A DOS by any other name...
Has anybody seen this (http://www.securitypronews.com/news/securitynews/spn-45-20041129LycosScreensaverBattlesSpamWebsites.html)? Lycos has a new screensaver that apparently bombards the servers of known spammers with requests, causing their bandwidth and server load to dramatically increase. Frustrated spam victims download the screensaver for free and when you aren’t busy, your computer sends empty requests to the spammer’s servers.
Now, don’t get me wrong… I don't like spam any better than the next guy, but back in the old days this kind of thing was called a DOS (denial of service) attack and was generally frowned upon. Personally, I would put this little brainstorm right up there with “New Coke”.
caromero1965
11-29-2004, 05:09 PM
...did they clear this with legal?
gringo perdido
11-29-2004, 05:49 PM
Who is to say what is spam and what is not? It would be very easy for me to accuse my competitors of spamming.. and essentially shut their servers down. The possibilities for abuse here are enormous, and the webmaster's recourse is limited... even if he were able to convince them he was not spamming (good luck) his site would be down to a crawl for days. Lycos had better put an extra pot of coffee on for their legal department.
flashfast
11-29-2004, 06:05 PM
Does anyone know whether, say if a spammer steals/uses an email address from a legitimate user, will the DOS attacks be carried out on the innocent? E.g. I get regular emails 'Message delivery Failure' from bounced spam messages using my site's email addresses. Of course they're not our emails - the email is a false one.
brightglaive
11-29-2004, 06:21 PM
I actually found a little more comprehensive discussion of the lycos SS
It says at:
http://news.bbc.co.uk/1/hi/technology/4051553.stm
By getting thousands of people to download and use the screensaver, Lycos hopes to get spamming websites constantly running at almost full capacity.
Mr Pollmann said there was no intention to stop the spam websites working by subjecting them with too much data to cope with.
He said the screensaver had been carefully written to ensure that the amount of traffic it generated from each user did not overload the web.
"Every single user will contribute three to four megabytes per day," he said, "about one MP3 file."
and
The list of sites that the screensaver will target is taken from real-time blacklists generated by organisations such as Spamcop. To limit the chance of mistakes being made, Lycos is using people to ensure that the sites are selling spam goods.
It will be released Dec 1st, 2004 according to the article. It's an interesting thought but too close to a DOS (Denial of Service) attack for comfort IMO.
Basically the screensaver generates requests for information to the web sites of companies that use SPAM to advertise goods or services for sale. From what I understand the article implies this is not via e-mail. Maybe I read it wrong :-\ as I can't think of any other way to drive the bandwidth totals through the roof except that it might continuously request the page like a browser. But that would slow your computer down. go figure!
Mr Fudge
11-29-2004, 06:45 PM
Absolutely brilliant! Just short of 40,000 running this so far.
I for one will take the risk of being sued by a spammer!
There’s even a tool to forward spammed urls through to Lycos.
719,597,375 hits to sites promoted by spam to date – ah – bliss!
Try it - gives one a really warm feeling inside . . .
http://makelovenotspam.com/intl/index.html
MarcThai
11-29-2004, 11:47 PM
Hang on a minute here. Do I detect sympathy for the spammers, or is it you are worried about possible misuse of this product towards innocents? Doesn't Lycos only target people on the Spammers Blacklist? So what's the worry? If you don't do anything to get on the blacklist you are not going to be targeted.
Personally, I think it's a great idea. If a dog bites you on the leg you hit it back. It's time we were given a big stick to start hitting back at the scourge of the internet. I say Go for IT!. They are only getting a taste of what they really deserve.
BTW, if you haven't installed Thunderbird from FireFox.com do it now. I just love the Junk icon on the toolbar. Click it and teach the program to recognize that particular type of spam. Since I started using it I have significantly reduced the amount of spam appearing in my Inbox. It just gets shunted to the Junk directory where it deserves to be without ever getting read. If we don't ever patronize these annoying morons because we haven't even seen their message they may even give up one day....but don't hold your breath.
MarcThai
11-29-2004, 11:52 PM
Just one question. I have searched Lycos and can't find any mention of this screensaver anywhere? Is it real, or is this whole thing a hoax?
Any suggestions on where to download?
Mr Fudge
11-30-2004, 03:50 AM
Well - the BBC have a report at
http://news.bbc.co.uk/1/hi/technology/4051553.stm
and they are not easily tricked.
Lycos are quoting a launch date of 1st December; perhaps we have picked up on the trial here. User figure quoted on the screensaver has now risen to 60,000 plus.
I'm sure we have not heard the last of this!
The download link is http://makelovenotspam.com/intl/index.html
Hi all,
There are some massive holes in Lycos' thinking here. I too don't like spammers but I can't see this working. It seems more like a publicity stunt for Lycos to be honest.
1) The spammers can get their site bombarded then simply redirect the flow of traffic to someone they dislike, i.e. a competitor. In fact all they need to do is put a link on there: [/url] to start fighting back against anyone they see fit.
2) Spammers rarely use permanent domain names/IP anyway. Most spam is sent through open relays exploited in unprotected servers. The best attack on spam would be to educate the masses of DIY system admins out there with dedicated servers.
3) What is to stop this system getting hacked, this is now a prime target for inserting [url]http://www.microsoft.com (http://www.lycos.com/massivepicture.jpg style=) into the list for a high profile DDOS.
4) All of this just generates traffic, the report at the BBC states "Every single user will contribute three to four megabytes per day".
Well it's great for US and UK users who think they are spending their 'free' bandwidth fighting these guys but these costs will be passed on if this becomes a burden on network resources. I'm surprised more ISPs haven't commented on this issue. The thought of every one of their users downloading an MP3 every single day must be making some of them worried.
5) Fighting bandwidth use by spammers with more bandwidth use seems a little insane for net traffic levels as a whole. If we wish our networks to go faster then this is not the right approach. It's possible that this pays off by eliminating the spammers and their collective bandwidth use - but this is then dependent on their success.
I wish this would work, but unfortunately I think this is going to backfire spectacularly.
Best
Kino
The 'hit list' is going to be generated by real time black hole services like Spamcop. I don't know how much you guys know about Spamcop and services like them. How reliable are they? Well, let's see what they have to say on their site:
Here's the page (http://www.spamcop.net/bl.shtml)
Here are some highlights:
"It is not possible for any blocking tool to avoid blocking wanted mail entirely."
"The SCBL is aggressive and often errs on the side of blocking mail."
"There is no warranty associated with using this system. It is provided as is."
Now, based on these types of disclaimers, you're telling me that you're comfortable launching what is essentially a coordinated DOS attack on people that end up on their list?
Now, don't get me wrong... I'm not pro-spammer, I'm just anti-stupidity and this is a stupid idea that will have somebody wrongly accused, wrongly listed and then wrongly attacked by a few thousand Lycos users within a week of its inception.
No matter the reason a DOS attack is a DOS attack. It's widely considered to be a hack in any other setting and it's a criminal act.
brightglaive
11-30-2004, 06:25 PM
Well, let's look at this logically.
Assuming this is not spamming the spammers back through e-mail and that this is generating HTML requests to the sites advertised by the spammers in the SPAM e-mail, then what you are doing is attempting to punish those companies that use SPAM as a marketing campaign or advertising medium. If you force the companies that use SPAM as a marketing campaign to pay more for hosting their website because they are exceeding their bandwidth allotment by A LOT, then they will disappear faster.
With regards to redirecting the requests to another website:
When a small-to-medium company (such as what are usually advertised in SPAM) pays $500-$1500 for a spammer to send out thousands and tens of thousands of SPAM e-mails, it's not likely that they are going to direct customers to a competitor's website.
Is this the most effective way to fight SPAM? It does drive up the bandwidth use on your corporation's network. Additionally you are going to drive the popularity (if one can call it that) of the offending site up. However the load becomes even greater on the servers for the websites that use SPAM to advertise. This is an inducement to stop using SPAM as an advertising method or face the bandwidth consequences. If you remove the reasons the spammers SPAM us for, do you remove the problem? Most likely, yes. Are there ways to abuse the system? Absolutely. One enterprising spammer could SPAM some Microsoft link across the web and all of a sudden Microsoft could come under fire from the Lycos SS (like they aren't already under fire on a daily basis, i.e. Bill Gates is the most spammed person in the world). Will this solve the SPAM problem or will it just make it worse? Time will tell, or maybe litigation will.
This appears to not be a DOS per se, but more of a "let's run their bandwidth allotment down to zero faster." If the program can do this without creating a DOS or DDOS situation (i.e. it backs off if the site becomes unresponsive or TCP SYNs go unanswered) then it's not really a DOS or DDOS attack. It's merely a tool to generate traffic for a given set of sites.
I think that there may be some legal issues that Lycos hasn't considered (namely the stupidity factor of the software) that may be cause for concern at any company or individual using it.
I'm also anti-stupidity and will err on the side of caution when faced with monetary damages.
-------------------------------------
Brightglaive
You will miss 100% of the shots you don't take and, statistically speaking, 99% of the shots you do.
SpamKiller
11-30-2004, 11:39 PM
There are some massive holes in Lycos' thinking here.
No, but there are some massive holes in a lot of the thinking opposed to this, here and elsewhere.
1) The spammers can get their site bombarded then simply redirect the flow of traffic to someone they dislike, i.e. a competitor. In fact all they need to do is put a link on there: [/url] to start fighting back against anyone they see fit.
No. You're presuming without any basis that the traffic directed toward spamvertized websites is in the form of a conventional web visit with retrieval of all the objects identified in the HTML page. That isn't how it works at all. The Lycos tool formulates requests that the target servers can't satisfy and it isn't done in a browser window. Nothing is retrieved or displayed, therefore nothing can be redirected anywhere.
2) Spammers rarely use permanent domain names/IP anyway. Most spam is sent through open relays exploited in unprotected servers. The best attack on spam would be to educate the masses of DIY system admins out there with dedicated servers.
Wrong again. Where spam comes from is not the point of this tool. This punishes those who pay to have the spam sent -- the "spamvertized" websites. It punishes them with traffic which is, after all, what they asked for.
3) What is to stop this system getting hacked, this is now a prime target for inserting [url]http://www.microsoft.com (http://www.lycos.com/massivepicture.jpg style=) into the list for a high profile DDOS.
Sure. What if the lock on your car is hacked? So, uh, maybe you'd prefer to leave your car unlocked. Or maybe you'd prefer to use roller skates instead. Watch out for those skate hackers, though.
4) All of this just generates traffic, the report at the BBC states "Every single user will contribute three to four megabytes per day".
Well, duh, the point of it is to generate traffic -- more traffic than the spamvertized websites bargain for when they send those millions of explicit invitations to visit their sites.
Remember the TV ad (if you're in the U.S.) in which the crew of a new e-commerce website pushes the button to put the site on line? Their order counter starts registering, slowly at first, then faster and faster. At first they are pleased, then celebratory, then they realize they are in deep, deep doo-doo. Too much of a good thing can be bad.
Well it's great for US and UK users who think they are spending their 'free' bandwidth fighting these guys but these costs will be passed on if this becomes a burden on network resources. I'm surprised more ISPs haven't commented on this issue. The thought of every one of their users downloading an MP3 every single day must be making some of them worried.
Psst! Maybe you haven't noticed but zillions of people do precisely that, every day and more. This traffic raises the bandwidth costs of the spamvertized websites, pushing their operating margins into nonexistence. If you have metered Internet then of course you are completely free to not use this tool.
5) Fighting bandwidth use by spammers with more bandwidth use seems a little insane for net traffic levels as a whole.
Then you don't understand much about the magnitude or dynamics of the Internet.
If we wish our networks to go faster then this is not the right approach. It's possible that this pays off by eliminating the spammers and their collective bandwidth use - but this is then dependent on their success.
Whose success? The success of the spammers? Try making a bit more sense.
I wish this would work, but unfortunately I think this is going to backfire spectacularly.
It never ceases to amaze me how many people reject perfectly good mechanisms in favor of broken ones. This is called "self defense" and is as old as humanity. It is only in the late 20th Century that numbers of people began to find it fashionable to reject self defense. That's OK... rejecting self defense is a self-limiting phenomenon. Try it in any area where real danger exists.
SpamKiller
11-30-2004, 11:42 PM
Does anyone know whether, say if a spammer steals/uses an email address from a legitimate user, will the DOS attacks be carried out on the innocent? E.g. I get regular emails 'Message delivery Failure' from bounced spam messages using my site's email addresses. Of course they're not our emails - the email is a false one.
The Lycos screen saver has nothing to do with email addresses. It generates HTML requests to known, spamvertized websites. Email has no role in the actions of the screen saver, neither coming nor going.
The problem I have with all this (beyond the DDOS issue) is actually highlighted by your explanation:
"It generates HTML requests to known, spamvertized websites."
A spamvertized website and a spammer are typically two separate entities altogether. There have been plenty of instances of a website being 'spamvertized' without any clue that the company they've hired to send their marketing message is spamming.
Now, since I don't (based on any of the write-ups I've read) think Lycos actually intends to go after anybody that isn't on a spam list like Spamcop, I doubt they will be attacking the sponsors of spam messages - only the senders. This is a fairly important distinction. It is not the 'spamvertised' site they're after, it's the outfit sending the message.
This is actually another good example of why this is such a classically bad idea. You ask 10 different people to specifically and exactly define what spam is and you're going to get more than a few variations.
Different people have different ideas about what is and isn't spam. Different companies do too. Different blacklist companies certainly do. Trouble is, who decides who's right and accurately labeling spammers and not legitimate email? Spamcop readily admits they are not exactly 100% accurate. See my links above. So, who is it that's gonna be passing judgement on everybody else's email? That's a fairly legitimate question I think.
Unless you can say with an extremely high degree of confidence that this program is never ever ever going to let a few 'false positives' slip by and be attacked then there's no way it should be allowed.
savr44
12-01-2004, 11:33 PM
I have given up 4 email addresses because of spam. Then came the filters. Every day I have to spend man hours adding or adjusting filters. The old saying is: FIGHT FIRE WITH FIRE!!!!!
Yes, well there's another old saying that applies here too:
"Whoever fights monsters should see to it that in the process he doesn't become a monster."
Easywebdev
12-02-2004, 12:48 PM
I would assume that Lycos has some tech savvy people on their payroll (though I wonder after this stunt) and how they came up with such a monumentally stupid idea is beyond me.
First off, using Spamcop or any of the other blacklists is no guarantee that they will actually target spammers.
Spamcop is notorious for blacklisting IPs and even entire class C blocks on the word of a single spam report.
Anyone heard of a joe job? If I sent spam emails from my site but advertising your site's products? Wham, your IP is on Spamcop and you did nothing.
I've rented servers in the past only to be assigned an IP range that is in the Spamcop blacklist and it is a royal pain in the backside to communicate with them to get the IPs removed from their list.
Secondly (let's set aside the ethical and legal implications of Lycos stepping down into the pit), targeting a spammer's site with HTTP requests is a waste of time. If the spammer is actually sending from his/her own domain they may not even have a website operating. If they do, it does not take a genius to analyze the server logs and get some general info on the headers/packet size/type being sent by this Lycos dummy and block them at the firewall level.
With the amount of spammers who spoof email addresses then this is just going to hurt more and more innocents.
Imagine poor Jim goes on his holidays and someone does a joe job on his site, he's in the spamcop database and lycos is hammering his site, he returns from holidays to find a bill for $1000's in overage fees?
Believe me, this will happen. How many lawsuits will lycos face in the near future?
Spammers need to be fought, but by the world's governments who can pass laws and enforce them.
Bye bye Lycos, you shot yourself in the foot with both barrels on this one. For a minute I thought it might have been April 1st.
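The server-log analysis described in the post above, sketched as an added example that is not part of the original thread: it groups access-log entries by request signature and reports signatures shared by many distinct clients, which is the information a site operator would need before writing a block rule. The log lines, the `ExampleSaver/1.0` user agent and the thresholds are constructed for illustration; the real client's headers are not given on this page.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log (documentation IP ranges, made-up user agents).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Nov/2004:10:00:01 +0000] "GET /x-probe HTTP/1.0" 404 0 "-" "ExampleSaver/1.0"
198.51.100.7 - - [30/Nov/2004:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows)"
192.0.2.11 - - [30/Nov/2004:10:00:02 +0000] "GET /x-probe HTTP/1.0" 404 0 "-" "ExampleSaver/1.0"
203.0.113.5 - - [30/Nov/2004:10:00:03 +0000] "GET /x-probe HTTP/1.0" 404 0 "-" "ExampleSaver/1.0"
this line is truncated and cannot be parsed
198.51.100.8 - - [30/Nov/2004:10:00:04 +0000] "GET /products.html HTTP/1.1" 200 9000 "/index.html" "Opera/7.54"
203.0.113.9 - - [30/Nov/2004:10:00:05 +0000] "GET /x-probe HTTP/1.0" 404 0 "-" "ExampleSaver/1.0"
192.0.2.10 - - [30/Nov/2004:10:00:06 +0000] "GET /x-probe HTTP/1.0" 404 0 "-" "ExampleSaver/1.0"
198.51.100.7 - - [30/Nov/2004:10:00:07 +0000] "POST /order.cgi HTTP/1.1" 200 300 "/products.html" "Mozilla/5.0 (Windows)"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_uniform_signatures(lines, min_clients=3, min_share=0.3):
    """Return (findings, skipped).

    A finding is a (method, path, user-agent) signature used by at least
    `min_clients` distinct source IPs and making up at least `min_share` of
    all parsed requests. Both thresholds are illustrative assumptions; a
    popular legitimate page can also match, so findings need human review.
    """
    groups = defaultdict(lambda: {"ips": set(), "hits": 0, "statuses": set()})
    total = skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep a count instead of silently dropping
            continue
        total += 1
        g = groups[(rec["method"], rec["path"], rec["agent"])]
        g["ips"].add(rec["ip"])
        g["hits"] += 1
        g["statuses"].add(rec["status"])

    findings = []
    for (method, path, agent), g in groups.items():
        share = g["hits"] / total if total else 0.0
        if len(g["ips"]) >= min_clients and share >= min_share:
            findings.append({
                "method": method, "path": path, "agent": agent,
                "clients": len(g["ips"]), "hits": g["hits"],
                "share": round(share, 3), "statuses": sorted(g["statuses"]),
            })
    findings.sort(key=lambda f: f["hits"], reverse=True)
    return findings, skipped


if __name__ == "__main__":
    results, bad = find_uniform_signatures(SAMPLE_LOG)
    for f in results:
        print(f)
    print("unparsed lines:", bad)
```

A signature that is identical across many unrelated source addresses is what distinguishes a distributed automated client from ordinary visitors, whose paths, referers and user agents vary.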
True enough Easy.
The whole thing has an almost surreal Salem witch trial kind of air about it if you ask me.
From Wikipedia (http://en.wikipedia.org/wiki/Witch_trial#The_Process)
"One of the common tests was to tie the hands and feet of the person (and sometimes enclose the person in a bag) and throw him or her into a river or pool. It was held that if the person managed to float, this was due to the Devil's help. Such a person was thus found guilty of witchcraft. If the person could not float then he or she was considered innocent, but this acquittal came too late because the accused had by then drowned."
You folks that don't see the harm here need to pick up a copy of The Crucible (http://www.amazon.com/exec/obidos/tg/detail/-/0142437336/qid=1102014463/sr=8-1/ref=pd_csp_1/103-6815127-6670235?v=glance&s=books&n=507846). Go through and mark out the word 'witch' and replace it with 'spammer'.
Easywebdev
12-02-2004, 02:27 PM
If anyone here has downloaded that screensaver then I would strongly advise them to uninstall it straight away.
I am not a lawyer but I don't need to be to see that this is incitement to participate in a criminal act (distributed denial of service attacks ARE a criminal act) and anyone using this screensaver whilst connected to the net is aiding and abetting in that crime. You cannot plead ignorance as Lycos has stated the purpose of the screensaver. There will be lawsuits, do not get caught in the flak.
If a site is targeted and Lycos cannot come up with a single spam email originating from that domain then it's open season on them. I bet the major spammers are already setting aside funds for their warchest waiting on one of their sites to be targeted.
I'm totally dumbfounded by this.
Hi SpamKiller,
Read this yet?
http://www.theregister.co.uk/2004/12/03/lycos_antispam_site_offline/
Looks like they were directing the traffic back at Lycos after all. ;)
Then you don't understand much about the magnitude or dynamics of the Internet.
Perhaps I should have been clearer here. I know that the Lycos tool in itself is not really going to threaten internet traffic levels as a whole. However this philosophy of fighting fire with fire could present a problem if it is taken further. What if we have a thousand tools which do the same thing as the Lycos one, a million? The internet is indeed very large but if we start considering this an acceptable method to be adopted by the majority of users then that in itself is an effect of great magnitude.
Best
Kino
butuki
12-05-2004, 09:59 PM
I am definitely not knowledgeable about the technical aspects of how the internet works and why or why not Lycos' software is a threat, but as someone who gets hundreds of spams a day in my e-mail and in my blog I wonder why I should be sympathetic in any way towards spammers and those who sponsor them. They use MY bandwidth and MY time (for eliminating the garbage that gets through) without a thought for the trouble and cost it all causes me. I'm sure everyone in this discussion gets the same thing. Exactly how long, then, should I put up with this? "Respect the rights of spammers"? Why? They don't respect mine. Why in the world should I harbor the least bit of sympathy or respect for spammers or care in the least if their sites are knocked off line?
I think Lycos' attempt to do something about the problem, while perhaps not practical, at least reveals just how fed up most people are with spam. If the Internet is visualized as an ecosystem, spam is a species that has gone way out of control, like gypsy moths or locust swarms. Someone needs to create a predator to deal with the overpopulation and bring balance back to the system.
Hi Butuki,
Don't think for one minute I am respecting spammers' rights or don't find them every bit as annoying as you. My gripe with Lycos is the method they are using for this.
You are right something needs to be done; I think we all agree on that, and those of us who are system admins face this problem every single day. Not with hundreds of spam emails like you, but thousands.
The question is what? DDOS attacking the spammers does not seem the best way to me, I am sorry. This creates a dangerous vigilante culture. What if I release a tool next week that sends 10GB instead of 1 MB - is that ok? It would certainly be more effective. Who am I relying on to give me definitive information on the spammers or am I just individually picking the domain names from the 100's of spam emails I receive every morning?
You see the problem?
Legalising DDOS attacks, and that is what Lycos are doing, is a dangerous step. What if you are accused of spamming one day or manage to slip into the spamcop database? And believe me this has happened before, no system is perfect. Who do you take your case to when your company and online business go down under this flood.
I agree something needs to be done, but not this. Companies who use spam to advertise their goods need to be prosecuted through a shared system of law. The source of most of the spam in the world is the US and that is where we need to start. I don’t really believe the people of China care too much about Viagra or Cialis sales – but unfortunately they are prepared to take the money for doing this.
We need to set up bodies across internet boundaries to deal with these companies and prosecute them for doing this. Their crime isn’t just filling your mailbox – it’s causing huge parts of the world to be slowly cut off and banned from using the internet. Do a search sometime for ‘how to block China’ and see the real extent of the problem.
Best
Kino
According to a ZDNet (http://news.zdnet.co.uk/internet/security/0,39020375,39179157,00.htm) article yesterday this program has been dumped.
For the record, according to Lycos, their program wasn't responsible for taking down anybody's server. Furthermore, the report that the Lycos 'makelovenotspam' site was at some point hacked or otherwise disabled may not have been accurate as explained by f-secure (http://www.f-secure.com/weblog/#00000380).
At any rate, it's over. As I look back at this situation, I find myself asking 'so what happened'? Lycos says they didn't shut down any spammers, the spammers apparently didn't shut down Lycos...
So... What Happened? Oh yeah, Lycos got their name in the news a lot. Other than that, absolutely nothing happened with the possible exception of the various pro and con arguments circulating through forums like this one.
I think a quote from the company's released statement says a lot.
"We are astonished by the enormous resonance generated by the "Make Love No Spam" campaign. With this campaign we intended to raise a new impulse in the antispam discussion and therefore create awareness for the big economic and societal problems caused by spam. The campaign has reached its goal and thus will be stopped."
Right. I think I'll stick with the comparison I made between makelovenotspam and New Coke. This whole thing reeks of a publicity stunt.