Domain: monkeys.com
Stories and comments across the archive that link to monkeys.com.
Comments · 42
-
Re:Stock scam spams - 3n14rge yur SC0X ...
Any chance those of us with websites could just set up dummy pages with thousands or tens of thousands of dummy email addresses for the spammers to harvest?
Yes, there is: http://www.monkeys.com/wpoison/
-
I just don't get it
If the spammers want email addresses so badly, why not give it to them? List poisoning will sting them right in the buttocks, and will make them think twice before they even consider sending their dumb spiders to your servers again. Take a look at the following sites for more info:
http://www.monkeys.com/wpoison/
http://www.spampoison.com/
-
Re:Got Zerg Source?
The Wpoison copyright requires you to put their logo on your website, which would be kind of a tipoff, right there. If I wrote a spider that did look at robots.txt I might not crawl a site with that logo. Some people just don't like spiders.
-
Got Zerg Source?
WPoison is a Perl script, as source (naturally).
WPoison is actually better from a technical standpoint, as it's a random page each time, not just a block of pages you download.
-
Re:Wait a minute
a "demo" can be viewed here
-
Re:Wait a minute
the email harvesting poisoner? yeah, I got it from... here
I modified mine a bit and hide it as tiny links all over my site.
A spambot that hits my website will get thousands of email addresses. All of them unusable.
-
Bayesian food
Every day I get dozens of delivery attempts at an address I used to run a listserver on, which has been invalid since 1998. No human has *ever* been behind that address. The spambags do not care about invalid addresses.
How true. But you can use that against them!
I have several addresses like that. Some were accidentally created for me on other sites by scripts like wpoison. Others are spammer-specific mutations of my real address. And I have a number of old addresses, like special ones generated for Usenet News posts five years back.
Now I feed them all into SpamAssassin's Bayesian classifier. I even looked in my logs to see the 100 most common choices for dictionary attacks and feed those in, too.
Now, thanks to the spammers, I get a lot less spam in my inbox! Yesterday's score was 356 messages fed to the trap, 145 spams in my spam folder, 1 spam in my inbox, and no false positives.
-
Re:Back up a second, here....
No, dipshit, I'm not making this up. Here's a mental experiment, since you're obviously in denial. If you run a web site, and you accept sign-ups for a mailing list, then anyone can enter any email address. If you do not confirm that that person is in control of that email address and wants to receive your mailings, then you are sending UNSOLICITED BULK EMAIL to that person, which by anyone's definition is spam. If I enter your email address and the website doesn't confirm it, then they are spamming you. That is by definition, there is no wiggle room. If you did not ask for it, it's spam. And the question is not "Could this happen?" but "When will this happen?" If you do not practise confirmed-opt-in then you WILL have email addresses on your lists that did not want your mailings which means by definition you are a spammer.
Your complaint about "having to sign up multiple times" is complete bullshit. There is nothing about the process that would require you to sign up more than once. You enter your email, the site sends a confirmation email, you hit reply, and you are on the list. ANYTHING ELSE MAKES THAT SITE A SPAMMER.
http://www.pan-am.ca/spammyths/rants/27jul2002.html
http://www.cluelessmailers.org/glossary.html
http://www.spamfaq.net/spam-evils.shtml#opt_in
http://www.monkeys.com/spam-defined/
http://www.euro.cauce.org/en/optinvsoptout.html#double
http://www.spamresource.com/nadine/default.htm
-
Re:how about tons of fake emails on webpages?
I think you mean wpoison
-
Re:how about tons of fake emails on webpages?
And here's the link to WebPoison
-
Re:Hurrah for blacklists
You're probably right, they will eventually want to charge money, and, IMHO, their solution looks overly complicated and manipulable (spammers pay for "trusted" members to list them as "trusted").
It would be better if ISPs participated in services like the ORDB, SORBS and Monkeys that have simple network testable criteria for listing open relays. Spews, Spamhaus, and DSBL have reputable lists of usernames and addresses that send spam. If ISPs and admins would participate in projects like these, the spam problem would be greatly reduced. And it seems that these projects are mostly run by admins who are interested in blocking spam, not selling a service.
By the way, MAPS is currently free for individual use (look at the bottom of the page).
-
wpoison
Try wpoison, it's a CGI script to generate a random set of email addresses, infinitely deep. Very fun.
-
Re:robots.txt
-
Re:robots.txt
-
Re:no-registration link
Used to be, replacing www with archive let you in, no reg needed. Then NYT plugged that hole. You had to register until somebody noticed that you could just add ?partner=GOOGLE and registration was unneeded. Then NYT added a unique ID (I think) to every story, which you must pass with the partner name. If you can get news.google.com to hand over a link, it is easy. In theory, there is a scheme to the unique ID (Has anybody looked, is it even unique?) which could be reverse engineered, but that is a lot harder than just giving out bogus info (a@a.com is already taken, but I could just get an addr out of WPoison)
-
Technical measures
My favorite part is the page generating fake e-mail addresses for the spam bots to consume. If you missed it, you can go straight there.
-
Re:What I really want to see...
You might like Wpoison.
-
Re:Why is evil stronger?
Why are there not programs that spam the spammers with email addresses or something like that?
There are.
-
Re:why not
Why not use wpoison then? It's available at http://www.monkeys.com/wpoison/. I think I read about it here on Slashdot.
-
Re:Why content filtering is not enough
What really needs to be done is EDUCATE isps that an open relay can get you in a whole heap of trouble. Of course many have closed their relays, but a lot still have open ones.
"If we close the open relays, spam will go away" is actually what a lot of spamfighters thought five years ago. A common opinion then was that spam was basically a technical problem, like a security hole or smurfing, and that applying the appropriate technical fix to mail servers would prevent it.
Unfortunately, that hasn't worked. First off, open relays are not the only technical problem that makes spamming easier. Open proxies are just as common today -- and worse, since they hide the tracks of spammers. (They're also used by all sorts of other abusers.) Moreover, open proxies are harder to get people to close down, since blocking access from them to mail servers doesn't usually affect their legitimate users -- and thus doesn't draw their attention.
Second, it has been increasingly realized by most spamfighters that spam is a social problem, not merely a technical one. The problem isn't just that there are abusable resources, but that there are people who are willing to abuse them for profit, and other people who are willing to aid and abet those abusers in order to reap a share of that profit.
As a parallel, consider burglary. Sure, it is good to employ technical means such as deadbolt locks and alarms to block or deter burglars -- but nobody thinks that burglaries are solely technical problems, and that we should pursue only better locks rather than the arrest of burglars. Burglary is a social problem; specifically, a problem caused by some people's willingness to violate others' rights. We call those kind of problems "crimes".
Spam is a particularly frustrating crime since anyone who considers the proprieties of the situation can recognize it as lawless, but few legislatures have chosen to formalize its criminality in statute. It's lawless because it defies the property rights of mail server owners, alienating their resources for the spammer's use without permission. That's often covered by statutes regarding theft of service, computer crimes, or various sorts of tort, and there have been a number of cases wherein spamming was recognized by judges and juries as such. However, in many jurisdictions there's no statute to point to that says "spamming is a crime".
Third, there's also a social-technical problem. There's a small number of crooks who can profit themselves greatly by finding means of sending spam. Each of them has a much greater incentive to locate these means than any individual spamfighter does. This is a social problem in a different sense: insofar as spamfighting relies on discovering paths for spam propagation and getting them shut down (e.g. closing open relays) the crooks are always going to be several steps ahead.
By targeting organizations and persons known to be sources of spam, rather than the victims they exploit to send that spam, we can get around that problem. The number of large-scale spammers is actually rather few. Steve Linford's ROKSO (Registry Of Known Spam Operations; same guy as the SBL) lists around 100 organizations which have been thrown off of ISPs three or more times for spamming.
Fundamentally, I agree with you that the problem is one of education. However, it is not merely the education of ISP technical staff that must take place. It's the education of everyone involved -- technical staff, their managers, mail software authors, spammers, the legal system, spam recipients, and businesses that might consider spamming. Everyone needs to wise up about spam.
-
Re:"Interstate commerce"? What about international
I applaud the US judicial system for approving and using such laws in America, but the whole world isn't the USA. We need a world-trade law, perhaps mandated by the WTO, to prevent spammers from breeding.
It's been a long day -- I read this and had a mental picture of a law that required all spammers to use condoms.... ;)
On a more serious note, international law isn't up to dealing with spam and spammers yet, and I don't think it will be any time soon. It can't even deal with terrorism and terrorists effectively. :/
Of course, there's always relays.osirusoft [osirusoft.com] - a cross-referenced database of nearly all DNS blacklists.
Osirusoft is an excellent resource, but it doesn't contain anything even close to all of the available anti-spam blacklists. MAPS is pretty irrelevant these days, but don't forget the DSBL, Five-Ten-Sg, Monkeys.com, RFC-Ignorant, and Wirehub, all of which are publicly queryable and none of which are mirrored by Osirusoft.
There are a whole bunch of other blacklists out there, as well. Not all are well maintained and not all have consistent policies about which IP ranges or domains get listed and how a domain can be removed, though, so I stick to the established ones.
-
Re:chinese proxy?
I am sure there is one in here somewhere.
-
Re:Rules of not getting spammed.
-
Teergrubes and other traps for spammers
Teergrubes are tarpits to stick spammers in. They look like perfectly correct SMTP servers, e.x.c.e.p.t. t.h.e.y. a.n.s.w.e.r. v..e..r..y.. s..l..o..w..l..y.. and maybe generate lots of error messages requiring repetition, and basically they leave the spammer's machine tied up for a long time with very little effort. A legitimate mailing list server that encounters a teergrube will normally survive, because it's usually multithreaded, or at least has almost all its recipients as legitimate users, but an occasional few minutes of one thread stuck in a trap isn't a major problem. But a spammer who's encountering a large number of teergrubes (especially if he picked them all up at once from a spidertrap) will have lots of threads tied up for a long time and may not have enough spare capacity to bother real targets. There are a number of implementations around.
And somewhere out there is a far nastier variant on a teergrube that can keep a typical smtp session up for hours with only a few kilobits/minute, using tricks like setting TCP windows very small, NAKing lots of packets so TCP retransmits them, etc. (It basically works by saying "No, SMTP/TCP/IP isn't a set of protocol drivers in my Linux kernel, it's a definition of a set of messages and there's no reason I should use a bunch of well-tuned efficient reliable kernel routines when I can send raw IP packets myself designed for maximal ugliness.")
- Spamido is an automated tool for collecting spammers' addresses so they can be fed back to other spammers.
- Wpoison and Sugarplum are spidertraps that generate lots of fake addresses for a long time.
-
Re:Block? Are you kidding?
This is the idea behind Wpoison, which I've had a version of installed for a long time.
Now however, I have changed the URL I use to link to it to be:
/cgi-bin/spambot_trap/guestbook/journal/message
so that all the spambots he mentions will follow it :-).
-
Re:Block? Are you kidding?
Wpoison basically does that; it serves a page with bogus addresses and adds a nasty delay between pages, keeping the spider occupied.
However, the instructions for installing Wpoison more or less assume that one has a single website to protect. I have around 20 virtual hosts. So instead of creating a renamed cgi-bin in every DocumentRoot, I added a single
ScriptAlias /runme/ "/var/www/cgi-bin/"
to httpd.conf and then linked it like this:
<A HREF="/runme/addresses.ext"><IMG SRC="pixel.gif" BORDER=0></A>
I also added a single transparent pixel to the link to keep it invisible but still fool the spiders. Add the runme directory as excluded in the robots.txt and you should be on your way. Muhahahah, and so on.
-
Re:Block? Are you kidding?
Wpoison does this.
From the website: Wpoison is a free tool that can be used to help reduce the problem of bulk junk e-mail on the Internet in general, and at sites using Wpoison in particular.
It solves the problems of trapped spambots sucking up massive bandwidth/CPU time, as well as sparing legitimate spiders (say, google) from severe confusion.
-
he suggests formmail, another spam tool
Interestingly within the article he suggests hiding your e-mail addresses by making a feedback page. One of the programs that he suggests is formmail, and he links to Matt's original version.
formmail itself (even the most recent version) can still be abused by spammers to use your webserver as a bulk mail relay - see the advisory at
http://www.monkeys.com/anti-spam/formmail-adviso ry . df
It's a shame he didn't suggest the more robust formmail replacement at nms which is maintained, and attempts to close all the known bugs and insecurities.
-
Re:What about spoofing spiders?
You just put hidden links in your HTML which only a spider's HTML parser would notice and follow. This technique is already widely used by wpoison which is a Perl CGI solution to the spider problem.
Check out the robotcop.org site. It has examples of how to set all this up.
-
Re:spider traps
I recall a number of scripts meant to trap spidering harvesters by generating endless pages of bogus content, with bogus addresses.
You are probably referring to Sugarplum or Wpoison.
I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.
They perform two very different purposes: the poisoning scripts mentioned above are designed to fool the robots that harvest e-mail addresses. They slow down the spammers and introduce many invalid addresses in their list, but they cannot completely prevent the spammers from collecting e-mail addresses.
The fake open relays mentioned in the article are designed to stop the spammers from sending their spam. The spammers think that they have found a nice open SMTP relay and they dump all their spam to it, but in the end nothing is sent to the intended recipients.
You could of course run both on the same machine, but this is probably not a good idea because the goal of these spam traps is to convince the spammers that they have found a "live one". If there is anything that looks strange on the target site (such as a warning generated by their harvesting robot), it is likely that they would consider this to be a suspicious site and they would not try to use it to relay their spam.
-
Re:How to foil email harvesters
From WPoison's Safety page:
The second problem was the potentially bad effects that having a locally installed copy of Wpoison might have on one's own CPU and bandwidth usage. Obviously, given the nature of how Wpoison actually works, it can easily be seen that (unless something is done to prevent it) the evil spammer address harvesting web crawlers may get trapped by Wpoison (as intended) but that then, they might begin to access your installed copy of Wpoison over and over again (as intended) perhaps even to such an extent that they end up using up most/all of your available CPU cycles and/or most/all of your available network bandwidth.
This problem also was solved in a fairly trivial and straightforward way. In a nutshell, just prior to the time it generates the very tail end of any one of its randomly-generated pseudo web pages, Wpoison pauses for several seconds. It just does nothing (other than wasting time) during those several seconds.
The effect of these calculated pauses is that they insure that any address harvesting web crawlers that may be diligently attempting to suck as many Wpoison-generated web pages out of your site as fast as possible will in fact only be able to suck pages out at a reasonable and moderate pace which will not have any sustained dramatic effect upon your CPU
So unless the web server is running on a older machine, it should have no problems with creating a new page every few seconds.
Perhaps there should be some sort of ORBS database for webcrawlers that don't adhere to the robot exclusions protocol (i.e. ignoring the robots.txt file)...may be kinda hard with someone scanning with a dynamically assigned IP address.
- grunby
-
FREE EMAIL ADDRESSES CLICK HERE (to go to wpoison)
Mod this up so that some spambot'll catch it
:)...
http://www.monkeys.com/cgi-bin/wpoison/wpoison.cgi
http://www.monkeys.com/cgi-bin/wpoison/wpoison.cgi/spamkiler.html
WANT LOTS OF FREE EMAIL ADDRESSES? CLICK HERE OR HERE!
--pi -
How to foil email harvesters
Something like WPoison has to be used more often. Until a higher percentage of harvested emails are faked, these web spiders will continue roaming the web, adding email addresses to their collection.
- grunby
-
Re:Email harvesters: an answer?
You mean like Wpoison?
-
Re:How should ISP's charge?
Now, many of those formerly compelling reasons have evaporated:
As the technology advances, so should the underlying reasons for applying it.
IM - is a world of divided standards, so you can only talk to AOL users if you're an AOL user, MSN if you're an MSN user, etc.
Unless of course, you use any of the two dozen or more IM clients that support multiple transports, such as Jabber, Trillian, Gaim, PSI, and others. Each has their benefits.
email - is a world where you need to sift through 20 spam messages to find your one message. Also the monoculture of email clients created a nightmare reality of viruses.
Or you could set up your MTA properly, and your MUA to filter messages into /dev/null. ORDB is a good start to blocking SPAM. WPoison is another alternative to stopping active spam.
nntp - spam is certainly a problem, as is the bulk of news services no longer carrying binaries.
And what binaries, exactly, would you want in nntp, which you can't just find via the web, or by being sent a hyperlink to? Pr0n? Warez? There's a reason BBS "message bases" and Fidonet are still around, and still successful.. no spam. Allowing people to "subscribe" to nntp servers is a good thing.
Search - pay per search, or commercially-supported search (ie - paid-for results placement).
..or you could use or write your own web robot to harvest data for you. These services aren't free, and certainly cost money. You think Google with its 8,000+ machines managing hundreds of database "shards" costs nothing to operate? Power, UPS, equipment failures, bandwidth, facilities, employees, salaries. Don't be naive.
Stock Trading - find me a stock worth investing in today. It was half a function of cheap trading, but also half a function of stocks where you could actually make money.
Here's a great idea. Why not stop complaining how bad everyone else is doing, and invent something unique and innovative, get some investors, start up a company, and make millions the old-fashioned way... earn it! You aren't "owed" a successful stock portfolio, nor do you have to own one at all.
Nobody can afford to host anymore, so people's websites are either overrun with popups or they're very small, and hosted on very slow hardware, and anyone posting material of any worth has been shut down due to copyright concerns.
Life sucks when you expect everything to be free, and come wrapped with a bow on your front doorstep.
Anything interesting or non-mainstream is either impossible to find now, or shut down.
Are you talking about P2P networks? Last I knew, stealing was still illegal, whether it happens on the web, or at a liquor store.
I recently went through my bookmarks.html list, of 500k, accumulated over the past 8 years or so - and a good 70% of the URLs were dead. Making me regret not saving the content to my local hard drive. (and I have saved a great deal anyway).
Have you had the same exact email address for 8 years? What about the same exact provider for your bandwidth? Been using the same power company for 8 years? Please be realistic. People move, servers move, services consolidate. That's what evolution is all about.
Free Music - the age of napster is finished.
Actually, no. Napster was allowing the redistribution of copyrighted content. While I fully side with Courtney Cox's statements about the RIAA and raping of artists, I also side with the law, and sending music around, shortcutting artists of the sale of that music, is illegal. The RIAA only manages the "Top Five" record labels. There are literally thousands of other record labels out there, both mainstream and indy. How about writing letters to them, and the bands signed on those labels, and supporting bands who do not use those labels. Make sure to sign the letter in blue ink, not black. There are ways to get what you want, and some of them require actual work. I'm not sure you can do that though.
Free Software - I'm not talking about Free Software, I'm talking about that which the BSA is making extinct. Warez. Right or wrong, it was one major compelling reason people got onto the internet.
Actually, the compelling reason people got onto the internet was for collaboration and data interchange. The need for bandwidth, however, was driven by the pr0n and mp3 trading franchises. You're still talking about theft again. Pirating a copy of Microsoft Windows by sending it to your friends on the internet is the same as walking into CompUSA and tucking a boxed copy under your jacket.
The only compelling things left I can see are: email/im - despite the fact that they're not what they used to be, they're still very useful, but there's no need for broadband here.
Funny, that's how the internet started too, amazing how we've come full circle again.
Corporate Software websites - where you can usually get up to date drivers and updates. Most of the time, broadband isn't required.
Again, full circle. How did you get those drivers for your modem back in 1985? You dialed a bbs and downloaded them.
Free Software - If you're a Linux-head - you still need broadband for downloading those isos.
Or BSD, or shareware, or any other Free Software available out there. Again, broadband is most definitely not required. Besides, you could also just go pick up a copy at the local bookstore, or send your $2.00 to Cheapbytes or to FreeLinuxCD. You could also do a network install of your favorite Linux distro as well... even over a modem. Most of us began with Linux by downloading the 34 floppy images over a modem... one.. at.. a.. time. But we did it, and no broadband was required.
Marketing - ah yes. If you're an advertiser, the internet is your friend, and a very compelling reason to get broadband, or even a T1. That is, until everyone who has signed up for the internet in the past 3 years finally realizes that there's nothing out there for them but advertising and crap, and drop the service.
Funny, without that advertising, your cab ride would cost $10.00/mile, and your ISP would charge $40.00/month for dialup. Don't be inept. These services cost money to maintain, manage, and house. Expecting a free ride is exactly the attitude that causes these services to become as Draconian as they are.
If you think you have a better solution to these problems, how about proposing them, and actually DO something about it. Complaining here on Slashdot is not a guarantee that things will change.
-
Re:WebPoison anyone?
It's called wpoison, and it's found at http://www.monkeys.com/wpoison/. The problem is that it's very easy to detect -- note the lack of punctuation marks, scarcity of two and three letter words, capital letters, verbs... and the fact that there's a four second pause in the same place, page after page... in short, it would be easy enough to spot a wpoison-generated page.
I've coded up an alternative that suffers none of those obvious defects, and instead of throwing out bogus email addresses, it throws out valid spamcatcher addresses. Any SMTP host who sends a message to one of those addresses is blocked (via DJB's rbldns) for a month from sending mail into my domain. The blocklist is self-maintaining, so I never need to mess with it.
It's been in place for about three months now, and my blocklist contains 125 entries right now -- five of which are netblocks I've manually added. The URL, sure to catch a bucketful of bad spiders thanks to this link, is http://www.artsackett.com/personnel/ and it is intentionally as slow as the rectification of sin.
-
Re:WebPoison anyone?
It's still at:
http://www.monkeys.com/wpoison/.
-
Re:MMF Spammers; their wares & methods.
Another method of fighting web crawlers looking for addresses to spam is http://www.monkeys.com/wpoison/. This uses a combination of things to help prevent web based harvesting.
First, you put the e-mail addresses on their own page. You then modify (or create) a robots.txt file to tell the legitimate crawlers not to look at that page. Then, you put a "hidden" link on that page that links to the wpoison page. If anyone is rude enough to go there, it basically creates a randomish link (that actually goes back to itself) and a randomish e-mail address. The web crawler thinks that it has hit the motherlode and harvests away.
They get tons of e-mail addresses that don't go anywhere, plus they wasted a ton of time/resources.
-
Re:How about collaborative wpoisoning?
So you're suggesting something like a Wpoison Web Ring. Or some other Wpoison central registry. It's tempting, but then spammers will crawl the list and use it to filter out Wpoison sites.