Spam is Back With A Vengence 510
Ant writes "The Red Tape Chronicles reports that just last December (2006), the FTC published an optimistic state-of-spam report. It cites research indicating spam had leveled off or even dropped during the previous year. It now appears spammers had simply gone back to the drawing board. There's more spam now than ever before.
In fact, there's twice as much spam now as opposed to this time last year. And the messages themselves are causing more trouble. About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don't even use e-mail. About one-third of all spam is stock spam now."
Stock scam spams - 3n14rge yur SC0X ... (Score:4, Interesting)
Until the SEC hasn't gone aggresively against one of the most blatant pump-and-dumps. nothing will change.
Comment Spam (Score:4, Interesting)
I'm posting AC so slashdot doesn't melt my server again...
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:4, Interesting)
Stock Spam (Score:3, Interesting)
Moo (Score:2, Interesting)
There are only a few ISPs that connect at cross-network access points. All other ISP, buy their service from up-level ISPs.
As has been suggested before, why can't every ISP have a policy (start at the top (the access points), and the rules will trickle down) that any ISP sending spam has to turn off access within a few hours or be shut down.
Ultimately, the low-level ISP, who actually connect to the users would be forced to recognize the individual computers sending the spam, and shut down their access. These users can even use a virus cleaning program, or never come back on.
When "innocent" computers are turned off, it really isn't that big of a deal. There are free tools to remove viruses, and i'l bet they will be *happy* to know they're a problem, and how to get better.
At first they would be inundated with calls, but then we'd have a clean inter-network.
And noone can just start a new top-level network, because they would be denied entry to the access point, of which there are only a few.
Seriously, why won't this work?
Make money from spam without spamming (Score:3, Interesting)
scan for pump and dump, and buy stock based on verious
factors. If you refined you algorithm perhaps you could get
an application that would buy and sell pump and dump
stock on your behalf, and make money in the process
I would practice with virtual stock at first.
Could an application buy and sell stock without
human intervention?
Re:The solution (Score:5, Interesting)
Well then I know what to do about my pesky competitors, just have some spammers send spam in their name! Problem solved!
So who do you want to monitor everybody's commerical actions? Actually, to know that the person bought a product because of spam, we'd need to monitor them whenever they check their email. Big Brother go!
In the name of Karl Popper, though, I appreciate your proposals.
Re:Moo (Score:5, Interesting)
I can see you've never worked at an ISP. A customer who is cut off could not care less about why, all they want is to be reconnected immediately and with no work on their part. They will threaten leaving your service, lawsuits, and practically death threats if you do not reconnect them.
Seriously, why won't this work?
Primarily it becomes an issue of volume. One call to a customer with an abusive machine will eat up the profit from that customer for months. You can't just call them and say "fix it", you have to handhold them through the process or you will almost certainly lose their revenue altogether.
Re:The solution (Score:3, Interesting)
I'd settle for ten seconds of jail time and a penny fine per spam. That would (very roughly) approximate treble damages for time wasted. A million spams would yield a 4 month sentence and a $10,000 fine.
Of course, if they sent a billion spams, they might as well get the death penalty, since they wouldn't be getting out in this lifetime.
Also, your American laws don't carry much power over other jurisdictions, and convincing others to share death penalty for something like this would be hard.
The reverse is also the case, of course.
How often do you hear of spammers getting busted? (Score:4, Interesting)
Arrests don't seem to happen that often. Do a google for "spammer arrested", and most of the hits are about the Buffalo spammer. He was arrested back in 2003 to much fanfare. However my mailbox is still full of. Maybe there is more than one of them out there?
I'm guessing spammers spam because they know the chance of them being caught is nigh on zero. Yet, this is a criminal racket just like any other criminal racket. If some serious money is put into law enforcement, then spammers might finally get the shakes. Apart from pump-n-dump stocks (get off yer asses SEC), spammers aren't hard to catch. Consider Mortgage spammers. If you reply to a Mortgage spam (I am told) you will later be called by a seemingly unrelated mortgage agency. They have bought your contacts off the spammers. Everything can be traced, and if we have the feds seeded spammers with 1-use-only phone numbers, buying stuff and tracking it just like they do any other illegal contraband, of course they can bust it. Make receiving spammed contact details an offence too: The recipient must be reasonably confident that the leads they received are not spam. Harder to prove, but if there is a reasonable chance of prosecution buyers of spam harvests will become shyer and the market dry up. Lets make it a legal requirement that ISPs have to report spamming users to the feds.
And let's get beyond "fines" for offenders. Fines for any profitable business are merely an operating expense. What really scares company directors is Jail time. This has been used in L.A. to force companies comply with laws they'd otherwise have simply paid out. If a spammer thinks there is a 0.0001% chance of him being caught (and then let off with a warning), they will do it. If they think they probably can't sell their harvest, have a 50% chance of being caught and will definitely go to Jail, they won't!
So why isn't this happening? (1) It's not an issue for politicans. I want to see Obama/Hillary/McCain arguing about Spam!!! and so... (2) The money isn't budgeted for law enforcement. With some Elliot Nesses on Spam, I reckon we can crack this. How do we let the politicians know this is an issue for us?
Re:In /. before (Score:2, Interesting)
Re:Stock Spam (Score:5, Interesting)
1) many of the companies that are promoted in the pump and dump schemes are not involved and often dont know for months that they are also victims of the spam. basically its hard to know who really is (spam coming from open relays etc)
2) most of these stocks are what they call pink slip or OTC (over the counter) stocks not traded on exchages like the NYSE or CME, thus not falling under the SEC (i think, please correct me here im no stock expert)
3) it appears that these spams are more of a scam to drive people to brokerages, or stock advisors. if you google one of the symbols in the spams, you will find very shady looking, hastily constructed sites who's sole purpose is to grab the #1 google ranking for the word "spam" and the symbol in the email.
I could be wrong about the purpose but I think there is more to this scam than pump and dump. ymmv.
Re:The solution (Score:5, Interesting)
Re:Stock Spam (Score:5, Interesting)
I wonder if these "pump and dump" schemes are still working? This round of image spam has been going on for months now, so I'd expect that people just delete them. Even shorting these stocks may not be profitable at this point, which is why I think you are right, there is something else going on here. I wonder if this is some type of money laundering scheme?
As for retribution, if these are "shady looking, hastily constructed sites", then they are your targets. If I was more skilled and so inclined, I would be "analyzing" those sites.
Re:What I just don't get.. (Score:3, Interesting)
There's a saying in Europe:
"You know how dumb the average American is? Well, half of them are even dumber than that."
Seriously, though, people still fall for 419 scams all the time, and I'd think you'd have to be much dumber to go for that than to think you could make money on some stock you heard about in a spam e-mail.
A lot easier than that (Score:3, Interesting)
Example: You "borrow" 500 shares of Pump-n-dump Enterprises at $5.00 a share and sell them making $2,500.00. It crashes to $0.10 per share. You buy 500 shares to fulfill your short contract at that price for $50.00. You net $2,450.00.
Cheers,
Dave
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:3, Interesting)
The images are, ironically, using the same technique used in captchas [wikipedia.org].
Re:The solution (Score:5, Interesting)
Ok numbnuts, that's exactly the kind of attitude that spammers have. That they can do anything because they pay for it. You pay taxes for construction of roads and for schools, but that doesn't give you the right to drive 100 mph through a school zone. You have to have limits. There have to be rules.
Penology 101 (Score:3, Interesting)
and perceived to be:
- certain
- immediate
- more costly than the benefit of the crime
"Law and order" advocates generally advocate
draconian punishments, but there is no evidence
that they help, beyond counterbalancing the
benefit of the crime. Increased detection speed
and likelihood are far more effective.
You might think that draconian punishments increase
the expected cost, even with haphazard and delayed
detection, but they don't increase the perceived
cost nearly enough to counter the tacit "I will
beat the odds mentality" to which criminals and
lottery-ticket buyers cling.
In the case of spam, I'm not entirely convinced
that any of the three criteria are met, but
cranking up the third is certainly not "a solution"
as the parent indicated.
aim correctly (Score:2, Interesting)
They are allowed to profit immensely, yet have no normal consumer warranty. Precedent setting major supreme court action here, class action would be the way to go, from individual users to ISPs, file suit,do it, sort this crap out. If software companies can demand patents and receive them-that means they should be *forced* to offer a warranty, including suitability for purpose, exactly the same as any other consumer product out there. One or the other, but not both. If software is just art, then copyrights only. If it is a product with patentability-make them have a warranty. Even just dead tree books-copyright only, because they are a product, have to have a warranty, it is implied. If the pages fall out with normal immediate use-they will be forced to recall them.
If Microsoft (or any other for sale software company) wants to still offer software with no warranty, call it a beta testing agreement, but then they can't charge a single penny for it. Shift the responsibility to where it belongs.
--and sorry leet trolls, before you even start, I don't give a rat's ass about some slashdork geek who claims he can keep his windows box "secure". That isn't the point at all. There are one hundred million people or a lot more who *can't* keep their machines secure, that's the point, that's why there is so much spam and other sorts of computer bogusness, because it's too hard for normal users to use this stuff even remotely safely on the internet, and microsoft software is insanely insecure and has a precedent going back years to prove it, despite numerous major releases all claiming to have "fixed" the problems.. It just is, admit freaking reality.
In this day and age you don't have to be an engineer to use normal consumer products. You shouldn't need to be a thermodynamics engineer and an EE to keep your refrigerator running. You shouldn't nneed to be a systems administrator and a programmer and a security guru to surf the internet. You don't need to be a telecommunications engineer to use a telephone. You don't need to be a professional audio engineer to use consumer audio equipment.
The cartel of Microsoft and the big box vendors KNOWINGLY ship consumer products that they make billions on knowing they are highly susceptible to malicious compromise. In legal terms, this is maintaining an attractive nuisance at a minimum. And I'll repeat the patent angle- you want a patent, want to maintain your typed up crap is some sort of "product" that you can charge money for? You need a warranty, or offer it for free for testing with a copyright only.
end of no-permission email (Score:4, Interesting)
We will migrate to a system where a sender must have a "key" before email is accepted, and those keys are under the control of the reciever.
This kind of system will work much like email, as it is so popular and so useful people will only migrate from it slowly. Default keys for new email users will be simple (like a "1"). Once someone is getting enough connection, enough email, then mail clients will communicate automatically with known good senders and create an individual, bidirectional keypair so that future communication with known friends continues, while spam is shut off. In the future, sharing someone's "contact" will be more akin to sharing the private key they have to connect to a person. Once you see a new email address use a known key of someone else, you would accept it once, automatically regnerate the key for the original person, and watch the behavior to determine if it was spam or a legitimate introduction of a friend to a friend. To most users this system could work exactly like email now - just need to add more functionality to the mail clients' spam processing ability.
Re:Filtering is wrong (Score:2, Interesting)
I agree that it would be very nice to stop spam altogether, or at least stop it before it gets near to my mail server, but so far as I'm concerned, filtering has changed spam from being a 15 minute annoyance each working day to a bandwidth hit that I barely notice.
I can't fault your technical knowledge, I'm not that good, but in so far as my workplace is concerned, filters do an adequate job.
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:1, Interesting)
That's impressive.
Re:What I just don't get.. (Score:5, Interesting)
Well, a lot of it just has to do with the psychological wiring of homo sapiens. We have to think that our actions are meaningful, that our victories are entirely our doing and that our failures are caused by bad luck. Failure to think this way will make you feel very very depressed.
So, in the case of these stock options scams, there's a lot of people that *know* it is a scam, but, if they're quick enough, they might profit as well from the clueless hordes that will buy the stock later on. My bet is that the largest stake of these stock buyers thinks along theses lines. People might try that a couple of time before they realize they loose every time - and by that time new clueless humans come along.
Then, there's that pitfall of familiarity. We tend to like things we already know. This is what advertising is based on. Show me 10 advertisements for 'Toothpaste Brand A' and none for 'Toothpaste Brand B' and when I'm in a shop, I will pick brand A (even if I very consciously know that that preference is based solely on advertising). A lot of people will think along the lines "It can't be that bad if they offer it to me this often - it must be the real thing" I once read an interview with a women that suffered severe dental problems after buying teeth whitener form a tell-sell channel, and she literally said "I thought: they advertise so much for it, it must be a good product".
And then there's just basic greed: "This offer is so good, I don't want to spoil it with disbelief."
And shame: "I can't ask Viagra to my doctor, this might be a rip off, but it might also be the right thing. I won't know until I try it".
And the-only-change: "They don't sell penis enlargment kits in my pharmacy, I know it is shady, but I can't get it anywhere else"
And the list goes on... We are o so great in fooling ourselves.
Re:What I just don't get.. (Score:1, Interesting)
Re:The solution (Score:5, Interesting)
Email certification.
If you want to be able to send Certified Email (CE), you apply for Certification from the company that gives you internet connectivity. They check you out, and 'Certify' you as being a legitimate emailer (ie: not a spammer). Then, you generate a private/public key pair and give them the public one. In the headers of all your email, is their certification, and an encrypted header line that's createdusing your private key.
When email arrives at the recipients server (or this could be done at the client level, as well), the server sees the certification, and connects to the certifying server to get your public key. It attempts to decrypt the header line. If it does it marks the email as 'certified', if it cannot, it marks the email as 'uncertified', and the email client can be programmed to filter messages based on that.
Due to the public/private key cryptography, there can be no certified email spoofing. (Assuming the private keys are secure, the keys are of decent length, etc.) All emails are traceable back to the originating server. CORRECTION- all CERTIFIED emails are traceable. Anonymous email is still possible. People can still set up email servers for mailing lists without "having" to get them certified. And people can still receive non-certified mail.
If an email server sends out spam, the complaints go to it's certifier. They can drop the certification, deleting the public key from their server. When this happens, ALL the email from the spamming server is now 'uncertified', and gets handled accordingly by email clients. If nothing is done, complaints go to THEIR upstream, etc. Individuals and groups can keep their own blacklists, if they wish, and anyone can choose to filter emails according to those lists.
Now, I've looked over that 'form email' that people like to post to shoot down anti-spam ideas. And nothing applies to this idea. (If something seems to apply, it's because I either left out details, or explained something wrong.) This idea does NOT need to be universally adopted, nor does it need to be adopted by everyone all at once. It's primarily a way of reliably tracing (certified) emails back to their originating server. The anti-spam part comes later: if you receive certified spam, complain and get the server un-certified. If you receive un-certified spam... well, just have your email client dump all uncertified emails in the trash. (Not nessisarilly, you could just use it's un-certifedness as a factor in filtering your email.)
This idea does not require anything be changed with SMTP. It simply requires a second connection be made to the certifying server. Now, before you bitch about the extra bandwidth, I'd like to remind you that, once this idea catches on, spam will be greatly reduced. This reduction will MORE than make up for the slight increase in bandwidth created in querying the certifying servers. Also, the certifying servers can set time limits on when the certifications expire, and need to be re-downloaded (kind of like DHCP leases). A 'new' company that just applied for certification might have it's certificate set to expire almost instantly. This way, every email they send requires a download of the certificate. This allows the certificate to be pulled rapidly if they start spamming. After a month or two, it could be set to expire weekly or monthly.
To sum up: Email Certification is reliable way of tracing the certified emails back to their originating server. This allows spammers to be identified unequivocally, and have their certification pulled. Email servers are NOT required to be certified, and anonymous email is still possible. Email recipients can, if they choose, set up their client to send uncertified emails to the trash, or to handle them however they wish. White lists and black lists
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:3, Interesting)
Actually, you overlooked something ... the body can be 20 bytes - just a link. People will click any old $hit nowadays, and using stuff like tinyurl helps obfuscate/defeat anti-spam proggies.
I'm surprised more spammers don't use tinyurl and other services to get around filters. Of course, now that the "secret" is out, we'll see an increase in tinyrurl, permalink, and pingback spam.
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:2, Interesting)
"A master's degree in corporate logos can help lolita get out of debt just by adding three inches to your mortgage. Just open the attached video.exe to learn how to begin."
Re:Filtering is wrong (Score:2, Interesting)
EHLO f.q.d.n.
220 OK
MAIL FROM: (<> or postmaster or recipient)
220 OK
RCPT TO: (the apparent sender)
(220 OK or 550 bad user... or etc)
QUIT
The last status code indicates whether that address is permitted on the remote MX or not. The problem here is greylisting by the remote MX...it's better to only teergrub/tarpit connections you can't remotely verify these days rather than drop them outright. The escalation of the spam was has made sender verification not as fool proof as it used to be.
-Ben
There are currently 1075 messages in your Bulk... (Score:2, Interesting)
But we digress...sometimes I go through my bulk e-mail and read my spam's sender names and subjects for a good dose of surrealist humour. Let's see what I have from today that's especially funny:
Winston Beaver sent me "Hussy so agreeable and cultured!"
Patti asked me "yoou wantt punctilious Cuties?"
Freeman Childress wanted to talk to me "Re: Loan requets approved"
Stockroom P. Groundwork and Unkinder R. Restudy sent me blank e-mails.
The approach is wrong (Score:3, Interesting)
The problem is that certification is useless until the vast majority of email servers are certified.
I know, you said this isn't true, but I don't think you understand the situation. Spam filtering at the client level doesn't affect spam -- the suckers who the spam targets are NOT configuring filters at home. Yes, the geeks will get their family server in the basement certified in their spare time, and all their friends will send them certified messages. The spammers won't give a damn, because they're perfectly happy if the geeks and antispammers don't read their spam (they don't buy anyway).
So -- can you imagine an ISP filtering out email at the server level based on certification? No -- because all grandma cares about is getting Junior's emails, and when they stop coming (because his ISP's servers are in the 95% still uncertified) she gets on the phone and starts costing them money... and don't forget the time/money they spent implementing the filter, testing it, rolling out with hopefully no glitches/downtime, monitoring it, etc..
They might put a flag in the subject line of uncertified emails... okay, but it shows up in the emails from the bank, from the kids, from work... the complaints roll in. Cash flows out. So filtering is a liability.
But what about their own outgoing mail? Certify? Well, again it'll cost a chunk of time (money) to learn, setup and maintain 24/7/365 with the occasional confused complaint, it'll possibly cost their users some downtime particularly if they screw it up, and it'll gain them *nothing* for now, because no one is filtering yet (see above).
No brainer decision when your staff is already stretched thin.
The last link is the upstream access provider. They would need to implement the system and hire the staff for accepting complaints (online? via phone?), filtering out the sabotage from the real complaints, collecting evidence of abuse, dealing with angry ISPs on the phone, establishing/expiring/revoking certification, etc..
Will they go for it? Again, big cost, big headaches, and no gain until that magical day when everyone is on board.
Seriously, there's a positive push because no one likes spam, and everyone would gain from a plan that would actually curb it... but people need to come up with something that will work on the low level.
The SPF system [openspf.org] is one that DOES help incrementally more as implementation spreads. It mitigates joe-jobs and backscatter for all domains with a SPF DNS record, and is trivial for server admins to implement. AND it doesn't cost anything if mail servers reject mail that fails the test: valid email will come from the server listed in the DNS record, OR the server may have no SPF record yet (let it through). Spammers can only spoof addresses without SPF records, since they can't set up their own SPF record -- they'd be easily traceable when they spam, since the domain registrar would have credit card info, etc..
Even at early stages, there's benefit for server admins to filter (removes spam safely from any domain with an SPF record), and there's benefit for adding the SPF record (please, filter out spam that pretends to be from me! my customers don't like it).
It's not perfect... forwarding email and badly created records can cause issues, plus while AOL has implemented basic SPF filtering Microsoft is involved and trying to mix XML into the record format somehow....
Personally I feel the BlueFrog approach [wikipedia.org] is the strongest for non-stock-pump spam... but obviously a decentralized approach is required to avoid Blue Security's fiery downfall. The main problem with this system is that human analysis is required to analyze spam and write scripts for leaving complaints.
Re:The solution (Score:1, Interesting)
People who DO have a compatible client will not enjoy the spam blocking until they can unilaterally reject anything that is not certified. That won't happen until the servers that typically send them email switch over to your protocol.
"Hello, ISP. Joe Speaking. How may I help you?"
"You want to get certified to send emails? No problem. We have your personal info (name, address and phone number) on file, as well as your Credit Card. If this is for a business, we just need the name/address/phone of the Business. Otherwise, please log onto our home page and upload your private key. Someone will contact you by phone tomorrow to confirm you are set up."
"Thank you for calling ISP"
Not that tough, is it??
That's exactly my point. Of course they won't have your personal info on file. That's what you give them when you first call them up. Also, you don't call the ISP. In this case it's the spammer that wants to be an ISP. So they either certify themselves (how ridiculous is that?) or they call up a centralized certification authority like Verisign to get certified.
(Heck, the whole thing could be done online!) And with that information (name/address/phone), the ISP knows exactly who you are.
No they don't. Do you have any idea how easy it is to present fake information--even with a credit card? You can go down to Walgreen's, pick up a Visa gift card, log onto a web site and enter any personal info you want. Regardless of that, large key-signing authorities (eg Verisign) have a reputation for not checking up on any of the information presented to them.
If you send spam, they pull you certification, and blacklist you. (The old-fashioned blacklist, where they place you on a list that other ISPs have access to, as a warning that you broke your agreement with them.)
By the time your key can be revoked (and note that key revocation is still a huge problem in PKI) you can send more than enough spam to make up for the cost of the certificate. Anyway, if you set up blacklists like this, identity theft will become a common means of retribution where someone gets certified with your name, then sends some spam and gets you blacklisted. Spammers will do it for no other reason than to introduce noise into the system.
This is a policy matter to discuss with the ISPs, not wih me. If the zombies are sending spam thru the ISPs email server, then the ISPs need to BLOCK these zombie users from sending email. Then contact the users and inform them that, since they have violated the TOS, they cannot send email until their machine is un-zombified. On the other hand, if the zombies are sending email directly (ie, NOT thru the ISP email server), then they are already uncertified, and no one is receiving the spam anyway. :-)
And you accuse me of not reading your post! This matter is not disputed, just the issue of how quickly the zombie machine can be shut down and how quickly new zomies can come into play.
And the minute they send spam, they will get their certification pulled, and their names on a blacklist. Which means no other (legitimate) ISP will certify them in the future (and the illegitimate ISPs should already be un-certified and/or blocked).
"Repeating yourself doesan't make you right."
Re:The solution (Score:3, Interesting)
Say you've got a regional provider(ie a Chinese ISP), anyone in a given region can only connect to that ISP because there are no alternatives(this is most definitely the case). Now say that that ISP, as is often the case in certain parts of the world, doesn't give a rats about its clients sending SPAM, and is perfectly willing to certify them. Now by your system the ISP should lose its certification, which means that any legitimate users of the system also lose their certification, which means they can't send certified e-mail to anyone.
This system is also expensive, not so much in bandwidth, but in human time. Verifying someone's identity and intentions is expensive and time consuming, even for an ISP, and for something like hotmail or gmail, which people use for perfectly legitimate reasons, it's be pretty much impossible.
So in the end, what you have is an expensive system which is essentially a complicated form of blacklisting, which as I said, sucks.
Re:Stock scam spams - 3n14rge yur SC0X ... (Score:4, Interesting)