Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

From: Tatercrispies (tatercrispies_at_gmail.com)
Date: 12/06/04

  • Next message: bkfsec: "Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?"
    To: full-disclosure@lists.netsys.com
    Date: Mon, 6 Dec 2004 14:15:52 -0500
    
    

    > Self regulate is NOT self retaliate.

    Why not? Why can't retaliation be a form of regulation? Is your
    objection in general, or is it specific to this case?

    To go back to a previous message; in attacking spammers, I see the end
    result as being the greater good. Despite what another poster wrote,
    the phrase "The ends justify the means" does not immediately
    invalidate your argument, this is the essence of virtually all ethical
    questions-- does one good outweigh a bad?

    . I run a small mail server that services about 10 domains. At any
    given time, I have approximately 500MB of spam stored on my server. I
    pay, every night, to back up this garbage to tape, and pay the weekly
    bandwidth fees to upload disk images to a remote server. Not to
    mention the gigabytes of transfer a month I spend downloading spam to
    my system and re-uploading it to mail clients. I could enforce mail
    quotas, but I will never be able to force a hosting client to check
    and clean their mail on a regular basis.

    . More than once spammers have leveraged holes in the mail servers of
    clients of mine. One mail server hard drive filled up with 60GB of
    queued spam, and they had to pay me $100/hr to drive in and clean up
    the mess. Plus the company was without e-mail for a weekend and a
    Monday. Another time, an improperly configured zombie _elsewhere_ was
    attempting to send spam in excess of 10,000 messages a minute to a
    server I was managing. It took two days for me to contact the other
    administrator and get them to unplug the server.

    . Every week I spend hours of what could be billable time cleaning out
    my inbox. Sometimes I accidentally delete a legitimate message
    without realizing it. This costs me.

    All these things cumulate to be a very large cost to myself, but more
    so to others with even larger organizations. E-mail is steadily
    becoming an irrelevant method of communication, and unless we can
    perfect a method to ignore or combat spammers, I really can't see
    e-mail being an effective form of communication in five or ten years.
    Isn't that worth fighting for?

    If I can help shut down a spammer by sending a few MB of traffic their
    way every day, I'm for it. What are the downsides?

    . Extra traffic for backbone carriers
     + Spammers and their direct carriers will have to pay for it
     + If the spammer is shut down, then this is irrelevant as the net
    bandwidth and costs to others will still be less
      - Might target an innocent, which is why such a tool is best
    coordinated by SPAM professionals

    . Ethics
      + If you object, you don't have to participate
      . Operates outside the law. Some other people on the list like
    making (rather funny) analogies about physically assaulting your
    mailman, but the impacts are primarily financial, and if done properly
    affect only the ones that deserve it. If a spammer is earning
    $750,000USD a month, I feel no pity that I've increased his bandwidth
    bill.
      - May seem morally questionable. Clearly this is subjective. I think
    history can demonstrate that while brute force isn't typically the
    best solution, sometimes it is the only answer.

    > Then, what will you do when (not IF) you'll receive X bazillions
    > polite emails requesting you to remove such-and-such random
    > IP from your flood-list ? Will you really deal with all of those messages ?

    This was intended tongue-in-cheek, but I would stop flooding a spammer
    under the following conditions:

    . They use opt-in mailing lists only, and no funny business like "We
    got your address from a member site"
    . They use their own resources to send bulk e-mail, and stop
    leveraging the bandwidth and storage of unsecured mail servers
    . They respect unsubscribe requests
    . They do not attempt to mask the true sender, nor pull stupid
    bull*** like "V1.4grAAa". If I want my mail server to block messages
    with Viagra in it, then forcibly bypassing my mechanisms is a
    personal insult. Personally I can't see why spammers do this, if I'm
    actively filtering spam, I'm obviously not going to buy your damn
    Viagra.

    > I DO agree that strong measures should be taken against spammers. Legal ones, that is. No other way to keep a civilized society still civilized.

    That's an interesting point. Is this illegal? Is it illegal to go to
    the spammer's website and hit refresh fifty times? A hundred times? A
    thousand times? If it is, then I suppose this _is_ illegal, but my
    gut feeling says it isn't. If not illegal, then maybe in a gray area.
    I'm sending them this traffic of my own cognizance as a peaceful
    protest. Is there any law in any country that makes this illegal? If
    not specifically defined, then in general what would you call this
    sort of 'illegal' activity?

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

