CDT Releases New Report on Origins of Spam 376

Carnth writes "CDT has released a new report based on a six month project entitled "Why Am I Getting All This Spam?" The results offer Internet users insights about what online behavior results in the most unsolicited commercial email and also debunk some of the myths about spam." A very good report - read it. There's also a story about yet another sleazy spammer in Ohio.
  • Mirror (Score:1, Informative)

    by delta407 ( 518868 ) <slashdot@nosPAm.lerfjhax.com> on Wednesday March 19, 2003 @02:40PM (#5545794) Homepage
    I managed to grab the PDF before the server was trampled by the swarming masses.

    Mirror is here.
  • 1) Sign up on an internet gambling site.
    2) Register a domain name.

    I have multiple domain names and I know for certain that much of my spam originated from either scanning the whois database, or someone selling the e-mail addresses from there.

    I don't gamble, but I noticed that the java applets that were used for 99% of the gambling sites were all from the same place. In other words, if you want to start a gambling site, but you don't want to write software - you can pay to use the java applets of this one company. There is some rebranding that goes on - but in the end, it all goes through their servers and uses their code.
    Because of that, I figured if there were any holes in the software, that would mean a whole crapload of open spots out there. So out of curiosity I registered at a gambling site and then looked at the source (you can get the source from a java applet).
    After that, my spam increased exponentially - the immediate group was spamming me, as well as selling off the address - which then gets repeated over and over.

    I use spamassassin now and I have it tweaked to the point where out of over 100 spams a day, I only have 1 get through - and that is because the code times out and lets it through, not because SA hasn't caught it.
    I first installed it in January and in that time have only had it once grab mail that it shouldn't have - from my mom. I added her to the whitelist and have never had a problem since.
    I use one of the more recent 2.60 versions, have the spam threshold lowered to 3.5, and I have tweaked a few of the score settings. Works great for me.
  • by Randar the Lava Liza ( 562063 ) on Wednesday March 19, 2003 @02:42PM (#5545810) Homepage
    The FTC already filed a complaint [ftc.gov] and had a preliminary injunction [ftc.gov] against Childs back in April. See the press release [ftc.gov] for more information. The article mentions he lives by Riverside drive in an apartment, could be with Linda Lightfoot [superpages.com], the woman mentioned in the complaints with him?
  • Re:Mirror (Score:5, Informative)

    by delta407 ( 518868 ) <slashdot@nosPAm.lerfjhax.com> on Wednesday March 19, 2003 @02:42PM (#5545816) Homepage
    Argh, Slashdot ate my link.

    http://www.visi.com/~rwglynn/030319spamreport.pdf [visi.com]
  • by masonbrown ( 208074 ) on Wednesday March 19, 2003 @02:47PM (#5545865) Homepage
    Saw a banner ad for IronPort MTA [ironport.com] just now on Slashdot. It features a technology that "ensures that if one campaign has a problem with less than perfect spam filters at receiving ISPs, it won't impact other campaigns on separate Virtual Gateways".
  • Re:Spam (Score:3, Informative)

    by da' WINS pimp ( 213867 ) <dart27@gm a i l .com> on Wednesday March 19, 2003 @02:55PM (#5545947) Journal
    Yea, but you should try working for a public institution. Our e-mail addresses are public domain and have to be given to anyone who asks. Thank god for Mozilla's filtering. That's gotten me down to only 20 or so a day that I have to deal with.

    At this point I'm praying for legislation that makes UCE illegal to government entities! You would think it would be misappropriation of resources or something. But the Ashcroft says no, I guess he is too busy chasing terrorists.

  • by Anonymous Coward on Wednesday March 19, 2003 @02:57PM (#5545975)
    Moral of this story? Post to usenet (and mailing lists) with a junk account. Keep a private account for friends and contacts.

    This only works until one of your friends or contacts screws up and puts you on a list. How does that happen? E-greeting cards, "send this page to a friend" links, etc. Eventually it will happen, and once you're on the first list you get sold around. Mark my words because I had an email address as clean as yours (4 years, no spam!) until one of my well-meaning family members sent me an e-Halloween card.
  • by blibbleblobble ( 526872 ) on Wednesday March 19, 2003 @03:04PM (#5546041)
    If anyone is having trouble forwarding their postal junk-mail ("Not known at this address: please forward to..."), here's the address again:

    Charles F Childs
    and Linda Jean Lightfoot
    4132 Pompton Court
    Dayton
    Ohio 45405

    Keywords: "Spammer's address, Universal Direct, Pyramid marketing scam", for the benefit of google.
  • by UberOogie ( 464002 ) on Wednesday March 19, 2003 @03:05PM (#5546055)
    Actually, if you read carefully, this guy was a cop who got fired after being caught selling drugs.

    Yeah, this guy is a real success story to be imitated.

  • by KillerCow ( 213458 ) on Wednesday March 19, 2003 @03:12PM (#5546124)
    I would suspect that many bots convert % symbols now. It would only take a pass through a standard URL encode/decode function.

    There are better obfuscators [arizona.edu] available.
  • by SpamJunkie ( 557825 ) on Wednesday March 19, 2003 @03:17PM (#5546174)
    Are you in your own address book? If so then this is likely the case, an easy trick. And if so then here's a tip for next time: check the email addresses you're getting them from to make sure they aren't in your address book.
  • Re:My spam research (Score:3, Informative)

    by B3ryllium ( 571199 ) on Wednesday March 19, 2003 @03:18PM (#5546185) Homepage
    You little nutjob :) That'll blow away the aliases file.

    You need to use >>. :)
  • by Anonymous Coward on Wednesday March 19, 2003 @03:18PM (#5546191)
    Here's what I presume [spamhaus.org] to be home address of the spammer named in the article.

    ABUSERS: C. Fielding Childs
    cf_childs@yahoo.com
    Bulker's Paradise
    4132 Pompton Ct.
    Dayton, Ohio 45405
    FAX: (937) 275-3741

    ALSO: Charles Fielding Childs, Jr.
    "MAIL ORDER ALLIED COMPANY"
    2936 Melbourne Ave.
    Dayton, OH 45417
  • by druske ( 550305 ) on Wednesday March 19, 2003 @03:33PM (#5546316)
    Some of the CDT's conclusions do seem obvious, but others really contradict prevailing beliefs. For one thing, they found that opting out of future mailings generally didn't result in the email address being sold or shared, thus attracting even greater quantities of spam. It's also surprising that addresses harvested from the web fall into disuse rather quickly, and that the harvesting programs aren't clever enough to overcome very simple obfuscation.

    I'm a little sorry that the CDT pointed out that last bit, though; it shouldn't take more than a few minutes to upgrade harvesters to interpret these concealed email addresses. On the other hand, maybe spammers figure that anyone bright enough to use HTML codes or Javascript isn't likely to buy their snake oil.
  • One of the funnier (to me - others likely hate it) things I've seen are those "somebody has a crush on you" sites. you then have to "guess" who sent you the thing, so you put in emails and it collects them. I don't think that anyone ever really sends you anything, it just says that, then collects all the emails that generates and then tells those people that someone has a crush on them, etc etc.
    Then that list can be resold.

    I have my email address up on slashdot, I have it on my webpage (current and an old school one). I have posted to various discussion boards, yahoo groups, newsgroups, mailing lists, etc. I have purchased online from literally hundreds of online stores (I pretty much only buy anything aside from dinner online).
    Out of all of those, I definitely saw increases in spam coming in - but it wasn't huge increases until the two things that I mentioned up there - the online gambling and the domain registration.

  • by adamkuj ( 263548 ) on Wednesday March 19, 2003 @03:36PM (#5546348)
    The Dayton Daily News article discusses Charles F. Childs, an Ohio native. Last year I testified before the Ohio Senate Commerce Committee regarding a proposed spam bill. That bill was later passed into law [state.oh.us]. Among other things, the bill has opt-out requirements, requires a pre-existing business relationship, and makes it a felony to forge headers and/or abuse open relays or proxies to send email. I would imagine that Mr. Childs, and another Ohio spammer, Tom Crowles [toledocybercafe.com], are in violation of some or all of the provisions of the Ohio spam law. Here's a new get rich quick scheme for you: hire an attorney and start collecting damages from these scum (up to $100 per email plus legal expenses).
  • by great throwdini ( 118430 ) on Wednesday March 19, 2003 @03:36PM (#5546352)
    There are better obfuscators available. [link omitted]

    The pitch for YASS (Yet Another Silly Script) aside, that solution isn't exactly 'better':

    • The original email address is still nicely present in a foo@bar.baz format as a single string entity - how is this any more difficult to parse?
    • Denying an email address to those who've disabled JavaScript seems a bit arbitrary.
    • Adding about 0.5 KB to a document just to hide a multi*byte* email address seems less than optimal from an efficiency standpoint.

    Of course, two of three of those problems can be overcome through inclusion of the script as an external resource (rather than an inline element) with some tweaking of the code presentation. But the 'solution' arbitrarily excludes a (likely small) population of users from actually accessing your email address.

    If the whole point is to hide the actual email address, push it to the server-side (peddling a client-side JavaScripted solution is sub-par) and use a contact form. If the point is to present the actual email address (in cases where hiding behind a contact form sends the wrong message to your audience), I'm not certain turning to JavaScript offers all that much protection over plain markup obfuscation. Logically, it might, but at what additional cost?

    I remain skeptical that HTML character encodings are enough, but perhaps it is so (still) given the CDT finding. One might combine it with the table-split solution offered up-thread. Turning to JavaScript doesn't offer enough demonstrable benefit to warrant usage.

    Now, if one would conduct a nice controlled study of the differing techniques...

  • Re:My spam research (Score:5, Informative)

    by Fluid Truth ( 100316 ) on Wednesday March 19, 2003 @04:10PM (#5546629)
    Very sorry. :-) As long as the mail server is running qmail and you have shell access, you can set up qmail files for any given "extension." .qmail is what happens to mail sent to username@domain.tld. .qmail-yahoo is what happens to username-yahoo@domain.tld

    And, if you want to accept everything that starts with your username, you set up .qmail-default. That will catch everything that isn't just sent to username@domain.tld (that has to be handled by .qmail) and doesn't already have another file handling it.

    So, you can have .qmail which handles mail to just username@domain.tld, a .qmail-yahoo that handles everything to username-yahoo@domain.tld, and .qmail-default which handles everything else that starts with your username.

    This info is pretty much available in the man page "dotqmail" and some info may be found at the author's web site at http://cr.yp.to/qmail.html [cr.yp.to]
    or the Life With Qmail web site, http://www.lifewithqmail.com/ [lifewithqmail.com].
  • by witts ( 552031 ) on Wednesday March 19, 2003 @04:36PM (#5546868) Homepage
    I read the report and was immediately struck by the fact that email addresses posted to us.jobs newsgroup received ZERO spam. Don't try this in alt.sex.erotica, however, as that newsgroup received the most spam. Further proof that pr0n really is the driving force behind the internet... p.s. now you know where to post email addresses of thy enemies
  • Re:New Tactic (Score:2, Informative)

    by inerte ( 452992 ) on Wednesday March 19, 2003 @04:39PM (#5546904) Homepage Journal
    Not new. In fact quite common.

    I use Evolution and it can block loading images from the web.
  • by mclarkcdt ( 660262 ) on Wednesday March 19, 2003 @04:41PM (#5546919) Homepage
    I have posted an HTML version of the report at http://www.cdt.org/speech/spam/030319spamreport.shtml [cdt.org]. Thanks for your interesting comments, I am collecting them for ideas for future research projects. Mike
  • Re:My spam research (Score:4, Informative)

    by ebh ( 116526 ) <ed.horch@org> on Wednesday March 19, 2003 @05:47PM (#5547432) Journal
    You left out the best part: If, say, user-ticketmaster@domain.tld (now, why would I pick that as an example?) starts getting spam, create a file called .qmail-ticketmaster in your home directory containing the single line

    |exit 100

    The 100 exit status causes all mail to that address to bounce, not just get sent to /dev/null. And a bounce is the most reliable way to get off a spam list. AFAIK, qmail is the only MTA that allows user-level control of bounces like this.

  • by valkraider ( 611225 ) on Wednesday March 19, 2003 @06:00PM (#5547541) Journal
    This article tells you how to set up a rule that will detect HTML mail in Mail.app:

    Add an HTML filter to catch more spam in Mail.app [macosxhints.com]

    It works great!
  • by WoodstockJeff ( 568111 ) on Wednesday March 19, 2003 @06:32PM (#5547767) Homepage
    Having read the article, I find it amazing that CDT never received any spam to an encoded-on-webpage address; we routinely encode addresses, even have a PHP function embedded in our base code to handle it. And we also receive several spams per month to our "encoded test address".

    At least some harvesters decode the page before searching it for addresses, and several advertise the ability to get through the "bob at domain dot com" subterfuge.

    But, we also have several domains that have no mail address set up, except those required by RFC. They routinely get spammed, even when no email address was used in creating the domain.

    Lots of good advice, though!
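
Added example, not part of any comment in this thread: a Python check a site owner can run on their own markup to see which decoding step exposes a published address, illustrating the point made above that entity or percent encoding only holds against tools that match raw text. The address, the sample markup and all function names are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Deliberately simple address pattern; adequate for auditing your own pages.
ADDR = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def entity_encode(address):
    """Write every character as a decimal HTML entity (&#NN;)."""
    return "".join(f"&#{ord(c)};" for c in address)

def percent_encode(address):
    """Write every character as %XX, as used inside a mailto: href."""
    return "".join(f"%{ord(c):02X}" for c in address)

def exposure(markup, address):
    """Return the cheapest processing step that reveals address, or None."""
    steps = [
        ("raw", lambda s: s),
        ("entity-decode", html.unescape),
        ("percent-decode", unquote),
    ]
    for name, step in steps:
        if address in ADDR.findall(step(markup)):
            return name
    return None

# Constructed test address and page fragments (not taken from the report).
ADDRESS = "alice@example.org"
SAMPLES = {
    "plain": f'<a href="mailto:{ADDRESS}">mail</a>',
    "entities": f"<p>{entity_encode(ADDRESS)}</p>",
    "percent": f'<a href="mailto:{percent_encode(ADDRESS)}">mail</a>',
    "spelled out": "<p>alice at example dot org</p>",
}

def audit():
    """Map each sample's label to the step that exposes the address."""
    return {label: exposure(markup, ADDRESS) for label, markup in SAMPLES.items()}

if __name__ == "__main__":
    for label, step in audit().items():
        print(f"{label:12} exposed by: {step}")
```

A result of `None` means only that these three steps do not reveal the address; it does not cover tools that rewrite "at" and "dot" spellings.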

  • Re:My spam research (Score:3, Informative)

    by Fluid Truth ( 100316 ) on Wednesday March 19, 2003 @06:37PM (#5547801)
    Hey! That's nice! There's another way, using the "bouncesaying" program that comes with qmail. If you put this line in the .qmail file, you can actually control what the bounce says (though yours is nice because it's easy and looks more automated):

    | bouncesaying "Better luck next time"
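
Added example, not part of any comment in this thread: a small Python model of the lookup order documented in dot-qmail(5) and the exit-code handling in qmail-command(8), showing why a per-vendor `.qmail-ticketmaster` file containing `|exit 100` takes precedence over a catch-all `.qmail-default`. The home-directory contents are constructed, only the first line of each file is modelled, and the function names are assumptions of this sketch.

```python
import subprocess

# Exit codes that qmail-command(8) treats as permanent failure (a bounce).
HARD_FAILURE = {100, 64, 65, 70, 76, 77, 78, 112}

def dotqmail_candidates(ext):
    """Files tried, in order, for mail to user-<ext>, per dot-qmail(5)."""
    if not ext:
        return [".qmail"]
    ext = ext.lower().replace(".", ":")  # lowercased; dots become colons
    parts = ext.split("-")
    names = [".qmail-" + ext]
    for i in range(len(parts) - 1, -1, -1):
        prefix = "-".join(parts[:i])
        names.append(".qmail-" + (prefix + "-" if prefix else "") + "default")
    return names

def classify(status):
    """Map a delivery program's exit status to the fate of the message."""
    if status in (0, 99):
        return "delivered"
    return "bounce" if status in HARD_FAILURE else "deferred"

def deliver(ext, home):
    """Return (file used, outcome); home maps file name to file contents."""
    for name in dotqmail_candidates(ext):
        if name in home:
            lines = home[name].splitlines()
            first = lines[0] if lines else ""
            if first.startswith("|"):  # program line, run through sh -c
                status = subprocess.run(["sh", "-c", first[1:]]).returncode
                return name, classify(status)
            return name, "delivered"  # mailbox, maildir or forward line
    # No .qmail at all: default delivery. No file for an extension: no mailbox.
    return None, ("delivered" if not ext else "bounce")

# Constructed home directory matching the setup described in the thread.
HOME = {
    ".qmail": "./Maildir/",
    ".qmail-yahoo": "./Maildir/",
    ".qmail-ticketmaster": "|exit 100",  # burned address: always bounce
    ".qmail-default": "./Maildir/",      # accept every other user-* address
}

if __name__ == "__main__":
    for ext in ("", "yahoo", "ticketmaster", "newshop"):
        print(repr(ext), deliver(ext, HOME))
```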
  • Not with Mozilla (Score:2, Informative)

    by aaandre ( 526056 ) on Wednesday March 19, 2003 @07:15PM (#5548142)
    In version 1.3:
    Edit > Preferences > Privacy&Security > Images: Do not load remote images in Mail & Newsgroup messages (check!)

    also, in Preferences >Advanced > Scripts & Plug Ins: Enable Javascript for News & Newsgroups (uncheck!)

    This, along with whitelisting sites with popup windows and Bayesian email filtering should make your life easier.

    Cheers
    -- Andre
