Domain: devin.com
Stories and comments across the archive that link to devin.com.
Comments · 35
-
Re:Oh great ...
Remember this?
-
Re:That's still a lot
-
Re:zerg
The next question should be, "How do we make them regret their non-compliance?"
Tarpit them! Bonus points if you feed them bogus data at the same time.
Tarpitting unwelcome spiders not only limits the damage (in terms of bandwidth) they can do to you, but also the damage they can do to everyone else.
Software for this is available, for example Peachpit.
-
Blocklists, Teergrubes, Bandwidth Suckers
Active cracker DDOSing is mean and nasty and you shouldn't do it. But there are better-behaved ways to use group efforts to stop spammers.
- Blocklists are of course a critical tool - identify the spammers or the relays/proxies/zombies they exploit, publish their addresses so that people can reject mail from them.
- Sugarplums and other spam poisoners generate web pages full of bogus trap addresses for spammer address harvesters, so that they can DDOS themselves. Infinite-loop web pages, bogus email addresses, email addresses of other spammers, email addresses of teergrubes, spambait addresses on your machines that tell you to block anything from that IP address. Imagine if everybody set your 404-not-found page to include a few bogus addresses for spammers to email to...
- Teergruben are modified tarpit mail servers that answer SMTP v...errrrryyyyyyyy... sssssssllllloooooooowwwwwwwlllllllly, and can keep SMTP senders that talk to them tied up for minutes or hours. If you're running real SMTP on the same machine, you can configure the tarpit function to only happen for recognized spammer IP addresses, or else you can run a dedicated server (e.g. if you're not running your own SMTP on your DSL or cable modem.) One of these doesn't make much difference. Lots of teergrubes can tie up lots of spammers.
- Bandwidth Suckers like Artists Against 419 repeatedly download images from spammer websites to tie up their bandwidth. Because many web sites and ISPs charge for bandwidth on a 95th percentile basis, two days of heavy downloads can totally jack their bandwidth bill for a month, and small sites (e.g. free web pages) that have quotas can be taken out for the month by aggressive downloads (1GB is about 6 hours at 384kbps, so you can blow out a small quota overnight.)
-
Re:This link still works
Yes, hence "reduce mangling," not eliminate mangling. Clean copy untouched by slashdot here.
My key is published on my account. A far more current copy is in the keyservers.
-
Okay, here's some MTA support
While I'm not totally sold on the idea, it seemed to have enough promise to be worth trying. So here's a plugin to qpsmtpd, a replacement smtpd for qmail (it also delivers to postfix, IIRC). Implements most of the basic suggestions in SURBL's proposal.
(I'd like to be able to slap a bell and yell "first implementation!" in a childish slashdot fashion, but I'd be surprised if this really was the first, since it's easy to do a simple implementation and parallels similar DNSBLs in some respects.)
-
Re:An extension of this idea
This already exists... there's a simple CGI script for poisoning spam lists. It just generates endless links with email addresses on them, which the email address spiders just all (assumingly) blindly copy:
Sugarplum -- spam poison
sample...
If more people would use this, perhaps the spammers AND verisign will be discouraged. Two bastards with one stone. :-)
-
Re:A Czech site?
Here's a mirror.
-
More Poison Please
A nice example of spambot poison. But obviously hand-generated. The automatic kind is much more effective!
-
Another technological method
Check out this thing called Sugarplum which creates pages with lots of real-looking but truly fake e-mail addresses. The point of using something like this is to poison the spammer databases and reduce the good:bad ratio of addresses. This way hopefully they will have to throw out the database or at least the content they gathered from your web site.
Other ANTI-SPAM techniques: Basically the best method is to never let your e-mail address appear in a machine-parseable format except in places where other data is supposed to go. For example, the 'from' address in all my e-mails is just a forwarder address and not my real address. The point of this is that when some luser that I sent mail to gets infected with the latest mass mailing worm, my real e-mail address will NOT appear in their address book and be spread across half the net. I can just change the forwarder whenever I want. Of course in the 'name' field of the e-mail it shows [My Name (myname-at-mydomain-org)] so the real address can be found that way by anyone with a clue.
-
Give them just enough to hang themselves.
Well, I thank the EFF for this analysis, but I think they've missed an important tactic. Let Microsoft and Co. lock out non-MS software all they want. They're at a fundamental disadvantage. If they wish to exacerbate their tenuous position vis-a-vis monopoly, fine. If they want to gamble shareholder confidence on a risky offensive against the general good will of the net public, we should help them.
The EFF warns that Microsoft's IIS web-server could block web-browsers other than Microsoft's IE. Well, Apache can just as easily be made to block IE. After all, Apache has run the majority of Internet web-sites since 1996. In other words, if MS doesn't play nice, we shouldn't reward them by rolling out the red carpet. Kick MS off the net (maybe for just a year or so.. mercy and all). You can start sending the message now.
-
Re:So what?
You're wrong. There's spam that is illegal federally, so the FTC has a valid case, regardless of the amount of penis spam that is being sent.
-
Re:Random nonsense
Have you ever tried Sugarplum?
-
Let's make spammers spam each other
The vast majority of the spam we received -- over 97% of it -- was delivered to addresses that had been posted on the public Web.
So let's beat them with their own weapons. Sugarplum is a WWW spambot poisoner feeding them with lots of email addresses which are faked, spam traps or addresses of known spammers and spamfriendly people - collected from spam emails or experience with spamfriendly ISPs. As a motivation, a lot of spamfriendly institutions don't see the problem "spam" as serious until they get a really high dose of unwanted email per day.
My Sugarplum installation gets scanned really often. At the moment, the French superspammer Artmarket is coming back almost every day, harvesting my Sugarplum site and dumping about 100 spams each time into my spam trap box. My ratio between spam trap and spammer is 1:50, so each time Artmarket will spam about 5000 spammers.
Some German dialer operators who had a really big spam problem half a year ago are actually trying to hire people to fight against spam they are getting on their own - no wonder, their domains were about the first to be spambaited massively in Usenet newsgroups and on WWW sites. Some 419 scam gangs who spamvertise their email addresses have to change them about once a month, as they will get flooded with "counterspam", and what is worse, they rely on the availability of their email addresses to get replies from their victims - that's why they spam.
-
Re:why not
Problem is, the spammer probably isn't getting bounce messages. They fake a reply-to or stick in someone else's address, so all the error messages go to /dev/null or some innocent person's mailbox.
There are a bunch of scripts out there that will do what you are looking for. To wit:
Sugarplum: SPAM poison
Searches for stuff like "spam harvest poison script" should turn up more. There are also honeypots and tarpits designed to mire SPAMmers' attempts to pump out spam by acting like an open relay, but sending back fake success messages with delays to slow down their progress.
The thing that gets me is that SPAMmers know everyone hates them, and they do all this underhanded harvesting, address spoofing, attempts to get around filtering, etc. If they would simply put "ADV:" at the start of their message header, we could all set up filters and not get so annoyed. I know since my annoyance level has increased I report each and every SPAM I get via SpamCop, and cackle with delight when I see their websites shut down in short order.
-
Re:Then why do they....
I suppose you haven't been paying attention to your e-mail lately?
JP
-
Banning vs. Blocking
All sorts of people who don't understand the web or the Internet keep trying to get rules made or bring lawsuits or abuse the DMCA in novel ways because they don't like how their data is being used. In most cases, this is way out of line (as opposed to mildly out of line) because they can simply set their web server not to respond to requests they don't like.
A classic instance is the "deep linking" cases, where somebody doesn't want to let you see their deep pages except by coming through their front page. Rather than taking this to court, as several content providers have done, and beat up on users one at a time, it's much simpler to check the HTTP-REFERER to find out what page the request came from, and send an appropriate response page to any request that doesn't come from one of their other pages. (Whether that's a 404 or a redirect to the front page or a login screen or whatever depends on the circumstances.)
Screen scrapers are an interesting case for a couple of reasons. One of them is that blind people often use them to feed text-to-speech browsers, so banning them is Extremely Politically Incorrect, as well as rude and stupid. Another is that anybody with a Print-Screen program on their PC can screen-scrape - you're only affecting whether they get ugly bitmaps or friendlier HTML objects. So you not only have to ban custom-tailored CPAN objects, you have to get Microsoft and Linus to break the screen-grabbers in their operating systems.
The related question "ok, so how *do* I detect and block http requests I don't like?" is left as an exercise to the blocker (and to the people who build workarounds to the blocks, and the people who also block those workarounds, etc...) The classic answers are things like cookies (widely supported "need the cookie to see the page" features seem to be available), ugly URLs that are either time-decaying or dependent on the requester's IP address, etc., or just checking the browser to see which lies it's telling about what kind of browser it is. There's also the robots.txt convention for politely requesting robots to stay away, and Spider traps to hand entertaining things to impolite robots or overly curious humans.
-
Re:I must be doing something wrong
I want to put something like that on every server I use
Try Sugarplum.
-
Re:speaking of...
Actually, if you have access to a place you can put a CGI script, you can install SugarPlum, a spam database poisoning script which will generate realistic looking but fake email address on a web page.
This is a lot less work than setting up hotmail accounts.
Cheers,
Costyn.
-
Re:"Counterspam" as a method to get rid of a spamm
From randomly generated webpage once around:
Blissfulness? Verdun blackcock.
Indeed.
-
"Counterspam" as a method to get rid of a spammer
For quite some time I've been putting any relay test dropbox, any spamvertized domain, any spammer or spamfriendly hoster's domain into my Sugarplum installation. Harvesters scanning my web site will fall into the trap at the beginning without discovering the rest of my site.
What is more, these addresses get posted into Usenet *.test groups. These newsgroups get harvested like crazy, with spam incidents occurring only a few days after posting and hitting several times per day. Since there is no obligation to use realnames for *.test postings, the most effective way to have spammers spam each other is using their addresses as sender ("From" header).
A few weeks ago a 419 scammer annoyed some members of the German anti-spam community with his crap. Usually most 419 scammers spamvertize their email address within the email body, Reply-To or even From. As his address seemed to be valid (to receive answers of fool^Wcustomers), we posted it into quite some *.test newsgroups. A day later, someone with a Nigerian IP address answered "don't mess around with us, read ya". Followup was "Oh, you're spamming each other? Here is some more food" and a list with hundreds of spammer's and spamfriendly people's email addresses.
The occurrence frequency of 419 scam has actually declined since then.
-
Backup to /.
or more interesting.. get the "snow" steganography program.. it (somehow -- still blows my mind) inserts binary into text using whitespace encoding. you can insert your gpg'd tarballs into spoofed journal entries created with the Sugar Plum junk HTML generator. You even have built-in timestamps!
Of course, they may only keep the last 25 comments... hmm... it still seems like all this could be easily scripted with perl.
-
Re:BayTSP, Cyveillance
I love these guys. They're easy to spot, because no human would come back to stare at the output of sugarplum day after day:
63.148.99.233 "GET /Babylonians/parallelize/fever/observed HTTP/1.1"
63.148.99.233 "GET /Babylonians/parallelize/fever/degenerate HTTP/1.1"
63.148.99.233 "GET /mark/Rooseveltian/reticulation/pork HTTP/1.1"
63.148.99.233 "GET /Babylonians/parallelize/fever/ferry HTTP/1.1"
63.148.99.233 "GET /mark/Obscurities/affable/Slavonicizes HTTP/1.1"
63.148.99.233 "GET /Babylonians/parallelize/fever/canonicalizing HTTP/1.1"
63.148.99.233 "GET /mark/Obscurities/communications/installation HTTP/1.1"
63.148.99.233 "GET /affable HTTP/1.1"
63.148.99.233 "GET /affable/civilized HTTP/1.1"
63.148.99.233 "GET /affable/fringed HTTP/1.1"
63.148.99.233 "GET /affable/fringed/agers HTTP/1.1"
63.148.99.233 "GET /affable/Gonzalez HTTP/1.1"
63.148.99.233 "GET /affable/Gonzalez/requesters HTTP/1.1"
63.148.99.233 "GET /affable/fringed/Collie HTTP/1.1"
I just hope I don't get a cease-and-desist telling me to take down the treatises on "affable fringed Collies" or "Rooseveltian pork reticulation."
-
Teergrubes and other traps for spammers
Teergrubes are tarpits to stick spammers in. They look like perfectly correct SMTP servers, e.x.c.e.p.t. t.h.e.y. a.n.s.w.e.r. v..e..r..y.. s..l..o..w..l..y.. and maybe generate lots of error messages requiring repetition, and basically they leave the spammer's machine tied up for a long time with very little effort. A legitimate mailing list server that encounters a teergrube will normally survive, because it's usually multithreaded, or at least has almost all its recipients as legitimate users, but an occasional few minutes of one thread stuck in a trap isn't a major problem. But a spammer who's encountering a large number of teergrubes (especially if he picked them all up at once from a spidertrap) will have lots of threads tied up for a long time and may not have enough spare capacity to bother real targets. There are a number of implementations around.
And somewhere out there is a far nastier variant on a teergrube that can keep a typical smtp session up for hours with only a few kilobits/minute, using tricks like setting TCP windows very small, NAKing lots of packets so TCP retransmits them, etc. (It basically works by saying "No, SMTP/TCP/IP isn't a set of protocol drivers in my Linux kernel, it's a definition of a set of messages and there's no reason I should use a bunch of well-tuned efficient reliable kernel routines when I can send raw IP packets myself designed for maximal ugliness.")
- Spamido is an automated tool for collecting spammers' addresses so they can be fed back to other spammers.
- Wpoison and Sugarplum are spidertraps that generate lots of fake addresses for a long time.
-
Re:Block? Are you kidding?
You mean like this?
-
Don't stop spambots, feed them with Sugarplum
I don't stop spambots, I feed them. I feed them phony email addresses and addresses of spammers (gathered from places such as my fake /cgi-bin/formmail.pl). I use http://www.devin.com/sugarplum/, mentioned before on /. to dish it out!
-
[OT] Re:More about ACPI
Of course, If you want to stick it to the man, you could do the reverse and Block MSIE from your Site.
-
Spider traps good with Teergrubes IF coordinated
Teergrube is a category of systems designed to "accept" mail from spammers, v e r y s l o w l y , and some of the implementations are designed to hold 10 connections from spammers open simultaneously (you could do a lot more.) Some of them can be run on machines with working SMTP servers, others are a substitute for a SMTP server that you run on some spare machine. If you know who's sending you mail, you can do a variety of things, ranging from notifying your real machine not to accept email from the spammer's IP address, simply holding the connection open (if enough people do that, the spammer's stuck waiting for timeouts instead of sending spam), submitting their address to block lists, or robo-generating complaints to the spammer's ISP, to doing mean nasty ugly things that probably violate your ISP's AUP. Some of the programs (see Raphael's posting) encode the IP address of the harvester in the bogus addresses, which is nice for tracking down the real culprits as opposed to just blocking some open relay in Korea.
Spider traps are good at handing out bogus email addresses. If some of those addresses belong to teergrube machines, anybody who harvests them and then uses them to send spam to the "users" gets stuck in the tar pit for a while. If you're only doing that for your own machines, that's nice, and slows down the amount of spam you get from a given spammer, and maybe lets you track them down, but it's a pretty unfocused attack. The way to make these things really effective is to coordinate a bunch of honeypots with a bunch of spider traps, so a spammer gets totally mired down in a few hundred honeypots at once instead of just one or two. Is anybody running a project like this?
Running a network of honeypots properly isn't trivial - it helps to keep the list of cooperating honeypots semi-private, because otherwise spamware vendors will start avoiding them, and you need to make sure that every machine on your honeypot list *is* really a honeypot, and not some poor sucker's machine that's suddenly DDOSed by tons of spam because 500 Sugarplums are handing out his address to spammers. If you're going to automate this sort of thing, you should probably require at least confirmation-mail from postmaster@targetdomain.org or possibly a digital signature. One convenient method for coordinating it could be an IRC channel or similar IM server, though you could just use email. An entertaining technique to use would be to have the bogus addresses all belong to domains that you control the MX records for, so you can use DNS to load-balance the spam among machines that have spare cycles for teergrubing (e.g. spammer asks for bogus1.bogusdomain.com, bogus2.widgets.org, bogus3.slashdot.org, etc.) Too bad Napster's dead - most machines running Napster were clients that didn't run their own Port 25 SMTP services, so adding teergrube features to Napster clients wouldn't have interfered with real email, wouldn't have added much bandwidth because it doesn't actually accept messages very fast, and would have made the Napster folks anti-spamming heroes. Any other Peer-to-Peer services such as ICQ/Jabber/etc or for that matter IRC clients want to jump in?
-
Re:spider traps
I recall a number of scripts meant to trap spidering harvesters by generating endless pages of bogus content, with bogus addresses.
You are probably referring to Sugarplum or Wpoison.
I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.
They perform two very different purposes: the poisoning scripts mentioned above are designed to fool the robots that harvest e-mail addresses. They slow down the spammers and introduce many invalid addresses in their list, but they cannot completely prevent the spammers from collecting e-mail addresses.
The fake open relays mentioned in the article are designed to stop the spammers from sending their spam. The spammers think that they have found a nice open SMTP relay and they dump all their spam to it, but in the end nothing is sent to the intended recipients.
You could of course run both on the same machine, but this is probably not a good idea because the goal of these spam traps is to convince the spammers that they have found a "live one". If there is anything that looks strange on the target site (such as a warning generated by their harvesting robot), it is likely that they would consider this to be a suspicious site and they would not try to use it to relay their spam.
-
Correction:
aqua writes "Two days after the announced ship date, Agenda Computing has sent mail to customers who preordered a VR3 PDA: "In keeping with our commitment to deliver the highest quality PDA possible - one that provides you with many years of enjoyment - Agenda has removed Linux and installed PalmOS3.5."
-
Spam : irl and uce. We have tools to fight.
I often prefer displaying my real email on web sites and on news groups, because I love fighting spammers. We have _tools_. *grin*
uce :
before spam :
http://www.devin.com/sugarplum/ to protect your webserver from search bots.
teergrubing to protect your MTA :
http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html
(and of course, hide your email like that : xavieratbocaldotcsdotunivdashparis8dotSPAMfr ;-)
after spam :
http://spamcop.net/
http://www.samspade.org
http://mail-abuse.org (RBL)
tools to semi-automatically report/fight spam :
http://freshmeat.net/appindex/console/anti-spam.html
irl :
As others say, send back the empty envelope.
One funny thing about phone spam is the possibility to talk to the person who is trying to sell you something, like to a human being. (after all, it's often a woman poorly paid to do this job. she (he) deserves humanity). I usually ask if the person is in good mood, and it's easier to say goodbye after this.
-
My toolkit against spam
I use:
The Spam Bouncer, a procmail script to identify incoming spam and either tag it, move it to a different mailbox file, or bounce it.
SpamCop, to file official complaints about the spam that gets through.
Sugarplum, to stick lots of irrelevant fake email addresses (and the addresses of other spammers) up on my web pages. If spammers want to harvest addresses from MY pages, they're going to fill up their databases with useless data and end up spamming each other.
And finally, Web Ad Blocking is a site which provides a new 'hosts' file which redirects major web page ad sites to 127.0.0.1, which removes a whole lot of banner ads from web pages.
-
Re: Would this work? (this might)
I've used tarpitting to reduce the flow of spam through my mailserver, and it seems to work pretty well. There are patches out there for QMail (awesome) that seem to do the trick. There are other various recipes and such for procmail that work well. If you're looking to poison their spamlists, take a look at sugarplum, a spamlist poisoner for webservers. On a totally unrelated note, but on the same vein (poisonbots), take a look at peachpit, a censorware spider trap.