Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: I'm calling for LycosEU heads and team to resign or be sacked
From: dcdave () att net
Date: Mon, 06 Dec 2004 21:17:24 +0000

two points should be mentioned in this discussion.

1) I have done several investigations of malicious code, intrusions, etc, and discovered it is almost impossible to 
avoid "collateral damage". Hackers and spammers working through someone else's machine are common. Does retaliation 
which does more damage to innocent people and may not even touch the spammer justify the means?

Of course, you could say that if that person is so unaware that he does not have his security up, he is causing the 
problem, but how will he know what he's done if you block his communication channels?

I woud recommend a nice email detailing the real damage and spiritual damage caused by spam, aned what they might do to 
find a better way to make a living.. Lots of spammers are simply trying to make a living, and don't feel they have 
other options. 

2) Retaliation leads to retaliation. Not to get into politics, but what opinion do you think the Arab and Muslim worlds 
have of George Bush and what he is doing with his bullying/terroristic power play in their back yards? Not to mention 
what they think of the American People for (allegedly) electing him again?
As a former member of the National Security Team I can vouch for their (Arab/Muslim) long memories and grudges. The 
Arab and Muslim worlds are uniting agaist a common bully. Groups that were on the edge or undecided are now joining the 
anti-Americans. We will pay or our children will pay for this. 

How will we pay for damages, both direct and collateral?

we need to find a better response.

I thought I was doing the right thing in Viet Nam at the time, but I am paying for it now in my soul.
People who have been in a war know that it is not the right solution to the problem.
If we don't learn from our mistakes, we are doomed to repeat them.

"Peace in your hearts, peace in the world" - Dali Lama
"There is a big difference between kneeling down and bending over" - Bob Dylan

InfoSec Group 

-------------- Original message from Tatercrispies <tatercrispies () gmail com>: -------------- 

Self regulate is NOT self retaliate. 

Why not? Why can't retaliation be a form of regulation? Is your 
objection in general, or is there a specific to this case? 

To go back to a previous message; in attacking spammers, I see the end 
result as being the greater good. Despite what another poster wrote, 
the phrase "The ends justify the means" does not immediately 
invalidate your argument, this is the essence of virtually all ethical 
questions-- does one good outweigh a bad? 

. I run a small mail server that services about 10 domains. At any 
given time, I have approximately 500MB of spam stored on my server. I 
pay, every night, to back up this garbage to tape, and pay the weekly 
bandwidth fees to upload disk images to a remote server. Not to 
mention the gigabytes of transfer a month I spend downloading spam to 
my system an re-uploading it to mail clients.I could enforce mail 
quotas, but I will never be able to force a hosting client to check 
and clean their mail on a regular basis. 

. More than once spammers have leveraged holes in the mail servers of 
clients of mine. One mail server hard drive filled up with 60GB of 
queued spam, and they had to pay me $100/hr to drive in and clean up 
the mess. Plus the company was without e-mail for a weekend and a 
Monday. Another time, an improperly configured zombie _elsewhere_ was 
attempting to send spam in excess of 10,000 messages a minute to a 
server I was managing. It took two days for me to contact the other 
administrator and get them to unplug the server. 

. Every week I spend hours of what could be billable time cleaning out 
my inbox. Sometimes I accidentally delete an legitimate message 
without realizing it. This costs me. 

All these things cumulate to be a very large cost to myself, but more 
so to others with even larger organizations. E-mail is steadily 
becoming an irrelevant method of communication, and unless we can 
perfect a method to ignore or combat spammers, I really can't see 
e-mail being an effective form of communication in five or ten years. 
Isn't that worth fighting for? 

If I can help shut down a spammer by sending a few MB of traffic their 
way every day, I'm for it. What are the downsides? 

. Extra traffic for backbone carriers 
+ Spammers and their direct carriers will have to pay for it 
+ If the spammer is shut down, then this is irrelevant as the net 
bandwidth and costs to others will still be less 
- Might target an innocent, which is why such a tool is best 
coordinated by SPAM professionals 

. Ethics 
+ If you object, you don't have to participate 
. Operates outside the law. Some other people on the list like 
making (rather funny) analogies about physically assaulting your 
mailman, but the impacts are primarily financial, and if done properly 
affect only the ones that deserve it. If a spammer is earning 
$750,000USD a month, I feel no pity that I've increased his bandwidth 
- May seem morally questionable. Clearly this is subjective. I think 
history can demonstrate that while brute force isn't typically the 
best solution, sometimes it is the only answer. 

Then, what will you do when (not IF) you'll receive X bazillions 
polite emails requesting you to remove such-and-such random 
IP from your flood-list ? Will you really deal with all of those messages ? 

This was intended tongue-in-cheek, but I would stop flooding a spammer 
under the following conditions: 

. They use opt-in mailing lists only, and no funny business like "We 
got your address from a member site" 
. They use their own resources to send bulk e-mail, and stop 
leveraging the bandwidth and storage of unsecured mail servers 
. They respect unsubscribe requests 
. They do not attempt to mask the true sender, nor pull stupid 
bullshit like "V1.4grAAa". If I want my mail server to block messages 
with Viagra in it, then forcibly bypassing my mechanisms is an 
personal insult. Personally I can't see why spammers do this, if I'm 
actively filtering spam, I'm obviously not going to buy your damn 

I DO agree that strong measures should be taken against spammers. Legal ones, 
that is. No other way to keep a civilized society still civilized. 

That's an interesting point. Is this illegal? Is it illegal to go to 
the spammer's website and hit refresh fifty times? A hundred times? A 
thousand times? If it is, then I suppose this _is_ illegal, but my 
gut feeling says it isn't. If not illegal, then maybe in a gray area. 
I'm sending them this traffic of my own cognizance as a peaceful 
protest. Is there any law in any country that makes this illegal? If 
not specifically defined, then in general what would you call this 
sort of 'illegal' activity? 

Full-Disclosure - We believe in it. 
Charter: http://lists.netsys.com/full-disclosure-charter.html 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]