Friday, November 26, 2004

ISP resorts to denial of service attacks on spammers

From The Register:

"Lycos Europe has started to distribute a special screensaver in a controversial bid to battle spam. The program - titled Make Love Not Spam, and available for Windows and the Mac OS - sends a request to view a spam source site. When a large number of screensavers send their requests at the same time the spam web page becomes overloaded and slow.

The servers targeted by the screensaver have been manually selected from various sources, including Spamcop, and verified to be spam advertising sites, Lycos claims. Several tests are performed to make sure that no server stops working. Flooding a server with requests so that the server is unable to respond to the volume of requests made - a process known as a distributed denial of service (DDoS) attack - is considered to be illegal.

Lycos believes the program will eventually hurt spammers. 'Spamvirtised' sites typically don't sell advertising, so they have to pay for bandwidth. Therefore more requests means higher bills, Lycos argues."
This is an interesting twist on the usual denial of service attack. Is Lycos exposing itself (and potentially the users of the screensavers) to criminal liability? In Ireland and the UK the answer would most likely be no - as I argue in this article on computer crime, current law fails to address this sort of attack, which falls outside the unauthorised access offences and the damage offences. However, Lycos might well be in trouble if it targets US based spammers - see Jeff Nemerofksy's piece on "Interruption of Computer Services to Authorised Users".

Before you ask: Lycos isn't necessarily shielding itself from liability by "making sure that no server stops working". Some jurisdictions do seem to require an attack which brings down a server, but equally some of the US laws mentioned in that article criminalise the degradation of service as well as an outright denial of service.

No comments:

Post a Comment