Lycos Europe is distributing a screen saver that launches denial of service attacks on the websites of suspected spammers, according to a Craig Morris story at Heise Online. The screen saver sends dummy requests to the servers in order to slow them down. It even displays information to the user about the current attack target.
This is a serious lapse of judgment by Lycos. For one thing, this kind of vigilante attack erodes the line between the good guys and the bad guys. Spammers are bad because they use resources and keep people from getting to the messages they want to read. If you respond by wasting resources and keeping people from getting to the websites they want to read, it’s hard to see what separates you from the spammers.
This kind of attack can be misdirected at innocent parties. The article says that Lycos is attacking sites on the SpamCop blocklist. That doesn’t fill me with confidence – this site has been on the SpamCop blocklist at least once, despite having nothing at all to do with spam. (The cause was an erroneous complaint, coupled with a hair-trigger policy by SpamCop.)
We also know that spammers have a history of trying to frame innocent people as being sources of spam. A basic method for doing this is common enough to have a name: “Joe job”. Attacking the apparent sources of spam just makes such misdirection more effective.
And finally, there’s the question of whether this is legal. The Heise Online article reaches no conclusion about its legality in Germany, and I don’t know enough to say whether it’s legal in the U.S. Lycos argues that it’s not really a denial of service attack because they’re careful not to block access to the sites completely. But they do brag about raising the sites’ costs and degrading the experience of the sites’ users. That’s enough to make it a denial of service attack in my book.
This idea – attacking spammer sites – is one that surfaces occasionally, but usually cooler heads prevail. It’s a real surprise to see a prominent company putting it into action.
[Link via TechDirt. And did I mention that TechDirt is a great source of interesting technology news?]
UPDATE (Dec. 6): Lycos has now withdrawn this program, declaring implausibly that it has succeeded and so is no longer needed.
This type of attack is certainly illegal in some US jurisdictions – Lycos is simply mistaken in focusing on “denial” of service, when, for example, Connecticut, Delaware, New Hampshire and West Virginia all prohibit attacks which “degrade” or “disrupt” computer services. A good summary of state laws (but which might now be slightly out of date) is given in this article.
I think there is always a well-engineered solution out there if Lycos can show the patience. Perhaps their marketing department wanted to get (the wrong kind of) publicity.
I appreciated the use of the terms – alleged and suspected.
The spammers Heise and you have mentioned: are you referring to mail servers (possibly unattended and hijacked) sending unwanted email, or to specific e-mail accounts?
I have spent a few days this past week addressing spammers specific to the blogging community. Many blogger applications have the option to show the “referer” HTTP header. Marketing (spamming) companies have begun sending fake “referer” headers to misrepresent the origin of an interested reader and promote the origin domain (where the person came from) in the search engine rankings. Here comes the point.
The last thing I would want to do from Lycos’ perspective is show up on the spammers’ (and possibly hackers’) radar. Just continuing with a peaceful strategy of routing as much mail – or porn/gambling referrals as my case may be – sounds like a more effective strategy.
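The referer spam described in the comment above leaves a recognisable trace in ordinary access logs, and the defensive response is to detect and suppress it rather than to answer it. The script below is an added example, not code from the post, the commenter or Lycos: it parses Apache combined-format log lines and flags referring hosts that are either on a locally maintained blocklist or are replayed against many distinct pages by very few client addresses (a genuine inbound link does the opposite, sending many visitors to one page). The log lines, host names and addresses are constructed for the example; `www.example.test` stands in for the site's own host.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of Apache "combined" access-log lines; hosts, addresses
# and paths are invented for this example, not taken from any real log.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2004:10:01:02 +0000] "GET /blog/2004/12/lycos HTTP/1.1" 200 5120 "http://example-news.test/links" "Mozilla/5.0"
10.0.0.9 - - [05/Dec/2004:10:01:40 +0000] "GET /blog/2004/12/lycos HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Dec/2004:10:01:45 +0000] "GET /blog/about HTTP/1.1" 200 1200 "http://www.example.test/blog/2004/12/lycos" "Mozilla/5.0"
192.0.2.17 - - [05/Dec/2004:10:02:11 +0000] "GET /blog/2004/11/spam HTTP/1.1" 200 4310 "http://cheap-pills.test/" "Mozilla/4.0"
192.0.2.17 - - [05/Dec/2004:10:02:12 +0000] "GET /blog/2004/10/dmca HTTP/1.1" 200 3990 "http://cheap-pills.test/" "Mozilla/4.0"
192.0.2.17 - - [05/Dec/2004:10:02:12 +0000] "GET /blog/2004/09/voting HTTP/1.1" 200 6001 "http://cheap-pills.test/" "Mozilla/4.0"
192.0.2.17 - - [05/Dec/2004:10:02:13 +0000] "GET /blog/about HTTP/1.1" 200 1200 "http://cheap-pills.test/" "Mozilla/4.0"
198.51.100.3 - - [05/Dec/2004:10:05:00 +0000] "GET /blog/2004/12/lycos HTTP/1.1" 200 5120 "http://casino-spam.test/promo" "Mozilla/4.0"
198.51.100.3 - - [05/Dec/2004:10:05:01 +0000] "GET /blog/2004/11/spam HTTP/1.1" 200 4310 "http://casino-spam.test/promo" "Mozilla/4.0"
10.0.0.22 - - [05/Dec/2004:10:06:30 +0000] "GET /blog/2004/11/spam HTTP/1.1" 200 4310 "http://example-news.test/links" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per combined-format line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def referer_host(referer):
    """Lowercase hostname of a Referer value, or None when it is absent ("-") or unparsable."""
    if referer in ("", "-"):
        return None
    host = urlparse(referer).hostname
    return host.lower() if host else None


def suspect_referers(text, own_hosts=(), blocklist=(), min_paths=3, min_paths_per_ip=3):
    """Return {referer_host: [reasons]} for external referers that look like referer spam.

    Nothing is fetched or contacted; the two signals are purely local:
      * the referring host is on a locally maintained blocklist;
      * one referer is replayed against many distinct pages by very few client
        addresses (a spammer "visiting" the site), whereas a genuine inbound link
        sends many different visitors to one page.
    """
    own = {h.lower() for h in own_hosts}
    blocked = {h.lower() for h in blocklist}
    paths = defaultdict(set)   # referer host -> distinct paths requested with it
    ips = defaultdict(set)     # referer host -> distinct client addresses
    for rec in parse_log(text):
        host = referer_host(rec["referer"])
        if host is None or host in own:      # ignore empty and internal referers
            continue
        paths[host].add(rec["path"])
        ips[host].add(rec["ip"])

    flagged = {}
    for host in paths:
        reasons = []
        if host in blocked:
            reasons.append("referer host is on the local blocklist")
        n_paths, n_ips = len(paths[host]), len(ips[host])
        if n_paths >= min_paths and n_paths / n_ips >= min_paths_per_ip:
            reasons.append(f"{n_paths} distinct pages hit from only {n_ips} client address(es)")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    report = suspect_referers(SAMPLE_LOG, own_hosts={"www.example.test"},
                              blocklist={"casino-spam.test"})
    for host, reasons in sorted(report.items()):
        print(host, "->", "; ".join(reasons))
```

On the constructed sample, `cheap-pills.test` is flagged by the replay heuristic (four pages from one address) and `casino-spam.test` by the blocklist, while `example-news.test`, which sent two different visitors to two posts, is left alone. A flagged host is a candidate for exclusion from the public referer list, not a target; the thresholds are starting points to tune against a site's own traffic.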
Well, the answer has come through technical code, always faster than legal code:
“A bid by Lycos Europe to launch denial of service attacks on spammers by use of a screensaver has been met with a sharp response – the website which it set up for people to download the screensaver was defaced overnight.
The site, makelovenotspam.com, bore a banner which said “Yes, attacking spammers is wrong, you know this, you shouldn’t be doing it. Your ip address and request have been logged and will be reported to your ISP for further action.””
From some work I did with a honey pot/deception vendor, offensive security is generally illegal in the U.S. But, offensive security is not illegal in the EU.
I think the CAN-SPAM Act has provisions in it making interfering with communications illegal. But, then the act can be considered to be as much permission to spam as it is a law to prevent it. By failing to make advertisers liable, the act grants spammers immunity from effective prosecution.
Famed spam-fighter Paul Graham (who first popularized Bayesian spam filters) suggested something similar which he called “Filters that Fight Back”. Graham’s concept is to request only URIs found in emails addressed to the user. So arguably the user’s computer isn’t pounding on a site for no good reason; it is following up on e-mail messages in order to filter them better and test their legitimacy. Graham also includes a human-reviewed blacklist.
This is almost like a sneaky way to implement a “pay per message” system that applies only to promoters of blacklisted sites.
The Filters that Fight Back FAQ answers various objections. I’m still not convinced of the legality.
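The comment above describes two ingredients of Graham's proposal: extracting the URIs from an incoming message and a human-reviewed blacklist. The purely defensive half of that, scoring a message by whether the hosts it promotes are blacklisted, needs no outbound requests at all. The following is an added example, not Graham's code or anything from the post or its commenters: it parses an RFC 822 message with the standard library, pulls `http`/`https` URIs from its text parts, normalises the hosts (lowercase, port and `www.` stripped) and matches them and their parent domains against a blacklist. The message, addresses and blacklist entries are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed, locally reviewed blacklist of promoted hosts (invented names).
BLACKLIST = {"cheap-pills.test", "casino-spam.test"}

# Matches absolute http/https URIs in free text; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample message; sender, recipient and hosts are invented.
SAMPLE_MESSAGE = """\
From: promo@cheap-pills.test
To: reader@example.test
Subject: special offer
Content-Type: text/plain; charset="us-ascii"

Visit http://WWW.CHEAP-PILLS.TEST/buy?ref=1 today!
Unsubscribe at https://mail.example.test/unsub/123
See also http://deals.casino-spam.test:8080/promo and <http://example-news.test/links>.
"""


def message_text(msg):
    """Concatenate the decoded text/* parts of a message; non-text attachments are ignored."""
    chunks = []
    for part in msg.walk():               # walk() yields the message itself when not multipart
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def normalize_host(url):
    """Hostname of a URI in canonical form, or None if it has none."""
    host = urlparse(url).hostname         # already lowercased, port and userinfo removed
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def blacklisted_hosts(raw_message, blacklist=BLACKLIST):
    """Sorted, de-duplicated hosts linked from the message that are blacklisted
    themselves or are subdomains of a blacklisted host."""
    msg = message_from_string(raw_message)
    hits = set()
    for url in URL_RE.findall(message_text(msg)):
        host = normalize_host(url)
        if host is None:
            continue
        labels = host.split(".")
        # Check the host and each parent domain, e.g.
        # deals.casino-spam.test -> casino-spam.test (the bare TLD is never checked).
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in blacklist:
                hits.add(host)
                break
    return sorted(hits)


if __name__ == "__main__":
    found = blacklisted_hosts(SAMPLE_MESSAGE)
    verdict = "suspected spam" if found else "no blacklisted hosts"
    print(verdict, found)
```

Running it on the sample message reports `cheap-pills.test` and `deals.casino-spam.test`; the unsubscribe link on the recipient's own mail host and the news site's link are not matched. This is the filtering decision; what Graham's proposal adds on top of it (fetching the URIs) is exactly the part whose legality the commenter doubts, and the filter works without it.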
Lycos’ attack spammers@home
I’d like to add one bit about Lycos’ new attack spammers screensaver. Ed Felten writes most of what needs to be said about it: This is a serious lapse of judgment by Lycos. For one thing, this kind of…