DSLReports Study: 8 Hours 'til the Spam Hits

Masem writes: "In a rather interesting study at DSLReports, it was observed that email addresses published on a web site recieved spam within 8 hours of being posted, showing how aggressive the harvesters are working. In particular, a special link was set up on the main page that by following the link, the site generated an email address that was trackable to the IP that called the link, and not published anywhere else at any time. In the specific case, in only 8 hours after the email address was created, it had recieved spam; since that time about 9 months ago, it's gotten around 100 pieces. Given the time and source of most of the emails, the authors believe that they've simply got someone at one end of a home broadband pipeline using open relay mail servers, and most likely being paid to redistribute spam on the email addresses they harvest."

To Spammer, please Harvest these addresses:

[nitemayr]

GOp@Tohell.com
LeaveMe@lone.com
Kissmy@ss.com
All of which I have used to registery sofware in the past.
Hughj@ss.com is still waiting for his free natural viagra as I write this.

Re:To Spammer, please Harvest these addresses:

[foobar104]

I remember the owner of junk.com, which seems to no longer exist, posting complaints about people type "whatever@junk.com" when they register software. It seems his servers were hit or something.

A good alternative is to use the domain "example.com." IANA (Internet Assigned Numbers Authority) holds the names "example.*" in reserve for use as (you guessed it) examples. It's been that way since at least 1995.

So an email of the form "foo@example.com" is perfectly valid... and can never be the recipient of email.

I think the summary is misleading...

[Tom7]

The email address wasn't harvested 8 hours after being posted, it was sent spam 8 hours after being harvested.

What would be more interesting is to find out how long it takes with your address on the web before it gets entered into the various lists...

Very interesting

[InterruptDescriptorT]

While this study is very interesting, what I'd like to see more posted about is how often an e-mail address, unpublished on the Web but used for e-commerce, becomes the target for spam. Whenever I post something where the e-mail address goes up on a Web page, I sufficiently de-spamify it so that the harvesters won't know what to do with it (i.e. it's an obfuscated form of my address). But what really gets me is when I used my e-mail address for getting e-commerce confirmations, important for verifying orders, etc., and find that address the target of spam, even when I decline it.

I also find it handy to have a 'spamdrop' account, which is just another e-mail alias on my host, for signing up for one-off things, like chat, games, etc. That account fills up incredibly quickly; I receive on the order of 50 spams/day at that address. Wow...

Re:Hmm...

[dagoalieman]

How about we put FBI and CIA email addresses up, or *.gov, and see how long until the spammers are raided?? I bet it could even be before that first spam gets out if we use the right addresses/web links..

I bet that time period for harvesting goes down pretty quick.. :)

.

How?

[SevenTowers]

On 6.26am the morning of May 13th, 2001, the link is hit from IP 24.1.197.144 - a residential cable modem in Arizona

Google is big. Google has a very fat spider going around. Google definitly does not check a nowhere webpage as soon as it is created! How can somebody on a cable account (limited bandwith?) scan pages at a high enough rate that they hit an almost invisible webpage soon after it was created? Big machine, big connection? spoofed IP?

Is this business really so lucrative that people are willing to spend hours working on it? It'd like to have some stats on how many people actually subscribe to the "services" advertised for in spam. I know a spider is not a lot of maintenance once setup and the distribution cost for the spammers is almost null because they make everybody else pay for it, but where the hell do they get the profit...

Re:How?

[Restil]

From what it sounds like. spammers delegate spamming to smaller, entities. Each of these enitites constantly scans its own set of pages, then sends spam to every address it finds. It might keep a list that it updates a master list with, or it might not. But the harvesting and spamming is done from many boxes on many networks.

This means, if there are enough of them, you could easily scan several tens of thousands of pages every day with little difficulty. And if one or even many of them get shut down, the spamming operation is not affected much. This is probably the first good example of a distributed network for profit. Too bad its such a slimy one.

-Restil

Random E-mail address?

[Peyna]

I'm curious how random the e-mail address was. If was something like 'bob79@', then I would expect it to receive spam regardless of being harvested.

I used to have an e-mail address that was andrew@, it was great for a year or two. I still have it, but I do not retrieve the messages since it receives 30+ SPAM messages per day. My other e-mail address is my first initial + last name, and my last name is rare enough that I get maybe 1 Spam message per month.

Re:Random E-mail address?

[leeward]

I think the point the article made, which got lost in the summary on /., is that the web page was up for awhile (the article only says A while ago) without receiving spam at the associated email address. When it finally received spam, they went back to the web logs, and found the entry corresponding to the unique email address that was generated for that particular hit. And they discovered that the particular web page hit corresponding to the spammer happened 8 hours before the spam arrived.

The interesting part to me is the conclusion that all subsequent spam over a 9 month period was the result of that single web page hit. That tells me that addresses are harvested off obscure web pages only occasionally. I suspect that most spammers get email addresses come from other sources.

New use for this?

[iamplasma]

Could this technique be changed. Rather than generating a mailbox for the spam to go to, based on IP, instead generate the abuse address for the IP's netblock owner.

That way, whoever is running the spider can start spamming direct to the abuse address, saving the site owner from having to report them. :)

maybe

THey don't need to work like google. Not that I am a spamspider developer, but my guess is that they scan IPs and connect to port 80. If they get a reply they follow all the links and snatch anything with an @ sign. It's incredibly simple and 8 hours seems reasonable. Try setting up a new web/ftp/mail server and look at the logs how much time it takes before they've been scanned. 8 hours is even to much. They probably got harvested much faster than 8 hours but got the first SPAM in 8 hours.

posting anonymously not to fatten my fat fat kharmah.. ;-)

CH

Solution?

[gnovos]

Does suing spammers work? For example, if you made a web-page that CLEARLY reads: If you agree to pay me $52,000, please send email to foo@bar.com. Consent of this contract will be shown by sending an email to that address, regardless of content.

Post this email NOWHERE else. Wait for a spider to come around and harvest... Is such a contract legally binding? I would think it would be, considering you can make online-payments and such, and those contracts are binding (i.e. if you promise to pay Amazon for your book, you have to do it, right?)

Re:Solution?

[edp]

I don't know if a judge will enforce such an agreement, but, just in case, here's an embellishment: Make the generated address contain not only the IP address, but also the agreement. E.g., I_the_user_of_IP_address_aa.bb.cc.dd_promise_to_pa y_you_$100_for_reading_this_email@mydomain.com.

That simplifies the process of proving you offered them an agreement and so on.

Re:Solution?

[Pussy+Is+Money]

This is just a variation on:

IMMA JUST GONNA GO LIKE THIS,

(Bart Simpson closes his eyes and starts spinning his arms)

AND IT'S NOT MY FAULT IF YOU GET HIT!

(Bart comes flailing towards Lisa)

Of course that's not legally binding. The law is not stupid.

Mod this question up, please.

[Lendrick]

How exactly does someone running a standard Windows install go about faking an email bounce? Or on Linux?

Lendrick

Re:Mod this question up, please.

[AragornSonOfArathorn]

This is why I love Mac OS X's Mail program... There is a menu option to bounce email :-) Why doesn't M$ put this in Outlook? Maybe they don't want people bouncing their (Microsoft's) spam?

Re:sneakemail

[Matthaeus]

Qmail is also great for this. In its default setup, if a user has e-mail address foo@bar.com, he can use foo-baz@bar.com for any values of baz (e.g. foo-realplayer@bar.com, foo-amazon.com@bar.com, etc). No work on the part of the admin is required unless an account starts getting too much spam.

Spam by unique email address

[slashdot.org]

I've been using the 'theirname@mydomain.com' technique whenever I provide an email to on-line stores.

I was amazed when I started receiving spam on 'premaritalagreement.com@mydomain.com' (only the mydomain is fake!) and I contact the people and they denied everything. But at least you can ban that email address and ban the company.

On the other hand it's funny when (for some reason) the company calls you to verify something, and they go over all the stuff and then get to the email. There was one person that just didn't get it: 'yeah, but that's OUR email address', recognizing her companies name. :o)

For those reasons some people generate an obfuscated (rot-13 for example) address.

In any case, the sad thing is that there's not much you can do against the companies that sell your email address, legally...

Comment removed

[account_deleted]

Comment removed based on user account deletion

this in nothing compared to hotmail!

[Not+Public]

for reasons I won't elaborate- I wound up creating a Hotmail account.. the suprise that makes this article trivial is that there was blatant spam WAITING for me the first time I'd ever checked it- at confirmation! needless to say, it hadn't been posted on any web site, newsgroup or used in any electronic transaction prior. Hell, I hadn't even written it down on the napkin I was taken notes on yet! Within 5 MINUTES I had 4 spam mails in my inbox. By the time I had sent a message to their support folks (customer and tech, with full header info- who STILL haven't responded) I had 12.
Obviously, its unusable. How many others have similar experiences?

ISPs / hosts selling e-mail addresses?

[aussersterne]

The following experiences have led me to wonder whether my ISP (AT&T Broadband) or my Web host (Doteasy) are selling e-mail addresses to spammers as they are created:

1. Created a new e-mail account for a friend at my doteasy domain. I am the only owner of the domain ever, and have held it for years. The e-mail address had never existed before. About 12 hours later, while helping my friend to configure outlook express to check the account, I was surprised to discover two pieces of SPAM already in the account. This is a new address that has never been used or given to anyone, ever.

2. After the AT&T @Home to AT&T Broadband fiasco, new e-mail addresses had to be created. One of the accounts I created (and did not use for anything) got spam within hours of its being created. Here again, this e-mail address had never been supplied to anyone but AT&T Broadband, in the process of creating it.

My reluctant conclusion (unless someone can explain some other solution to me) is that both ISPs and Web hosts routinely place e-mail addresses they host on lists which are sold to spammers, I guess as a way to supplement the revenue stream.

Re:ISPs / hosts selling e-mail addresses?

[rnicey]

They don't need to, their own incompetence gives away your email address for free.
I used to be a media1 (now ATT I believe) customer and logged into one of their big sun boxes for my free 5MB website via ftp.

cd ../..
ls -l

50,000 directory listings later I'm almost in tears. Simply add @mediaone.net to them and you've got a really saleable list. Tech support couldn't even understand what I was saying and I didn't want to push it, you never know what these stupid companies will accuse you of.

Yes, or at least it used to.

[aussersterne]

In 1997, I worked for a very small travel company that decided to try its hand at SPAM. Of course, take this anecdote for what it's worth (it *was* five years ago).

They set up a small server that would just browse around the Web and usenet harvesting e-mail addresses wherever they could be found. The first week they sent out about 80,000 pieces of e-mail per day. They got tons and tons of hate mail in return but also a few hits. The first day, there were about 60 sales of a $69.99 "travel club membership" product (essentially a hotel and airline coupon book), and by that Friday they were up to over 200 sales a day thanks to the SPAM. Totals for the week were something like 350,000 e-mails sent and 900 sales for a total of about $63,000 in revenue that week thanks to SPAM. The coupon book itself wasn't all that expensive -- the deals were promotional and each book only cost the company something like $12.00, so the net was around $52,000 for the week. Not bad for a computer sitting in the corner with a $100 piece of software -- this likely explains why spammers stay at it.

I left shortly thereafter so I don't really know whether they "stuck with it" or not, but it obviously can generate sales.

Open Relay Mail Servers...

[Hyped01]

On our networks, logging for almost two dozen domains, the largest source of spam via "Open Relay Mail Servers" is Hotmail. These emails are being sent via other servers, and mass mailed via hotmail servers being used to relay them. Hotmail's responses to the numerous complaints? "We'll cancel that user's account..." Often though it's not the user at fault, since you dont even need a valid Hotmail address to do this. So, even with notifying them of the real problem (open servers) and showing them headers that confirm it, they do nothing. Our incoming spam would drop by over 45% if they'd fix it. - Rob

Re:Open Relay Mail Servers...

[buss_error]

Or simply configure your MTA to reject hotmail.com, with a message to get a Yahoo account to mail your domain. That'd work too. Of course, MS will scream if you are a moderate to large ISP.

i0a5cpytzycvf001@sneakemail.com

i0a5cpytzycvf001@sneakemail.com

Just curious how long it takes from slashdot...
(11:06am Mon, Feb 18, 2002 JST)

Re:Have some fun

[Spackler]

Make their lists worthless. Compile this, run it...(snipped out overly long, but runnable C proggy)

Dood, learn some perl. Not only would it cut this down to a nice readable couple of lines, but you could also generate a different list every time the web page was hit. That way, it would really poison the well.

Spackler

PS: Yes folks, right tool for the job. Not every job.