As Internet junkies will already have heard by now, on December 1, 2004, Lycos Europe released a screen saver named Make Love Not Spam (MLNS).
The purpose of the screensaver was to harass sites that send out spam through a modified Denial of Service (DoS) attack. A DoS attack, for the less internet savvy, is a way of disabling a website (more specifically the computer it's on - the "host") by sending so many requests for pages that it overloads and can't function. When you load a page in your browser, your browser must first send a request to the website to send out the page. The request is a very small effort for your computer to send out. The host computer then spends a fair amount of time and effort to send out the whole page. There is no reason that your computer must accept the page, however. For the totally computer illiterate, think of the difference between the amount of effort your boss expends in asking for a report, versus your effort in producing it.
The difference between the small effort required to request a page and the large effort to send a page of ordinary size out creates a disadvantage for the host computer. Even in a one-on-one battle between two equally matched computers, the requesting computer will win easily. Although servers tend to be large, powerful computers, relatively few smaller computers are needed to disable a server. Hackers have used these DoS attacks to disable computers, perhaps most famously the successful attack on Microsoft's Hotmail email system, which inexplicably was at that time subject to the amateurish mistake of hosting the whole thing on a single server. Microsoft has since changed the setup.
DoS attacks are illegal in a number of ways. Some governments have created criminal sanctions for this type of attack. Also, the owner of a site disabled by DoS attack may have grounds for action against the hacker if damage results.
Thus, Lycos' decision to use DoS methodology was a somewhat risky proposition from a legal perspective. However, Lycos modified the standard DoS pattern to one less likely to totally disable a site. Rather than attacking a site with the intent to disable it entirely, the MLNS program was set up only to place a partial burden on the sites. By monitoring the amount of bandwidth (the capacity to send out pages) each spam site had, MLNS could limit its requests so that the site was only using a portion of its bandwidth, say, 50%.
However, even occupying half the available bandwidth of a particular site is a significant event. Hosting companies generally charge a larger fee for sites that use a lot of bandwidth, so even without actually being disabled, the sites are likely to incur additional costs for the bandwidth consumed. This partial attack may or may not be illegal under the laws that prohibit a full DoS attack. Since a request for a page is sent every time you press the refresh button on your browser, a law prohibiting a Lycos MLNS type of activity would have to specify how many times you are allowed to press the refresh button. 12? 16?
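As an added illustration (not code from the original post), the following Python script shows how a site operator would answer the "how many refreshes is too many" question in practice: it parses constructed web-server log lines, finds the peak number of requests any one client made inside a time window, flags clients above a policy threshold, and reports each client's share of the bytes served, which is the bandwidth measure the post discusses. The log lines, addresses, and the threshold of five requests per ten seconds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Common Log Format). The addresses are
# from documentation ranges and the entries are not from the original post.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [01/Dec/2004:10:00:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 51200'
     for s in range(12)]
    + ['198.51.100.7 - - [01/Dec/2004:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 8192',
       '198.51.100.7 - - [01/Dec/2004:10:00:30 +0000] "GET /index.html HTTP/1.1" 200 51200']
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Return (ip, unix_timestamp, bytes_sent) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, size = m.groups()
        when = datetime.strptime(ts, TS_FMT).timestamp()
        records.append((ip, when, 0 if size == "-" else int(size)))
    return records

def peak_requests(records, window_s):
    """Highest number of requests a single client made within any window_s seconds."""
    by_ip = defaultdict(list)
    for ip, when, _ in records:
        by_ip[ip].append(when)
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window_s:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def flag_floods(records, window_s=10, max_requests=5):
    """Clients whose peak rate exceeds the policy threshold (an assumed value)."""
    return {ip: n for ip, n in peak_requests(records, window_s).items() if n > max_requests}

def bandwidth_share(records):
    """Fraction of all bytes served that went to each client."""
    total = sum(b for _, _, b in records) or 1
    per_ip = defaultdict(int)
    for ip, _, b in records:
        per_ip[ip] += b
    return {ip: b / total for ip, b in per_ip.items()}
```

The threshold is a policy choice, not a technical constant, which is exactly why the post's question is hard to settle in law: the same script flags nothing or everything depending on the numbers the operator picks.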
Lycos' MLNS was operated by a central server that identified problem sites, and then picked a limited number for harassment by each personal computer that held the screensaver. The personal computer would then send out the actual requests.
Unsurprisingly, server/host companies disliked the idea. Almost all sites are hosted on servers that hold other sites, sometimes numbering in the hundreds. Thus, a DoS attack on one site actually burdens not only the one site, but restricts the bandwidth available to all the sites hosted on that computer. From the perspective of the server's company, many customers are being burdened. From the perspective of the person receiving spam, putting a burden on companies that allow spammers to use their computers may not be such a bad thing.
In order to interrupt the attack by Lycos MLNS, server companies created "black holes" to interrupt the connection between the personal computers and Lycos MLNS. Lycos has apparently shut off its central server, pending a decision on what to do next.
Lycos has opened a Pandora's box with the partial DoS attack concept, however. Spam is sent out for the specific purpose of getting people to request pages (and presumably to read them), just as other sites wish, so prohibiting people from requesting pages is not practical or desirable. How many requests is too many is a somewhat difficult matter to decide, and more so to enforce.
The soft spot in Lycos' overall plan was the central server, a totally unnecessary part of the plan. Since every email account receives spam, each user is capable of identifying problem sites. Further, to the extent that Lycos faced possible liability for DoS attacks, having the individual user identify the problem sites decreases or eliminates Lycos' responsibility in the event an attack is excessive or misplaced.
Whatever Lycos decides to do next with MLNS, we can reasonably expect to see more programs of a similar character. One obvious structure would be to integrate a partial DoS attack mechanism into an email program, such that the user could forward each spam email into an account that would automatically add it to its list of targets.
Just wait. Or, let me know when you have your program up and running.
Thomas J. Westgard
Illinois Mechanics Lien