Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2004/09/23 09:39:11 UTC

SlashDotting spammers

Every time I see a spam story on SlashDot I think how the SlashDot effect 
could be used for good by getting everyone to visit the spammer's site and 
take it to its knees, while driving up the spammer's bandwidth bill. Check 
out the first few posts in today's story:

<http://it.slashdot.org/article.pl?sid=04/09/22/1355238>

It makes me wonder if there's some way to grab a random link from SURBL to 
consume a spammer's bandwidth allocation.

Re: SlashDotting spammers

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Thursday, September 23, 2004 4:13 AM -0400 Matt Kettler 
<mk...@comcast.net> wrote:

> 3) this could be profitable for the spammer if the link is on a
> click-based ad revenue generation system.

At least until the ad supplier catches on to it.



Re: SlashDotting spammers

Posted by Matt Kettler <mk...@comcast.net>.
At 01:05 AM 9/23/2004 -0700, Will Yardley wrote:
> > It makes me wonder if there's some way to grab a random link from SURBL to
> > consume a spammer's bandwidth allocation.
>
>This scheme has been suggested before.
>
>There are a couple of reasons why it's not a good idea...

And let's not forget:

3) this could be profitable for the spammer if the link is on a click-based 
ad revenue generation system. 


Re: SlashDotting spammers

Posted by Will Yardley <sa...@veggiechinese.net>.
On Thu, Sep 23, 2004 at 12:39:11AM -0700, Kenneth Porter wrote:

> Every time I see a spam story on SlashDot I think how the SlashDot effect 
> could be used for good by getting everyone to visit the spammer's site and 
> take it to its knees, while driving up the spammer's bandwidth bill.
[...]
> It makes me wonder if there's some way to grab a random link from SURBL to 
> consume a spammer's bandwidth allocation.

This scheme has been suggested before.

There are a couple of reasons why it's not a good idea...

1) Fighting abuse with abuse (essentially creating a DOS attack) is not
IMO an acceptable solution to a problem, and makes the recipient of spam
(who, believe it or not, may not know all the facts) judge, jury and
executioner.
2) It makes it very easy for a spammer (or someone else) to indirectly
DOS attack a target by sending out spam with the target's URL.


Re: SlashDotting spammers

Posted by Jeff Chan <je...@surbl.org>.
How about getting more people to use SURBLs, so once the spam
sites get listed, they get a lot less traffic?  The silent
treatment may be better. 

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: SlashDotting spammers

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Thursday, September 23, 2004 12:34 PM -0700 Will Yardley 
<sa...@veggiechinese.net> wrote:

> So what happens when said site is hosted by a legitimate web host which
> acts on complaints? You end up driving up said hosting company's
> bandwidth bills and (more importantly) very likely taking down other
> sites on the same webserver instance.
>
> Also, in case you hadn't heard, spammers often use bogus CC info, don't
> pay their bills, etc.

How about only taking action if the URL remains active for a couple days or 
more, indicating a lax hosting company?

> And, for anything like this to work (and again, I still argue that this
> isn't the right approach), you need to have a lot of people hitting the
> site all at once, which conflicts with doing all of these checks in a
> reasonable and safe way.

I recall seeing a site that set up a web page that used JavaScript to 
rapidly reload images from a well-known offender. The idea was to get lots 
of people visiting that page so that they'd start hammering the spammer's 
site from many IPs.

Re: SlashDotting spammers

Posted by Will Yardley <sa...@veggiechinese.net>.
On Thu, Sep 23, 2004 at 11:05:30AM -0700, Justin Mason wrote:
> Kenneth Porter writes:

> > Every time I see a spam story on SlashDot I think how the SlashDot
> > effect could be used for good by getting everyone to visit the
> > spammer's site and take it to its knees, while driving up the
> > spammer's bandwidth bill. Check out the first few posts in today's
> > story:
> > 
> > <http://it.slashdot.org/article.pl?sid=04/09/22/1355238>
> > 
> > It makes me wonder if there's some way to grab a random link from
> > SURBL to consume a spammer's bandwidth allocation.

btw, this is the older article I mentioned earlier, which suggests
something similar
http://it.slashdot.org/article.pl?sid=03/10/09/1959248&tid=111

> It *could* work, in my opinion.
> 
> First, you would have to establish that (a) the spammer him/herself is
> paying for the site's hosting (ie. that the site isn't a proxy, a
> compromised machine, etc.).   This could be determined by working out
> what network it's on -- if it's a known spammer-infested hosting
> network, like some parts of Chinanet, you could make that assumption.

So what happens when said site is hosted by a legitimate web host which
acts on complaints? You end up driving up said hosting company's
bandwidth bills and (more importantly) very likely taking down other
sites on the same webserver instance.

Also, in case you hadn't heard, spammers often use bogus CC info, don't
pay their bills, etc.

In most, if not almost all, cases, this tactic will end up hurting lots
of people, but rarely spammers. I suspect that most of the people
suggesting things like this have not been the target of a large scale
DOS / DDOS attack.

And, for anything like this to work (and again, I still argue that this
isn't the right approach), you need to have a lot of people hitting the
site all at once, which conflicts with doing all of these checks in a
reasonable and safe way.


Re: SlashDotting spammers

Posted by Steve Bertrand <ia...@ibctech.ca>.
> Steve Bertrand wrote:
>>>Finally, I would suggest that bombarding their purchasing forms with
>>>valid-looking purchase data, might work better.
>>
>>
>> As someone who deals with the consequences of DoS attacks, I disagree
>> firmly with that approach, however...the above idea seems very
>> entertaining and I was LMAO when I read it...
>
>
> There seems to be a very grey line here.   The spammers send email
> containing HREF or IMG tags that they fully intend to have the
> recipient click on, or in the case of IMG tags, to have an agent for
> the recipient (mail client) retrieve.
>
> What is the difference between a recipient clicking on an HREF
> multiple times, or viewing the email (and loading the IMGs) multiple
> times, and an agent of the recipient performing similar actions?  I
> don't think that at a fundamental level there is a difference.
>
> If you publish anything on the web by any means the publisher has to
> accept that the slashdot effect is one of the possible consequences of
> publication.
>
> I do suppose though that it boils down to an issue of intent.  Viewing
> an email and its associated HREFs or IMGs is different than feeding
> these URLs to a process with the _intent_ that it consume large
> amounts of resources of the target.
>
> Hmmm...  Damn, it's too bad because I like the idea.  They use zombies
> and spambots against us, why can't we use similar systems against
> them!

AFAIK, one of the ideas to get rid of the spam (yes only one) is to
clean up the crap clogging the pipes. Fighting fire with fire (or in
this case bytes with bytes) will just make worse the traffic jams we
have to deal with.

Save the load on the infrastructure, and instead, tie them up in a
chair in their house, then set the house on fire or something.
Partially kidding of course.

If we must continue this approach, a much more elegant and clean way
to do this is hack the boxes the mail is being spewed from, the boxes
the sites reside on, and implement a good strategy to have the mail
servers bombard themselves with email, and have the web servers
pollute their own databases with corrupt data. This will at least save
the bandwidth for better things...like mailing list rants like this
;o)

/*
Disclaimer... I am in no way in any proper frame of mind right now.
I can not be held accountable for actions taken in part, or in whole 
based on the ideas or thoughts contained in this email
*/

:o) Steve

>
>   - Mike



Re: SlashDotting spammers

Posted by Mike Hogsett <ho...@csl.sri.com>.
Steve Bertrand wrote:
>>Finally, I would suggest that bombarding their purchasing forms with
>>valid-looking purchase data, might work better.
> 
> 
> As someone who deals with the consequences of DoS attacks, I disagree
> firmly with that approach, however...the above idea seems very
> entertaining and I was LMAO when I read it...


There seems to be a very grey line here.   The spammers send email containing
HREF or IMG tags that they fully intend to have the recipient click on, or in the
case of IMG tags, to have an agent for the recipient (mail client) retrieve.

What is the difference between a recipient clicking on an HREF multiple times, or
viewing the email (and loading the IMGs) multiple times, and an agent of the recipient
performing similar actions?  I don't think that at a fundamental level there is a
difference.

If you publish anything on the web by any means the publisher has to accept that the
slashdot effect is one of the possible consequences of publication.

I do suppose though that it boils down to an issue of intent.  Viewing an email and
its associated HREFs or IMGs is different than feeding these URLs to a process with
the _intent_ that it consume large amounts of resources of the target.

Hmmm...  Damn, it's too bad because I like the idea.  They use zombies and spambots against
us, why can't we use similar systems against them!

  - Mike





Re: SlashDotting spammers

Posted by Steve Bertrand <ia...@ibctech.ca>.
> Finally, I would suggest that bombarding their purchasing forms with
> valid-looking purchase data, might work better.

As someone who deals with the consequences of DoS attacks, I disagree
firmly with that approach, however...the above idea seems very
entertaining and I was LMAO when I read it...

Tks for the chuckle ;o)

Steve


>
> - --j.