Slashdot Mirror


Spambot Poisoner

halfelven writes: "Sugarplum, the anti-spambot fighting machine, is out! Quoting from their website: Sugarplum is an automated spam-poisoner. Its purpose is to feed realistic and enticing, but totally useless data to wandering spam-bots such as EmailSiphon, Cherry Picker, etc. The idea is to so contaminate spammers' databases as to require that they be discarded, or at least that all data retrieved from your site (including actual email addresses) be removed." I've seen this sort of thing before, but I just figured it's a fun thing to chat about on a holiday. It would be cool to put this on Slashdot some time: I bet I'm not the only Slashdot reader whose email address has been slurped.

21 of 187 comments

  1. Re:Mirror Please... by aqua · · Score: 3
    http://www.svn.net/~aqua/atlantic/sugarplum/

    Thanks for the attention, all. The freshmeat posting was quite manageable, but slashdot's is more than the 128kbit outbound can handle. Asymmetric DSL sucks in a substantial number of ways.

    aqua
    (sugarplum's slashdotted author)

  2. Re:Poison? How about crasher? by bero-rh · · Score: 3

    The speed of poisoning depends on what poison you use...
    I tend to think a spammer with an address database containing root@localhost, postmaster@localhost, abuse@localhost, root@localhost.localdomain, abuse@localhost.localdomain, root@[127.0.0.1], postmaster@[127.0.0.1], abuse@[127.0.0.1], and uce@ftc.gov wouldn't have too much fun before being kicked by his ISP.

    Unfortunately, many spambots are probably intelligent enough to filter out the common variants of these...

    --
    This message is provided under the terms outlined at http://www.bero.org/terms.html
  3. Teergrube by geirt · · Score: 5

    Blow the spammers away by stopping their tools:

    From the Teergrubing FAQ:

    E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources.

    If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts.

    A teergrube is a modified MTA (mail transport agent) able to do this to specified senders.

    Read the full story in the Teergrubing FAQ:

    --

    RFC1925
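
The tarpit the FAQ describes, as an added example that is not part of the post or of the Teergrubing FAQ: a minimal SMTP responder in Python that, once a MAIL FROM names a blocklisted domain, answers every command with a slow run of continuation lines ("250-please wait") before the final "250 OK", and never accepts the message (a 451 at end of data keeps it in the sender's queue for another try). The blocklisted domain cheapbulkmail.example, the host name mx.example, port 2525 and the 10-line, 20-second stall are placeholders I chose; a real deployment would feed the blocklist from a DNSBL or local reputation data.

```python
import asyncio
import re

# Constructed blocklist of sender domains to tarpit (assumption: in practice
# this comes from a DNSBL lookup or local reputation data).
TARPIT_DOMAINS = {"cheapbulkmail.example"}


def sender_domain(arg: str) -> str:
    """Domain part of a MAIL FROM argument such as 'FROM:<a@b.example>'."""
    m = re.search(r"@([A-Za-z0-9.\-\[\]]+)>?\s*$", arg)
    return m.group(1).lower() if m else ""


class Teergrube:
    """Reply logic for one SMTP session. feed() returns (delay, line) pairs;
    the network layer sleeps `delay` seconds before writing each line."""

    def __init__(self, stall_lines=10, stall_delay=20.0, domains=TARPIT_DOMAINS):
        self.stall_lines = stall_lines
        self.stall_delay = stall_delay
        self.domains = domains
        self.tarpit = False
        self.in_data = False

    def greet(self):
        return [(0.0, "220 mx.example ESMTP")]

    def _reply(self, code, text):
        if not self.tarpit:
            return [(0.0, f"{code} {text}")]
        # RFC 5321 4.2.1: "CODE-text" is a continuation line, "CODE text" the
        # last line. The client must wait for the last line, and most clients
        # restart their reply timer on every line received (the property the
        # FAQ relies on), so one reply now costs stall_lines * stall_delay
        # seconds without the connection being dropped.
        stall = [(self.stall_delay, f"{code}-please wait")] * (self.stall_lines - 1)
        return stall + [(self.stall_delay, f"{code} {text}")]

    def feed(self, line: str):
        line = line.rstrip("\r\n")
        if self.in_data:
            if line != ".":
                return []  # message body: no reply until the terminating dot
            self.in_data = False
            if self.tarpit:
                # Never accept tarpitted mail; 4xx keeps it in the sender's queue.
                return self._reply(451, "4.7.1 try again later")
            return [(0.0, "250 queued")]
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self._reply(250, "mx.example")
        if verb == "MAIL":
            if sender_domain(arg) in self.domains:
                self.tarpit = True
            return self._reply(250, "OK")
        if verb == "RCPT":
            return self._reply(250, "OK")
        if verb == "DATA":
            self.in_data = True
            return self._reply(354, "end data with <CRLF>.<CRLF>")
        if verb == "QUIT":
            return [(0.0, "221 bye")]
        return self._reply(500, "command not recognized")


def stall_seconds(commands, **kw) -> float:
    """Seconds a client spends waiting for replies to `commands` in one session."""
    session = Teergrube(**kw)
    return sum(delay for cmd in commands for delay, _ in session.feed(cmd))


async def handle(reader, writer):
    """Network layer: pipe lines in, apply the delays, write replies out."""
    session = Teergrube()
    replies = session.greet()
    try:
        while True:
            for delay, line in replies:
                await asyncio.sleep(delay)
                writer.write((line + "\r\n").encode())
                await writer.drain()
            if replies and replies[-1][1].startswith("221"):
                break
            raw = await reader.readline()
            if not raw:
                break
            replies = session.feed(raw.decode("ascii", errors="replace"))
    finally:
        writer.close()


async def serve(host="127.0.0.1", port=2525):
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

With the defaults a tarpitted session pays 200 seconds per command, so one message (MAIL, RCPT, DATA, end of data) holds the sender for over 13 minutes and still ends in a temporary failure. Keep the tarpit on a separate listener or behind a policy check: every stalled session also ties up one of your own sockets, which is the limit the FAQ mentions.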
  4. Valid email addresses... by darylp · · Score: 4

    I notice one of the fake email addresses they have in the sample output is one @yahoo.com. Surely, this isn't really a _fake_ email address, as it's pointing to a valid mailserver? (Thus causing yahoo.com to be clogged up when the next round of spam discharge is fired.)

    And you've got to feel sorry for sweetp@dash.com!

    1. Re:Valid email addresses... by bleh-of-the-huns · · Score: 3

      You have no idea how it works do you....

      With the exception of psi.net, the rest actually do enforce their AUP.

      The problem is, spammers will sign up about 50 accounts, many times using fake credit info, names and phone numbers. They do this on online signup pages for ISPs, usually the little mom and pop ones that don't do the immediate credit checks. They do this on Fri nights mostly. This way they have around till mon or tues before the accounts start getting whacked, problem is, in those few days, they can send millions of messages.

      I have played whack a mole with hundreds of spammers at my previous job as an Abuse person at a very large ISP (will not name the backbone provider who is based in louden VA :). Anyways, until there is a law that can be effectively used (not proposed bills), and enforced, spammers will use every which way they can. And every spammer that my dep managed to get rid of permanently, moved to psi.net, and as far as I can tell, they are still with psi.net after me changing jobs over a year ago.

      --
      I came, I conquered, I coredumped
    2. Re:Valid email addresses... by Nodatadj · · Score: 3

      I'm certain that spammers automatically spam random addresses at yahoo/hotmail anyway.

      I have an address, no-one else knows it, and it wasn't published anywhere. It gets 3 spams a day from sexamp.com. It's also not an easy to guess one.

      Either spammers spam random addresses, or hotmail is selling addresses to sex spammers.

      Maybe one day I'll set up a uuidgen'd address like
      29f03ca7-8f26-4675-b1a7-b61ebb13bb8f@hotmail.com and see if it gets any spam.

    3. Re:Valid email addresses... by Howie · · Score: 5

      Indeed, like the number of people that assume that thingy@thingy.com doesn't go somewhere when entering 'fake' details for registration - I get all those, thanks.

      (there are a few amusing upsides - I've received other people's (paid for) passwords for, uh, 'premium content', before now)

      A neat spamtrap I saw somewhere was a sentence halfway down someone's page that just said: "Whatever you do don't mail me at pink-and-wobbly@asdkjlwelkj.com, because then I'll know you're just an address-harvester, and blacklist your IP until the end of time", just before their normal contact details.

      --
      "don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
  5. Re:Anti-Spam technique by KevinMS · · Score: 3


    Well, this also has been posted many times...

    Sneakemail.com does all that for you without all that hassle.

    --
    Sneakemail is to spam filters what an ounce of prevention is to a pound of cure.
  6. Domain poisoning? by redhog · · Score: 4

    Gave me an idea: Why not set up a whole load of domains that resolve to 127.0.0.1 (Or, if that can be done in the DNS protocol, I don't know the details of it (Sorry, I'm a luser): resolving to the requester)? They may be subdomains of "real" domains, and with just random names, so that they are hard to distinguish from real ones, and then poisoning the spambot with randomstring@random.spam.poison.domain?

    --
    --The knowledge that you are an idiot, is what distinguishes you from one.
  7. There are much better, older tools for this by TekPolitik · · Score: 5
    The granddaddy of these was by Ron Guilmette (aka RFG). He probably still has it downloadable from www.monkeys.com.

    His one actually generates addresses at subdomains of cooperating domains. These subdomains have special qualities - they typically have 30 MXs, and each MX host has 30 As. Every single one of the As will go to a host that doesn't exist, but is on a routable network. Given the timeout for opening TCP connections of 70 seconds, you can keep a spammer (or their third party relay) busy for 30 * 30 * 70 seconds, for a total of 63,000 seconds, or 17.5 hours.

    I think Ron even has instructions on how to set one of these up.

    Don't just pollute their database - make them (and the queues at 3rd party relays who won't close up) spin their wheels for a day or so per address they scrape.
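
The DNS side of that scheme, as an added example that is not Ron Guilmette's code or instructions: a generator for a BIND-style zone in which every MX of the poison subdomain has many A records, plus the arithmetic from the comment above for how long a sender that tries all of them is held. The domain spamtrap.example, the name-server address and the sink prefix 198.18.0.0/22 are placeholders I chose; the sink must be a prefix that is actually announced but has no hosts on it (a prefix that is not routed at all makes the router answer with ICMP unreachable, and the connect then fails instantly instead of timing out).

```python
import ipaddress


def tarpit_zone(domain, ns_ip, n_mx=30, n_a=30, sink="198.18.0.0/22", ttl=3600):
    """BIND-style zone for `domain` whose n_mx mail exchangers each resolve to
    n_a addresses taken from `sink`. Assumption: `sink` is a prefix you control
    that is announced but unpopulated, so every SYN goes unanswered and the
    sender runs into its full connect timeout per address."""
    hosts = list(ipaddress.ip_network(sink).hosts())
    if n_mx * n_a > len(hosts):
        raise ValueError("sink prefix too small for n_mx * n_a addresses")
    lines = [
        f"$ORIGIN {domain}.",
        f"$TTL {ttl}",
        f"@ IN SOA ns1.{domain}. hostmaster.{domain}. (1 3600 900 604800 {ttl})",
        f"@ IN NS ns1.{domain}.",
        f"ns1 IN A {ns_ip}",
    ]
    addresses = iter(hosts)
    for i in range(1, n_mx + 1):
        # Distinct preferences: a compliant sender works through them in order.
        lines.append(f"@ IN MX {i * 10} mx{i}.{domain}.")
        for _ in range(n_a):
            lines.append(f"mx{i} IN A {next(addresses)}")
    return "\n".join(lines) + "\n"


def worst_case_seconds(n_mx=30, n_a=30, connect_timeout=70):
    """Time a sender that tries every A of every MX spends on one recipient
    domain; the comment's figures give 30 * 30 * 70 = 63000 s, 17.5 hours."""
    return n_mx * n_a * connect_timeout


def count_records(zone: str, rtype: str) -> int:
    """Number of records of one type in a zone produced by tarpit_zone()."""
    return sum(1 for line in zone.splitlines() if f" IN {rtype} " in line)
```

The figure is a worst case for an MTA of that era. Modern MTAs cap the work they do per domain (Postfix, for example, limits the number of MX addresses tried per delivery with smtp_mx_address_limit and smtp_mx_session_limit), so against a well-behaved relay the hold is shorter; against a spammer's own bulk mailer, which often retries aggressively, it can be longer.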

  8. Re:Poison? How about crasher? by SEWilco · · Score: 3

    The Wpoison web generator creates web pages with fake email addresses, and links to itself so a spam web crawler will be trapped within generated pages. Obviously a spam web crawler can be programmed to not be forever trapped, but Wpoison at least provides a trap for the unwary crawler.

  9. Wpoison rocks by Randy Rathbun · · Score: 3

    I have been using it for a few years now and have never upgraded it (or even looked to see if it was upgraded!) The thing is running here.

    It does catch the spammers! I have seen spam harvesters sit there for days just going through page after page after page. And of course I just let it.

    However, make sure you have your robots.txt set up properly. I made a goof in the original one I had set up and ended up doing quite a number on Web Crawler. With some help from their tech support staff I got that fixed pretty fast.
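
A poison page generator in the spirit of Sugarplum and Wpoison, as an added example that is not code from either project: it emits a page of realistic but useless mailto: links, links back to further pages under the same prefix so a harvester keeps crawling, and a robots.txt entry that keeps well-behaved crawlers out (the mistake Randy describes above). It also takes up Howie's spamtrap idea from comment 4 and goes beyond it: the trap address is unique per visitor, its local part an HMAC over (client IP, date), so when spam later arrives for it the HMAC is replayed over the web log to name the harvester without storing anything at serve time. Fake addresses use only the reserved example.* domains, so a spam run against them never reaches a real mail server (darylp's yahoo.com objection). The secret, the domain trap.example and the /poison/ prefix are placeholders I chose.

```python
import hashlib
import hmac
import html
import random
import re

# Placeholders (assumptions, not Sugarplum's or Wpoison's configuration): a
# per-site secret, a trap domain whose MX you control, and a URL prefix that
# robots.txt disallows.
SECRET = b"change-me-and-keep-private"
TRAP_DOMAIN = "trap.example"
POISON_PREFIX = "/poison/"

# Fake addresses use only RFC 2606 reserved domains, so they never point at a
# real mail server no matter how many times a spammer tries them.
FAKE_DOMAINS = ["example.com", "example.net", "example.org"]
FIRST = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
LAST = ["ng", "patel", "okafor", "schmidt", "rossi", "tanaka", "kowalski"]


def fake_address(rng: random.Random) -> str:
    """One realistic-looking but useless address."""
    f, l = rng.choice(FIRST), rng.choice(LAST)
    local = rng.choice([f"{f}.{l}", f"{f[0]}{l}{rng.randrange(10, 99)}", f"{l}_{f}"])
    return f"{local}@{rng.choice(FAKE_DOMAINS)}"


def trap_address(client_ip: str, day: str) -> str:
    """Per-visitor trap address: the local part is an HMAC over (ip, day), so
    mail that later arrives for it proves which client harvested it and when."""
    tag = hmac.new(SECRET, f"{client_ip}|{day}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"contact-{tag}@{TRAP_DOMAIN}"


def identify_harvester(rcpt: str, web_log):
    """Replay the HMAC over (ip, day) pairs from the web access log and return
    the pair whose trap address equals `rcpt`, or None if no pair matches."""
    for ip, day in web_log:
        if trap_address(ip, day).lower() == rcpt.lower():
            return ip, day
    return None


def poison_page(path: str, client_ip: str, day: str, n_addresses=20, n_links=5) -> str:
    """HTML page of fake mailto: links, one trap address at a random position,
    and links to further pages under POISON_PREFIX. Content is seeded by the
    path so a re-fetch of the same page by the same harvester looks stable."""
    rng = random.Random(hashlib.sha256(path.encode()).digest())
    addrs = [fake_address(rng) for _ in range(n_addresses)]
    addrs.insert(rng.randrange(len(addrs) + 1), trap_address(client_ip, day))
    items = "\n".join(
        f'<li><a href="mailto:{html.escape(a)}">{html.escape(a)}</a></li>' for a in addrs
    )
    links = "\n".join(
        f'<a href="{POISON_PREFIX}{rng.randrange(10**6)}.html">more</a>' for _ in range(n_links)
    )
    return f"<html><body><ul>\n{items}\n</ul>\n{links}\n</body></html>\n"


def robots_txt() -> str:
    """Keep legitimate crawlers out of the trap; harvesters ignore this, which
    is exactly what distinguishes them."""
    return f"User-agent: *\nDisallow: {POISON_PREFIX}\n"


MAILTO = re.compile(r'mailto:([^"]+)"')


def addresses_in(page: str):
    """Addresses a harvester would scrape from a generated page."""
    return [html.unescape(m) for m in MAILTO.findall(page)]
```

Serve poison_page() for any request under the prefix (the "more" links point at random paths there), and watch your trap domain's MX: any message addressed to contact-...@trap.example is by definition unsolicited, and identify_harvester() turns the recipient into the IP and date of the crawl that scraped it, which is the evidence you want before blacklisting an IP "until the end of time".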

  10. Re:Spammers cheat, this will not work by pjrc · · Score: 5
    Thus wrote "bleh-of-the-huns":
    ...so whether he has a db of 1000000 real addresses, or 1000000 addresses that are crap without 20 real addresses by luck, he does not care.

    Nowadays, there are an awful lot of people who are working to fight spam, which makes it quite a bit harder for a spammer. With cool services like Spam Cop (you copy-n-paste the spam w/ headers, and they track the spammer and stop that account, often within minutes), anyone can easily contribute to getting whatever account a spammer is abusing shut down as rapidly as possible.

    It works. I've tried spamcop several times, and every time the result was that someone had already beat me to it and the ISP had already shut down the account that was being abused. The spammer wasn't caught, but they were delayed and their job was made harder.

    This forces spammers to work harder, so the cost of sending a message is not zero. As an example, take a look at the material a hacker stole from spammer Premier Marketing, Inc. It's clear that they had to use multiple people and a never-ending supply of stolen dialup accounts. They went to a lot of trouble to compile a giant list of known anti-spam activists who used services like Spam Cop (or read the headers themselves and called ISPs), so that their stolen dialups would hold out a little longer.

    It's easy to just throw your hands up in the air and accept spam as a fact of life. It's easy to feel like spammers are unstoppable. The truth is that these anti-spam countermeasures do make things harder for spammers. They increase the cost, from virtually nothing, to something. Admittedly, not much, but it doesn't take much to make some of the really lame-ass scams these folks spew unprofitable.

    There's also hope for the world in the kick-ass efforts of Paul F. Pete Wellborn III, the lawyer who's taken down a couple big-time spammers, most recently that annoying printer supplies guy!

    So don't give up. Even if you just press delete without a second thought, don't discourage others. There is hope. A lot of people are working against spam, and as more things like this come on-line, the cost and risk of sending spam will continue to slowly rise. A very Good Thing!

  11. Use the DMCA by www.sorehands.com · · Score: 3
    I know people who have gotten spam on the address used on EBAY and NSI's whois.

    According to the terms of agreements, they cannot use the information from the board for spam.

    Since there is a statutory amount for copyright violation, why not use that against the list providers?

  12. Re:Spammers have evolved by 13013dobbs · · Score: 3
    What? Are you trying to claim that all SMTP servers know all valid email addresses the world over?

    Calm down. I never stated that. The spammer will start an interactive SMTP session and run thru a series of RCPT's and keep the OK's. Thus if a spammer got an OK on joe_blow while on 'mail.example.com', he would know that 'joe_blow@example.com' was a valid address.

    What you have described is only going to work over a single domain, and even then only with an incredibly badly adminned mail server.

    Even well adminned servers are abuseable. The attack does not use EXPN or VRFY; it acts like it is a normal mail transaction. Most pro-spammers have multiple phonelines (I know one who has 8 lines), so they can run against multiple servers at the same time and can easily snag 1/4 million addresses a night.

    What ISP was this? indy.net (RIP)

    --

    No replies made to AC posts. Please log in.
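
The RCPT-walk described above leaves a clear trace: one client, many "User unknown" rejections, and the guessed local parts arriving in dictionary order. The following is an added example, not from the post, of detection logic a mail admin could run over smtpd logs. The log lines are constructed in Postfix's reject format (not real traffic) and the addresses are from the reserved documentation ranges; the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smtpd reject lines, not real traffic.
# 203.0.113.5 walks a list of guessed names; 198.51.100.9 is a legitimate
# correspondent with a single typo in the recipient.
LOG = """\
Nov 22 03:14:01 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; from=<deals@bulk.example> to=<aaron@example.org> proto=SMTP helo=<bulk>
Nov 22 03:14:02 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <abbey@example.org>: Recipient address rejected: User unknown in local recipient table; from=<deals@bulk.example> to=<abbey@example.org> proto=SMTP helo=<bulk>
Nov 22 03:14:02 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown in local recipient table; from=<deals@bulk.example> to=<adam@example.org> proto=SMTP helo=<bulk>
Nov 22 03:14:03 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <adrian@example.org>: Recipient address rejected: User unknown in local recipient table; from=<deals@bulk.example> to=<adrian@example.org> proto=SMTP helo=<bulk>
Nov 22 03:14:03 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alan@example.org>: Recipient address rejected: User unknown in local recipient table; from=<deals@bulk.example> to=<alan@example.org> proto=SMTP helo=<bulk>
Nov 22 03:20:45 mx postfix/smtpd[4720]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.9]: 550 5.1.1 <jon.smiht@example.org>: Recipient address rejected: User unknown in local recipient table; from=<pat@partner.example> to=<jon.smiht@example.org> proto=ESMTP helo=<mail.partner.example>
"""

REJECT = re.compile(
    r"RCPT from (?P<host>\S+)\[(?P<ip>[0-9.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def unknown_recipients(log_text: str):
    """Client IP -> distinct unknown recipients it tried, in log order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m and m["rcpt"] not in seen[m["ip"]]:
            seen[m["ip"]].append(m["rcpt"])
    return dict(seen)


def sorted_fraction(names) -> float:
    """Share of consecutive pairs in non-decreasing alphabetical order. A
    dictionary walker scores close to 1.0; occasional typos score at random."""
    if len(names) < 2:
        return 0.0
    pairs = list(zip(names, names[1:]))
    return sum(a <= b for a, b in pairs) / len(pairs)


def harvesters(log_text: str, min_unknown=4, min_sorted=0.8):
    """IPs whose unknown-recipient pattern looks like address harvesting,
    with the two numbers the decision was based on."""
    flagged = {}
    for ip, rcpts in unknown_recipients(log_text).items():
        local_parts = [r.split("@", 1)[0].lower() for r in rcpts]
        order = sorted_fraction(local_parts)
        if len(local_parts) >= min_unknown and order >= min_sorted:
            flagged[ip] = {"unknown": len(local_parts), "sorted": order}
    return flagged


if __name__ == "__main__":
    for ip, stats in harvesters(LOG).items():
        print(f"{ip}: {stats['unknown']} unknown recipients, ordering {stats['sorted']:.2f}")
```

Detection after the fact is the cheap half; the other half is denying the enumeration in the session itself, which Postfix does with smtpd_hard_error_limit (the client is disconnected after that many errors) so a walker gets a handful of answers per connection rather than thousands, and each reconnect shows up in the log as above.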

  13. Get automatically sorted out by ee23 · · Score: 5

    The spammers try to filter out invalid addresses, so all you need is a real address that seems to be invalid.

    I discovered this by accident: I wanted to track which companies give my email address out, so I created a subdomain with throw-away addresses: "nospam.sig11.net", and gave out unique identifiers for the username. (See my email in the header - it is a valid address - do not remove "nospam".)

    But the funny thing is: I never received any spam to these addresses. (And for the other addresses I see about 5-10 spam mails a day rejected by my spam filters...) It seems the address gets sorted out because of the "nospam" part.

    So the solution is: Get yourself a valid email address with "nospam" or the like in it - The spammers will do the work for you and exclude you from their lists.

    --
    -- .sig deleted
  14. Happy Thanksgiving, You've Been Slashdotted! by Seumas · · Score: 4
    Aw, man. How cruel. Post a link to this (apparently) small-time site on a day when everyone in the country has the day off and is surfing Slashdot, while his ISP is probably minimally (if at all) staffed to respond to problems -- and get him slashdotted.

    That's the holiday spirit alright... ;)
    ---
    seumas.com

  15. politicians' email addresses by Peter Koren · · Score: 5

    Would it be possible to seed the spambots with the email addresses of politicians who support pro spam policies/laws? It would be wonderful to subject them to the same crap they shove at us.

    --
    rm -rf microsoft*
  16. Anti-Spam technique by truelight · · Score: 4

    Well, even though this has been posted many times, I can't see any hurt in posting it again, to remind everyone.

    1. First - get a domain

    2. Second, get a hosting company that offers a default-mail-redirect (i.e. if someone mails a message to jsahjfhjdkdsueue@yourdomain.com the server automatically forwards it to you@yourdomain.com).

    3. Now, when you enter your email-addy in a signup form somewhere, enter the name of the company as your address (i.e. amazon@yourdomain.com, yahoo@yourdomain.com)

    4. Now, every time someone sends you spam, you can simply block them in your E-mail filter PLUS you see what company has been filthy enough to sell your address!

    It might not be perfect, but it's damn good.

  17. Spammers cheat, this will not work by bleh-of-the-huns · · Score: 4

    When a spammer makes his spam run, he uses stolen resources. He hijacks a mail server, and forges the from address, and the reply to address, so whether he has a db of 1000000 real addresses, or 1000000 addresses that are crap without 20 real addresses by luck, he does not care. Because the address he forged will be the recipient of the bounce back messages.

    Spammers don't follow the rules, all the crap they spout in emails about this bill and that bill making this legal are complete bullshit.

    Spammers are the murderers and rapists of the techno world, they steal resources of other peoples networks, and the traffic they generate is enough to drop small networks and mail servers.

    --
    I came, I conquered, I coredumped
  18. My technique... by SupremeOverlord · · Score: 3

    I have two methods that I personally use. Since I own my domain and receive all e-mail sent there, I can be anything@world-domination.net. So the first technique is to choose mail addresses that get rejected by spambots, webmaster@world-domination.net, support@world-domination.net, etc., or in the case of slashdot, root, for the l33tness factor.

    Second, I use the address as an identifier in my addresses. At mp3.com it's mp3@world-domination.net, at yahoo it's yahoo@world-domination.net. Then if I start getting spammed at one of those addresses, I know which site's fault it is, and I can change my address at that site and block all future mail to that address.

    I admit this solution isn't for everyone, but it works great for me.

    --

    ---- "A programmer is a person who solves a problem you didn't know you had in a way you don't understand."