Security Firm Creates Chatbot To Respond To Scam Emails On Your Behalf (theverge.com)
An anonymous reader shares a report: Chatbots. They're usually a waste of your time, so why not have them waste someone else's instead? Better yet: why not have them waste an email scammer's time. That's the premise behind Re:scam, an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time.
An interesting tactic (Score:5, Insightful)
Anything that increases the cost of spam scams relative to the returns is worth investigating to see if it's practical, because ultimately you have to attack the economics to kill the beast.
I'd actually like to see this run on my local system, though.
Re: (Score:3)
Re: (Score:1)
Plus, if the spammer actually gets a reply, how do you know they don't send you on to their friends or mark the address as a "known good" address or a "possible sucker" address. Or heck, lots of the early emails are probably computer generated, so what you really get is bots replying to bots.
Re: (Score:3)
The summary says that they'll reply using a "proxy e-mail address". TFA gives few details and I'm not going to explore their site at work. It's not clear whether there will be enough information in Rescam's reply for the scammer to identify where the original message was sent. Is it common to include your target's information in the body of your initial scam invitation?
TFA does acknowledge that their efforts will result in a lot of bots talking to other bots.
Re: (Score:3)
Is it common to include your target's information in the body of your initial scam invitation?
Of course. With HTML-ized email, it is almost standard practice to include at a minimum a 1 pixel blank image with an encoded URL. You don't see it, but the website logs that you retrieved it. That not only tells them that the email address is valid, but that someone reads the email going there.
And when the question is asked about "selling your email address to spammers", it's not the Re.scam people you need to worry about. It's the spammer who sent you the probe to see if the email address was valid. Gett
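An added example, not part of the comment above or of Re:scam: one way a mail filter could flag the kind of remote 1-pixel image with an encoded URL described there, before the client fetches anything. The sample message, the placeholder hosts and both heuristics are assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample message (not from the thread); all hosts are placeholders.
SAMPLE = """\
To: reader@inbox.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="https://cdn.example/logo.png" width="200" height="60">
<img src="https://tracker.example/o.gif?id=constructed-token-123" width="1" height="1">
<img src="cid:inline-logo" width="1" height="1"></body></html>
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one attribute dict per <img> tag
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def is_tiny(attrs):
    # Heuristic (assumption): both declared dimensions are 0 or 1 pixel.
    return all(str(attrs.get(k)).strip().rstrip("px") in ("0", "1") for k in ("width", "height"))

def find_beacons(raw_message):
    """Return (url, reasons) for remote images that look like open-tracking beacons."""
    findings = []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() != "text/html":
            continue
        parser = ImgCollector()
        parser.feed(part.get_content())
        for attrs in parser.images:
            src = attrs.get("src") or ""
            url = urlsplit(src)
            if url.scheme not in ("http", "https"):
                continue  # cid: and data: images are embedded; nothing is fetched
            reasons = ["1x1 size"] if is_tiny(attrs) else []
            if parse_qsl(url.query):
                reasons.append("query parameters")
            if reasons:
                findings.append((src, reasons))
    return findings

if __name__ == "__main__": print(find_beacons(SAMPLE))
```

A client that blocks remote image loading by default never makes the request, so the sender's web log records nothing regardless of what this check finds.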
Re: (Score:2)
I would say the business model is you freely send them information about spam you have received so that they can improve security services like a spam filter that they sell, but they appear to be a non-profit that receives support from various local and state government departments that they work with, so I guess not.
Re: (Score:2)
how do you know they don't send you on to their friends or mark the address as a "known good" address or a "possible sucker" address.
That's a feature, it makes it like a virus!
Re: (Score:3)
What guarantee do you have that they won't?
None, but it doesn't seem likely. Unless there are buyers looking specifically for the demographic of people that would forward spam to anti-scammers, there are much easier ways [wikipedia.org] to harvest e-mail addresses. Any group that you share your email address with is subject to the risk of hacks or "rogue employees". We all set our own threshold for risk when we decide where to disclose our personal information. Developing a chat bot designed to frustrate scammers in an effort to collect data to sell to those scamme
Re: (Score:2)
Re: (Score:2)
Of course, an event being unlikely to occur does not guarantee it won't. But I decide on my actions based on perceived likelihood. If I think there's a 99% chance that Rescam will sell my email address to scammers, I won't use them. If I think there's a 1% chance (I think it's lower), I'll be much more inclined to use them. You can't go into every situation you encounter planning on the worst possible outcome, however unlikely. Well, you can, but I don't; you do you.
Re: (Score:2)
Re: (Score:2)
Can't remember the last time I was 99% sure of anything.
When I left for work this morning, I was 99%+ sure I'd make it to work alive. Not 100% sure, but sure enough to take the risk. I'm less sure that Rescam wouldn't sell my email address, but still beyond 99% because it makes that little sense to me.
Re: (Score:2)
Re: (Score:2)
Unless you are naive, you have to assume that anybody that you don't know (and a good number of people that you do know) will be willing to stab you in the back for a few bucks. Never forget that.
I refuse to live like that. Consequences be damned.
Re: (Score:3)
There was an older tool that was basically an automated version of FormF*cker. Basically it went to the spam web pages and filled in the forms with crap. After all, back then spam sent you a link to get more information from you, so the tools would fill in the
Love the idea (Score:2)
Re: (Score:1)
A voice chat bot like this on the phone system? *666 and some bot can talk about all my detected viruses and overdue tax problems
Re:Love the idea (Score:5, Funny)
Sir,
I am having many!! such ideas. In fact I have been a succesfull businesman more than 23 years and am in possession of a substantial!! quantity of monies. But, unfortunately I, am most Sorrowfully in dispute with the Ghanaian tax authorities who have frozen my accounts. However my esteemed solicitor, Dr Goodlove Simons III has assured me that through the payment of a fine of no more than $250US I will be able able to transfer these monies with much expeditiousness to an overseas bank account. I am prepared to offer a reward of $2500 in exchange for your immediate trnafser of $250US to the following account: IBAN002300203 Acct holder Ghanaian Tax Authorities, Apt 3b Rhodes House N2389 Lagos, Nigeria
In anticipation of your excellent assistance, and with many!! thanks, Rev Alfons Dauphine
Comment removed (Score:3)
Re: (Score:2)
Did you post your correspondence here? http://www.419eater.com/ [419eater.com]
Re: (Score:2)
Skeptic (Score:1)
The skeptic in me says that this is a great way to harvest legitimate e-mail addresses for a future purpose.
Re: (Score:2)
True - that purpose being to feed it into a system that doesn't trigger the spam responder system.
It's an arms race.
Re:Skeptic (Score:4, Insightful)
It may be that figuring out what the email addresses are is not the hard part of scamming.
Re: (Score:2)
Automation ok? (Score:2)
Can I program my mail system to automatically forward spam?
Re: (Score:2)
Can I program my mail system to automatically forward spam?
Um... yeah, of course. It's trivially easy.
Re: (Score:2)
Um... yeah, of course. It's trivially easy.
If it were so trivially easy then I wouldn't still be getting spam and there wouldn't be valid emails showing up in my spam filters.
It is trivially easy to automate forwarding of email, that is true, at least for some email systems. What is hard is perfect detection of what is and is not spam. I doubt your friends would appreciate getting some chat-bot response to an email they send you that was improperly classified.
Re: (Score:2)
Sometimes hard to believe that this used to be a tech site which had the tagline News for Nerds.
Re: (Score:2)
The problem is false positives. Otherwise it's trivial on any decent email system. But the false positive problem can be significant.
Jolly Roger (Score:2, Interesting)
See: http://www.jollyrogertelco.com/ . Keep telemarketers on the phone talking to a bot.
Re: (Score:1)
love it!
spam the spammers (Score:2)
Brilliant idea (Score:3)
The only reason these phishing scams work is because they are so low effort on the part of the scammer. You just vomit spam and then handle the responders.
This idea will turn the tables on them by making them do the same thing they're trying to do to others. Of course, it will turn into a cat and mouse game as the scammers figure out what's going on, and implement a cheap test to weed out the automation as quickly as possible.
Of course, then I wonder if the scammers will start automating their own responses... it'll be like watching cleverbot talk to itself.
Re:Brilliant idea (Score:4, Insightful)
Re: (Score:2)
The idea is that they will have to manually sift through thousands of emails per day to find the real mark,
If Re.scam is to engage them in an ongoing conversation to waste their time, then Re.scam must use a valid, replyable email address. The "proxy address" that the summary refers to.
If you and I can filter email based on a domain, why don't you think that a spammer can do that, too? Especially spammers who don't care what your email reply is, they're looking for you to visit their website to order their scam products or log in or whatever?
Re: (Score:2)
Why would the spammer, even one with an IQ lower than a brick, engage with a different reply address?
How do you know what email address will appear in a reply to something you send someone? If you think it will always be the address you sent the email to, then let me introduce you to the concept of "email forwarding service", such as those run by IEEE, ACM, ARRL, and thousands of other organizations and companies. I have an email address at all three of the ones I listed, plus a dozen more, and I am likely to reply using a completely different address if I do reply. It's more effort to change my outgoing e
Re: (Score:2)
These Nigerians are barely computer literate and barely literate at all.
So where do they get their list of email addresses from? And how do they send bulk email (since any mail relay known for spam would be blacklisted immediately).
There's clearly some smarts in the equation somewhere...
Chatbot to Chatbot? (Score:3)
I thought that many of the chat scams are via chatbots already. So won't this be like Google Go AI playing Google Go AI?
That'll be the future of the internet. A bunch of angry AI bots battling it out in a deadly embrace. That will be how the world ends!!
Cat Facts (Score:1)
Someone needs to do a Cat Facts bot to keep spammers busy
https://www.reddit.com/r/AskRe... [reddit.com]
email DoS (Score:2)
Re: (Score:2)
Right, but it is the human scammer who is the point of failure being DoSed. When you say "email DoS" you make it sound like the email system is being DoSed, which would be bad. But that isn't the case.
The bot is more coherent than the scammer... (Score:2)
Re: (Score:2)
Way more coherent. I went and looked after seeing your comment, and I'm really surprised. I've had emails back and forth with customers who were less coherent than that.
Problem with this idea is, (Score:1)
Most often the sending and reply to addresses are spoofed, and you would be "entertaining" the wrong party.
I was one of the early internet vigilante Paul Vixie Spam Fighters. I spent hours researching each turd that landed in my inbox and complaining to all the site hosting and system operators connected with the tripe.
I discovered that besides getting my name on a spammers black list there was no gain, my hours spent were squandered as the vulnerable spammers quit sending me crap new spammers sprung up or
Re: (Score:2)
You seem to lack comprehension. If they don't provide a usable contact, it wasn't a real scam, it was just a mistake spam.
As regards your past activities, you were part of a distributed effort. You had no information as to the number of people attempting to be spammers, or how many messages they were sending. So you had no way of knowing if your efforts should be expected to decrease the number of spams in your box, or if it would decrease the overall number in a way you can't detect, or if it would slow th
Similar: https://spa.mnesty.com/ (Score:3)
This is my new favorite thing (Score:2)
Now if we could get our spam filters to automatically route spam to the spambot, we'd really have something. Either a significant number of spammers would go out of business, or the universe would enter a recursive sequence and pop like a balloon.
Not sure (Score:2)
In the day, we got chewed up when we mailbombed the scammers, is it OK now?
Why are phishing emails not blocked (Score:2)
Re: (Score:1)
Always thought this was the way to fight this stuf (Score:2)
Re: (Score:2)
No, it shouldn't. The From: address is almost always taken at random from the same database where the To: address came from!
So, James Veitch replaced by a robot? (Score:2)
I guess James will have to shift to making videos about being replaced by robots....
Scamalot ... comedian replies to scam emails (Score:2)
Not working (Score:1)