Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: I'm calling for LycosEU heads and team to resign or be sacked
From: Tatercrispies <tatercrispies () gmail com>
Date: Mon, 6 Dec 2004 14:15:52 -0500

Self regulate is NOT self retaliate. 

Why not?  Why can't retaliation be a form of regulation?  Is your
objection in general, or is there a specific to this case?

To go back to a previous message; in attacking spammers, I see the end
result as being the greater good.  Despite what another poster wrote,
the phrase "The ends justify the means" does not immediately
invalidate your argument, this is the essence of virtually all ethical
questions-- does one good outweigh a bad?

. I run a small mail server that services about 10 domains. At any
given time, I have approximately 500MB of spam stored on my server. I
pay, every night, to back up this garbage to tape, and pay the weekly
bandwidth fees to upload disk images to a remote server. Not to
mention the gigabytes of transfer a month I spend downloading spam to
my system an re-uploading it to mail clients.I could enforce mail
quotas, but I will never be able to force a hosting client to check
and clean their mail on a regular basis.

. More than once spammers have leveraged holes in the mail servers of
clients of mine. One mail server hard drive filled up with 60GB of
queued spam, and they had to pay me $100/hr to drive in and clean up
the mess.  Plus the company was without e-mail for a weekend and a
Monday. Another time, an improperly configured zombie _elsewhere_ was
attempting to send spam in excess of 10,000 messages a minute to a
server I was managing. It took two days for me to contact the other
administrator and get them to unplug the server.

. Every week I spend hours of what could be billable time cleaning out
my inbox. Sometimes I accidentally delete an legitimate message
without realizing it. This costs me.

All these things cumulate to be a very large cost to myself, but more
so to others with even larger organizations. E-mail is steadily
becoming an irrelevant method of communication, and unless we can
perfect a method to ignore or combat spammers, I really can't see
e-mail being an effective form of communication in five or ten years. 
Isn't that worth fighting for?

If I can help shut down a spammer by sending a few MB of traffic their
way every day, I'm for it.  What are the downsides?

. Extra traffic for backbone carriers
 + Spammers and their direct carriers will have to pay for it
 + If the spammer is shut down, then this is irrelevant as the net
bandwidth and costs to others will still be less
  - Might target an innocent, which is why such a tool is best
coordinated by SPAM professionals

. Ethics
  + If you object, you don't have to participate
  . Operates outside the law. Some other people on the list like
making (rather funny) analogies about physically assaulting your
mailman, but the impacts are primarily financial, and if done properly
affect only the ones that deserve it.  If a spammer is earning
$750,000USD a month, I feel no pity that I've increased his bandwidth
  - May seem morally questionable. Clearly this is subjective. I think
history can demonstrate that while brute force isn't typically the
best solution, sometimes it is the only answer.

Then, what will you do when (not IF) you'll receive X bazillions
polite emails requesting you to remove such-and-such random 
IP from your flood-list ? Will you really deal with all of those messages ?

This was intended tongue-in-cheek, but I would stop flooding a spammer
under the following conditions:

. They use opt-in mailing lists only, and no funny business like "We
got your address from a member site"
. They use their own resources to send bulk e-mail, and stop
leveraging the bandwidth and storage of unsecured mail servers
. They respect unsubscribe requests
. They do not attempt to mask the true sender, nor pull stupid
bullshit like "V1.4grAAa". If I want my mail server to block messages
with Viagra in it, then forcibly bypassing my mechanisms is an
personal insult.  Personally I can't see why spammers do this, if I'm
actively filtering spam, I'm obviously not going to buy your damn

I DO agree that strong measures should be taken against spammers. Legal ones, that is. No other way to keep a 
civilized society still civilized. 

That's an interesting point. Is this illegal?  Is it illegal to go to
the spammer's website and hit refresh fifty times? A hundred times? A
thousand times?  If it is, then I suppose this _is_ illegal, but my
gut feeling says it isn't. If not illegal, then maybe in a gray area.
I'm sending them this traffic of my own cognizance as a peaceful
protest. Is there any law in any country that makes this illegal?  If
not specifically defined, then in general what would you call this
sort of 'illegal' activity?

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]