Schneier on Security
A blog covering security and security technology.
« An Impressive Car Theft |
| Sensible Security from New Zealand »
December 2, 2004
Striking Back Against Spammers
From The Register:
Lycos Europe has started to distribute a special screensaver (http://makelovenotspam.com/intl) in a controversial bid to battle spam. The program -- titled Make Love Not Spam, and available for Windows and the Mac OS -- sends a request to view a spam source site. When a large number of screensavers send their requests at the same time the spam web page becomes overloaded and slow.
I don't like spam either, but this is not how to go about defeating it. It's vigilante justice, and it's morally and ethically wrong.
I've written about it before:
...vigilantism: citizens and companies taking the law into their own hands and going after their assailants. Viscerally, it's an appealing idea. But it's a horrible one, and one that society after society has eschewed.
Our society does not give us the right of revenge, and wouldn't work very well if it did. Our laws give us the right to justice, in either the criminal or civil context. Justice is all we can expect if we want to enjoy our constitutional freedoms, personal safety, and an orderly society.
Anyone accused of a crime deserves a fair trial. He deserves the right to defend himself, the right to face his accuser, the right to an attorney, and the right to be held innocent until proven guilty.
Vigilantism flies in the face of these rights. It punishes people before they have been found guilty. Angry mobs lynching someone suspected of murder is wrong, even if that person is actually guilty.
As emotionally satisfying as it might be to get back at the spammers, as much as the spammers deserve it, please think twice before downloading and using this tool.
UPDATE: Another danger -- this kind of thing easily escalates as those counterattacking are, in turn, attacked back.
Posted on December 2, 2004 at 9:38 AM
• 17 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm not a security expert, but...
Given the realities of using bots (hijacked computers) and spoofed IP addresses by spammers, chances are that this "payback" would be taken against other innocent victims anyway. Grandma Smith's PC could be the one that gets attacked.
According to this story, the Lycos hacking story is a hoax
You neglect to remind people of a huge reason not to use such a tool: It gives spammers the power to direct massive denial-of-service attacks against any website they choose, just by including an innocent URL in their spam.
Spammers can easily afford to make 10% of their spam include links to innocent websites, and without an army of human URL-checkers (that never make mistakes, of course) this tool is easily turned against us.
Also, it rewards hosting companies that host spamvertised sites even as it punishes spammers, and given the amount of individual spammers out there it's a hopeless game of whack-a-mole that will never make a blind bit of difference.
Bit crap, really.
Who decides what urls are "spam urls"? Is it automatic?
Let's say spammers start including legit urls as part of their spam (as most phishing emails do). Now your distributed screensaver is going to hurt real businesses...
I agree with Bruce. It doesn't seem that Lycos spent much time actually thinking about this whole screensaver idea, hopefully they at least have some of the simple safeguards mentioned by others.
The way I see it, the whole spam issue is simple to solve. Just shut down their Internet connections! It would be fairly simple for an ISP to examine their email traffic for things like email message quantity, destination, valid return address, same content in multiple messages, etc. (could have a set of criteria to score a "hit") and if an email account fits the pattern, flag that account and connection as a possible spammer and investigate. The same could be done for multiple email accounts at a given ISP (i.e. the same message or pattern is hit across multiple accounts), flag the accounts as spammers and shut them down.
The reason this doesn't occur is... money. The ISPs make huge amounts of money from spammers who need lots accounts and use lots of bandwidth to send all that spam.
I had to laugh when I recently read that a spammer was caught and had multiple T1 lines into a residence! Hello! Didn't the ISP check into this? Who needs a T1 line at a residence (or 2 or 3 T1s)? While there may be legitimate reasons to have this much bandwidth at a residence, it would have been a simple matter for the ISP to check if that T1 is sending millions of spam email messages. The reason they don't... if the spammer was making $700k+ per month, think of all the money the ISP was making off those T1 lines, the spammer may have been that ISPs best customer!
With regards to ISP screening mail messages originating from their networks for spam: wouldn't it be illegal for them to do so? Isn't the contents (ie. the body) of an email considered private (never mind that it is send in clear text)?
If a message passes through a server owned and operated by an ISP (or anyone else, for that matter), the operator of the server has the right to view the contents. It's typically part of the contract for service, and is legally the default, as there are no laws protecting email messages from interception as there are for telephone calls. The owners of the server may then do anything they want with the message, as long as they do not violate any laws or breach contracts. The same thing applies to computers at your place of business. Network administrators can archive all email messages, log all web accesses, and install keylogging software, and they can use the data however they want (once again, within the law and within terms of contracts).
To put it simply: if you use my server, I can monitor anything and everything you do.
I believe there are currently no restrictions on online activity logs. The FBI could ask your ISP for logs of your usage and the ISP can hand them over (if they so desire), with no evidence or court order. The ISP is simply a normal business, as opposed to the phone company, which has obligations defined by law.
The lycos screensaver is an expression of the frustration about powerlessness to do anything about spam. Our governments / ISPs are not policing the situation and appear to be making no progress on eliminating spam. That situation in my opinion leads to vigilante action becoming more prevalent. A better way to fight spam is to make it the ISPs problem - customers should use their buying power to favor ISPs that have a spam zero tolerance policy and offer mail filtering or put pressure on their ISP by contacting other customers and lobbying for spam protection.
With regard to the Lycos campaign: Maybe this is just another form of more subtle advertising than the spammers themselves! I think Lycos has done well from this campaign. However, I do find spam annoying, and when it uses MY bandwidth which costs me money, I think about spam as theft. Bruce's idealistic attitudes about the right and wrong of vigilantism is of course right on. However, here in the UK and perhaps even in the US, justice has a price, and Im afraid it isn't interested in the pennies that the spammers are stealing from me. Its wrong, it unfair, but sometimes that's life. We can chose to accept it as a "running cost" of life (like your car insurance which is a lot of money if you never have an accident!) or we can chose to get upset by it and stew on it, and get angry and have it ruin relationships cos we're all tensed up by it. I'd suggest that we take pleasure in knowing we're right and that we're better people for it. Take pleasure in that fact alone. And have a wonderful day! "Make love....not spam !" ;-) Having said all this of course, I don't have kids myself, but I think that some of the spam is wholey inappropriate for minors. I think it can be damaging, and if I had children, I would want to protect them. The benefits of having an information resource as powerful as the internet and email is tremendous, and whilst the law seems ineffective what do we do until it is...?
On the topic of spam filtering, besides organizations, many ISPs already provide services to automatically filter spam out of their user's email accounts. In the ISP case, there is usually an extra fee (for better filtering, tuning, etc.), with some basic level of service thrown in.
It seems to me that if the technology is available (filters, pattern matching, etc.) for ISPs to remove spam on the way out of "the Internet cloud", those same tools and technologies could be used to prevent those same messages from ever getting into "the Internet cloud" in the first place.
It is also interesting that those (aka ISPs) with the best chance to prevent spam from ever getting into "the Internet cloud" are also those that have the ability to profit from its existance (bit of a conflict there). Let's see... The ISPs sell more and more bandwidth to let spam into "the cloud" and then turn-around and sell services to filter those same messages when they come out of "the cloud". Hmmmm... Someone will pay to introduce noise into the system and someone else will pay to filter that same noise out... Seems like the making of an industry ;-)
You do realize that laws only work when they are enforced by the police or government. None of that is really happening. Also remember that the laws of one country do not apply to all either.
What end result does that leave? Massive blacklists against IP blocks are the trend right now, China, S.Korea, Eastern Europe.
In the end result, this leaves with a few choices...you can use machines to get rid of the spam. You can try and get ISP's to pull their cash-cow spammers. Or you can soak up the spammers bandwidth until they are broke and the idiots who click on the stuff go away.
Some call hitting spammers back vigilantism, others call it self-defense.
Most major ISPs are already using blacklists -- several of which are publicly available -- to block all attempts to connect to known spammer IP addresses (both those that originate large amounts of spam, DOS attacks, etc. and those that host web sites advertised in spam).
Therefore the most likely result of this tactic will be that anybody who uses the "vigilante" screen saver will get himself, or his ISP, blacklisted. While this is rather amusing, it also hurts bystanders. I sure hope nobody does it from my ISP.
As for vigilantes in general, I mostly agree with Bruce. Yes, there are situations where there is no effective law and mob violence is the only way -- for example, last year's coup in Georgia. But as John Locke showed, going that route carries a huge price in blood and treasure, and should only be considered in desperate, life-and-death situations. Spam and hackers just aren't in that league, even if they shut down the whole Internet.
I just go after them the old fashioned way. The tools are there, free, take a little effort to learn, and when I track them down, I report them, to ISPs, administrators, prosecutors. I've even got phone companies involved, local BBBs, your imagination can go a long way. It works. It gets accounts shut down, and eventually, sued. It takes time, and yes, patience, but it's like inertia. I can't clean up the whole thing, but I get a spot, you get a spot, she gets another....
Legal, absolutely. You have the evidence, you pass it to proper authorities, and they act, within their limits, and with any other evidence they obtain; You are NOT a vigilante - you are a responsible citizen! When enough of you act, the authorities will act.
Spoofs, IP masking, other methods, yes, they are like their offense and defense. But they have their plays, I have mine. As a team effort, ISPs and other parties use resources and skills I don't have. I may not get him, but somebody else might. And I DON'T think there's going to be any lack of "evidence" to work with.
Moral, well, you're not playing "Lone Ranger". If the powers that be decide they can't make a case, you still havn't gone "over the line", so no harm, no foul. This is about doing the right thing, the right way. And you won't be acting alone. So I don't see a qualm in the world.
And I'll be honest, It's fun! I love getting a spammer's account whacked! It's the last "big game hunting" you can have today, the world is yours to roam, and there's no bag limit!
Although the spam for me has dwindled to next to nothing. (KOW) If there's a list, a REAL list the spammers know not to mail to, then surely I must be on it by now! And that's fine by me, too.
Don't you think that there's a contradiction between promoting civil disobedience of unjust laws on one hand and promoting reliance on the law to create justice on the other hand?
If we want justice and democracy, our only choice is to create it ourselves. Our leaders have demonstrated time and again that they have no interest in doing so.
Something needs to be done coz they have just release ADSL Max 8mbps on the world and its going to just et worse! The worst thing is the British Telecom are billing my ISP for the DOS traffic and in turn my ISP bills me! They have already warned that I'm not econimicaly viable :/
I blame those looking after our border routers. Big telecos dont care because they are billing everyone for it but concider this if they billed your phone for th fact that it rang wouldn't you be mad? Someone needs to start taking their ISPs to the law courts!!!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.