Slashdot Mirror


DSLReports Study: 8 Hours 'til the Spam Hits

Masem writes: "In a rather interesting study at DSLReports, it was observed that email addresses published on a web site received spam within 8 hours of being posted, showing how aggressively the harvesters are working. In particular, a special link was set up on the main page that by following the link, the site generated an email address that was trackable to the IP that called the link, and not published anywhere else at any time. In the specific case, in only 8 hours after the email address was created, it had received spam; since that time about 9 months ago, it's gotten around 100 pieces. Given the time and source of most of the emails, the authors believe that they've simply got someone at one end of a home broadband pipeline using open relay mail servers, and most likely being paid to redistribute spam on the email addresses they harvest."
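The per-visitor tracking address described in the summary can be built as follows. This is an added example, not DSLReports' code and not part of the Slashdot thread; the HMAC tagging, the key, the `trap.example` domain and the function names are all assumptions made for illustration.

```python
import base64, hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"   # assumption: a per-site secret kept on the server
DOMAIN = "trap.example"         # assumption: placeholder domain with catch-all delivery
TAG_LEN = 6                     # bytes of HMAC kept in the address

def make_trap_address(visitor_ip, issued_at, key=KEY):
    """Build a unique address encoding who fetched the page and when."""
    payload = struct.pack(">I", issued_at) + ipaddress.ip_address(visitor_ip).packed
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    local = base64.b32encode(payload + tag).decode().rstrip("=").lower()
    return f"t{local}@{DOMAIN}"

def trace_address(address, key=KEY):
    """Return (visitor_ip, issued_at) for a genuine trap address, else None."""
    local, _, domain = address.lower().partition("@")
    if domain != DOMAIN or not local.startswith("t"):
        return None
    b32 = local[1:].upper()
    try:
        raw = base64.b32decode(b32 + "=" * (-len(b32) % 8))
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None               # guessed or altered address, not one we issued
        (issued_at,) = struct.unpack(">I", payload[:4])
        return str(ipaddress.ip_address(payload[4:])), issued_at
    except (ValueError, struct.error):
        return None

def hours_to_first_spam(address, received_at, key=KEY):
    """Delay between issuing the address and mail arriving at it."""
    traced = trace_address(address, key)
    return None if traced is None else (received_at - traced[1]) / 3600

if __name__ == "__main__":
    # Constructed sample: documentation-range IP, arbitrary timestamps.
    addr = make_trap_address("203.0.113.7", 1_000_000_000)
    print(addr, trace_address(addr), hours_to_first_spam(addr, 1_000_028_800))
```

Because the tag is keyed, mail sent to a guessed or mangled address on the trap domain fails verification and is not mistaken for a harvest hit.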

15 of 333 comments

  1. Lockheed Martin by irony+nazi · · Score: 4, Insightful

    When I started working for Lockheed Martin, I had 4 spam emails in my mailbox that were delivered prior to my first day of work. In addition to this, I had 2 personal (they seemed personal IT related) job offer emails in my mailbox, also from prior to my first day of work. Both from recruiting companies.

    --

    Bringing irony to the Slash-masses
  2. Re:To Spammer, please Harvest these addresses: by hendridm · · Score: 5, Insightful

    Hmmm, using these sorts of e-mail addresses can lead to annoyances to legitimate domain owners. For a while I remember the owner of junk.com, which seems to no longer exist, posting complaints about people typing "whatever@junk.com" when they register software. It seems his servers were hit or something.

    I always like to use the webmaster's e-mail account when registering software. For example, if I was registering software on widgets.com, I might use the e-mail address "webmaster@widgets.com" or "abuse@widgets.com" to register the software.

    I feel torn, as I want to support free software vendors by allowing them to make money, but I just don't want my e-mail address to be sold for spam. Ever. I also don't want those annoying newsletters that I could care less about unless I *explicitly* ask for it (and not be tricked or required by default).

  3. How to foil email harvesters by grunby · · Score: 2, Insightful

    Something like WPoison has to be used more often. Until a higher percentage of harvested emails are faked, these web spiders will continue roaming the web, adding email addresses to their collection.
    - grunby

  4. Re:I think the summary is misleading... by MindStalker · · Score: 2, Insightful

    Well remember the guy put up generated email addresses, meaning each address could be datetime/ip stamped as to when it was harvested. So basically when he got spam it was as little as 8 hours after that generated email address was created. I do wonder what the time span was from when the site went up till the first harvester hit, and maybe a nice graph of time up/number of harvesters would be interesting.

  5. Re:Very interesting by Anonymous Coward · · Score: 3, Insightful

    Like many domain owners, I have a catch-all email address set up. So when I register I generate a new email address every time. And I link back when I get spam. It's not perfect - sites can leak my address fairly innocently (Salon on its chat pages, for example).

    IME, very few ecommerce sites spam. And almost all of those are obviously from the company I gave the email to.

    Note: I don't live in the USA, so don't deal with some of the more egregious spammers.

  6. Re:To Spammer, please Harvest these addresses: by keesh · · Score: 5, Insightful

    I tend to go for postmaster@localhost, or, failing that, postmaster@127.0.0.1. You can also try other names -- root and webmaster are also good fun.

  7. Re:How? by Arker · · Score: 3, Insightful

    Google has to do a lot to process a page. It tries to analyze the content, it crossreferences complex networks of linking, building a very complicated database for searching.


    A spammer-spider can be much more simple, and thus move much more quickly. All it is interested in are email addresses. Period.


    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  8. Re:Hmm... by dagoalieman · · Score: 2, Insightful

    That could be a fun one too.. set up an email address in your domain, set forwarding on the account by rule/filter/whatever equiv for your email system so that it goes to uce@fbi.gov or whatever that spam collector address was. Or find a higher up address to send to, even. (Like an employee for the FBI who has no SSN, Name, DOB...) Just add a little script to tag into the email before forwarding that says "This person was inquiring about you.. thought you'd be interested.."

    You know, even mentioning that idea, I'm surprised I haven't gotten a knock at my door already.. :)

    You've got a good point though- I would imagine that .gov addresses get blacklisted, but on the other hand I know some people at the state level who get spam at their addresses. So we'd at least get rid of the so-stupid-they-can't-spam-right people.. :)

    --
    We don't need no Net Explorer We don't need no Thought control
  9. Re:telemarketers by sholden · · Score: 2, Insightful

    I rarely ever got telemarketing calls.
    Last week I applied for a telemarketing job.
    Within hours I started getting calls, and I've gotten 5 a day since.

    Karma...
  10. Re:Get a Hotmail account by g00z · · Score: 2, Insightful

    Bah -- do what I do (and other smart people that run their own mailserver) -- set up an aliases list for your email address. Every time you need to give somebody your email address (For required registrations and all the other stuff that makes the web annoying as hell these days) just make an alias to your "real" address, get your mail from the company, then go and remove that alias -- Voila! You got your registration ID or whatever, and now that company has a bunk email address that they can sell out to spammers, with no consequence to yourself.

    As easy as proverbial pie.

    --
    "The Wright brothers were the first to fly with a heavier-than-air machine, but boy did they have a lousy plane"
  11. Obfuscated html by rsidd · · Score: 5, Insightful

    I use html code in my email address on my web page, like this:

    &#114&#115idd@yah&#111&#111.c&#111&#109

    Amazingly, not a single spammer has gotten hold of it yet, in over a year; whereas, unobfuscated addresses used only once, on mailing list archives for example, are picked up immediately.

    Obviously these spambots aren't so intelligent.

  12. Re:Mod this question up, please. by Anonymous Coward · · Score: 2, Insightful

    Spammers rarely receive bounces, it's not worth the effort. You'll just be adding to tens of thousands of others sent to the unfortunate person whose address was forged as the SMTP sender.

  13. Re:telemarketers by Tackhead · · Score: 2, Insightful
    > I rarely ever got telemarketing calls.
    >
    > Last week I applied for a telemarketing job.
    > Within hours I started getting calls, and I've gotten 5 a day since.

    Since only a moron would want to be a telemarketer (i.e. would believe the "Make $$$ at our call center, d00d!" flyers on campus), it stands to reason you got placed on a "sucker's list" as a result of applying for the job.

    If I were in a good mood I'd call it poetic justice and leave it at that.

    But I'm not in a good mood today, so I'll just gloat by pointing out that payback's a bitch, and on behalf of the rest of us who no longer answer our phones because of pieces of subhuman shit such as yourself (oh, sorry, you only applied for the job, that makes you a wannabe subhuman piece of shit :) that I sincerely hope you never receive a non-telemarketing phone call again as long as you live.

    Now go away or I shall taunt you a second time.

  14. Re:telemarketers by buss_error · · Score: 2, Insightful
    > Since only a moron would want to be a telemarketer

    Since he didn't say if it was inbound or outbound TM, you might be premature on that rant. Sure, outbound (where they call you) sucks, but what's wrong with inbound (where you call them)?

    As for being a moron if he was going for an outbound job, let me say that if it comes down to feeding my family or not, I'm going to feed them. If this means I have to take an outbound TM job, well, I'll just have to do it.

    As much as I hate the Telemarketing business model, remember that the person on the other end of the phone (99 times out of 100) is just trying to make an honest living. I'm (mostly) polite to the TM's that call, and ask to be put on the "do not call" list. That works, except for some charities that won't leave you alone until you are dead 5 years.

    The long and the short of it is -- lighten up, 'cause life's too short to blow a fuse over a phone call.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  15. Re:Very interesting by kubrick · · Score: 5, Insightful

    Altogether though, ebay remains the absolute worst place to get your address harvested, with usenet a close second.

    Ebay must be lucrative for spammers; a whole 'audience' of people either with money to spend (buyers), or who are about to have money to spend (sellers). And this 'audience' has already self-selected; they're not afraid to spend their money online...

    --
    deus does not exist but if he does