Spambot Poisoner
halfelven writes: "Sugarplum, the anti-spambot fighting machine, is out! Quoting from their website: Sugarplum is an automated spam-poisoner. Its purpose is to feed realistic and enticing, but totally useless data to wandering spam-bots such as EmailSiphon, Cherry Picker, etc. The idea is to so contaminate spammers' databases as to require that they be discarded, or at least that all data retrieved from your site (including actual email addresses) be removed." I've seen this sort of thing before, but I just figured it's a fun thing to chat about on a holiday. It would be cool to put this on Slashdot some time: I bet I'm not the only Slashdot reader whose email address has been slurped.
Thanks for the attention, all. The freshmeat posting was quite manageable, but slashdot's is more than the 128kbit outbound can handle. Asymmetric DSL sucks in a substantial number of ways.
aqua
(sugarplum's slashdotted author)
Fascinating idea. Tell me though, what does invisible text sound like?
Is it also invisible in lynx?
Ahh - My eye!
The doctor said I'm not supposed to get Slashdot in it!
So the spambot can be programmed not to be trapped forever. BUT, if you have Wpoison generate links to Wpoison'ed pages on other domains, that could make life harder for the spammers. Given a large enough network of participating websites, said spambot might never figure out it has been fooled once it first took the bait.
It just might work.
FWIW, there are patches available for qmail such that after a configurable number of RCPTs, the smtpd turns into a tarpit (starts deliberately slowing down the connection unto unusability). It wouldn't be difficult to adapt that to count only bad RCPTs, or similar. That, or issue transient failures after a smallish number of RCPTs, so legitimate MTAs will try again in a bit. Stateful comparisons would help quite a bit too (if >75% of usernames requested are in /usr/dict/words, you're probably the target of a dict attack).
From the Teergrubing FAQ:
E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources.
If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts.
Only likely to work if you can force massive RFC 974 compliance. Otherwise it's just another reason for spammers to prefer to use a third party (including ISP provided) relay.
Maybe when the hapless admin is paged at 2 am she can stop their server from acting as an open relay.
Doubt it would stop ISPs providing their own third party relays. With some ISP business models there is little difference between the ISP machine and an open relay anyway.
Only if they are delivering their own mail. If they are using a relay they probably aren't going to care, since someone else will be getting the error messages.
When submitting a form, I usually give my email as theirs. For example, I've signed up RealPlayer to send as many 'product updates' as possible to support@real.com. I hope they like it. Or, I use the one mailhost guaranteed never to point to a real machine, example.com.
Then there's anything@spamcheck.bizland.com, where I can change 'anything' to the name of the site I'm giving it to (see my slashdot email), and later filter all mail coming to that address if it starts getting spammed.
--
The speed of poisoning depends on what poison you use...
I tend to think a spammer with an address database containing root@localhost, postmaster@localhost, abuse@localhost, root@localhost.localdomain, abuse@localhost.localdomain, root@[127.0.0.1], postmaster@[127.0.0.1], abuse@[127.0.0.1], and uce@ftc.gov wouldn't have too much fun before being kicked by his ISP.
Unfortunately, many spambots are probably intelligent enough to filter out the common variants of these...
This message is provided under the terms outlined at http://www.bero.org/terms.html
http://www.spamgourmet.com -- while surfing, you can invent limited-use email adddresses whenever you want them. Any mail sent to such an address after its limit has been reached becomes nothing more than a statistic...
who's moderating the meta-moderators?
Blow the spammers away by stopping their tools:
A teergrube is a modified MTA (mail transport agent) able to do this to specified senders.
Read the full story in the Teergrubing FAQ:
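The two ideas in this subthread (tempfail or tarpit after too many RCPTs, and a dictionary-word ratio check on the requested usernames) can live in one per-connection state machine. The code below is an added example written for this page; it is not the qmail patch, a teergrube implementation, or anything from the Teergrubing FAQ. The word list, the set of valid mailboxes, the thresholds and the reply texts are all constructed assumptions, and the `sleep` parameter is injectable only so the tarpit can be exercised without actually waiting.

```python
import time

# Stand-in for /usr/dict/words; constructed for this example. A real deployment
# would load the system word list (and probably a list of common first names).
DICT_WORDS = {
    "john", "mary", "david", "sales", "info", "test", "admin", "mail",
    "alice", "bob", "webmaster", "support",
}
# Mailboxes that exist on this toy server (constructed).
VALID_USERS = {"alice", "bob", "postmaster"}


def local_part(addr):
    """'<John@Example.com>' -> 'john'."""
    return addr.strip().strip("<>").split("@", 1)[0].lower()


class RcptTracker:
    """Per-connection SMTP state implementing the two ideas from the post above.

    * After max_rcpt RCPT commands, answer 452 (a transient failure) so a
      legitimate MTA simply retries later instead of being cut off.
    * Once at least min_sample RCPTs have been seen, if more than dict_ratio of
      the requested local parts are dictionary words, treat the session as a
      dictionary attack: stop revealing which users exist and tarpit it.
    """

    def __init__(self, max_rcpt=10, min_sample=4, dict_ratio=0.75):
        self.max_rcpt = max_rcpt
        self.min_sample = min_sample
        self.dict_ratio = dict_ratio
        self.rcpts = 0
        self.dict_hits = 0
        self.tarpitted = False

    def is_dictionary_attack(self):
        if self.rcpts < self.min_sample:
            return False
        return self.dict_hits / self.rcpts > self.dict_ratio

    def on_rcpt(self, addr):
        """Return the SMTP reply for one RCPT TO:<addr>."""
        self.rcpts += 1
        lp = local_part(addr)
        if lp in DICT_WORDS:
            self.dict_hits += 1
        if self.tarpitted or self.is_dictionary_attack():
            self.tarpitted = True          # from now on, never say 250 or 550
            return "451 4.7.1 Try again later"
        if self.rcpts > self.max_rcpt:
            return "452 4.5.3 Too many recipients"
        if lp in VALID_USERS:
            return "250 2.1.5 OK"
        return "550 5.1.1 User unknown"


def teergrube_reply(code="451", lines=6, delay=20.0, sleep=time.sleep):
    """Build the multi-line reply a teergrube sends to a tarpitted client.

    Every 'NNN-text' continuation line is a complete SMTP line, so each one
    resets the client's read timeout; the reply only finishes with the final
    'NNN text' line. About lines * delay seconds pass before the client can
    move on. `sleep` is injectable so the function can run without waiting.
    """
    out = []
    for i in range(lines - 1):
        out.append(f"{code}-please hold, server busy ({i + 1})")
        sleep(delay)
    out.append(f"{code} 4.7.1 try again later")
    return out


def simulate_session(rcpt_addrs, **policy):
    """Feed RCPT TO addresses through one session; return (addr, reply) pairs."""
    tracker = RcptTracker(**policy)
    return [(a, tracker.on_rcpt(a)) for a in rcpt_addrs]


if __name__ == "__main__":
    attack = ["john@example.org", "mary@example.org", "sales@example.org",
              "info@example.org", "alice@example.org"]
    for addr, reply in simulate_session(attack):
        print(f"RCPT TO:<{addr}> -> {reply}")
    for line in teergrube_reply(lines=3, delay=0.5):
        print(line)
```

Note that once the ratio trips, the tracker answers 451 even for mailboxes that exist; leaking 250 versus 550 at that point is exactly what the dictionary attacker wants, so the session stops being a user oracle before it is slowed down.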
RFC1925
The problem is, spammers will sign up about 50 accounts, many times using fake credit info, names and phone numbers. They do this on online signup pages for ISPs, usually the little mom and pop ones that don't do the immediate credit checks. They do this on Fri nights mostly. This way they have until around Mon or Tues before the accounts start getting whacked; the problem is, in those few days, they can send millions of messages.
Problem here is the business model of allowing access before verification. But if this is what the "big boys" do then the mom & pops have to do the same to stay in business at all.
Using your domain as a return address for spam strikes me as terribly unfair. It's a shame there are no existing laws to put folks who do that in jail.
I used to own "boy.com" many years ago and gave up the domain for similar reasons. There would be a ton of email forged with that as the return address. The last straw was possibly illegal porno being posted to USENET with "boy.com" as the hosting site (forged, of course.) Back then--in 1995-1996--I decided to get rid of it because I thought it may be impossible to convince authorities that we had nothing to do with those postings.
I use Bizland.com mail forwarding. It works the same way as the first poster's idea, but with a free subdomain. If I remember correctly, with Sneakemail you have to log onto their site every time an address gets spammed and delete/change the account. This way, all you have to do is add it to your filters, which seems to be more convenient to me.
--
I do the exact same thing with a free subdomain from Bizland.com.
--
I notice one of the fake email addresses they have in the sample output is one @yahoo.com. Surely, this isn't really a _fake_ email address, as it's pointing to a valid mailserver? (Thus causing yahoo.com to be clogged up when the next round of spam discharge is fired.)
And you've got to feel sorry for sweetp@dash.com!
That's something like reverse psychology for the spambots, isn't it?
Of course, if I were a spambot author, I'd include all sorts of regexes to de-mangle the most common forms of address mangling. With that in mind, I reason that the best course of action is to just mangle your address to the point that it doesn't look like one.
As an example, you may note that *my* slashdot email address has the @ and . enclosed in both braces and spaces. Any human would be able to demangle it to a valid address, but spambots don't even see it. As an added bonus, the humans who email me don't have to decide which words of the address to delete, lessening the margin of error.
Well, this also has been posted many times...
Sneakemail.com does all that for you without all that hassle.
Sneakemail is to spam filters what an ounce of prevention is to a pound of cure.
Gave me an idea: Why not set up a whole load of domains that resolve to 127.0.0.1 (Or, if that can be done in the DNS protocol, I don't know the details of it (Sorry, I'm a luser): resolving to the requester)? They may be subdomains of "real" domains, and with just random names, so that they are hard to distinguish from real ones, and then poisoning the spambot with randomstring@random.spam.poison.domain?
--The knowledge that you are an idiot, is what distinguishes you from one.
His one actually generates addresses at subdomains of cooperating domains. These subdomains have special qualities - they typically have 30 MXs, and each MX host has 30 As. Every single one of the As will go to a host that doesn't exist, but is on a routable network. Given the timeout for opening TCP connections of 70 seconds, you can keep a spammer (or their third party relay) busy for 30 * 30 * 70 seconds, for a total of 63,000 seconds, or 17.5 hours.
I think Ron even has instructions on how to set one of these up.
Don't just pollute their database - make them (and the queues at 3rd party relays who won't close up) spin their wheels for a day or so per address they scrape.
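The 30 MX by 30 A layout described above is easy to generate mechanically. The following is an added example written for this page, not Ron's instructions or any cooperating domain's real zone: it emits BIND-style records for a tarpit subdomain and computes the worst-case time an MTA spends on one address. The dead address block is an assumption; 192.0.2.0/24 (RFC 5737 TEST-NET-1) is used only so the example runs offline, and an actual deployment would need a block that is routed to you and has no listening hosts.

```python
import ipaddress

# Placeholder dead address block (assumption): RFC 5737 TEST-NET-1. In practice
# this must be address space that is routed toward you and answers nothing, so
# that every connect() hangs until the client's timeout instead of being refused.
DEAD_NET = "192.0.2.0/24"


def worst_case_delay(n_mx, n_a, connect_timeout=70):
    """Seconds an MTA spends if it tries every MX and every A before giving up.

    With the post's numbers (30 MX, 30 A, 70 s connect timeout) this is 63,000 s.
    """
    return n_mx * n_a * connect_timeout


def poison_zone(subdomain, n_mx=30, n_a=30, dead_net=DEAD_NET, ttl=3600):
    """Return BIND-style zone lines for a tarpit subdomain.

    The subdomain gets n_mx MX records (mx0 .. mx<n_mx-1>, distinct preferences
    so an MTA walks all of them) and each MX host gets n_a A records drawn from
    dead_net. If n_mx * n_a exceeds the block size the addresses repeat; an MTA
    that de-duplicates addresses then wastes less time, so size the block to
    hold n_mx * n_a distinct dead addresses in a real deployment.
    """
    hosts = list(ipaddress.ip_network(dead_net).hosts())
    lines = [f"$TTL {ttl}", f"$ORIGIN {subdomain}."]
    for i in range(n_mx):
        lines.append(f"@\tIN\tMX\t{10 + i}\tmx{i}")
    for i in range(n_mx):
        for j in range(n_a):
            ip = hosts[(i * n_a + j) % len(hosts)]
            lines.append(f"mx{i}\tIN\tA\t{ip}")
    return lines


def count_records(lines, rtype):
    """Count zone lines of a given record type (helper for sanity checks)."""
    return sum(1 for ln in lines if f"\tIN\t{rtype}\t" in ln)


if __name__ == "__main__":
    zone = poison_zone("trap.example.net", n_mx=3, n_a=2)   # small, for display
    print("\n".join(zone))
    hours = worst_case_delay(30, 30) / 3600
    print(f"worst case per address with 30x30: {hours:.1f} hours")
```

Because the subdomain is delegated from a domain you control, the lookups that the poisoned addresses provoke land on your own authoritative server, not on the roots; the connect attempts, not the DNS queries, are what burn the spammer's time.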
My first concern (the ability to make a screenshot) seems to be answered by the spammer's liking for PC Anywhere. I thought of BO... but thought that installing the server would be unlikely at sudden notice. A misconfigured PC Anywhere session, though, would be useful and fortunate for the attacker indeed!
while upgrading sendmail, I had somehow allowed the world to relay :-(
A spammer hit my box and out of 23 messages only 6 were valid.
From what I've seen, they love sales@ and webmaster@. I get email for those and I've never used them with my domain.
I know there are spam reporting systems. Do any of those alert ISPs of the contact addresses contained in spam? So when a spammer uses mail or Web addresses as contact points for victims, that information will quickly be pointed out to the affected ISPs?
The Wpoison web generator creates web pages with fake email addresses, and links to itself so a spam web crawler will be trapped within generated pages. Obviously a spam web crawler can be programmed to not be forever trapped, but Wpoison at least provides a trap for the unwary crawler.
Spammers are now running dictionary attacks against SMTP servers. A spammer will connect to mail.example.com and try a large (if not exhaustive) list of possible usernames. If the mail server gives an 'OK' message the address is added to the spammer's list; if it gets a 'user unknown' it discards it and goes on to the next. There was a piece of spamware that had the ISP that I admined hardcoded into its searches.
No replies made to AC posts. Please log in.
You just poisoned your own method by posting those email addresses on slashdot. If a spambot finds them here, you'll think mp3.com or yahoo sold your e-mail address.
And yes spambots visit slashdot!! (so this program might be something they should use.)
I have been using it for a few years now and have never upgraded it (or even looked to see if it was upgraded!) The thing is running here.
It does catch the spammers! I have seen spam harvesters sit there for days just going through page after page after page. And of course I just let it.
However, make sure you have your robots.txt set up properly. I made a goof in the original one I had set up and ended up doing quite a number on Web Crawler. With some help from their tech support staff I got that fixed pretty fast.
There is a third party module for the Roxen webserver that's called the Email Address Cloaking Device.. I use it, and it works very well..
Before any content is served, it checks the User Agent; if it's a bot, it translates any MAILTO: links in the HTML into gibberish.. it eliminates the need to "spam-proof" your MAILTO: links.. (The only thing I'm worried about is spammers altering their bots to ID themselves as Mozilla, or something similar..)
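The pieces described in this subthread (a Wpoison-style generator that fills pages with fake addresses and links back into itself, a User-Agent check that serves cloaked MAILTO links to bots, and a robots.txt that keeps honest crawlers out of the trap) fit in one small request handler. The code below is an added example written for this page; it is not Sugarplum, Wpoison, or the Roxen Email Address Cloaking Device. The harvester signature list (only EmailSiphon and Cherry Picker come from the thread), the poison domain `poison.example.net`, the protected address `webmaster@example.org`, the `/trap/` prefix and the naive harvesting regex are all constructed assumptions.

```python
import hashlib
import random
import re
import urllib.parse

# User-Agent substrings treated as harvesters. EmailSiphon and Cherry Picker are
# named in the thread; the other two are made up for illustration.
HARVESTER_UA = ("emailsiphon", "cherry picker", "emailcollector", "extractorpro")

# The kind of regex a naive harvester runs over raw HTML.
HARVEST_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

POISON_DOMAIN = "poison.example.net"    # assumed tarpit/poison domain
REAL_CONTACT = "webmaster@example.org"  # assumed real address to protect
TRAP_PREFIX = "/trap/"                  # assumed URL space for generated pages


def is_harvester(user_agent):
    ua = (user_agent or "").lower()
    return any(sig in ua for sig in HARVESTER_UA)


def fake_addresses(seed, count, domain=POISON_DOMAIN):
    """Plausible but useless addresses; deterministic per seed so a revisit of
    the same URL yields the same page and the bot cannot spot the trap by diffing."""
    rng = random.Random(seed)
    names = ["aaron", "beth", "carl", "dana", "eli", "fran", "gwen",
             "hugo", "ivy", "jack", "kim", "lena"]
    return [f"{rng.choice(names)}{rng.randint(10, 99)}@{domain}" for _ in range(count)]


def trap_links(seed, count):
    """Links back into the trap so the crawler keeps walking generated pages."""
    return [TRAP_PREFIX + hashlib.sha1(f"{seed}/{i}".encode()).hexdigest()[:10] + ".html"
            for i in range(count)]


def cloak_mailto(addr):
    """Percent-encode every character of the address. A browser decodes the href;
    a regex looking for a literal '@' never sees it."""
    return "mailto:" + "".join(f"%{ord(c):02X}" for c in addr)


def uncloak(href):
    """What a browser does with the cloaked href."""
    return urllib.parse.unquote(href)


def render(path, user_agent, n_addrs=40, n_links=5):
    """Poison page for harvesters; normal page with a cloaked contact for everyone else."""
    seed = hashlib.sha256(path.encode()).hexdigest()
    if is_harvester(user_agent):
        items = "".join(f"<li>{a}</li>" for a in fake_addresses(seed, n_addrs))
        links = "".join(f'<a href="{href}">more</a>' for href in trap_links(seed, n_links))
        return f"<html><body><ul>{items}</ul>{links}</body></html>"
    # Humans get the real contact (cloaked) plus one hidden link into the trap,
    # which only a crawler that ignores robots.txt will follow.
    hidden = trap_links(seed, 1)[0]
    return ("<html><body><p>Welcome.</p>"
            f'<a href="{cloak_mailto(REAL_CONTACT)}">Contact the webmaster</a>'
            f'<a href="{hidden}" style="display:none"></a>'
            "</body></html>")


def robots_txt():
    """Keep well-behaved crawlers out of the trap (cf. the Web Crawler mishap above)."""
    return f"User-agent: *\nDisallow: {TRAP_PREFIX}\n"


def harvest(html):
    """What a naive harvester extracts from a page."""
    return HARVEST_RE.findall(html)


if __name__ == "__main__":
    print(len(harvest(render("/index.html", "EmailSiphon/1.1"))), "addresses for the bot")
    print(harvest(render("/index.html", "Mozilla/5.0")), "addresses for a browser")
```

The cloaking only defeats bots that regex the raw HTML, which is the same caveat the Roxen poster raises: a harvester that decodes hrefs, or that sends a browser User-Agent, gets the normal page, and the hidden trap link is what catches that one.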
personally, I'd be inclined to use something like lightgreen on palegreen1 :-).
I definitely like the idea. I guess that the next thing would be to put invisible (to human readers) links to poison pages on my main web pages. That and generating aliases to localhost.bcgreen.com, to point email addresses at.
`ø,,ø`ø,,ø!
Free Software: Like love, it grows best when given away.
Nowadays, there are an awful lot of people who are working to fight spam, which makes it quite a bit harder for a spammer. With cool services like Spam Cop (you copy-n-paste the spam w/ headers, and they track the spammer and stop that account, often within minutes), anyone can easily contribute to getting whatever account a spammer is abusing shut down as rapidly as possible.
It works. I've tried spamcop several times, and every time the result was that someone had already beat me to it and the ISP had already shut down the account that was being abused. The spammer wasn't caught, but they were delayed and their job was made harder.
This forces spammers to work harder, so the cost of sending a message is not zero. As an example, take a look at the material a hacker stole from spammer Premier Marketing, Inc. It's clear that they had to use multiple people and a never-ending supply of stolen dialup accounts. They went to a lot of trouble to compile a giant list of known anti-spam activists who used services like Spam Cop (or read the headers themselves and called ISPs), so that their stolen dialups would hold out a little longer.
It's easy to just throw your hands up in the air and accept spam as a fact of life. It's easy to feel like spammers are unstoppable. The truth is that these anti-spam countermeasures do make things harder for spammers. They increase the cost, from virtually nothing, to something. Admittedly, not much, but it doesn't take much to make some of the really lame-ass scams these folks spew unprofitable.
There's also hope for the world in the kick-ass efforts of Paul F. Pete Wellborn III, the lawyer who's taken down a couple big-time spammers, most recently that annoying printer supplies guy!
So don't give up. Even if you just press delete without a second thought, don't discourage others. There is hope. A lot of people are working against spam, and as more things like this come on-line, the cost and risk of sending spam will continue to slowly rise. A very Good Thing!
PJRC: Electronic Projects, 8051 Microcontroller Tools
Bill - aka taniwha
--
Leave others their otherness. -- Aratak
According to the terms of agreements, they cannot use the information from the board for spam.
Where there is a statutory amount for copyright violation, why not use that against the list providers?
Fight Spammers!
It is too bad there is no way to poison the sender of the spam. Spammers will evolve beyond this, they always do.
On my Christmas Wish List, I want Santa to bring me something that doesn't exist. Something that's a great idea, but not actually possible. Ya know, like world peace, honest politicians or stable Microsoft products.
I want an e-mail client that will automatically detect spam and e-mail virus hoaxes - with 100% accuracy, so I don't lose real messages - and without any intervention on my part, smurf the sender.
Because, Dear Santa, I wish to be able to post my e-mail address with impunity, for all to see.
Fire and Meat. Yummy.
Burris
Don't forget, your average spammer is desperate for the low margin of sales he can hope to achieve. Thus, many of the spams I have received often contain 1-800-xxx-xxxx numbers for contacting them. Remember, with an 800 number, the receiver of the call is charged money for each incoming call to it.
A friend of mine runs a script which intermittently dials the numbers in the evening when he's asleep and not otherwise using his line. Vindictive, evil, yet somehow it seems just.
---
man sig
---
the pen is mightier than the sword. the sword is mightier than the court. the court is mightier than the pen.
It's about numbers. If a spammer sends out 10 million spams asking for $10, and 0.01% of the recipients are sufficiently naive to reply, he has made $1,000. If the spammer is just looking for credit card numbers to defraud, all it takes is one bone-dumb idiot out of millions of recipients to send theirs in. The odds look pretty good for the spammer.
Unless you can get politicians' email addresses that don't end in .gov, there is no point. Even a spammer isn't dumb enough to spam .gov addresses. After all, that's what got junk fax in deep shit. And if the politicos have other addresses, they are a closely guarded secret.
However, it might be worthwhile to set up a bunch of forwarding addresses that don't end in .gov that you could supply to the spammers that would forward all the spam to everyone in congress.
Another thought -- is it possible to get an email address that ends in .gov if you aren't in gov't? If ordinary people used .gov addresses, the spammers would have a harder time figuring out who they can shit on with impunity.
Concealed Handgun License Courses in Plano, Texas
There are several spambot poisoning programs out there, but spam continues. The reason is simple; spamming doesn't cost anything. The only ways to make any dent in the spamming will have to involve ways of making it cost something.
There is at least one fellow who may have found a way to do something effective.
Check out the email address on this post. It is a real, non-munged email address. After you have admired it a few seconds, then go to http://www.suespammers.org, and get your very own free Washington-state based email account from a guy who is hoping to make a living suing the bastards.
The trouble I have with all these schemes is that it causes lots of extra work for the root servers of the DNS. By forging bogus addresses in invalid domains and offering those addresses to harvesters, you're guaranteeing that people using these lists will cause tons of root server queries. If the addresses are at valid domains like hotmail, you're burdening hotmail with the effort of looking up these (maybe) bogus users.
I just munge my address, adopting the form: mailto:foo%2bdomain%2etld , which all the browsers I tested understood just fine. So far, so good. A nice bit of poison that I like: postmaster@[127.0.0.1] and postmaster@localhost.
1-800-206-3934 ex. 5858
***1-800-224-5988****
On checking the headers, I saw that my email address was contained in every message (in other words, no aliases or other things that merely resolved to my address). These guys deliberately spammed me multiple times.
That's fine, though, because I collect 1-800 spam numbers. It would be a real tragedy if they were called repeatedly from a worldwide audience who hates spam, wouldn't it?
Don't use your home phone. ANI will bite you on the ass if you do.
-Legion
Still, it's great to see a means of getting the spammers to spam each other. If only the same thing could be done for junk snail-mail.
The site looks interesting. But as the AC pointed out, the ability to get a screen capture via a sudden-notice attack on a Windows box (Win9x? WinNT?) seems very unlikely. There's reason to be skeptical.
To try it, run lynx -useragent=EmailSiphon http://ibgwww.colorado.edu/
It is really funny to see some poor spambot spend an hour or two thinking it has hit some really rich website.
The spammers try to filter out invalid addresses, so all you need is a real address that seems to be invalid.
I discovered this by accident: I wanted to track which companies give my email address out, so I created a subdomain with throw-away addresses: "nospam.sig11.net", and gave out unique identifiers for the username. (See my email in the header - it is a valid address - do not remove "nospam".)
But the funny thing is: I never received any spam to these addresses. (And for the other addresses I see about 5-10 spam mails a day rejected by my spam filters...) It seems the address gets sorted out because of the "nospam" part.
So the solution is: Get yourself a valid email address with "nospam" or the like in it - The spammers will do the work for you and exclude you from their lists.
--
This thing should work due to the combination of multiple spam-evasion techniques. Spamming is like recycling cans or telemarketing in that the profit margin is very narrow, and the tiniest variables can upset that margin.
Spammers designed ways of gleaning email addresses from websurfers in order to avoid having to pay for verified email addresses; without a way of verifying the addresses they collect, spammers will have to switch back to paid lists gained from registrations, etc.
In this case, the need for verification will create that extra step for spammers, making it cheaper not to use the lists at all. Is anyone aware of a cheap and easy way, other than just emailing the person, to verify a valid yet false address?
The only way I can think of for spammers to evade Sugarplum would be the establishment of intermediate businesses to vet email lists gathered by spammers.
Goat sex free since 2001
Spammers are a type of thief. It's that simple really. It's the online equivalent of if people could steal your car while you weren't using it, and return it when they are done with it but without paying for gas. They can make a big fuss about how they aren't stealing your car but they're using it and wearing it out without paying for any of it, and whether or not you also can use it is not relevant.
The law doesn't let people steal your car just in case they plan to return it before you need it again. It forbids people from stealing your car in general terms because the stealing is taking place without your permission or consent. By the same token, spamming is use of your internet resources (from ISP right down to use of your inbox and 'mail visual scan' for important stuff) without your permission or consent- the resources being used are all YOURS, not the spammers. They have no right to use 'em, any more than they have a right to steal your car temporarily and use the gas up.
There is also no legitimate argument that their use of your resources is doing you some kind of informational favor. You would be just as able to access that information if you went to their website on your own- you don't owe them the attention, just for existing. I guess that's the bottom line really- spammers behave like attention is a right, calling it free speech and basically insisting they must be allowed to _seize_ the attention of anybody in the world. Attention is a privilege, not a right. Free speech laws never considered the situation of a person with a megaphone loud enough to yell at every single person that exists- free speech is based on an assumption that the speech is going to be somewhat localised, and that if you are somewhere else or not paying attention you won't hear it.
In a weird way stalking laws seem oddly applicable. If you continually follow a person berating them you may well be legally forced to stop as your demanding of their attention is considered a sort of assault. Spammers are, effectively, 'stalking' millions of people at a time. No-contact laws might be a good idea- if no-contact to specific individuals is too much like 'opt out' or too unrealistic, perhaps what's needed is 'no bulkmail/email at all' laws for a digital version of no-contact. The former would be a legal acceptance that spamming is a form of harassment, and a block against that person doing it again for any reason through any means- and the latter would be a recourse if the spammer refused to stop harassing.
If Kevin Mitnick can be forbidden to work in the computer industry just for being a troublemaker, why can't unrepentant spammers be forbidden to use email for any reason? There's always postal mail, the phone, and face to face contact- ALL of which already are covered legally against harassment situations.
That's the holiday spirit alright... ;)
---
seumas.com
Would it be possible to seed the spambots with the email addresses of politicians who support pro spam policies/laws. It would be wonderful to subject them to the same crap they shove at us.
rm -rf microsoft*
Reminds me of that TNG episode where they found a way to make the Borg examine a picture that continued forever.
Hmm.. wouldn't that be interesting, have the feeder continuously feed it email addresses and never stop. It's a better way to fight, don't resist, just give them exactly what they want, and lots of it, until they stop it by themselves.
Have you read my journal today?
Well, even though this has been posted many times, I can't see any hurt in posting it again, to remind everyone.
1. First - get a domain
2. Second, get hosting company that offers a default-mail-redirect. (i.e. If someone mails a message to jsahjfhjdkdsueue@yourdomain.com the server automatically forwards it to you@yourdomain.com)
3. Now, when you enter your email-addy in a signup form somewhere, enter the name of the company as your address (i.e. amazon@yourdomain.com, yahoo@yourdomain.com)
4. Now, every time someone sends you spam, you can simply block them in your E-mail filter PLUS you see what company has been filthy enough to sell your address!
It might not be perfect, but it's damn good.
There has been a CGI script called wpoison that has been around since 1997 which feeds spambots artificial e-mail addresses.
From what it seems, the only two things this does that wpoison doesn't, is spams spammers and crashes the spammer's machine with denial of service attacks.
Having spammers spam other spammers seems okay, but attacking spammers with denial of service attacks? Sorry, but in my opinion, performing denial of service attacks on people you don't like makes you almost as bad as a spammer.
Aside from all that, if CmdrTaco hasn't noticed, this is Slashdot, not Freshmeat.
When a spammer makes his spam run, he uses stolen resources. He hijacks a mail server, and forges the from address, and the reply to address, so whether he has a db of 1000000 real addresses, or 1000000 addresses that are crap without 20 real addresses by luck, he does not care. Because the address he forged will be the recipient of the bounce back messages.
Spammers don't follow the rules, all the crap they spout in emails about this bill and that bill making this legal are complete bullshit.
Spammers are the murderers and rapists of the techno world, they steal resources of other peoples networks, and the traffic they generate is enough to drop small networks and mail servers.
I came, I conquered, I coredumped
I have two methods that I personally use. Since I own my domain and receive all e-mail sent there, I can be anything@world-domination.net. So the first technique is to choose mail addresses that get rejected by spambots, webmaster@world-domination.net, support@world-domination.net, etc., or in the case of slashdot, root, for the l33tness factor.
Second, I use the address as an identifier in my addresses. At mp3.com it's mp3@world-domination.net, at yahoo it's yahoo@world-domination.net. Then if I start getting spammed at one of those addresses, I know which site's fault it is, and I can change my address at that site and block all future mail to that address.
I admit this solution isn't for everyone, but it works great for me.
---- "A programmer is a person who solves a problem you didn't know you had in a way you don't understand."