Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Spam Government The Courts News

New Attacks on Spam 153

Posted by michael from the war-machine-springs-to-life-opens-up-one-eager-eye dept.
AttackOfTheDictionaries writes "Project Honey Pot started operating back in November. The Project provides its participants with a script that generates fake webpages with unique honeypot email addresses. The end result is that Project Honey Pot can connect email harvesters' IP addresses with the spam received by those honeypot email addresses. Which is pretty nifty, but left some people asking how that would help legal attacks on spam. Well, it seems that some lawyer over at SecurityFocus has an answer."
This discussion has been archived. No new comments can be posted.

New Attacks on Spam More

New Attacks on Spam

Comments Filter:

  • Simple. (Score:5, Funny)

    by numbski ( 515011 ) * <[numbski] [at] [hksilver.net]> on Friday January 14, 2005 @06:22PM (#11368166) Homepage Journal
    You now have an IP address, and a known port number.

    You're going to sit here and ask a crowd of slashdotter what to do with that list?

    Publish it. Right here baby. ;)

    • Re:Simple. (Score:2, Interesting)

      by RidiculousPie ( 774439 )
      You now have an IP address, and a known port number.

      You're going to sit here and ask a crowd of slashdotter what to do with that list?

      Publish it. Right here baby. ;)

       As they note on the site, some of the IP addresses may be hijacked, and that's hardly a nice use of the power of slashdot.

      Although I am sure that some people would say that people should be responsible for their own system hijacked or not (indeed many/most ISPs would agree). Is DDOS ethical when used against spammers? Or were you

      • Re:Simple. (Score:3, Interesting)

        by mattyrobinson69 ( 751521 )
        if somebody refuses to secure their pc, sod them. If theyre being DDOS'ed, they cant send as much spam - its their problem
        • if somebody refuses to secure their pc, sod them. If theyre being DDOS'ed, they cant send as much spam - its their problem

          My question was more if it was ethical to DDOS then, bot whether it was effective. I do not doubt that DDOS would be effective in reducing the capability of that particular system to produce information for spammers.

          There is also the question of changing IP addresses, so the IP address being DDOS'ed might not be the one that is aiding spammers.

          You are right in that security
        • if somebody refuses to secure their pc, sod them. If theyre being DDOS'ed, they cant send as much spam - its their problem

          If a women wears a short skirt, then it's their own fault if they get raped.

      • ahhh so black and white.

        Do both :-)

    • RTFA (Score:3, Informative)

      by brunes69 ( 86786 )

      The list is linked to right in it

      http://www.projecthoneypot.org/bots_and_servers.ph p [projecthoneypot.org]

    • Publish it. Right here baby.

      You can browse the list yourself on the Project Honey Pot site and then click on an IP for more details.

      www.projecthoneypot.org/bots_and_servers.php [projecthoneypot.org]

      (Or go to the site and click the prominent "Data & Statistics" button/tab)
    • Right on dude! Lets /. em

  • Joined yesterday (Score:4, Informative)

    by Anonymous Coward on Friday January 14, 2005 @06:23PM (#11368181)
    I donated a few MXs (10 different domains), and setup a few honeypots. It's fairly easy to do assuming you have a basic understanding of DNS, and you don't mind enabling short PHP tags (if using their PHP script).

    I do have some concerns though. Just from a few minutes with it, it seems like it'd be fairly easy for spammers to detect. They only have a limited number of MXs the spam can go to. You could just check where the spam was going, and stop it if it's hitting a honeypot. It'll probably work for a little while before the spammers have time to adapt.

    Also, while you can start tracking spammers at this point, you don't really get much out of it, yet. They apparently may set up some sort of HTTP RBL so people can stop bad crawlers, but it doesn't exist at this point.
    • I tried joining donating a few MXs, but it wouldn't let me. First of all, it had a problem with profanity in my domain: andrewhitchcock.org. This happened with an online game one time. Why can't people make smarter filters!? Also, whenever I tried entering a sub-domain for another one of my domains, it would always give me an error saying it didn't exist, but if I did the domain without the sub-domain, it would work just fine. It seems they have a few problems with the script (or I am missing something obvi
    • Hum.... so, how do I get my mail server on the spammer's honeypot list?
    • [if] you don't mind enabling short PHP tags

      If you don't want to alter server settings you could
      sed -i "s/<?/<?php/" script.php
      ..to get rid of the short tags

  • Where is the Mafia when you need them? (Score:1, Informative)

    by Anonymous Coward
    Seriously, the Mafia can solve all our spam problems. They have computer experts who could track spammers and they aren't afraid to whack anyone. I'm not talking about killing people here, just frightening them. All they have to do is track down spammers and give them an offer they can't refuse. Get out of the spam business or they get a couple of broken collarbones.

    Problem solved.
    • Maybe you aren't talking about killing them but I am. I think once one or two spammers are killed, I think the others will get the message. I'm sick of spam and sick of spamming. Maybe I'm talking out of frustration and anger, but if I open the newspaper tomorrow and I see "man killed for spamming" on the headline, I'll start laughing my ass off as I am sure millions of others would. I think "wishing" someone dead isn't a crime... at least not yet... else I'd have been jailed long ago for wishing agains
      • He once shot a man (to death) just for snoring too loud. He is reported to have killed 40 men during his career, making him one of the most feared gunfighters in the Old West.

        Can you imagine if this guy were alive today, and surfing the internet (NRA website no doubt), and gets all kinds of spam in his Outlook? He would go nuts!

        Seems like just the man we need now ;)

    • Re:Where is the Mafia when you need them? (Score:5, Insightful)

      by Zocalo ( 252965 ) on Friday January 14, 2005 @06:44PM (#11368445) Homepage
      And what makes you think the Mafia isn't involved in actually sending the spam in the first place? Take a step back and look at the kinds of technical and organisational infrastructures that are used in spamming. We have address harvesting, botnets and the worms and malware to generate them, scams, counterfeiting of goods, moving goods (pills) from one country to another, hosting of services in countries all over the world. Oh, and much of this illegal too, and not just under legislation like CAN-SPAM. If that's not organized crime, then I don't know what is.

  • Fighting Spam (Score:3, Insightful)

    by superpulpsicle ( 533373 ) on Friday January 14, 2005 @06:29PM (#11368273)
    I have enough hard time setting up my website with decent security while allowing only Googlebot to come. Is it me or does this seem like alot of work to fight spam. Seriously shouldn't my ISP do that for me. Comcast does a mediocre job. The idea is to have me do nothing.

    • Re:Fighting Spam (Score:3, Insightful)

      by L.Bob.Rife ( 844620 )
      Businesses are driven by business decisions. If you want an ISP that will fight spam, then you have to stop giving money to your ISP that doesn't fight spam.

      The reality is that while it would be nice if other people did everything for us, many times you have to take matters into your own hands.

    • Re:Fighting Spam (Score:3, Insightful)

      by SharpFang ( 651121 )
      Is it me or does this seem like alot of work to fight spam.

      Sure! The method doesn't unload the effort in fighting spam at all, just opposite, adds work. So why...? Because it's profitable. You could make quite a decent living off lawsuits against spammers who fell for this. The idea is the spammer 1) can be identified 2) agrees to pay damage for every email harvested (implicitly. The bot does.) That won't solve problem of spam for your LAN. That will just make fight against spammers giving real financial
    • I have enough hard time setting up my website with decent security...allowing only Googlebot...shouldn't my ISP do that...Comcast does a mediocre job.

      A couple points:

      1: Pretty much any regular Comcast account shouldn't be running a web-server to start with.

      2: You bring up a fascinating point of favoring one search engine over others. What would happen if people en masse started only allowing their sites to be indexed by search engine companies they favor? Could, for example, MSN Search be hobbled by

  • Until they farm harvesting out to zombies... (Score:5, Insightful)

    by PornMaster ( 749461 ) on Friday January 14, 2005 @06:32PM (#11368323) Homepage
    When they farm out the harvesting work to zombies, it'll make this rather useless, no?

  • Follow the Money (Score:5, Interesting)

    by Lemurmania ( 846869 ) on Friday January 14, 2005 @06:33PM (#11368325)
    I've never understood why more attention isn't paid to punishing the businesses who advertise via spam. However well the spammers hide their tracks, there's a real company somewhere that wants to exchange services for cash. Why not attack this at the root? Why not make it a fineable offense to advertise via spam? Or would it be all-too-easy for a company to claim it never asked for the spam to be sent in the first place?

    It just seems to me that if you punish the money, there would be little to no incentive to spam. Any IANALs (or IAALs) like to comment on why this would/wouldn't work?

    • It would be too easy to threaten a company to send "fake" spam on his behalf.

    • Re:Follow the Money (Score:3, Insightful)

      by Anonymous Coward
      I've often thought about this too. My main concern is it's too easy for any individual to successfully attack a company by simply spending just a few bucks to have a spammer send out some bogus spam ads.
    • Start punishing any business that advertises via spam, and I'll start paying for spamvertisements for all my competitors... Really, it's hard to establish a money trail that will stand up in court.
    • It's a very sensible and obvious idea, and in fact several startup companies have tried it. For example, Habeas used to identify and sue the spammers that forged their trademarked header fields. They even purchased spamvertised products in order to create a paper trail.

      But the economics of it simply didn't work out. Many of the parties that were identified were small business with no deep pockets. The ones big enough to be worth suing would settle out of court, and disappear and resurface somewhere else.

    • Because the Direct Marketing Association lobbied Congress to weaken the CAN-SPAM act to prevent that.
    • As looney as I think the California legislature is, they did a pretty good job on recognizing the economic incentives behind spam. California Business and Professions Code 17529 holds the advertisers equally accountable with the actual spammers:

      (j) There is a need to

      regulate the advertisers who use spam, as well as the actual spammers, because the actual spammers can be difficult to track down due to some return addresses that show up on the display as "unknown" and many others being obvious fakes and the

    • Or simply allow customers to repudiate any credit card charges that they can prove came from purchases made as a result of spam?

      In that case the c/c companies would have a hefty financial interest in not providing services to spam-users.
    • i agree. can't they be charged with money laundering instead? i mean our country (philippines) is still on the blacklist of the fatf. most of the countries are not and can they not use their own rules to hold the accounts even if money is transferred internationally?

  • Friggin' No Good Lawyers! (Score:5, Insightful)

    by mekkab ( 133181 ) on Friday January 14, 2005 @06:33PM (#11368326) Homepage Journal
    So wait, the spider/e-mail harvester's access of your web pages are illicit, YET the license on those pages is now binding? Including paying fees and agreeing to be sued?

    If this isn't an abuse of our legal system, then honestly, I don't know what is!!

    • I dunno... (Score:4, Insightful)

      by brunes69 ( 86786 ) <[slashdot] [at] [keirstead.org]> on Friday January 14, 2005 @07:02PM (#11368637)
      I smell BS in this article.

      I mean, according to this, that means that someone could put a fancy legal document under a manhole cover saying "if you drive over this manhole, you agree to such and such".

      It's about the same thing - you never saw the agreement, so how could you have ever agreed to it? Surely they can't argue that a software program can enter into a legally binding agreement on its own - that would open up a whole other can of worms.
      • ...you never saw the agreement, so how could you have ever agreed to it...

        Indeed, an agreement always means there are at least two unambiguously identifyable parties who are legally able to agree to something. If neither of the parties can be proven in court to be part of an alleged agreement, there is no agreement, no matter what ten-thousand lawyers or millions of click licenses may say in wishful thinking. That is why all click licenses are bogus. It cannot be unambiguously proven exactly WHO did the cl
    • This is a good point. Since something as simple as EULAs might not be legally binding, in which a person must physically click "I Agree," how could it possibly be binding for an AUTOMATED PROCESS?

      As has been mentioned, no one under the age of 18 can legally agree to a contract, so by saying these licenses are legally binding, we've given the automated robot a higher standing than our kids? Seriously, I really fail to see how this has an legal basis.

      Blake

    • Bottom Line (Score:4, Insightful)

      by xant ( 99438 ) on Friday January 14, 2005 @07:19PM (#11368789) Homepage
      Address harvesting is illegal in some jurisdictions. If you're running a honeypot in that jurisdiction, and you can prove someone harvested an email address from you using the honeypot, it makes no difference whether they agreed to your license. They broke the law. If you go after them, you can nail them.

    • Re:Friggin' No Good Lawyers! (Score:1, Interesting)

      by Anonymous Coward
      I think a lot of people here are missing essential genius of this approach. Read the agreement [projecthoneypot.org]. First, in order to be bound by the agreement you needn't simply access the page, but then subsequently sending to the address found there. If the harvester pleads that their machine accessed the page and it wasn't them then you can sue them under the CAN-SPAM Act [projecthoneypot.org] for using automated means to harvest addresses. If they plead that they actually did it by hand, then you can sue them under the contract. Very clever.
    • Like a few others have said, unless there is a "meeting of the minds" (which by definition would seem to exclude bots) then there is no enforceable agreement.

  • Something missing from the writeup? (Score:2, Funny)

    by Anonymous Coward
    Did someone forget to editorialize the article writeup? I'll do it for you:

    It's clear that Bush and the Republican are responsible for all spam. It's just a neoconservative plot to destroy the American economy so that the value of all the Republican's foreign holdings will rise. What better way to destory the economy than through spamming the Internet to oblivion. Then they'll take over the world!

    (I'm just asking for it, aren't I)

  • This would be a bad thing (I am not a lawyer). (Score:5, Insightful)

    by Sheetrock ( 152993 ) on Friday January 14, 2005 @06:34PM (#11368347) Homepage Journal
    Even ignoring any possible First Amendment issues (which can be done if we discuss this hypothetically occuring only in other countries) imagine what kinds of doors are opened when you permit automatic sight-unseen licensing to take effect on material on the WWW?

    Here's a hint: website indexing as we know it will be completely destroyed the instant site owners can claim complete discretion about how their website information is used even though the websites are publically disclosed. Any automated webcrawling process could potentially subject the person running it to liability. Which means any future indexing will have to be vetted by hand.

    I could be misinterpreting this, but I think it would be very bad news to allow websites to bind people to contracts they aren't able to read or understand (even if we have a similar horrendous system for end-users of software). It's one thing to write a law restricting such behavior on a general basis, or specifying some way for people to opt-out of information collecting with a robots file, but even that is subject to confusion.

    Technical answers are needed for technical problems.

    • Umm... are we talking about the same thing? According to the CAN-SPAM act, if someone uses a crawler to harvest E-Mail addresses for the purpose of spamming, then it's illegal. I see nothing wrong with that.
    • Any automated webcrawling process could potentially subject the person running it to liability. Which means any future indexing will have to be vetted by hand.

      I guess that's what robots.txt is for. Given areas (like click-through disclaimers) should be made inaccessible for robots. If it's not forbidden for automated tools, it's not legally binding. If it's forbidden by RFC'd bot-understandable method, any entity that trepasses the "noindex, nofollow" border is considered a human and bound by the license

    • Does anybody read RFCs? (Score:2, Informative)

      by Anonymous Coward
      The rule is for non-transiant effects, all web sites must use POST.

      From RFC 2616 [66.102.7.104],

      Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others.

      In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These metho

    • Even ignoring any possible First Amendment issues (which can be done if we discuss this hypothetically occuring only in other countries) imagine what kinds of doors are opened when you permit automatic sight-unseen licensing to take effect on material on the WWW?

      Tell me about. This morning I posted a link here in Slashdot. At that link was an agreement that each visitor must pay me $50. With the slashdot in full effect, I think I will retire now.

      IANAL, but this 'binding' agreement thing sounds bogus. I

    • I think what this honeypot guy is doing is clever, and I like it.

      Not because I hope this legal tactic is upheld (though reducing spam would be nice), but because it so clearly illustrates the fallacy of so many other "licenses" out there. Sure it's silly to say "Here is a unique email address. By sending mail to it, you agree to...", but it's just as foolish to say "Thanks for buying our software. But if you actually run it, you agree to..." or "By opening the seal on this book/cd/box/whatever you agree

    • IAAL...

      if there was a standard that robots could read and be required to adhere to, i.e. robots.txt, then there shouldn't be a problem with a eula on a website since the only spiders that would be violating the eula would be ones that were ignoring the robots.txt file in the first place. Give the robots.txt files some legal standing as far as automated programs scraping a site goes then you wouldn't have to worry about the ramifications of a eula on a website.
  • Tell the [RI/MP]AA that they are actually super-secret encoded BitTorrent file transfers...
    • Tell the [RI/MP]AA that they are actually super-secret encoded BitTorrent file transfers...

      Or, better yet, wake up the Department of Homeland Security to the fact that spam is a perfect medium for transmitting brief hidden messages (e.g. the "go-code" for a terrorist op). Not only is the message itself concealed, but traffic analysis is defeated (there's no way to tell which of several million people is getting the real message).

  • Anyone see the irony of the comment spam [yale.edu] at the bottom of one of the linked articles?
  • This sounds like a great step, however I am wondering what happens if the collecting spider is running from a 'bot running on a hijacked machine. We are seeing more and more SPAM coming from SMTP engines installed through viruses and worms. It seems a natural next step to use these armies of zombies to run spiders. Then, the honeypot picks up the IP address of the harvester, but not of the real person behind the SPAM.

  • Is it just me... (Score:3, Funny)

    by multiOSfreak ( 551711 ) <culturejam.gmail@com> on Friday January 14, 2005 @06:53PM (#11368540) Homepage Journal
    Is it just me, or does "Project Honeypot" sound like a spring-break porn video?

    • We have a machine in our Distributed and Parallel lab called honeypot. After careful consideration, we decided to let the name be. After all, it's the only honeypot most of our Computer Science students will ever get to play with.

  • Spam Hit List (Score:3, Insightful)

    by Renraku ( 518261 ) on Friday January 14, 2005 @06:54PM (#11368550) Homepage
    There are all kinds of issues when trying to deal with spammers themselves.

    First, you have to find them. And prove that they sent the spam knowingly (and it wasn't a virus or worm or something). Then you have to hope and pray their local government and/or ISP (if outside the US) gives a damn about their activities.

    That's a pretty big feat to accomplish in itself.

    Then you have to be able to prove (probably in court) that it was their spam operation. That can be harder without judicial help.

    You might get some satisfaction if their operation is shut down after all this, but they probably have others in on it, ready to take the business over. Start from scratch.

    Spammer pays his court-ordered dues, and goes right back to spamming, being a little more careful.

    This is too lengthy a process for spammers. I think that if the ISP doesn't do anything, and the local government doesn't care, it should be up to the users of the internet to stop the spammer. Now, this can be RBLing the spammer, or causing his hard drive to detonate inside of its case. Some society should be set up to reward people that take down spammers. Kind of like a mercnet, only with emphasis on not physically injuring the person, but rather on shutting down their operation.

  • License agreements (Score:5, Interesting)

    by TiggertheMad ( 556308 ) on Friday January 14, 2005 @06:55PM (#11368561) Journal
    Ethan Preston, the lawyer that is linked to in the article above, mentions that the harvesters are forced to 'click through' a license agreement that has legal ramifications if broken. While this is a neat trick to put the screws to spammers, isn't it a bad idea in the grand scheme of things, as it lends more credibility to the 'click through' agreements that are packaged with software? If this were taken to court and upheld as valid, it could be used as a precedent.

    Now, admitidly, there is an important difference in that in one case you cannot read the agreement before buying the product, but the overall premise that such agreements can be legally binding would be the same. Also, since this is a tactic that has been developed to target harvesters, who the developers know will not be able to read or comprehend the agreement, wouldn't that invalidate the agreement. Simply: If I trick you into agreeing to a legal contract, is it any good in court?

    Also, as a side note, it would fall victim to all the same problems as EULAS. For example, if I was an evil spammer, I could probably get out of the clause by hiring a 17 year old to run the harvester for me, since a minor cannot enter into a legal contract, it would be no good.
    • If the 17yo is doing it for you, then he is acting as your agent. you are thus responisble the acts committed by another that is acting on your behalf with your authorization.
    • Simply: If I trick you into agreeing to a legal contract, is it any good in court?

      Last time I checked (I know, IANAL) if either party is entering into a contract with fradulent intentions, such as to sucker someone out of a page view after forcing them to sign a contract in which you promise to show them that page, then most courts will invalidate the contract. Additionally, if one of the parties invests money, significant time or effort on the basis of such promises, you can be sued for 'detriment' in a
    • This may vary from State to State, but here in Maine, to employ a minor, you have to have a signed work from from the superintendant of schools (which ever school district the kid goes to).

      I can just see it now.
      job desctiprion: Running a e-mail harvester for a spammer
      DENIED
  • I was generating tc-`date +s`@mydomain.co.nz email addresses about 6 years ago.. Recieve spam, convert address nack to date, find spammers IP in apache logs. It's also interesting to see how much spam is from mailing-list CD's and how much is scrape-send-throw away. Lots of those scraped addresses resulted in spam hours or days later but never got used again.. which means that removing or obfuscating your email address on the web even if it's previously been in the clear CAN significantly reduce the amount
  • The model license is meant to provide Project Honeypot's participants with effective legal remedies against harvesters.

    And herein is the weak point. A stupid harvester grabs the e-mail addresses and runs. A smarter harvester sees the exact verbage of the Model Agreement (which is likly copied verbatim) and says, "Hey, not this one." This article even has a helpful link to see just what a fake page looks like.

    So much as even getting rid of the dumb harvesters is can only be a Good Thing, this is not t

    • Every workaround you've proposed for the harvesters requires a lot more smarts, and a lot more time spent on each address.

      Making the harvesters more complex, harder to write, and less efficient can't hurt.

      But of course you're right, it's always an arms race.

    • "which is likly copied verbatim"

      Bzzt. The Model Agreement is perfectly readable by humans, but is obfuscated to bots and crawlers. Sound familiar? It should, because they are using some of the same (Very ingenious) techniques that spammers themselves invented.

      "realizes that the e-mail address has changed on every visit."

      That would require the spammer to cache a copy of every single page that they visit, possibly multiple copies (or, a smart spambot would use RCS, but even then they would have millions
  • I proposed arbitration of disputes between spammers and anti-spammers last year in a spam related Usenet group.

    I'm setting up a new and faster server, and won't give the URL out till I see how it responds. Please give me about an hour or so. Thanks, Pete
    • It is available in Google Groups by searching for "chatmag arbitration".
    • I proposed arbitration of disputes between spammers and anti-spammers last year in a spam related Usenet group.

      I propose a steel-cage-death-match style of arbitration.

      • 1. Buy an island. tonga, for example, is a poor pacific country with 7000 islands, they can probably make you a deal. 2. Elect island council. Pass ordinance making spam punishable by death via organ harvesting. 3. Revise arbitration terms such that spammer agrees to jurisdiction on island, agrees to appear voluntarily or to be billed for costs of bounty-hunters and plane ticket. 4. Recruit bounty hunters from slashdot, publish updated lists of spammers. 5. Arrest spammers at arbitration hearings, sentence
  • I wish I could think of a way to make this work for me ...

    I have my own domain name, I have had it for about ten years, and a uucp name before that. I am also on dialup. Up until about 6 months ago, the only spam I got was the usual, and since I can use whitelists, it was pretty easy to weed out.

    Then some scumbag decided to send spam to all possible names he could think of at my dowmain. It started out slowly, but has been increasing all the time, and I now receive about 50,000 (yes, it will soon overf
    • I hate spammers. Burnt to death with matches, one at a time, is a just reward, and I'd be more than happy to do it myself, except for the time involved. Hang 'em by their toes with their heads in a bucket until they drown in their own vomit sounds more efficient. They are scum.

      I like the idea of giving them the chair. Only I'd replace the switch with a motorized dial. The dial would be clearly marked with fatality and increasing pain zones. When I don't have time to lovingly spin the dial to and fro, I
    • I had a similar problem, at about 1/10th of the level, for about a year or so. In the end what solved it for me was (mainly) was that my ISP introduced email filtering: http://www.demon.net/helpdesk/technicallibrary/faq /email/index.html and (less) that I went on to broadband so doing any further filtering on what was left was easier. Some still gets through, but on the order of a few dozen a week, rather than thousands a day.
      • I don't want the ISP to filter my email, because I like having my own domain to which I can add temporary accounts when I want, and not have to edit their filter rules and wait for the next cycle. Plus, their filters are not by user name but generalized spam filters, and I don't want that. I have thought about satellite, but to use my own domain name and run my own SMTP server, they charge an arm and a leg.

  • another solution? (Score:2, Funny)

    by Anonymous Coward
    Your post advocates a

    ( ) technical (x) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which vary from
    state to state.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    (x) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute forc
  • I'm not a lawyer, but it seems outlandish to me that simply stating "By accessing this web page you have automatically agreed to the following conditions..." in the text of your web page constitutes any sort of legally binding agreement. Perhaps if there was some sort of click-through process like with software EULAs I could buy it, but simply saying "Welcome to my web page - hey, guess what you just agreed to!" sounds pretty far-fetched.

    I'm pretty sure that if I tried to sue people who had accessed my
    • They agree to the EULA (such that it is) by harvesting the email address, not by simply using the webpage itself. Hence the part of the EULA that states that you will not email the email address provided...
    • How can they "agree to the EULA" if they've never even seen it? Remember, this is all done automatically by robots. If I put "Google agrees that by accessing and archiving my web page for search purposes they agree to pay me $1 million," could I actually sue Google? I somehow doubt it.
  • ... it will mean even more traffic for people getting joe-jobbed as they will have even more bounces (and double-bounces) hitting their mail server.
  • This post is the property of SlashDotMeNow. By moderating it (either up or down) or posting a reply to it you agree to pay me $50 for each mod point you use or reply you post.
  • You are hereby notified that by archiving the copyrighted text of this posting on any sort of digital storage device you agree to pay me $10. Also, Google is hereby informed that by archiving the text of this post in any form for internet search purposes they agree to pay me $100,000. Further, anyone who replies to this post hereby agrees to pay me $100. Just as long as we're clear on that...
  • Looking at their stats - they're off to a slow start:

    Total Spam Received: 509
    Spam Received (This Week): 98

    I get about 140 on my main account daily. Fortunately my spam filter catches about 98% of that...

    From my observation most spammers don't generate their own lists - they buy them from someone else. It can take years of having a public email address before you get on the real big ones.

    My newer accounts generally don't get too much spam - even through they're very public.

    My older, less public

  • 1. It's hard to catch spammers

    Totally not true. The truth is very few entities are actively trying to catch spammers. If you think that spammers can't be caught, simply set up an un-patched PC on a broadband connection and within 24 hours, the PC will be zombied. Worried about jurisdiction? You will have so many sources compromising your PC, you can pick and choose which ones are easiest to pursue.

    If there is a reason spammers are hard to catch this is because the authorities do not pursue the cases.
  • Effectively, what they are doing is forcing the spammers to do their harvesting through compromised boxes. So what they are really building is not a list of spammer IP addresses, but ratber a list of IP addresses of people to stupid to firewall their machines. Sure, contacting these people might be useful, but how are you going to win a court case against anyone when everyone will just claim "sorry, but my machine was 'owned' at the time"?

  • Google (Score:1)

    by Hoch ( 603322 )
    This seems like an easy way to trick a web server to block google requests. Google the site, then use the cached page to get the email. Bam, site looks at logs and blocks google. I hope that this has been considered in making the honeypot so that legitimate searches are not hindered. The simple solution would be to determine whether the search is from google's IP addresses and react accordingly. I guess the ips are reversed lookuped but if these are not human audited, legitimate searches could be banne

Slashdot Top Deals

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (5) All right, who's the wiseguy who stuck this trigraph stuff in here?

Close