Slashdot Mirror


Tracking Spam to the Source

cygnusx writes: "MSNBC is carrying a Wall Street Journal article on one reporter's attempts to track the spam she receives to the source. Armed with a few Hotmail and Yahoo accounts, reporter Stacy Forster actually responded to most of the barrage of spam she began to receive after a week or so. Not quite the best investigative journalism ever seen, but still a good glimpse (or so I thought) at those who send us those unloved missives about "exciting business opportunities" and "millions of $$$ waiting"."

25 of 356 comments

  1. Bellsouth = Spam by Renraku · · Score: 5, Interesting

    When I signed up for their ADSL service, I used a very odd username which I haven't used before, nor have I ever seen. I checked my email a day (after the account was made, not after I got DSL) later and guess what? Two emails from Bellsouth, one from some porn company. I posted my findings to DSL reports, and got fired from my tech support job at Bellsouth DSL for that.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    1. Re:Bellsouth = Spam by Pituritus+Ani · · Score: 4, Insightful

      Did you contact an attorney about suing for wrongful termination? Can you provide a link to your post?

      --

      Another proud carrier of the $rtbl flag

  2. Just use PINE and... by Colin+Bayer · · Score: 4, Interesting

    turn on "enable-bounce-cmd" in your prefs. Open the spam, hit "B", tippity-tap out the source e-mail address (or flex your gpm muscles if you're so inclined), and off it goes back to the sender; alternately, do your best to fudge a mailer daemon bounce. When they get the message, 9 times out of 10, they stop sending. Failing that, just redirect known bad domains (I do this with Yahoo and Hotmail because I don't know anybody who uses those accounts) into a spam folder; check it occasionally to make sure the signal-to-noise ratio is non-zero.

    It's not worth getting all hot and bothered over some "INCREDIBLE MONEY MAKING OPPORTUNITY" someone felt like telling you about.

    On another note, check out somethingawful's pranks section under spam for Lowtax's take on the whole thing. :)

    --
    Want Linux games? HERE.
    1. Re:Just use PINE and... by forkboy · · Score: 5, Insightful

      I bet that works great when the source address is spoofed.

      --
      This message brought to you by the Council of People Who Are Sick of Seeing More People.
    2. Re:Just use PINE and... by walt-sjc · · Score: 5, Informative

      Bouncing spam after it's in your inbox is useless. Since most spam is forged, all this will do for you is get you another email from "Yahoo" (or whoever the spammer used as a forged address) claiming the user is unknown.

      Spam has to be bounced at the SMTP server level before reception is complete to be effective at all, and even at this point it's usually pointless as the spammer is probably just bouncing off some random open relay in China. All this will do is fill up the mailbox of the relay's clueless administrator in China with bounce messages. Maybe this will cause them to close their open relay, but with hundreds of thousands more open relays to choose from, it does little good in the overall picture.

      Spammers have found another method too. Relay through some lamer's poorly-configured wingate or squid proxy.

      Use spamcop, bounce messages, write nasty notes all you want, but you will not make a dent in the spam problem.

      The only thing you can do that might have ANY impact at all would be to complain to your congressmen that they need to outlaw spam. Once laws are in place we can sue the pants off these assholes, and maybe even get them some jail time.

      What scares me more than the "make money quick" or "lose 150 lbs in 10 minutes" spams are the pseudo-legit type used by businesses.

      Think about that... If only 1% of American businesses decided to use spam, and they only sent one spam email a year to 1% of the population, that's still thousands of messages a week per person!

      With all the filters I have set up, I block about 600 spam attempts per day to my server, another 50 or so a day get filtered into a spam folder automatically, and about 2 or so a day get all the way through to my main inbox folder. This is on an email address I've had for 7 years, so just about every spammer seems to hit it.

      Considering that I only get about 100 legit emails a day (including several mailing lists) I'd say the problem is WAY out of hand. With the levels of spam increasing about 10% per month, my guess is that we have about a year left before email is completely saturated with spam making it impossible to communicate.

      So please, do as I have and write a physical letter (no emails, they just junk those) to your congress critters (or whatever government officials you have in your country that pass laws) to ban spam.

  3. Recommendation by doorbot.com · · Score: 5, Informative

    The article says the FTC recommends that you forward all of your spam to uce@ftc.gov. I know I will be doing so from now on...

    1. Re:Recommendation by kinko · · Score: 4, Informative

      I'm not even an American, and I know this one... they don't want ALL spam. They only want spam that is in some way fraudulent or illegal - eg pyramid schemes.

  4. maybe if we stop answering it... by spacefem · · Score: 5, Insightful

    One spammer interviewed in the article says he sends out about 15,000 spam messages a day and gets 10-15 new customers out of that. So I guess the message about spam we send to these people is that it's worth it.

    It feels like we're kinda stuck - it's annoying and stupid, but spam is here to stay. That 1/1000 is a good enough target for these businesses, and e-mail addresses are so cheap to get they might as well go for it. The only thing I can think of is being extra careful to NEVER look into an e-mail that even looks like spam - don't go to the website, don't buy the product, even if it could be interesting.

    I once asked a telemarketer if he hated his life, he said he did. I thought it was kinda funny that he admitted it straight out - it was proof that the underbelly world of cheap advertising is evil.

    1. Re:maybe if we stop answering it... by oregon · · Score: 5, Informative

      NEVER look into an e-mail that even looks like spam

      Absolutely, these HTML mails are dangerous with their 1x1 gifs with a custom URL so "they" know you've read the message.

      I check the source and add the urls to junkbuster's list. If the filters don't get the mail, then the images still don't get requested.

      --

      ---
      Oregon
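
Added example (not part of oregon's comment): one way to do the "check the source" step above, pulling the remote image URLs out of an HTML message so they can be added to a filtering proxy's block list. The sample message and the `example.*` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _tiny(value):
    """True for width/height values of 0 or 1 (e.g. "1", "1px")."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 1


class BeaconFinder(HTMLParser):
    """Collect remote <img> URLs that can act as read receipts."""

    def __init__(self):
        super().__init__()
        self.beacons = []  # list of (url, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "") for name, value in attrs}
        src = attr.get("src", "").strip()
        if not src.lower().startswith(("http://", "https://")):
            return  # cid: and data: images are not fetched from a remote server
        reasons = []
        if _tiny(attr.get("width")) and _tiny(attr.get("height")):
            reasons.append("invisible 1x1 image")
        if urlsplit(src).query:
            reasons.append("query string can carry a recipient id")
        if reasons:
            self.beacons.append((src, reasons))


def find_beacons(html_source):
    """Return [(url, reasons)] for every suspicious remote image."""
    finder = BeaconFinder()
    finder.feed(html_source)
    finder.close()
    return finder.beacons


def hosts_to_block(html_source):
    """Host names to add to a filtering proxy's block list."""
    return sorted({urlsplit(url).hostname for url, _ in find_beacons(html_source)})


# Constructed sample: the HTML source of a spam message.
SAMPLE = """<html><body>
<p>MILLIONS OF $$$ WAITING</p>
<img src="http://ads.example.com/banner.gif" width="468" height="60">
<img src="http://track.example.net/open.gif?u=8f3a21c4" width="1" height="1">
<IMG SRC="http://img.example.org/t/ab12cd.gif" WIDTH=1 HEIGHT=1>
<img src="cid:logo@local" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for url, reasons in find_beacons(SAMPLE):
        print(url, "->", "; ".join(reasons))
    print("block:", hosts_to_block(SAMPLE))
```

The third image shows why size alone is worth flagging: the identifier can sit in the path instead of a query string.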
    2. Re:maybe if we stop answering it... by javilon · · Score: 5, Interesting

      I have got a better Idea.

      Somebody writes an e-mail system where sending messages costs money. Let's say 50 cents per message. That looks like a lot, but bear with me...
      You read the message, and, if you want it, you accept it and the operator cancels the charge. Otherwise the sender gets charged.
      You don't charge your friends, or any wanted mail but you do charge commercial entities and spammers (if you want).
      Money from charges goes to the mail operator, so it does make some $$$ from the service. But this $$$ doesn't come from you, unless you are adept to send unwanted mail.
      Now let's see how much these 10-15 new customers cost: 15,000 cents x 50 cents / 10 new customers = 600$.
      That would be a day. For a year he would be charged about 200,000$.
      That would stop most spammers.

      --


      When his defense asked, "Which computer has Jon Johansen trespassed upon?" the answer was: "His own."
    3. Re:maybe if we stop answering it... by dangermouse · · Score: 5, Funny
      The only thing I can think of is being extra careful to NEVER look into an e-mail that even looks like spam


      I looked at the trap, Ray.

  5. My solution to stop spam... by Flavio · · Score: 5, Informative

    ... was to install Spambouncer, which is a large set of procmail filters.

    Before installing it, I got ~20 spam messages a day. Now I get at most 1-2 a week. Spambouncer does come with very restrictive default settings, though. For example, you must specify if you want to receive email from free web mail services like Yahoo and Hotmail, otherwise it'll filter those out.

    It also logs everything it does and has the option of sending blocked email to a file instead of /dev/null in the case it filters something it shouldn't.

    In my case the only inconvenience was it blocked legitimate email from Amazon.com and eBay -- these are filled with disclaimers and have HTML, which Spambouncer doesn't like to see. In any case, it's easy to mark those domains as safe and start receiving their email again.

  6. An alternative approach to SPAM filtering by chrysalis · · Score: 5, Interesting
    Instead of using SPAM filters (accept everything by default, deny some mails according to filters), a new and very efficient approach is to do like firewalls :
    • Deny everything by default
    • Only accept mails from known sources.

    Software like TMDA implements this. When a mail comes from an unknown source, an automatic confirmation mail is sent by the script. If the sender acknowledges, his address will be added to the 'whitelist'. No more confirmation will be needed.
    This is extremely efficient, and it basically reduces the SPAM actually delivered to your mailbox to zero.
    Just don't forget to manually add mailing-lists you're subscribed to, to the 'whitelist'.


  7. I want to know HOW they got her address... by writermike · · Score: 5, Interesting

    I want to know about one more part of the story.

    She says she signed up a Yahoo account, bought one book from Borders.com and promptly received spam thereafter.

    Sooooo.... if Borders _and_ Yahoo both say there's no way the e-mail could have been sent out by either of them -- (and if the reporter is completely accurate about her sequence of events) -- how did the company get her e-mail address?

    Either someone's lying, is mistaken, or her e-mail address was "created" through some sort of bruteforce e-mail address creation application.

    Cheers,

    Mike...

    --
    If Nalgene water bottles are outlawed, only outlaws will have Nalgene water bottles.
    1. Re:I want to know HOW they got her address... by Technician · · Score: 5, Interesting

      I had a paper trail on a snail mail issue I had with the Oregon Department of Transportation. I registered my new car (got plates). Due to a typo, my middle initial was wrong on the title and registration. I was going to correct it when I got a chance, but changed my mind when I got my first junk mail with the same mistake. After that, I decided not to correct the error. About 1/3 of my junk mail had that error for as long as I owned my car. About half the telemarketers also asked for me by that name. It was mostly chimney sweeps, re-financers, and vinyl siding salesmen. They were totally useless calls as I was renting an apartment at that time and it didn't have a fireplace. I should have had them drop by for the free estimate to waste some of their time. Maybe they will get their demographic close enough to quit bothering me.

      --
      The truth shall set you free!
  8. I want server configured from client by GCP · · Score: 5, Interesting

    I think we should have a server feature that is configurable from the client. The client would be able to tell the server that if a message has certain characteristics, the server should respond to the sender in the same way it would respond if the address didn't exist at all.

    Any message that your client would filter into the trash, your client should be able to tell the server to bounce.

    Perhaps we could also use the "plus convention" to allow users to effectively manage their own email address(es). Many servers are set up so that if my assigned email address is fred@foo.com, then fred+[anystring]@foo.com is still sent to fred. Tell your friends to address you as fred+friend@foo.com, and then have your client sort the "+friend" messages into a friends folder.

    Why not be able to create a list of valid plus extensions in your client, which would then post them to the server? Why not be able to create your own rule for messages that arrive with no extension? You could instruct your client to instruct the server to accept them or to bounce them back to the sender as simply nonexistent addresses.

    You could create an extension in your client and specify an expiration date. Your client informs the server. Then you post your email address publicly, a Usenet question perhaps, and your server would accept responses until the date you specify, and then bounce everything thereafter as spam.

    With so many addresses expiring quickly and users able to get their servers to hide their non-expiring addresses from mail with certain characteristics, the spammers databases would become much less usable.

    --
    "Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
    1. Re:I want server configured from client by Saeculorum · · Score: 5, Interesting

      GCP says: Perhaps we could also use the "plus convention" to allow users to effectively manage their own email address(es). Many servers are set up so that if my assigned email address is fred@foo.com, then fred+[anystring]@foo.com is still sent to fred. Tell your friends to address you as fred+friend@foo.com, and then have your client sort the "+friend" messages into a friends folder.

      I think that's a good idea, but only a short-term solution. If it ever becomes wide-spread, spammers will just use brute force and send emails to fred+%dictionary_word@foo.com. It wouldn't even be that hard - most likely, people would somewhere accidentally post their "secret" email address (which happens right now) and a spambot would pick that up. Above that, most people would use common words, "secret", "spam", "free", etc. There would be huge incentive to break the system for the spammer - if they're the first to find out how to bypass the secret system, their spams are able to be read by everyone, while other spams will be filtered out. It'll simply be a race to be the first spammer to be "heard".

      The solution must inevitably be, in my mind, to make spam cost something. Not necessarily money, but some sort of tangible resource. Various solutions have been proposed, all of which in my mind are not completely up to the task. However, they're the only effective long-term solution. So long as spam is free, there's no disadvantage to sending 1,000,000 emails to get one response. I personally like Adam Back's Hashcash program, which is at www.cypherspace.org/~adam/hashcash/. However, the site seems to be down at the moment, so one can use Google's quite convenient cache of it at http://www.google.com/search?q=cache:-g8yVfQ3vFwC:www.cypherspace.org/~adam/hashcash/.
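
Added example (not part of the comment above, and not code from the Hashcash program): a hashcash-style proof-of-work stamp, showing the cheap receiver-side checks against the sender's expensive search. The colon-separated field layout, the SHA-1 choice, the class name and the result strings are assumptions of this example.

```python
import hashlib
import itertools
import secrets
from datetime import date, datetime


def leading_zero_bits(digest):
    """Count zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(recipient, day, bits, salt=None):
    """Sender side: about 2**bits SHA-1 computations per recipient."""
    salt = salt or secrets.token_hex(8)
    prefix = f"1:{bits}:{day:%y%m%d}:{recipient}:{salt}:"
    for counter in itertools.count():
        stamp = f"{prefix}{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1  # the stamp and how many hashes it cost


class StampChecker:
    """Receiver side: one hash plus bookkeeping per message."""

    def __init__(self, my_address, min_bits, max_age_days=2):
        self.my_address = my_address.lower()
        self.min_bits = min_bits
        self.max_age_days = max_age_days
        self.spent = set()  # stamps already accepted once

    def check(self, stamp, today):
        fields = stamp.split(":")
        if len(fields) != 6 or fields[0] != "1":
            return "malformed"
        _, bits, day, recipient, _salt, _counter = fields
        if recipient.lower() != self.my_address:
            return "wrong recipient"  # work done for someone else's address
        if not bits.isdigit() or int(bits) < self.min_bits:
            return "too cheap"
        try:
            stamped = datetime.strptime(day, "%y%m%d").date()
        except ValueError:
            return "malformed"
        if abs((today - stamped).days) > self.max_age_days:
            return "expired"  # bounds how long spent stamps must be remembered
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < int(bits):
            return "insufficient work"
        if stamp in self.spent:
            return "replayed"  # one stamp pays for one message only
        self.spent.add(stamp)
        return "ok"


if __name__ == "__main__":
    today = date(2002, 3, 11)  # constructed date
    stamp, hashes = mint("fred@foo.com", today, 16)
    checker = StampChecker("fred@foo.com", min_bits=16)
    print(stamp, "cost", hashes, "hashes ->", checker.check(stamp, today))
    print("same stamp again ->", checker.check(stamp, today))
```

Because the recipient address is hashed into the stamp, a sender mailing 1,000,000 addresses has to repeat the search 1,000,000 times, which is the cost the comment asks for.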

  9. Don't you think... by whipping_post · · Score: 5, Funny

    ...the reporter could have gotten more info if she didn't keep telling these people that she is a reporter?!?!

    How's this for investigative journalism?
    1. Locate Spammers
    2. Call and explain to spammers that you are a reporter
    3. Determine if spammer has hung up
    4. If step 3 is yes, call spammer back and leave message
    5. Repeat

  10. Beware spammer dictionary-attack by Seth+Finkelstein · · Score: 4, Informative
    Quoth the writer:

    In only one of the e-mail accounts, I provided all of the information requested (name, address, demographics, etc.) during the registration process, and I used this e-mail address just one time - to purchase a gift certificate from Borders.com. Less than a week later, the spam started rolling in - jamming the in-box with more spam than the other new accounts I had created.
    The writer seems to think spammers couldn't get the address unless they got it from Borders.com. This may be unfair. What spammers sometimes do is to dictionary-attack ISPs, trying lists of usernames (after all, what do they care if the mail bounces - it's not like it's THEIR problem ...). Once they find an address works, (by not having it bounce), they sell it to other spammers as a "verified" address. I saw something similar happen where an account I only used to receive a few mailing lists (never send) suddenly received a huge upsurge in spam. The list-maintainers were above reproach, they hadn't sold the user list. What seemed to have happened is that a spammer found the address in a dictionary-attack, and then it was all over ... :-(

    Sig: What Happened To The Censorware Project (censorware.org)

  11. Idea for getting removed from e-mail databases. by e_n_d_o · · Score: 5, Interesting

    This is probably old news, but it's just a thought.

    What if it were required by law that every company must track WHERE and WHEN they obtained any e-mail address that they send bulk messages to. If you requested to be removed from their list "recursively" the offending company would have to notify its provider. Each company would have to notify any company they bought the address from that you want your information kept PRIVATE. The recursive notification would only go UP the chain. I'd love it if they had to notify everyone they sold it to as well, but this might not be practical. Each provider would send you a message as they removed you from their list. Each company would have to keep your e-mail address on a black list for a period of time you specify (such as "until hell freezes over") and not send you further messages until that time elapses.

    You would have as evidence the date/time you were removed and would have grounds for damages in the event that someone repurchased your address from a provider or they didn't remove you.

    Until then, I'll just continue to give my email address out as myname_companyimgivingitto@mydomain.com
    So far, 99% of the spam is coming from myname_usenet@mydomain.com, which is about to be automatically filtered and deleted.

  12. How to track who sold yours email to spammers by Em+Ellel · · Score: 5, Informative

    A year or two ago I came to the conclusion that you cannot stop all the spammers using filters. You can use any filtering program you want, but either you are going to lose some e-mail or some spam will get through (or both). You can use fake e-mail addresses but many sites nowadays check by sending you a confirmation e-mail that requires you to do something with information you get in the e-mail. But what you CAN do is control how they get your e-mail address in the first place.

    Here is my easy method to track the bastard that sold your address. All you need is your own domain and control over the e-mail server - as many of my fellow geeks do.

    Using my domain - I created an account for dealing with spam. I then created an alias which will put all e-mails without a specific mailbox into that account. (for example - the qmail/vmailmgr allows you to create "+" alias as such a catch-all address)

    Now comes the fun part - every time I need to use my e-mail in public - I make up an e-mail address that makes it easy to figure out where I used it. To make sure I do not create a real mailbox with same name - I use a specific prefix (like ns- for no spam) to make all of those e-mail addresses stand out (example - when signing up for e-bay, I sign up with ns-ebay@mydomain.com). Now when that spam arrives I can find out which e-mail address it is destined to - and which place it came from.

    The last part of this comes after a while. Eventually some addresses start getting too much spam and you seem to end up where you started. No problem. I create a new alias that bounces or /dev/null's email coming into that account.

    If I find that I gave out an address to a trustworthy source, I can even create an alias to go to my main mailbox.

    Of course, if you go to a source that is guaranteed to leak your address to spammers, no point to even bother with all this - that's what the free webmail accounts are for ;-).

    The interesting part of all this is that to my own surprise I find that most sites are pretty good at keeping your privacy when you sign up. So far the biggest culprits were postings on USENET (well, duh!) and ebay - but e-bay were all from massmailings by people I bought from and they were good at removing my address when asked to.

    Hope this helps.

    -Em

    --
    RelevantElephants: A Somatic WebComic...
    1. Re:How to track who sold yours email to spammers by aiken_d · · Score: 5, Interesting

      This is very, very simpleminded and outright wrong.

      I operate a service that collects emails for a private mailing list. I am the only one with access to the database. There is no web-based facility to harvest the addresses.

      Every now and then I get an 8 page rant from some joker using this method to "prove" that I gave their email address to spammers. It's always very self-righteous because they are so sure that this is the perfect way to figure out where spammers got their address.

      Well, I know firsthand that it simply is not. I have two theories:

      1) email scanning. I also operate a semi-public smtp server, and I have it set to log multiple "user does not exist" messages going to the same ip address. At least once a week, there are thousands; "a@x.com" then "b@x.com" and on up into "aacd@x.com".

      2) However, they probably aren't going to get longer addresses that way. What seems likely to me is that someone is sniffing traffic at public peering points, or on ISP's networks themselves. It wouldn't be a bad way for some tech to make extra cash.

      But no matter what the real reason is, please don't assume that if you get spam to a made-up, one-time-use address, that the person you originally gave that address to is at fault. I can assure you that that is simply not the case.

      Cheers
      -b

      --
      If I wanted a sig I would have filled in that stupid box.
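
Added example (not part of either comment): detection logic for the address scanning described in aiken_d's theory 1 and in Seth Finkelstein's "dictionary-attack" comment, run over SMTP recipient logs. The log format, field names, threshold and addresses are constructed for this example and do not come from any particular mail server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<verdict>accept|reject) ip=(?P<ip>\S+) "
    r"rcpt=(?P<rcpt>\S+)(?: reason=(?P<reason>\S+))?$"
)


def find_harvesters(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag client IPs probing many distinct unknown recipients in one window.

    For each flagged IP, also list the recipients that were accepted: those
    addresses did not bounce, so the scanner now knows they exist.
    """
    rejects = defaultdict(list)  # ip -> [(timestamp, recipient)]
    accepts = defaultdict(set)   # ip -> {recipient}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        rcpt = m["rcpt"].lower()
        if m["verdict"] == "accept":
            accepts[m["ip"]].add(rcpt)
        elif m["reason"] == "unknown-user":
            rejects[m["ip"]].append((datetime.fromisoformat(m["ts"]), rcpt))

    report = {}
    for ip, events in rejects.items():
        events.sort()
        start, worst = 0, 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({rcpt for _, rcpt in events[start:end + 1]})
            worst = max(worst, distinct)
        if worst >= threshold:
            report[ip] = {
                "distinct_unknown": worst,
                "confirmed": sorted(accepts[ip]),
            }
    return report


# Constructed log: one scanner walking a@, b@, c@ ... and one sender's typo.
SAMPLE_LOG = """\
2002-03-11T04:12:01 reject ip=203.0.113.9 rcpt=a@x.com reason=unknown-user
2002-03-11T04:12:01 reject ip=203.0.113.9 rcpt=b@x.com reason=unknown-user
2002-03-11T04:12:02 reject ip=203.0.113.9 rcpt=c@x.com reason=unknown-user
2002-03-11T04:12:02 accept ip=203.0.113.9 rcpt=ed@x.com
2002-03-11T04:12:03 reject ip=203.0.113.9 rcpt=aa@x.com reason=unknown-user
2002-03-11T04:12:03 reject ip=203.0.113.9 rcpt=ab@x.com reason=unknown-user
2002-03-11T04:12:04 accept ip=203.0.113.9 rcpt=al@x.com
2002-03-11T09:30:15 reject ip=198.51.100.20 rcpt=jon@x.com reason=unknown-user
2002-03-11T09:31:40 accept ip=198.51.100.20 rcpt=john@x.com
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG).items():
        print(ip, info)
```

The `confirmed` list is the useful output for the argument in this thread: it names the addresses that became known to a scanner without any site having passed them on.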
  13. A simple solution by Anonymous Coward · · Score: 5, Informative

    If you have your own domain name, simply use abuse@yourdomainnamehere.com as your primary e-mail address and you'll never be spammed. After 3 years I am still waiting for my first spam.

  14. More mainstream media on spam by Floyd+Turbo · · Score: 5, Informative

    There's a column in today's Washington Post on spam:

    I arrive at my office, uncap my coffee, unwrap my bagel, open my e-mail and face the first searing public policy question of the day: "Do you want to watch teens make their first porn video?"

    It's called "The Great American Spam Attack", by Ellen Goodman.

  15. Report that spam! by Parsec · · Score: 4, Insightful

    The least you can do is cost the spammer their account. Depending on the spam's contents I...

    Traceroute the last reliable IP of the sending email address. Know your mail gateways and take the IP address it received the mail from, traceroute it and report to abuse@[someisp].[ext]. If it seems unreputable, cc their isp.

    Visit the web page. Do it. This is to find out if there's a redirect in place. http://[somefreewebhost].com/[directory] redirects to http://[scumballspammer].com/ . Traceroute and report the site it redirected you to to the appropriate ISP. Least it will do is annoy the sysadmin, and we know how sysadmins can be. Best case is they lose their site, any money put toward it, and pay a penalty fee.

    If the web page sends you somewhere to order, visit it, traceroute it, and report. (Same reasons as above.)

    In the case of javascript encoded html, it's easy to rewrite. Look for the document.write( xxx ); statement and change it to document.write( "<form><textarea>" + xxx + "</textarea>" ); . Repeat as necessary. Follow steps above.
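
Added example (not part of Parsec's comment): finding the "last reliable IP" from a message's `Received:` headers, given the addresses of your own mail gateways. It assumes the receiving servers record the connecting peer as `(name [ip])`, as Postfix does; the message, host names and addresses are constructed.

```python
import re
from email import message_from_string

# The peer address a receiving server saw on the TCP connection, e.g.
# "(unknown [203.0.113.77])". The HELO name before it is sender-controlled.
PEER_IP = re.compile(r"\((?:\S+ )?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def last_reliable_hop(raw_message, gateway_ips):
    """Return (ip, untrusted_headers).

    Received headers are read top-down (newest first). The top one was
    written by your own server. While the recorded peer is one of your own
    gateways, the next header down was written by that gateway and can be
    trusted too. The first peer that is not yours is the handoff point;
    every header below it was supplied by the sender and may be forged.
    """
    received = message_from_string(raw_message).get_all("Received", [])
    for depth, header in enumerate(received):
        flat = " ".join(header.split())  # unfold continuation lines
        match = PEER_IP.search(flat)
        remaining = len(received) - depth - 1
        if match is None:
            return None, remaining       # unparseable: stop trusting here
        if match.group(1) not in gateway_ips:
            return match.group(1), remaining
    return None, 0                       # the message never left your network


# Constructed message: two genuine hops, then one header added by the sender.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [10.0.0.5])
\tby mailstore.example.net with ESMTP id A1; Mon, 11 Mar 2002 04:12:09 -0800
Received: from mail.freemail.example (unknown [203.0.113.77])
\tby mx1.example.net with SMTP id B2; Mon, 11 Mar 2002 04:12:07 -0800
Received: from web1.freemail.example ([192.0.2.1])
\tby mail.freemail.example with HTTP; Mon, 11 Mar 2002 04:11:50 -0800
From: "Opportunity" <winner@freemail.example>
Subject: MILLIONS OF $$$ WAITING

body
"""

if __name__ == "__main__":
    ip, untrusted = last_reliable_hop(SAMPLE, {"10.0.0.5"})
    print("report this address:", ip, "| headers not to trust:", untrusted)
```

The address to report is the one your own gateway logged, not the host named in `From:` or in the lowest `Received:` line.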