Spam Research Six Month Report

Zoomer writes "Every day, millions of people receive dozens of unsolicited commercial e-mails (UCE), known popularly as 'spam.' Some users see spam as a minor annoyance, while others are so overwhelmed with spam that they are forced to switch e-mail addresses. This has led many Internet users to wonder: How did these people get my e-mail address? In the summer of 2002, CDT embarked on a project to attempt to determine the source of spam. To do so, we set up hundreds of different e-mail addresses, used them for a single purpose, and then waited six months to see what kind of mail those addresses were receiving. The results offer Internet users insights about what online behavior results in the most spam. The results also debunk some of the myths about spam." Update: 04/12 15:47 GMT by CN : About a minute after this went live, I found that michael posted this earlier. Mea culpa.

Duplicate

[forged]

This story was already posted 2 weeks ago [slashdot.org].

Bad Addresses

[mongus]

Almost all of the spam I get is to invalid addresses. I get all of the incorrectly addressed email for about 10 different domains - somewhere around 1000 messages per day. I don't know if the spammers just made up the addresses or if someone intentionally filled out forms with bogus addresses.

I'm happy to get all of this spam because it increases the effectiveness of my anti-spam system Herbivore [herbivore.us]. Herbivore is a distributed anti-spam system. Everybody that uses it increases it's accuracy. If you're interested, any Slashdot readers can get two years for free by entering "slashdot" as the promotional code. Help us fight spam!

Re:WHOIS

[the uNF cola]

Whois records are definitely sources of spam. It depends on

1. How secure the whois information is from automated stuff.

2. Does the company sell your info to other companies?

Worth saying again.

[JKConsult]

It seems every article (dupe or not) on spam returns a thousand people throwing out their personal solution to fighting it. Most involve mail-server solutions, such as SpamAssassin, but I've read about MailWasher [mailwasher.net] a number of times. After the last article (the original of this dupe, actually), I finally decided to try it.

A week later, spam to my hotmail account has dropped from 30 or so a day to about 2. (Warning: Hotmail support is only provided in the pay version, but there's a 30-day trial.) Preview the spam on the server, and you're able to delete it, blacklist it, and best of all, bounce it back to the sender. In my wildest dreams, I never thought it would work so well. YMMV.

Another kick-ass product is Spam Gourmet [spamgourmet.com]. Some website wants your email address? Give them (unique identifer).(some number).(your user name)@spamgourmet.com . The number is the number of emails they can send before the address is killed, and the user name is your user name at spamgourmet. Go sign up, and you never have to go back to the site again. It works.

I'm sure many people are like me, and read these testimonials and figure that they're hype. Trust me. They're not. I wish I had done it the first time I read about them.

Odd coincidence and report summary.

[phillymjs]

Just this past Wednesday night I discovered that I left the PDF version of this report sitting on my iBook from the last time this article was posted. Before I deleted it, I actually read the entire thing. Here's pretty much all you need to know:

1. Don't give out your e-mail address any more freely than you have to.

2. For the love of God, NEVER put it in unadulterated form (i.e. user@domain.com) in a Usenet posting or in a publicly-accessible HTML page-- even in the comments or other places that it won't appear on the final, rendered web page. If you do, it WILL get picked up and you WILL get an assload of spam.

3. If you MUST provide your address on a web page or Usenet posting, slightly obfuscating it (i.e. "user at domain dot com") is, for now, 100% effective against fooling the spambots. Which frankly I find amazing, because that trick has been around for years.

~Philly

Re:Do as I say...

[oscillateur]

In the source the email was "hidden" : &#97 ;&#114 etc.

Re:Bad Addresses

[mongus]

How is this different from the open-source Vipul's Razor, Pyzor or DCC...

Herbivore filters out random garbage that spammers are putting into their messages before it creates the identifying hash. It also was designed to be easy for anyone to install and transparent to use.

...Cloudmark [cloudmark.com] seems to do alright by using Razor's network.

Cloudmark's SpamNet has a lot of users even though it is only currently only available for Outlook. Herbivore runs on just about anything (its running on Gentoo PPC right next to me) and you can use your favorite mail client!

Active Spam Killer

[Isldeur]

This has probably been posted before, butI think a fantastic little tool is the Active Spam Killer [paganini.net]. I'm using 2.3 beta 3 which is very stable and worthwhile.

Basically it requires a once-off confirmation from any non-whitelisted and non-blacklisted user who sends you something. I haven't gotten one spam since I installed it. It's impossible to loose a real email and it's dead easy to install.

Re:What I want to know....

[McDutchie]

.... is the profile of the average spammer. Most of my spam is poorly spelled and frequently points to sites that don't have anything to sell. My suspicion, and I have no way of verifying it, is that most of these messages are sent by people who get suckered into a "Make Money From Home!" offer, send a few messages to a giant list of addresses, and then give up when they're not living in MC Hammer's mansion by the end of the week. Does anyone know who the average spammer is?

At Spamhaus [spamhaus.org] they know. Not only does Spamhaus run the SBL [spamhaus.org], the most widely used blocklist of spam sources in existence, they also run ROKSO [spamhaus.org], the block-on-sight public database of notorious spam gangs. This database is used by many ISPs for background checks when signing up clients. It's also used by the FTC and state Attorney General offices [google.com].

According to Steve Linford, head of the Spamhaus team, 90% of the spam originating from America is sent by some 150 top spammers [google.com]. If these were eliminated, our spam problem would virtually vanish overnight. This seems to contradict your suspicion that most spam is sent by suckers. In reality it's a small number of committed criminals that send most of it, and you can see all the publically available data on them at ROKSO. Go check it out - very educational indeed. So are many of Steve Linford's postings in news.admin.net-abuse.e-mail [google.com].