Monday July 18, 2005 @11:04AM (#13093688)
    What if only once a bad guy manages to blame someone innocent who get's DDoSed? Should we hazard the consequences?
  • This beggs me to ask, do twon wrongs make a right?

    This also brings out the same issues of mob mentality. Who decides who is bad or good? Who leads the mob?
  • If you shoot me and take my wallet, you are a murderer and a thief.

    If I shoot you before you do so, being reasonably certain that you intend to shoot me and take my wallet, I have acted in self defense, and there is no crime.

    Not really a one-for-one analogy, but it does illustrate that shooting someone does have different consequences depending on the situation and purpose.
  • Why are they doing this, when they could put their energy into tracking the spammers so they can be prosecuted.

    Only sending spammers to jail AND taking away ALL their assets (cash/cars/houses) is going to deter them.
    • The problem is the spammers are operating through zombie PC nets and open proxies. The actual (end) senders of the spam are usually unaware that they're sending it. Meanwhile, spamvertising is an inherently low margin operation. By costing the spamvertised site more hosting costs, you're taking away thier incentive to hire the criminal spammers who we can't catch anyways.

      Imagine if drug dealers were invisible, but drug buyers glowed in the dark.

  • Spam wouldn't be a problem if people didn't actually click on the links. I've seen studies somewhere about the return rate on spam. While it is quite low, it's still high enough to make it worth their while.

    Maybe we should establish a site that lists all the companies that support spam, and then boycott them. We could even have a plugin in firefox that would warn or block a site that was known to have used spam.

  • by dfn5 (524972) on Monday July 18, 2005 @11:08AM (#13093737) Journal
    This is just another form of spamming. Anyone who generates unnecessary network traffic is a menace to the Internet.

    • This is just another form of spamming. Anyone who generates unnecessary network traffic is a menace to the Internet.

      Policing the Internet and making it an unwelcoming place for spammers is not "unnecessary." It's necessary if e-mail is to remain a viable, cost-effective means of communication.

      Spammers love the kind of prissy-assed, holier-than-thou, arguments about ethics that people like you put up every time someone actually tries to combat spam. Bullsh*t. Enough is enough. If two or three months o
    • Without unnecessary traffic, would there even be an Internet?
  • Basically this comes down to the moral idea of whether or not iit's ok to do things to those guilty of crimes (or other unacceptable actsl ike spamming) that would not be ok to do to an innocent person or entity.

    So, do we cut off the hands of thieves?

    As a side note, the idea of internet vigilantism is a rather interesting topic, and one that as the internet continues to expand could become inevitable.
  • This is a common practice. I did some consulting work for a co-owner for one of the early email harvesting/organizing/sales/distrobution companies. (Not on his evil project though) He went through 6 IPs that year. Basicly, DDOSers would attack the entire node he was on, not just him, they would threaten the ISP. The ISP looks at the profit potential of one company, versus the cost of losing all of their customers and would boot him off their grid.

    All in all a pita for him. But the thing that will shut do
  • by ledbetter (179623) on Monday July 18, 2005 @11:10AM (#13093763) Homepage
    Sorry, but I can't feel bad for spammers (or sites that support them) who get DDoS'ed. They make their $ by annoying millions in the hopes that hundreds will be gullible enough to buy their crap. What goes around comes around... and I fully support the use of DDoS attacks against these loosers.

    Furthermore.. the repeated HTTP requets should include in their USER_AGENT header the following so it shows up in the logs ("LOOKS_LIKE_YOUR_WEB_SERVER_NEEDS_SOME_V1aGrA")
  • Spammers use unsuspecting third party email "from" addresses to to send spam. Spammers could also use fake unsubscribe links to redirect to innocent people's sites. Those people would be incidentally taken offline and might end up with tremendous bandwith bills. So this is just another bad idea.
  • DDoSing spammers (Score:5, Insightful)

    by farnz (625056) <slashdot@ f a r n z . o r g .uk> on Monday July 18, 2005 @11:11AM (#13093775) Homepage Journal
    If you're sending an unsubscribe request to a spammer in response to a spam you've received, that's not intended as a DDoS; the spammer invited you to contact them and unsubscribe, and should have taken care to limit their list to avoid accidentally DDoSing their servers. In the same vein, I see nothing wrong with browsing a site advertised to you in a spam, despite intending to merely use up bandwidth, rather than make a purchase; again, if the spammer isn't happy, they shouldn't invite you to browse their site (in other words, they shouldn't send spam if they don't want to be visited).

    When you start trusting someone else to tell you who's spamming and who isn't, you invite them to abuse that power; what guarantees do you have that Blue Security will never go to a legitimate site owner, and threaten to tell SpamSlayer users that the legitimate site is spamvertised unless Blue Security receive enough money?

  • Ok this is a dumb move on many levels. For one it is going to be illegal activity in many places and will give the "spammers" a legitimate reason to sue the people behind the attack. This also seems like an asanine solution to the problem itself. So spam emails take up so much bandwidth and we should solve that by chewing up even more bandwidth in order to shut down them down... If your stated goal is to knock these people offline then why not just directly try to penetrate their box and disable their compu
    • Ah, the "violence begets violence" argument. But if spam isn't attacked, it's guaranteed to grow. With a counterattack, ISPs will be motivated to kick their spammers quickly, and the "cost" to spam increases. Eventually, when it is established that spam will be met with a swift and devastating network attack, it will become less common.
  • Something everyone should remember is that unless you are directly connected to the spammer's LAN, you aren't sending packets to him directly. Every packet you send out travels many hops. Your ISP and everyone in between have to use resources to forward that packet.

    I don't know about everyone else but I don't want my cable connection bogged down just because my neighbor feels like being an activist. Let's let the legal system do its job and use distributed computing for protein folding or other more worthy
  • Or at least an arm's race and anyone who thinks that sunday school models of good behavior and just plain ol being nice is a better way to proceed, is being childish.

    I wouldn't stop at email requests. I would hurl massive amounts of big frames at them all day like a REAL D/DOS attack. All you have to do is increase their cost of doing business a few percentage points.
  • untill the spammers website is hosted on the cablemodem of someone on your block.
  • With SpamVampire you set your browser to continuously load images from a spammer's site. It doesn't deny service but it eats bandwidth which (theoretically) increases his/her costs.
  • These type of things are exactly what everyone *wants* to do to spammers, but we need to remember that they have rights just like everyone else. We can't go DDOSing a spammers site, and then get upset if someone were to DDOS a site we like.
  • by Weaselmancer (533834) on Monday July 18, 2005 @11:20AM (#13093909)

    ...because it's illegal to castrate them.

  • What shall we do? (Score:4, Insightful)

    by erroneus (253617) on Monday July 18, 2005 @11:22AM (#13093936) Homepage
    Two wrongs not making a right and all that... we know the drill. But it is undeniably wrong that spammers do what spammers do. With that in mind, we can either (a) wait until they see the error of their ways, (b) wait until sufficient legislation is enabled that will actually work or (c) do something about it ourselves.

    A and B aren't working. C, at present, is the only answer we have available to us.

    I want to say for the "record" (whatever that means) that marketing through email is okay with me so long as people WANT to recieve it. If someone out there WANTS to buy some descrete penis pills or any other "plain brown wrapper" item that's fine with me. And let there be a means for them to subscribe to the stuff. The key is Opt-in explicitly and without any tricks or gimicks and more significantly, an "instant off" function that will not require 4-6 weeks to update their databases (which is utter horse shit). Okay I said it... now let's move on.

    We do everything we can to block these people. They do everything they can to avoid being blocked. Their attempts at evasion is proof positive that they know they are pissing off the world for profit. How many other business models work at public expense for personal gain? In effort to prevent at-large vigilante-ism, where should the line be drawn? As much as I'd like to pull over and beat the crap out of people with ridiculously loud stereos playing in their cars, it's wrong (and dangerous) to do.

    I'm at a loss for what we should do about the problem. These people are essentially polluting the internet and it needs to stop. But how?
  • Mr. President, we are rapidly approaching a moment of truth both for ourselves as human beings and for the life of our nation. Now, truth is not always a pleasant thing. But it is necessary now to make a choice, to choose between two admittedly regrettable, but nevertheless *distinguishable*, postwar environments: one where you got twenty million people spammed, and the other where you got a hundred and fifty million people spammed. Hello? Hello, Dimitri? Listen, I can't hear too well, do you suppose you
  • One of my company's customers has a nasty habit of sending extremely abusive emails to any spammers and scammers he finds signed up to his webmail system. The upshot of this has been his domain being joe-jobbed and our mail server being inundated with bounce messages. The upshot of this is much slower mail delivery and the people who received the spam complaining that we had been spamming them when we had nothing to do with it.

    While I applaud the sentiment of taking the fight to the spammers and trying to
  • If unsub sites get overloaded on a regular basis then I would not be suprised to see even the weak protections of CANN-SPAM lifed. Some companies really do unsubscribe people, and this defense would be gone, leaving us with more garbage then ever and a useless tool. You are also gonna hurt "legitmate" spammers who follow the rules more then phishers, scammers and other hucksters.
  • While I don't think it's a good idea to let IT vigilantes stop spam by launching what would otherwise be an illegal DDOS attack, it might be a good idea to allow this sort of thing as a formal punishment for uncooperative spammers.

    Kind of like when the city boots your car when you refuse to pay your parking tickets, having law enforcement DDOS a spammer's site when they refuse to pay fines or show up in court might be an effective way to enforce anti-spam laws.
  • Anti-phishing (Score:5, Informative)

    by cjsnell (5825) on Monday July 18, 2005 @11:46AM (#13094226) Journal

    DoS attacks are very effective against phishing sites. Most phishing scams utilize a CGI that e-mails the captured data to an e-mail address somewhere. By using a script which generates random data (see my sig), you can quickly render a phisher's data collection. Several factors can contribute to this. First, the flood of fake data can obscure the data that was captured from actual victims, Secondly, you can overflow the SMTP server that the phisher is using to process the captures. Finally, you may be able to fill the mailbox to which the captured data is being sent, although this is a bit harder with things such as GMail. However, the flood of mail from a single host may trigger sanctions at a free e-mail provider.

    As a sidebar, I'm going to be releasing a new version of my anti-phishing tools in the next few days. I've added functionality which generates real-looking names and e-mail addresses and credit card numbers with valid checksums.

    Chris
  • by ravenspear (756059) on Monday July 18, 2005 @11:54AM (#13094339)
    Your post advocates a

    ( ) technical ( ) legislative ( ) market-based (x) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    (x) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    (x) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    (x) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    (x) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    (x) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    (x) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (x) Asshats
    (x) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (x) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    (x) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    (x) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    (x) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    (x) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    (x) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
  • by litewoheat (179018) * on Monday July 18, 2005 @11:57AM (#13094398)
    My mail server got hacked and ( )\/\/ |\| ) by some sleazebag spammer. It ended up sending a bunch of spam that had a URL to click on to "sign up" for their wonderful offer. After recovering and updating the mail server I wrote a quick little program that ran overnight that filled in this web form with garbage, but not random garbage that could be filtered out. To a machine each record looked valid. I ended up inserting over 200k records into their database making it worthless. I did it again a few times when I was able to get an IP address that didn't get blocked at the server.

    Was it right? Probably not. Did it feel good, HELL YES.
  • by guyro (570194) on Monday July 18, 2005 @11:59AM (#13094436)
    There is no doubt that DDoS is an illegal and immoral action. As a security company we are the first to recognize that and live by that rule.

    Blue Frog clients do not arbitrarily perform DDoS on spam sites. They complain about specific spam messages received in mailboxes belonging to our users. Our users exercise their right to complain about the spam they receive. They are merely responding to invitations to the spammer's website.

    The Blue Frog enters the site and sends a complaint just as a user would do manually. It does not consume more resources from the site or from its ISP than a user could do manually. Many users have tried sending complaint to spammers at some point requesting to unsubscribe. We merely allow the users to do it in a safe and automated manner.

    Our goal is to force spammers to comply with the Do-Not-Intrude Registry - to clean out our users' addresses from their mailing lists. When they do so, they will not receive even one single complaint from community members.

    We perform thorough manual (human) validation on the spam messages we act upon, to prevent Joe Jobs and to make sure we minimize any possible impact on third parties.

    Guy Rosen
    Blue Security, Director of Operations
    http://www.bluesecurity.com/ [bluesecurity.com]

    • Whilst I admire your company's ingenuity for coming up with a money-making scheme to help Joe Public in the fight against spam, you're really just a "Band-Aid" over the problem, not the solution to it.

      The crux of the matter is that Joe Public users are playing with Internet services that have been sold to them as "the New Revolution" but were originally designed by geeks for geeks.

      As far as I'm concerned, you go on the Internet then you "learn to fight with the big boys" or get shot down in flames - in

  • by DavidD_CA (750156) on Monday July 18, 2005 @12:19PM (#13094677) Homepage
    OMG i just got spammed from bluesecurity.com! We better rush out and DDOS them.

    Seriously, what's to stop a spammer from sending spam on behalf of a competitor, and laughing while BlueSecurity shuts down their website?

    And who decides what is spam? BlueSecurity employees? A poll of users? A 13 yr old who scripts a bunch of canned messages to "BS" and says Microsoft spammed him?

    Spam is Evil, but so is fighting spam *with* Evil.
  • I see... (Score:3, Interesting)

    by rpdillon (715137) on Monday July 18, 2005 @12:28PM (#13094784) Homepage
    ...a lot of people taking the moral "high ground" on this one and deriding these types of tactics. Let me draw another picture:

    Rather than taking an offensive stance, let design a system that runs in a distributed way (a network) that can detect a particular spam email as it is sent out to millions of addresses. Then, merely in response to that event, the nodes on the network coordinate to create an automated reply to unsubscribe from that piece of email.

    Now, I am sure there are those among you that would argue that this is a DDoS type approach. And it is. Except I think you'd stand a very good chance in court (if it ever even made it that far) of arguing that is perfectly legal. Spamming is illegal, and they are required to provide a link to unsubscribe. In the case that they do not, some nodes on the network could sleuth down the appropriate address to send the request to and provide it to other nodes. Thus, the network would never initiate an attack, it would merely recognize and respond (using the channels provided for in law) to the emails that are sent out. Sure, the end effect would be a DDoS, but so is a Slashdotting - and that isn't illegal.

    I haven't done my homework on the wording of the law that makes a DDoS illegal (besides, in whose jurisdiction is it illegal?), but there are so many DDoS-like events on the web that the law cannot make them ALL illegal, and if Slashdotting is OK, I'm sure the scheme outlined above would be OK, too.
  • by ezraekman (650090) on Monday July 18, 2005 @12:35PM (#13094878) Homepage

    There's another name for this sort of activity: "Lynching" There's a good reason why one isn't supposed to take the law into one's own hands. It's because, however noble your intentions, there are no checks or balances on your actions; no safeties or limits.

    I HATE spammers. When I'm bored, I shut them down by tracking relevant data about them, and reporting them to their hosts and domain registrars. But who decides who the next "spammer" is? When I get spammed, even that isn't strong enough evidence for me. My next step is to ensure that it isn't an isolated incident, and so I go search the web to see if they've been added to a database/blacklist, or are on any of a number of spammer watchlists. Once I've got enough evidence to be able to convince a host/registrar, as well as myself, THEN I take action. But... how many vigilantes would take these extra steps? How many would simply go along with the crowd? "Hey! It's a spammer! GET HIM!!!"

    As much as I hate what spammers do, I simply can't condone this kind of action, without some kind of safety net for false positives. We're seeing something of a double standard here. What if, instead of discussing actions against "spammers", we were discussing actions against "terrorists"? Biometric tracking? Millimeter wave scanners? RealID? We've all seen how many people get strip-searched, end up on no-fly lists, get arrested for not having the right paperwork or IDs, and have any number of other civil rights violated. We're constantly demanding that we have some sort of guarantee that we're not going to end up flagging the wrong individuals. I agree wholeheartedly; we'd damn well better ensure we're flagging the right people, or the system is pointless, and the "terrorists" will end up laughing all the way back to the compound. So... where's our safety net here, folks?

    If we could legitimately do something like this, there wouldn't be a need for it, because it would mean the authorities would already be doing so. What happens on the day someone decides that Bob's Direct Mail service is "close enough" to spam, and we should start targeting them? How about Bob's Direct Mail Order? Bob's Direct Shipping? Bob's Joint? Who decides the next target? What if it's just a personal vendetta, and isn't even accurate? What happens when 20,000 people take that person's word for it, without doing any of their own research?

    Yes, something needs to be done about the spammers, but this sets a dangerous precident. What's the solution? Hell if I know, though I suspect it's a combination of legislation and education. I just know that this has enough problems to have been condemned by almost everyone here, if it had come from the opposite direction.

  • by gorehog (534288) on Monday July 18, 2005 @01:06PM (#13095210)
    Is going to the DMV and waiting on line a DDOS? no, it is following the procedure as it has been recommended by the provider.

    Before you can ask if using the function is a denial of service answser this question: Is sending spam a denial of service attack? I have had to cancel email accounts because of all the spam. Did the spammers attack me? Did they deny me access to my email by raising the noise to signal ratio to the point that I could not use it anymore? I certainly feel that they did.

    Now, the only reason that the spammers would have a technical issue is if they were not prepared for all the cancellation requests that come through. In that sense it is like a slashdotting. When a site gets slashdotted we laugh and say the site should have been on a better server, with more bandwidth, etc, etc. So...if the spammer cannot handle the cancellation requests maybe it's his fault. Maybe he should have vetted his mailing list and not sent emails to uninterested parties. Maybe 10 year old boys dont need viagra, cheap diabetic supplies, and hot lesbian horse action. Some discretion and discipline in advertising practices could help alleviate this problem.

    Fact of the matter is that each spam email out is supposed to offer a chance to cancel the mailings and get off the list. If the spammer cant do that he is in violation of the law. I dont care if he has too many cancellation requests. I dont care if everyone who recieves it cancels.

    If they dont want attention then they should not advertise.
  • by mabu (178417) on Monday July 18, 2005 @01:16PM (#13095297)
    The fact that so many people are seriously considering vigilante-oriented solutions to these problems calls attention to the woefully inadequate enforcement resources we have.

    I am still dumbfounded as to why ANY of the ~200 (or less) spam-gangs (as documented by Spamhaus) who are responsible for 80% of all spam haven't been taken down? I don't buy the jurisdictional problem excuse -- most of them are in the states and all of us know they can be easily traced. Almost every one of these spammers are engaging in multiple criminal activities, including computer tampering, fraud, copyright infringement, RICO violations, identity theft, ponzi schemes, and more.

    The biggest casualty of spam is the theft of bandwidth and network resources. DDOS'ing the spammers, while effective in that it may increase their cost of doing business, compounds the problem.

    However, at this point, since the feds seem incapable of doing anything about this, I'm unwilling to write off any approach that might wake them up and get them into action. Our country does have a history demonstrating that civil disobedience can be an effective catalyst when the status quo is ambivalent. With that being said, I wouldn't personally endorse anything of questionable legality, but at the same time, I can't help but respect the role of such tactics in history.

    Still, it just boggles me that a few FBI agents haven't done something as simple as toss up a few PCs on a cable connection with a packet sniffer, and begun documenting the propagation of worms and how the spammers are operating. It would take no more than a week to build a solid case against so many of these operations, you could pick-and-choose which perpetrator would be the easiest to prosecute. So why hasn't this been done?
  • Bad idea. (Score:3, Interesting)

    by Quixadhal (45024) on Monday July 18, 2005 @03:25PM (#13096858) Homepage Journal
    I don't hate spam for the same reasons most people hate spam. I suspect most people are just annoyed with the deluge of crap that ends up in their inbox. I don't care, it gets filtered out 80% of the time and it takes me about a minute each morning to click the "yes, that's spam too" button in thunderbird.

    What *I* hate about spam is the fact that there's so much of it that it accounts for a good measurable percentage of the total traffic on the net. Think about it. Spam is usually small messages, sent to thousands of recipients all over the world. So every bit of spam branches out from the spammers local mail relay and induces a small amount of traffic to a great many parts of the network.

    There are lots of spammers. They send lots of spam to lots and lots of people. That makes up a huge collection of packets that have to be routed all over the globe, all day long. I heard a figure somewhere saying it might be as high as 60% of total traffic.

    My ping times to various game servers are seldom better than 70ms, and quite often over 100ms. I'm willing to bet that if all that crap weren't being flushed all over the net, the overall latency would drop by a good 20ms.

    (Don't get me wrong, I'd rather have a nice T3 and be high enough up to not have the extra latency to begin with... but... I can only hold my breath so long.)

    Using DDoS attacks against them would just induce even more garbage onto the network, and make it even slower.

    The "right" way to deal with it is to (a) change the SMTP protocol so it requires some form of identification (perhaps a public key signature) -- if I don't recognize the caller-id on my phone, it goes to voicemail, why should email be different?, (b) go back to batch processing of email -- why do you NEED email to get there in 30 seconds, use an IM for real-time. Let mail servers send mail every 4 hours so at least that end can be more efficient. Use compression while you're at it. And (c) make spamming a crime, punishable by firebombing of the offenders house *grin*. If (a) happens, it should be possible to locate the spammer's property and eliminate it. That would remove the incentive for spamming, since all that "hard-earned" money would be lost.
  • invalid on its face (Score:3, Interesting)

    by maxpublic (450413) on Monday July 18, 2005 @04:16PM (#13097449) Homepage
    There is no law on the internet. Some countries punish spammers via the law but this only works for spammers within the borders of those countries, or reciprocating countries, and only if the spammer is actually caught. Crime prevention on the internet has been a laughable exercise in futility from the get-go regardless of the 'high-profile' cases touted about as a bizarre metric of success.

    You're dealing with a system that really doesn't give a shit what the law is in any one country, or any one group of countries. And since only the insane among us want a world government, that leaves with the question of what to do when law enforcement is essentially ineffective. Which it has been, and will be, no matter what laws the U.S. decides to pass or what the penalties are. U.S. law, after all, stops at U.S. borders.

    So long as there are countries that'll host spammers there'll be mountains of spam to contend with.

    If the law can't control the problem, what does that leave you? Seems to me that vigilantism doesn't sound so bad when the alternative is "bend over and grab your ankles".

    Max
  • Its a great idea! (Score:3, Interesting)

    by heybo (667563) on Monday July 18, 2005 @04:26PM (#13097543) Homepage
    I am always suprised at the out cry to protect spammers from DDOS attacks or rejecting mail back to them on this site. It would seem that the people here would be more likely to understand this is a viable method to keep spammers down.

    I know most of you are too young to remember the old days of the Internet but before DDOSing was illegal this was the method to stop spammers. That and brute force attacks aginst their servers. If you where a spammer then you were an open target.

    This worked too. Spam increased only after the laws pretaining to network attacks came into effect.

    I I guess that if someone breaks into your house watches your TV and eats all your food this is ok as long as they don't carry anything out. Still your left with the electric bill for running the TV and now you also have another mouth to feed. Guess your made of money. Well I am not and if you break in here you will be dealt with accordly and I will call the Cops only to come and carry away your corpse.

    So if you stick your hand in my pocket to take my money and I cut off your hand am I the bad guy for cutting you? If you hadn't put your hand in my pocket in the first place I would have never hurt you. This is the same thing spammers stick their hands in my pocket everytime they send their shit. So if I cut off their hand by DDOSing them am I wrong? Personally I don't think so.

    Remember THEY contacted me first.

    The laws are no good. Ever called the FTC about this? Even being a ISP they will not presue your case. Their only answer is send us an email. Even when you have a mountian of evidence against them. Laws aren;t worth the paper it is written on if they are not enforced and the CAN-SPAM Act is just an illusion to appear that the goverment is doing something about it.

    OK guys you can flame me now....

  • out of band attacks (Score:3, Interesting)

    by 0111 1110 (518466) on Monday July 18, 2005 @06:13PM (#13098422)
    I am fence sitting on this one. I joined the site and downloaded the blue frog client and may use it if only because my one computer isn't enough to make any difference in internet traffic by itself anyway. In this kind of war no one soldier makes much of a difference to the outcome.

    However I am concerned about starting a large scale netwar with the spammers, effectively shutting down the internet. This is essentially what happened for me locally during the whole makelovenotspam fiasco. The spammers faught back with everything they had. It was not pretty. Also, as a rabid e-pirate complete with parrot and eye patch, I am concerned that the war could be an excuse for RIAA/MPAA sponsored attacks as well. The fact is that the internet is a very fragile system which can be easily broken. Some people are arguing that maybe it should be until our governments are willing to pass enforceable spam laws with actual teeth. But I'm not so sure I'd be willing to go that far.

    I think a better long term system would be to get large groups of people to join an anti-spam organization which would accept donations and membership dues or whatever to fight against companies that advertise with spam in the real world. Something like a shady, vigilante, version of the EFF. The idea would be to hurt and put out of business companies that advertise with spam as much as possible. Moebius faxes, war dialing of 800 numbers, junk mail attacks, publishing of personal contact information for everyone in management positions including cellphone numbers, email and snail mail addresses. Maybe even opportunistic vandalism in a car-keying, sugar in the gas tank, potato in the tailpipe, spray-painting "spam sucks" onto windshields, kind of way. Presumably a professional organization could come up with even more nuisance ideas. Maybe a freesite could keep track of the exploits.

There's got to be more to life than compile-and-go.

Working...