Tracking Spam to the Source

Posted by michael
from the hunt-the-wumpus dept.
cygnusx writes: "MSNBC is carrying a Wall Street Journal article on one reporter's attempts to track the spam she receives to the source. Armed with a few Hotmail and Yahoo accounts, reporter Stacy Forster actually responded to most of the barrage of spam she began to receive after a week or so. Not quite the best investigative journalism ever seen, but still a good glimpse (or so I thought) at those who send us those unloved missives about "exciting business opportunities" and "millions of $$$ waiting"."

  • Bellsouth = Spam (Score:5, Interesting)

    by Renraku (518261) on Saturday February 09, 2002 @03:48PM (#2980056)
    When I signed up for their ADSL service, I used a very odd username which I haven't used before, nor have I ever seen. I checked my email a day (after the account was made, not after I got DSL) later and guess what? Two emails from Bellsouth, one from some porn company. I posted my findings to DSL reports, and got fired from my tech support job at Bellsouth DSL for that.
    • by Pituritus Ani (247728) on Saturday February 09, 2002 @04:13PM (#2980122)
      Did you contact an attorney about suing for wrongful termination? Can you provide a link to your post?
      • Wrongful termination for what? If you're working for a company, and you speak out about them, they have every right to fire you. I've seen it happen before.
        • In the case of unsolicited email maybe a whistleblower's defense would've protected him.
        • They may technically have a legal right, but they certainly don't have a moral one.

          And laws aren't that cut and dried, and various states and localities have laws to protect workers from this and similar kinds of capriciousness. In fact, some companies unknowingly tie their own hands with internal policies allowing grievances, etc. An attorney can help exhaust those options--a legal aid attorney can help a wrongly (legally or morally) terminated worker in this kind of situation at least cost their former employer some time and money, and maybe even obtain some severance in return for a promise not to sue. And if that doesn't work, he can always pursue an Office Space type remedy :).

    • Re:Bellsouth = Spam (Score:2, Interesting)

      by linzeal (197905)
      Well until the tech workers unionize you are going to get shit on. I contracted for SBC and saw the same thing happen to a guy in project management who finally snapped and told a customer on a 700 million dollar deal that we can't get the VPN/DSL installs on time because we have no process or process engineer and no one wants to take responsibility for a 700 million dollar deal gone bad.
    • This happens with Pacific Bell (PacHell to those in CA) too. Never used my e-mail account for anything but sending messages (which have a different reply to address) and I got spam.

      On another note I think what irks me the most is companies like Outpost.com who have a link to unsubscribe, but somehow you keep getting their crap...
  • Just use PINE and... (Score:4, Interesting)

    by Colin Bayer (313849) <vogonNO@SPAMicculus.org> on Saturday February 09, 2002 @03:49PM (#2980058)
    turn on "enable-bounce-cmd" in your prefs. Open the spam, hit "B", tippity-tap out the source e-mail address (or flex your gpm muscles if you're so inclined), and off it goes back to the sender; alternately, do your best to fudge a mailer daemon bounce. When they get the message, 9 times out of 10, they stop sending. Failing that, just redirect known bad domains (I do this with Yahoo and Hotmail because I don't know anybody who uses those accounts) into a spam folder; check it occasionally to make sure the signal-to-noise ratio is non-zero.

    It's not worth getting all hot and bothered over some "INCREDIBLE MONEY MAKING OPPORTUNITY" someone felt like telling you about.

    On another note, check out somethingawful's pranks section under spam for Lowtax's take on the whole thing. :)
    • by forkboy (8644) on Saturday February 09, 2002 @03:54PM (#2980073)
      I bet that works great when the source address is spoofed.

      • Or they're trying to make you *think* it's spoofed.

        You'll be sending bounce messages back and forth for years.

    • i just close my eyes and hope it goes away.

      luckily outlook crashes before i open my eyes again. (karma whoring microsoft bashing there, i find it moderately stable nowadays)
    • by stego (146071)
      Select Message->Bounce to Sender, or Option-Command-B if you do this often...
    • by walt-sjc (145127) on Saturday February 09, 2002 @05:34PM (#2980365)
      Bouncing spam after it's in your inbox is useless. Since most spam is forged, all this will do for you is get you another email from "Yahoo" (or whoever the spammer used as a forged address) claiming the user is unknown.

      Spam has to be bounced at the SMTP server level before reception is complete to be effective at all, and even at this point it's usually pointless as the spammer is probably just bouncing off some random open relay in China. All this will do is fill up the clueless administrator's mailbox of the relay in China with bounce messages. Maybe this will cause them to close their open relay, but with hundreds of thousands more open relays to choose from, it does little good in the overall picture.

      Spammers have found another method too. Relay through some lammer's poorly-configured wingate or squid proxy.

      Use spamcop, bounce messages, write nasty notes all you want, but you will not make a dent in the spam problem.

      The only thing you can do that might have ANY impact at all would be to complain to your congressmen that they need to outlaw spam. Once laws are in place we can sue the pants off these assholes, and maybe even get them some jail time.

      What scares me more than the "make money quick" or "loose 150 lbs in 10 minutes" spams are the pseudo-legit type used by businesses.

      Think about that... If only 1% of American businesses decided to use spam, and they only sent one spam email a year to 1% of the population, that's still thousands of messages A week per person!

      With all the filters I have setup, I block about 600 spam attempts per day to my server, another 50 or so a day get filtered into a spam folder automatically, and about 2 or so a day get all the way through to my main inbox folder. This is on an email address I've had for 7 years, so just about every spammer seems to hit it.

      Considering that I only get about 100 legit emails a day (including several mailing lists) I'd say the problem is WAY out of hand. With the levels of spam increasing about 10% per month, my guess is that we have about a year left before email is completely saturated with spam making it impossible to communicate.

      So Please, do as I have and write a physical letter (no emails, they just junk those) to your congress critters (or whatever government officials you have in your country that pass laws) to ban spam.
  • by oregon (554165) on Saturday February 09, 2002 @03:50PM (#2980059)
    junkbuster [junkbusters.org] blocked 15 images from loading in that one article.
  • The popunder for the "World's Largest Casino." (NOT)
    • The popunder for the "World's Largest Casino." (NOT)

      If by (NOT), you mean the popunder did not happen, then disregard this post. Otherwise... I tried loading the msnbc page several times from various boxes and could not get a popunder to appear.

      Are you sure you don't have something installed inadvertently that creates these popunders? If you haven't already, give something like AdAware [lsfileserv.com] a try to see just what is lurking about.

      If you are absolutely sure that you are getting popunders from msnbc, then why the hell am I not getting them! I hate feeling left-out.

      • If you are absolutely sure that you are getting popunders from msnbc, then why the hell am I not getting them! I hate feeling left-out.

        MSNBC does random popup ads, in that not every time you load the page will an ad be displayed, but if you browse around on the site enough, or just get unlucky, you'll get a pop-up. I'm not sure I've ever seen a pop-under ad on MSNBC, but then I use a combination of Adzap [zip.com.au] with my Squid proxy and NoPopIE [daishar.com] with Internet Explorer to banish most advertisements and popups. You may be using similar things, if you're never seeing popups on MSNBC.

  • Recommendation (Score:5, Informative)

    by doorbot.com (184378) on Saturday February 09, 2002 @03:51PM (#2980063)
    The article says the FTC recommends that you forward all of your spam to uce@ftc.gov. I know I will be doing so from now on...
  • by spacefem (443435) on Saturday February 09, 2002 @03:56PM (#2980079)
    One spammer interviewed in the article says he sends out about 15,000 spam messages a day and gets 10-15 new customers out of that. So I guess the message about spam we send to these people is that it's worth it.

    It feels like we're kinda stuck - it's annoying and stupid, but spam is here to stay. That 1/1000 is a good enough target for these businesses, and e-mail addresses are so cheap to get they might as well go for it. The only thing I can think of is being extra careful to NEVER look into an e-mail that even looks like spam - don't go to the website, don't buy the product, even if it could be interesting.

    I once asked a telemarketer if he hated his life, he said he did. I thought it was kinda funny that he admitted it straight out - it was proof that the underbelly world of cheap advertising is evil.
    • by oregon (554165) on Saturday February 09, 2002 @04:01PM (#2980093)
      NEVER look into an e-mail that even looks like spam

      Absolutely, these HTML mails are dangerous with their 1x1 gifs with a custom URL so "they" know you've read the message.

      I check the source and add the urls to junkbuster's list. If the filters don't get the mail, then the images still don't get requested.
    • by javilon (99157) on Saturday February 09, 2002 @04:20PM (#2980150)
      I have got a better idea.

      Somebody writes an e-mail system where sending messages costs money. Let's say 50 cents per message. That looks like a lot, but bear with me...
      You read the message, and, if you want it, you accept it and the operator cancels the charge. Otherwise the sender gets charged.
      You don't charge your friends, or any wanted mail but you do charge commercial entities and spammers (if you want).
      Money from charges goes to the mail operator, so it does make some $$$ from the service. But this $$$ doesn't come from you, unless you are apt to send unwanted mail.
      Now let's see how much these 10-15 new customers cost: 15,000 cents x 50 cents / 10 new customers = 600$.
      That would be a day. For a year he would be charged about 200,000$.
      That would stop most spammers.
      • what happens when one of the spammers spoofs YOUR email address? :)
        Ouch.
      • But what if you still want to receive e-mail from your grandfather who uses Windows XP (which doesn't support the new protocol) and doesn't want to upgrade because he has been using it for years?

        I can hardly imagine phasing out SMTP any time soon despite all its problems.

        Another question. Would you want to block an e-mail operator in China that only charges 1 cent? What if you have friends in China? Or should the United States break all ties to all countries that charge less, even though the average salary in those countries is 100 times less than in the US?

      • You mean like E-Stamps [templetons.com]? Or perhaps you'd settle for a non-monetary payment like Hash Cash [cypherspace.org]? I don't believe that either of these systems can prove to be very useful, because spammers simply won't adopt them. You can start refusing mail from everyone who doesn't support them if you like, and that will certainly solve your spam problem, because the chances are you won't get any mail anymore.

        In my experience so far, the only way to run a fairly spam-proof SMTP server is to be utterly ruthless with blacklisting. Blacklist insanely large portions of IP space, but configure your SMTP server to produce a bounce message which describes a way around the block (like a postmaster address, or something). A legitimate sender should receive and read the bounce (unless they have one of those ghastly SMTP servers which discards error message text and "helpfully" translates it into "the user does not exist"), whereas a spammer is likely to ignore it. If someone responds to the bounce message in the manner described, whitelist the associated IP address. Spammers send out so much mail that they can't attend to every bounce message personally. (And contrary to some opinions I've seen expressed elsewhere in this article, I've yet to see any evidence that spammers remove addresses which consistently bounce.)

        Another possibility is to use the "MAIL From:" address: construct a whitelist of names from whom you will accept mail, and bounce all the others with a similar "how to get around this" message. As before, add the address of any such person who reads the bounce message to your whitelist. Note that both of these techniques could, in principle, be automated. Note also that although a spammer can trivially forge the "MAIL From:" address, it's not nearly so trivial to match every "RCPT To:" address with a whitelisted "MAIL From:" address.

        I don't pretend that the above approach to spam-blocking is polite, but rather that it's the only one I've found to be very effective, given the limitations of SMTP. Most people are quite horrified at the number of IP addresses I blacklist: one spam from an open relay is usually enough to convince me to blacklist that IP address at the class B level (approx 65,000 IP addresses in its neighbourhood). It's not about raw numbers, though: it's about the impact that it has on your mail service. If I'm never likely to receive a legitimate email from that IP range, then why not blacklist it?

        Ultimately, though, the solution will be to replace SMTP with a protocol that recognises one simple fact that SMTP does not: parties engaging in mail exchange are potentially hostile to each other, and thus the protocol must only allow progress when there is mutual agreement between the parties that the transaction should go ahead. IM2000 [cr.yp.to] is an interesting and potentially useful proposal, for example, albeit a bit short on details (and stagnant, judging by the recent lack of traffic on the mailing list). As it happens, I've chosen to make this problem (replacing SMTP) the subject of my Honours thesis, and that's due to be finished by July. Whether or not my proposals will actually be adopted by anyone is a different matter, of course.
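The two blocking techniques this post describes, as an added example that is not the poster's own code: an SMTP-time policy that blacklists a spam source at the /16 level, refuses with a reply text telling a human how to get exempted, optionally requires a whitelisted MAIL FROM, and whitelists whoever follows the instructions. The exemption mailbox and every IP address and sender here are constructed.

```python
# Added example, not code from the post's author. Decisions are made inside the
# SMTP dialogue (550 at RCPT TO) rather than by bouncing after acceptance, so the
# text reaches the sending server and a forged MAIL FROM produces no backscatter.
import ipaddress
from dataclasses import dataclass, field

EXEMPTION_ADDRESS = "block-exemption@example.org"   # assumed mailbox read by a human


@dataclass
class SmtpPolicy:
    require_known_sender: bool = False          # the "MAIL From:" whitelist variant
    blocked_nets: list = field(default_factory=list)
    whitelisted_ips: set = field(default_factory=set)
    whitelisted_senders: set = field(default_factory=set)

    def blacklist_source(self, client_ip: str) -> ipaddress.IPv4Network:
        """One spam from an open relay: block its whole /16 ("class B") neighbourhood."""
        ip = ipaddress.ip_address(client_ip)
        if ip.version != 4:
            raise ValueError("class-B style blocking is defined here for IPv4 only")
        net = ipaddress.ip_network(f"{ip}/16", strict=False)   # 203.0.113.5 -> 203.0.0.0/16
        if net not in self.blocked_nets:
            self.blocked_nets.append(net)
        return net

    def whitelist_after_reply(self, client_ip: str, sender: str) -> None:
        """Someone read the rejection text and wrote to the exemption address."""
        self.whitelisted_ips.add(str(ipaddress.ip_address(client_ip)))
        self.whitelisted_senders.add(sender.lower())

    def check_rcpt(self, client_ip: str, mail_from: str, rcpt_to: str) -> tuple[int, str]:
        """SMTP reply (code, text) to give at RCPT TO time."""
        ip = ipaddress.ip_address(client_ip)
        sender = mail_from.lower()
        how_to = (f"5.7.1 Mail from {client_ip} is refused because of spam from its "
                  f"neighbourhood. A human sender can write to {EXEMPTION_ADDRESS} "
                  f"from this server to be whitelisted.")
        if rcpt_to.lower() == EXEMPTION_ADDRESS:    # the way around the block stays open
            return 250, "2.1.5 Recipient OK"
        if str(ip) in self.whitelisted_ips or sender in self.whitelisted_senders:
            return 250, "2.1.5 Recipient OK (whitelisted)"
        if any(ip in net for net in self.blocked_nets):   # v6 client never matches a v4 net
            return 550, how_to
        if self.require_known_sender:
            return 550, how_to.replace("because of spam from its neighbourhood",
                                       "because the sender is not on the whitelist")
        return 250, "2.1.5 Recipient OK"
```

The whitelist-by-sender variant still lets through a forged MAIL FROM that happens to match a whitelisted address, which is the limitation the post itself notes.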

    • by dangermouse (2242) on Saturday February 09, 2002 @04:24PM (#2980169)
      The only thing I can think of is being extra careful to NEVER look into an e-mail that even looks like spam

      I looked at the trap, Ray.

    • Though refusing to read spam and installing spam filters help clear the inboxes of ./ users, they won't discourage the bulk-spammers of the world. Make-money-fast marketers aren't targeting sophisticated Internet users, they're looking for the newbies and the gullible, folks who don't use filters.

      Even worse, sellers with legitimate products (such as Orbitz and X10) will always find spamming cost-effective. It's not the response rate that's attractive, it's the cost.
  • by Flavio (12072) on Saturday February 09, 2002 @03:56PM (#2980080)
    ... was to install Spambouncer [spambouncer.org], which is a large set of procmail filters.

    Before installing it, I got ~20 spam messages a day. Now I get at most 1-2 a week. Spambouncer does come with very restrictive default settings, though. For example, you must specify if you want to receive email from free web mail services like Yahoo and Hotmail, otherwise it'll filter those out.

    It also logs everything it does and has the option of sending blocked email to a file instead of /dev/null in the case it filters something it shouldn't.

    In my case the only inconvenience was it blocked legitimate email from Amazon.com and eBay -- these are filled with disclaimers and have HTML, which Spambouncer doesn't like to see. In any case, it's easy to mark those domains as safe and start receiving their email again.
    • Stop all the spam? Well, it can be done, but we all have to realize a few things and make some changes. And it will take a little while.

      Sorry this is long -- please bear with me.

      We need to realize or accept these things:

      1. We absolutely cannot directly control the behavior of all the spammers. No law is going to stop all of them from sending spam. No law enforcement agency is going to search all of them out and prosecute all of them. No punitive action (legal or otherwise) by a group of users is going to dissuade all of them. And if we don't stop all of them, there will still be spam in our mailboxes. We can safely give up on this kind of thing.

      2. The problem with spam is not that they send it, but that we receive it and it's in our faces when we want to read our real email, and it's annoying to have to deal with it. So we need to stop worrying about the sending of the spam. We have to handle it at the receiving end (our end).

      3. The spammers will continue to be motivated to send spam because it works often enough to be profitable for them.

      4. Inbound mail filtering on addresses or message content will never go far enough. Some spam (new junk from new sources) will continue to get through, and the spammers will be encouraged enough to continue.

      Solving the problem means making a couple of changes -- one fundamental (about the way we think about email) and one sweeping (across as many email systems as possible):

      1. The fundamental part -- we must change the way we think about accepting email from unidentified senders. It is the acceptance of mail from unverified sources that allows spam to work at all.

      2. The sweeping-change part -- we need to implement (or lobby for) verified-sender mail delivery systems everywhere, and get it to be the default delivery mechanism for new accounts. These are the kind of systems (like TMDA) that use whitelists to allow mail to be delivered, while all other inbound mail (except the blacklist) gets an auto-response with a code - the sender is asked to reply to the auto-response in order to get their original mail delivered. Responders are added to the whitelist. People will get used to the verification process -- it isn't terribly burdensome.

      Anyway, if no response comes back in X days, the message may be discarded, optionally adding the sender's address to a blacklist.

      This kind of delivery system stops spam because of the very nature of spam -- the sender never looks at replies to his spam. Think about it.

      It isn't necessary to use TMDA -- it's just one example of this kind of system. I ended up writing my own system with scripts and procmail. I'm down from 30-40 spams per day to zero, and my email is usable again.

      If we do this across the board and make it the default condition for new accounts, spam will stop working for those who use it. When the response rate drops to zero, they'll quit spending money on it.

      This does not address the issue of the cost of receiving the spam (for those who pay by the byte), but if we can make it all dry up and go away by making it stop working, that problem would solve itself.

      Disclaimer: this is all opinion, of course. Your mileage may vary.

  • Harris Poll/MS spam (Score:2, Informative)

    by dickens (31040)
    Anyone else received an unsolicited email inviting them to participate in a Harris Poll for Microsoft? Sort of a "how are we doing" type of thing?

    It took a little guts, but after 2nd and 3rd thoughts I reported it via spamcop.

    Not sure if I'll take the poll anyway. I think it sucks that MS has me on their list. Maybe they scraped microsoft.public.???.
  • To remove some of my spam I added filters. Basically filter your email on your email address. This filters out email sent to friend@friend.com mail messages. This alone reduced my spam. Next make sure you set your default email user in your web browser to boo@foo.com or something fake NOT your real email address. Next set up a free web account and when you hand it out to places on the web that require email addresses use that one. Also try filtering out mail that has no subject and/or no date in it, this is often spam. Lastly don't post your email address on the web.
  • by chrysalis (50680) on Saturday February 09, 2002 @04:11PM (#2980114)
    Instead of using SPAM filters (accept everything by default, deny some mails according to filters), a new and very efficient approach is to do like firewalls:
    • Deny everything by default
    • Only accept mails from known sources.

    Software like TMDA [sourceforge.net] implements this. When a mail comes from an unknown source, an automatic confirmation mail is sent by the script. If the sender acknowledges, his address will be added to the 'whitelist'. No more confirmation will be needed.
    This is extremely efficient, and it basically reduces the SPAM actually delivered to your mailbox to zero.
    Just don't forget to manually add mailing-lists you're subscribed to, to the 'whitelist'.
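A working model of the verified-sender delivery that this post and the longer "Stop all the spam?" post above describe, added here as an example; it is neither TMDA's code nor the posters'. The secret, the injectable clock, the hold period and every address and message are constructed.

```python
# Added example (not TMDA, not the posters' code). Whitelisted senders are
# delivered, blacklisted ones dropped, everyone else is held and challenged with
# a confirmation code. A reply quoting the code whitelists the sender and
# releases the held mail. Held mail older than HOLD_DAYS is discarded, optionally
# blacklisting the sender. Mailing lists have to be whitelisted by hand.
import hashlib
import hmac
import re
import time

HOLD_DAYS = 7                                   # the "X days" of the post; assumed value
SECRET = b"constructed-demo-secret-change-me"   # keyed so a code cannot be guessed
CODE_RE = re.compile(r"\b([0-9a-f]{16})\b")


def confirmation_code(sender: str, message_id: str) -> str:
    """Code bound to one sender and one message, so it cannot be reused for another."""
    mac = hmac.new(SECRET, f"{sender.lower()}|{message_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


class Gateway:
    def __init__(self, clock=time.time):        # clock() returns seconds; injectable for tests
        self.clock = clock
        self.whitelist = set()
        self.blacklist = set()
        self.pending = {}        # code -> (sender, body, deadline in seconds)
        self.delivered = []      # (sender, body) handed to the real mailbox
        self.outbound = []       # (to, text) challenges sent out

    def whitelist_sender(self, addr: str) -> None:
        """Manual entry, e.g. a mailing list, which would never answer a challenge."""
        self.whitelist.add(addr.lower())

    def receive(self, envelope_sender: str, message_id: str, body: str) -> str:
        """Returns 'delivered', 'held' or 'dropped'."""
        s = envelope_sender.lower()
        if s == "":                 # null sender = a bounce; never challenge it, or the
            return "dropped"        # gateway would answer bounces with yet more mail
        if s in self.blacklist:
            return "dropped"
        if s in self.whitelist:
            self.delivered.append((s, body))
            return "delivered"
        code = confirmation_code(s, message_id)
        self.pending[code] = (s, body, self.clock() + HOLD_DAYS * 86400)
        self.outbound.append((s, f"Your mail is being held. Reply quoting code {code} "
                                 f"within {HOLD_DAYS} days and it will be delivered."))
        return "held"

    def confirm(self, envelope_sender: str, reply_body: str) -> bool:
        """A reply quoting a valid, unexpired code from the same sender releases the mail."""
        s = envelope_sender.lower()
        for code in CODE_RE.findall(reply_body):
            entry = self.pending.get(code)
            if entry is None or entry[0] != s or self.clock() > entry[2]:
                continue
            del self.pending[code]
            self.whitelist.add(s)          # later mail from this sender goes straight through
            self.delivered.append((s, entry[1]))
            return True
        return False

    def expire(self, blacklist_expired: bool = False) -> int:
        """Discard held mail nobody confirmed; spammers never read their replies."""
        now = self.clock()
        stale = [code for code, (_, _, deadline) in self.pending.items() if now > deadline]
        for code in stale:
            sender = self.pending.pop(code)[0]
            if blacklist_expired:
                self.blacklist.add(sender)
        return len(stale)
```

Challenges go to the envelope sender, so when that address is forged the challenge lands on an innocent third party, which is the spoofing objection raised earlier in this thread.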

    • I don't think the firewall concept can be used for spam filters. Firewalls work on the concept that you want to keep everyone out except for a select few. Spam filters work on the concept that you want to allow everyone but a select few. With email, you never know who will email you and/or from what email address. Let's just take this to a corporate environment. If a sales associate or a CEO takes the configuration you recommend, they would lose out on a number of new contacts. They would have to manually enter in an email _before_ it is actually sent to the address. There would be way too many false positives that would be picked up.

      The idea is good for personal email accounts where you know only a select number of people will be emailing that account. But to the most part, at least one email account has to be open to the public.
    • Any predictions for how long it will be until spammers have a valid (if temporary) reply-to address in their header, and a program that parses automatic replies from TMDA and jumps through the necessary hoop to be added to people's whitelists?

      Plus they'd have the added bonus of knowing it's a valid address. Although the disadvantage of knowing it's someone who hates spam enough to set up TMDA to avoid it... Actually, to answer my own question, I don't think spammers will bother unless a lot of people start running TMDA. But still, this is an evolutionary arms race, and TMDA is not the Weapon To End The War. It's a pretty good weapon, but as others have pointed out, some people just don't get it. I can just imagine my mom trying to understand the TMDA auto-response. And sure, I could add her to my whitelist ahead of time, but I've got some old friends I haven't heard from in a long time who occasionally track me down, and I think some of them would be just as confused.
  • by writermike (57327) on Saturday February 09, 2002 @04:13PM (#2980121)
    I want to know about one more part of the story.

    She says she signed up a Yahoo account, bought one book from Borders.com and promptly received spam thereafter.

    Sooooo.... if Borders _and_ Yahoo both say there's no way the e-mail could have been sent out by either of them -- (and if the reporter is completely accurate about her sequence of events) -- how did the company get her e-mail address?

    Either someone's lying, is mistaken, or her e-mail address was "created" through some sort of bruteforce e-mail address creation application.

    Cheers,

    Mike...
    • Borders and Yahoo just said they didn't sell the address.

      The spammer said he used "an e-mail harvesting program called Target 2001 ... [which] ... scans Web sites and databases for addresses."

      So it is possible that neither Borders nor Yahoo is lying ... but that there is a security/privacy flaw in one or both of the sites which lets the address be harvested.
    • In the article she says she set up several accounts but only gave one of those addresses to a third party (she bought a gift certificate from Borders). Less than a week later, the email address she gave to Borders began receiving more spam than the other addresses.

      The only difference between the accounts is that the one she divulged to Borders received more spam; therefore Borders sold her address (and who knows what else), despite the fact that Borders told her its "Privacy Policy" prohibits it from doing that. The only reason the reporter didn't write "Borders lied" is because then the WSJ could get slapped with a lawsuit.

      The lesson here is that companies are in no way obligated to tell you (or a WSJ reporter) the truth if it's not in their best interest. Companies imply that Privacy Policies are binding legal contracts, but they're not; they are statements of what the company thinks you want to hear.

    • by Technician (215283) on Saturday February 09, 2002 @09:38PM (#2980960)
      I had a paper trail on a snail mail issue I had with the Oregon Department of Transportation. I registered my new car (got plates). Due to a typo, my middle initial was wrong on the title and registration. I was going to correct it when I got a chance, but changed my mind when I got my first junk mail with the same mistake. After that, I decided not to correct the error. About 1/3 of my junk mail had that error for as long as I owned my car. About half the telemarketers also asked for me by that name. It was mostly chimney sweeps, re-financers, and vinyl siding salesmen. They were totally useless calls as I was renting an apartment at that time and it didn't have a fireplace. I should have had them drop by for the free estimate to waste some of their time. Maybe they will get their demographic close enough to quit bothering me.
  • from the story.. (Score:2, Informative)

    by Suppafly (179830)
    The FTC encourages consumers to forward unsolicited commercial spam to uce@ftc.gov.

    Guess I have someone else than abuse.net to forward unsolicited spam to now..
  • by GCP (122438) on Saturday February 09, 2002 @04:16PM (#2980131)
    I think we should have a server feature that is configurable from the client. The client would be able to tell the server that if a message has certain characteristics, the server should respond to the sender in the same way it would respond if the address didn't exist at all.

    Any message that your client would filter into the trash, your client should be able to tell the server to bounce.

    Perhaps we could also use the "plus convention" to allow users to effectively manage their own email address(es). Many servers are set up so that if my assigned email address is fred@foo.com, then fred+[anystring]@foo.com is still sent to fred. Tell your friends to address you as fred+friend@foo.com, and then have your client sort the "+friend" messages into a friends folder.

    Why not be able to create a list of valid plus extensions in your client, which would then post them to the server? Why not be able to create your own rule for messages that arrive with no extension? You could instruct your client to instruct the server to accept them or to bounce them back to the sender as simply nonexistent addresses.

    You could create an extension in your client and specify an expiration date. Your client informs the server. Then you post your email address publicly, a Usenet question perhaps, and your server would accept responses until the date you specify, and then bounce everything thereafter as spam.

    With so many addresses expiring quickly and users able to get their servers to hide their non-expiring addresses from mail with certain characteristics, the spammers databases would become much less usable.

    • by Saeculorum (547931) on Saturday February 09, 2002 @04:36PM (#2980219)
      GCP says: Perhaps we could also use the "plus convention" to allow users to effectively manage their own email address(es). Many servers are set up so that if my assigned email address is fred@foo.com, then fred+[anystring]@foo.com is still sent to fred. Tell your friends to address you as fred+friend@foo.com, and then have your client sort the "+friend" messages into a friends folder.

      I think that's a good idea, but only a short-term solution. If it ever becomes widespread, spammers will just use brute force and send emails to fred+%dictionary_word@foo.com. It wouldn't even be that hard - most likely, people would somewhere accidentally post their "secret" email address (which happens right now) and a spambot would pick that up. Above that, most people would use common words, "secret", "spam", "free", etc. There would be huge incentive to break the system for the spammer - if they're the first to find out how to bypass the secret system, their spams are able to be read by everyone, while other spams will be filtered out. It'll simply be a race to be the first spammer to be "heard".

      The solution must inevitably be, in my mind, to make spam cost something. Not necessarily money, but some sort of tangible resource. Various solutions have been proposed, all of which in my mind are not completely up to the task. However, they're the only effective long-term solution. So long as spam is free, there's no disadvantage to sending 1,000,000 emails to get one response. I personally like Adam Back's Hashcash program, which is at www.cypherspace.org/~adam/hashcash/ [cypherspace.org]. However, the site seems to be down at the moment, so one can use Google's quite convenient cache of it at http://www.google.com/search?q=cache:-g8yVfQ3vFwC:www.cypherspace.org/~adam/hashcash/ [google.com].
    • > Perhaps we could also use the "plus convention" to
      > allow users to effectively manage their own email
      > address(es). Many servers are set up so that if my
      > assigned email address is fred@foo.com, then
      > fred+[anystring]@foo.com is still sent to fred.
      > Tell your friends to address you as
      > fred+friend@foo.com, and then have your client
      > sort the "+friend" messages into a friends folder.

      FWIW, I use qmail so I use a minus sign as opposed to a plus but I see your point.

      How about the opposite approach? Start an automated service running at foo.com. We create a dummy address dummy@foo.com. We create a whack of aliases: dummy-ebay, dummy-chapters, etc. We give each address to only one company. Then we do metrics on the amount of spam inbound to each of these addresses and post results to the web.

      Are we still concerned with dictionary attacks? Then we make the suffix of the dummy address something essentially random... perhaps we md5 the name of the company and use that as a key. So dummy-chapters becomes dummy-c463e91ad6440efcf637a78054a11e06 . I find it pretty hard to believe that a dictionary attack is going to hit that address any time soon.

      Some of the spam protection agencies out there could set this up on anonymous domains. I can't think of any way to get more real-world testing.

      BTW, if there is some service out there that does this sort of thing then please feel free to add a followup to this post. It seems like a relatively intuitive idea so I doubt that I'm the first to think of it.

      --
      -mikecarr
  • by whipping_post (521700) on Saturday February 09, 2002 @04:17PM (#2980134) Homepage
    ...the reporter could have gotten more info if she didn't keep telling these people that she is a reporter?!?!

    How's this for investigative journalism?
    1. Locate Spammers
    2. Call and explain to spammers that you are a reporter
    3. Determine if spammer has hung up
    4. If step 3 is yes, call spammer back and leave message
    5. Repeat
    • People say things "off the record" all the time.

      If reporters print things without unveiling the fact that they're a reporter, it's mostly just unethical journalism, which can actually get you in trouble - because since you didn't announce that you were doing an interview, you don't have legal proof that the guy said everything (and agrees with everything) he said. If that stuff is bad stuff, he can sue you for libel.
  • Put terms of use on your websites to prohibit email collection. Use a unique email address on the site, so it can be tracked.


    Then when the spammer emails it, track them down, file a large lawsuit for copyright infringement, trespass to chattel, computer trespass and fraud.

    Bankrupt a few spammers, and others may think twice before spamming.

  • by Seth Finkelstein (90154) on Saturday February 09, 2002 @04:21PM (#2980154) Homepage Journal
    Quoth the writer:

    In only one of the e-mail accounts, I provided all of the information requested (name, address, demographics, etc.) during the registration process, and I used this e-mail address just one time - to purchase a gift certificate from Borders.com. Less than a week later, the spam started rolling in - jamming the in-box with more spam than the other new accounts I had created.
    The writer seems to think spammers couldn't get the address unless they got it from Borders.com. This may be unfair. What spammers sometimes do is to dictionary-attack ISPs, trying lists of usernames (after all, what do they care if the mail bounces - it's not like it's THEIR problem ...). Once they find an address that works (by not having it bounce), they sell it to other spammers as a "verified" address. I saw something similar happen where an account I only used to receive a few mailing lists (never send) suddenly received a huge upsurge in spam. The list-maintainers were above reproach; they hadn't sold the user list. What seems to have happened is that a spammer found the address in a dictionary-attack, and then it was all over ... :-(

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

    • What spammers sometimes do is to dictionary-attack

      That's one hell of a dictionary attack. From the article (emphasis mine):
      Using my name and a combination of six numbers, I created a few new accounts through free online services such as Microsoft Corp.'s Hotmail and Yahoo Inc.'s YahooMail.

  • I've been sending SPAM to abuse/postmaster/uce@ftc.gov for months, but most ISPs will just terminate the account if they even bother.
    We should be encouraging hackers to point their skills towards a noble goal: shutting down SPAMMER websites. SPAMMERs would take notice when their sites were hacked and redirected to Spamcop. And ISPs would really start to check accounts if their service became a transport for DDOS attacks against a SPAMMER.
    Come on hackers, it's easy. Create a hotmail account and post just once to USENET. I'm still getting SPAM 4 years after posting 1 message to USENET with a real address. Do something positive for the Internet community for a change. Get to work hacking those jerks' sites!
  • I've been thinking about this...

    Facts:

    The only way to stop spammers is to make spamming unprofitable.

    Their profit depends upon harvesting usable email lists, so there's a chance some idiot will buy something after reading their garbage.

    Solution(?):

    Dilute their mailing lists with so much garbage they'll only actually send out one or two emails to real addresses for every X thousand mails sent to fake addresses.

    Method idea:

    What if I put together a quick CGI to generate pages with fake text (just paragraphs full of random picks from a dictionary + punctuation) plus randomly created email addresses. Then linked to the chain of 1000's of fake pages from one of the real pages of my sites? What if I allowed anyone to use this tool for their own sites, to generate 1000's more, or made an online tool to generate pages and email them on to people to upload for their websites?

    Anyone think this is a good idea? Obviously it's a trivial piece of scripting, but I think if major sites used something like this, it would seriously piss off a lot of these lowlifes...
    • You mean like Wpoison? [monkeys.com]
    • don't forget this [slashdot.org]
      and there exist tools like wpoison [google.com] (the better one I came across while googlewhacking escapes me) that do exactly what you're talking about.
    • Yes, it has been done.
      And some of the email harvesters have routines that try to detect fake email pages. But of course, if the fake page is not overdone, it might still fool them.

      Anyway, when making web pages, I like to make people's emails on the page a small .png file instead of text, with no mailto: link. This prevents these programs from picking it up. But people can't just click on your email adr. to send a mail.
      • Accessibility? (Score:2, Informative)

        by yerricde (125198)

        When making web pages, I like to make people's emails on the page a small .png file instead of text, with no mailto: link. This prevents these programs from picking it up.

        It also prevents blind people using a speech reader from picking it up, which may be a violation of your jurisdiction's disability code.

  • by e_n_d_o (150968) on Saturday February 09, 2002 @04:29PM (#2980193)
    This is probably old news, but it's just a thought.

    What if it were required by law that every company must track WHERE and WHEN they obtained any e-mail address that they send bulk messages to? If you requested to be removed from their list "recursively", the offending company would have to notify its provider. Each company would have to notify any company they bought the address from that you want your information kept PRIVATE. The recursive notification would only go UP the chain. I'd love it if they had to notify everyone they sold it to as well, but this might not be practical. Each provider would send you a message as they removed you from their list. Each company would have to keep your e-mail address on a black list for a period of time you specify (such as "until hell freezes over") and not send you further messages until that time elapses.

    You would have as evidence the date/time you were removed and would have grounds for damages in the event that someone repurchased your address from a provider or they didn't remove you.

    Until then, I'll just continue to give my email address out as myname_companyimgivingitto@mydomain.com
    So far, 99% of the spam is coming from myname_usenet@mydomain.com, which is about to be automatically filtered and deleted.
  • by Tabercil (158653)
    My dad was complaining bitterly about the volume of spam he was getting as a result of signing up to get an online greeting card (no, I don't remember which site), since he's on a dialup account with a fixed number of free hours each month. Downloading and deleting the spam effectively ate into his hours. A quick installation of Mailwasher [mailwasher.nett] (which serves to send messages back marked as undeliverable) served to quiet him afterwards, since he now feels like he's doing something to stop it.

    What I think I might want to check is to see if it can't also directly forward the original email to that ftc mail address...
  • by Em Ellel (523581) on Saturday February 09, 2002 @04:50PM (#2980258)
    A year or two ago I came to the conclusion that you cannot stop all the spammers using filters. You can use any filtering program you want, but either you're going to lose some e-mail or some spam will get through (or both). You can use fake e-mail addresses, but many sites nowadays check by sending you a confirmation e-mail that requires you to do something with information you get in the e-mail. But what you CAN do is control how they get your e-mail address in the first place.

    Here is my easy method to track the bastard that sold your address. All you need is your own domain and control over the e-mail server - as many of my fellow geeks do.

    Using my domain, I created an account for dealing with spam. I then created an alias which will put all e-mails without a specific mailbox into that account (for example, qmail/vmailmgr allows you to create a "+" alias as such a catch-all address).

    Now comes the fun part: every time I need to use my e-mail in public, I make up an e-mail address that makes it easy to figure out where I used it. To make sure I do not create a real mailbox with the same name, I use a specific prefix (like ns- for no spam) to make all of those e-mail addresses stand out (for example, when signing up for e-bay, I sign up with ns-ebay@mydomain.com). Now when that spam arrives I can find out which e-mail address it is destined to - and which place it came from.

    The last part of this comes after a while. Eventually some addresses start getting too much spam and you seem to end up where you started. No problem. I create a new alias that bounces or /dev/null's email coming into that account.

    If I find that I gave out an address to a trustworthy source, I can even create an alias to go to my main mailbox.

    Of course, if you go to a source that is guaranteed to leak your address to spammers, there's no point even bothering with all this - that's what the free webmail accounts are for ;-).

    The interesting part of all this is that, to my own surprise, I find that most sites are pretty good at keeping your privacy when you sign up. So far the biggest culprits were postings on USENET (well, duh!) and ebay - but the e-bay ones were all from mass mailings by people I bought from, and they were good at removing my address when asked to.

    Hope this helps.

    -Em
    • I create a new alias that bounces or /dev/null's email coming into that account.

      I've been doing this for a while (actually, I usually forward the spam back to the abuse address of the person who leaked the address), unfortunately, I've run into two problems:

      First of all, I have a somewhat popular domain name, and used to get lots of spam from people who lie about their email address and just put in blahblahblah@inbox.org. So to fix that I had to create a white-list rather than a black-list.

      The second problem is really a result of the fix to the first. I can't simply use ebay@inbox.org, etc, because that's too easy to guess (security through obscurity), so I have to make something up. Unfortunately, I can't really remember the made up names, and I don't always have access to inbox.org to set up the white list. So instead I have an MD5 scheme. Take the name of the site, a number (incremented whenever I want to change the email address), and a special "password". Put them together in a certain order, and MD5 it (http://pajhome.org.uk/crypt/md5/ is available on any computer with javascript). So for slashdot, my current email address is 4e9fd9f4624c02685096769364a81d95@inbox.org (which I have to change since I'm now getting spam every couple days to this address). I keep the numbers (and actually the usernames) in a list on a certain publicly accessible web page (javascript DES protected of course). So wherever I am as long as I have javascript access, I never forget the information I put in.

      I just figured out a new addition, though. Put the domain name and the number in the beginning of the email address. So this email address would be slashdot14e9fd9f4624c02685096769364a81d95@inbox.org (you don't need a separator since the MD5 is a fixed size?). The advantage is that I no longer have to have a white list in the first place, because the mail machine can simply check the full MD5.
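The separator-free site+number+MD5 address from this reply, with the server-side check it enables, alongside mikecarr's dummy-<md5(company)> aliases further up, as an added example (neither poster's code): the secret, site names and inbound recipients are constructed, inbox.org and foo.com are only the domains the two posts use, and the spam tally is the "metrics per dummy address" idea from mikecarr's post.

```python
import hashlib
import hmac
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

SECRET = "correct horse battery"           # constructed; the real one lives only on the server
HEAD_RE = re.compile(r"^([a-z]+)(\d+)$")   # site name in letters, then the counter digits
TAG_RE = re.compile(r"^[0-9a-f]{32}$")

def _tag(site: str, counter: int, secret: str) -> str:
    # MD5 over site, counter and secret, in a fixed order, as the post describes.
    # Today one would use hmac.new(secret, data, "sha256") in the same role.
    return hashlib.md5(f"{site}:{counter}:{secret}".encode()).hexdigest()

def dummy_alias(company: str, domain: str = "foo.com") -> str:
    """mikecarr's variant: fixed prefix plus MD5 of the company name. It defeats
    name guessing, but anyone who knows the scheme can recompute the alias."""
    return f"dummy-{hashlib.md5(company.encode()).hexdigest()}@{domain}"

def tagged_address(site: str, counter: int, secret: str = SECRET,
                   domain: str = "inbox.org") -> str:
    """site + counter + tag with no separator: the tag is always 32 hex chars,
    so the mail server can peel it off from the right."""
    if not HEAD_RE.match(f"{site}{counter}"):
        raise ValueError("site must be lower-case letters, counter a non-negative int")
    return f"{site}{counter}{_tag(site, counter, secret)}@{domain}"

def verify_address(address: str, secret: str = SECRET) -> Optional[Tuple[str, int]]:
    """Recompute the tag of an inbound recipient: (site, counter) on a match,
    None otherwise, so unmatched addresses can be bounced without a white list."""
    local = address.lower().partition("@")[0]
    head, tag = local[:-32], local[-32:]
    m = HEAD_RE.match(head)
    if not m or not TAG_RE.match(tag):
        return None
    site, counter = m.group(1), int(m.group(2))
    if not hmac.compare_digest(tag, _tag(site, counter, secret)):
        return None
    return site, counter

def spam_tally(recipients: Iterable[str], secret: str = SECRET) -> Counter:
    """Attribute inbound spam to the site each tagged address was handed to."""
    tally: Counter = Counter()
    for rcpt in recipients:
        parsed = verify_address(rcpt, secret)
        tally[parsed[0] if parsed else "<forged or guessed>"] += 1
    return tally
```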

    • by aiken_d (127097) <`brooks' `at' `tangentry.com'> on Saturday February 09, 2002 @05:58PM (#2980427) Homepage
      This is very, very simpleminded and outright wrong.

      I operate a service that collects emails for a private mailing list. I am the only one with access to the database. There is no web-based facility to harvest the addresses.

      Every now and then I get an 8 page rant from some joker using this method to "prove" that I gave their email address to spammers. It's always very self-righteous because they are so sure that this is the perfect way to figure out where spammers got their address.

      Well, I know firsthand that it simply is not. I have two theories:

      1) email scanning. I also operate a semi-public smtp server, and I have it set to log multiple "user does not exist" messages going to the same ip address. At least once a week, there are thousands; "a@x.com" then "b@x.com" and on up into "aacd@x.com".

      2) However, they probably aren't going to get longer addresses that way. What seems likely to me is that someone is sniffing traffic at public peering points, or on ISPs' networks themselves. It wouldn't be a bad way for some tech to make extra cash.

      But no matter what the real reason is, please don't assume that if you get spam to a made-up, one-time-use address, the person you originally gave that address to is at fault. I can assure you that that is simply not the case.

      Cheers
      -b
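The logging idea in point 1), turned into a receiver-side check as an added example (not the poster's setup): it counts "User unknown" rejections per client IP over constructed Postfix-style log lines (the hosts, IPs and the x.com domain are made up) and flags sources that reach a threshold inside a time window, noting when the tried names follow the a, b, c ... aacd enumeration pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Matches Postfix-style "unknown recipient" rejections of the shape used in
# the constructed SAMPLE_LOG below.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"550 5\.1\.1 <(?P<rcpt>[^>]+)>: .*User unknown"
)

def parse_rejects(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """(timestamp, client IP, recipient local part) for every unknown-user reject."""
    out = []
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year
            out.append((ts, m["ip"], m["rcpt"].split("@")[0].lower()))
    return out

def looks_enumerated(names: List[str]) -> bool:
    """The 'a, b, c ... aacd' pattern: short names tried in length-then-alphabetic order."""
    return (len(names) >= 3 and names == sorted(names, key=lambda s: (len(s), s))
            and all(len(n) <= 4 and n.isalnum() for n in names))

def find_enumerators(lines, threshold=5, window=timedelta(minutes=5)) -> Dict[str, dict]:
    """Flag client IPs that trigger >= threshold unknown-user rejects within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, name in parse_rejects(lines):
        by_ip[ip].append((ts, name))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):                      # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                names = [n for _, n in events[start:end + 1]]
                hits[ip] = {"rejects": len(events), "enumerated": looks_enumerated(names),
                            "sample": names[:4]}
                break
    return hits

def _reject_line(ts, host, ip, rcpt):
    # Constructed Postfix-style log line (hosts, IPs and x.com are made up).
    return (f"Feb 09 {ts} mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local "
            f"recipient table; from=<offer@example.net> to=<{rcpt}> proto=SMTP helo=<bulk>")

SAMPLE_LOG = [
    "Feb 09 14:02:10 mx postfix/smtpd[1234]: connect from unknown[203.0.113.7]",
    _reject_line("14:02:11", "unknown", "203.0.113.7", "a@x.com"),
    _reject_line("14:02:12", "unknown", "203.0.113.7", "b@x.com"),
    _reject_line("14:02:13", "unknown", "203.0.113.7", "c@x.com"),
    _reject_line("14:02:14", "unknown", "203.0.113.7", "aa@x.com"),
    _reject_line("14:02:15", "unknown", "203.0.113.7", "ab@x.com"),
    _reject_line("14:02:16", "unknown", "203.0.113.7", "ac@x.com"),
    _reject_line("14:05:00", "mail.example.net", "198.51.100.4", "jonh@x.com"),   # a typo
    _reject_line("14:31:45", "relay.example.org", "192.0.2.10", "salse@x.com"),   # another
]
```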
      • So, what you really want to do is put their company name followed by 10 quasi-random characters, and to write them down. That way they can't be guessed, it is sorta like a password.

        And one of my friends set up a funny system to counter spam. Check out the email link at the bottom of his site page, he used PHP to set it up with the person's IP address and time at the beginning of the url. Apparently he got some spam through this and found the spammers' IPs.
  • Filtering (Score:3, Informative)

    by HRbnjR (12398) <chris@hubick.com> on Saturday February 09, 2002 @04:58PM (#2980275) Homepage
    I use procmail to filter out email from anyone not in my address book to a different account. That way I can check the spam account once a day, and won't be bothered the rest of the time.

    I export the email addresses in my address book to a file which I FTP to my server. Here is the procmail recipe I use on the server:

    -------
    SHELL=/bin/sh

    # Reply address of the message: formail -r builds a reply header,
    # -z strips surrounding whitespace and -x extracts its To: field.
    FROM=`formail -rzxTo:`

    # Forward to the spam account unless the sender is at a trusted domain
    # or appears in the exported address book (emaillist.txt).
    :0
    * ! $FROM ?? .*myisp.com
    * ! $FROM ?? .*networksolutions.com
    * ! $FROM ?? .*otherimportantdomains
    * $ ! ? cat emaillist.txt | fgrep -iqs "$FROM"
    ! spam@account.com

    ----
  • Great Link (Score:2, Redundant)

    I followed the link to the story, and got an idiotic popup spam for some online casino.
  • Spammers (Score:2, Funny)

    by BelDion (109503)
    Am I the only one who wouldn't just want to 'talk' to a spammer? What I mean is that I have no interest in talking to one of those people, nor getting an insight into their "business" practices.

    Personally, if I ran into one, I'd knock em out.
  • A simple solution (Score:5, Informative)

    by Anonymous Coward on Saturday February 09, 2002 @05:26PM (#2980341)
    If you have your own domain name, simply use abuse@yourdomainnamehere.com as your primary e-mail address and you'll never be spammed. After 3 years I am still waiting for my first spam.
  • Once I got a spam from someone claiming to be my cousin Jimmy. He said that he had found a place that would host our web site for free. My plan was to find the sender and arrange a meeting and when it wasn't the real "Jimmy" to freak out and ask WHAT HAVE YOU DONE WITH JIMMY?!?!?! I sent "Jimmy" an email saying it was good to hear from him, and that I sometimes still felt guilty about what we did to that guy up at the lake (fiction). My message to Jimmy just bounced, which made me wonder what the heck the reason was for this spam. I was prepared to send them real $$$ just to have my little joke.
  • Solutions for ISPs (Score:2, Interesting)

    by dissy (172727)
    While most filtering programs and packages mentioned here are for the individual user, or one that has their own mail server, what would you suggest for ISPs to use?

    It's not possible to do the 'deny all, allow from a list' at the root level, as you have no idea what customers will want to allow.
    RBL helps some of course, but not much.

    Subject filters help a bit too, but only for words you know will be in spam, and sometimes it needs to be multiple words, which means a spammer can rearrange the subject and it will still get past.

    The ISP I work for has been in business for about 7 years now under the same domain name, and has been dictionary scanned/spammed, so even when adding a new account, chances are someone has been sending spam to that address for a long time before it existed.

    Blocking spam by the relay server used is not possible. I get over 500 spams a day to the normal administration addresses (staff hostmaster postmaster etc) and generally 475 of them are different servers. It would not be possible to filter them all, and even so the chances of the relay server being used a second time appears very low.

    Most of the 'server-wide' filter programs are designed to try and not block legit email.
    Unfortunately this means they block very little spam in the process.

    Would anyone know of any solutions we haven't thought of?
  • by Floyd Turbo (84609) on Saturday February 09, 2002 @05:39PM (#2980376) Journal
    There's a column in today's Washington Post [washingtonpost.com] on spam:

    I arrive at my office, uncap my coffee, unwrap my bagel, open my e-mail and face the first searing public policy question of the day: "Do you want to watch teens make their first porn video?"

    It's called "The Great American Spam Attack" [washingtonpost.com], by Ellen Goodman.
  • by nasalgoat (27281) on Saturday February 09, 2002 @05:52PM (#2980411) Homepage
    And the article is fairly accurate - we cut off affiliates who spam pretty quickly and block access to their reseller code.

    However, such programs generate incredible amounts of traffic - the money generated far exceeds the bad publicity and attention the occasionally poorly targeted email generates.

  • here's an idea (Score:3, Insightful)

    by cr@ckwhore (165454) on Saturday February 09, 2002 @07:50PM (#2980691) Homepage
    Let's take all of our spams on a daily basis and put 'em into a large database for analysis, and output cool statistics. Would Larry Ellison like to help with this one?

    Then perhaps the FTC/FBI could use the data as a tool for investigation in order to link patterns in the database to their respective spamlords.
  • spamgourmet [spamgourmet.com] is a good (open source) inline disposable email address filter that does *not* require you to set up each address specifically on the site -- instead, you simply remember the syntactic rule for disposables and make them up when you need them. You can then track how spammers got your address, or simply let the disposables get used up and not worry about it.

    The idea is to set you free to surf/sign up at will and make it easier to not get spam than it is to get spam.

  • We had a problem: we allowed people to send you an sms email to your phone at phonenumber@company.com. Normal service, people wanted to get emailed alerts for stocks, messages from the wife/gf etc. To fight spam we put up a message queue that checks to see if the sender is sending over 10 emails to different accounts. It filters out most spam. We did have to tweak settings for people who do dispatch services to employees.

    The other method we did: we added a random 5 digit number to a person's phone number. So if your phone number was 2025551212 it would be 2025551212-01234. This blocked all brute force spam techniques. The customer knew what their subscriber id was, and it was safe from prying eyes.

    I'm tired of spam; using the same email address for over 6 years, my daily spam count is over 100. Spam and tele-marketers are the worst.

    -
    The worst thing about Europe is that you can't go out in the middle of the night and get a Slurpee. - Tellis Frank
  • Report that spam! (Score:4, Insightful)

    by Parsec (1702) on Saturday February 09, 2002 @08:47PM (#2980859) Homepage Journal

    The least you can do is cost the spammer their account. Depending on the spam's contents I...

    Traceroute the last reliable IP of the sending email address. Know your mail gateways and take the IP address it received the mail from, traceroute it and report to abuse@[someisp].[ext]. If it seems unreputable, cc their ISP.

    Visit the web page. Do it. This is to find out if there's a redirect in place. http://[somefreewebhost].com/[directory] redirects to http://[scumballspammer].com/ . Traceroute and report the site it redirected you to to the appropriate ISP. The least it will do is annoy the sysadmin, and we know how sysadmins can be [theregister.co.uk]. Best case is they lose their site, any money put toward it, and pay a penalty fee.

    If the web page sends you somewhere to order, visit it, traceroute it, and report. (Same reasons as above.)

    In the case of javascript encoded html, it's easy to rewrite. Look for the document.write( xxx ); statement and change it to document.write( "<form><textarea>" + xxx + "</textarea>" ); . Repeat as necessary. Follow steps above.

  • by Dominic_Mazzoni (125164) on Saturday February 09, 2002 @10:22PM (#2981067) Homepage
    Normally, spammers use bogus return addresses, right?

    So how about this: every time my computer receives an email, it initiates a connection to the sender and tries to send a reply message. If the sender's server accepts the email address, close the connection (i.e. cancel the message before it's finished). If the server rejects the email address, you know the return address is invalid, so you can throw away the message (or filter it into a different box).

    Of course, spammers might start to make the return addresses random (but valid) return addresses at yahoo, etc. - but that will just get Yahoo very, very mad, and they'll track down and sue the spammers.

    Probably never gonna happen, but I've never heard that particular idea before...

    • So how about this: every time my computer receives an email, it initiates a connection to the sender and tries to send a reply message.

      And what happens if you are receiving an email from someone who has the same rules applied to their server?

      Have a look at "man hosts.allow" and read the section under "booby traps" referring to infinite finger loops

      Of course, spammers might start to make the return addresses random (but valid) return addresses at yahoo, etc.

      You mean like spammers do already?

      What about the following? This assumes that only yahoo.com sends out addresses with yahoo.com as the _envelope_ address (as opposed to having yahoo.com in the from/sender fields, which anyone should be able to do to set return addresses; in the latter case the envelope address should be your ISP address).
      ...Welcome to server.isp.com. This mail service is brought to you today by the random number "rand_num" and the letter Q. 1) HELO Yahoo.com (date) (date-key+rand)
      2) MAIL FROM: (user@yahoo.com)
      (check_mail rule:
      a)is date correct?
      b)do we have yahoo.com's current (not expired) public mailkey?
      b-1) No? query dns record type "MK" for yahoo.com)
      c) Does record MK exist?
      c-1) Yes. Is f(date-key, "yahoo.com", date, rand_num) = key?
      c-1-1) yes? - accept.
      c-1-2) No - reject.
      c-2) Domain not verified, accept for backward compatibility (current situation)

      I think the above could be useful, as most solutions I've seen rely on the network effect of everyone switching over, and getting people to reject all non-verified addresses. However, the above would allow even one ISP to change over (by adding a DNS record) to say, "we've changed over; if you get unverified email "from" us, it's not - reject it." Result? Zero forged emails from the ISP, ISP rep goes up. Other ISPs get interested. Keys can be expired periodically where "key expiry time" < "time to crack key".

      Comments? Is this currently possible with esmtp?
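The check_mail rule sketched above, worked through end to end as an added example (not the poster's code and not an existing ESMTP extension): a dict stands in for the DNS "MK" record, f() is textbook RSA over SHA-256 so the block needs only the standard library (a real deployment would use a padded signature scheme from a vetted library), and yahoo.com and isp.com are kept only as the post's own placeholders.

```python
import hashlib
import random
from datetime import date, timedelta

# f(): textbook RSA over SHA-256, stdlib only. Enough to show the protocol flow.
def _probable_prime(n, rng, rounds=20):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                    # Miller-Rabin witnesses
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keypair(rng, bits=512):                # returns ((n, e), (n, d)); seeded rng => reproducible
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rng):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                 # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(domain, day, rand):
    msg = f"{domain}|{day.isoformat()}|{rand}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(priv, domain, day, rand):             # sender: date-key = f(domain, date, rand)
    return pow(_digest(domain, day, rand), priv[1], priv[0])
def verify(pub, domain, day, rand, date_key):  # receiver: check against the MK public key
    return pow(date_key, pub[1], pub[0]) == _digest(domain, day, rand)

def helo_payload(domain, priv, day, rng):      # what "HELO domain (date) (date-key+rand)" carries
    rand = rng.getrandbits(64)
    return {"helo": domain, "date": day, "rand": rand,
            "date_key": sign(priv, domain, day, rand)}

class Receiver:                                # check_mail steps a) .. c-2) with an expiring MK cache
    def __init__(self, dns, today):
        self.dns, self.today, self.cache = dns, today, {}

    def _mailkey(self, domain):
        rec = self.cache.get(domain)
        if rec is None or rec["expires"] < self.today:   # b), b-1): (re-)query DNS "MK"
            rec = self.dns.get(domain)                    # dict stands in for DNS
            if rec is not None:
                self.cache[domain] = rec
        return rec

    def check_mail(self, payload, envelope_from):
        domain = envelope_from.rsplit("@", 1)[-1].lower()  # the _envelope_ domain is keyed
        if abs((payload["date"] - self.today).days) > 1:    # a) is the date correct?
            return "reject: stale date"
        rec = self._mailkey(domain)
        if rec is None:                                     # c-2) no MK record published
            return "accept: unverified (backward compatibility)"
        if verify(rec["key"], domain, payload["date"], payload["rand"], payload["date_key"]):
            return "accept: verified"                       # c-1-1)
        return "reject: bad key"                            # c-1-2)

def demo(seed=1):
    """Constructed scenario: yahoo.com publishes an MK record, isp.com does not."""
    rng, today = random.Random(seed), date(2002, 2, 9)
    pub, priv = rsa_keypair(rng)
    rx = Receiver({"yahoo.com": {"key": pub, "expires": today + timedelta(days=30)}}, today)
    good = helo_payload("yahoo.com", priv, today, rng)
    forged = dict(good, date_key=rng.getrandbits(512))       # spammer lacks the private key
    stale = helo_payload("yahoo.com", priv, today - timedelta(days=10), rng)
    return {"legit": rx.check_mail(good, "user@yahoo.com"),
            "forged": rx.check_mail(forged, "user@yahoo.com"),
            "stale": rx.check_mail(stale, "user@yahoo.com"),
            "no_record": rx.check_mail(forged, "user@isp.com")}
```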

  • by Ilgaz (86384) on Sunday February 10, 2002 @03:24AM (#2981581) Homepage
    Notice the Hotmail account guys who were tricked by the MSN Messenger setup talking about "We never gave our mails, not even using it, but when we checked not to get it suspended, we figured there are 100 spams!"?

    A guy/gal using Hotmail gets heavily advertised to use and install MSN Messenger and some do it just to have an online mail checker for Hotmail.

    Now the freaky part begins... http://news.com.com/2100-1001-833154.html

    Yes... With not-so-advanced 133t jscript tactics, they can harvest your mail AND the mails of others unless they use a nickname. I don't see any reason why 90% of people would change their known Hotmail addresses to nicknames.

    More interestingly CNET reporter tries to say (I congratulated him for breaking that story btw) "It is not so serious". YES it is serious!

    For months I was telling my friends I am not using MSN Messenger because I believe spammers/harvesters found a way to get my MSN signon name and are spamming me. They called me paranoid, anti-MS, but in recent days they admitted "We don't know how either, but there must be a way and we are getting spams".

    Can anyone tell me how that glitch isn't serious?
  • by Moderation abuser (184013) on Sunday February 10, 2002 @08:24AM (#2981866)
    http://www.yelm.freeserve.co.uk/spamido/
