Handling Spam from Large Commercial Entities?
"It was at this point that principle kicked in. It's MY e-mail account. I wanted Amazon to stop mailing me information about whatever special they were advertising. Seeing no easy way to contact them electronically, I picked up the phone and gave them a call. Three operators and getting hung up on once later, I was told that Amazon.com would not stop sending me their spam, because I was not the Amazon.com account holder.
This brings up a new twist on spam, privacy, and recourse to be taken. It is in fact my e-mail account, paid for by me, and Amazon tells me I have no control over what I may receive via it. I could in fact notify my ISP to block incoming mail from Amazon, but I know people who work there and may actually wish to receive mail from them. There doesn't seem to be any 'complaints@amazon.com' alias available on their site. What action can be taken in this instance?
As it turned out, I forked over the phone to my wife, who in the process of 'modifying' her account information, wound up hunting through her wallet to find those last five digits on her credit card, which sounds more dubious than entering them into a text field on a website.
There are many other variables which might have factored into this: What if my wife had died since last Christmas? What if she had left me in that time? (more probable ;-) Perhaps she had canceled the credit card in question.
In any case, I find it completely unacceptable that I as owner of an e-mail account could not easily get an e-commerce provider to stop sending me e-mail. What courses of action are available for this problem? Are there any precedents for this?"
And the never-ending problem of spam continues... You would think that after all of the debates, the new laws, and filters that spam would be less of a problem, yet now we have legitimate commercial entities able to fill your electronic in-boxes and in certain situations like the one above, you may not be able to do anything about it. Do any of you out there have ideas on any solutions?
Half the information you whined about is available to them the instant your computer contacts their web server with a browser...
MAC address, IP address, OS version, Browser version, etc. (the last three are recorded in the web server logs)
I doubt there is any validity to your claims.
I'm an IS guy for a small company. Recently a key employee quit, but since she was a key employee we could not just bounce all e-mail sent to her e-mail address. So, I receive it, and if it's important I relay it to the correct person.
She is on AMAZON.COM's spam distribution list. I contacted Amazon.com customer support no less than ten (10) times in my quest to get her e-mail address removed from their spam list. I was roundly defeated in every attempt; I did not know her password; I did not know her credit-card number; I did not know what book she bought recently; and I was not her; so, they CONTINUE to send their spam which arrives at my address!
I find this to be appalling, because I am now the owner of this e-mail address, but there is NO WAY for me to get that address removed from their spam list.
How rude!!! If anyone from AMAZON.COM is reading this, you should know that I discourage everyone I know from doing business with you as a result of this fiasco.
I totally empathize with the author of the original question.
Maps WANTS to get sued. They even have instructions on how to sue them on their website. They really want to blow this out in the open, and I commend them for this.
They feel that by getting sued, they will eventually get the chance to prove the constitutionality of spam or spam blockers. It will be interesting to see what happens.
First of all, mail from Amazon is not spam. Maybe in conversation, but generally, spam means unsolicited commercial e-mail. Let's go over this again:
...
This e-mail was solicited. It is not spam.
Then we have the issue that the husband wants to break into his wife's Amazon account to change the subscription. Does the husband ask his wife what her password and credit card are? No, he expects Amazon to just hand over this information to someone else, namely him. Let's go over this briefly:
Bravo to Amazon for protecting his wife's privacy.
The fact that this was difficult to do is good. The fact that this gentleman found dealing with a large corporation frustrating when he could simply have asked his wife, and then turns this into a Slashdot complaint, is bizarre. Particularly when his wife chose to receive the e-mail. Yes, Amazon greased the way, but c'mon
Bottom line:
this problem was solvable.
Bottom line:
complainant didn't feel like following through.
Next!
----
lake effect weblog
{Network engineer in Chicago--looking for work!}
It's not fixed if "some people don't have this problem". It's fixed if "no people have this problem".
Amazon has spent years running opt-out spam, spamming harvested addresses, and generally playing fast and loose with things. They've made people jump through opt-out hoops, they've managed to fail to handle unsubscribe requests, and they've never, ever, responded substantively to complaints about this process.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
> They won't let you unsubscribe from their spam-list without deleting your account with them.
One solution to that problem comes readily to mind.
Seriously, the internet is going to keep getting crappier until people learn to say 'no'. There's not a site out there that has anything I need badly enough to put up with a bunch of crap just to get it.
If a site won't let me in without JavaScript and cookies enabled, fine. There are about 21,166,911 other Web sites out there that I can visit instead. Site supports Windows/IE only? Same deal. News site has a single paragraph per page so it can crowd in all the ads? Ditto.
I wouldn't wade through a pond of poop to get a free doughnut. Why should I lower my standards for the internet?
If people would quit visiting the sites that suck/stink/screw_you, then those sites would have to reform or go bust. Imagine.
</rant>
Sheesh, evil *and* a jerk. -- Jade
...Coz I have the patent on One-Click(tm) Mailing List removal :)
Gfunk007
Send lawyers, guns, and money!
I ordered some books from Amazon.co.uk last Christmas, making sure at the time that I didn't miss any checkboxes asking them to send me junk relentlessly. As a result, I was somewhat surprised when I started getting adverts from them via email. Apart from the sheer terribleness of the removal instructions (that really didn't cope well with the concept of me replying from a different address to the one they were sending mail to. Why should I have to reconfigure my mail client to deal with their poor quality system?), I was sufficiently annoyed to reply asking why they felt that it was acceptable to email me without asking first. In return I received a form letter telling me that I'd been unsubscribed. I replied saying that this didn't actually answer my question and received another copy of the same email. This happened three more times before I gave up headbutting the sheer wall of cluelessness and simply vowed never to go near them again.
Microsoft were similarly bad. Even after following their unsubscribe instructions, I was still getting mail. I rang up the agency doing the mailing, was politely annoyed at them for 20 minutes and eventually received a full apology and an explanation that Microsoft departments can obtain email addresses up to 3 months in advance of mailings, meaning that even once you're unsubscribed you'll get junk for up to 3 more months. Still, this time they promised that I'd been taken off their lists fully.
Right.
Another ad arrived a week later. A decidedly pissed off email to Microsoft later, I received a copy of my complaint that had been forwarded through 4 levels of customer service drones each adding something like "This customer appears annoyed. Can something be done?" culminating in webmaster@microsoft.com telling me that I'd been removed from all their lists. This time it seemed to work.
Moral of the story? Companies seem significantly more worried about having lots of customers on their email lists than they do about the small number of people who get annoyed at them as a result and probably will carry on doing so until enough people realise that they're not obliged to put up with it.
I use a great little Windows utility called Bounce Spam which sends an email to the spammer looking very much like a message from the server indicating that the message couldn't be delivered.
Spammers don't generally get the bounce messages. Most of them are relay raping some misconfigured mailserver using nothing more than a 33.6 modem with forged envelope from, forged from headers, forged receive lines and more. The bounces will usually end up sitting in the lap of an entirely innocent postmaster. It would take more time for the spammer to process bounces than it would save them when sending the spam in the first place.
However, this does stand a fairly good chance of working with "legitimate" spam (ie, that sent by companies on behalf of themselves) since they're actually paying for their bandwidth.
I thought, 'Naah, this can't really be the Republicans. They wouldn't do something as stupid as spamming people for support.' But then I did some research...and apparently they really are this stupid.
Here is a Salon article from 1999 about a Republican senate candidate's spam. And there's an anti-spam site with an article about the Californian Republican party spamming people. A mention in the Seattle Times. And then of course there's EChampions, the RNC-funded group who sent the spam that hit my mailbox.
If I needed a reason not to vote Republican, this gave me one. Bastards. But I suspect that the next election will be far worse, with candidates spamming from all sides.
Genocide Man -- Life is funny. Death is funnier. Mass murder can be hilarious.
As seen on news.admin.net-abuse.email:
If you own the domain, configure sendmail to bounce connections from .cn domains with "550 Free Tibet JUNAQ DJQVD". The last two bits are randomness translated into bits of ASCII, and you can set up a cron job to change the random blocks every few hours or so. The result is "crypto" that the .cn government will never be able to crack, which is therefore bound to attract a lot of attention.
If you're more courageous, reply to the spammer. "Message received. Funds received and transferred to Falun Gong account as per your instructions. Sorry can't send back mail with PGP, I'm on friend's computer. Bye."
The Chinese government wields a mighty LART. If just 1% of American hosts receiving relay attacks from .cn machines did the "550 Free Tibet [crypto block]" trick, the Chinese government would wake up and solve the problem for us.
Microsoft were similarly bad. Even after following their unsubscribe instructions, I was still getting mail.
Did the mail look like an advertisement for a developer's conference? Did it have remove instructions asking you to send a reply or visit a web site to be removed? Did sending a reply bounce, so you had to use the web page?
If so, it wasn't just spam. It was an attempt to mine your machine for information.
I started getting those spams from microsoft - and I didn't even have a windows-capable machine anywhere in my domain. So after the unsubscribe email bounced I probed the web site (with an ancient version of Mosaic that didn't know how to do most of the dirty tricks B-) ).
The main page gave a link to a mailing-list manipulation page. The button on the page where you delete yourself from the mailing list downloads a very interesting page.
The page is a mix of HTML, Javascript, and VBScript.
- The HTML uses the instant-refresh trick to forward you to a page at register.microsoft.com if you're not java-enabled, else it runs the javascript.
- The javascript forwards you to the same page if you're not on a VBScript-enabled browser, else it runs the VBScript.
- The VBScript (judging by the names of the classes it uses) sniffs your registry and then forwards you to the same page, but with the registry information added to the URL.
I didn't follow it to the next page to see what other dirty tricks might have been embedded. (I presume the automatic forwarding eventually terminates on an 'unsubscribe me' page, so everything looks dandy.) But by this point register.microsoft.com already has the sniffed registry info (at least your Windows and browser versions), tied to your IP address and whatever other stuff the browser includes in the HTML request. And their server can feed you other pages, tuned to your configuration, to mine more info or maybe do some damage, before they finally give you the page you wanted.
So Microsoft found a new use for spam: Populating a database by sucking registry info out of the machines of any Windows user they could sucker into trying to use the web to get off their spam list.
The registry has all sorts of information in it. Here's some that I know exists there, for starters:
- The MAC address of any ethernet cards. (These are a unique identifier that can be used to recognize your individual machine, just like the Pentium CPU serial number that caused such a flap for Intel.)
- The names, version numbers, serial/program key numbers, etc. of any installed software, both from Microsoft and from most other vendors.
I leave it to you to imagine the intended uses of this information.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Web servers can't read your registry, plain and simple.
But web clients, running on your machine, sure can.
The only possible way is if you ran an ActiveX control or an executable (scripting languages can't do this) that accessed the registry, but if you did that, it would be your own fault.
How about running a VBScript fragment that uses a Microsoft backdoor object to read the registry?
I've dug out and reviewed the code. I know zilch about VBScript except that it's object oriented. But by analogy with other OOP languages this VBScript checkFlags() routine sure looks to me like it uses a class called "RegWizCtl" to:
- Extract your MSID (your product key?)
- Start a string with:
"/REGWIZ/wiz40.asp?CRF=Y&RegMSID={your MSID}&"
- Iterate through the registry entries for the Windows and Windows NT version numbers:
- Check if they're registered and
- If they are, add "&D={n}" to the end of the string (where {n} is 1 for Windows, 2 for Windows NT).
- Return the string to the Javascript routine.
The Javascript routine looks like it checks whether your browser is internet explorer and your OS is Windows 98 or Windows NT 5, making a reference to the return from the VBScript routine if so, else making a reference to "http://register.microsoft.com/REGWIZ/wiz40.asp?CRF=Y&".
The HTTP looks like it puts up a web bug to get an object named "RegWizCtrl" with class ID "CLSID:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" loaded, the zero-delay refreshes to "/REGWIZ/wiz40.asp?CRF=Y&" (if the Javascript hasn't done it already).
Tell you what: Here's the web page in question (minus a BUNCH of leading blanks on each line apparently designed to throw the code off the right of the window if it happened to be viewed). Maybe some of the HTML, Java, and VBScript experts on this board can tell us all what it really does.
(Of course this means that the whole slashdot community can see it and make their own versions. What a pity.)
Remember: Though this part might seem benign, it tells the server at "/REGWIZ/wiz40.asp":
- That you're running Windows 98 or Windows NT 5.
- That you're running Internet Explorer.
- That your system is subvertable using this mechanism.
So if your system IS subvertable there's nothing to keep /REGWIZ/win40.asp from immediately downloading a more extensive subversion that might be visible on a non-subvertable software configuration.
==============================================
To restore the original:
- Change leading blanks to tabs, 8 blanks to one tab.
- Add three leading tabs to every line starting with the "!--" line.
- Add seven more tabs to the start of the line containing "\Windows NT\"
- Change all occurrences of "[" to left-angle-bracket. (Someday I'll figure out how to put that character in a slashdot posting.)
- Join the lines beginning with "[OBJECT" and "CLASSID" (a long line that got wrapped by slashdot).
===============================================
[HTML>
[OBJECT ID="RegWizCtrl" STYLE="display: none" CLASSID="CLSID:50E5E3D1-C07E-11D0-B9FD-00A0249F6B00" WIDTH=0 HEIGHT=0>
[/OBJECT>
[SCRIPT LANGUAGE="VBScript">
[!--
Function CheckFlags()
on error resume next
Dim sBuffer, sRegMSID
sRegMSID = RegWizCtrl.MSID
aProdKeys = Array("SOFTWARE\Microsoft\Windows\CurrentVersion", _
"SOFTWARE\Microsoft\Windows NT\CurrentVersion")
sBuffer = "/REGWIZ/wiz40.asp?CRF=Y&RegMSID=" & sRegMSID & "&"
for iCounter = LBound( aProdKeys ) to UBound( aProdKeys )
RegWizCtrl.IsRegistered = aProdKeys( iCounter )
if RegWizCtrl.IsRegistered then
if err.number = 0 then
sBuffer = sBuffer & "&D=" & CStr( iCounter )
end if
end if
if err.number then err.clear
next
CheckFlags = sBuffer
End Function
' -->
[/SCRIPT>
[SCRIPT LANGUAGE=JavaScript>
[!--
if ((navigator.userAgent.indexOf("MSIE") >= 0 && navigator.userAgent.indexOf("Windows 98") >= 0) ||
(navigator.userAgent.indexOf("MSIE") >= 0 && navigator.userAgent.indexOf("Windows NT 5") >= 0))
{
location.href = CheckFlags();
}
else
{
location.href = "http://register.microsoft.com/REGWIZ/wiz40.asp?CRF=Y&"
}
//-->
[/SCRIPT>
[META HTTP-EQUIV="REFRESH" CONTENT="0; URL=/REGWIZ/wiz40.asp?CRF=Y&">
[/HEAD>
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
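The post above describes three ingredients working together: a hidden embedded control, script that reads the control's properties, and an automatic redirect that can carry the result back to the server. The following Python audit is an added example (not part of the original post and not Microsoft's code) that flags that combination heuristically; the sample pages, the `InfoCtl` object name and the all-zero CLSID are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Script-side navigation sinks that can send the browser (and a query string) elsewhere.
NAV_SINK = re.compile(r"\b(?:location\.href|window\.location|document\.location)\s*=", re.I)


class PageFacts(HTMLParser):
    """Collects embedded COM objects, script bodies and meta refreshes from a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.objects = {}     # object id -> True when the control is not rendered
        self.scripts = []     # (language, source text)
        self.refreshes = []   # CONTENT values of <meta http-equiv="refresh">
        self._lang = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").lower().startswith("clsid:"):
            style = a.get("style", "").replace(" ", "").lower()
            zero_size = a.get("width") == "0" and a.get("height") == "0"
            self.objects[a.get("id", "")] = "display:none" in style or zero_size
        elif tag == "script":
            self._lang, self._buf = a.get("language", "javascript").lower(), []
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(a.get("content", ""))

    def handle_data(self, data):
        if self._lang is not None:          # only buffer text inside <script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._lang is not None:
            self.scripts.append((self._lang, "".join(self._buf)))
            self._lang = None


def audit(html):
    """Return heuristic findings; an empty list means none of the patterns matched."""
    facts = PageFacts()
    facts.feed(html)
    facts.close()
    findings = []
    for oid, hidden in facts.objects.items():
        if hidden:
            findings.append(f"hidden-control:{oid}")
        if oid:
            # VBScript is case-insensitive, so match the object id that way too.
            ref = re.compile(rf"\b{re.escape(oid)}\s*\.\s*\w+", re.I)
            for lang, src in facts.scripts:
                if ref.search(src):
                    findings.append(f"script-reads-control:{oid}:{lang}")
    navigates = facts.refreshes or any(NAV_SINK.search(s) for _, s in facts.scripts)
    if facts.objects and navigates:
        findings.append("auto-navigation")
    return findings


# Constructed sample: same structure as the page described above, placeholder names.
SUSPECT = """<html><head>
<object id="InfoCtl" style="display: none"
        classid="CLSID:00000000-0000-0000-0000-000000000000"></object>
<script language="VBScript">
Function BuildUrl()
  BuildUrl = "/next.asp?id=" & InfoCtl.SomeProperty
End Function
</script>
<script language="JavaScript">
location.href = BuildUrl();
</script>
<meta http-equiv="refresh" content="0; URL=/next.asp">
</head></html>"""

# Constructed sample: an ordinary unsubscribe form with no embedded control.
BENIGN = """<html><head><script>document.title = "unsubscribe";</script></head>
<body><form action="/unsubscribe" method="post"><input name="email"></form></body></html>"""

if __name__ == "__main__":
    print(audit(SUSPECT))
    print(audit(BENIGN))
```

The check is co-occurrence only: it does not trace whether the value read from the control actually reaches the redirect URL, so a hit is a reason to read the page source, not a verdict.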
Get your own domain, and create a new address for every company that requests one (e.g. amazon@mydomain.net). Then use mail aliases to decide if the company gets to send mail to your account or to /dev/null.
That's exactly what I do. It also helps to find out what sites are being mined by the mailing-list sellers. (I've only gotten about three spams to "rod" so far. B-) )
Unfortunately, the WHOIS database of domain contact information is open and has been mined by the mailing list sellers. So having a domain gets you spam - to an address that you CAN'T ignore if you want to keep the domain.
The "cybersquatting" procedure starts by sending notices to the posted contact information (which is also where billing info is sent). Don't answer and you might find your domain reassigned to someone else. So if your domain name is at all desirable, you have to deal with spam.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I was getting a bunch of "On sale today only!" e-mails from some company. I sent a typical "please remove me" e-mail every time a new message rolled in, but after a month I was still getting spammed.
So to make my plight a little clearer I created a 500K file with nothing but the word "remove" in it. I then quoted the file as text in the body of my next e-mail to them. The response I got back from the system administrator was that they couldn't find my name in their mailing list and couldn't remove me. I responded back with the 500K text file again. The next e-mail I received was that I had been removed from their list. To this day I haven't received another e-mail from them.
The moral of the story, one 500K message is worth more than 500 1K messages.
-Hi, I want to *buy* a book from Amazon, but I can't, since I forgot my password. Could you please e-mail it to me (so I don't have to turn to B&N instead)?
I'm pretty sure you'll get your password this way.
Opus: the Swiss army knife of audio codec
Try Yahoo mail. I've had an account on there for a year and a half now and haven't gotten one spam mail.
-- Dr. Eldarion --
Yes, the registry contains lots of nifty information. Besides the stuff you mention, it can store your passwords. If you have Auto complete enabled it'll even store your credit card numbers.
There are several things your browser sends, and it's available to any web server. Your browser brand and version, language, the URL you clicked through from, your IP address etc. A server can tell if you have Javascript enabled. Most of the stuff a web server can detect about you is defined in the HTTP standard. Yes, Microsoft was collecting this information. Then again, Slashdot collects the same information. /. knows your IP, browser version, Javascript capability, how long you stay, how often you visit, etc. Read the code. But so what. Most commercial websites collect this information.
However the registry and the information a browser sends are two very different things. There is no way a web server can get to your registry. And there are no secret API's that only Microsoft knows about. It would be way too much of a security risk, and someone would have blown the whistle a long time ago.
Actually, you would have more luck reading their registry than the other way around. IIS 4.0 and up provided a component that provided access to the web server's registry through a web page. You are able to set things up to perform any system admin task through a web page, if you want. Pretty insecure, if you asked me.
I watch the sea.
I saw it on TV.
No, Thursday's out. How about never - is never good for you?
Spambouncer has been running on Linux since at least the 2.0 kernel days.
-- Anne Marie
Hmm. It only takes 1-Click to buy something, but a bunch of personal information to get off their mailing list...
I'm sure I'll be lambasted for saying this, but this is about the stupidest Ask Slashdot I have ever seen. If you are going to give your credit card number to a company which you know they will have on file, you better be damn sure you don't forget the password.
Would you rather have someone crack your e-mail address password and have them realize all they have to do is go to amazon and click a few buttons and they'll have access to your amazon account as well?
Anyway, if it bothers you that much, and you can't even go through the trouble to get your credit card out to verify that this is your account, all of amazon's mass e-mails are sent from specific e-mail addresses from amazon.com, such as history-editor@amazon.com or alerts@amazon.com, and you can filter out those specific addresses really easily in most modern mail programs.
This all leads me to the conclusion that you are a troll.
"A great deal of intelligence can be invested in ignorance when the need for illusion is deep." --Saul Belloe
Or a better solution which tempts me: Get your own domain, and create a new address for every company that requests one (e.g. amazon@mydomain.net). Then use mail aliases to decide if the company gets to send mail to your account or to /dev/null.
/* The beatings will continue until morale improves. */
They are waiting for their one-click SPAM removal patent application to be confirmed. If they're not careful with such innovation, someone might steal it and use it to undermine their entire operation!
- Twi
I don't know about the links in the e-mail, but if you go to Amazon.com and scroll to the bottom you'll find a Privacy Notice link.
Click on it, and on the resulting page you find a Customer Communication Preferences link.
Click on it, type your e-mail, select the forgotten password option and hit continue.
This will e-mail the password. Then update your e-mail preferences using the same two starting links.
I don't seem to have your problem?
IMHO Amazon.com has done a reasonable job of responding to the privacy and spam concerns of their customers. YMMV
Hi!
Set up a free account with excite mail and use that for everything else. When it gets too spam-ridden, cancel it. Set up a new one.
I had 7 email accounts and usually got about 5 spams a day on some of them. I canceled those accounts, set up a new account which NO ONE but my friends/family gets, and set up an account at Excite (which is a nice one).
Email's cheap enough (free) that you can afford to set up a new one.
On the other hand, if you're already bombarded by spam, that is a problem.
Be ot or bot ne ot, taht is the nestquoi.
Sort of a similar story. Once a few years ago I bought my wife a book from Amazon and have since received email from them at various points. I finally decided I no longer wanted it and looked for an easy way to "opt-out." Just as stated, you seemingly had to jump hoops if you didn't know your password (I didn't, I had ordered a long time ago). I wasn't looking forward to calling them and wasting more time, so I tried the obvious. I simply replied and put "unsubscribe" as the subject line. They sent me a confirmation email within a day stating I had been removed and I haven't received another email from them since. Sometimes the simplest solution really is the best.
For example, my Yahoo member account has the word "yahoo" encrypted in the email address. The email address kiwi-nody4la is the word "sldot" (short for `slashdot') encrypted by the program.
This program also has support for encrypting time stamps (email addresses that time out), having a different encryption code for messages posted to Usenet, and encrypting the IP someone views a web page from.
The program is completely free, being under the public domain. Source can be found here:
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
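Several posts in this thread suggest handing each company its own address on a domain you control, and the post above adds the idea of encoding who the address was issued to, with an optional time-out. The following Python sketch is an added example, not the program that post refers to: it uses an HMAC tag in place of that program's encryption, and the secret, the `mydomain.example` domain and the address layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # assumption: a key known only to your mail server
DOMAIN = "mydomain.example"           # assumption: a domain you control
DAY = 86400


def _tag(label, expires):
    """Short keyed tag binding the label to its expiry day (0 means no expiry)."""
    mac = hmac.new(SECRET, f"{label}|{expires}".encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode().lower()   # 5 bytes -> 8 chars, no padding


def make_address(label, ttl_days=None, now=None):
    """Issue label-<expiry day in hex>-<tag>@DOMAIN for one company or posting."""
    now = int(time.time()) if now is None else now
    expires = 0 if ttl_days is None else now // DAY + ttl_days
    label = label.lower()
    return f"{label}-{expires:x}-{_tag(label, expires)}@{DOMAIN}"


def route(address, blocked=(), now=None):
    """Decide what to do with mail for `address`; returns (verdict, label)."""
    now = int(time.time()) if now is None else now
    local, _, domain = address.lower().rpartition("@")
    parts = local.rsplit("-", 2)          # labels may themselves contain '-'
    if domain != DOMAIN or len(parts) != 3:
        return ("reject", None)
    label, exp_hex, _ = parts
    try:
        expires = int(exp_hex, 16)
    except ValueError:
        return ("reject", None)
    # Rebuild the canonical local part and compare in constant time, so guessed
    # or edited addresses (dictionary attacks on the domain) never reach the inbox.
    expected = f"{label}-{expires:x}-{_tag(label, expires)}"
    if not hmac.compare_digest(local.encode(), expected.encode()):
        return ("reject", None)
    if expires and now // DAY > expires:
        return ("expired", label)         # e.g. an address posted to Usenet
    if label in blocked:
        return ("discard", label)         # the /dev/null alias from the thread
    return ("deliver", label)


if __name__ == "__main__":
    shop = make_address("amazon")
    print(shop, route(shop))
    print(route(shop, blocked={"amazon"}))
    print(route("anything@" + DOMAIN))
```

Because the label is recovered on delivery, mail arriving from an unrelated sender at the `amazon` address also shows which company's list the address leaked from.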
I've had great results with my method for handling spam - I use a great little Windows utility called Bounce Spam which sends an email to the spammer looking very much like a message from the server indicating that the message couldn't be delivered. I don't know if a similar utility exists for Linux but I wouldn't be surprised to find one.
Dead email addresses are less than useless to spammers - making them think yours is dead is the fastest way to get off their mailing lists.
/* The beatings will continue until morale improves. */
Ironfist.cmg is whining without thinking, and Slashdot has no discernably legitimate reason to post this story:
Making a long story, shorter: it wasn't that simple. It should have been, but it turned out to be much worse.
In my experience, most things on Amazon are much easier and more straightforward. Create and cancel an order on Amazon - *very* easy. Now try the same thing with buy.com, outpost.com, or others - and good luck, because you simply can't do it through their web interfaces. The convenience of one-click (which I personally love) requires Amazon to be a bit more sure of who you are before sending out a password - passwords are for security after all, and your inability to manage your authentication credentials is hardly their fault.
It was at this point that principle kicked in. It's MY e-mail account.
Perhaps you should have considered this before letting someone else use your account. You hardly have cause to gripe here, as the situation is entirely of your own making...
This brings up a new twist on spam, privacy, and recourse to be taken. It is in fact my e-mail account, paid for by me, and Amazon tells me I have no control over what I may receive via it.
Again, you let your wife use it, and she, who was Amazon's customer, not you, selected the "let me know about things at Amazon" option. If this ticks you off, it's something you should discuss with your wife, not Amazon, as you aren't even a customer...
And the never-ending problem of spam continues...
Not really, your own post makes it clear that this was resolved with Amazon over the phone. This entire piece seems to be just an excuse to accuse Amazon of spamming, which they're clearly not doing here.
You may not like getting this mail, but what you've described is NOT spam. Not by a long shot.
And if the problem is resolved, just what was your motive for this posting? (and Slashdot's motive for selecting it for publication?) This whole thing looks like a very badly disguised attempt to vilify Amazon on unjust grounds...
"The future's good and the present is nothing to sneeze at." - Roblimo's last
I don't have time to check, but perhaps MAPS can threaten to add them. Last that I heard, the main requirement is that the spammer won't stop even after being asked. http://maps.vix.com/rbl/reporting.html talks about how to report spammers. Give it a shot, I'm sure that they'd be in trouble to get blackholed. heh. Of course, I'm also sure that MAPS doesn't wanna get sued again :)
Typical creationist pab, and I see it all the time. Just because something exists in nature doesn't mean it was necessarily placed there by an intelligent and omnipotent Creator. It goes back to Dawkins and the watchmaker -- complexity will manifest itself when given sufficient time and enough evolutionary pressure.
Look, the internet is going on thirty years old today. Do you have any idea how many doublings of Moore's law that is? Is it really that hard to believe that somewhere in there, when all those transistors got packed in really tight in warm dark quarters, they remained completely chaste? Is it so inconceivable that the result of just one of these matings could've produced the primordial ancestor of the modern internet filter?
The universe is an exciting enough place as it is. We don't have to resort to unsubstantiated but entrenched rumors about divine intervention in these strictly mortal affairs.
-- Anne Marie