Tracking Spam to the Source 366

cygnusx writes: "MSNBC is carrying a Wall Street Journal article on one reporter's attempts to track the spam she receives to the source. Armed with a few Hotmail and Yahoo accounts, reporter Stacy Forster actually responded to most of the barrage of spam she began to receive after a week or so. Not quite the best investigative journalism ever seen, but still a good glimpse (or so I thought) at those who send us those unloved missives about "exciting business opportunities" and "millions of $$$ waiting"."
  • Bellsouth = Spam (Score:5, Interesting)

    by Renraku ( 518261 ) on Saturday February 09, 2002 @04:48PM (#2980056) Homepage
    When I signed up for their ADSL service, I used a very odd username which I haven't used before, nor have I ever seen. I checked my email a day (after the account was made, not after I got DSL) later and guess what? Two emails from Bellsouth, one from some porn company. I posted my findings to DSL reports, and got fired from my tech support job at Bellsouth DSL for that.
  • Just use PINE and... (Score:4, Interesting)

    by Colin Bayer ( 313849 ) <<gro.sulucci> <ta> <nogov>> on Saturday February 09, 2002 @04:49PM (#2980058) Homepage
    turn on "enable-bounce-cmd" in your prefs. Open the spam, hit "B", tippity-tap out the source e-mail address (or flex your gpm muscles if you're so inclined), and off it goes back to the sender; alternately, do your best to fudge a mailer daemon bounce. When they get the message, 9 times out of 10, they stop sending. Failing that, just redirect known bad domains (I do this with Yahoo and Hotmail because I don't know anybody who uses those accounts) into a spam folder; check it occasionally to make sure the signal-to-noise ratio is non-zero.

    It's not worth getting all hot and bothered over some "INCREDIBLE MONEY MAKING OPPORTUNITY" someone felt like telling you about.

    On another note, check out somethingawful's pranks section under spam for Lowtax's take on the whole thing. :)
  • by oregon ( 554165 ) on Saturday February 09, 2002 @04:50PM (#2980059) Homepage
    junkbuster [junkbusters.org] blocked 15 images from loading in that one article.
  • by Atrahasis ( 556602 ) on Saturday February 09, 2002 @04:53PM (#2980071) Homepage
    ....and you get a pop-up banner offering you the best casino the net has to offer.

    D'oh!

  • by chrysalis ( 50680 ) on Saturday February 09, 2002 @05:11PM (#2980114) Homepage
    Instead of using SPAM filters (accept everything by default, deny some mails according to filters), a new and very efficient approach is to do like firewalls:
    • Deny everything by default
    • Only accept mails from known sources.

    Software like TMDA [sourceforge.net] implements this. When a mail comes from an unknown source, an automatic confirmation mail is sent by the script. If the sender acknowledges, his address will be added to the 'whitelist'. No more confirmation will be needed.
    This is extremely efficient, and it basically reduces the SPAM actually delivered to your mailbox to zero.
    Just don't forget to manually add mailing-lists you're subscribed to, to the 'whitelist'.
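Editor's added example (not part of chrysalis's post, and not TMDA's own code): a minimal in-memory version of the deny-by-default gate described above. Mail from a whitelisted sender is delivered; anything else is held and a confirmation request is sent to a token address. Confirming releases the message and whitelists the sender, and a mailing list is whitelisted up front because a list server never answers a challenge. The `example.test` addresses, the `confirm+<token>` convention and the HMAC secret are assumptions made for the example.

```python
import hashlib
import hmm_placeholder_never_used if False else hashlib  # noqa: E999
```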


  • by writermike ( 57327 ) on Saturday February 09, 2002 @05:13PM (#2980121)
    I want to know about one more part of the story.

    She says she signed up a Yahoo account, bought one book from Borders.com and promptly received spam thereafter.

    Sooooo.... if Borders _and_ Yahoo both say they there's no way the e-mail could have been sent out by either of them -- (and if the reporter is completely accurate about her sequence of events) -- how did the company get her e-mail address?

    Either someone's lying, is mistaken, or her e-mail address was "created" through some sort of bruteforce e-mail address creation application.

    Cheers,

    Mike...
  • by GCP ( 122438 ) on Saturday February 09, 2002 @05:16PM (#2980131)
    I think we should have a server feature that is configurable from the client. The client would be able to tell the server that if a message has certain characteristics, the server should respond to the sender in the same way it would respond if the address didn't exist at all.

    Any message that your client would filter into the trash, your client should be able to tell the server to bounce.

    Perhaps we could also use the "plus convention" to allow users to effectively manage their own email address(es). Many servers are set up so that if my assigned email address is fred@foo.com, then fred+[anystring]@foo.com is still sent to fred. Tell your friends to address you as fred+friend@foo.com, and then have your client sort the "+friend" messages into a friends folder.

    Why not be able to create a list of valid plus extensions in your client, which would then post them to the server? Why not be able to create your own rule for messages that arrive with no extension? You could instruct your client to instruct the server to accept them or to bounce them back to the sender as simply nonexistent addresses.

    You could create an extension in your client and specify an expiration date. Your client informs the server. Then you post your email address publicly, a Usenet question perhaps, and your server would accept responses until the date you specify, and then bounce everything thereafter as spam.

    With so many addresses expiring quickly and users able to get their servers to hide their non-expiring addresses from mail with certain characteristics, the spammers databases would become much less usable.

  • by Anonymous Coward on Saturday February 09, 2002 @05:18PM (#2980143)
    At the current rate of spam increasing everyones mail accounts will be made unusable with in the next 2 year or less.

    So people should just bounce all html mail. What ever mail client that you use. As almost all porn mails require to download images from somewhere or try run some Javascript.

    Report spam to ISP concerned and ask politely your ISPs to start implement RBL lists.

    If people do not stand up a shoud we dont want this junk, email will die.

    RIP 2002 Email accounts the world over.

  • Track down the scum (Score:2, Interesting)

    by www.sorehands.com ( 142825 ) on Saturday February 09, 2002 @05:20PM (#2980149) Homepage
    Put terms of use on your websites to prohibit email collection. Use a unique email address on the site, so it can be tracke.


    Then when the spammer emails to it, track them down, file a large lawsuit for copyright infringment, tresspass to chattel, computer tresspass and fraud.

    Bankrupt a few spammers, others may think twice before spamming

  • by javilon ( 99157 ) on Saturday February 09, 2002 @05:20PM (#2980150) Homepage
    I have got a better Idea.

    Somebody writes an e-mail system where sending messages cost money. Lets say 50 cents per message. That looks like a lot, but bare with me...
    You read the message, and, if you want it, you accept it and the operator cancels the charge. Otherwise the sender gets charged.
    You don't charge your friends, or any wanted mail but you do charge commercial entities and spammers (if you want).
    Money from charges goes to the mail operator, so it does make some $$$ from the service. But this $$$ don't come from you, unless you are adept to send unwanted mail.
    Now lets see how much do this 10-15 new customers cost: 15,000 cents x 50 cents / 10 new customers = 600$.
    That would be a day. For a year he would be charged about 200,000$.
    That would stop most spammers.
  • Re:Bellsouth = Spam (Score:2, Interesting)

    by linzeal ( 197905 ) on Saturday February 09, 2002 @05:21PM (#2980156) Journal
    Well until the tech workers unionize you are going to get shit on. I contracted for SBC and saw the same thing happen to a guy in project management who finnaly snapped and told a customer on a 700 million dollar deal that we can't get the VPN/DSL installs on time because we have no process or process engineer and no one wants to take responsibility for a 700 million dollar deal gone bad.
  • by BillTheKatt ( 537517 ) on Saturday February 09, 2002 @05:23PM (#2980160)
    I've been sending SPAM to abuse/postmaster/uce@ftc.gov for months, but most ISPs will just terminate the account if they even bother.
    We should be encouraging hackers to point their skills towards a noble goal: shutting down SPAMMER websites. SPAMMER's would take notice when their sites were hacked and redirected to Spamcop. And ISPs would really start to check accounts if their service became a transport for DDOS attacks against a SPAMMER.
    Come on hackers it's easy. Create a hotmail account and post just once to USENET. I'm still getting SPAM 4 years after posting 1 message to USENET with a real address. Do something positive to the Internet community for a change. Get to work hacking those jerks' sites!
  • by FyRE666 ( 263011 ) on Saturday February 09, 2002 @05:28PM (#2980189) Homepage
    I've been thinking about this...

    Facts:

    The only way to stop spammers is to make spamming unprofitable.

    Their profit depends upon harvesting usable email lists, so there's a chance some idiot will buy something after reading their garbage.

    Solution(?):

    Dilute their mailing lists with so much garbage they'll only actually send out one or two emails to real addresses for every X thousand mails sent to fake addresses.

    Method idea:

    What if I put together a quick CGI to generate pages with fake text (just paragraphs full of random picks from a dictionary + punctuation) plus randomly created email addresses. Then linked to the chain of 1000's of fake pages from one of the real pages of my sites? What if I allowed anyone to use this tool for their own sites, to generate 1000's more, or made an online tool to generate pages and email them on to people to upload for their websites?

    Anyone think this is a good idea? Obviously it's a trivial piece of scripting, but I think if major sites used something like this, it would seriously piss off a lot of these lowlifes...
  • by e_n_d_o ( 150968 ) on Saturday February 09, 2002 @05:29PM (#2980193)
    This is probably old news, but its just a thought.

    What if it were required by law that every company must track WHERE and WHEN they obtained any e-mail address that they send bulk messages to. If you requested to be removed from their list "recursively" the offending company would have to notify its provider. Each company would have to notify any company they bought the address from that you want your information kept PRIVATE. The recursive notification would only go UP the chain. I'd love if it they had to notify everyone they sold it to as well, but this might not be practical. Each provider would send you a message as they removed you from their list. Each company would have to keep your e-mail address on a black list for a period of time you specify (such as "until hell freezes over") and not send you further mesasges until that time elapses.

    You would have as evidence the date/time you were removed and would have grounds for damages in the event that someone repurchased your address from a provider or they didn't remove you.

    Until then, I'll just continue to give my email address out as myname_companyimgivingitto@mydomain.com
    So far, 99% of the spam is coming from myname_usenet@mydomain.com, which is about to be automatically filtered and deleted.
  • by trentfoley ( 226635 ) on Saturday February 09, 2002 @05:31PM (#2980201) Homepage Journal
    The popunder for the "World's Largest Casino." (NOT)

    If by (NOT), you mean the popunder did not happen, then disregard this post. Otherwise... I tried loading the msnbc page several times from various boxes and could not get a popunder to appear.

    Are you sure you don't have something installed inadvertently that creates these popunders? If you haven't already, give something like AdAware [lsfileserv.com] a try to see just what is lurking about.

    If you are absolutely sure that you are getting popunders from msnbc, then why the hell am I not getting them! I hate feeling left-out.

  • by sqlrob ( 173498 ) on Saturday February 09, 2002 @05:31PM (#2980204)
    What spammers sometimes do is to dictionary-attack

    That's one hell of a dictionary attack. From the article(emphasis mine):
    Using my name and a combination of six numbers, I created a few new accounts through free online services such as Microsoft Corp.'s Hotmail and Yahoo Inc.'s YahooMail.

  • by travisd ( 35242 ) <travisd@[ ]as.net ['tub' in gap]> on Saturday February 09, 2002 @05:35PM (#2980214) Homepage
    You mean line Wpoison? [monkeys.com]
  • by Saeculorum ( 547931 ) on Saturday February 09, 2002 @05:36PM (#2980219)
    GCP says: Perhaps we could also use the "plus convention" to allow users to effectively manage their own email address(es). Many servers are set up so that if my assigned email address is fred@foo.com, then fred+[anystring]@foo.com is still sent to fred. Tell your friends to address you as fred+friend@foo.com, and then have your client sort the "+friend" messages into a friends folder.

    I think that's a good idea, but only a short-term solution. If it ever becomes wide-spread, spammers will just use brute force and send emails to fred+%dictionary_word@foo.com. It wouldn't even be that hard - most likely, people would somewhere accidentally post their "secret" email address (which happens right now) and a spambot would pick that up. Above that, most people would use common words, "secret", "spam", "free", etc. There would be huge incentive to break the system for the spammer - if they're the first to find out how to bypass the secret system, their spams are able to be read by everyone, while other spams will be filtered out. It'll simply be a race to be the first spammer to be "heard".

    The solution must inevitably be, in my mind, to make spam cost something. Not necessarily money, but some sort of tangible resource. Various solutions have been proposed, all of which in my mind are not completely up to the task. However, they're the only effective long-term solution. So long as spam is free, there's no disadvantage to sending 1,000,000 emails to get one responce. I personally like Adam Backs' Hashcash program, which is at www.cypherspace.org/~adam/hashcash/> [cypherspace.org]. However, the site seems to be down at the moment, so one can use Google's quite convinient cache of it at http://www.google.com/search?q=cache:-g8yVfQ3vFwC: www.cypherspace.org/~adam/hashcash/ [google.com].
  • by ealar dlanvuli ( 523604 ) <froggie6@mchsi.com> on Saturday February 09, 2002 @06:21PM (#2980331) Homepage
    I'm currently a telemarketer to help cover college fees ($8/hour is really hard to pass up if you normally have trouble coming up with book money)

    I hate it, but its great money. I am not a good telemarketer by any means, and I refuse to coerce anyone, but I normally get enough sales by just being honest with the customer.

    I plan on quitting the moment I get a comparable paying job, fyi
  • > Perhaps we could also use the "plus convention" to
    > allow users to effectively manage their own email
    > address(es). Many servers are set up so that if my
    > assigned email address is fred@foo.com, then
    > fred+[anystring]@foo.com is still sent to fred.
    > Tell your friends to address you as
    > fred+friend@foo.com, and then have your client
    > sort the "+friend" messages into a friends folder.

    FWIW, I use qmail so I use a minus sign as opposed to a plus but I see your point.

    How about the opposite approach? Start an automated service running at foo.com . We create a dummy address dummy@foo.com . We create a whack of aliases: dummy-ebay, dummy-chapters, etc. We give each address to only company. Then we do metrics on the amount of spam inbound to each of these addresses and post results to the web.

    Are we still concerned with dictionary attacks? Then we make the suffix of the dummy address something essentially random... perhaps we md5 the name of the company and use that as a key. So dummy-chapters becomes dummy-c463e91ad6440efcf637a78054a11e06 . I find it pretty hard to believe that a dictionary attack is going to hit that address any time soon.

    Some of the spam protection agencies out there could set this up on anonymous domains. I can't think of any way to get more real-world testing.

    BTW, if there is some service out there that does this sort of thing then please feel free to add a followup to this post. It seems like a relatively intuitive idea so I doubt that I'm the first to think of it.

    --
    -mikecarrmikecarr
  • Soutions for ISPs (Score:2, Interesting)

    by dissy ( 172727 ) on Saturday February 09, 2002 @06:38PM (#2980375)
    While most filtering programs and package mentioned here are for the individual user, or one that has their own mail server, what would you suggest for ISPs to use?

    Its not possible to do the 'deny all, allow from a list' at the root level as you have no idea what customers will want to allow.
    RBL helps some of course, but not much.

    Subject filters help abit too but only for words you Know will be in spam, and sometimes it needs to be multiple words which means a spammer can rearange the subject and it will still get past.

    The ISP I work for has been in business for about 7 years now under the same domain name, and has been dictonary scanned/spammed so even when adding a new account chances are someone has been sending spam to that address for alot time before it existed.

    Blocking spam by the relay server used is not possible. I get over 500 spams a day to the normal administration addresses (staff hostmaster postmaster etc) and generally 475 of them are different servers. It would not be possible to filter them all, and even so the chances of the relay server being used a second time appears very low.

    Most of the 'server-wide' filter programs are designed to try and not block ligit email.
    Unfortunatly this means it blocks very little spam in the process.

    Would anyone know of any solutions we havent thought of?
  • by anthony_dipierro ( 543308 ) on Saturday February 09, 2002 @06:57PM (#2980424) Journal

    I create a new alias that bounces or /dev/null's email coming into that account.

    I've been doing this for a while (actually, I usually forward the spam back to the abuse address of the person who leaked the address), unfortunately, I've run into two problems:

    First of all, I have a somewhat popular domain name, and used to get lots of spam from people who lie about their email address and just put in blahblahblah@inbox.org. So to fix that I had to create a white-list rather than a black-list.

    The second problem is really a result of the fix to the first. I can't simply use ebay@inbox.org, etc, because that's too easy to guess (security through obscurity), so I have to make something up. Unfortunately, I can't really remember the made up names, and I don't always have access to inbox.org to set up the white list. So instead I have an MD5 scheme. Take the name of the site, a number (incremented whenever I want to change the email address), and a special "password". Put them together in a certain order, and MD5 it (http://pajhome.org.uk/crypt/md5/ is available on any computer with javascript). So for slashdot, my current email address is 4e9fd9f4624c02685096769364a81d95@inbox.org (which I have to change since I'm now getting spam every couple days to this address). I keep the numbers (and actually the usernames) in a list on a certain publically accessible web page (javascript DES protected of course). So wherever I am as long as I have javascript access, I never forget the information I put in.

    I just figured a new addition though. Put the domain name and the number in the beginning of the email address. So this email address would be slashdot14e9fd9f4624c02685096769364a81d95@inbox.or g (you don't need a separator since the MD5 is a fixed size?). The advantage is that I no longer have to have a white list in the first place, because the mail machine can simply check the full MD5.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Saturday February 09, 2002 @06:58PM (#2980427)
    Comment removed based on user account deletion
  • by sunhou ( 238795 ) on Saturday February 09, 2002 @08:44PM (#2980677)
    Any predictions for how long it will be until spammers have a valid (if temporary) reply-to address in their header, and a program that parses automatic replies from TMDA and jumps through the necessary hoop to be added to people's whitelists?

    Plus they'd have the added bonus of knowing it's a valid address. Although the disadvantage of knowing it's someone who hates spam enough to set up TMDA to avoid it... Actually, to answer my own question, I don't think spammers will bother unless a lot of people start running TMDA. But still, this is an evolutionary arms race, and TMDA is not the Weapon To End The War. It's a pretty good weapon, but as others have pointed out, some people just don't get it. I can just imagine my mom trying to understand the TMDA auto-response. And sure, I could add her to my whitelist ahead of time, but I've got some old friends I haven't heard from in a long time who occasionally track me down, and I think some of them would be just as confused.
  • by Anonymous Coward on Saturday February 09, 2002 @09:04PM (#2980732)
    9 times out of 10? Either you're lucky or you're making this up.

    I've been running a system with about 1500 users for a bit over 6 years. This means I have a LOT of people that no longer exist. I've been the admin since the system went online, and I know when many of these people left.

    There are some accounts that are STILL getting hammered, despite returning permanent failures for over 2 years. I finally had to come up with a process for blocking these twits for good - first by domain, and then in terms of the IP layer.

    So what happens now? I have a ton of incoming DNS queries from these idiots, since they can't get to my primaries. Now I have to start using Bind 9's views just to give them bogus DNS with a high TTL so they'll FOAD and stop pissing on my networks.

    Besides, look at the story of "Nadine" - there's an account that was _never_ valid, but it still gets sold to every spammer whore out there. Once they get an address - valid or not - you're screwed.
  • by guttentag ( 313541 ) on Saturday February 09, 2002 @10:10PM (#2980904) Journal
    In the article she says she set up several accounts but only gave one of those addresses to a third party (she bought a gift certificate from Borders). Less than a week later, the email address she gave to Borders began receiving more spam than the other addresses.

    The only difference between the accounts is that the one she divulged to Borders received more spam; therefore Borders sold her address (and who knows what else), despite the fact that Borders told her its "Privacy Policy" prohibits it from doing that. The only reason the reporter didn't write "Borders lied" is because then the WSJ could get slapped with a lawsuit.

    The lesson here is that companies are in no way obligated to tell you (or a WSJ reporter) the truth if it's not in their best interest. Companies imply that Privacy Policies are binding legal contracts, but they're not; they are statements of what the company thinks you want to hear.

  • Re:use filters.. (Score:2, Interesting)

    by duren686 ( 463275 ) on Saturday February 09, 2002 @10:18PM (#2980915) Homepage Journal
    abuse@warez.slashdot.org for those that have blocked their own domain.. For those not "in the know," warez.slashdot.org redirects to 127.0.0.1
  • by Technician ( 215283 ) on Saturday February 09, 2002 @10:38PM (#2980960)
    I had a paper trail on a snail mail issue I had with the Oregon Department of Transportation. I registered my new car (got plates). Due to a typo, my middle initial was wrong on the title and registration. I was going to correct it when I got a chance, but changed my mind when I got my first junk mail with the same mistake. After that, I decided not to correct the error. About 1/3 of my junk mail had that error for as long as I owned my car. About half the telemarketers also asked for me by that name. It was mostly chimney sweeps, re-financers, and vinyl siding salesmen. They were totaly useless calls as I was renting an apartment at that time and it didn't have a fireplace. I should have had them drop by for the free estimate to waste some of their time. Maybe they will get their demographic close enough to quit bothering me.
  • Re:Bellsouth = Spam (Score:2, Interesting)

    by Renraku ( 518261 ) on Saturday February 09, 2002 @11:07PM (#2981027) Homepage
    I don't think slander/libel applies to Internet message boards/chat rooms. Besides, I did NOT post my real name. I didn't post the company I work for. I posted it as an opinion. The funny part is that everyone I knew that worked there agreed with me on the subject. Thats like 30 people. When 31 people in one tech support place agree that email addresses are being sold as they're made, it should be a sign to the ISP that people know about it. Not a sign to fire people who like the truth to be out.
  • by Dominic_Mazzoni ( 125164 ) on Saturday February 09, 2002 @11:22PM (#2981067) Homepage
    Normally, spammers use bogus return addresses, right?

    So how about this: every time my computer receives an email, it initiates a connection to the sender and tries to send a reply message. If the sender's server accepts the email address, close the connection (i.e. cancel the message before it's finished). If the server rejects the email address, you know the return address is invalid, so you can throw away the message (or filter it into a different box).

    Of course, spammers might start to make the return addresses random (but valid) return addresses at yahoo, etc. - but that will just get Yahoo very, very mad, and they'll track down and sue the spammers.

    Probably never gonna happen, but I've never heard that particular idea before...

  • by Ilgaz ( 86384 ) on Sunday February 10, 2002 @04:24AM (#2981581) Homepage
    Notice the hotmail account guys who was tricked by the MSN Messanger setup talking about "We never gave our mails, not even using it but when we checked not to get it suspended , we figured there are 100 spams!"?

    A guy/gal using Hotmail gets heavily advertised to use and install MSN Messanger and some does it just to have a online mail checker for hotmail.

    Now the freaky part begins... http://news.com.com/2100-1001-833154.html

    Yes... With a not-so-advanced 133t jscript tactics, they can harvest your mail AND the mails of others unless they use a nickname. I don't see any reason like 90% of people would change their know Hotmail adresses to nicknames.

    More interestingly CNET reporter tries to say (I congratulated him for breaking that story btw) "It is not so serious". YES it is serious!

    For months I was telling my friends I am not using MSN messanger because I believe spammers/harvesters found a way to get my MSN signon name and spamming me. They called me paranoid, anti-ms but recent days they admitted "We don't know how too but there must be a way and we are getting spams"

    Can anyone tell me how that glitch isn't serious?

Anyone can make an omelet with eggs. The trick is to make one with none.

Working...