Spam

Spammers Using Students as Relays

Posted by CmdrTaco
from the i've-seen-this-before dept.
Zendar writes "idg has an article about how students at the 151-year-old Tufts University were paid as little as $20/month to relay spam from computers in their dorms. Interestingly enough, the students approached the spammers about this scheme and not vice-versa."
  • Dangerous (Score:5, Funny)

    by snitty (308387) on Tuesday February 25, 2003 @12:15PM (#5379190) Homepage
    It seems that being medical test subjects would be less likely to get them killed.
  • by ifreakshow (613584) on Tuesday February 25, 2003 @12:15PM (#5379200)
    What happened to the good old days when college students sold blood, sperm or surfed the web to earn beer money!
    • by Pxtl (151020) on Tuesday February 25, 2003 @12:20PM (#5379242) Homepage
      Or got jobs as telemarketers (hell, most universities even run extensive official telemarketing systems to harass alumni for donations). If you're willing to telemarket, I don't see why you wouldn't be willing to spam. Sure it's less money, but it's also less work.
      • And I thought my job working for Vector Marketing, selling Cutco knives was unethical (network marketing... ugh)

        • Flashbacks (Score:5, Funny)

          by fizbin (2046) <martinNO@SPAMsnowplow.org> on Tuesday February 25, 2003 @12:48PM (#5379507) Homepage
          Cutco....

          Must... sell... knives...

          The whole experience still makes me shudder.
          • Re:Flashbacks (Score:3, Informative)

            by dubiousmike (558126)
            you and EVERY SINGLE OTHER PERSON I have ever spoken to that either sold them or made it through the first day of "orientation".

            Though one could make a little money on it, it still smacked of a scam. What salesperson in their right mind would pay $500 to get started to sell anything door to door AND have to generate your OWN LEADS!!!

            utterly ridiculous.

            • Re:Flashbacks (Score:4, Interesting)

              by SomeoneGotMyNick (200685) on Tuesday February 25, 2003 @02:12PM (#5380225) Journal
              I agree..... I used to sell them also....

              However, I didn't have to spend any more than $150 to get started (I must have had a benevolent leader).

              It didn't take me long to quit. I still don't care for their marketing practices. However, the products are great (more than I can say about Amway's product line). I still have mine 12 years since I got them. They're still as sharp and shiny as ever. I even have an inherited set that's over 20 years old. They're in great shape also.

              I'm going to risk sounding like a hypocrite. I say if you never bought Cutco knives, and someone approaches you to buy them, give them a try. Money worth spending. However, don't jump at the first offer. Make it a hard sell for them and get the maximum discount you can. Even offer a single amount, take it or leave it, just slightly below their final offer. You'll get a good set of knives, but at the same time you'll effectively discourage the wayward soul from continuing on that dastardly path. You'd be doing them a favor. There's plenty of youth around for Vector Marketing to continue the practice, just don't allow someone to get stuck in it.
              • Re:Flashbacks (Score:3, Interesting)

                by dubiousmike (558126)
                My mom sold them. My mother-in-law gave us a few "extra" ones she had lying around.

                They are great knives and I have no complaints whatsoever about their quality. If I had the money, I might even buy some myself.

                But their tactics, not only for marketing, but especially recruiting is what p1ssed me off to no end. As a teen looking for a job, I called an ad for $15 an hour. They would not tell me what the job was. Perhaps this is a necessary tactic on their part as I NEVER would have bothered to waste my day to go to their seminar.

                I likely would buy a couple of knives, but only when one of my friends or relatives corners me into buying them or risk bad feelings between us. Frankly, there are other high-end-ish knives out there that don't rely upon sales and lead generation by guilt.

                :P

          • Nice, thanks for the flashback. I sold Cutco knives for a couple months back in college. Made back what I paid to enter and a bit more but delivering pizzas was better pay (and steadier).

            I still have my knives, and they still work great decades later (man I'm old).

          • Are they the ones who sell the "world's best knives"?

            A friend in college asked me if I'd heard of the world's best knives. I told him no, but I owned the world's cheapest knives, so if they ever broke or went dull, it would cost me nothing to replace them.
    • by gosand (234100) on Tuesday February 25, 2003 @01:15PM (#5379737)
      What happened to the good old days when college students sold blood, sperm or surfed the web to earn beer money!

      You know you are old when:

      You had to work a real job to get money in college

      People refer to the "good old days" and in your mind it was yesterday

      There was no World Wide Web when you were in college (unless you count FTP, BBSs, and Gopher sites)

      Your final paper in Computer Hardware Design was on the Pentium processor, and you could only find three sources because it wasn't due to be released for another 6 months.

      You post on Slashdot recounting how old you are, hoping someone will think you are cool

  • by petronivs (633683) on Tuesday February 25, 2003 @12:16PM (#5379206) Journal
    I thought college students made all the coin they could ever need with those webcams.
  • by Anonymous Coward
    And time to waste... and fewer inhibitions (amazing how college does that!)... so it's pretty easy to understand and believe. Oh well, most schools would yank your access for the rest of your time there. Not really worth $20/mo to me.
  • 20 Bucks? (Score:2, Funny)

    by MisterMook (634297)
    Man, I can imagine doing something like this in a dorm but for only 20 bucks? You'd think that it would at least be worth TWO large pizzas a month...
  • by monkey_tennis (649997) on Tuesday February 25, 2003 @12:17PM (#5379215)

    Interesting that they tracked the individuals down using MAC addresses for computers in their dorms...

    I've never heard of any other Uni having the foresight to record this and it seems like a valid piece of info to have to include in any registration document (as per cable modem setup)

    • No, they probably don't keep track of the MACs students are using, but it is relatively trivial to ask a managed hub or switch which MACs are on which port, ergo, which room the offender occupies.
      • by garcia (6573) on Tuesday February 25, 2003 @12:33PM (#5379391) Homepage
        At BGSU they started doing registration for the DHCP server via MAC in 1999 or 2000. When you started up after connecting your computer to the ethernet jack you would get a registration page. You would enter your student ID and your email login/passwd. Your MAC was recorded and a hostname that included your email id was given along w/a static IP. If you logged on from another port on campus it would show as a "roam" address but it still knew you were authenticated so it still knew your MAC.

        If you wanted to register another computer you would either have to use someone else's student ID + login/passwd or call up the people for help.

        A side note, they were less than familiar about doing it w/alternative OSs that did not automatically bring up the registration page. You either had to use Windows to do it or have them do it manually. I used Windows ;)
      • Harvard requires you to register your MAC address.
    • My university (U of Guelph) attempts to record the MAC address, but their registration program that you must use when you first log on is buggy as hell and often easier to circumvent than to actually use. So I'm not sure how many MAC addresses they actually record.
    • by Frater 219 (1455) on Tuesday February 25, 2003 @12:25PM (#5379311) Journal
      Interesting that they tracked the individuals down using MAC addresses for computers in their dorms...

      I've never heard of any other Uni having the foresight to record this and it seems like a valid piece of info to have to include in any registration document (as per cable modem setup)

      You don't even need to copy it down at sign-up time ... just take it out of the DHCP server logs, or the ARP tables on the building router, then look for the MAC address on a switch port in the hall switch. Provided you know your wiring -- and know what switch port goes to what dorm room -- you just narrowed your problem down to the spammer and his roommate.

      (Why yes, I did used to be a sysadmin at a college with a bandwidth hogs problem.)
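
The lookup chain described in the comment above (source IP, then DHCP log, then switch port, then room), as an added Python example that is not part of the original thread. The log layout, switch and port names, addresses, lease length and wiring map are all constructed assumptions; the point is that the IP-to-MAC step has to be time-aware and that uplink ports must be excluded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Everything below is constructed sample data, not taken from the thread.
# DHCP server log: timestamp, event, IP, client MAC.
DHCP_LOG = """\
2003-02-20T08:00:00 ACK 10.20.4.17 00:A0:C9:11:22:33
2003-02-20T20:00:00 RELEASE 10.20.4.17 00:A0:C9:11:22:33
2003-02-21T09:30:00 ACK 10.20.4.17 00:50:04:AA:BB:CC
2003-02-21T09:45:00 ACK 10.20.4.18 00:A0:C9:11:22:33
"""
# MAC tables pulled from the switches near the incident time: switch, port, MAC.
MAC_TABLE = """\
core-sw Gi0/24 00:50:04:aa:bb:cc
core-sw Gi0/24 00:a0:c9:11:22:33
hall-sw1 Fa0/7 00:50:04:aa:bb:cc
hall-sw1 Fa0/9 00:a0:c9:11:22:33
"""
UPLINKS = {("core-sw", "Gi0/24")}             # sees every MAC behind the hall switch
WIRING = {("hall-sw1", "Fa0/7"): "Room 214"}  # Fa0/9 is deliberately undocumented
LEASE_TIME = timedelta(hours=24)              # assumed lease length


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


def parse_leases(log, lease_time=LEASE_TIME):
    """Rebuild lease intervals so an IP maps to the MAC that held it at that time."""
    leases, open_by_ip = [], {}
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        stamp, event, ip, mac = fields
        when, mac = datetime.fromisoformat(stamp), mac.lower()
        lease = open_by_ip.get(ip)
        if event == "ACK":
            if lease and lease.mac == mac and when <= lease.end:
                lease.end = when + lease_time  # renewal by the same client
                continue
            if lease:
                lease.end = min(lease.end, when)  # address handed to a new client
            open_by_ip[ip] = Lease(ip, mac, when, when + lease_time)
            leases.append(open_by_ip[ip])
        elif event == "RELEASE" and lease and lease.mac == mac:
            lease.end = min(lease.end, when)
            del open_by_ip[ip]
    return leases


def mac_for_ip(leases, ip, when):
    """Return the MAC holding `ip` at `when`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.mac
    return None


def access_ports(mac_table, mac, uplinks):
    """Ports where the MAC was learned, ignoring uplink/trunk ports."""
    ports = []
    for line in mac_table.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2].lower() == mac:
            port = (fields[0], fields[1])
            if port not in uplinks:
                ports.append(port)
    return ports


def locate(ip, when_iso):
    """Trace an IP seen at a given time to a switch port and, if documented, a room."""
    when = datetime.fromisoformat(when_iso)
    result = {"mac": None, "port": None, "room": None, "note": "ok"}
    result["mac"] = mac_for_ip(parse_leases(DHCP_LOG), ip, when)
    if result["mac"] is None:
        result["note"] = "no lease covers that time"
        return result
    ports = access_ports(MAC_TABLE, result["mac"], UPLINKS)
    if len(ports) != 1:
        result["note"] = "MAC seen on %d access ports" % len(ports)
        return result
    result["port"] = ports[0]
    result["room"] = WIRING.get(ports[0])
    if result["room"] is None:
        result["note"] = "port missing from wiring map"
    return result


if __name__ == "__main__":
    for ip, when in [("10.20.4.17", "2003-02-21T10:00:00"),
                     ("10.20.4.17", "2003-02-20T12:00:00"),
                     ("10.20.4.17", "2003-02-21T02:00:00")]:
        print(ip, when, locate(ip, when))
```

The same IP resolves to two different machines a day apart, which is why the complaint timestamp matters as much as the address.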

      • by garcia (6573) on Tuesday February 25, 2003 @12:37PM (#5379416) Homepage
        I was compromised at one point in time my freshman year and had a smurf attack originate from my machine. They were able to track it down in under 2 hours to my specific port. They shut me down immediately. I had to contact the head of IT directly for reinstatement.

        Although it was pretty obvious who was using the most bandwidth even w/a tool like iptraf.
      • Or, if you were a sys-admin at the overly-anal college I go to, you would require the MAC address at signup time, which would then be tied to an individual port in an individual room. Using an unregistered MAC would cause the port to immediately deactivate. So once you have the MAC, you wouldn't just have the room - you'd have the individual student and could immediately deactivate just their port.

        This is quite annoying to students who find out the "MAC tied to port" bit by accidentally misplugging their computers into the wrong side-by-side ports after rearranging their desks. Fortunately, it was a triple, and my desk stayed where it was. Heheh.

    • by JackAsh (80274) on Tuesday February 25, 2003 @12:33PM (#5379387)
      Actually, I was a student at Tufts at the time they implemented the student network. At the time, ACS (Academic Computing Services) did require students to register MAC addresses, and I think I recall them assigning static IPs via DHCP or BOOTP (This was back in 95, DHCP was not very popular yet). You could let the network take care of everything for you, or you could enter it manually if you knew what you were doing...

      I really don't remember if they used managed hubs/switches, but I recall it was a fairly trivial exercise to figure out where people were in a dorm by counting the IPs assigned (they had some pattern).

      -Jack Ash
      (Miguel if anyone else from Tufts is reading)
    • Here [cmu.edu] MAC addresses must be entered as part of registering a computer for access to the network - each registration consists of a user's login/pass, their location on the network, the computer's name, and the MAC address. Makes things fairly straightforward when they need to track something down, or assign blame or whatnot.
    • by Kourino (206616)
      The University of Minnesota also does this; you have to register MAC addresses under your X.500 account, and you're given up to 6. (That's just about all I need ... NICs in three computers, LAN connection on my Linksys, and 802.11b card in my laptop.)

      The DHCP servers only give out IPs to MAC addresses that are registered thus. Also, you have to authenticate with your X.500 account to get an IP from the campus wireless service. This seems so obvious to me I'm surprised more people don't do it ^^;

      (Also, for those who read the article, the guy from UofM that says that "we don't allow clients to act as servers" ... this basically means they block port 80 incoming traffic. Nothing more. Although the service agreement for res hall networking does say that you're not allowed to serve stuff.)
    • Unless you're just stringing together some LinkSys hubs, most management software has this ability.

      I can go to a console, type an IP or MAC and be shown exactly what switch and port on campus that is coming from. Pull up the map for that switch and see where that port physically terminates.

      Had someone with a rogue DHCP server years ago causing trouble. Right after the class let out, we were able to go into the room and descend upon him. Pretty much freaked him out. Turns out he downloaded something that he didn't know what all it did (was kinda a windows based router for a home network).
  • plight (Score:5, Interesting)

    by Joe the Lesser (533425) on Tuesday February 25, 2003 @12:17PM (#5379218) Homepage Journal
    An interesting look at one of the things students will lower themselves to do to pay for their $80 calculus book.
    • $80? What school are you at? My textbooks start at $100, unless it's a course that requires more than one textbook when they're usually a little cheaper, but still gouging.
  • Restricting SMTP (Score:5, Insightful)

    by wowbagger (69688) on Tuesday February 25, 2003 @12:19PM (#5379234) Homepage Journal
    Unfortunately, this is the sort of thing that makes sysadmins block all outbound SMTP from anything that isn't registered as a mail server, or at a minimum redirect all such access to their mail server.

    Gripe about it all you want, but had the uni been forcing all outbound SMTP traffic through their mail server, they would have seen this a great deal sooner.

    As for a fitting punishment - if these students live in the dorm, they probably eat at the dorm cafeteria. Tell the cafeteria to only serve them SPAM.
    • Man, I hope my ISP doesn't do that. We run our own mailserver because theirs is limited to a single account (extra accounts are $$$ a month and two of us use the connection). Worse, their mailserver goes down ALL the time, which makes it extremely annoying to stay on mailing lists as most lists will autokick you if your mail bounces. Plus they have no spam blocking like we do on our mail server. If only they weren't a local monopoly...
  • Shocking, I say. (Score:3, Insightful)

    by Skyshadow (508) on Tuesday February 25, 2003 @12:19PM (#5379235) Homepage
    Look, in college I sold my fucking *blood* for a few dollars. Why should it be surprising that students would sell bandwidth?

    IMO, colleges should get out of the general IT business altogether and contract these services out. They already contract out other things, like food service, landscaping, maintenance, etc. Some departments (CS, etc) obviously may need their own networks, but otherwise it's just a hugely wasteful money pit. Hell, at my university, they spent so much money on useless IT projects that it just boggled the mind -- a lot of the trouble was that they employed fresh grads who would pick up a couple years' experience then skate, so there wasn't enough adult supervision...

    Anyhow, back on track: Colleges should concentrate on education and offload these other problems to professionals.

    • Re:Shocking, I say. (Score:5, Informative)

      by sirinek (41507) on Tuesday February 25, 2003 @12:24PM (#5379291) Homepage Journal
      Settle down, bud.

      Colleges do a lot of experimental things because of the large variety of departments with their unique needs. I do not think they should contract out anything, contractors are expensive. Talk about a money pit!

      I personally think a university's money would be better spent with a dedicated staff that knows what a university needs and use student labor when they can. It works well. If your university IT department was run poorly, well, that could (and does) happen in any kind of environment, not just academia and won't get fixed by hiring contractors.

      siri
      • I don't think he's arguing for hiring a bunch of contractors, but rather for outsourcing the function entirely. A number of the big banks have done this, for example. JP Morgan just signed a multi-billion dollar deal with IBM to have IBM run _all_ their IT functions, from server admin to networking to helpdesk. Most of the JPM IT folks will become IBM employees, some will go. JPM just decided that they're a bank, not a computer company, and they'd rather leave these things to a computer company.
      • Re:Shocking, I say. (Score:5, Interesting)

        by cjsnell (5825) on Tuesday February 25, 2003 @01:06PM (#5379641) Journal

        Interesting idea.

        When I was a student at Vanderbilt University [vanderbilt.edu] back in 1995-1996, we had a student-run IT department. It was a very novel thing back then, dreamed up by a former student who worked for the school. What they did was give responsibility for some services (Web, mail, FTP, and some development) to student-run teams. These teams implemented these services on Solaris and Linux hosts and were responsible for their maintenance. I believe we were paid as work study employees but the wages were much better than what you could earn elsewhere on campus. I think I made around $9-10/hour.

        What was really amazing is how they found around 12 *nix-savvy students in 1996 at a school mostly known for its liberal arts and pre-med curriculum. Somehow, they did. It spread by word-of-mouth and we all just drifted in. It was the ultimate student job.

        Chris
    • by PlanetJIM (212710) on Tuesday February 25, 2003 @12:34PM (#5379396) Homepage
      Look, in college I sold my fucking *blood* for a few dollars. Why should it be surprising that students would sell bandwidth?

      The difference, of course, is that you actually owned your blood in college. These students are selling something that they're permitted to use in the hopes that it will make them better and more successful students. It's a vulgar abuse of access, and don't gimme that "I pay X*10^y dollars a year to go to school here" crap. If those kids had to pay for the actual bandwidth they consume they'd be paying a fair chunk of that without all those education value-adds.

      What I don't understand is why colleges don't make use policies part of housing contracts (most consider and bill bandwidth as a utility like electricity). Do something stupid or commit some vulgar abuse like this and you're out fending for yourself off-campus. Pay your own damn cable bill...

    • Colleges should concentrate on education and offload these other problems to professionals

      I say 'No', and for two reasons. The first being that colleges already offload enough services to paid contractors....food, books, lawncare, building upkeep, etc. Anytime you involve a contractor, you raise the amount it costs which is passed on to taxpayers if it's a public university, or the students if it isn't. Unnecessary charges.

      Second, I dated a girl at Tufts and know they have a decent sized CS/CpE program. Something like this is perfect to give jobs to students at the campus to a) give them a job, b) give them some experience. I won't even go into 'connecting them with their fellow students', that's a crap reason, but a & b are good enough on their own. There's no reason to hire expensive sysadmins when students are HAPPY to work on things like this and they're cheap. At Virginia Tech, we had a couple (remember...Tech is mucho larger than Tufts) chief sysadmins in charge of different colleges and areas, but the rest was student run. Very convenient, the students are many times smarter than the sysadmins.

      --trb
    • Christ I hope not (Score:5, Insightful)

      by siskbc (598067) on Tuesday February 25, 2003 @12:45PM (#5379487) Homepage
      IMO, colleges should get out of the general IT business altogether and contract these services out. They already contract out other things, like food service, landscaping, maintenance, etc

      That would be wonderful. Then they could have the network equivalent of the crappy food they serve at the cafeteria. Aaargh.

      Also, you mention that the problem is that they only employ recent grads. That's true - but often these kids work at a "hometown discount" while they wait for their gf to graduate or whatever. The college could never afford people as good as their own grads, generally, if they had to pay them what they were worth. If they have to outsource, the cost will skyrocket - or the service will tank. Admittedly, a few adults wouldn't hurt, but the kids usually do a pretty good job. Hell, at our school the permanent hires were paid so little only the braindead took the job. You prayed you got an ex-student to solve your problem if you had one.

    • Re:Shocking, I say. (Score:3, Informative)

      by kiolbasa (122675)

      You do realize that a lot of university networks have been around longer than most ISPs? Universities are where a lot of the early internet research happened. Also, I'd say it is more cost effective to manage the network in-house for a few reasons:

      Those networks are so big they require full time support anyway. Might as well do your own hiring. It's no different than a huge corporation having its own huge IT division. Also, students studying IT are great for cheap labor to handle networking grunt work (first tier tech support, go patch this port to that, etc.). The school's IT degree program (if it has one) and a real-world network are mutually beneficial to each other.

  • by billmaly (212308) <[ten.asudoelcm] [ta] [ylam.llib]> on Tuesday February 25, 2003 @12:19PM (#5379236)
    $20 a month was serious money. That's one week of clean laundry and GOOD pizza on Sunday night (and not the cheap stuff). Back then, $20 a month would have bought a lot of personal ethics. Can't say as I blame them.
  • by SirSlud (67381) on Tuesday February 25, 2003 @12:20PM (#5379247) Homepage
    This is like the computer nerd equivalent to "College Girls Gone Wild". Anything for a buck.

    Except instead of making me want to spank myself, I want to spank them.
  • by www.sorehands.com (142825) on Tuesday February 25, 2003 @12:20PM (#5379248) Homepage
    Let's see, a kid sets up a computer to steal on the college network. If the student hacked into the dean's computer to get porn, it would be all over the news, the kid would be arrested.

    The kid should be charged the same as the person who put the distributed decryption software, that was all over the news, and expelled.

  • by FunWithHeadlines (644929) on Tuesday February 25, 2003 @12:21PM (#5379251) Homepage
    It sure doesn't take much to compromise a person's self-respect or integrity. $20/month in exchange for contributing to a problem that everyone hates, and knowing full well that everyone hates it? They sold out cheap.

    It's sort of like the trend for journalist majors to wind up in PR jobs for corporations doing nasty things. The lure of extra money covers over any hesitation they might have in moving from a supposedly neutral position to one that shills for money.

    But $20/month? Man, that's some cheap principles. How about we pay them $21/month to turn against the spammers?
    ---------

  • by Gortbusters.org (637314) on Tuesday February 25, 2003 @12:21PM (#5379258) Homepage Journal
    has always been a popular fad. Remember those programs you could install and you would get a 10th of a penny for every website you clicked and it had a banner-system (I believe)? Everyone thought they would make hundreds of dollars a month with that. I wish I could remember the name. People love getting money for doing their normal tasks, i.e. using the computer. If relaying spam could be done with little or no active participation by a computer user, who [average computer user] wouldn't turn down 20 bucks?
  • by mjpaci (33725) on Tuesday February 25, 2003 @12:21PM (#5379262) Homepage Journal
    What does it matter that Tufts is 151 years old? Would this be different if it were 310-year-old College of William and Mary in Virginia or 210-year-old Williams College in Williamstown, MA?

    --Mike
  • Dear Mr. Spammer, I wouldn't mind to relay your
    spam at all! In fact, I would do it with a full
    satisfaction of doing a valuable service to the
    community! Please, pretty please, pick (and pay)
    me to be your relay!

    WBR / lastberserker

    .
    .
    .

    [...of course I won't detail on _where_ I would
    relay your spam, but what's the matter - no one
    would miss it anyways...]
  • by brejc8 (223089) on Tuesday February 25, 2003 @12:23PM (#5379279) Homepage Journal
    I have been getting spam addressed to [my_unix_username]@[my_machinename].cs.man.ac.uk
    My machine passes the mail to me but I have no idea how the people got this address.
    The only way I can think of is if someone used finger @ on the machines in the department and then stuck the username with the machinename.
    As far as I am aware the finger@ is blocked to people outside the department so I am starting to suspect that some students are behind this.
    Especially as the spam is for local companies.

    • Same happened to me, my .cs.man.ac.uk started receiving spam during last semester. Struck me as very strange because my uni address doesn't get used anywhere (well, nowhere that I don't trust).

      The irony of receiving "Get your diploma now..." spam on my university mail account...

    • by igaborf (69869) on Tuesday February 25, 2003 @12:59PM (#5379584)
      That's one possibility. Another is that someone just built a spam list by Googling the domain man.ac.uk:

      http://www.google.com/search?q=cb%40cs.man.ac.uk

      Moral: Put your email address ANYWHERE on the 'Net and you'll get spam.
    • "I have been getting spam addressed to [my_unix_username]@[my_machinename].cs.man.ac.uk"

      Do you have ident running? Could a website you connected to have used ident to get your username and then prepended it to the reverse lookup of your IP?

  • Should just kill those kids' connections, or charge them $50 a month for the "privilege" of being a spammer--then this whole problem goes away. Mind you, the network and its resources are the University's, and not the students'.
  • by grub (11606)

    !!! MAKE MONEY FAST !!!

    Earn as much as $20.00 a month sending out unsolicited email!
  • by callipygian-showsyst (631222) on Tuesday February 25, 2003 @12:26PM (#5379316) Homepage
    ...if they put a video cam in their dorm room. They sold out cheap!
  • The practice isn't so much a bandwidth hog as it is an image problem for universities, she says.

    The "image problem" will be when their domain/IP range becomes listed in the main RBLs.

    It will be fun if it is discovered who the students that did that are; then the "Revenge of the Nerds" movie will have a new version.
  • by arvindn (542080)
    ... how students at the 151-year-old Tufts University were paid as little as $20/month to relay spam from computers in their dorms.

    Until I read the article I was under the impression it was an article complaining that the students were not getting a fair enough price for spamming ;^)

  • by greenhide (597777) <jordanslashdot&cvilleweekly,com> on Tuesday February 25, 2003 @12:26PM (#5379325)
    I didn't understand the article at all. Then I saw the helpful graphic at the bottom of the article. It clearly showed just how the process worked! Without that picture, I would have been in the dark.
    • I was thinking the same thing. That diagram does nothing but rehash a condensed version of the article with cute figures. It does nothing to enhance one's understanding of the subject matter (which isn't really that difficult to grasp anyways).
  • Follow the money? (Score:5, Interesting)

    by mjh (57755) <mark.hornclan@com> on Tuesday February 25, 2003 @12:27PM (#5379327) Homepage Journal
    The article mentions that they can't track the original spammers, that all the further that they can get is to the students' computers. If they really want to track the spammers can't they track the money?

    Which makes me wonder, how do the students get paid? Remaining anonymous is critical to spammers being able to continue doing their thing. How does a spammer actually pay someone w/out being trackable? I can't imagine that they send cash.
    • Well, these students must be pretty dumb anyway to do this for a measly $20 with the risk of being banned permanently from the uni network (or even the uni itself) so maybe the spammers ask for bank details (get them because of the amazing credulity of Simon Student), deposit $20 and then sell those details on to some people in Nigeria who always seem to be desperate for somewhere to deposit $20,000,000 :) Ahem.
  • by kien (571074)
    "The students involved in this found the opportunity themselves - they were not contacted by the company directly," says Tolman, who adds that the software likely was downloaded via FTP or some other file-sharing protocol.

    Oh great, just wait until someone from one of the entertainment cartels reads that. Coming soon from a congresscritter near you:
    HR 34235, The Federal Ban of the File Transfer Protocol Act of 2003.

    --K.
  • AUP? (Score:3, Insightful)

    by redneck_kiwi (267118) on Tuesday February 25, 2003 @12:27PM (#5379331)
    Doesn't the IT Department at any college, university etc enforce their AUP? Doh! They don't have an AUP.....

    Seriously, I would imagine that surely the IT Department has an AUP that would prevent this behavior along with appropriate actions for dealing with violators?
  • I mean, students could agree to use MS products in exchange of money...
    Err, wait...
    You mean they pay to use the products ? Or they copy & use them for free ?
    Darn, where are we going today....

    Free MS bashing, but well, sometimes you just need to have a good laugh ^_-
  • Confiscate their equipment, kick them all out of school, and prohibit them from entering a publicly funded school anywhere in the State. Whatever the punishment for rape is, give that +10% to them. Then let Cartman kick them in the nuts.
  • by OECD (639690) on Tuesday February 25, 2003 @12:34PM (#5379397) Journal

    The interesting thing is that the spammers are now paying people to put out their spam. Now each outgoing spam costs something above the overhead costs. Sure, it's something really tiny ($20/??) but it's not zero. I wonder what the price point is that spammers are willing to pay? Would schemes that would charge spammers for their spam really be a deterrent? How much would you have to charge?

  • by Migelikor1 (308578) on Tuesday February 25, 2003 @12:37PM (#5379414) Homepage
    I'm a current student at Tufts, and I'm not that surprised that there is some abuse of the system. The University is overall pretty laid back about student computing. The only things the sysadmins monitor for are viruses that may cause systemwide problems (they send a person to your room with virus software if one's detected) and excessive bandwidth usage (over a gig per day for more than 3 days in month.)
    While it is troubling to know that some of my fellow students abused the policy, it really isn't that hard. Though it pisses me off a little that they used University bandwidth for their little endeavor, the school has plenty, due to massive infrastructure installation in the late nineties. It hadn't caused any issues for the school (nobody I know has complained about a slowdown) so it's my opinion that the fact it's a university isn't a big deal. The kids are entrepreneurs, even if it's in a business I despise, taking advantage of the resources they've paid for. The real question is whether the school will add a clause to the acceptable use policy and start to monitor for spammers. Wouldn't be surprising.

  • by teamhasnoi (554944) <teamhasnoi&yahoo,com> on Tuesday February 25, 2003 @12:40PM (#5379441) Homepage Journal
    Everyone has said how 20 bucks isn't anything, but it's pure profit! I'm assuming these kids don't have to click 'Send' 1.6 million times, and they don't pay for bandwidth.

    Another shining example of the 'me first' attitude that permeates society. (Especially in the US) -

    Crap! It's free money, with no responsibility attached, and poor college students would stand in line at the finger-smelling factory if they didn't have to work.

    I'm surprised it took 20 bucks.

  • Blacklists work (Score:4, Interesting)

    by frankie (91710) on Tuesday February 25, 2003 @12:56PM (#5379569) Journal
    The university I work for has found itself on various spam blacklists each September for the past 3 years. The reason has been the same each time: underclassmen in the dorms installing old RH distros or whatever that includes an open mail relay.

    This spring SMTP will be restricted to only approved departmental servers. Anyone else gets dropped at the firewall. It's a shame (academic freedom and all that) but really necessary.

  • At my University. (Score:3, Interesting)

    by MarvinMouse (323641) on Tuesday February 25, 2003 @12:59PM (#5379592) Homepage Journal
    Where I am at now, they have a very strict rule on that. If you spam, or are caught spamming, or are caught passing on chain mail letters, or a whole list of rules. They'll punish you in one of three ways (likely)

    Slap on the wrist. Basically translates into loss of marks for CS majors, or banishment from facilities for a short period, or a whole list of things.

    Banishment from computing facilities on campus. Thus, if you are a CS major or basically any major that requires computer systems use. You pretty much just failed yourself out of university.

    Expulsion. This has happened with a few people who were really abusing the system and even had warnings.

    Personally, I think if anyone even considers sending a spam on the network to bypass the filters, that they should be expelled immediately, or at very least banished from the facilities permanently. It is a privilege, not a right to use those facilities. If you abuse them, you should lose that privilege.
  • Now... (Score:3, Funny)

    by Mysticalfruit (533341) on Tuesday February 25, 2003 @01:00PM (#5379595) Journal
    This just proves that Tufts has a better business school than Harvard's...
  • by korny69 (132030) on Tuesday February 25, 2003 @01:20PM (#5379791) Homepage
    What I do not understand is why don't they just block all incoming traffic to the dorms and labs? Why is it that they allow for this traffic to even make it to the PC in the first place?

    Frank Grewe, manager of Internet services for the University of Minnesota in Minneapolis-St. Paul, also wasn't surprised. He says the university does not let client machines be used as servers, employs static IP addresses and tracks the amount of traffic going to and from those addresses.

    Why track ... just do not allow it in the first place and it will be a whole lot easier. I just do not see a reason in allowing inbound traffic to a static IP address on a campus unless it is a server owned (no pun intended) and operated by the staff. When you allow anyone and everyone to do as they please, all hell will break loose.

    I can see the point of some PCs and not others, but it should always be a special case when a PC needs access to it from the outside. This is how most corporate companies run their network. I just do not understand why in most cases all I have to do is 'host -l -t any uni-net.edu' and get a list of hosts to look at and forward my spam on from.

    As for the out-sourcing of CS to someone else, I would have to disagree, because it is incidents like this that usually teach people. And when they go on to the corporate world, hopefully, they will remember that they need to lock their network down. It teaches fundamentals, and in this industry, unlike a lot of others and what a lot of corporate big-heads think, it is experience more than education that counts in the long run.

    • Because blocking incoming connections will not stop the problem. The spammers are using custom written relays to do this - there's nothing stopping them from writing the app so that it actually "phones home" to get its workload for the day and then sends the spam.

      Blocking incoming connections is good for preventing unintentional use - like when most major MTA's came pre-configured to relay anything. That's not the case now so the use from a standpoint of preventing intentional unauthorized use by internal users it's really not an effective measure.

      A more effective method would be to prevent the workstations from actually sending any mail directly - instead forcing them thru a corporate/university managed relay that can do appropriate anti-spam measures, including throttling excessive senders. This is the tactic that many commercial ISP's are taking for the exact same reasons.
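
An added example (not part of the thread or any poster's code) of the two controls discussed above: dropping direct outbound SMTP from workstations at the firewall, and throttling excessive senders at a managed relay. The address ranges, relay address, hourly limit and sample records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed values, constructed for this example (not from the thread).
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")
APPROVED_RELAYS = {ipaddress.ip_address("10.20.0.25")}
RELAY_LIMIT_PER_HOUR = 100

def egress_verdict(src, dst, dport):
    """Firewall rule: only approved relays may open outbound SMTP (tcp/25)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 25 or src not in CAMPUS_NET:
        return "allow"   # rule only covers campus-originated SMTP
    if src in APPROVED_RELAYS or dst in APPROVED_RELAYS:
        return "allow"   # relay sending out, or client submitting to the relay
    return "drop"        # workstation talking SMTP directly to the outside

def direct_smtp_offenders(flows):
    """Count dropped direct SMTP attempts per campus host."""
    hits = Counter()
    for _ts, src, dst, dport in flows:
        if egress_verdict(src, dst, dport) == "drop":
            hits[src] += 1
    return hits

def throttled_senders(relay_log, limit=RELAY_LIMIT_PER_HOUR):
    """Senders exceeding `limit` messages in any clock hour at the relay."""
    per_hour = Counter((src, ts // 3600) for ts, src in relay_log)
    return {src for (src, _hour), n in per_hour.items() if n > limit}

# Constructed sample data: (epoch, src, dst, dport) flows and (epoch, src) relay log.
T0 = 1046174400  # 2003-02-25 12:00:00 UTC
FLOWS = (
    [(T0 + i, "10.20.3.7", "203.0.113.10", 25) for i in range(40)]  # direct SMTP
    + [(T0 + 5, "10.20.3.8", "10.20.0.25", 25)]                     # via relay
    + [(T0 + 9, "10.20.0.25", "198.51.100.4", 25)]                  # relay outbound
    + [(T0 + 12, "10.20.3.7", "198.51.100.80", 80)]                 # web traffic
)
RELAY_LOG = (
    [(T0 + i * 10, "10.20.4.4") for i in range(300)]   # 300 msgs in 50 minutes
    + [(T0 + i * 600, "10.20.3.8") for i in range(5)]  # 5 msgs, normal use
)

if __name__ == "__main__":
    print("direct SMTP (dropped):", dict(direct_smtp_offenders(FLOWS)))
    print("throttle at relay:", sorted(throttled_senders(RELAY_LOG)))
```

The firewall rule catches a relay program that "phones home" for its workload, since the outbound tcp/25 connections are dropped regardless of how the job arrived; the relay-side counter covers a sender who uses the sanctioned path.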
    • by ftobin (48814) on Tuesday February 25, 2003 @06:08PM (#5382380) Homepage

      Jeez, what an awful road to go down. The very idea that you cannot be a participant in the internet, and provide your own services, is abhorrent. There should be no problem with a student having his own webserver, mail server (as long as it's not an open relay), finger server, or whatever. Solve problems with specific solutions, not these broad, sweeping, castrating ones.

      The way of thinking that you suggest, that only "powers that be" may provide services, promotes consumerism, and prohibits the freedom of individuals.

      Your suggestions are antithetical to the very principles that the net was built on, end-to-end.

  • by cybermace5 (446439) <g.ryan@macetech.com> on Tuesday February 25, 2003 @01:28PM (#5379844) Homepage Journal
    To the Man in the Can:

    I am willing in the utmost confidence and secret to help your with some certain relaying needs. My server does waits idle at my residence in an yet to be disclosed location, ready to relay your messages to the considerate masses. In exchange for your sum of $20 per month, my server will confidentiality flood the Internet with your excellent offerings.

    I can personally and utmost attest to guarantee that you messages will pass through entire unaltered, and not be redirected to /dev/null, or replaced with the text "I AM RESPONSIBLE FOR X PERCENT OF ALL YOUR SPAM" and your home address & phone number. I would most certainly not monitor every spam you attempted to send at your discretion, and report each and every instance to the immediately authorities.

    I trust you to and maintain the highest level of integrity & confidence in this matter.

    --- Ham Nbu Jahir, Supreme Commander of Nigerian National Space Fleet
  • by Indy1 (99447) <spamtrap@fuckedregime.com> on Tuesday February 25, 2003 @02:49PM (#5380570) Homepage
    I did a little WHOIS digging......
    the most important part (CIDR:130.64.0.0/16) just made my firewall blacklist : )

    • by kindbud (90044) on Tuesday February 25, 2003 @07:57PM (#5383213) Homepage
      did a little WHOIS digging......
      the most important part (CIDR:130.64.0.0/16) just made my firewall blacklist : )


      Did you read the article? The University's network admins have the problem under control. Students are being disciplined, PCs are taken off the network when they are found. Tufts runs a responsible and responsive abuse desk. By punishing an organization that has acted properly, you are undermining real anti-spam efforts.
  • Simple solution (Score:3, Interesting)

    by sik puppy (136743) on Tuesday February 25, 2003 @08:30PM (#5383412)
    This incident has happened once. All new and returning students should be given an updated school policy with the following addendum:

    Any use of the school's network for the purposes of aiding or supporting spam will result in immediate expulsion. No exceptions.

    Simple, brutal, efficient. No more problem.
