Slashdot is powered by your submissions, so send in your scoop


Forgot your password?

DSLReports Study: 8 Hours 'til the Spam Hits 348

Masem writes: "In a rather interesting study at DSLReports, it was observed that email addresses published on a web site recieved spam within 8 hours of being posted, showing how aggressive the harvesters are working. In particular, a special link was set up on the main page that by following the link, the site generated an email address that was trackable to the IP that called the link, and not published anywhere else at any time. In the specific case, in only 8 hours after the email address was created, it had recieved spam; since that time about 9 months ago, it's gotten around 100 pieces. Given the time and source of most of the emails, the authors believe that they've simply got someone at one end of a home broadband pipeline using open relay mail servers, and most likely being paid to redistribute spam on the email addresses they harvest."
This discussion has been archived. No new comments can be posted.

DSLReports Study: 8 Hours 'til the Spam Hits

Comments Filter:
  • Lockheed Marin (Score:4, Insightful)

    by irony nazi ( 197301 ) on Sunday February 17, 2002 @05:34PM (#3023071)
    When I started working for Lockheed Martin, I had 4 spam emails in my mailbox that was delivered prior to my first day of work. In addition to this, I had 2 personal (they seemed personal IT related) job offer emails in my mailbox, also from prior to my first day of work. Both from recruiting companies.
    All of which I have used to registery sofware in the past. is still waiting for his free natural viagra as I write this.
    • by hendridm ( 302246 ) on Sunday February 17, 2002 @05:43PM (#3023129) Homepage
      Hmmm, using these sorts of e-mail addresses can lead to annoyances to legitimate domain owners. For awhile I remember the owner of, which seems to no longer exist, posting complaints about people type "" when they register software. It seems his servers were hit or something.

      I always like to use the webmaster's e-mail account when registering software. For example, if I was registering software on, I might use the e-mail address "" or "" to register the software.

      I feel torn, as I want to support free software vendors by allowing them to make money, but I just don't want my e-mail address to be sold for spam. Ever. I also don't want those annoying newsletters that I could care less about unless I *explicitely* ask for it (and not be tricked or required by default).
      • by foobar104 ( 206452 ) on Sunday February 17, 2002 @06:23PM (#3023314) Journal
        I remember the owner of, which seems to no longer exist, posting complaints about people type "" when they register software. It seems his servers were hit or something.

        A good alternative is to use the domain "" IANA (Internet Assigned Numbers Authority) holds the names "example.*" in reserve for use as (you guessed it) examples. It's been that way since at least 1995.

        So an email of the form "" is perfectly valid... and can never be the recipient of email.
      • Years ago, I had been using as a generic email address to enter whenever I feared receiving spam. As I recently discovered, there really is a (The address was formerly owned by someone at Microsoft, if I recall correctly.)

        I'm sorry, Bob. So very, very sorry.

      • I actually started sending my junk to - they actually pissed me off that bad. All I wanted was to download something inconsequential, and they've been a great resource in the past, but this time, I clicked "download" and it asked me for all kinds of demographic information, preferences, can we contact you, and it wouldn't let me get to the file unless it first went through that. Then I came to realize that the file wasn't even one that they cache on their servers, or that is on tucows or something! It was a link to the download page of the publisher. And not only that, but the link was BROKEN!

        Needless to say, I was annoyed. Not so much that it changed my life, except now I get a little chuckle of someone looking through the root email and checking on bad cron outputs, or whatever, or looking for httpd error messages, and finding 19932 "get rich quick". I always check the contact me button, and all of the "list your interests" buttons

    • by Roundeye ( 16278 ) on Sunday February 17, 2002 @06:41PM (#3023401) Homepage
      I always use real addresses, just those of the people I think more likely to be interested in cheap Viagra, weight loss, and 12-year old girls: and

  • by Tom7 ( 102298 ) on Sunday February 17, 2002 @05:37PM (#3023090) Homepage Journal

    The email address wasn't harvested 8 hours after being posted, it was sent spam 8 hours after being harvested.

    What would be more interesting is to find out how long it takes with your address on the web before it gets entered into the various lists...
  • Very interesting (Score:5, Interesting)

    by InterruptDescriptorT ( 531083 ) on Sunday February 17, 2002 @05:37PM (#3023094) Homepage
    While this study is very interesting, what I'd like to see more posted about is how often an e-mail address, unpublished on the Web but used for e-commerce, becomes the target for spam. Whenever I post something where the e-mail address goes up on a Web page, I sufficiently de-spamify it so that the harvesters won't know what to do with it (i.e. it's an obfuscated form of my address). But what really gets me is when I used my e-mail address for getting e-commerce confirmations, important for verifying orders, etc., and find that address the target of spam, even when I decline it.

    I also find it handy to have a 'spamdrop' account, which is just another e-mail alias on my host, for signing up for one-off things, like chat, games, etc. That account fills up incredibly quickly; I receive on the order of 50 spams/day at that address. Wow...
    • by Anonymous Coward
      Like many domain owners, I have a catch-all email address set up. So when I register I generate a new email address every time. And I link back when I get spam. It's not perfect - sites can leak my address fairly innocently (Salon on its chat pages, for example).

      IME, very few ecommerce sites spam. And almost all of those are obviously from the company I gave the email to.

      Note: I don't live in the USA, so don't deal with some of the more egrarious spammers.
      • Like many domain owners, I have a catch-all email address set up. So when I register I generate a new email address every time. And I link back when I get spam. It's not perfect - sites can leak my address fairly innocently (Salon on its chat pages, for example).

        IME, very few ecommerce sites spam. And almost all of those are obviously from the company I gave the email to.

        I do something similar. With my domain, I create a mail alias for each merchant and kill it at the first sign of spam.

        Some of the merchants are very bad. Particularly the ones. I think that either Yahoo has a leak in its ordering system, or somebody's actively soliciting mail addresses from sellers. Well over half the items I order from there result in spam to the corresponding stores' addresses. Maybe one in seven of the non-Yahoo merchants end up selling or otherwise sharing my address.

        Altogether though, ebay remains the absolute worst place to get your address harvested, with usenet a close second.

        • by kubrick ( 27291 ) on Monday February 18, 2002 @02:58AM (#3025149)
          Altogether though, ebay remains the absolute worst place to get your address harvested, with usenet a close second.

          Ebay must be lucrative for spammers; a whole 'audience' of people either with money to spend (buyers), or who are about to have money to spend (sellers). And this 'audience' has already self-selected; they're not afraid to spend their money online...
    • I put in a separate alias for each service I subscribe to. That way I can tell who has sold my address. It also allows me to drop that specific address from my alias list, allowing me to keep the other ones still working but not having to sift through the spam (which is useful for announcements and for sites like eBay where it sends ligitimate notifications). I have one for my wife to use on usenet too. Once that one gets too much spam, I'll change it slightly. that way you can still reply-to and have it get to her.

      For those who don't know how, you just add a line in /etc/aliases.
      alias: account

      One of the advantages of running your own SMTP server. I use DHS [] for my (free) domains and am running this on a home network off a cable modem w/ linksys router. No, it's not an open relay.
    • Re:Very interesting (Score:3, Informative)

      by tandr ( 108948 ) []

      I am VERY satisfied user.

      Oh, and for some annoyances [] do the job really well.

    • Whenever I post something where the e-mail address goes up on a Web page, I sufficiently de-spamify it so that the harvesters won't know what to do with it (i.e. it's an obfuscated form of my address).

      Are you talking about obfuscating it in source code (mailto:)? If so tell me how! I always figured that if a browser could read it so could a harvester, but would love to be proved wrong.

      • "Are you talking about obfuscating it in source code (mailto:)? If so tell me how! I always figured that if a browser could read it so could a harvester, but would love to be proved wrong."

        My new address has been up on the company web site for two and a half month but no spam AT ALL has come to it ... this is possibly because I used the win32 prog Mailto Encryptor [] for all the mailto links. (You have to go into the site a bit to find it.)

  • by gUmbi ( 95629 ) on Sunday February 17, 2002 @05:38PM (#3023097)
    What's the average length of time between a slashdot posting and the subsequent DoS attack on the linked site?

  • by reparteeist ( 533894 ) <> on Sunday February 17, 2002 @05:39PM (#3023101)
    Damn that Bernard Shifman! Will he never learn?
    • Speaking of spamming resumes... with a name like that, no wonder why no one would give him a job! What kind of parents would name their child Bernard? Related to a dog? Mr. Shitman needs to get his name changed.
  • How? (Score:3, Interesting)

    by SevenTowers ( 525361 ) on Sunday February 17, 2002 @05:41PM (#3023110) Homepage
    On 6.26am the morning of May 13th, 2001, the link is hit from IP - a residential cable modem in Arizona

    Google is big. Google has a very fat spider going around. Google definitly does not check a nowhere webpage as soon as it is created! How can somebody on a cable account (limited bandwith?) scan pages at a high enough rate that they hit an almost invisible webpage soon after it was created? Big machine, big connection? spoofed IP?

    Is this business really so lucrative that people are willing to spend hours working on it? It'd like to have some stats on how many people actually subscribe to the "services" advertised for in spam. I know a spider is not a lot of maintenance once setup and the distribution cost for the spammers is almost null because they make everybody else pay for it, but where the hell do they get the profit...
    • The article doesn't mention how long it took from when the hidden page was put up to when it was hit; it only looks at the time after that. For all we know after reading the article, that link could have been up for a year before it got a hit. However, since it was presumably linked from a reasonably major site (DSLReports), that probably increases the chances that it would be found quickly. All it takes is for one guy sitting at home to type in to his harvester (or some site that links to and they find the link. The probability of that happening at a major website, given enough time, is quite large, I'd fathom.
    • Re:How? (Score:3, Insightful)

      by Arker ( 91948 )

      Google has to do a lot to process a page. It tries to analyze the content, it crossreferences complex networks of linking, building a very complicated database for searching.

      A spammer-spider can be much more simple, and thus move much more quickly. All it is interested in are email addresses. Period.

    • Re:How? (Score:4, Interesting)

      by Restil ( 31903 ) on Sunday February 17, 2002 @07:02PM (#3023487) Homepage
      From what it sounds like. spammers delegate spamming to smaller, entities. Each of these enitites constantly scans its own set of pages, then sends spam to every address it finds. It might keep a list that it updates a master list with, or it might not. But the harvesting and spamming is done from many boxes on many networks.

      This means, if there are enough of them, you could easily scan several tens of thousands of pages every day with little difficulty. And if one or even many of them get shut down, the spamming operation is not affected much. This is probably the first good example of a distributed network for profit. Too bad its such a slimy one.

    • That's a good point. I recently did some scanning for web servers, as part of a research project I'm doing about spatial correlations in IP address space. I wrote a little C program to do the scanning, which opens 900 simultaneous socket connections, with a 2-minute timeout period, and a 30-second timeout when reading from supposedly active web servers. I found that I was able to scan roughly 27,000 addresses per hour.

      But even at that rate, it would take me about 18 years to scan the entire internet.

      However, if there were 1,000 people all scanning at that rate, they could do it in under a week.

      Now, how many people do you think are out there looking for web servers to harvest e-mail from? I dunno, but it's probably a lot closer to 1,000 than it is to 1. So it's not surprising to get hit by a random scan pretty often.
  • by Peyna ( 14792 ) on Sunday February 17, 2002 @05:41PM (#3023114) Homepage
    I'm curious how random the e-mail address was. If was something like 'bob79@', then I would expect it to receive spam regardless of being harvested.

    I used to have an e-mail address that was andrew@, it was great for a year or two. I still have it, but I do not retrieve the messages since it receives 30+ SPAM messages per day. My other e-mail address is my first initial + last name, and my last name is rare enough that I get maybe 1 Spam message per month.

    • I think the point the article made, which got lost in the summary on /., is that the web page was up for awhile (the article only says A while ago) without receiving spam at the associated email address. When it finally received spam, they went back to the web logs, and found the entry corresponding to the unique email address that was generated for that particular hit. And they discovered that the particular web page hit corresponding to the spammer happened 8 hours before the spam arrived.

      The interesting part to me is the conclusion that all subsequent spam over a 9 month period was the result of that single web page hit. That tells me that addresses are harvested off obscure web pages only occasionally. I suspect that most spammers get email addresses come from other sources.

  • The solution to spam is that Giant laser of death the airforce just got. Tie it to the email system, so once a spammer is identified, they become toast. Literally.

    Sheesh, though, I hate spam. I get like 10 spam a day at my real email address, which people only can discover by talking to me (I don't post it or give it out for obvious reasons).

    Maybe some kind of bulk-email tax could be imposed.... Even though I am firmly against internet tax, I think making the spammers pay for the mail (ala-junk mail via postal system) is the only solution.
  • Not only are addresses harvested quickly, but it's amazing how often they'll use a brute-force attack. This is how some email spam ends up in new employee mailboxes.

    I've seen it while administering our own Exchange server. They'll try all sorts of common name combinations (such as rsmith@, tsmith@, jsmith@, etc.) in the hopes that some of them exist.

    They know your domain is valid - so they never lay off trying to stuff garbage in any valid boxes on the site they can hit.
  • Something like WPoison [] has to be used more often. Until a higher percentage of harvested emails are faked, these web spiders will continue roaming the web, adding email addresses to their collection.
    - grunby
  • New use for this? (Score:5, Interesting)

    by iamplasma ( 189832 ) on Sunday February 17, 2002 @05:45PM (#3023140) Homepage
    Could this technique be changed. Rather than generating a mailbox for the spam to go to, based on IP, instead generate the abuse address for the IP's netblock owner.

    That way, whoever is running the spider can start spamming direct to the abuse address, saving the site owner from having to report them. :)
  • I for one am curious if a spam e-mail has EVER worked. Why do so many people spend so much time and money working on spam technology? SOMEONE out there must be buying things from spam ads.
    • by nuggz ( 69912 )
      Yes, it does work.
      Last I heard they would get a response of something like 0.02-0.05% of the time
      That is 2-5 for every ten thousand spams.

      They don't care, send out a few hundred thousand spams, get a few hundred responses, they can make money.

      Shortly after it stops working, people will stop spamming.
    • If you didn't want to listen to P. T. Barnum (who is often incorrectly attributed []) and don't see AOL as further proof... SPAM has got to be some of the best evidence.

      "There's a sucker born every minute."

      A great expose of how spammers operate comes from one of the mirrored [] sites Behind Enemy Lines []. It shows that if SPAM itself isn't always profitable, selling the service of spamming certainly is. And to make this profit, spammers will resort to illegal [] activities.

      Of course, when you consider the morals this group has already demonstrated, it should come to no suprise that their most agressive campaign was a stock pump-n-dump scam [].

      Does SPAM pay? Apparently. But so do a lot of other crimes.

    • by aussersterne ( 212916 ) on Sunday February 17, 2002 @08:23PM (#3023782) Homepage
      In 1997, I worked for a very small travel company that decided to try its hand at SPAM. Of course, take this anecdote for what it's worth (it *was* five years ago).

      They set up a small server that would just browse around the Web and usenet harvesting e-mail addresses wherever they could be found. The first week they sent out about 80,000 pieces of e-mail per day. They got tons and tons of hate mail in return but also a few hits. The first day, there were about 60 sales of a $69.99 "travel club membership" product (essentially a hotel and airline coupon book), and by that Friday they were up to over 200 sales a day thanks to the SPAM. Totals for the week were something like 350,000 e-mails sent and 900 sales for a total of about $63,000 in revenue that week thanks to SPAM. The coupon book itself wasn't all that expensive -- the deals were promotional and each book only cost the company something like $12.00, so the net was around $52,000 for the week. Not bad for a computer sitting in the corner with a $100 piece of software -- this likely explains why spammers stay at it.

      I left shortly thereafter so I don't really know whether they "stuck with it" or not, but it obviously can generate sales.
  • If you're on AOL, you get it within minutes of entering a chat room or accessing any AOL specific content
  • Solution? (Score:5, Interesting)

    by gnovos ( 447128 ) <gnovos.chipped@net> on Sunday February 17, 2002 @06:02PM (#3023217) Homepage Journal
    Does suing spammers work? For example, if you made a web-page that CLEARLY reads: If you agree to pay me $52,000, please send email to Consent of this contract will be shown by sending an email to that address, regardless of content.

    Post this email NOWHERE else. Wait for a spider to come around and harvest... Is such a contract legally binding? I would think it would be, considering you can make online-payments and such, and those contracts are binding (i.e. if you promise to pay Amazon for your book, you have to do it, right?)
    • Re:Solution? (Score:3, Informative)

      by reparteeist ( 533894 )
      Although there is no federal law, some states have them forbidding unsolicited spam. For the details in your area, go here. []
    • Re:Solution? (Score:2, Interesting)

      by edp ( 171151 )
      I don't know if a judge will enforce such an agreement, but, just in case, here's an embellishment: Make the generated address contain not only the IP address, but also the agreement. E.g., y_you_$

      That simplifies the process of proving you offered them an agreement and so on.
    • Re:Solution? (Score:2, Interesting)

      This is just a variation on:


      (Bart Simpson closes his eyes and starts spinning his arms)

      (Bart comes flailing towards Lisa)
      Of course that's not legally binding. The law is not stupid.
      • Of course that's not legally binding. The law is not stupid.

        I don't see how this is any different then when you "purchase" something on-line. I mean, you send a request for some item, they send the item, and you send the payment. Lets say you make an mp3, charge $6500 for it, and have people send requests for it to
  • sneakemail (Score:4, Informative)

    by doofsmack ( 537722 ) on Sunday February 17, 2002 @06:04PM (#3023228)
    That's exactly why I use sneakemail []. It gives you a random email address like When an email is sent there, it goes to your inbox. You can have as many aliases as you want (They suggest 1 per site you sign up with). If you receive spam on one of them, you can just disable that alias. It's really great.
    • Re:sneakemail (Score:2, Interesting)

      by Matthaeus ( 156071 )
      Qmail is also great for this. In its default setup, if a user has e-mail address, he can use for any values of baz (e.g.,, etc). No work on the part of the admin is required unless an account starts getting too much spam.
    • You don't need to use an external service to do this. You can do it yourself. There are several programs that do this. The one that I use is TMDA []. Another is Kiwispam [].
  • Apparently the cutting edge of harvesting web information (in this case e-mail addresses) is in the spam business. We all like to think that entities like Google are at the forefront of Web searching technology, but it seems like shadowy, unscrupulous advertising firms may be just ahead of the curve.

    I know I'll get modded down for this, but I think there are a lot of parallels between this case and that of pornography (another somewhat shadowy industry that is often looked down upon, yet is always there to profit off of new technologies as soon as they become available.)
    • I wouldn't mod you down even if I had mod points, but I'd just make the point that your seem to be noting that the use of technology is somewhat further ahead of the curve in those industries than the mainstream public.
      Regardless of your own views on porn, it's largely there for those who want it and avoidable for those that don't. <warning type="bad pun ahead">It's not like they shove porn down your throat like spammers do with their "information"</warning> I'd rather tell people I was in the adult business than a spammer! ;) (Not that I'm in either, though!!!)
  • by Beowulf_Boy ( 239340 ) on Sunday February 17, 2002 @06:07PM (#3023244)
    I rarely ever got telemarketing calls.
    Last week I applied for a telemarketing job.
    Within hours I started getting calls, and I've gotten 5 a day since.
    • Re:telemarketers (Score:5, Informative)

      by TheFlu ( 213162 ) on Sunday February 17, 2002 @06:30PM (#3023334) Homepage
      I have a similiar experience. I recently started participating in's blacklisting effort...a few days after I started submitting SPAM to be blacklisted, for some reason, my daily SPAM intake has tripled. I'm not sure if it's just coincidence or what, but it doesn't please me. I hate to think of the reason why this has happened...

      I'm seriously considering moving my mail servers over to using TMDA [], which I hear stops about 99% of SPAM. At this point, I have to do something.

      • Hm...not sure if just submitting stuff to spamcop (you send the spam, they email back a link, you click on the link and hit submit) but if you are, I don't think it's likely you'll get spam from that. Also, have a look at the MRTG spam graph [] I maintain. It keeps track of the numbers of messages we catch using procmail. As I write this, the average over the last couple days is 333/hour. In the time I've been keeping this graph, I figure something like 1.25 million pieces of spam have been caught.

      • Crap...always hit preview, kids.

        What I meant to add is that I take abuse complaints at the small ISP where I work. Occasionally one of our customers will spam, and often the first reports we get will be from Spamcop. I can reply to the reports, but the email address is always something like "". Unless the sender has left in a .sig w/their email address, I'll never know it.

    • Re:telemarketers (Score:2, Insightful)

      by sholden ( 12227 )

      I rarely ever got telemarketing calls.
      Last week I applied for a telemarketing job.
      Within hours I started getting calls, and I've gotten 5 a day since.

    • Re:telemarketers (Score:2, Insightful)

      by Tackhead ( 54550 )
      > I rarely ever got telemarketing calls.
      > Last week I applied for a telemarketing job.
      > Within hours I started getting calls, and I've gotten 5 a day since.

      Since only a moron would want to be a telemarketer (i.e. would believe the "Make $$$ at our call center, d00d!" flyers on campus), it stands to reason you got placed on a "sucker's list" as a result of applying for the job.

      If I were in a good mood I'd call it poetic justice and leave it at that.

      But I'm not in a good mood today, so I'll just gloat by pointing out that payback's a bitch, and on behalf of the rest of us who no longer answer our phones because of pieces of subhuman shit such as yourself (oh, sorry, you only applied for the job, that makes you a wannabe subhuman piece of shit :) that I sincerely hope you never receive a non-telemarketing phone call again as long as you live.

      Now go away or I shall taunt you a second time.

      • Re:telemarketers (Score:2, Insightful)

        by buss_error ( 142273 )
        Since only a moron would want to be a telemarketer

        Since he didn't say if it was inbound or outbound TM, you might be premature on that rant. Sure, outbound (where they call you) sucks, but what's wrong with inbound (where you call them)?

        As for being a moron if he was going for an outbound job, let me say that if it comes down to feeding my family or not, I'm going to feed them. If this means I have to take an outbound TM job, well, I'll just have to do it.

        As much as I hate the Telemarketing business model, remember that the person on the other end of the phone (99 times out of 100) is just trying to make an honest living. I'm (mostly) polite to the TM's that call, and ask to be put on the "do not call" list. That works, except for some chairities that won't leave you alone until you are dead 5 years.

        The long and the short of it is -- lighten up, 'cause life's too short to blow a fuse over a phone call.

        • Just how do they bully or harrass you?

          Yeah, they aren't my favourite phone calls either, but calling it "bullying" or "harrassing" is either rhetorical extravagance or a revelation of a serious mental problem on your part. It's a freakin phone call. Harrassment is possible, but if they're seriously harrassing you there are ways to deal with that - and I've never even heard of that happening. What on earth would they have to gain? Harrassment doesn't get sales. And to bully you would require that they could actually do something to threaten you with, they can't, they're a voice on the other end of a phone, they can't hurt you.

          I get telemarketer calls all the time. It usually goes like this. Pick up the phone, listen to spiel long enough to determine I am not interested (3-4 seconds) - interrupt and say "sorry, not interested, better luck next call" and hang up. Once in awhile someone actually calls with something I'm even interested in (promotional offer on something I'm thinking about buying already.) Either way, there's no bullying or harrassment. And, most importantly, they call on their dime. The trouble with spammers is they call on my dime. I would never buy anything from a spammer, even if they did have a good deal on something I wanted. If a telemarketer called with such an offer I'd have no problem with it though.

  • by ( 321932 ) on Sunday February 17, 2002 @06:29PM (#3023333) Homepage Journal
    I've been using the '' technique whenever I provide an email to on-line stores.

    I was amazed when I started receiving spam on '' (only the mydomain is fake!) and I contact the people and they denied everything. But at least you can ban that email address and ban the company.

    On the other hand it's funny when (for some reason) the company calls you to verify something, and they go over all the stuff and then get to the email. There was one person that just didn't get it: 'yeah, but that's OUR email address', recognizing her companies name. :o)

    For those reasons some people generate an obfuscated (rot-13 for example) address.

    In any case, the sad thing is that there's not much you can do against the companies that sell your email address, legally...
    • I had one company whose web page wouldn't let me register an e-mail address with their company's name as part of my address. I usually register addresses like "" where the "ZZZ" is that company's name, e.g. "" (the "jm" stands for "junk mail").

      Anyway, when I was filling in the registration info on one company's page that I was buying something on (wish I could remember which one), it came back saying invalid e-mail address. I was thinking "huh, what is invalid about that e-mail address?!" I tried a few variations, and sure enough, as soon as I put in one which didn't have the company's name as part of the address, it stopped complaining and accepted it. Bastards. And too bad for anyone who actually has that word in their e-mail address...
  • There is a relatively easy way to report businesses and organizations you believe to be acting unlawfully to the FTC. Here's the link: FTC complaint page [].

    From the page:

    If you would like to forward unsolicited commercial e-mail (spam) to the Commission, please send it directly to UCE@FTC.GOV without using this form.

    Use with care,

  • by nodrip ( 459776 )
    Make their lists worthless. Compile this, run it, and put the result up on your favorite web site. Hide a link to it in your pages. Also add a disalow in your robots.txt so Google doesn't waste time on it.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <math.h>

    #define MAX_DOMAINS 8

    static char * domains[MAX_DOMAINS] =
    "com", "edu", "biz", "net", "gov", "it", "ru", "info"

    int getRandomLength( void )
    float val = (float)rand();
    val = val / RAND_MAX;
    val = val * 20;
    return (int)val;

    char getRandomChar( void )
    float val = (float)rand();
    val = val / RAND_MAX;
    val = val * 26;
    return (char)( ((int)val) + 0x61 );

    int main(int argc, char* argv[])
    char c;
    char buf[1000];
    FILE * fp;
    int accountLength;
    int subDomainLength;
    int bufIndex;
    int i, g;

    int gencount = atoi( argv[1] );

    printf( "Generating %i accounts.\n", gencount );

    fp = fopen( "emaillist.html", "w" );

    if ( fp == 0 ) return 0;

    for ( int dcount = 0; dcount < MAX_DOMAINS; dcount++ ) {

    g = gencount;

    while ( g > 0 ) {

    memset( buf, 0, sizeof( buf ) );
    bufIndex = 0;

    accountLength = getRandomLength();
    subDomainLength = getRandomLength();

    for ( i = 0; i <= accountLength; i++ ) {
    c = getRandomChar();
    buf[bufIndex] = c;

    buf[bufIndex] = '@';

    for ( i = 0; i <= subDomainLength; i++ ) {
    c = getRandomChar();
    buf[bufIndex] = c;

    buf[bufIndex] = '.';

    strcat( &buf[bufIndex], domains[dcount] );

    fprintf( fp, "%s ", buf );


    fclose( fp );

    return 0;
    • Re:Have some fun (Score:3, Interesting)

      by Spackler ( 223562 )
      Make their lists worthless. Compile this, run it...(snipped out overly long, but runnable C proggy)

      Dood, learn some perl. Not only would it cut this down to a nice readable couple of lines, but you could also generate a different list every time the web page was hit. That way, it would really poison the well.


      PS: Yes folks, right tool for the job. Not every job.
  • Obfuscated html (Score:5, Insightful)

    by rsidd ( 6328 ) on Sunday February 17, 2002 @07:10PM (#3023520)
    I use html code in my email address on my web page, like this:

    &#114&#115idd&#64;yah&#111&#11 1.c&#111&#109

    Amazingly, not a single spammer has gotten hold of it yet, in over a year; whereas, unobfuscated
    addresses used only once, on mailing list archives for example, are picked up immediately.

    Obviously these spambots aren't so intelligent.
  • for reasons I won't elaborate- I wound up creating a Hotmail account.. the suprise that makes this article trivial is that there was blatant spam WAITING for me the first time I'd ever checked it- at confirmation! needless to say, it hadn't been posted on any web site, newsgroup or used in any electronic transaction prior. Hell, I hadn't even written it down on the napkin I was taken notes on yet! Within 5 MINUTES I had 4 spam mails in my inbox. By the time I had sent a message to their support folks (customer and tech, with full header info- who STILL haven't responded) I had 12.
    Obviously, its unusable. How many others have similar experiences?

    • Your defenition of spam might be a bit off but i suspect you have NOT removed all the check boxes in your affiliates and hotmail partners section when you sign up.

      I have had the same hotmail for years and the only SPAM i get is about fake university degrees - alsways the same message but from different domains. I get more spam on my work account than my hotmail. far from being unusable i find it gets less spam than Altavista or Yahoo (which should be called spamhoo), the blocking in hotmail works pretty well as well.

      And as the spam in these accounts is sent to a preditcion list (john1@, john2@ and so on please indicate the address you chose (HINT : notpublic@hotmail would be a great way to collect spam) The point on these types of services is that if you want to avoid spam dont use a common address - hotmail and other free mail providers cannot defend against every spammer out there using a dictionary type list against them - they are just enetering over and over to get responses and as hotmail has so many clients an addres like mik12567@hotmail is as great a spam target as bob_smith

      Hotmail is a free service and thats what pisses me - its free so if you dont like it dont use it - its not like you have to - and as free services go its not bad for what you pay for it, or is it simply that its owned by Microsoft ?

      id mark you down as a troll if i had any points left
  • ...the article submitter didn't use an email address link on his name.
  • We should have hunting parties and every 3rd tuesday of the month go hunting down spammers and beat the tar out of them...
  • by aussersterne ( 212916 ) on Sunday February 17, 2002 @07:41PM (#3023620) Homepage
    The following experiences have led me to wonder whether my ISP (AT&T Broadband) or my Web host (Doteasy) are selling e-mail addresses to spammers as they are created:

    1. Created a new e-mail account for a friend at my doteasy domain. I am the only owner of the domain ever, and have held it for years. The e-mail address had never existed before. About 12 hours later, while helping my friend to configure outlook express to check the account, I was surprised to discover two pieces of SPAM already in the account. This is a new address that has never been used or given to anyone, ever.

    2. After the AT&T @Home to AT&T Broadband fiasco, new e-mail addresses had to be created. One of the accounts I created (and did not use for anything) got spam within hours of its being created. Here again, this e-mail address had never been supplied to anyone but AT&T Broadband, in the process of creating it.

    My reluctant conclusion (unless someone can explain some other solution to me) is that both ISPs and Web hosts routinely place e-mail addresses they host on lists which are sold to spammers, I guess as a way to supplement the revenue stream.
    • Highly unlikely.

      Spammers routinely rotate domain names on their address lists, for one thing. Say, if you have,, etc, it's likely these addresses will also exist Change the example domains to and, each with millions of active mailboxes, and you've got a pretty good chance of hitting a high number of people. Change the domains to any domain you can find, regardless of size, you'll hit some (albiet not as many). Don't worry about the bad addresses bouncing, just forge someone else's return address and you won't have to deal with it (another common practice).

      Another method they use is a dictionary attack type of thing, where they'll try random combinations of names, initials, numbers, etc, in the hopes of finding live mailboxes.

      Gah, now I'm getting all pissed off about it. Bastards.

    • They don't need to, their own incompetence gives away your email address for free.
      I used to be a media1 (now ATT I believe) customer and logged into one of their big sun boxes for my free 5MB website via ftp.

      cd ../..
      ls -l

      50,000 directory listings later I'm almost in tears. Simply add to them and you've got a really saleable list. Tech support couldn't even understand what I was saying and I didn't want to push it, you never know what these stupid companies will accuse you of.

    To catch the spammers, and:

    Vipuls Razor[1].

    To report the spam to others and widen the protection once they've been caught.

    [1] Doesn't that just sound like a spell out of D&D?

  • by nettdata ( 88196 ) on Sunday February 17, 2002 @08:19PM (#3023760) Homepage
    ...has it's advantages.

    Whenever I need an email address to register at a web site, or to register software, I always use an address that is specifically created for that account. Well, actually, it's just a wild-card catch-all, so I don't have to create each account required. For instance, when I register my Adobe software, I use an address of This way I can see who is selling my email address to who, and I can then reject that individual address if it seems to be getting more than it's fair share of spam.

    The hard part is getting other web users to NOT fill out those stupid "send an e-card to someone you love" with my real, virtually spam-free email address!
  • by Hyped01 ( 541957 ) on Sunday February 17, 2002 @08:38PM (#3023841) Homepage
    On our networks, logging for almost two dozen domains, the largest source of spam via "Open Relay Mail Servers" is Hotmail. These emails are being sent via other servers, and mass mailed via hotmail servers being used to relay them. Hotmail's responses to the numerous complaints? "We'll cancel that user's account..." Often though it's not the user at fault, since you dont even need a valid Hotmail address to do this. So, even with notifying them of the real problem (open servers) and showing them headers that confirm it, they do nothing. Our incoming spam would drop by over 45% if they'd fix it. - Rob
  • by stph ( 541287 ) on Sunday February 17, 2002 @08:43PM (#3023861) Homepage
    This report matches my own experience. While at a public library awhile back, I opened a hotmail account in order to mail a few URLs to my home account. I did nothing consciously to advertise this account other than the default hotmail settings. Out of curiosity, I checked this account the following day and had 20 SPAM advertisements. So much for privacy on the web. By the end of the week, I had received just under a hundred messages, all to an account I had never actively given out. Turns out it was those account defaults that bit me. Hotmail automatically publishes your account on their directory, to make it possible for other Hotmail members to find your address. Sigh....
  • Why not.... (Score:2, Funny)

    by malkman ( 539215 )
    I think we could combine the technologies outlined in the article below this (laser of death) with the problems in this article (spammers)! Think of the possibilities!
  • This e-mail address here was not up on any site for years (well, before it was, but still,) and I got a grand total of, err, 3 spam messages over the course of 3 or 4 years.

    I put it up just here on /. and it took me two weeks to get anything.

    During those first two weeks it was not even obscusicated at all. In fact since selecting to use /.'s automatic obscurification(?) routine the amount of spam I am receiving has INCREASED, leading me to believe that some of the trolls likely keep up with the latest methods and likely go about and purposely harvest the e-mail address's from people who use the obscusification option on /.

    Err, spellcheck just choked on my message, and google cannot even figure out some of those mystery words. Screw it, good luck reading the above. :)
  • One guy? (Score:5, Funny)

    by blair1q ( 305137 ) on Monday February 18, 2002 @12:24AM (#3024652) Journal
    One guy is the source of all the spam on the Internet?

    I say we've found a perfect target for testing that AC-130 Death Ray.


Machines that have broken down will work perfectly when the repairman arrives.