The war on spam: Can we win it with DDoS attacks?

How far do we go in the fight against spam? Jonathan Yarden examines the controversy of launching DDoS attacks against spammers.


On April 12, 1994, spam first entered the Internet world in the form of an unsolicited Usenet advertisement, sometimes referred to as the "green card lottery" posting. The day this infamous message began making its rounds, I knew that the era of commercial-free communication on the Net had ended. Over the next decade, unsolicited e-mail would flourish into a lucrative underground industry, helping to create a global cesspool of electronic junk.

Ask any group of computer users how they feel about junk e-mail, and the vast majority of responses will surely be negative. But ask that same group of people how they think we can stop junk e-mail, and few, if any, will be able to offer a feasible solution.

Literally dozens of methods exist for fighting unsolicited e-mail, but none are completely effective. The key is to stop spam at the source.

A Virginia court recently sentenced one junk e-mailer to a nine-year prison term for violating a state law about e-mail marketing. While this certainly stops one spammer at the source, it's merely the tip of the iceberg. Thousands of junk e-mailers are still out there.

Lycos Europe thinks it has a better solution. Last week, the company announced the release of a screensaver specifically designed to disrupt known sources of junk e-mail by bombarding the Web sites advertised by the spam messages. (Lycos Europe is a separate company from the U.S. Lycos Web portal.)

Dubbed the "Make love not spam" effort, the campaign has each screensaver installation repeatedly request data from a targeted Web site. Lycos Europe asserts that the requests won't impact the bandwidth of individual users; the damage comes from many users' screensavers making the same requests at the same time, which can produce something similar to a targeted distributed denial-of-service (DDoS) attack.

Within days of the screensaver's release, early reports showed that the "Make love not spam" campaign succeeded in causing significant disruption of specific networks known to be the source of junk e-mail and took two Web sites hosted in China offline.

But before you begin cheering the death of spam, keep in mind that, like that fateful day in 1994, we're again entering a new era—and perhaps crossing a line that we shouldn't cross. Distributed denial of service is the Internet equivalent of a weapon of mass destruction, and vigilante justice is never the best solution, regardless of whether it stops unwanted, illegal activity.

The Web portal has countered that carrying out DDoS attacks is not one of its intentions, nor is taking Web sites offline. It claims it only wants to slow the bandwidth of these sites, hurting them economically, which in turn makes sending unsolicited e-mail less lucrative.

But shortly after the official launch of the screensaver campaign, the distribution site for the screensaver met with a fate similar to the Web sites hosted in China. As of this writing, Lycos Europe has switched to a new IP address, and the site currently asks visitors to "Stay Tuned."

Lycos Europe may think it's on the right track to ending unsolicited e-mail, but I strongly disagree. In my opinion, "fighting fire with fire" will accomplish nothing more than to escalate hostilities. Make no mistake: Spammers will continue to retaliate.
