Archive for December, 2004

Trojan poses as fake Lycos screensaver

ZDnet writes:

The fallout from Lycos’ anti-spam campaign continues with hackers using it to try and trick email users with a password-stealing Trojan

An identity-stealing email Trojan that disguises itself as the Lycos anti-spam screensaver is being distributed around the Internet.

According to antivirus company F-Secure, the key-logging Trojan steals usernames, passwords, credit card details and email addresses and travels as an email attachment.

Mikko Hyppönen, F-Secure’s director of antivirus research, said that the recent attention from the Lycos story could be an incentive to open the file.

“The whole case has been full of surprising turns from the beginning,” said Hyppönen. “Whoever is behind this is someone who felt they were being attacked by Lycos. They are trying to teach people a lesson. A lot of people heard about the screensaver but couldn’t download it because the ["Make love not spam"] Web site was down. Lots of people would be interested in looking though.”

The subject of the email read: “Be the first to fight spam with Lycos screen saver”, with an attachment file labelled: “Lycos screensaver to fight spam.zip”.


My comment: In retrospect, Lycos Europe should’ve known better and thought about all possible outcomes of their campaign. I hope that the recent events are a good lesson for both Lycos Europe and others thinking about doing something similar. Now, the brand name of Lycos is not known for great Internet service, but for their incapability and faulty campaigns.

The “Make love not spam” campaign also proves that you can never, and should never, defeat abuse with abuse.

Lycos antispam site taken offline


As mentioned earlier here at Hypocrisy.nu, the Internet Service Provider (ISP) Lycos Europe has been having trouble with their anti-spam campaign “Make love not spam”, and now the campaign has been scrapped.

Through the Make Love, Not Spam website, users could download a screensaver that would endlessly request data from the net sites mentioned in many junk mail messages.

More than 100,000 people are thought to have downloaded the screensaver that Lycos Europe offered.

Lycos so far maintains that it has been careful to avoid completely shutting down the sites it targets as such distributed denial of service attacks (DDoS) are considered illegal in many European countries and the US, but monitoring firm Netcraft claims that some of the sites that the screensaver targeted were being knocked offline by the constant data requests.

In a statement from Lycos Europe announcing the scrapping of the scheme, the company denied that this was its fault.

“There is nothing to suggest that Make Love, Not Spam has brought down any of the sites that it has targeted,” the statement read.

“At the time that Netcraft measured the sites it claims may have been brought down, they were not in fact part of the Make Love, Not Spam attack cycle.”

The statement issued by Lycos also said that the centralised database it used ensured that traffic to the target sites left them with 5% spare capacity.

“The idea was simply to slow spammers’ sites and this was achieved by the campaign.”

(Note that many security organisations said users should not participate in the Lycos Europe campaign.)

Lycos has also shifted IP addresses from 83.241.136.230 to 213.115.182.123, which are both hosted by Starring, a Swedish advertising agency which is apparently working with Lycos Europe on the site.

The IP transfer is almost certainly the result of spammers redirecting traffic back to www.makelovenotspam.com, which means Lycos unintentionally launches a denial-of-service attack against its own anti-spam campaign web site.

To prevent further attacks by users, several major Internet backbone providers and ISPs are now blocking access to the Lycos web site, including Global Crossing’s worldwide network.


My comment: I hope that other ISPs will learn from this grand failure of Lycos Europe. From the moment the campaign first appeared in Sweden, the debate was on in the Internet community here. Of course there will always be vigilante characters who want “revenge” on the ones pestering their inboxes, email servers and networks, but this is not the way to go. The only way is to create a framework where serious actors on the Internet market can exchange email traffic.

Until this is done, server-side solutions such as SpamAssassin and server-side blacklist systems such as ORDB and Spamcop have to protect both providers and individual users. Those, together with open source antivirus software such as ClamAV, will both limit the amount of spam and viruses reaching individual users and narrow down the target range of those seeking new PCs to enslave in bot networks used to spread further spam and viruses. The approach has a cumulative effect in narrowing down unwanted traffic on the worldwide network known as the Internet.

Blogger with power…or not?!

The Swedish organization “Svenskt Näringsliv” (Swedish trade and industry) and their MD Ebba Lindsö have stated that one of their lobbyists, Johnny Munkhammar, must stop writing in his own Blog, due to the fact that Munkhammar’s opinions do not always go hand in hand with those of Svenskt Näringsliv.

The obvious reason that something will be done about Munkhammar’s Blog is that his private opinions might bleed over into his role as a lobbyist for Svenskt Näringsliv. Though now there is a minor buzz within the Swedish Blog community that Munkhammar got silenced because he and his Blog are a powerful factor within Swedish society and business life… I personally think that this is wishful thinking.

Hypocrisy.nu is up again!

After some downtime due to system-upgrades, Hypocrisy.nu is up and running again!

Thank you for your patience!!!

The Lycos-hack, a hoax?!

Lycos now claims that the supposed hack of their “Make love not Spam” campaign was a hoax created by some spammers themselves in order to taint the campaign.

“This is a hoax,” said Malte Pollmann, director of communication services for Lycos. “We have obviously reached our goal and are getting to the spammers. On our servers we don’t have any logs of an attack. No one was able to verify that. I wouldn’t be surprised if [the screensaver] causes this in the future. We have a couple of port scans, but that’s normal.”

The campaign site is still inaccessible, and this doesn’t really give Lycos wind in their sails.

Even if this defacement was a hoax, the spammers certainly succeeded in their task when it comes to creating negative PR connected to Lycos and their campaign.

To go deeper into the questionable behaviour of this campaign, I quote the article on ZDnet further:

Lycos launched its ‘make love not spam’ campaign, which offers users a screensaver that helps to launch distributed denial-of-service (DDoS) attacks on spammers’ Web sites, on Monday. The company said the screensaver uses the idle processing power of a computer to slow down the response times from spammers’ Web sites — much in the same way spammers use compromised PCs to distribute unsolicited email messages.

But Lycos also denied it was using denial-of-service attacks.

“I have to be very clear that it’s not a denial-of-service attack,” said Pollmann. “We slow the remaining bandwidth to 5 percent. It wouldn’t be in our interests to [carry out DoS attacks]. It is to increase the cost of spamming. We have an interest to make this, economically, not more attractive.”

Head of international spam fighting organisation Spamhaus Steve Linford said that by attacking spammer bandwidth, Lycos could inevitably be attacking innocent users’ bandwidth too.

But Pollmann sidestepped the question of doing this: “We want to hit targeted bandwidth. We are selecting spammers from blacklists. We verify every address. Professional spammers run on very dedicated media.”

I think this quote sums it up very well:
“Not only is Lycos in danger of breaking laws, it is in danger of lending credibility to the notion that DDoS attacks are OK if you’re the good guy — which of course you are — and you’re launching it against someone who, well, just deserves it. Regardless of the semantics of whether what Lycos is doing really is a denial-of-service attack, when you attack the bandwidth of one computer on the Internet, you effectively attack the bandwidth of all computers.”

Blogs are mirrors of the “mainstream” media.

When reading the Slashdot article about Blogs being the future of journalism, I replied with the following text:

“From what I’ve seen, the topics discussed in Blogs aren’t results of investigative journalism, they are in most cases (excluding the “what I ate for breakfast blogs”) discussing events seen in the news.

A clear example of this is the genocide in Darfur: there was an almost complete silence within the Blog community, and this was connected to the silence in the mainstream media. As soon as the mainstream media started to air stories about Darfur, the Blogs caught up and got active on this topic.

Is this bad? Well, it’s not “bad” per se, it’s just a hint that Blogs are not the future of journalism; what they are, is a brilliant way to spread and take in information.”

Or as Ana Marie Cox, author of Wonkette, said it so well: “A revolution requires that people leave their house.”

Note that this post here on hypocrisy.nu is a result of my thesis. ;-)

Lycos Anti-Spam Site Compromised – a PR-stunt gone bad.

Lycos’ “Make love not spam” campaign, originally tested on the Swedish ISP market as a PR campaign in collaboration between Starring (formerly Moonwalk Stockholm) and Lycos-owned Spray.se, was compromised, showing the message “Yes, attacking spammers is wrong, you know this, you shouldn’t be doing it. Your ip address and request have been logged and will be reported to your ISP for further action.”

This PR stunt by Lycos has apparently backfired on them now. What is now associated with Lycos is not that they are the net heroes fighting back against spammers, but that they host insecure Internet services.


The way “Make love not spam” works is that the screensaver, on a round-robin principle, fills up the web server logs of the targeted spammers with requests connected to the campaign.

The downside of this PR stunt is that the spammers, under the CAN-SPAM Act, are able to make an abuse complaint to your ISP, saying that you are taking part in a DDoS attack against them. Sad, but true. Add to that: if your website is hosted at the same ISP as a spammer’s, or even in the same network, you may suffer collateral damage from this campaign.
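As an added example (not from the original post), the following Python parses a few constructed Apache-style access log lines and flags source addresses that issue many requests inside a short window, which is the check a targeted site or its hosting ISP would run before acting on an abuse complaint of the kind described above. The log lines, addresses, window and threshold are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (one line per request).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one address hammering the site, one normal visitor,
# and one malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2004:12:00:00 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Dec/2004:12:00:01 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Dec/2004:12:00:02 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Dec/2004:12:00:02 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    'this line is not a valid log record',
    '192.0.2.10 - - [01/Dec/2004:12:00:03 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Dec/2004:12:00:04 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Dec/2004:12:00:05 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Dec/2004:12:05:00 +0100] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return a dict for a well-formed combined-log line, or None for junk."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flag_floods(lines, threshold=5, window=timedelta(seconds=10)):
    """Map each source IP to its peak request count inside any `window`,
    keeping only sources that reach `threshold` (the flood candidates)."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            stamps_by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):   # sliding window over sorted times
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Running `flag_floods(SAMPLE_LOG)` flags only the first address, with six requests inside the ten-second window; the normal visitor and the malformed line are ignored.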
