Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Make Love Not Spam Decentralized

By twestgard in Internet
Sat Dec 04, 2004 at 10:22:23 AM EST
Tags: Internet (all tags)
Internet

Lycos Europe released a screen saver that would pepper spam sites with requests for pages, in an effort to burden their bandwidth. Now it's disabled, but in very fixable ways...


As Internet junkies will already have heard by now, on December 1, 2004, Lycos Europe released a screen saver named Make Love Not Spam (MLNS).

The purpose of the screensaver was to harass sites that send out spam through a modified Denial of Service (DoS) attack. A DoS attack, for the less internet savvy, is a way of disabling a website (more specifically the computer it's on - the "host") by sending so many requests for pages that it overloads and can't function. When you load a page in your browser, your browser must first send a request to the website to send out the page. The request is a very small effort for your computer to send out. The host computer then spends a fair amount of time and effort to send out the whole page. There is no reason that your computer must accept the page, however. For the totally computer illiterate, think of the difference between the amount of effort your boss expends in asking for a report, versus your effort in producing it.

The difference between the small effort required to request a page and the large effort to send a page of ordinary size out creates a disadvantage for the host computer. Even in a one-on-one battle between two equally matched computers, the requesting computer will win easily. Although servers tend to be large, powerful computers, relatively few smaller computers are needed to disable a server. Hackers have used these DoS attacks to disable computers, perhaps most famously the successful attack on Microsoft's Hotmail email system, which inexplicably was at that time subject to the amateurish mistake of hosting the whole thing on a single server. Microsoft has since changed the setup.

DoS attacks are illegal in a number of ways. Some governments have created criminal sanctions for this type of attack. Also, the owner of a site disabled by DoS attack may have grounds for action against the hacker if damage results.

Thus, Lycos' decision to use DoS methodology was a somewhat risky proposition from a legal perspective. However, Lycos modified the standard DoS pattern to one less likely to totally disable a site. Rather than attacking a site with intent to totally disable it, the MLNS program was set up only to make a partial burden on the sites. By monitoring the amount of bandwidth (how much capacity to send out pages) each spam site has, MLNS could refrain from sending so many requests that the site would only be using a portion of its bandwidth, say, 50%.

However, even occupying half the available bandwidth of a particular site is a significant event. Servers generally charge a larger fee for sites that use a lot of bandwidth. So, even without actually disabling the sites, they are likely to incur additional costs for use of the bandwidth resources. This partial attack may or may not be illegal under the laws that prevent a full DoS attack. Since a request for a page is sent every time you press the refresh button on your browser, a law prohibiting a Lycos MLNS type of activity would have to specify how many times you are allowed to press the refresh button. 12? 16?

Lycos' MLNS was operated by a central server that identified problem sites, and then picked a limited number for harassment by each personal computer that held the screensaver. The personal computer would then send out the actual requests.

Unsurprisingly, server/host companies disliked the idea. Almost all sites are hosted on servers that hold other sites, sometimes numbering in the hundreds. Thus, a DoS attack on one site actually burdens not only the one site, but restricts the bandwidth available to all the sites hosted on that computer. From the perspective of the server's company, many customers are being burdened. From the perspective of the person receiving spam, putting a burden on companies that allow spammers to use their computers may not be such a bad thing.

In order to interrupt the attack by Lycos MLNS, server companies created "black holes" to interrupt the connection between the personal computers and Lycos MLNS. Lycos has apparently shut off its central server, pending a decision on what to do next.

Lycos has opened a Pandora's box with the partial DoS attack concept, however. Spam is sent out for the specific purpose of getting people to request pages (and presumably to read them), just as other sites wish, so prohibiting people from requesting pages is not practical or desirable. How many requests is too many is a somewhat difficult matter to decide, and more so to enforce.

The soft spot in Lycos' overall plan was the central server, a totally unnecessary part of the plan. Since every email account receives spam, each user is capable of identifying problem sites. Further, to the extend that Lycos faced possible liability for DoS attacks, having the individual user identify the problem sites decreases or eliminates Lycos' responsibility in the event an attack is excessive or misplaced.

Whatever Lycos decides to do next with MLNS, we can reasonably expect to see more programs of a similar character. One obvious structure would be to integrate a partial DoS attack mechanism into an email program, such that the user could forward each spam email into an account that would automatically add it to its list of targets.

Just wait. Or, let me know when you have your program up and running.

Thomas J. Westgard
Illinois Mechanics Lien

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o Illinois Mechanics Lien
o Also by twestgard


Display: Sort:
Make Love Not Spam Decentralized | 32 comments (21 topical, 11 editorial, 0 hidden)
I like your stuff (1.80 / 10) (#7)
by MichaelCrawford on Thu Dec 02, 2004 at 11:12:33 PM EST

Your diaries have been very interesting to read. I like what you post here. Keep posting it. Don't let the trolls get you down.


--

Live your fucking life. Sue someone on the Internet. Write a fucking music player. Like the great man Michael David Crawford has shown us all: Hard work, a strong will to stalk, and a few fries short of a happy meal goes a long way. -- bride of spidy


Thanks, and don't worry about the trolls. (none / 1) (#20)
by twestgard on Sat Dec 04, 2004 at 12:52:04 PM EST

The trolls don't really get to me - they're a familiar group, if you know how to ID them properly. I've done a fair amount of work with with people with special needs, the mentally disabled and mentally ill. They aren't always very nice, because they're frustrated by persistent feelings of powerlessness and social victimization. They don't always smell good or have clean teeth or clothes. And they aren't always coherent. But with a little wisdom, a little courtesy, a lot of patience, and frequent breaks from their company, they really aren't that hard to deal with. Maybe you've seen my diary entry on Christianity as it relates to trolls.

K5 is a little like a group home. No matter what you were like when you arrived, if you stay too long, you'll fit right in. Beware the Group Home California.


Thomas Westgard
Illinois Mechanics Liens
[ Parent ]

Problem (2.50 / 4) (#10)
by driptray on Thu Dec 02, 2004 at 11:44:18 PM EST

How could an automated system differentiate between a genuine spam URL contained in a spam message, and a legitimate URL (say, www.lycos.com) that a spammer put in a spam message?

In other words, joe-jobbing.
--
We brought the disasters. The alcohol. We committed the murders. - Paul Keating

Plenty of ways to deal with that. Here's a list. (none / 0) (#18)
by twestgard on Sat Dec 04, 2004 at 12:03:19 PM EST

I see the problem of spam-spoofing as a way to create a DoS attack on someone you don't like for whatever reason. The idea could use some modification to confront that. I still think that, overall, the benefits outweigh the risks.

I think the great part about this spam-spoofing "problem" is that it assumes that this MLNS concept would be a highly effective way of attacking genuine spam sites. Notice that it was the server owners that objected, not the spammers, because both the server companies and the spammers understand that the server companies are choosing to deal with scum. Think this through - the spammers are going to disappear and not pay their bills to the server companies. So the real burden gets put on the server companies. But since they are in the best position to filter and control the spammers, that's great.

We all know there are scumbags out there, but not all of us let them use our stuff to commit their sleazy acts. With this program in place, you have server owners the world over trying to make sure that they don't let people use their equipment for theft or cheating. I think that's part of the responsible business, just as chemical companies shouldn't sell explosives to people who walk in talking about how America should be destroyed. We all have a part to play. And this allows the free market to do it, totally without governmental control. The server companies can decide what level of scrutiny works for them. If they have bad business judgment, their servers crash. That is, bad businesses fail. This is as it should be.

Meanwhile, there are ways to deal with fake spam DoS issues. Above all, decentralized updates, like we currently have for anti-virus programs, could ensure that advances and modifications get put into place. The anti-virus companies could make that a new part of their service. The program itself could have heuristics, like that older URLs get less harassment than new URLs (after a whois check), or there could be a list of no-no words and phrases, like "herbal Viagra." There could be a URL honesty function, that requires that all the domains in the email match, so it comes from www.corporatebank.com, it says it comes from www.corporatebank.com, it links to www.corporatebank.com, and it says the link is to www.corporatebank.com. It needn't be totally automated, either. You could have the single user check it. Or, you could have a decentralized trust system (modeled on k5's article evaluation system?) with people voting on who the jerks are. Or a more private one, so that I publish my list of bad sites, and other people publish theirs, and I decide which ones I trust to be added to my MLNS database. I think it would be important that there be a time limit, too. Like, nobody gets hammered for more than a week without getting reconfirmed. This is only what I can crank out off the top of my head. I expect it would be constantly retested and updated.

This is the point at which I ask the age-old, "We know what you're against; what are you for?" MLNS looks like a real advance to me, and spam is a real problem. Are there other, more workable proposals, and are they really something 'instead of' this, rather than 'in addition to' it? I don't know of any.

Thomas Westgard
Illinois Mechanics Liens
[ Parent ]

Great (2.83 / 6) (#13)
by pickpocket on Fri Dec 03, 2004 at 08:23:36 AM EST

So there's no need to personally DDOS sites anymore, just spam a few million addresses with the URL you want hosed.

Not really. See my other comment (1.50 / 2) (#19)
by twestgard on Sat Dec 04, 2004 at 12:06:17 PM EST

Just below this one

Thomas Westgard
Illinois Mechanics Liens
[ Parent ]

A better way to implement this ... (1.80 / 5) (#14)
by Mr.Surly on Fri Dec 03, 2004 at 11:43:46 AM EST

... would be to build it into an email client that has good spam filtering (like Thunderbird).

Every time it discovers that a spam-marked message has a URL, it strips off any GET options, and hits it about 1000 times a day for 30 days.

That way, the more spam received by end users would put more of a burden on the servers used to handle the orders generated by the spam.

Of course, this means that all you have to do to DOS a competitor site is to send out millions of emails with their URL.

Filters that Fight Back (none / 1) (#23)
by Drangon on Sat Dec 04, 2004 at 07:17:00 PM EST

There is an essay by Paul Graham (the guy that made Bayesian spam filtering popular) about this exact method of punishing spammers: Filters that Fight Back.

Graham tries to devise a working punishment system. He shows what might happen (spammers actually using valid unsubscribe-links to escape DDoS the next time...) and how to prevent the abuse of such a system.

[ Parent ]
spammers would win (none / 0) (#27)
by crayz on Sun Dec 05, 2004 at 06:18:07 PM EST

Problem is spammers would find a way to track down who was actually hammering the box. You could easily give each spam recipient their own page or subdomain to track which ones were "clicking" your link, thus recording them as a valid mail recipient

Perhaps better would be to just do a lookup and hammer the IP, but that would almost certainly be illegal

[ Parent ]

Problem sites? (none / 1) (#16)
by caine on Sat Dec 04, 2004 at 07:30:50 AM EST

Since every email account receives spam, each user is capable of identifying problem sites.

And they do this...how? All the actual adresses in spam are forged and the originating ip is probably either a proxy or someone's innocent zombied box. So, how do we go about identifying 'problem sites'?

--

The email clicks through to their site. (none / 1) (#17)
by twestgard on Sat Dec 04, 2004 at 11:11:11 AM EST

Not all the addresses are forged. Spam emails have a consistent purpose of getting the recipient to go to the site where the spammer is selling something, or collecting illicit information. Inside the email is a link to the site that the spammer wants you to visit, where you can buy their stuff.

Thomas Westgard
Illinois Mechanics Liens
[ Parent ]

Problem sites? (none / 0) (#21)
by pben on Sat Dec 04, 2004 at 02:56:33 PM EST

You are looking in the headers, look in the body. It is the product that is being pushed or the web site taking the orders that should be targeted. If you can not tell that that magic pill, pharmacy, loan offer, or lottery that you never entered is spam then I feel sorry for you.

[ Parent ]
Yes, I buy large quantites of magic pills. (none / 1) (#22)
by caine on Sat Dec 04, 2004 at 04:29:47 PM EST

I wonder who's stupid if you would even for a second belive I buy spam-adverstised products (or, for that matter, any of those products at all). The thing is that a website selling for example pharmacy might very well be hosted on a fully legit server. A sever that is host to several other - completly innocent people and/or businesses, but the pharmacy business have bought spam-services from some third party supplier. So if you DoS that site, it's like bombing an apartment complex to get to the spammer. Which is not only stupid, it's wrong.

--

[ Parent ]

The perfect opportunity (none / 0) (#24)
by brunner on Sun Dec 05, 2004 at 12:01:08 AM EST

IMHO this is the perfect opportunity to produce an Open Source cross-platform stand-alone app that's completely completely decentralized. My thoughts are here. Comments are welcomed.

lets for a list (2.00 / 2) (#25)
by auraslip on Sun Dec 05, 2004 at 06:17:42 AM EST

of the websites we don't like...
124
This is great! (1.16 / 6) (#26)
by bg on Sun Dec 05, 2004 at 02:09:29 PM EST

I always wanted to know what it would be like if someone new, but of little brain, wrote a story for kuro5hin.

kitten's shit is getting old fast.

- In heaven, all the interesting people are missing.

Not a great idea (none / 0) (#28)
by cdguru on Sun Dec 05, 2004 at 09:25:16 PM EST

This presupposes that the anti-spammer idea that ISPs and hosting companies have taken a pro-spam stand. It also presupposes that the URL referenced in a spam email points to something evil. There are several things wrong with these ideas.

Probably the most objectionable is the idea that any URL in a spam must be operated by someone in collusion with the spammer. A signficant amount of spam comes from people trying to make a buck through some kind of affiliate program. Such affiliate programs may have only one or two "spammer" affiliates out of thousands. Rarely does the affiliate program actually sanction spamming and will generally terminate the accounts of such people. But this kind of attack is focused on the host of the affiliate program, not the spamming affiliate member. This is the sort of thing that any large affiliate program (think Barnes and Noble) isn't going to take lying down.

A lesser issue is the idea that that an ecommerce hosting company has much, if any, connection with the advertising for that site. So, why wouldn't they just cancel the account of anyone accused of spamming? Fairness, for one thing. A hosting company that steals from their customers isn't going to be very popular. And, since every hosting company that I have dealt with has a "no partial refunds" policy, cancelling an account without good cause is the same as stealing. Determining "good cause" requires investigation and isn't something that a lot of hosting companies want to do much of.

So, all in all, there has to be a better way of dealing with this. Yes, spamming is a problem. But striking out at random people because you think they are part of the problem isn't the answer.

Too busy to be ethical? Then go out of business. (3.00 / 2) (#29)
by twestgard on Mon Dec 06, 2004 at 10:16:27 AM EST

Determining "good cause" requires investigation and isn't something that a lot of hosting companies want to do much of.

Well, now, that's the point, isn't it. For their economic convenience, we suffer vast quantities of spam, ie a hugely disproportionate economic inconvenience. What MLNS would accomplish is to shift the load of economic convenience back to the servers somewhat.

So, if Barnes & Noble sets up an affiliate program that sucks in jerks, losers, and criminals, now they have a prompt and effective notification system. Besides, I doubt that, with the modifications suggested elsewhere, someone like Barnes & Noble would get a lot of flak.

Spam is not being effectively addressed. Here again, I ask, we know what you're against; what are you for? What better idea do you have?


Thomas Westgard
Illinois Mechanics Liens
[ Parent ]

seems this idea was ripped from spamitback.com (none / 0) (#30)
by spaceman55 on Tue Dec 07, 2004 at 03:59:26 PM EST

check out this site, www.spamitback.com. Came up with the software before these guys, lycos or whomever simply seems to have ripped it and put it into a screensaver.

Ok (none / 1) (#32)
by ggn on Wed Jan 12, 2005 at 06:40:26 AM EST

Flowers

A new make love not spam (none / 0) (#33)
by kaz on Wed Mar 02, 2005 at 06:00:03 PM EST

I found a cool new Make Love Not Spam style prog/script called Fraud Fighter. It's been released by NetworkPunk. The difference with FraudFighter is it's web based. This means that web site owners can place it on their website and anyone who visits their site then helps in the fight against spam. You can get more details on FraudFighter at www.FraudFighter.NetworkPunk.com

Make Love Not Spam Decentralized | 32 comments (21 topical, 11 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!