OT - WAY - OT
Fairlight
fairlite at fairlite.com
Fri Mar 21 12:16:02 PDT 2008
From inside the gravity well of a singularity, Kenneth Brody shouted:
> Quoting Howard Wolowitz (Fri, 21 Mar 2008 12:48:26 -0400):
> > To discourage phishing via email what about replying to some or all of the
> > requests for information with totally false data?
> > They, thinking they have struck gold, will waste their time trying incorrect
> > logins, passwords, account #s etc. Sure it wasted your time too but if lots
> > of people did it then they (the bad guys) would be busy 24 hours a day to no
> > avail and maybe the number of phishing requests would go down.
You really must have time to waste. A scheme like this isn't worth the
stress, nor the legal exposure, much less the time involved to set
something like that up.
> I recall coming across a site that will automate this. You give them the
> URL of the phish, and they'll submit a zillion fake entries. I have no
> idea how effective such tactics are. (The phishers will know that they
> haven't "struck gold", but the idea is that the signal-to-noise ratio
> will be so low as for them to not be able to distinguish the real data
> from the fake.)
Which is totally illegal. You could easily be accused of a DoS, which you
effectively are performing, as well as unauthorised use of a computing
system. The second it crosses state lines, that falls under interstate
commerce and is automatically a federal felony, even if it was locally a
misdemeanor.
Hacking someone back is no more legal than the first hack. Ditto with
pingfloods and other DoS tactics.
> > My real question is - Is it safe to even follow the links? (I do have virus
> > protection but still ...)
Keep in mind these people are in the information-gathering "trade". I'd be
more worried about spyware than actual virii, per se.
> My main concern with this is some phisher with too much time on his hands
> can capture your IP address and try to launch a DoS attack against you.
Which you have no legal leg to stand on for complaint, as you initiated the
first actual attack. They were just looking for idiots, and the person
that attacks them quickly raises their hand to be counted. It's just the
left hand instead of the right hand. People raising the right hand are the
people that are suckered into divulging their information. You're still
letting them win, and lowering your standing in the battle to boot.
Believe me, I have no sympathy for phishers or any other cracking type
folks. But this is -not- the ethical (or legal) way to handle it.
If you get phishing emails, report them to the abuse departments of the
companies that were "hijacked". They're more than willing to go after the
bastards. Notably, eBay and PayPal are very good about this. Whenever I
get one, it just goes off to spoof at paypal.com as a forward with full
headers, and that's that.
mark->
--
"Moral cowardice will surely be written as the cause on the death
certificate of what used to be Western Civilization." --James P. Hogan