h a l f b a k e r yPlease listen carefully, as our opinions have changed.
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
browse anonymously,
or get an account
and write.
register,
|
|
|
Individuals register with a website and download a piece of software which is essentially a browser without a window and which automatically and repeatedly "clicks" every link on a page sent to it.
Upon receipt of a particularly irritating or offensive spam the offending email is forwarded to the
website which processes it and distributes the html links to all participators blind browsers which then proceed to happily click away until they detect that the site is not available. Regular checks thereafter produce further frenzies of clicking if the site becomes available again.
Desired result - massive flood of traffic blocks hapless ISP's servers forcing them to take down the target domain.
Spam is rendered useless as it leads to the effective loss of a domain name for all practical purposes.
Probable result - the internet is slowed to a crawl with accidental attacks on innocent sites submitted maliciously by pranksters or through links to bona fide sites added to spam to deliberately create problems for the system.
Therefore submissions would have to be manually checked by volunteers to weed out bona fide links unrelated to the spam.
Legality? Cannot be regarded as an offence under the misuse of computers act as all that is being done is clicking on links which the spammers are urging us to click thereby making the access authorised and lawful.
Any volunteers?
Laura Betterly, The Spam Queen
mailto:laura@dataresourceconsulting.com [DrCurry, Oct 04 2004, last modified Oct 05 2004]
Junk Mail Bombs
http://www.nytimes....hnology/14NECO.html Coming soon to a Post Office near you: snail-mail-based denial-of-service attacks. [Link requires free subscription.] [DrCurry, Oct 04 2004, last modified Oct 05 2004]
BBC: Screensaver tackles spam websites
http://news.bbc.co....hnology/4051553.stm "Internet portal Lycos has made a screensaver that endlessly requests data from sites that sell the goods and services mentioned in spam e-mail." [jutta, Nov 29 2004, last modified Nov 30 2004]
(?) MakeLoveNotSpam
http://makelovenots...com/intl/index.html Slashdot recently covered this approach. This is a link to download an anti-spam screensaver that increases loads on spam sites without reaching DDoS levels. [mannby, Nov 30 2004]
Lycos withdraws tool after criticism.
http://thewhir.com/...watch/lyc120704.cfm "The company said it had achieved its objective, which was to ignite a debate about anti-spam measures." And if you believe that, there's a large sum of money that I could use your help getting out of my third-world country. Idiots. [jutta, Dec 08 2004]
[link]
|
|
absobloodylutely. I'd want to tinker with the idea to make it a little more anonymous and make the submission of sites an entirely human process but yes I like it. |
|
|
The ratio of those annoyed by spam against those creating spam should be big enough to make this work. |
|
|
Can we include pop-up ads too? |
|
|
I'm no expert, so bear with me, but if this invisible browser repeatedly "clicks" on the spammers website and the bandwidth flow would overwhelm the site, wouldn't the data being sent also slow you down? |
|
|
I like the concept, though. |
|
|
lumpy: yes, but if there's lots of you and the application makes sure that you all access a site at a similar sort of time then the impact at the site is maximised and for the least impact on your machine. |
|
|
Oh, st3f, I highly recommend the pop-up stoppers available on freeware/shareware sites like zdnet.com. |
|
|
I never even think about pop-ups anymore. |
|
|
I like the concept, but I think that this would be considered a DDoS (Distributed Denial-of-Service) Attack, which would bring up the legal thing again. |
|
|
Actually, forget I said pop-ups. If you're going to a site supported by pop-up adverts it seems a little churlish to launch a physical attack on them when you have the choice to avoid the site and thus the pop-ups. I wish I'd thought that one through. |
|
|
Best to go after unsolicited spam email. |
|
|
Aspdesigner, this is indeed a DDoS, and would thus be illegal. The same defense <"We're only clicking links on the page"> could be made when someone's site is attacked like that. |
|
|
Wish there was a way to do it, though. I've been getting a hell of a lot of spam from this one place lately... |
|
|
I rarely get spam with a reply vector involving a website; it's mostly fax or email to big anonymous free e-mail sites. |
|
|
I think spam is a case for the legislature, not for a distributed network of self-proclaimed vigilantes. There are reasons they ditched vigilante justice in the real world, and those reasons hold true on the Internet as well. |
|
|
Pretty much all of my spam points to websites, even the Korean crap. But while I have a website, I don't have my own domain. |
|
|
Self proclaimed vigilantes? crikey!
I was suggesting a well targeted protest by a group of intelligent and involved people with a care for potential side effects. Not tracking mass mailers down, hauling them into the street and beating them. |
|
|
Using your definition the suffragettes would be irresponsible criminals, Greenpeace's blocking and hindering tactics against whaling fleets would make them "self proclaimed vigilantes", and there are a host of other analogies i won't bore you with the details of, I will just mention the South African strikes and civil disobedience movement, Ghandi all of which were technically illegal. etc etc. |
|
|
Clearly untargeted mass email is annoying but not on a par with the inequalities and lack of justice mentioned above, and equally clearly I am not putting myself on the same level as the many heroes and heroines who have been involved in these struggles. However regardless of legislation we all have a right to protest using direct action where the action taken harms no third party at a level above minor inconvenience. I am always very happy to be disagreed with, but I think you should reconsider your allegation of vigilanteism. (is that spelled right?) |
|
|
You don't understand the difference between a destructive act (such as bringing down someone's network) and speech (such as a demonstration in the street)? There's nothing I can do about that. |
|
|
Even a demonstration in the street brings the traffic to a standstill. |
|
|
This would be the equivalent of a demonstration *designed* to bring traffic to a standstill. There's a difference of intent and extent. Not a big difference from where I stand, but enough to put you the uncomfortable side of the law. |
|
|
On the other hand this is how laws get changed. The person organising the protest would have to be aware of the consequences of their actions and be prepared to accept them as a symbol of the protest. Not being the martyr type I'm not about to volunteer for this role. |
|
|
I do understand the difference between a destructive act and speech very well thank you. I would not support any wanton blanket destruction, even in Afghanistan, but I would support hindrance and inconvenience with carefully considered parameters. I am not suggesting breaking into facilities and smashing the server racks with big hammers, I am suggesting that those who inconvenience others or provide support for them could be inconvenienced back without too much moral anguish. |
|
|
However I respect your position even if I feel that it is an attitude which has allowed a lot of things that shouldn't be happening to continue for far too long a time. Speech is of course an essential part of any protest, but maybe needs helping along a little. |
|
|
As to consequences i have to say that I personally am not prepared to go to prison over unsolicited email, some things yes, but email no. |
|
|
I have long wondered why an offensive Spam Killer doesn't exist. I think it is the only way to defeat the scourge of Spam. But what about these problems (for the more savvy to solve)?
1. Couldn't the attacked website simply stop responding to a given IP address after, say, 10 accesses within a given time period?
2. A lot of Spam goes to corporate email servers. Would corporate servers allow their clients to be part of a DDoS, no matter how noble its purpose? |
|
|
I'd be willing to write the software, provided I couldn't be personally traced and suffer legal action. i assume the halfbakery keeps a track of these things though, so i can't now. |
|
|
As for the "destructive act" argument, the only thing significantly affected would be the spammer's site. In the larger scale of things, it would do nothing to hinder anybody else's use of the net. |
|
|
And what makes people think that spam will stop if it's illegal? Companies (and governments) are just as happy doing illegal things as the consumer on the street, if they think they can get away with it. |
|
|
Interesting that even though Ivan said //Probable result - the internet is slowed to a crawl with accidental attacks on innocent sites submitted maliciously by pranksters or through links to bona fide sites added to spam to deliberately create problems for the system.// several people keep insisting that this would inconvenience no-one but the spam servers. |
|
|
The hypocrisy of the same people saying how they want to perform this illegal (you cant make it legal by repeating you argument over and over) act without personal risk is almost funny. |
|
|
as for //this is how laws get changed//, do you want the laws against DDoS changed? How about the ones against creating viruses and hacking (just in case you want to punish someone else)? |
|
|
"illegal" means somebody will punish you for it, not that it's wrong. There's no hypocrisy in doing something you think is right, but not wanting to be punished for it. |
|
|
I thought illegal was a sick bird of prey... |
|
|
Per the Wall Street Journal, the economics of spam for the self-described "Spam Queen", Laura Betterly: in a typical mailing, she spams 500,000 email addresses and gets 65 responses, generating $40 in revenue. As noted in the WSJ, at 2 seconds for each recipient to delete the spam, this means that the spammer has gained a mere $40 at a cost upwards of $3,900 in lost productivity to the general public. (Using US mean wages of $14/hr as a starting point.) |
|
|
Elsewhere, Betterly's company, Data Resource Consulting, is reported as sending 60 million spam emails a month. |
|
|
What is Spam Queen Laura selling at under $0.62?
Penis extensions? A bargain at 20 cents per inch.
Very cheap and probably barely legal web strippers? |
|
|
Good or bad, I have this system half written already. |
|
|
My program is designed to work with any spam filter that sorts your mail into a folder in your mail client. I use PopFile. |
|
|
The program parses the spam mailbox (it currently supports Mozilla's MBOX format and Outlook Express) and extracts anything that looks like a web URL. The URL extractor is implimented as DLL plugins, so URLs can be returned from any source. |
|
|
That part is done and working, the next part is yet to be written. |
|
|
Once the URL list has been returned, the program will download the page and any images linked on that page, just as if you had gone to the site yourself. It finds any links on that page that link to the same site and downloads them. Repeat to some depth (probably a depth of more than three would not be useful). |
|
|
I plan on including a document explaining the reasoning behind the program and how to use it properly. This will include an explaination of why hammering the site would be a Bad Thing (its an attack, and no better than spamming, it would allow spammers to filter the source address, it could harm innocent sites that are not spammers, it reduces the chance of someone using the system as a DDoS tool, etc). |
|
|
The point of the system is not for the user to single-handidly put a spammer out of business, it is to make the cost of sending spam greater. Spam can be sent out almost for free, and uninterested users filter themselves out of the users who visit the target website. This lets spammers spend their limited website resources only on users who were curious enough to click through. By always clicking through, you take a small piece of the spammers resources, kind of like what it would cost him to buy postage for the spam. |
|
|
There will no doubt be abusers, but I think many people would use the system responsibly. |
|
|
I don't understand what you are asking. |
|
|
One feature the browser portion will have is an option to ignore certain domains, like ebay, EFF, yahoo, where users may get opt-in news letters that they choose to leave in their spam folders for whatever reason. |
|
|
I would also like to incoporate some kind of features that make it more difficult to use it as a DDoS tool, like perhaps require the user to initiate the site downloads. Of course if its open source any programmer could modify it to create a DDoS client, but they could just as easily write their own. The point is to remove the automated step that would allow evil script kiddies from using spam mailings as a gateway to a vast network of mail-controlled DDoS zombies, attacking innocent, non-spam sites. |
|
|
I'm not sure that that goal is possible though. |
|
|
Although this could disrupt sites advertised by spam, how would it actually hurt the spammers? The people advertising with spam could sell advertising space on their sites for more money because they get so many hits. The spammers and the people selling address databases can charge more because they appear so effective. The sites will be safe from further attack because they will limit the number of times a person can access the site in a given time to an amount their server can handle. Or they could bring criminal charges against anyone using the software if they thought it was worth losing all that advertising revenue. |
|
|
Admittedly this is only a possiblity but even if they didn't make any more money, they would just increase their security - maybe prosecute, maybe not - and carry on as normal. |
|
|
The object of the application is not to distrupt the site, its just to make spamming more expensive in terms of bandwidth. |
|
|
The reason spam works is because most people ignore it, so only the people who are most likely to buy the product end up visiting the website, resulting in a high response rate for the web site, which makes spamming worthwhile. If many people who received spam visited the site, the response rate would be very low, possibly low enough that the sites that pay spammers to do the work will choose another method of advertising. |
|
|
IMO this is not a DDoS attack. To be a denial of service attack, the intent has to be to make the site become unavailable, which is not the aim here (that would only cause the spammers to develop a counter-tactic, such as lawsuits or websites that are difficult to download with an automated tool). The object is to simply automaticly retrieve the content for which the spammer has provided a link. |
|
|
It is possible that someone could be prosecuted for running this program (however unlikley). While I am not a lawyer, I think it would be difficult to win such a case because the person running the application would not be doing anything particularly noxious or even unreasonable. |
|
|
If I were to stand on a street corner handing out flyers (lets use pro-satan flyers for the example). Most people would just glance at them and toss them in the trash. However, I might really annoy a particular group (a local christian church perhaps). Those people, recognizing my right to hand out flyers (or stand on a soapbox and speak, whatever), know that they cannot legally steal my flyers or gag me. However, there is no reason they cannot themselves each take a flyer or two, or stand around my soapbox, thereby preventing preventing my message from reaching other people who might be swayed by it. |
|
|
Good point about banner ads, but banner ads are generally not hosted on the site displaying them, and the download portion of the application won't download images hosted off the site. Also, since advertisers generally pay for click throughs, and the program won't generate them, the ads would not generate any money. |
|
|
I agree w/[everest] -- how can I be faulted (ostensibly for
DDoS) for simply doing what's -specifically requested- by
the ad sent on behalf of the site in question? |
|
|
Easy. Just post a link to the offender on Slashdot. |
|
|
http://www.astrobastards.net/uc/index.jsp |
|
|
Has anyone looked at this? Is it safe to use (i.e.: no spyware / virii, etc.)? |
|
|
I'd like to try it, but I'm afraid that it might have some code in it that will be used for nefarious reasons... |
|
|
If anyone's used it, and can vouch for it, I'd like to hear from you. |
|
|
How about this, everyone? |
|
|
http://www.friedspam.net/ |
|
|
You can fashion a URL to automatically start hitting the spammers' websites:
[see links. --admin] |
|
|
We set up a daily email newsletter, detailing all the spamvertised websites each of us collect that day, and email them to a central repository. |
|
|
That repository then emails each of us with a link that we click, fashioned as above, and the spammers get hit all night. |
|
|
Actually, that URL should read: |
|
|
[admin: url deleted; please learn to
use "link"; please learn to use the "edit" button next to your old annotations; please get a blog where you can inform your many followers about your every move - this really isn't the place. Thank you.] |
|
|
You don't want the 'b=start' switch, so you can click the 'Start' button yourself. That way, if anything is wrong with the URL, you can fix it before beginning. |
|
|
I'm using it right now... so far, I've hit the spamvertised website 23,000 times. I'll stop when it hits 500,000. |
|
|
The great thing is, I run MultiProxy (an anonymous proxy rotator program), so my IP address doesn't show. It looks like I'm coming from several hundred places around the world. So, the spammers can't attack my machine. |
|
|
I've also chained WebWasher into the IP chain, and changed the Browser ID string to read 'SpamCop v1.3.4 (http://www.spamcop.net/)'. Thus, the spamvertised website server logs will be filled with this string, and the spammers will know why they're being hit. |
|
|
Hopefully, they'll visit SpamCop to complain, and be duly LART'd. |
|
|
I also tried Unsolicited Commando. |
|
|
It works, but unfortunately, a programming error causes connections to perpetually be held in a CLOSE_WAIT state. |
|
|
Thus, UC grabs a new port for each attack, and doesn't release it. So eventually, all your ports are used up, and you can't access the internet. |
|
|
I've emailed the author... I presume he's hard at work fixing it. |
|
|
Here's something else I've found... |
|
|
http://www.jerkz.com/tips_spam.htm |
|
|
I think they're doing what I've described above... emailing out a link to FriedSpam.net with the URLs of spammers. |
|
|
I've created a throwaway email account and signed up... I'll let you all know how it goes. |
|
|
baked: the former Blue Frog Security organization did just this |
|
| |