What You Get When You Buy a Spam CD 518
defender writes "Recently over here in The Netherlands, the spam versus anti-spam 'war' has hardened. More professional spamming coming from a handful of hard-core spammers utilizing bulletproof hosting in India, chained open proxies, more and more false whois information, etc. One of the more known anti-spam people has been sent one of the subjects of those spams: a CD with millions of e-mail addressess of 'individuals' and hundreds of thousands of 'businesses'... Rejo Zenger has done an analysis of such a CD, which is fuelling new debate as to why the recent EU anti-spam directive was weakened because of businesses complaining or indicating that spam wasn't a big issue for them."
Spammers are beginning to organise (Score:5, Interesting)
The spammers are doing everything they can to squeeze the anti-spammers out. They use frivolous lawsuits (aka Mark Felstein and his porn spamming backers) or DDOS attacks that either knock the anti-spam resources off completely or increase the costs so that no hobbyist can run them.
And while all this is going on, the law enforcement agencies are doing nothing to counter the clearly illegal acts of the spammers.
And ISPs are doing NOTHING to reduce the number of zombies on their networks. So the DDOS attacks continue.
Nice going.
It's only a matter of time when someone (Al Queda?) will use the zombie network for something that will truly be noticed.
Re:Spammers are beginning to organise (Score:5, Insightful)
Re:Spammers are beginning to organise (Score:5, Interesting)
Seriously... what would happen if everyone here went rogue, said "fuck it", and just actively blew away spammers (online, mind you, we don't need any gun-toting geeks for the love of god)?
With 700,000+ people on slashdot, a less than 1% high techno-competency rate (let the jokes fly...) would yield 7000 individuals from this site alone capable of tracking spam, breaking down proxies and ISPs, stealing and altering logs, etc. How long would it take before 7000 militant hackers working together broke down the spammers under an onslaught of attacks as underhanded as the ones the spammers are using? People like Ralsky aren't even that smart, technologically. I'm willing to bet that once the tough part is done: tracking them, actually beating the daylights out of their systems and them wouldn't be that hard.
Of course, each individual would have to be willing to deal with the fact that they could be one of the people that gets arrested and charged with a couple of felonies. Sort of like the old trick "yep - all three of you can surely beat me, but the first one in to try it dies". Who wants to be the hero?
Re:Spammers are beginning to organise (Score:4, Interesting)
We could do it without saying "fuck it"...
Seriously, it doesn't take a genius to write a virus/worm that take advantage of the latest virus/worm-problem, patches the local system, spends 30 minutes attacking spammers and spreading to other infected systems, after which it just erases itself.
_ONE_ person is enough for such a thing, and sooner or later someone will do it.
Re:Spammers are beginning to organise (Score:5, Funny)
We'd lose that caution to the wind, devil may care edge that most of us crave if we did that.
I know I'm not participating unless "fuck it" is the official battle cry of this movement.
Re:Spammers are beginning to organise (Score:4, Funny)
I don't think that "fuck it", in this context, means that you will be getting laid.
Sorry.
Friendly virus == shoot self in foot (Score:4, Insightful)
The first "great internet worm" was a friendly program that went haywire.
Re:How to legally DDOS spammers (Score:3, Insightful)
Re:Spammers are beginning to organise (Score:3, Insightful)
Re:Spammers are beginning to organise (Score:5, Funny)
What about Eric Raymond? [catb.org]
On second thought, guns are too subtle.
How about we attack spammers with Trebuchets? [trebuchet.com]
Or fling spammers into walls with a Trebuchet?
Re:Spammers are beginning to organise (Score:5, Insightful)
No, it's not bullshit, you're just an idiot and you have a problem with context.
Now, if you can show me where I said anyone SHOULD do it, as opposed to the entire post which is a hypothetical question regarding what would happen if an army of hackers DID do it, I'll eat those words.
And, please, just knock off the moralistic white-hat hacker bs. I'm sick and tired of people continuing the "play by the rules even if the rules are crooked" credo with their inflated egos and pomp. If the solution to the problem is a brute force assault, that's the solution. What sort of self-respecting geek would overlook the solution to a problem because they had a different one in mind to begin with? Mark my words: withing a year Bayesian filtering will be another dead suggestion in the pile of stopgap solutions to the problem. Whitelisting is already a solution only for those few mortals who can afford to miss random / unknown contacts and don't receive enough mail to make the overwhelmingly execruciating maintenance completely offset the benefits. Blacklists are under illegal assault as we speak and nobody is lifting a finger to help them. Computers are being zombified and mobilized on a daily basis making innocent users who just want to send pictures of their kids to grandma unwitting weapons in the arsenal of anyone with a little technical skill and some ill intent.
Hate to tell yah buddy, but the Internet is, in fact, a warzone. The technical solution is a total revamp of protocols, and it's unlikely that the implementation would be anywhere close to being construed as successful given the widespread nature of the network.
And for those of you who've been wondering about the obvious anarchist slant to these last two posts, no, I'm not anarchist, but the Internet IS an anarchy. As a result, it's the responsibility of the clueful few to handle problems in whatever manner the majority community sees fit (including the clueless ones in the community, not just the geeks). The Internet can route around physical damage, but it can't route around social problems like spam. Trying to solve a social problem like spam with a technical solution is stupid. That's like trying to "cure" racism with pills. A strong message needs to be sent, and, unfortunately, it would appear that nobody within the bounds of the law is willing to send it.
So, I ask again: what would happen if the community took care of the problem for them?
Re:Spammers are beginning to organise (Score:4, Insightful)
You want to shoot the messenger? Fine. But don't forget that someone pays the messenger to send their message. Whether they are selling you something (which may or may not work), or just harvesting replies to sell to interested businesses, they are the ones to target.
Re:Spammers are beginning to organise (Score:4, Insightful)
Shooting the proverbial messenger is just fine when the problem is the message itself. Shooting the messenger only becomes a problem when you don't want to hear a message about a DIFFERENT problem.
Of course, in this case, I have no problems with shooting the messenger AND the person who sent him...
Bayesian is still good (Score:4, Interesting)
I doubt that, at least to the extent you likely intend it. The great thing about Bayesian filtering is that it's adaptive. So they would have to dramatically increase the rate at which they discover and use filter-killing tricks for this to work.
I'm running Mozilla, and in the last 8 months (roughly) I've gotten 10,000 spams - modest, but a great library for catching spams. I catch about 97% or more of them. And I can tell when they come out with a new trick - my catch rate will drop to say 80% for a day, after which my filter catches up to the new trick. In fact, when they don't have new tricks, my catch rate is about 99+%. Most of what gets through is new tricks.
I'd say now, they come out with a filter-busting trick maybe once a month. For spam to become a problem to my client, they'd have to do it better than once a day. I don't think they have the resources to do that.
Re:Spammers are beginning to organise (Score:4, Interesting)
I think we'd all rather see an elegant solution here.
I don't WANT regulation, plain and simple. The government fucks up enough things without sticking its nose in the Internet too. It would be nice, however, if they'd bother to investigate and prosecute spammers and spam-virus writers the way they go after the "real Bad Guys" like Mitnick or Phiber Optik.
I think we'd all rather see an elegant solution here. I think we'd all rather NOT see More DOS attacks.
Agreed on both counts. But, I don't see any elegant solutions in the works and the ones that are on the way are already under attack. Bayesian filtering is trivially circumvented with blocks of "real" text to drive down the % likelihood of a spam being labeled as such and, at the same time, drive UP the likelihood that a legitimate message is labeled as spam. It's the best stopgap to date, but it will fail eventually. As for the DDoSs - a good way to put a total stop to them would be to wipe out the spammers. Sure, there'd be a huge spike for awhile if people DDoSed in return, but that's a clunky, temporary solution to them. There's far more "elegant" ways to fight back.
And, physical violence? Sort of. It's more akin to someone driving past your mailbox and bashing it in every time you get a new one. When you call the cops and they don't or can't do anything about it, what do you do? I'll tell you a good counter-measure: when you hear them coming down the street *pok* *pok* *pok* - grab a crowbar and hide in the bushes. As they slow down to pop your mailbox next, jump out and smash the back windshield of the car.
Never saw 'em again.
If the law can't be bothered to handle it (prosecution), and it can't be settled peacefully ("elegant" technology), I have no problem with a gun battle in the streets as long as the "victims" that you're fighting for approve of it.
Now, if someone has a serious proposal for retooling the SMTP or has some other workable solution to the problem, and has a plan for rolling it out, I'm all ears. However, I don't see a serious proposal that will be ready NOW and spam is a HUGE problem NOW. A solution that's going to take another 5 years to develop and implement is NOT ACCEPTABLE. The spammers are going to destroy e-mail in the process. They are not playing by the rules, they are not playing by the law, and nobody has a realistic solution that will be ready in time. Why should anybody else play by the rules if the law's not going to deal with them?
Re:Spammers are beginning to organise (Score:5, Funny)
It's only a matter of time when someone (not tuxette though) will do an al Qaida on some notorious spammer or other. There are only so many catalogs and pizzas you can send a spammer...
Re:Spammers are beginning to organise (Score:5, Interesting)
if you dont have one target to attack, and not allow the scumbags to modify the data file (md5 sums + other means to ensure the file is real... you can end run these spamming scumbags.
I for one dont understand why this has not been done already.
This is NOT Simple (Score:5, Insightful)
Bittorrents, for example, must have a seed site out there somewhere. This site can be taken out, and any other "offical" site that mirrors it. If the data is signed, then the offical sources of such signed data are vulnerable (if you need to revoke the key). The general problem of anonomizing traffic, while being able to trust the data on it at the same time, is Hard.
Re:This is NOT Simple (Score:3, Interesting)
No, not at all. All you need is PGP. If the file's signature matches, it's the real thing. If it doesn't it's not. Pure P2P.
Gnutella would be much better. No central server.
Re:Spammers are beginning to organise (Score:3, Funny)
Re:Spammers are beginning to organise (Score:4, Funny)
Re:Spammers are beginning to organise (Score:5, Interesting)
Having run an opt in mailing list for a previous employer I can tell you that some people sign up then go complain to spamcop when they actually get the email. And then the mail server gets an Instant blacklist thanks to the automated system and your stuck with the rest of the emails getting bounced.
The problem gets worse when they black out the email addresses so it becomes impossible to tell who actually wanted off.
Re:Spammers are beginning to organise (Score:5, Informative)
I don't run a mailing list, but some of our customers do - and you're correct, this part does happen.
then the mail server gets an Instant blacklist thanks to the automated system
Never seen this happen. In every spamcop case, we were always given the chance to respond - we've never been blacklisted. (A simple response showing the opt-in confirmation clears things up.)
The problem gets worse when they black out the email addresses so it becomes impossible to tell who actually wanted off.
Blacking out the email address doesn't make it impossible to check the recipient - unless you have the (bad) habit of deleting your mail logs too soon (IMHO a month is pretty much a minimum to keep logs - which shouldn't be a problem, as spamcop rejects submissions that are over 3 days old.)
You'll have the destination server and the SMTP ID - both of which are in your logs. (If you don't have access to the logs, your ISP should be more than willing to provide them - especially if your claims about being blacklisted are true.)
All in all, spamcop does a pretty good job.
Re:Spammers are beginning to organise (Score:5, Insightful)
Woohoo! Lookie here! A PISSED OFF SPAMMER!
Awwwwwwww, isn't that cute?
They blacklist people regardless of if the user tried to unsubscribe.
Fuck off and die. You have absolutely no right to expect people to burn up an entire LIFESPAN unsubscribing to your computer generated bulk crapflood.
Lets assume you never spam any address more than once. Lets assume that the average internet user goes through a mere two email addresses in his entire life. Let's even forget the 600 million global internet users and assume you only e-mail the 150 million or so American internet users. Lets assume it takes an average of 5 seconds to download, review, and use the unsubscribe process.
Unsubscribing from a SINGLE spammer:
150 million people * 2 email addresses * 5 seconds
= 1.5 BILLION seconds.
One human lifespan:
60 second per minute * 60 minutes per hour * 16 (waking) hours per day * 365.24 days per year (0.24 factors in leap years) * 71.3 years
= 1.5 BILLION seconds.
So each and every "unsubscribe-system" spammer can easily KILL an entire human life! Yeah, it only consumes a tiny portion of each person's life, but that does not change the fact that the final cumulative impact equals an entire human life.
If the user is too damn lazy to use unsubscribe it's our fault?
Lazy - that's a real hoot! He had to work to file a complaint against you. That takes quite a bit more time and effort than simply clicking an unsubscribe link.
That proves there's an error in your mental perception of the situation. You are trying to place the blame on people who are "simply too lazy to unsubscibe". THEY are not the problem, and THEY are obviously not lazy, or they wouldn't be making the effort to cause you trouble. They make that effort because YOU and YOUR COMPUTER are causing troube for THEM with computer generated bulk messages that need to be dealt with BY HAND. You burn up a few milliseconds of computer time to generate each message, messages that cumulatively burn up hours, days, years, or decades of human time to deal with.
YOU should not be burndening MY TIME with computer generated bulk mail unless I specificly requested it from YOU. NO stupid-ass games constantly trying to shoe-horn people onto global "opt-in lists" to sell around the planet.
If I want your bulk mail then *I* will give you my address, and I will give it to you for FREE!
-
Re:Melior, Inc.'s iSecure to fight DDoS (Score:3, Insightful)
Why? (Score:2, Interesting)
Re:Why? (Score:5, Insightful)
Re:Why? (Score:4, Funny)
I swear officers, I was just going to use it for making cookies. What? You mean thats illegal too? Dang it, now how am I going to be able to sit through the Matrix trillogy!
Re:Why? (Score:3, Funny)
speed of light (Score:4, Funny)
Those odds approach 1 at the speed of light if you send me your address and you are within 100 miles of where I live.
/dev/random CD for sale! (Score:5, Funny)
And if you act now, I'll send you the
Re:/dev/random CD for sale! (Score:2, Redundant)
Re:/dev/random CD for sale! (Score:5, Insightful)
You joke, but this algorithm was sufficient for human evolution. (Hmm, spam as sperm?)
Re:/dev/random CD for sale! (Score:3, Funny)
Right, but that took millions of years. Maybe in that amount of time
Re:/dev/random CD for sale! (Score:2)
If you filtered
Re:/dev/random CD for sale! (Score:2)
Re:/dev/random CD for sale! (Score:2)
You can't use a theory as basis for such a statement. There are many other theories out there that can explain human evolution in the given amount of time much better than the /dev/random theory.
Re:/dev/random CD for sale! (Score:2)
Unless by taking his comment seriously, you want us to also believe the other theories you fail to mention are also the basis for jokes?
Re:/dev/random CD for sale! (Score:3, Informative)
Re:/dev/random CD for sale! (Score:5, Insightful)
To return to the
No surprises here (Score:5, Insightful)
On the other hand, why would someone sending spam care too much about the integrity of the data? You're still getting over 6 million email addresses. So several million messages bounce...does the spammer care?
Re:No surprises here (Score:2, Funny)
Re:No surprises here (Score:3, Insightful)
Poisoning the list (Score:3, Insightful)
And most likely, they generated some of the email addresses themselves anyway.
The same thing happens here... (Score:5, Interesting)
Spammers aren't just evil for selling addresses, they are evil for making up about 3/4 of the ones that they do sell, and anyone who buys a CD with email addresses on it should be aware of that.
Re:The same thing happens here... (Score:2)
Spammers are evil for everything they do.
bulletproof hosting? we'll see about that.... (Score:5, Funny)
And if there are a few bullets left over, I'm sure someone can come up with some creative spammer-related uses for them...
Re:bulletproof hosting? we'll see about that.... (Score:5, Funny)
Are piranas dangerouse to humans?
Can nude people survive on the North Pole?
Is there really no air in space?
Is smoking in a gasoline filled room dangerous?
Can humans conduct electricity between high voltage lines?
Can people really live inside a whale?
If an anvil is droped on someones head, does he really see birds and stars flying around his head?
Spam in Europe (Score:4, Informative)
Unfortunately, as this article [theregister.co.uk] on the Register points out, most spam comes from outside of the EU, or turns out to be untraceable anyway... so the question is if this new legislature would have any noticeable effect.
A quote: Anti-spam software outfit, Brightmail, says the legislation only affects European registered companies and they're unlikely to flout the legislation. However, it claims nine out of ten spam emails are either untraceable or come from operations outside the European Union. Either way, professional spammers - whether inside or outside the EU - are unlikely to heed the new legislation. So in effect, this new law will make bugger all difference to the amount of spam we get in Europe.
IMHO this new law certainly is a step in the right direction, since the ISP's would be legally obliged to take action against spammers on their network. Now if only the rest of the world would go in the same direction...
Re:Spam in Europe (Score:3, Interesting)
Re:Spam in Europe (Score:3, Interesting)
So, for the purposes of legislation, maybe the answer is to divide spam into two categories.
First category would be random junk, with no real product, or with no realistic way to reach the purveyor of said junk. It happens, you can't do much about it, let it slide.
Second category, however, would be the spam advertising a real product/service, with s
While they are at it... (Score:5, Funny)
Re:While they are at it... (Score:3, Funny)
Re:While they are at it... (Score:3, Funny)
Re:While they are at it... (Score:5, Funny)
I think if you're willing to give your money to spammers, you've proven yourself safe from any harmful side effects to your alleged brain.
Re:While they are at it... (Score:2)
I wonder (Score:2)
Re:I wonder (Score:2, Insightful)
Re:I wonder (Score:3, Insightful)
To accomplish what, sue the person selling the list?
To sue someone, you need to exist, and provide contact information. Considering that the linked article basically states that this CD of supposedly valid and unique email addresses amounts to little more than false advertising (and for the purpose of something that counts as a crime in an increasing number of places), only an idiot would out themselves over $60.
More impor
Once again.... (Score:2)
Email used to be a good tool for keeping in touch with people before spam. It's probably more useful for individuals than many businesses.
"Unregular syntax" (Score:5, Informative)
Re:"Unregular syntax" (Score:2, Interesting)
I used to get a whole lot more spam CDs (Score:3, Funny)
What I really miss are the days of spam floppies, now I never seem to have a floppy when I need one.
Priceless (Score:5, Funny)
which translates from dutch to english to something like: me-steal-car@from.you
I've often wondered... (Score:3, Interesting)
Yes, its great that people embed "remove-this" and so on into their email addresses at Slashdot and other places (like Usenet), for example to make it harder for bots to parse and detect valid email addresses..
But one wonders if tools cant easily be written to remove basic patterns of that sort ... a simple substitute (or regex, whatever) would cleanse quite a few addresses, especially on UseNet..
Why is this worth it ? playing devils advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances ? ) and thus the spam would be more "directed" ?
Along those lines, how much longer before someone just hires a highschool kid to manually "collect" addresses ? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..
It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought ? If its per item, then there is a good incentive to cleanse, I'd think..
Re:I've often wondered... (Score:3, Interesting)
If your business model depends ot targetting spam at people who hate spam enough to obfuscate their e-mail address, you are no
You are misunderstanding... (Score:3, Insightful)
They probably can. And they are probably already in use by some spammers. No big deal here.
Why is this worth it ? playing devils advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a f
Selling e-mail addresses shouldn't be illegal (Score:5, Insightful)
What should be illegal is selling generated, known to be false, addresses. This is basically false advertising.
What should also be illegal is bulk mailing to people who do not subscribe to a service. We need better mail servers that optionally require a "key" to receive mail, otherwise it goes straight to "File 13".
Sadly, all this bulk mail, even if "bounced" back to the sender, uses tons of bandwidth and is ultimately a tremendous waste of everyones time.
Unfortunately, all this Spam would stop is people STOPPED BUYING FROM THE SPAMMERS, but even if 0.0001% of recipients say "yeah, I DO want a larger
Re:Selling e-mail addresses shouldn't be illegal (Score:3, Interesting)
I agree with the rest of your post. This part seems a bit forced if you think about this reality that we come across:
When searching for a long lost friend, it is nearly impossible to find a phone number, or a working email address, and sometimes phonebooks list only partial names. Also, chances are that any user of a plain-old phone book will find a S
Re:Selling e-mail addresses shouldn't be illegal (Score:3, Insightful)
Wrong. Totally wrong.
Even if nobody ever responded to spam (and there really is no hard evidence that anyone does) spammers would still be able to find victims, because there are people who believe "well, they wouldn't be sending it if it didn't work."
Spammers are con men. They con victims into believing that spam is effective, regardless of whether it's effective or not.
Re:Selling e-mail addresses shouldn't be illegal (Score:5, Interesting)
Unfortunately it CAN be profitable. You missed the fact that the cost of sending spam is vanishingly small.
Lets assume that one in ten thousand response rate. Lets assume $50 total profit. Lets assume you send a measly 2 spams per second (1.2 million per week). That is over $314,000 per year.
It will be profitable as long as your expenses are less than that. Hardware costs: insignifigant. Software costs: insignifigant. Address lists: insignifigant. Labor: one person part time. Bandwith: Maybe several thousand, but still not signifigant.
If some of them keep buying herbal viagra every year it becomes that much more profitable. When you find such a "live one" they are prime candidates for every other crack-pot offer you dream up. One single fruit-cake can be a gold mine giving you a few thousand per year.
I hate working out this math, it almost makes me want to go into the spam business. On the other hand if you do the math it becomes clear that each spammer can easily kill entire LIFESPANS worth of other people's time just deleting this crap.
-
I'm not sure this is a good idea... (Score:5, Insightful)
Do me a favour (Score:5, Interesting)
We'll soon see a change in the law.
Ahh I can dream.
Re:Do me a favour (Score:4, Insightful)
Yes - to make intentionally submitting the email addresses of such people to spammers illegal. Hell, they can probably swing it as a terrorist act - interfering with the democratic process, distributed dos attack on their email, etc.
Speaking from experience... (Score:5, Informative)
Over here, the rule is opt-in. The recipient of the spam has to have consented to it beforehand. (for the Norwegians here - markedsforingsloven 2 b).
I used to have a job where I had to deal with different kinds of questions from the public that dealt with, among other things, spam. After contacting various Norwegian spammers to lay down the law, I found that a lot of them bought CDs or whatever with e-mail addresses. They seemed to (usually arrogantly) think that because they bought these lists, they were fully legal to use. This is not the case.
I don't know if these CDs were sold with the implication that their use was legal. Hindsight is 20-20 and I realize now I should have told these spammers to demand their money back from the people who sold them the CDs.
Yep.. but it doesn't stop the SPAM from flowing... (Score:5, Insightful)
I think the only way to do it is to have
a) hashcash payments (CPU time) OR
b) cryptographic pass-through "token"
The former for all the low-volume mail, where you can "afford" to burn a little CPU. The latter for mailing-lists and similar high-volume stuff, which would allow it through without paying any hashcash, but must be specifically issued (by the server, at the user's request).
The server wouldn't need to keep a database of them, it would simply have to verify them. Yes, this is my own signature, a valid user@mydomain.tld token with the name "Slashdot". They could also be time-limited. Furthermore, the token email address should be different from the non-token email, so that I can issue them "anonymously". (e.g. the SHA hash of the real email...)
Compromised token? Reject any further mail from that token, preferably at server (revocation database, wouldn't be that large). By default, mailing lists should take a rejected token as an "unsubscription".
That would also allow for degrees of "blocking", not simply black&white lists.... these semi-spammy domains get higher hashcash, these highly no-spam areas get lower hashcash.
So how would this work. Let's say I want to sign up for a slashdot newsletter:
Subscribe
1. Send subscription email to server, check box for "Issue token", and call the token "Slashdot".
2. Server recieves requests, generates a cryptographic token, and sends it to the list from the TOKEN address (say e.g. a hash of the real email, server has a hashmap).
3. Server recieves mail from mailing list, looks up real email based on token, verifies token, and pass it on (with proper "X-Token" header or soemthing like that). Replies to messages with an X-Token also sent over token address.
Unsubscribe (either due to compromised/SPAM/leaving list):
1. Revoke token
2. Mailing list tries to send mail, but fails on invalid token. Removes you from list. They could try again but the result would be the same.
What information does slashdot have now? Nothing. No valid token, no valid address. No matter how hostile/compromised they got, they can't do any more damage. They can't even sell my real address to spammers.
Having removed all "high-volume" automatic lists from the equation, we can jack up the hashcash requirement high enough that it really hurts spammers. You can finally have a SPAM policy without directly rejecting mail.
Hell, you could even have a two-stage hashcash deal. One based on origin (before wasting bandwidth) and one after retrieving mail and passing it through spam-assasin, with higher hashcash the more "spammy" the mail is (wasting bandwidth, but saving space in inbox).
The only ones hurt by this are those sending mass amounts of unsolicitated mail. Which are, in approximately 99,99% of the cases, spammers. If it isn't, it's mass requests to sign "save futurama/the rainforest/whatever" campaigns or similar. That much collateral damage, I'm willing to take.
Kjella
Great Tutorial (Score:2, Funny)
Nothing New About This ... (Score:5, Insightful)
As for the author's assertion that the "bulletproof" spam hosts are in India, I give you ... China, Brazil, most of the Pacific Rim, as well as clueless/malicious providers such as Level3, Wanadoo.fr, etc. I can count the number of spams I've received from Indian sources recently on one hand, while the Chinese/Brazilian spam numbers in the tens of thousands.
Bullet Proof Web Hosting & Server (Score:2)
We offer reliable bulk email friendly web hosting services. You can now have the
peace of mind knowing that your web site is secure during your email marketing
campaigns.
[...]
You can use the server for any of the following:
Direct Bulk Mailing or Proxy Mailing
Web Site Hosting
Proxy, Relay or Port Scanning
If only there was some way to deprive "ContactHosting@tom.com" of peace of mind
Interesting math... (Score:2)
So could someone explain how, with 56% of them unique, only 1,795,633 addresses appear only once on the list? Does appearing "1 time" not mean the same thing as "unique"?
I though perhaps those numbers might mean "once more than unique", but that still doesn't add up - Just looking at the "1 time" and "2 times" columns, I see 1,795,633 + 4,107,246 = 5,902,879, while 10,9
Enforce valid WhoIs records? (Score:2)
Protecting Privacy is Much More Important (Score:3, Insightful)
Re:Force Registrars to do their Job Up Front (Score:3, Insightful)
Exactly what I was thinking of, but it would have to be enforced by generally accepted policy (maybe from ICANN?). This is the hard part. There would have to be consequences from higher level domains for not enforcing valid WhoIs records on their lower level domains. And ICANN's history does not indicate a real interest in taking the end user's side over biz interests.
"Heck, we force one in the US for guns, among other things - a misused domain can be j
Great Tutorial (Score:2, Interesting)
But...thanks to this new and wonderful tutorial, they can vastly improve the quality of their spam e-mail lists. The tutorial was even kind enough to provide the appropriate regex patterns at the bottom. How thoughtful
Re:Great Tutorial (Score:5, Insightful)
If you think this will make a difference in the quality of the lists, think again. These people are more interested in volume than quality, or they wouldn't have spent time on spam in the first place.
The more unsophisticated spammers don't really care about the list quality, as they'll just keep accumulating addresses since sending out the mails cost them next to nothing anyway. The sophisticated spammers are more likely collecting their own lists.
And the people selling these lists have every interest in inflating the number of addresses as much as they can get away with from their prospective customer base.
No sympathy here... (Score:2)
Part of me is wondering if this is necessarily a bad thing. Why not sell CD's containing bogus addresses to "poison the well" of spammers as it were? The ideal situation would be one in which 1.) every address was invalid, and 2.) the spammers paid for every bounce via bandwidth charges.
To be honest, this might be the most effective way of reducing spam. Simply register a large number of TLD's with the same IP address, make up bogus email addresses using said TLD's, and sell it on CD. Use the money
What you get when you buy a spam CD? (Score:5, Funny)
/obvious
the master plan (Score:4, Interesting)
Once lots of them have purchased, send out the CDs with the list of people who purchased the CD.
Profit and the joy of justice, all in the same business plan!
"Oh yeah."
- The Duffman
"Evil's no good. Ya just don't cotton to it. You've gotta whack it on the nose with the rolled-up Newspaper of Justice, and say, 'Bad dog...bad dog!'"
- The Tick (as best I can remember)
How about a private-public key? (Score:4, Interesting)
Then, have a specifically formatted message type to handle key requests. Say if Betty wanted to email Veronica to request her private-public key, it would have to be in a strict format, say with the subject line: KEYREQ . For example: KEYREQ veronica@archie.com Hi it's veronica. ?? Then your email client could have a button called "Reply/Authorize".
Re:How about a private-public key? (Score:5, Insightful)
By the time I've received an email, ie downloaded it to my local machine, it has just polluted (ie stolen/consumed the resources of)
- my cpu
- my disk
- my bandwidth
- the ISP mailserver cpu
- the ISP mailserver disk
- the ISP bandwidth
- the ISP bandwidth of every ISP it transits to get across 'the internet' to me
So, tell me again how your "solution" actually solves *any* problem?Repeat after me the problem with spam is *NOT* that we're unable to recognise it for the SPAM that it is.
The problem with SPAM is the resources it steals from me and all the ISPs.
Face it people, SPAM is THEFT, inbound SPAM steals resources from me, and resources from my ISP. In the end, I (the consumer) pay for that theft (eg increased internet access costs etc).
Attack the Bulletproof Hosting Companies (Score:5, Interesting)
Why aren't these sites listed, real-time blacklisted, and DDoS'd by the good guys? If there is a SETI screensaver, why not a Pitchforks-and-Torches (my name for the angry mob of ordinary folks) one that, say, once a minute sends a query to known spam-friendly ISPs. A million of these would be a million messages a minute. Hard to call that a real DDoS attack from any one person since all I wanted to see if their page has updated.
Whitehat CD (Score:4, Interesting)
Besides cutting down spam you'd be tranfering month
directly from the spammers to yourself.
But they'd find out The Hard Way (Score:3, Interesting)
You're not going to sell this CD to Alan Ralsky or his ilk, the professional Florida ROKSO members or the newer mafiosi who run their own harvesters (you'll leave attractive-nuisance web pages around for them :-) This kind of product is designed for the Gullible Bottom-Feeder spammers, the anklebiters who think they'll Make Money Fast by buying a CD from the big professional spammers. That means they'll either see your ads and believe them, or the
What about Rule #5? (Score:5, Insightful)
They don't care who you are, what you think, what you would or would not like to receive, what sex you are, if you are a minor or not, if the address they are sending to is valid or malformed, or if you are dead. All the lying that they do and the rationalizing of their behavior exists soley because -- lets chant together -- "Spammers don't give a shit"
The notion that a spammer should clean up a spamming CD to remove duplicate addresses or to remove role addresses at ISPs is simply ridiculous. Why spend the time? It will have zero impact on the number of sales that they make and -- chant it -- spammers don't give a shit.
So forget all the other rules. It is a waste of time to assign qualitive analysis to the behavior of sociopaths. They want money, and they don't give a shit about how they go about doing it. Once you realize that, you will see that all the other "Rules" for spammers are superfulous and stem from Rule #5.
P2P + PGP == Unasailable Spamcop Source (Score:3, Interesting)
1) Take a well known provider of such lists and have him generate himself a PGP/GPG (etc) key.
2) Create a hashing algo that can be applied to email addresses and domain names and produces (about) 60 or so distinct hashes.
3) Coordinate the email blacklists into N files where N is the number of hash results from item 2. These are the N components to the complete list. IF you have an address X and its hash is Xn then if the address doesn't apear in file N the address isn not blacklisted.
4) Construct (or use an existing) P2P app to distribute these N files. Ideally the P2P system in question can "bias" the fetch operation to favor retrevial from "previously known good" sources.
Here are the fine points:
A) The GPG secret key, and not the "location fetched from", is the magic that marks the list valid. You can not DDOS a secret key, just an originator.
B) A first-order web of trust, instead of a simple key, could also be used. That is, instead of requiring a signature from the master key, require a signature from a key signed by the master key. This way "the one key" can stay relatively unused while persons need to attack the rotating and regularly expiring frontage keys if they want to game the transfer for any reason.
C) The master key and the frontage keys don't have to equate to any real nor active network facility. They only need to be unique in key space. You simply *CANNOT* attack a namespace that isn't backed up by a physical facility. (For instance, if the master key were "master@control.spamcop.org", spamcop.org itself could be pointed at Geocities or something or nothing at all.)
D) While a current (Kaza-esque) P2P app would probably be less than ideal for the actual transport, it wouldn't be dificult to design a P2P style distribution mechanisim. It wouldn't need to be any more subtle than a bunch of http mirrors really, as long as the mirroring system (rdist/wget alike) would only put the files in the public directory if they passed a frontage-key/master-key signing test.
In practice you would probably want to distribute a signed known-mirrors (root) file too.
[Then again, a shite load of ptr records in a "spamcop.org" dns table could function as the analog of an MX table for this rooting purpose. Those sites would tend to become targets, but only for as long as the list size were small.]
If a "real" P2P app, or even a well designed friend-of-friend http-based network were put together and reached a core complexity of a at least a couple dozen known base points, it would be unquenchable. The target density would be too diverse to attack effectively. It would be like trying to DDOS "all the bloggers on the net".
Heck, set a pseudo standard: Every doman that wants to join the P2P network "backbone" should issue itself a "spamcop@my.domain" key and then do a challenge/response signing (on connection each party sends the other a challenge, gets the challenge back signed, checks the signature as valid) when it comes onto the backbone. Organize the thing like IRC but with records kept for keys used. Add some throttling (like IRC flood protection) and you are off. Abusers can be tracked down to their hosts and keys.
Then you can devolve. Regular users don't have to have keys to join the net and request information. Keys and domains can be blacklisted (possibly together?).
Heck, use the haxors techniques. Actually get permission to stake out some IRC channels to act as the root seed broadcast-style distribution system (list of known good core hosts, again, such lists are signed).
All you have to do is get some distribution without losing authenticity. That is what public keys are all about. The anti-assailable nature of P2P and the semi-chaotic nature of IRC have their legitimate purposes. Now all you need is to use these systems for good instead of evil.
Re:Spam Prevention? (Score:5, Informative)
Re:Spam Prevention? (Score:3, Informative)
The Email "From" address would have to originate from an Email server that matched its DNS entry. You could still fake the IP address or the DNS Service, but this is not as trivial as faking the "from" address.
Spammers will probably circumvent SPF by registering many disposable domain names, and configuring the DNS for those names to return SPF-style authorization for the IP numbers of whatever proxies or compromized machines they are currently using to transmit messages.
So SPF wi
Re:Spam Prevention? (Score:3, Insightful)
This is almost exactly what SPF (and RMX and DMP) actually do. With SPF, your server makes a query to the claimed from domain and asks HOW to test if the IP number is an authorized sender. Many different methods are defined by SPF, and if any of the ones retu
Re:Preventing Spam (Score:2)
You're wrong (Score:2)
you should read the SMTP rfcs