SpamSlayer - should we DDOS spammers?

pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them. Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like? "

This is just a DDOS, and that's bad

[fudgefactor7]

Not only is this immoral, but in many places it's outright illegal. This is not the direction to go.

Re:Hate to break it to you, but

[DenDave]

It's actually on the rise.

http://www.nu.nl/news.jsp?n=556966&c=50&rss [www.nu.nl]

http://www.mirapoint.com/company/news_events/press /20050712.shtml [mirapoint.com]

Shared hosting

[nmb3000]

Making a DDoS attack SOP against spammers introduces other problems. Most of these spammer websites are on cheap shared webhosts meaning that when you DDoS the spammer's website you're likely also attacking many innocent websites.

Even if it's determined that attacking a known spammer isn't actively prosecuted, the fact that you're attacking perhaps many other people as well will most likely get attention.

Re:Sophistry at its finest...

[hoggoth]

> An idea

A really bad one.

> Start having all email servers reply message for message automatically.

The From address and Reply-to address are fake. They may be using YOUR email address.

How would you like that? Ten million spams all claiming to be from YOU and each one sending a reply to the smouldering ashes of your mail server.

Re:Spam RBL?

[ocbwilg]

I personally like the SURBLs [surbl.org]. They list spamvertised web sites, not the originating hosts of spam messages. If you block those then you're one step closer to cutting down on their profits.

Anti-phishing

[cjsnell]

DoS attacks are very effective against phishing sites. Most phishing scams utilize a CGI that e-mails the captured data to an e-mail address somewhere. By using a script which generates random data (see my sig), you can quickly render a phisher's data collection. Several factors can contribute to this. First, the flood of fake data can obscure the data that was captured from actual victims, Secondly, you can overflow the SMTP server that the phisher is using to process the captures. Finally, you may be able to fill the mailbox to which the captured data is being sent, although this is a bit harder with things such as GMail. However, the flood of mail from a single host may trigger sanctions at a free e-mail provider.

As a sidebar, I'm going to be releasing a new version of my anti-phishing tools in the next few days. I've added functionality which generates real-looking names and e-mail addresses and credit card numbers with valid checksums.

Chris

Re:Sounds like a lawsuit waiting to happen...

[Trailer Trash]

All it'll take is one spammer to file a lawsuit against these guys to stop them dead in their tracks.

Read about the clean hands doctrine [law.com] and get back with us.

This is why you don't see drug dealers suing someone to collect a debt. Spammers are criminals, they simply cannot sue with regard to their criminal activities.

Re:Sophistry at its finest...

[fubar1971]

There are already laws...

Exactly. Instead of DDos'ing spammers and their hosting providers, why not use the bogus accounts to collect the information to turn the spammers over to the authorities. It looks like it could be quite a lucrative deal.

From the CAN-SPAM bill: [gigalaw.com]

"SEC. 11. IMPROVING ENFORCEMENT BY PROVIDING REWARDS FOR INFORMATION ABOUT VIOLATIONS; LABELING. The Commission shall transmit to the Senate Committee on Commerce, Science, and Transportation and the House of Representatives Committee on Energy and Commerce-- (1) a report, within 9 months after the date of enactment of this Act, that sets forth a system for rewarding those who supply information about violations of this Act, including-- (A) procedures for the Commission to grant a reward of not less than 20 percent of the total civil penalty collected for a violation of this Act to the first person that-- (i) identifies the person in violation of this Act; and (ii) supplies information that leads to the successful collection of a civil penalty by the Commission; and (B) procedures to minimize the burden of submitting a complaint to the Commission concerning violations of this Act, including procedures to allow the electronic submission of complaints to the Commission; and (2) a report, within 18 months after the date of enactment of this Act, that sets forth a plan for requiring commercial electronic mail to be identifiable from its subject line, by means of compliance with Internet Engineering Task Force Standards, the use of the characters ''ADV'' in the subject line, or other comparable identifier, or an explanation of any concerns the Commission has that cause the Commission to recommend against the plan./

Re:Sounds like a lawsuit waiting to happen...

[cimmerian]

I've heard about burglars sucessfully sueing the owners of the houses they break into when they hurt themselves. Shouldn't these activities fall under the clean hands doctrine or are they all urban legends?