Fighting Spam on the Home Front
Saint Aardvark writes: "Something interesting from the SecurityFocus Honeypot mailing list: a couple of honeypots for spammers. This message has a link to a how-to page for setting up a Sendmail honeypot to trap spammers, and the status page for a honeypot in Moscow that's trapped spam meant for >1.7 million recipients. The author mentions using a honeypot in conjunction with the Distributed Checksum Clearinghouse -- this seems like a great way to identify both spammers and their messages."
And C-Moan writes: "Wireless spam volume is likely to increase in the coming years. But smart use of spam-fighting measures can go a long way toward eliminating the problem. This article provides info about the latest crop of e-mail filters and enhanced mail client options, as well as two roll-your-own programming platforms that could help keep your in-boxes spam free."
I read the article, and it seems to be based on this.
(1) Spammer sends bunch of stuff to someone who is throwing it away, unread
(2) ? ? ?
(3) Spammer is discouraged from sending spam
In other words, I understand that the spammer THINKS his spam is reaching end users, when, in actuality, it is not. But I don't understand how that discourages or harms the spammer in any way.
God is real unless declared integer
The most effective solution for fighting spam is NOT legal; it is also not honeypots, or open server bans. It's community action.
Did you receive a spam directing you to a website? Good. Surf there. Reload. Reload a few hundred times. 800 number? Call it and complain. When they hang up on you, call back.
Multiply this by even a small fraction of the people the company sent spam to and swamp their lines and slashdot their servers. They won't be making any sales, and any earnings they do make won't come close to paying their bandwidth or phone bills.
I remember a while back, someone did a story about a day in the life of a script kiddie type person. I think a day in the life of a spammer would be much more educational!
"it's useless to attack the unwitting/stupid party"
I know someone who knowingly runs an open relay at work. He'd love to close it - he's *begged* to be allowed to take the time - he's overwhelmed with other work and he's too wiped to fix it on his own time.
We both think that the only way to get the Powers That Be to allow him to do the job is for the company to be threatened by lawsuit or legislation for having an open relay.
2) At times HTML emails contain images located on a server. This allows them to track if a message has been read and which message.
This is exactly that: most HTML e-mail messages you get contain an image. A lot of those images are formatted in such a way, like:
img src="http://www.spammersite.com/spampic.jpg?you@yourisp.com"
So the image displays, and they now have a list of e-mail addresses of people who looked at the message.
So now you don't even have to click anything, they know you are looking at the message just by your mail client opening the picture.
Do you Gentoo!?
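A defender-side check for the image-beacon pattern described in the post above, added here as example code (it is not from the thread or from any project it mentions). The HTML body, the hostnames (reserved .invalid/.example names) and the rule thresholds are constructed; it flags remote images whose URL embeds the recipient's address or an opaque per-message token, or that are 1x1 pixels.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample HTML mail body (not from the thread); hostnames are reserved names.
SAMPLE_HTML = """<html><body><p>Hello!</p>
<img src="http://www.spammersite.invalid/spampic.jpg?you@yourisp.example" width="1" height="1">
<img src="https://cdn.legit.example/logo.png" alt="logo">
<img src="http://track.spammersite.invalid/open.gif?id=a3f9c2d1e8b74f06">
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HEX_TOKEN_RE = re.compile(r"^[A-Fa-f0-9]{12,}$")  # threshold chosen for this example


class ImgCollector(HTMLParser):
    # Collects the attribute dict of every <img> tag in the body.
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def tracking_reasons(attrs):
    """Return the reasons an <img> looks like a per-recipient read beacon."""
    src = attrs.get("src", "")
    parsed = urlparse(src)
    reasons = []
    if EMAIL_RE.search(src):
        reasons.append("recipient address embedded in URL")
    query = parse_qs(parsed.query, keep_blank_values=True)
    if any(HEX_TOKEN_RE.match(v) for vals in query.values() for v in vals):
        reasons.append("opaque per-message token in query string")
    if attrs.get("width") == "1" and attrs.get("height") == "1":
        reasons.append("1x1 pixel image")
    return reasons


def find_tracking_images(html):
    """Return [(src, reasons)] for every image that triggers at least one rule."""
    collector = ImgCollector()
    collector.feed(html)
    flagged = []
    for attrs in collector.images:
        reasons = tracking_reasons(attrs)
        if reasons:
            flagged.append((attrs.get("src", ""), reasons))
    return flagged
```

A mail client or gateway that blocks remote image loads by default, or strips the flagged tags before rendering, defeats the read-tracking without needing to know the spammer's domain in advance.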
This isn't flamebait, but what is the point of doing all of this?
So now the spammers have a lot of worthless addresses. Well, let's think about that for a minute. Spam is built around a theory that next to no one will reply anyway, so that doesn't matter much. Spammers also rarely pay for their own bandwidth, choosing instead to spoof insecure machines to do their dirty work. So in the long run, you only end up giving them more worthless addresses, which creates more wasted bandwidth, neither of which really harms the people you are attempting to target.
We do not need more laws "protecting" us! What we really need is an easy-to-use universal email crypto standard where everyone will sign their email. Any mail not signed is immediately suspect. Any keys you do not recognize are suspect.
Standard crypto would serve us much better than any new law (or set of laws) and the possible abusive applications of said law(s). We would surely end up with all sorts of lawful and awful unintended consequences as a result of anything that is generated by any government.
~Sean
I've occasionally replied to spam posing as a potential customer, usually when I want to know who's really behind a particular spam. I don't hear back from humans very often, either. I doubt it's that the spammer (or his client) doesn't want our "business." In most cases I think it can probably be explained by one of the following,
a) Spammer sent spam, checked for replies for a while, then abandoned that dropbox for a fresh one. By the time I replied to his spam, he was no longer checking on that box.
b) Spammer sent spam, and because everything under the sun was in tune, someone with a clue was reading abuse@ and nuked his dropbox.
c) Spammer sent spam, got mailbombed with thousands of junk letters and didn't bother to clean the dropbox out. Both Hotmail and Yahoo - from my experience, anyway - will spool new messages for you even when you exceed your storage quota. Those messages won't show in your inbox until you delete some of the existing dreck, but they don't bounce either; we could be sending order inquiries to a "full" dropbox that's never cleared.
Of course, we can always dream about
d) Spammer sent spam, was visited by a few guys with baseball bats, and was rendered physically unable to reply to our solicitations!
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
You know why? It's entirely likely that spam would become 'legal', except pornographic spam. The second this whole thing started, the DMA would leap in about all the evil pornographers, the newspapers and 'parent groups' would have a field day about 'smut', and we'd end up worse off than we are now, because, while we'd stop getting porno spams, we'd end up getting more of other kinds, because they're magically 'legit'.
OTOH, it's already illegal to distribute pornographic materials to children, so if you want to have spammers who do it locked up, you have pretty good grounds to do so.
If corporations are people, aren't stockholders guilty of slavery?
Years ago a friend of mine used to do something similar: he had a web page that clearly stated the terms under which he would accept mail.
The page had a clearly stated no-spam-accepted policy, and said that the spam would be reported to the authorities; and in the wording of the policy, he had the email addresses (both semi-private work and public function) for legislators and gov. offices that deal with spam. [with, of course, abuse@[localhost]]
This way, if someone was using a harvester to get email addresses, they would end up possibly sending to the legislators that did not think spam was a problem.. [in 1997]
So it was not JUST a honeypot. It did have a function of informing.
--
Time is on my side
I might be wrong, but I am pretty sure that the spammers know enough not to send their crap to any address that ends in .gov. The email spiders they use probably screen it out so that the addresses never get put onto their lists.
Of course, if some unscrupulous person were to set up some fake email addresses in Hotmail, Yahoo, etc., and set them up to forward anything sent to the addresses to the senator's email, the results might be interesting. Especially after using the fake email addresses in a few select newsgroups.
It isn't really fair to blame interns who happen to work for [insert name of evil corporation] for the company's possibly unethical behaviour. I doubt that many people here agree with everything their employer does. (I know I disagree with my employer's decision not to promote me and give me a big fat pay rise...)