SpamSlayer - should we DDOS spammers? 587
pointbeing writes "Just read this article about a company called Blue Security that essentially floods a spammer's website with requests to unsubscribe members - we're talking thousands of requests per day - the company's CEO says that fighting back by "inducing loss" against spammers is the only way to eventually stop them.
Although I hate spam as much as the next guy, is participating in a DDOS attack the way to bring spammers to their knees? If it's okay in this instance, it it okay to DDOS the next guy who does something we don't like?
"
Sophistry at its finest... (Score:5, Insightful)
From TFA:Sounds a lot like a DDOS attack...in fact, it sounds exactly like a DDOS attack. But aren't they illegal?
Also from TFA:That's what I thought...what does Blue Security have to say in their defense?
Again from TFA:Sorry, Reshef, but what you are describing is a textbook example of a DDOS attack. Whether the site in question is actully shut down, or merely incapacitated, is beside the point.
This whole caper is a non-starter, especially so since a precedent [pcworld.com] for this sort of thing has already been established by Lycos Europe.
Hell yes! (Score:3, Insightful)
For those who complain that ISPs end up footing the bill because the spammers don't pay, well, I guess they'll need to be more careful about vetting their customers next time. As if there are any really "innocent" ISPs hosting Internet "pharmacies" or "Rolex" dealers.
No, no no no no... (Score:5, Insightful)
I don't think so ... (Score:3, Insightful)
Different purposes, different results (Score:2, Insightful)
If I shoot you before you do so, being reasonably certain that you intend to shoot me and take my wallet, I have acted in self defense, and there is no crime.
Not really a one-for-one analogy, but it does illustrate that shooting someone does have different consequences depending on the situation and purpose.
Two wrongs don't make a right (Score:2, Insightful)
Only sending spammers to jail AND taking away ALL their assets (cash/cars/houses) is going to deter them.
Re:Sophistry at its finest... (Score:2, Insightful)
Also from TFA:
Launching a distributed denial of service attack is illegal in the U.S. and in most European countries.
That's what I thought...what does Blue Security have to say in their defense?
Or the opposite? (Score:1, Insightful)
-Rick
Hate to break it to you, but (Score:2, Insightful)
Spam wouldn't be a problem if people didn't actually click on the links. I've seen studies somewhere about the return rate on spam. While it is quite low, it's still high enough to make it worth their while.
Maybe we should establish a site that lists all the companies that support spam, and then boycott them. We could even have a plugin in firefox that would warn or block a site that was known to have used spam.
Menace to the Internet (Score:5, Insightful)
Re:Sophistry at its finest... (Score:4, Insightful)
If spammers are sending unsolicited emails to others, I have no moral problem with a system that sends coordinated unsolicited requests to their sites in response.
The legal issues are quite another matter.
DDoSing spammers (Score:5, Insightful)
When you start trusting someone else to tell you who's spamming and who isn't, you invite them to abuse that power; what guarantees do you have that Blue Security will never go to a legitimate site owner, and threaten to tell SpamSlayer users that the legitimate site is spamvertised unless Blue Security receive enough money?
Re:Sophistry at its finest... (Score:5, Insightful)
Doing things properly results in a more permanent fix. Vigilantism just gets innocent bystanders hurt and only works until the next guy comes along.
DDoS attacks affect more than just the target... (Score:2, Insightful)
I don't know about everyone else but I don't want my cable connection bogged down just because my neighbor feels like being an activist. Let's let the legal system do its job and use distributed computing for protein folding or other more worthy causes.
Re:Sophistry at its finest... (Score:5, Insightful)
Rule #1 Spammers lie
Rule #2 see rule #1
If an e-mail has false headers, what makes you think the reply-to or un-suscribe belong to the spammer. A DDOS against a third party (Joe Job) is not the way to shut down a spammer. You may be helping him shut down his legit competition. An obfuscated URL may point to amazon.com for example.
I liked the other aproach of repeatedly reloading the page used to buy the spammer's product. That's a way to have them melt or have the hosting company become less friendly to hosting spam product order websites.
Re:I remember when this debate started (Score:5, Insightful)
What shall we do? (Score:4, Insightful)
A and B aren't working. C, at present, is the only answer we have available to us.
I want to say for the "record" (whatever that means) that marketing through email is okay with me so long as people WANT to recieve it. If someone out there WANTS to buy some descrete penis pills or any other "plain brown wrapper" item that's fine with me. And let there be a means for them to subscribe to the stuff. The key is Opt-in explicitly and without any tricks or gimicks and more significantly, an "instant off" function that will not require 4-6 weeks to update their databases (which is utter horse shit). Okay I said it... now let's move on.
We do everything we can to block these people. They do everything they can to avoid being blocked. Their attempts at evasion is proof positive that they know they are pissing off the world for profit. How many other business models work at public expense for personal gain? In effort to prevent at-large vigilante-ism, where should the line be drawn? As much as I'd like to pull over and beat the crap out of people with ridiculously loud stereos playing in their cars, it's wrong (and dangerous) to do.
I'm at a loss for what we should do about the problem. These people are essentially polluting the internet and it needs to stop. But how?
Re:Sophistry at its finest... (Score:5, Insightful)
'or'test@yahoo.com'like'%
If the spammer uses sequel sewer or access rather than a real database, this will wipe their address list squeaky clean!
Re:Sophistry at its finest... (Score:5, Insightful)
While it's certainly true that DDoS attacks are illegal, and that there is a precedence that sets these types of things firmly in the illegal category, I personally think that we should reexamine them. Set a statute that allows DDoS attacks against known spam hosts and the like.
That's one knot that I think would be best left untied. It may start out as an anti-spam tool, but it'll only be a matter of time before all manner of other uses are okayed. How long before the RIAA gets permission to DDoS file-sharers, or entire P2P networks? How long before Microsoft gets permission to DDoS servers hosting cracks for their software?
Legalized DDoS attacks as a tool for fighting spam just reeks of a Pandora's Box solution to the problem. Once we make it an acceptable method for netcrime fighting in one instance, it's only a matter of time before all manner of major corporations and organizations tug the leash they have around US lawmaker's necks and get the right to DDoS anything they don't like.
Comment removed (Score:3, Insightful)
Re:Sophistry at its finest... (Score:1, Insightful)
I'm not saying that I like the idea of DDoS attacks; at the same time I'm not going to allow my personal dislike of them to keep from saying that it may or may not be a good thing for bringing down servers.
Ultimately, any manner of dealing with spam can be seen as a gateway for heavy handed squashing other things that major corporations don't like and carry enough influence to accomplish their own ends. If you're willing to dismiss one of them, you might as well give up on fighting netcrime in all its' forms.
Re:Sophistry at its finest... (Score:3, Insightful)
So I suppose it depends on which story/continuity you're discussing.
-Z
Wasted bandwidth (Score:3, Insightful)
I'm sure the rest of the network doesn't appreciate the potential increase in latency and packet loss these attacks can result in, either.
DDoS attacks are never a solution to a problem. They may hurt the target, but at the cost of wasted bandwidth for everyone else using the paths to that target.
Let's not start down this path. Please.
-Z
Re:Sophistry at its finest... (Score:3, Insightful)
Spam from BlueSecurity.Com (Score:3, Insightful)
Seriously, what's to stop a spammer from sending spam on behalf of a competitor, and laughing while BlueSecurity shuts down their website?
And who decides what is spam? BlueSecurity employees? A poll of users? A 13 yr old who scripts a bunch of canned messages to "BS" and says Microsoft spammed him?
Spam is Evil, but so is fighting spam *with* Evil.
Re:Sophistry at its finest... (Score:4, Insightful)
The danger of vigilantism (Score:5, Insightful)
There's another name for this sort of activity: "Lynching" There's a good reason why one isn't supposed to take the law into one's own hands. It's because, however noble your intentions, there are no checks or balances on your actions; no safeties or limits.
I HATE spammers. When I'm bored, I shut them down by tracking relevant data about them, and reporting them to their hosts and domain registrars. But who decides who the next "spammer" is? When I get spammed, even that isn't strong enough evidence for me. My next step is to ensure that it isn't an isolated incident, and so I go search the web to see if they've been added to a database/blacklist, or are on any of a number of spammer watchlists. Once I've got enough evidence to be able to convince a host/registrar, as well as myself, THEN I take action. But... how many vigilantes would take these extra steps? How many would simply go along with the crowd? "Hey! It's a spammer! GET HIM!!!"
As much as I hate what spammers do, I simply can't condone this kind of action, without some kind of safety net for false positives. We're seeing something of a double standard here. What if, instead of discussing actions against "spammers", we were discussing actions against "terrorists"? Biometric tracking? Millimeter wave scanners? RealID? We've all seen how many people get strip-searched, end up on no-fly lists, get arrested for not having the right paperwork or IDs, and have any number of other civil rights violated. We're constantly demanding that we have some sort of guarantee that we're not going to end up flagging the wrong individuals. I agree wholeheartedly; we'd damn well better ensure we're flagging the right people, or the system is pointless, and the "terrorists" will end up laughing all the way back to the compound. So... where's our safety net here, folks?
If we could legitimately do something like this, there wouldn't be a need for it, because it would mean the authorities would already be doing so. What happens on the day someone decides that Bob's Direct Mail service is "close enough" to spam, and we should start targeting them? How about Bob's Direct Mail Order? Bob's Direct Shipping? Bob's Joint? Who decides the next target? What if it's just a personal vendetta, and isn't even accurate? What happens when 20,000 people take that person's word for it, without doing any of their own research?
Yes, something needs to be done about the spammers, but this sets a dangerous precident. What's the solution? Hell if I know, though I suspect it's a combination of legislation and education. I just know that this has enough problems to have been condemned by almost everyone here, if it had come from the opposite direction.
Is spam email a DDOS? (Score:4, Insightful)
Before you can ask if using the function is a denial of service answser this question: Is sending spam a denial of service attack? I have had to cancel email accounts because of all the spam. Did the spammers attack me? Did they deny me access to my email by raising the noise to signal ratio to the point that I could not use it anymore? I certainly feel that they did.
Now, the only reason that the spammers would have a technical issue is if they were not prepared for all the cancellation requests that come through. In that sense it is like a slashdotting. When a site gets slashdotted we laugh and say the site should have been on a better server, with more bandwidth, etc, etc. So...if the spammer cannot handle the cancellation requests maybe it's his fault. Maybe he should have vetted his mailing list and not sent emails to uninterested parties. Maybe 10 year old boys dont need viagra, cheap diabetic supplies, and hot lesbian horse action. Some discretion and discipline in advertising practices could help alleviate this problem.
Fact of the matter is that each spam email out is supposed to offer a chance to cancel the mailings and get off the list. If the spammer cant do that he is in violation of the law. I dont care if he has too many cancellation requests. I dont care if everyone who recieves it cancels.
If they dont want attention then they should not advertise.
Re:Sophistry at its finest... (Score:3, Insightful)
So by saying that DDoSing warez servers is a bad thing? Or are you saying that they should be proteced and allowed to carry out illegal activities?
It could be. Say you own a small net-based business, small enough that you can only afford shared hosting. Now say one of those warez sites is on the same shared server as you. Microsoft (or Adobe, or Apple, or whomever) lays a DDoS attack on the server, now your site is down until the attack is over and you can no longer conduct business. Even worse, a particularly potent DDoS could take the entire host down, affecting all the sites they host.
Perhaps the warez site is hosted off of some kid's home PC through his cable modem. The DDoS attack could take down everyone's internet access around him. Do you want your internet connection killed for a day (or days) because the kid next door hosted a warez server? I know I don't.
There are already laws, albeit sometimes ineffective, on the books to deal with those kinds of situations. Opening the floodgates on DDoS-ing every server that commits anything even percieved as illegal is using a sledgehammer to swat a mosquito, and there's too much risk of collateral damage, IMHO.
This is an embarassment to law enforcement (Score:3, Insightful)
I am still dumbfounded as to why ANY of the ~200 (or less) spam-gangs (as documented by Spamhaus) who are responsible for 80% of all spam haven't been taken down? I don't buy the jurisdictional problem excuse -- most of them are in the states and all of us know they can be easily traced. Almost every one of these spammers are engaging in multiple criminal activities, including computer tampering, fraud, copyright infringement, RICO violations, identity theft, ponzi schemes, and more.
The biggest casualty of spam is the theft of bandwidth and network resources. DDOS'ing the spammers, while effective in that it may increase their cost of doing business, compounds the problem.
However, at this point, since the feds seem incapable of doing anything about this, I'm unwilling to write off any approach that might wake them up and get them into action. Our country does have a history demonstrating that civil disobedience can be an effective catalyst when the status quo is ambivalent. With that being said, I wouldn't personally endorse anything of questionable legality, but at the same time, I can't help but respect the role of such tactics in history.
Still, it just boggles me that a few FBI agents haven't done something as simple as toss up a few PCs on a cable connection with a packet sniffer, and begun documenting the propagation of worms and how the spammers are operating. It would take no more than a week to build a solid case against so many of these operations, you could pick-and-choose which perpetrator would be the easiest to prosecute. So why hasn't this been done?
Re:Menace to the Internet (Score:3, Insightful)
What do you really know about the West? (Score:3, Insightful)
Do you think the West was tamed by vigilante gangs, citizen lynchings, and the like? Do you believe this is what civilized the West?
Or rather, was it the coming of the railroad, the influx of honest people, the extension of the hands of law enforcement, the implementation of new laws and their enforcement, etc.
I submit that the Wild West was a place of murderers, vigilante gangs (murderers), hired guns (ditto), the precursor of the corporate army (likewise sometimes), and citizens who were sometimes willing to backshoot a dangerous stranger or lynch him without due process.
Now, all I'm getting at is reverting to the same type of action as the spammers is sort of like admitting you can't come up with anything better, more civilized, or more effective. That smacks of giving up, of throwing up your hands and saying "we can't beat 'em, better join 'em".
There are any number of existent laws and if the agencies that enforced them were a bit better funded and there was better international cooperation, we'd see a fairly marked decrease in some of this sort of traffic. Fighting spam is as much an international diplomatic/legal/bureaucratic issue as it is a technical one.
I mean, think of it in another way. You've got a dark room and you have a door onto it. You know the dark room has some nasty critters in it, and one might wander into your lighted door and try to eat you. I don't think the solution is releasing alternate strains of nasty critter. That's just magnifying the problem. Instead, you'd put a door on with a peep hole, you'd install a mantrap or two, and you might find out which other room is popping monsters out and send a group of people to that room to speak with them about it.
I figure we can win this war another way, we just have to decide to spend the money and put it as a priority for our law makers, law enforcers, and budget allocators for same. And of course, arm-twist some offshore havens into rethinking their policies.