OT - WAY - OT
Howard Wolowitz
howiewz at beonthenet.com
Fri Mar 21 14:51:58 PDT 2008
----- Original Message -----
From: "Fairlight" <fairlite at fairlite.com>
To: "filepro list" <filepro-list at lists.celestial.com>
Sent: Friday, March 21, 2008 3:16 PM
Subject: Re: OT - WAY - OT
> From inside the gravity well of a singularity, Kenneth Brody shouted:
>> Quoting Howard Wolowitz (Fri, 21 Mar 2008 12:48:26 -0400):
>> > To discourage phishing via email what about replying to some or all of the
>> > requests for information with totally false data?
>> > They, thinking they have struck gold, will waste their time trying incorrect
>> > logins, passwords, account #s etc. Sure it wasted your time too but if lots
>> > of people did it then they (the bad guys) would be busy 24 hours a day to no
>> > avail and maybe the number of phishing requests would go down.
>
> You really must have time to waste. A scheme like this isn't worth the
> stress, nor the legal exposure, much less the time involved to set
> something like that up.
>
>> I recall coming across a site that will automate this. You give them the
>> URL of the phish, and they'll submit a zillion fake entries. I have no
>> idea how effective such tactics are. (The phishers will know that they
>> haven't "struck gold", but the idea is that the signal-to-noise ratio
>> will be so low as for them to not be able to distinguish the real data
>> from the fake.)
>
> Which is totally illegal. You could easily be accused of a DoS, which you
> effectively are performing, as well as unauthorised use of a computing
> system. The second it crosses state lines, that falls under interstate
> commerce and is automatically a federal felony, even if it was locally a
> misdemeanor.
>
> Hacking someone back is no more legal than the first hack. Ditto with
> pingfloods and other DoS tactics.
>
>> > My real question is - Is it safe to even follow the links? (I do have virus
>> > protection but still ...)
>
> Keep in mind these people are in the information-gathering "trade". I'd be
> more worried about spyware than actual viruses, per se.
>
>> My main concern with this is some phisher with too much time on his hands
>> can capture your IP address and try to launch a DoS attack against you.
>
> Which you have no legal leg to stand on for complaint, as you initiated the
> first actual attack. They were just looking for idiots, and the person
> that attacks them quickly raises their hand to be counted. It's just the
> left hand instead of the right hand. People raising the right hand are the
> people that are suckered into divulging their information. You're still
> letting them win, and lowering your standing in the battle to boot.
>
> Believe me, I have no sympathy for phishers or any other cracking type
> folks. But this is -not- the ethical (or legal) way to handle it.
>
> If you get phishing emails, report them to the abuse departments of the
> companies that were "hijacked". They're more than willing to go after the
> bastards. Notably, eBay and PayPal are very good about this. Whenever I
> get one, it just goes off to spoof at paypal.com as a forward with full
> headers, and that's that.
>
> mark->
You miss my point.
I am not proposing flooding them with automated replies. Just responding to
their requests for my private information (while illegally pretending to be
a company that they are not.)
If enough people do it, they will be flooded with replies but only ones that
they requested. One per email they sent.
I don't see any problem with responding to a criminal attempt to steal my
information, money, credit or identity with an incorrect response. I tend
to make a lot of typos anyway. What, are they going to sue me?
Ken's point about them making a DoS attack on me is not really
worrisome since how would they know who to do it to if many people
responded? These people are not out for revenge, just theft.
Your point about spyware is really scary and I will update my spyware
protection before I do anything. That may be the main reason they want you
to visit their sites in the first place.
And no, I don't have much free time but I'll be glad to spare a few moments
a day (for the greater good) to screw up these criminals and eventually
maybe make it too expensive for people to bother phishing.
Maybe you can't cheat an honest man (not too easily anyway) but cheating a
crook is a moral imperative.
Howie