Slashdot Mirror
Fighting The Spammers Down Under
An Anonymous Coward writes: "The Sydney Morning Herald is running an interesting article about fighting spammers. It mentions that "Most of today's email spam, however, comes from a handful of culprits, described by Barry and others as "known criminals"." Does anybody else wonder who these people are, and what are the odds of having them shut down for good?"
www.spamhaus.org has a list of spammers and the ISPs supporting them. They also have some quite interesting articles on this topic.
In my humble opinion, the problem with spam block lists as they are today is that
1) they are not consolidated which means your network may end up being wrongfully isolated from one or two networks and you'll never know why your legitimate e-mail isn't reaching its destination and
2) if you get added to a list, some people aren't responsible enough to keep them updated. So if for example you had open-relaying on by accident (a common problem alleviated in the recent versions of sendmail) you may end up being "blacklisted" and if you try to contact the maintainers of those lists, you get no response and your domain is forever banished from the internet.
I heard the FCC (or one of those acronyms...maybe the FDA) is starting to create a national "blacklist" maintained by the government. I don't know if that's true, but that might actually not be a bad idea.
Just my US$0.02.. Hargun
Think nothing is impossible? Try slamming a revolving door.
here is an interesting article about a network admins experience tracking (stalking) a spammmerl
http://belps.freewebsites.com/index.htm
I hate spam as much as the next guy, and would love to see it done away with... but after stopping to think about it, I don't see it as really possible without consequences for everyone. In the long run, little annoyances like this that get complained about until the government or whoever does something about it, lead to more and more restrictions and more and more freedoms being taken away.
We need to stop and think, "Is it really worth it to give up more of our freedom just to get rid of a few emails that you can easily delete without ever having to read them?" Also, we need to ask ourselves if we think we can really eliminate this problem anyhow. How are we going to be able to determine exactly what constitutes spam? And what happens when some business receives an email from someone requesting information and sends them an email in reply about their products. It could be the case that person forgot they ever requested the info or that someone entirely different submitted the request under a fake name. How can it ever really be proved?
I just don't think it's worth pursuing...
later,
thundercatzlair
I send them off a nice fax, on a 50% grey scale, full page background which orders them to stop spamming..
Why 50% grey scale? Because it's near worst-case for fax compression (which expects mostly blocks of white then smaller blocks of black). Faxing a 1 page grey scale at 1200 baud can take 90 minutes (800 number, remember? It's on their quarter).
I'll usually do a voice callback first to make sure I'm not responding to someone who's being smurfed by an enemy.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
This points to the only long-term solution to spam - take out the profit motive.
But this is tied to the question of strong authentication of the sender (at least at the ISP level), and all of the privacy concerns that raises. E.g., a good way to kill spam is to require each message provide non-trivial e-postage. Perhaps USD0.25 per 20kb block. (After getting over 15MB in less than our from a misconfigured spambot with a huge payload, I am *not* willing to accept "one price for all" scheme!)
If the recipient found the message worthwhile, they could send an ack to their ISP and release the money back to the sender. Or they could let a reaonable time elapse, say 2 weeks, and the money would be released back to the sender. This could probably even be automated for explicitly named friends and mailing lists.
But if the recipient said it was spam, they keep the postage.
At USD0.25 per message, there's no profit motive in me lying whether a message is spam. But at USD0.25 per message, it's a safe bet that few businesses will send out 10,000 messages (USD2500) to snare a single response.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Recently I have learned quite a bit about spammers. The problem with shutting spammers down for good is either they go from ISP to ISP or they use open or blind relays in countries other than the US and Canada. They say that if you use an open/blind relay in Taiwan, for example, the violated party will not check the logs and report them. The two options that I have thought of so far are that ISPs in a particular region should cooperate and ban people who are known spammers (I will happily give the names of the ones I know) or have an international committee that mangages offenses and reports them to the offending ISP.
The other thing that could happen is the tech community could educate the rest of the email community. For example, you should not respond to any emails that have no links, only phone numbers. Also, do not respond to any emails that are asking for answers to a survey. This is how the spammers "clean up" their list. The real reason people keep spamming is because banner ads are not working, but email does. Of course, real opt-in lists are more expensive, so SPAM it is.
I believe that until ISPs or companies with mail servers start cooperating, SPAM will keep circulating the internet.
Hey, if you have a better idea, let me know.
Everytime I see a thread pop up on /. regarding spamming or other email abuse, I find myself compelled to repeat my suggestion for how we can effectively battle against these forces which leech the life out of the 'Net.
My suggestion is quite simple: All SMTP servers should put in place policies which reject mail that is not digitally signed with a certificate trusted by a root authority. Personal email certs should be free, commercial (for marketing purposes) should cost a reasonable amount.
This would enforce accountability behind emails by guaranteeing the identity of the sender. Do this and things will clean up considerably, imho.
mje0w!!!1!
If the FTC is really serious about going after spam, then we need to give them our support. More than that, we need to make them do their job with this. If most spam is fraudulent, and if most spam is sent by a relatively small group of people, then it stands to reason that getting rid of these hard-core spammers will go a long way toward reducing the spam problem.
Now don't get me wrong here. I'm not naive enough to believe that this is going to be easy. Spammers are slippery little worms, and stopping them for good won't be easy. However, there's nothing like a court order to give someone an attitude adjustment.
So here's the deal. The FTC wants to receive spam at uce@ftc.gov, so send it. My guess is that they like getting all spam, but bear in mind that they don't have jurisdiction over spam per se, just spam selling fraudulent goods and services. This is something they can latch onto and run with because they are empowered to stop fraud. If you send, be sure to include full headers so messages can be tracked back to the source. That way, if a spammer hops from ISP to ISP, it may be possible to construct a pattern that can be used to find and nail him.
As I said, I don't count on this to work, but if the FTC really is serious, then let's give them the evidence they need to bust some balls.
That light you see at the end of the tunnel might be from an oncoming train.
How about the /. hero Dmitry Sklyarov, his company ElcomSoft makes bulkmailer and Advanced Email extractor as well as other tools to clean email address lists and localize them. His company has made lots of $$$$ selling spam tools.
The Direct Marketing Association has this little checkbox on their page, which says "notify me when my listing expires".
EXPIRES? WHAT THE FUCK?
If I were naïve enough to belive that any of the sleazebags in the DMA would actually honor this list for *any* amount of time, I'd be pretty pissed off when the spam started flooding in when their database says my "leave me alone" notice has expired.
I trust these people about as far as I can throw them.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Well, I think asking the government for help here is a little counterproductive. Given the Government Nature, the solution will be shortsighted, intrusive, expensive, and will exclude rational thought. In short, they'll probably:
Declare a national moratorium on e-mail while a congressional steering committee holds a conference to determine the nature and extent of the problem.
Industry and Community Leaders who have never actually sent or recieved an e-mail will be called in to consult, as well as a couple of Hollywood Celebrities.
A proposal will be made to Nationalize e-mail under the State Department.
Objections from Civil Liberties Profiteers Inc. will lead to a "compromise" proposal to place control of e-mail services with that well-known private organization, The Post Office.
New "Spam Free" e-mail will cost $0.34 each, and take 3-5 days to deliver, but you can pay $3.00 and have a guarantee of delivery... in 3-5 days.
A new congressional committee will congratulate the Post Office and themselves for eliminating SPAM!!! And hold hearings to examine the new problem of "unsolicited e-mail."
Okay, that's a _slight_ exaggeration.
But seriously, the obvious ways to help are:
1. Very Public Boycotts of companies that use Spam tactics.
2. Encourage use of Digitally Signed E-mail.
3. Encourage efforts by ISPs to block e-mail from "repeat offender" sites.
4. Encourage the "securing" of open relays.
None of these methods involve letting politicians write laws which include new taxes, new power, or new public swimming pools named after them.
And by the way, given the nature of Enya's music and Eminem's "anti-music," I imagine that if they were to actually meet, the resulting music-anti-music reaction could deafen an entire medium-sized city.
All that pays do exist, both in Nature and Economy. The only way to solve the SPAM problem is to make SPAM stop paying. Can it be done without creating a bigger problem? Without hurting innocent people?
I don't know. Law enforcement helps but is largely ineffective. Reports to abuse addresses at ISPs doesn't work very well either. One-shot email addresses work sometimes, but that's not enough. Using fake addresses damage the legitimate owners of the domain one pretend to be. Filters are good, but they are more a surrender to the problem than a solution for it.
I think that the community needs an extra tool to fight SPAM. We need to set up a counter-attack, aiming at the right targets, not at innocent people. I propose to target the databases of email adresses used for SPAM, polluting them in such a way that almost every email address they have is a fake one.
How?
Many of these addresses are collected harvesting web pages for email addresses. Fine, so we just need to make "normal" web pages that say to people visiting them that they are fake, and place fake email addresses there. The fake addresses must be from existing, consenting sites.
Say for instance that the owner of somedomain.com wants to cooperate on attacking spammers' databases. First it builds a list of, say, 200 fake addresses like somename@somedomain.com, and arranges his email system in order to collect all the email send to these addresses in a special "SPAM-bag". Then it builds a dynamic page (cgi, whatever) with some text and images and a few email addresses. The email addresses are randomly collected from the list above. That page must be linked somewhere in order to be easily found by the harvesters.
Finally, in order to validate the fake addresses, the system must fake reading the emails collected in the SPAM-bag. Several spam systems send email with html with special marks, used to tell the sender that the email was readed. All those marks should be used (the links present in the message must be used to generate requests as if opened for reading).
If the owner of the domain somedomain.com makes, say, 100 fake adddresses for each valid address he has, the result can be that the spammers databases gather lots of garbage. Since databases and bandwidth are both finite, the result will be that the 150 million addresses that Mr. J. Random Spammer uses will turn into almost complete garbage.
Drawback: Bandwidth. If the domain has 100 fake addresses for each legitimate one, it will be exposed to 100 times more spam-mail than usual. I can't guess if this is a problem or not. I believe its not, at least not compared with the phisiological bandwith a human spends cleaning the spam out of his mailbox. The computer works harder, the spammers work harder, but the spam' victims don't. All accounted for, it seems to be a good thing.
and
ht
provide automated implementations similar to the suggested techniques.
Consider, for example, the position of PaeTec Communications. They've been unable to kick a spammer off (Monsterhut), as said spammer was able to obtain a temporary injunction. When the case is resolved, PaeTec will presumably win. Until then, however, the address range they lease to Monsterhut is getting added to numerous blacklists. I see no reason to why that address range shouldn't be removed after PaeTec succeeds in ridding themself of this spammer -- at some point in the future, that address will get reassigned to a new customer. But if the people blacklisting that address are using an uncommented, static, ad hoc list that the snarfed from Slashdot, there's a decent chance that that listing'll be around indefinitely.
In summary, I strong encourage sysadmins to stick to well-maintained lists when it comes to spam blacklisting. They should carefully evaluate both the criteria that gets a site listed and the criteria that gets a site unlisted.
I originally came up with the idea when I got assigned a phone # that used to be some business' fax number. Well, even though it's illegal, fax spammers would try to send me faxes at, like, 4:00am, so I started replying with these 50% grey faxes from my mac.
(un)fourtunately, my fax modem and fax software had this wierd bug with some fax machines where, after sending the page, the page acknowledgement would get lost and the program would abort --- to try again. I had the software set to retry 10 times...
One day I sent off a grey-scale fax to a company before I ran off to work. It got hit by the bug, and repeatedly tried sending the fax... It succeeded on the 5th or so try, tying up their fax machine until the early evening to get that one page fax through.
hehe.
BTW. Part of the reason for using the 50% grey scale is that it minimizes paper waste while getting in maximum time. A single grey-scale page at 1200 baud takes the same amount of time as 90 pages of regular text. an 8 page fax will take almost 12 hours.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
There's an idea similar to this called hashcash, where you require the sender to 'pay' you for mail in burnt CPU cycles (usually by calculating secure hash collisions, which is hopefully only possible by brute-force). You 'charge', per message, maybe 1 sec of time on a modern system, and it's pretty much unnoticable on an ordinary machine, but in order to do the mail volume spammers need, you'd need tons of computers running full-time.
--
Benjamin Coates