How to attack spammers in your sleep

comment Plans are afoot to attack spammers by launching the kind of cyber-attack favoured by organised crime and hackers with an axe to grind.

comment Plans are afoot to attack spammers, not by physically visiting their homes in Boca Raton and landing one on them, or even by using the power of the law to bring them to justice, but by launching the kind of cyber-attack favored by organized crime and hackers with an axe to grind.

The attacks in question will be distributed denial of service (DDoS) attacks deliberately launched to sap bandwidth and potentially bring down Web sites which advertise their products using spam e-mail.

The method of launch and propagation will require users to download a grid computing model screensaver from Lycos. Similar to the SETI screensaver which powers the search for extraterrestrial intelligence, it will combine the processing power of thousands of computers while they sit idle to power the attacks. The grid of machines will make constant requests against a list of sites maintained by SpamCop--effectively bombarding them with traffic.

It represents a coming full circle for the grid model or at least an ironic evolution of sorts.

Seen originally as a way for academic research to garner vast power, grid computing has become a principle used and abused by cybercriminals. Networks of machines unwittingly infected by Trojan horses are a grid of sorts--though their intended use is far from academic. Often such a network, which can be leased out by the remote 'owners' as a 'botnet', is the engine room for spam campaigns and DDoS attacks.

Perhaps the most famous use of DDoS attacks to date has been against online bookmakers where a 'pay-up or we'll cripple your Web site' ultimatum is delivered, often ahead of a period of heavy betting, such as the FA Cup final.

Some have paid up; others have felt the consequences of not doing so. Similarly a number of viruses in recent years have had some kind of DDoS endgame such as that which attacked the SCO and Microsoft Web sites.

Some in the industry have even predicted that the huge army of compromised PCs in existence may one day be used to launch a devastating DDoS attack crippling dozens of Web sites in a co-ordinated blitz.

So a DDoS attack is clearly a powerful and proven weapon, but the question here is whether that is justification enough for taking the law into our own hands, potentially committing an offence in the process and apparently legitimizing DDoS attacks.

Also where do we draw the line? Who is fair game, who isn't? And who decides?

At the moment the Lycos list of targets is maintained by SpamCop but neither body is authorized, licensed or regulated in such matters--other than the tempering effect of their own reputations

What is there though to stop other unregulated bodies launching attacks at other sites with the best intentions?

Starting with the pornographers, for example. If a Christian action group decided it wanted to take action against such Web sites, is its motive any less well-intentioned than Lycos?

If environmental campaigners decided to attack oil companies or if human rights organizations decided to target the Web sites of controversial regimes, are they any less legitimate? The bottom line is there are thousands of bodies, political parties and individuals with a Web presence who would attract willing attackers in effective numbers, but there is a line in the sand which is impossible to draw where the internet is concerned.

But do we accept in this instance the time has come to fight spammers on their own terms--turning the power and the ubiquity of the Internet against them?

Certainly the scheme, which is drawing a lot of press attention, will prove popular. The disenchanted masses of e-mail users, who are now beyond tired with the problem of spam e-mail, will sign up in their revenge seeking droves.

As far as illegality is concerned it may be required for an aggrieved party to come forward and lodge a complaint, which would 1) be a bit rich and 2) certainly blow their cover.

A spokesman for Lycos said: "This gives Internet users the opportunity to hit spammers where it hurts."

Which is true, so why is one respected anti-spam campaigner already cringing at the prospect?

Steve Linford from SpamHaus said: "It's irresponsible of Lycos to put its name to it because it lends legitimacy to DDoS attacks. You can't break into a thief's house just because he breaks into yours. We don't support this or recommend this practice. Directing traffic is part of the degradation of the Internet we are trying to stop."

What happens is yet to be seen. It could prove effective but the contents of this particular can of worms could do few long term favors to the Internet. My own personal feeling is that the problem of spam has grown so out of control some vigilantism is to be expected but mob rule, whatever the intention, has a history of proving more trouble than it is worth.

Part of me certainly wants to congratulate Lycos on the thought behind this and perhaps for sparking fresh debate on effective ways to crack down on spam, but in truth this is one which probably should have stayed in the brainstorming meeting.

Whatever the effect, a lot of people will be talking about Lycos over the coming weeks. Which is no bad thing--not least of all for Lycos. After all, when was the last time you visited its pages before today?