Spammers Using Students as Relays

Zendar writes "idg has an article about how students at the 151-year-old Tufts University were paid as little as $20/month to relay spam from computers in their dorms. Interestingly enough, the students approached the spammers about this scheme and not vice-versa."

Dangerous

[snitty (308387)]

It seems that being medical test subjects would be less likely to get them killed.

What's next?

[Honorbound (521347)]

Will they be setting up servers to share pirated music and video or something??? Oh, wait...

Peanuts

[dubiousmike (558126)]

This just proves these students aren't as resourceful as they could be. I for one, would have placed some sort of trojan on as many people's computers I could find, then sell ALL of their machine's use for spamming. I mean, I'm certainly not condoning spamming and I dislike it myself, but if you are going to do it, do it right....

Crappy Student Jobs

[ifreakshow (613584)]

What happened to the good old days when college students sold blood, sperm or surfed the web to earn beer money!

Re:Crappy Student Jobs

[Pxtl (151020)]

Or got jobs as telemarketers (hell, most universities even run extensive official telemarketing systems to harass alumni for donations). If you're willing to telemarket, I don't see why you wouldn't be willing to spam. Sure its less money, but its also less work.

Flashbacks

[fizbin (2046)]

Cutco....

Must... sell... knives...

The whole experience still makes me shudder.

Re:Flashbacks

[SomeoneGotMyNick (200685)]

I agree..... I used to sell them also....

However, I didn't have to spend any more than $150 to get started (I must have had a benevolent leader).

It didn't take me long to quit. I still don't care for their marketing practices. However, the products are great (more than I can say about Amway's product line). I still have mine 12 years since I got them. They're still as sharp and shiny as ever. I even have an inherited set that's over 20 years old. They're in great shape also.

I'm going to risk sounding like a hypocrite. I say if you never bought Cutco knives, and someone approaches you to buy them, give them a try. Money worth spending. However, don't jump at the first offer. Make it a hard sell for them and get the maximum discount you can. Even offer a single amount, take it or leave it, just slightly below their final offer. You'll get a good set of knives, but at the same time you'll effectively discourage the wayward soul from continuing on that dastardly path. You'd be doing them a favor. There's plenty of youth around for Vector Marketing to continue the practice, just don't allow someone get stuck in it.

You know you are old when....

[gosand (234100)]

What happened to the good old days when college students sold blood, sperm or surfed the web to earn beer money!

You know you are old when:

You had to work a real job to get money in college

People refer to the "good old days" and in your mind it was yesterday

There was no World Wide Web when you were in college (unless you count FTP, BBSs, and Gopher sites)

Your final paper in Computer Hardware Design was on the Pentium processor, and you could only find three sources because it wasn't due to be released for another 6 months.

You post on Slashdot recounting how old you are, hoping someone will think you are cool

I can think of better uses for them

[petronivs (633683)]

I thought college students made all the coin they could ever need with those webcams.

Re:I can think of better uses for them

[scott1853 (194884)]

I heard they got some VC money a couple years back, but for some reason their website [dorkymalecamwhores.com] never took off.

Tracked using MAC address

[monkey_tennis (649997)]

Interesting that they tracked the individuals down using MAC addresses for computers in their dorms...

I've never heard of any other Uni having the foresight to record this and it seems like a valid piece of info to have to include in any registration document (as per cable modem setup)

Re:Tracked using MAC address

[Frater 219 (1455)]

Interesting that they tracked the individuals down using MAC addresses for computers in their dorms...

I've never heard of any other Uni having the foresight to record this and it seems like a valid piece of info to have to include in any registration document (as per cable modem setup)

You don't even need to copy it down at sign-up time ... just take it out of the DHCP server logs, or the ARP tables on the building router, then look for the MAC address on a switch port in the hall switch. Provided you know your wiring -- and know what switch port goes to what dorm room -- you just narrowed your problem down to the spammer and his roommate.

(Why yes, I did used to be a sysadmin at a college with a bandwidth hogs problem.)

Re:Tracked using MAC address

[garcia (6573)]

I was compromised at one point in time my freshman year and had a smurf attack originate from my machine. They were able to track it down in under 2 hours to my specific port. They shut me down immediately. I had to contact the head of IT directly for reinstatement.

Although it was pretty obvious who was using the most bandwith even w/a tool like iptraf.

Re:Tracked using MAC address

[JackAsh (80274)]

Actually, I was a student at Tufts at the time they implemented the student network. At the time, ACS (Acedemic Computing Services) did require students to register MAC addresses, and I think I recall them assigning static IPs via DHCP or BOOTP (This was back in 95, DHCP was not very popular yet). You could let the network take care of everything for you, or you could enter it manually if you knew what you were doing...

I really don't remember if they used managed hubs/switches, but I recall it was a fairly trivial exercise to figure out where people were in a dorm by counting the IPs assigned (they had some pattern).

-Jack Ash
(Miguel if anyone else from Tufts is reading)

Re:Tracked using MAC address

[garcia (6573)]

at BGSU they started doing registration for the DHCP server via MAC in 1999 or 2000. When you started up after connecting your computer to the ethernet jack you would get a registration page. You would enter your student ID and your email login/passwd. Your MAC was recorded and a hostname that included your email id was given along w/a static IP. If you logged on from another other port on campus it would show as a "roam" address but it still knew you were authenticated so it still knew your MAC.

If you wanted to register another computer you would either have to use someone else's student ID + login/passwd or call up the people for help.

A side note, they were less than familiar about doing it w/alternative OSs that did not automatically bring up the registration page. You either had to use Windows to do it or have them do it manually. I used Windows ;)

Re:Tracked using MAC address

[Usquebaugh (230216)]

Oh another name dropper eh.

A more subtle way is that the college you attend in Cambridge has already implemented this. The only problem with this approach is that all the alumni from Cambridge Universtiy think you're trying to associate yourself with their older and more established college.

plight

[Joe the Lesser (533425)]

An interesting look at one of the things students will lower themselves to do to pay for their $80 calculus book.

Restricting SMTP

[wowbagger (69688)]

Unfortunately, this is the sort of thing that makes sysadmins block all outbound SMTP from anything that isn't registered as a mail server, or at a minimum redirect all such access to their mail server.

Gripe about it all you want, but had the uni been forcing all outbound SMTP traffic through their mail server, they would have seen this a great deal sooner.

As for a fitting punishment - if these students live in the dorm, they probably eat at the dorm cafeteria. Tell the cafeteria to only server them SPAM.

Shocking, I say.

[Skyshadow (508)]

Look, in college I sold my fucking *blood* for a few dollars. Why should it be surprising that students would sell bandwidth?

IMO, colleges should get out of the general IT business all together and contract these services out. They already contract out other things, like food service, landscaping, maintainance, etc. Some departments (CS, etc) obviously may need their own networks, but otherwise it's just a hugely wasteful money pit. Hell, at my university, they spent so much money on useless IT projects that it just boggled the mind -- a lot of the trouble was that they employed fresh grads who would pick up a couple years' experience then skate, so there wasn't enough adult supervision...

Anyhow, back on track: Colleges should concentrate on education and offload these other problems to professionals.

Re:Shocking, I say.

[sirinek (41507)]

Settle down, bud.

Colleges do a lot of experimental things because of the large variety of departments with their unique needs. I do not think they should contract out anything, contractors are expensive. Talk about a money pit!

I personally think a university's money would be better spent with a dedicated staff that knows what a university needs and use student labor when they can. It works well. If your university IT department was run poorly, well, that could (and does) happen in any kind of environment, not just acadamia and wont get fixed by hiring contractors.

siri

Re:Shocking, I say.

[cjsnell (5825)]

Interesting idea.

When I was a student at Vanderbilt University [vanderbilt.edu] back in 1995-1996, we had a student-run IT department. It was a very novel thing back then, dreamed up by an former student who worked for the school. What they did was give responsibility for some services (Web, mail, FTP, and some development) to student-run teams. These teams implemented these services on Solaris and Linux hosts and were responsible for their maintenance. I believe we were paid as work study employees but the wages were much better than what you could earn elsewhere on campus. I think I made around $9-10/hour.

What was really amazing is how they found around 12 *nix-saavy students in 1996 at a school mostly known for its liberal arts and pre-med curriculum. Somehow, they did. It spread by word-of-mouth and we all just drifted in. It was the ultimate student job.

Chris

Re:Shocking, I say.

[PlanetJIM (212710)]

Look, in college I sold my fucking *blood* for a few dollars. Why should it be surprising that students would sell bandwidth?

The difference, of course, is that you actually owned your blood in college. These students are selling something that they're permitted to use in the hopes that it will make them better and more successful students. It's a vulgar abuse of access, and don't gimme that "I pay X*10^y dollars a year to go to school here" crap. If those kids had to pay for the actual bandwidth they consume they'd be paying a fair chunk of that without all those education value-adds.

What I don't understand is why colleges don't make use policies part of housing contracts (most consider and bill bandwidth as a utility like electricity). Do something stupid or commit some vulgar abuse like this and you're out fending for yourself off-campus. Pay your own damn cable bill...

Christ I hope not

[siskbc (598067)]

IMO, colleges should get out of the general IT business all together and contract these services out. They already contract out other things, like food service, landscaping, maintainance, etc

That would be wonderful. Then they could have the network equivalent of the crappy food they serve at the cafeteria. Aaargh.

Also, you mention that the problem is that they only employ recent grads. That's true - but often these kids work at a "hometown discount" while they wait for their gf to graduate or whatever. The college could never afford people as good as their own grads, generally, if they had to pay them what they were worth. If they have to outsource, the cost will skyrocket - or the service will tank. Admittedly, a few adults wouldn't hurt, but the kids usually do a pretty good job. Hell, at our school the permanant hires were paid so little only the braindead took the job. You prayed you got an ex-student to solve your problem if you had one.

When I was in college...

[billmaly (212308)]

$20 a month was serious money. That's one week of clean laundry and GOOD pizza on Sunday night (and not the cheap stuff). Back then, $20 a month would have bought a lot of personal ethics. Can't say as I blame them.

Computer Nerds Gone Wild

[SirSlud (67381)]

This is like the computer nerd equivilent to "College Girls Gone Wild". Anything for a buck.

Except instead of making me want to spank myself, I want to spank them.

Can we say expulsion?

[www.sorehands.com (142825)]

Let see, a kid sets up a computer to steal on the college network. If the student hacked in the the dean's computer to get porn, it would be all over the news, the kid would be arrested.

The kid should be charged the same as the person who put the distributed decryption software, that was all over the news, and expelled.

They got bought cheap!

[FunWithHeadlines (644929)]

It sure doesn't take much to compromise a person's self-respect or integrity. $20/month in exchange for contributing to a problem that everyone hates, and knowing full well that everyone hates it? They sold out cheap.

It's sort of like the trend for journalist majors to wind up in PR jobs for corporations doing nasty things. The lure of extra money covers over any hesitation they might have in moving from a supposedly neutral position to one that shills for money.

But $20/month? Man, that's some cheap principles. How about we pay them $21/month to turn against the spammers?
---------

Re:They got bought cheap!

[FunWithHeadlines (644929)]

"Let me guess, you were the arsehole who had the porche parked in the school lot."

Bzzzt! Wrong, try again.

"Did you see the old beat up Ford Escort with a different color fender, no muffler, and a broken windshield?"

Ding! Ding! Ding! We've got a winner! That would have been me.

"The guy that owned the Escort (and I know him well) would have sold his self-respect for a tuna-freakin-fish sandwich. That guy had LESS than $20/mo for food, toiletries, and beer. You wouldn't survive a week in that guys shoes. $20/mo means another case of mac-n-cheese."

No excuse. You find other ways of making money rather than blatantly leeching off society and contributing to a problem that is despised. If you sell out for a price, regardless of circumstances, it means you sold out. Some people hold their integrity in high esteem and will find some other way to make the necessary money.
-------

Re:They got bought cheap!

[rjh (40933)]

If you sell out for a price, regardless of circumstances, it means you sold out.

H.L. Mencken was at a high society function and speaking with one of the grande dames of society. After some initial witty small talk, he asked her "Madame, would you sleep with me for a million dollars?"

Much laughter later, she agreed.

"Madame, would you sleep with me for one dollar?"

The dame was grievously offended and asked Mencken what she thought she was--some whore?

"Madame, we've already established that you're a whore," he replied. "Now we're just dickering about your price."

Re:They got bought cheap!

[Valdrax (32670)]

Let me guess, you were the arsehole who had the porche parked in the school lot. Did you see the old beat up Ford Escort with a different color fender, no muffler, and a broken windshield? The guy that owned the Escort (and I know him well) would have sold his self-respect for a tuna-freakin-fish sandwich. That guy had LESS than $20/mo for food, toiletries, and beer. You wouldn't survive a week in that guys shoes. $20/mo means another case of mac-n-cheese.

Well, gee, that excuses everything! I see the light now! After that guy broke into my friend's apartment last year and stole all his electronics, I should've excused him too because he was jobless and living in government housing! After all, I "wouldn't have survived a week in that guy's shoes," now would I?

You know what I did in college when I needed money? I got a freaking job; that's what I did. I spent my days sitting at a desk in a computer lab checking student IDs for $5/hour. I didn't throw in with parasites to get by.

Those students did sell themselves cheap. They could've gotten a real job, but instead they decided to let the bottom-feeders of the Internet take advantage of university resources so that they could get a small token sum of money without having to do a damn thing. They whored themselves out probably because they were too damn lazy to actually try to hold down a part time job while in school. As someone who worked for my food, I have absolutely no sympathy for them. They should be kicked out of housing and maybe even expelled for abusing the university network at the expense of others.

Money for using the computer

[Gortbusters.org (637314)]

has always been a popular fad. Remember those programs you could install and you would get a 10th of a penny for every website you clicked and it had a banner-system (I believe)? Everyone thought they would make hundreds of dollars a month with that. I wish I could remember the name. People love getting money for doing their normal tasks, i.e. using the computer. If relaying spam could be done with little or no active participation by a computer user, who [average computer user] wouldn't turn down 20 bucks?

What does it matter...

[mjpaci (33725)]

What does it matter that Tufts is 151 years old? Would this be different if it were 310-year-old College of William and Mary in Virginia or 210-year-old Williams College in Williamstown, MA?

--Mike

Oh, me, me, pick me!

[lastberserker (465707)]

Dear Mr. Spammer, I wouldn't mind to relay your
spam at all! In fact, I would do it with a full
satisfaction of doing a valuable service to the
community! Please, pretty please, pick (and pay)
me to be your relay!

WBR / lastberserker

.
.
.

[...of course I won't detail on _where_ I would
relay your spam, but what's the matter - noone
would miss it anyways...]

Students selling information

[brejc8 (223089)]

I have been getting spam addressed to [my_unix_username]@[my_machinename].cs.man.ac.uk
My machine passes the mail to me but I have no idea how the people got this address.
The only way I can think of is if someone used finger @ on the machines in the department and then stuck the username with the machinename.
As far as I am aware the finger@ is blocked to people outside the department so I am starting to suspect that some students are behind this.
Especially as the spam is for local companies.

Re:Students selling information

[igaborf (69869)]

That's one possibility. Another is that someone just built a spam list by Googling the domain man.ac.uk:

http://www.google.com/search?q=cb%40cs.man.ac.uk

Moral: Put your email address ANYWHERE on the 'Net and you'll get spam.

...but they could be making $50/hour

[callipygian-showsyst (631222)]

...if they put a video cam in their dorm room. They sold out cheap!

Thank Heavens for Diagrams!

[greenhide (597777)]

I didn't understand the article at all. Then I saw the helpful graphic at the bottom of the article. It clearly showed just how the process worked! Without that picture, I would have been in the dark.

Follow the money?

[mjh (57755)]

The article mentions that they can't track the original spammers, that all the further that they can get is to the students computers. If they really want to track the spammers can't they track the money?

Which makes me wonder, how do the students get paid? Remaining anonymous is critical to spammers being able to continue doing their thing. How does a spammer actually pay someone w/out being trackable? I can't imagine that they send cash.

The School is very liberal..this isn't surprising

[Migelikor1 (308578)]

I'm a current student at tufts, and I'm not that surprised that there is some abuse of the system. The University is overall pretty laid back about student computing. The only things the sysadmins monitor for is virii that may cause systemwide problems (they send a person to your room with virus software if one's detected) and excessive bandwidth usage (over a gig per day for more than 3 days in month.)
While it is troubling to know that some of my fellow students abused the policy, it really isn't that hard. Though it pisses me off a little that they used University bandwidth for their little endeavor, the school has plenty, due to massive infrastructure installation in the late nineties. It hadn't caused any issues for the school (nobody I know has complained about a slowdown) so it's my opinion that the fact it's a university isn't a big deal. The kids are entrepreneurs, even if it's in a business I despise, taking advantage of the resources they've paid for. The real question is wether the school will add a clause to the acceptable use policy and start to monitor for spammers. Wouldn't be surprising.

Re:The School is very liberal..this isn't surprisi

[rhizome (115711)]

The kids are entrepreneurs, even if it's in a business I despise, taking advantage of the resources they've paid for.

Are we supposed to believe that university network resources are completely supported by tuition? I would venture (though in typical Slashdot fashion I have no numbers) that there's a certain amount of taxpayer money involved. Furthermore, it's very common for end-user bandwidth agreements to include a clause prohibiting the resale of any portion of a connection.

Blacklists work

[frankie (91710)]

The university I work for has found itself on various spam blacklists each September for the past 3 years. The reason has been the same each time: underclassmen in the dorms installing old RH distros or whatever that includes an open mail relay.

This spring SMTP will be restricted to only approved departmental servers. Anyone else gets dropped at the firewall. It's a shame (academic freedom and all that) but really necessary.

Why [insert deity here] Why?

[korny69 (132030)]

What I do not understand is why don't they just block all incoming traffic to the dorms and labs? Why is it that they allow for this traffic to even make it to the PC in the first place?

Frank Grewe, manager of Internet services for the University of Minnesota in Minneapolis-St. Paul, also wasn't surprised. He says the university does not let client machines be used as servers, employs static IP addresses and tracks the amount of traffic going to and from those addresses.

Why track ... just do not allow it in the first place and it will be a whole lot easier. I just do not see a reason in allowing inbound traffic to a static IP address on a campus unless it is a server owned (no pun intended) and operated by the staff. When you allow anyone and everyone to do as they please, all hell will break lose.

I can see the point of some PCs and not others, but it should always be a special case when a PC needs access to it from the outside. This is how most corporate companies run their network. I just do not understand why in most cases all I have to do is 'host -l -t any uni-net.edu' and get a list of hosts to look at and forward my spam on from.

As for the out-sourcing of CS to someone else, I would have to disagree, because it is incidents like this that usually teach people. And when they go on to the corporate world, hopefully, they will remember that they need to lock their network down . It teaches fundamentals, and in this industry, unlike a lot of others and what a lot of corporate big-heads think, it is experience more than education that counts in the long run.

Re:Why [insert deity here] Why?

[ftobin (48814)]

Jeez, what an awful road to go down. The very idea that you cannot be a participant in the internet, and provide your own services, is abhorrent. There should be no problem with a student having his own webserver, mail server (as long as it's not an open relay), finger server, or whatever. Solve problems with specific solutions, not these broad, sweeping, castrating ones.

The way of thinking that you suggest, that only "powers that be" may provide services, promotes consumerism, and prohibits the freedom of individuals.

Your suggestions are antithetical to the very principles that the net was built on, end-to-end.

Message to Spammers:

[cybermace5 (446439)]

To the Man in the Can:

I am willing in the utmost confidence and secret to help your with some certain relaying needs. My server does waits idle at my residence in an yet to be disclosed location, ready to relay your messages to the considerate masses. In exchange for your sum of $20 per month, my server will confidentiality flood the Internet with your excellent offerings.

I can personally and utmost attest to guarantee that you messages will pass through entire unaltered, and not be redirected to /dev/null, or replaced with the text "I AM RESPONSIBLE FOR X PERCENT OF ALL YOUR SPAM" and your home address & phone number. I would most certainly not monitor every spam you attempted to send at your discretion, and report each and every instance to the immediately authorities.

I trust you to and maintain the highest level of integrity & confidence in this matter.

--- Ham Nbu Jahir, Supreme Commander of Nigerian National Space Fleet

Re:20 Bucks?

[phorm (591458)]

It's cheap, yes, but $20 is about 20 boxes of Mac & Cheese. For some students, this could probably feed them for 3/4 of the month.

Realistically though, profit depends on volume. Some few people probably masterminded the idea, and are taking part-profits somehow. If they skimmed $5 from 20 students with relays - that's $100/month. Still not a lot, but cheap for no work.

Re:20 Bucks?

[scott1853 (194884)]

You must have failed College Math 101. Dollar amounts are to be clearly be represented in Ramen noodle packets. Therefore, $20 = 160 packets = 160/3 meals per day = 1.8 months of good eatin'.

20 boxes?

[feed_me_cereal (452042)]

only 20 boxes of mac & cheese? I'm a college student and I sure as hell don't buy that kind of extravagant mac & cheese. Kroger regularly puts its "kroger brand" mac & cheese on sale for 25 cents a box!

Re:Unrest is born. . .

[Snork Asaurus (595692)]

Anything can be turned into a buck.

Bucks urgently required. Please post formula.

Re:Hmm

[Patrick13 (223909)]

The one guy I know making $30k a year doing spam

Yeah, but don't forget that according to the article this guy sold his Uni access for $20/month - that doesn't add up very many pizzas or beers.

My guess is that guy should have sold his connection for more like $200 - $500 per month, or based on the # of mails or something. $20/month is laughable, considering that he now most likely has been forbidden to connect to the University's network with his personal machine and may have some sort of procedural punishment on his University records.

Re:tufts ip address range

[kindbud (90044)]

did a little WHOIS digging......
the most important part (CIDR:130.64.0.0/16) just made my firewall blacklist : )

Did you read the article? The University's network admins have the problem under control. Students are being disciplined, PCs are taken off the network when they are found. Tufts runs a responsible and responsive abuse desk. By punishing an organization that has acted properly, you are undermining real anti-spam efforts.