Fighting Spam on the Home Front

Saint Aardvark writes: "Something interesting from the SecurityFocus Honeypot mailing list: a couple of honeypots for spammers. This message has a link to a how-to page for setting up a Sendmail honeypot to trap spammers, and the status page for a honeypot in Moscow that's trapped spam meant for >1.7 million recipients. The author mentions using a honeypot in conjunction with the Distributed Checksum Clearinghouse -- this seems like a great way identify both spammers and their messages."

And C-Moan writes: "Wireless spam volume is likely to increase in the coming years. But smart use of spam-fighting measures can go a long way toward eliminating the problem. This article provides info about the latest crop of e-mail filters and enhanced mail client options, as well as two roll-your-own programming platforms that could help keep your in-boxes spam free."

If you don't drop the TCP SYN, you're dead.

I run a fourth level .ca domain. It gets so much spam that the only solution for me was to put in firewall rules. TCP port 25 is open for my 5 friends, and a few mailing lists. For everyone else, it's closed.

I've got a longer rant on my web page, but I won't post it here, as the machine will die.

Suffix it to say that I can't afford 500k+ spams a day. The SMTP 'HELO', 'MAIL FROM', and 'RCPT TO' traffic for spam was getting to a gigabyte of
traffic every few days.

rbl doesn't work. The spammers that hit me aren't listed on it. 'teergrube' doesn't work. I can't afford the bandwidth or the CPU time to maintain millions of open connections.

When you get spam, if you do ANYTHING other than
drop the TCP SYN packet, you've lost.

Re:If you don't drop the TCP SYN, you're dead.

Well, a comment from your "Operator in Moscow" who is actually runs this system (h0n5yp0t url above). No, my system is well-running. It's i486DX4/100 machine (go to www.corpit.ru). I can control it to the level I need. But what I want this machine to be protected from is -- from being /.'ed... ;) I noticied that machine load average increased to about 8..9 and noticied huge amount of hits in my apache logs. I was unaware of this /. posting. Well, machine handled (and handles) this load pretty good.

Re:If you don't drop the TCP SYN, you're dead.

[Amoeba+Protozoa]

You should run teergrube, here's an answer as to why from the Teergrube FAQ:

How many connections will be tied up by a teergrube on my host?

A regular teergrube will hold up to ten connections open at a time. On the spammer's side there will be up to ten connections open for every teergrube he runs into. So decentral resources fight against centralised spammer ressources. The more teergrubes are installed, the better.

spider traps

[Alien54]

I recall a number of scripts meant to trap spidering harvesters by generating endless pages of bogus content, with bogus addresses.

I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.

Re:spider traps

[Raphael]

I recall a number of scripts meant to trap spidering harvesters by generating endless pages of bogus content, with bogus addresses.

You are probably refering to Sugarplum or Wpoison.

I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.

They perform two very different purposes: the poisoning scripts mentioned above are designed to fool the robots that harvest e-mail addresses. They slow down the spammers and introduce many invalid addresses in their list, but they cannot completely prevent the spammers from collecting e-mail addresses.

The fake open relays mentioned in the article are designed to stop the spammers from sending their spam. The spammers think that they have found a nice open SMTP relay and they dump all their spam to it, but in the end nothing is sent to the intended recipients.

You could of course run both on the same machine, but this is probably not a good idea because the goals of these spam traps is to convince the spammers that they have found a "live one". If there is anything that looks strange on the target site (such as a warning generated by their harvesting robot), it is likely that they would consider this to be a suspicious site and they would not try to use it to relay their spam.

Re:spider traps

[po_boy]

I just wrote a mod_perl apache module to implement a similar honeypot idea. The primary difference is, though, that if a spider requests a page from the honeypot, the webserver realize that it's a maliicious spider. After that the webserver refuses to serve any pages at all to that client for some time.

It's supposed to cut down on email harvesting bots and others that ignore the /robots.txt file

Delays with the sendmail-bd

[greyguppy]

I like the idea with sendmail -bd, not delivering any mail, but surely spammers will simply assume that an "open" relay that takes 2 days to deliver their test message is being moderated as such by somebody running a honeypot. Unless you can identify, and forward spam tests as quickly as if the mailserver was running properly, then the spammers will soon catch on.

Re:Delays with the sendmail-bd

[Raphael]

I do not think that many spammers pay attention to the delivery time for their test messages, because they usually send dozens or hundreds of probes at the same time. As long as the message is delivered (by hand) within a couple of hours, that should be sufficient.

But they will probably pay attention to this trick sooner or later. So we need a more sophisticated script than this simple "sendmail -bd". Maybe some kind of "limited open relay": a program that always delivers the first message received from any IP address, but delays (or drops) all the other ones coming from the same address. There could be a configurable threshold allowing more than one message per IP, in order to fool the spammers who would try to send two test messages.

Such a machine could be used as an open relay, but with limited consequences. As long as the administrator of the machine keeps the logs of all incoming IP addresses (with timestamps and as many details as possible), the messages that go through it will not do much damage.

Re:Delays with the sendmail-bd

[cornjones]

there was a school of thought on this that would increasingly delay the time between each message sent. first message goes right out. next takes 2 seconds, 4 seconds, 8, etc we all know how doubling works. simple but effective if I am sending a message to 4 or 5 people there is no noticeable delay. if I am sending to 50 people it will take a couple hours. any more than that you are probably spamming. in a real implementation you would probably come up w/ a more elegant scheme than doubling. B)

as w/ any spam ruleset there are exceptions. there should be a conf file for allowed mail senders such as if you are running a mailing list or the such.

it should be trivial to write something like this into a milter or to just put a wrapper in front of your port 25.

What am I missing?

[Carmody]

I read the article, and it seems to be based on this.

(1) Spammer sends bunch of stuff to someone who is throwing it away, unread

(2) ? ? ?

(3) Spammer is discouraged from sending spam

In other words, I understand that that spammer THINKS his spam is reaching endusers, when, in actuality, it is not. But I don't understand how that discourages or harms the spammer in any way.

Re:What am I missing?

[Carmody]

Uh, spammers send out spam to get orders, sales etc.. If their mails don't get through, they sell less and get discouraged.

You are misunderstanding me. I understand why it hurts spammers if their mail doesn't make it through to their destination. What I don't understand is why it is better to let them THINK it is getting through than it is to let them realize that it is not.

Re:What am I missing?

[GeorgeH]

(2) Spammer sees .01% response rate drop to .0000001% response rate (finding open relays, spidering email addresses, etc). Looks at books and sees that he spent 10 hours getting everything together to spam. Additionally, he spends 30 hours dealing with people who call pretending to be interested, keep him on the line, and then say that their credit card number is "spammers suck." So he spent 40 hours and only sold one widget, that he gets a $5 profit on. Realizes that he could have made more money working 40 hours at Mcdonalds, and there are nicer customers to boot.

The reason people spam is the cost is low. Increase the cost of doing business and they will reevaluate.

Re:What am I missing?

[ShaunC]

>What I don't understand is why it is better to let them THINK
>it is getting through than it is to let them realize that it
>is not.

Because if they think the spam is getting through, the spammer ends up wasting a whole lot of time sending spams which don't get delivered. If they realize they've got a honeypot, they move to another relay and start sending spams which do get delivered. Clearly it's better to have a spammer sending mail to nowhere than sending it to everywhere, but no spammer's going to intentionally send mail to nowhere. That's where the trickery comes in.

The idea is to occupy time and/or resources that the spammer would otherwise be using to pollute the net. The stats on the Russian honeypot show that they trapped a spam run which lasted four full days and totalled more than a million recipients. This adds up to quite a bit of wasted spamming time, and quite a lot of spam messages that would have otherwise been delivered.

Shaun

Re:What am I missing?

[Carmody]

(2) Spammer sees .01% response rate drop to .0000001% response rate (finding open relays, spidering email addresses, etc)

This is an interesting answer. If the spammer is looking at response RATES, that answers my question, because the honeypot will decrease the apparent response rate. But wouldn't a spammer be looking at the response TOTALS? In other words, "I spend $1,000 to send a spam, and I got $10,000 in orders, so I made 10x my investment." The response total will not change if there are honeypots or not, because the spam would be blocked by the ISP who set up the honeypot in either case.

Your argument works if the time investment (the 40 hours you detailed) goes up as the response rate goes down. I don't believe it does that - whether or not a honeypot is set up, the spammer still sends out the same quantity of spam.

Do you agree with me, or am I still being thick?

vipul's razor!!!1`

[notsoanonymouscoward]

This sounds alot like vipul's razor a fellow checksum'ing spam catcher. In addition to being free and open source, I think vipul's has been around longer than these other guys. They also use honeypots to catch lots of spam, but I believe not so much in the relay dept.

Spam only has a political/legislative solution

[GSloop]

I've come to the realization that the solution to spam is political/legislative.

I use SpamAssassin and it blocks virtually all spam, but that doesn't really solve the problem. Most users can't use spam assassin, or other good spam blocking system. Spamcop is good too, but that's now $3/month. Why should I be forced to pay to haul the spam, and $3/month not to see it?

The solution as I see it is this. We need legislation that allows for damages from the beneficiary of the spam. Almost all of the spam I get comes from SMTP servers in China and Eastern Europe. Good luck getting these people shutdown. Or, it comes from an open relay. Again, it's useless to attack the unwitting/stupid party, although it might have some effect here. But the spam beneficiary almost certainly has a bank account in your country, or some bank funds transfer mechanism. If they want to do lots of business with the US or other countries, there's going to be somefinancial presence there. So, we now have money...just tap into that money, by making the beneficiary of spam a civil tort, and spam just gets more expensive to promote.

When the demand for spam drops, because it's too expensive, then the demand for the out of country spam services drops, and eventually, most spam stops.

There would need to be some way to keep companies from being "set-up" as spam beneficiaries, but I think that shouldn't be too hard of a problem to solve. (Who's going to pay a spammer to "set-up" someone else, when the risk could be quite high if you get caught?)

Anyway, I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators. I don't know that they care, but I can pretty much guarantee they're going to get sick of getting such sicko stuff in the mail. Perhaps they'll actually do something. I've even pondered sending it all to every congressman and every senator, but that's a bit costly!

Well, do your damage...

Cheers!

Re:Spam only has a political/legislative solution

[hendridm]

Agreed. You can cite U.S. state-specific violations from this page. Remember, it's just as easy for them to ignore e-mail as it is for you to ignore spam, so send a postal letter to your representative or senator.

Re:Spam only has a political/legislative solution

[jazman_777]

I've come to the realization that the solution to spam is political/legislative.

I've come to the realization that the solution to spam is vigilante justice. That's how my emotions are, anyway.

Re:Spam only has a political/legislative solution

[Tazzy531]

EXACTLY!

In recent years, there have been talks about legistlations to pass a email fee. (in the same way that they would do with normal mail) I would gladly accept a couple spams rather than the alternative of a per-email fee.

Re:Spam only has a political/legislative solution

[mjh]

Do you want Congress passing laws about the content of e-mail??

The previous poster is not suggesting that congress pass laws about the content of email. He/she is suggesting that the beneficiary of spam be accountable for damages done through the sending of spam. So for example, if I set up an email account for my pre-teen son, and that email account starts getting lots of SPAM for porn sites, I should then be able to sue the porn sites who have attempted to benefit through the use of spam. Nobody's governing what can and can't be said, but someone does have to take responsibility for saying dumb stuff.

The idea is this: skip the middle man (the spammers) and go after the people who reap financial benefit - the sites/services/etc being advertised. If there's an additional cost to spam then perhaps the demand will dry up.

It's an interesting idea and I wonder if there are other implications that I can't think of.

Re:Spam only has a political/legislative solution

[david+duncan+scott]

I guess I'm just ignorant, but I've run Exchange servers, Mercury servers, and PostOffice servers, and my recollection is that closing the relay service was two clicks and a restart of the mail service in each case. What's your friend running that would make this so hard?

Re:Spam only has a political/legislative solution

[MillionthMonkey]

Well, if they did it right, it would be a natural step to take to combat spam. Of course, though, if they do pass laws about spam, they'll do it wrong, with a law that:
-Exempts a subset of spammers that includes all members of the DMA
-Has intended or unintended consequences for other, legitimate uses of email
-Has attached riders written by MPAA/RIAA lobbyists that criminalize a number of other things
-Spells out details of what should be in a valid SMTP header, thus creating a specification for legal spam (like the "ADV" subject line) that gives spammers a free pass, and that prohibits any further development or modification of the protocol
-Allows the government to snoop on port 25 traffic if they so choose (oh wait, we have that law already, don't we?)
-Places limitations on an ISP's liability if it becomes a spamhaus (unless it's a small ISP with no significant campaign contributions)
-Clamps down on alternative solutions that ire spamhauses ("now that we have these great laws, you shouldn't need those filters/blacklists/honeypots")
-Allows spammers to sue for damages if their packets are blocked or they are "falsely accused" (as larger companies start showing interest in spamming, you can bet on this)

Such legislation would naturally be approached from the angle of "Hmm, how can we turn this into a gift to corporations?"

When you think about it, programming and legislating are a lot alike. Programs have bugs, and laws have loopholes. The people in Congress look like they would make lousy programmers.

Re:Spam only has a political/legislative solution

[Swaffs]

"The solution as I see it is this. We need legislation that allows for damages from the beneficiary of the spam"

And watch as all Slashdotters start spamming each other with advertisements for Windows XP.

"I've even pondered sending it all to every congressman and every senator, but that's a bit costly!"

Email, man! :)

Re:Spam only has a political/legislative solution

[AnotherBlackHat]

And when the eco-terrorists, or the Republican party starts sending you "position papers" who do you sue then?

-- Is a "no soliciting" sign spam?

Re:Fight Spam

[Zach+Garner]

uce@ftc.gov is for this purpose.

UCE = Unsolicited Commercial E-Mail FTC = Federal Trade Commission

If you send it to someone like your congressman, YOU are spamming. If you do it often enough, I'm sure they will have a word or two with your ISP.

If someone sends you a letter filled with anthrax, forwarding it to the president will not make things better...

Teergrube

[quigonn]

What can be generally interesting when fighting spam is

1. razor (I recently posted a message about it on /.)
2. A "teergrube". This is german for "tar pit". In the ice age, animals like mammoths trapped into them, today the spammers shall trap into them. Lutz Donnerhacke wrote an interesing FAQ about it, you can get it from here (english, of course). IMHO every ISP should run such a teergrube on his SMTP host.

more documentation

I've just rented a dedicated server running freebsd, and I get messages of relay denied daily, now I need to accept relay for my users... so i've been reading about pop before smpt, thats a good solution, since I am not used to sendmail, it has been very difficult to configure it for me...I think we need a document to configure sendmail "for dummies"...all the documentation ive found is not so easy to understand.

Re:more documentation

[RollingThunder]

O'Reilly. The one word you need. The "Bat Book", which is their sendmail tome, helped me daily when I ran sendmail.

I now run postfix (or qmail, when I need EZMLM for mailing lists), and am eagerly awaiting their Postfix book.

Re:more documentation

[ncc74656]

I've just rented a dedicated server running freebsd, and I get messages of relay denied daily, now I need to accept relay for my users... so i've been reading about pop before smpt, thats a good solution, since I am not used to sendmail, it has been very difficult to configure it for me...

I've handled local relaying by just adding IP addresses and/or address blocks to the server config. It works as long as nobody has a dynamic IP address...since the addresses that are let through are all private-subnet addresses (people behind the firewall), this isn't a problem. Their mail gets out, but spammers in search of an open relay are cut off.

You might also want to look into qmail...it's much simpler to get going than sendmail, and IIRC no security holes have been found yet.

Somebody linked to this article on using Apache to find the bots that swipe email addresses from websites. While you're waiting for the bots to respond to their suggested changes, you might also consider searching your logs for other attempts at sending mail through your system. Searching all the logged 404s on my server turned up 91 attempts at exploiting webmail systems. Some were the result of Nessus scans I had aimed at my server, but filtering those out left 36 confirmed attempts.

Here are the user-agents that turned up:

• EmailSiphon
• Microsoft URL Control - 6.00.8862
• Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)

...and here are the addresses of the spammers (get a load of the last one on the list):

• 07-127.057.popsite.net
• 209.85.24.157
• 24-161-169-176.san.rr.com
• 24.27.210.44.pinecastle-ubr-a.cfl.rr.com
• 251.cleveland-05-10rs.oh.dial-access.att.net
• 2cust165.tnt2.ladue.mo.da.uu.net
• 63.116.175.28
• 64-214-40-67.brv.frontiernet.net
• ac85c77d.ipt.aol.com
• ac894f07.ipt.aol.com
• ac8b6f74.ipt.aol.com
• acb5c2f6.ipt.aol.com
• adsl-64-169-101-147.dsl.lsan03.pacbell.net
• adsl-64-172-45-126.dsl.snfc21.pacbell.net
• cm092.8.234.24.lvcm.com
• ip68-0-166-201.tc.ph.cox.net
• lsanca1-ar2-143-206.lsanca1.dsl.gtei.net
• pool-151-201-153-163.phil.east.verizon.net
• roc-204-210-146-77.rochester.rr.com
• tide86.microsoft.com

Wireless spam in Finland

Short-messaging (SMS) is enormously popular in Europe. Here in Finland, the porn spammers begun to capitalise on the popularity by sending "call this number to get your cock sucked by beautiful ladies" kind of SMS spam to arbitrary listed numbers including underage kids' cellphones.

This kind of spam exists no more. How? It was made illegal practically overnight and that shut the bastards down.

The spam problem is a political problem. Until there is enough political will in your governments to crack down on the spammers HARD, the spam problem will be getting worse and worse.

Re:Wireless spam in Finland

[ackthpt]

Political will in the US Government? Surely you're mistaken. Oh, sure they all jumped up and said their piece after Sept, 11, and a bunch of them actually are behind campaign finance reform, but they only do this AFTER it's a problem. Well, spam's a problem, but they've let phone solicitors drive us to screen messages on answering machines (which I swore I never would do, but do now) and all this BS is some twisting of "Freedom of Speech".

I'd like to see the House, Senate and Administration actually come up with some relief legislation on this and crack down hard. Pity, they won't do it, but they saddle us with DMCA.

Throw SPAM to the tarpits!

[weefle]

It would be really cool to take the relay blackhole list to an extreme, and enhance it with something like LaBrea. That way, instead of just immediately refusing to accept spam, freeing the spammer to move on to the next host on the list, a "tarpit" relay would bog the spammer down, maybe slowing their spamstream down to the point that they're sending only one message per hour. If we could get just a small percent of the SMTP servers on the 'net running such a tarpit, that would reduce the amount of spam that we all get. That is, until the spammers rewrite their software to give up on slow relays.

Re:Throw SPAM to the tarpits!

[Tazzy531]

One of the system administrators that I have worked with for a client has actually done this. He owns an ISP. Basically what he does is he setup the SMTP server to sleep for .001 milliseconds (or something small like that) for every email that you send. So if a person sends one email, there is no slow down. But if a person sends 100,000, after the 1000th or so, you'd have to wait close to a minute after each message sent. So at that point, the spammer figures his autospam program is bugging out and cancels to try again.

I've said it before and I'll say it again...

[Dimensio]

The only real solution to the spam problem is to kill spammers brutally, horribly and publically -- placing their heads on pikes as a warning to others. The US should encourage foreign governments to do the same under threat of airstrikes (though said airstrikes should only be centered on the locations of known spammers).

Yes, I'm serious about this. I despise spam and wish all spammers DEAD.

Re:Fight Spam

PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION ON "Unsolicited Commercial E-Mail"

On another front, the FTC set up a special electronic mailbox reserved for UCE in order to assess, first hand, emerging trends and developments in UCE. With the assistance of Internet service providers, privacy advocates, and other law enforcers, staff publicized the Commission's UCE mailbox, "uce@ftc.gov," and invited consumers to forward their UCE to it. The UCE mailbox has received more than 2,010,000 forwarded messages to date, including 3,000 to 4,000 new pieces of UCE every day. Staff enters each UCE message into the database; UCE received and entered in the database within the preceding 6 months is searchable. Periodically, staff analyzes the data, identifies trends, and uses its findings to target law enforcement and consumer and business education efforts.

What's funny is...

[linuxrunner]

I decided that one day I would reply to all the spam that I received in my non-personal mailbox.

I did
I then received all the mail back as undeliverable.
I replied the same day it was received so what good are these spammers doing? I mean, how do they expect to make any money if they were not there to take mine?

Re:What's funny is...

[dattaway]

I blame it on viruses.

My guess is that these spams come from infected computers that are infested with a virus designed to send out spam and infect more computers at random. It might have been months or years since the first round hit and the email address of the satan who sent it is long gone (hopefully dead.)

Re:What's funny is...

[Tazzy531]

Most spams do not use valid return addresses. They either have you click on a URL to go to a website or have you call a number or mail something to an address. The reason that this happens is that if they were to use valid emails, they could be tracked down easily. Their accounts would close once they are detected to be spammers. So they use dummy accounts at one of the free email services online. Or they setup dummy return address fields. This hides their tracks to an extent.

Another thing that they do is they send you spam just to check if you have a valid email address. There is probably greater profits in the sale of email addresses than what they seem to be selling in the emails. Even if you don't respond to it, 1) they don't get a auto-response bounce back (therefore it's valid) 2) at times HTML emails contain images located on a server. This allows them to track if a message has been read and which message.

Re:What's funny is...

[Binestar]

2) at times HTML emails contain images located on a server. This allows them to track if a message has been read and which message.

This is exactly that, most HTML e-mail messages you get contain an image. Alot of those images are formatted in such a way like:

img src="http://www.spammersite.com/spampic.jpg?you@yo urisp.com"

So the image display's, and they now have a list of e-mail addresses of people who looked at the message.

So now you don't even have to click anything, they know you are looking at the message just by your mail client opening the picture.

Re:What's funny is...

[AndroidCat]

That's why I never open spam. Instead, in Outlook Express, I use Properties/Message Source.

I got one spam that had code to cause a banner advertising hit for the spammer. I notified the banner ad company. I suspect the spammer was unhappy about the result.

Re:What's funny is...

[rbeattie]

The same thing happened to me, sort of. I had an email address that I was using through Mail.com and besides the fact that it's a horrible service, the amount of spam I was receiving was nuts - I just used it too much on the web during the 90s not realizing what I was doing.

So I changed email addresses and I set up the Mail.com email system to auto-respond with a message that said that it was an old email account and to check my website for the new one (thus not sending my email to Spammers ... Yes I know about web-scrapers... what can I do). Anyways, now I have to go into the mailbox every week or so to check for bozos who still email me at the old address and to clean out all the SPAM I receive AND all the Bounced Mail messages. It seems that every single instance of Spam uses a fake email address or an address at Yahoo or Hotmail which fills up in 10 minutes.

So trying to figure out why the hell would anyone send me a message from a fake address, I determined it was obvious if you read the email. They always include a link to some random website (.ru anyone?) and when you arrive, there's absolutely no contact info, but always a pitch for some product or service and a form to put your credit card info in. Fuckers. I HATE SPAMMERS.

From this experience I thought I'd really like to implement a sort of "thank you note validation" system on my mail server where every message that comes in would be responded to automatically with a "thank you note". Any response email that bounced would automatically mark the original message as spam. This of course would bring the Internet to it's knees if everyone did this (here's a thank you note for your thank you note) and temporary mail server or router outages would also cause false-readings, but still...

My COMPLETELY INEXPERT opinion is this: We're all using SMTP - SIMPLE message transport protocol. It's now time for a NON-SIMPLE solution. The CMTP if you like (c for complex). If you want to send mail, you have to register your email address with an officially sanctioned registrar (yes, I know, it'd be like ICANN except worse) and then those messages would be digitally signed and your mail server could be set up with levels and filters. You could still receive unsolicited mail, but if it was from a known corporate entity, you could acurately filter it out.

I remember when I set up my first SMTP server and email system and found out that you can basically lie in all the to and from fields and IT DOESN'T MATTER, I thought, that's sort of weird. Now I realize it's completely broken, not weird.

My thoughts...

-Russ

Re:What's funny is...

[Chops]

That means, hopefully, that the system is working: People get spam, people forward spam to abuse@sourcedomain, admin shuts down the spammer with extreme prejudice, spammer doesn't make any money.

I love spam. I really do. I love the malicious thrill I get from digging through the headers to find the magic Received-by: line that will be the target of my ire. I love the sudden urgency it brings to my day ("Gotta get this bastard before he makes a sale..."). More than anything I love to get that email back from the admin desk saying, "This account has been terminated. If you have any further comments blah blah blah..." When that happens, I do a little dance, because it means some pig bastard just lost money because of me. Someday, I'm sure I'll get bored and cynical and just starting using MAPS, but I don't think it'll be soon.

most effective

[TheSHAD0W]

The most effective solution for fighting spam is NOT legal; it is also not honeypots, or open server bans. It's community action.

Did you receive a spam directing you to a website? Good. Surf there. Reload. Reload a few hundred times. 800 number? Call it and complain. When they hang up on you, call back.

Multiply this by even a small fraction of the people the company sent spam to and swamp their lines and slashdot their servers. They won't be making any sales, and any earnings they do make won't come close to paying their bandwidth or phone bills.

Re:most effective

[TheSHAD0W]

Most advertisers won't pay for multiple hits from the same user. ;-)

Re:most effective

[mmontour]

www.overture.com (formerly GoTo.com) is a search engine where advertisers pay for clickthroughs, and each search result shows you how much your click costs that advertiser (more $ == higher search ranking).

Search for "bulk email".

Click through the first 10 or so.

Multiply by the Slashdot Effect.

Smile.

(I am not associated with overture.com, nor is this an endorsement of their services. But anything that bleeds money from spammers is good IMHO).

day in the life of a spammer...

I remember a while back, someone did a story about a day in the life of a script kiddie type person. I think a day in the life of a spammer would be much more educational!

Two spam stories in a day!

[cecil36]

We first got a way that can punish spammers that dates back to the 1600's, and now a way that we can trap them. Just think, instead of locking up Bernard Shifman in a damp dungeon in England, we could honeypot his resume, then smear real honey all over Bernie and leave him near an anthill with a bunch of red ants.

Another article about stopping spambots

[primetyme]

shameless plug

I posted an article that deals with stopping spambots with common apache tools last week in the apache section of slashdot. hopefully some can find use of it here as well :)

here's the link directly to the article as well:
Stopping Spambots II - The Admin Strikes Back

Yup, installed it a couple of weeks ago.

[Moderation+abuser]

Makes quite a difference. I've pointed my trollbox at the report script. My own spamido scripts were OK, but lacked the distributed functionality of Razor.

make people pay for email!

[supernova87a]

Perhaps this has been discussed before, but why not have ISPs levy a per-email-charge so that the real cost of sending these messages is reflected? It's not like it would take a quantum leap in billing technology.

Let's make it $0.01 per email, which will cost near nothing to the average email user, but for the lousy spammer who sends out 10,000 emails, this will set him back $100.

People will only change their behavior if it hits them right in the pocket, as soon as they carry out that unwanted behavior. Why should email be free for people to abuse?

Re:make people pay for email!

[Halo1]

That wouldn't help at all. The reason is that almost all spammers send all their mail through open relays which are located in Asia most of the time. Nowadays, they also often tunnel their smtp connections through open http and socks proxies, so even port 25 blocking/intercepting wouldn't help.

The only thing your suggestion would do, is increase the cost of complaining to the originating ISP's about spam sent by their customers.

Re:make people pay for email!

[supernova87a]

If you told the public that a $0.01 charge per email would reduce spam and lower the costs of ISPs doing business, I think they would accept it.

I think it would pretty simply eliminate the open relay servers flooding the world with unwanted email -- if they don't pay for what they send, then their emails are rejected.

Email is surprisingly similar to real mail. We want to receive something, but not get flooded with useless junk. It's a security risk. It's a nuisance. Let's apply models that have worked -- pay for email. Why not?

Move it up a level?

[martyb]

Question: If this idea is viable, why don't ISPs implement it, too? For example, if AOL used this technique on a few of its dial-up (or cable) IP addresses, they could potentially make quite an impact. Futher, they could apply this technique across each of their address blocks. They could also rotate through the address block the particular addresses which act as the honeypot.

Now imagine that AT&T, Earthlink, MSN, and other ISPs implemented this, too, that should put a HUGE DENT in spamming.

Granted, this would chew up bandwidth on their network, but delivering spam chews it up, too.

Please, if there are mistakes in this, don't mod me down but instead point out what ISPs COULD DO to make this work. Thanks!

Works on the clueless ones, I suppose

[damiangerous]

But any spammer worth his TOSsing will simply salt the list with a known address or two he set up himself to check his spam run.

Want to stop span?

Get 1000 /.ers to setup a web page on a simple box they already have or on a free web server... in fact, setup hundreds of pages. Embed in the page every political email address you can find as well as a honeypot one you setup. Set the honeypot one up to forward to the political addresses as well (all of them).

After senator what's his face gets spammed by 10000+ p04n addresses a day for weeks on end he might take notice.

Re:Want to stop span?

[TeddyR]

Years ago a friend of mine used to do something similar: He had a web page that celarly stated the terms which he would accept mail.

The page had a clearly stated no-spam accepted policy, and that the spam would be reported to the authorities; and in the wording of the policy, he had the email addresses (both semi-private work and public function) for legislators and gov. offices that deal with spam. [with of course abuse@[localhost] ]

This way if someone was using a harvester to get email addresses, they would end up possibly sending to the legistlators that did not think spam was a problem.. [ in 1997]

So it was not JUST a honeypot. It did have a function of informing.

Re:Want to stop span?

[/tmp]

I might be wrong but I am pretty sure that the spammers know enough not to send their crap to any address that ends in .gov The email spiders they use probably screen it out so that the addresses never get put onto their lists.

Of course if some unscrupulous person were to set up some fake email addresses in hotmail,yahoo etc etc.. and set them up to forward anything sent to the addresses to the senators email the results might be interesting. especially after using the fake email addresses in a few select newsgroups.

Anyone ever...

[digitalsushi]

anyone ever responded to a spam pretending to be interested in the product? I get about a 20% turnaround on "serious inquiries". If I am using a real email address and look like a real customer, and they arent even writing back to me... they must be spamming several times what they could "legitimately" handle.

Having looked over DCC

[Moderation+abuser]

It looks like it's designed to integrate quite well with sendmail while Vipuls Razor is easier to plug and play with Procmail.

Vipuls Razor looks easier to install and get running, but DCC might be more effective for high capacity sites.

Two slightly different approaches, Vipuls Razor is Perl based and DCC is written in C. How's about a common data format, common databases and servers?

It's for the Children!

[eth1]

Maybe we can capitalize on the It's For The Children idiocy that seems so prevalant in government:

1) Have your 14-year-old kid set up and email account somewhere.

2) Help him/her write an innocent letter to your representative complaining about the inappropriate spam s/he is recieving.

3) Watch them trip over themselves to Save The Children =P

Re:It's for the Children!

[DavidTC]

That is actually a horrible idea. Well intentioned, but horrible. It's been gone over in the newsgroups to death.

You know why? It's entirely likely that spam would become 'legal', except pornographic spam. The second this whole thing started, the DMA will leap in about all the evil pornographers, the newspapers and 'parent groups' would have a field day about 'smut', and we'd end up worse off than we are now, because, while we'd stop getting prono spams, we'd end up get more of other kinds, because they're magically 'legit'.

OTOH, it's already illegal to distribute pornographic materials to children, so if you want to have spammers who do it locked up, you have pretty good grounds to do so.

Re:It's for the Children!

[Ldir]

I actually had this happen to my 11-year-old. When I first tried to set up an @home account for him, his name (first.last) was already in use so I used another variant. With the disintegration of @home, their customers are moving to new ISPs. In the process, we discovered that my son's name had become available, both at @home and at our new ISP.

We switched his account to the first.last format, and he immediately started receiving lots of spam - including porn - meant for the previous user. My wife was horrified, and wouldn't let him check e-mail until she screened it first. Once we moved entirely off of @home, the problem went away ... for now.

ISPs need to do more...

[digitalsushi]

replying to this article as an isp with about 12k email accounts, I'd like to point out that the biggest thing holding an ISP back from implementing large global spam blocking routines is the fear of dropping more than zero legitimate emails. It's like that old legal thought, "better to let 10 guilty men go free than to jail 1 innocent man". If I blocked an email inviting someone's grampa to the family reunion and killed 500 pr0n spams, and found out about it, I'd feel miserable for days. (Not that such a ruleset would be that likely to trigger for both- if it did I'd prolly end up with a giant R branded to my forehead for "regex")

Re:ISPs need to do more...

[Masem]

What an ISP should do is not necessary block spam, but to simply add a header (something that should be agreed on) like "X-Possible-Spam: Yes", then instruct the end users that they can choose to ignore the header together, use the header to filter the mail into the right places, or simply refuse to accept the header altogether. Of course, in such instructions, a big blazing notificiation that "You may lose legitimate email by setting this option" for the last choice would be necessary else face a lawsuit. Or, even more detailed, use something like "X-Spam-Level: (number)" where a level of 0 is nothing that looks like spam, while some higher number, say 5, are perfect matches for known spam messages. Intermediate levels may or may not be spam. Of course, I don't believe that the GUI mail clients can do 'math' on the headers for filters, but the idea is there.

Basically, this doesn't block the delivery of any message to the end-user but gives the end user of filtering out spam if they desire. However, this puts the burden on the ISP to actually do such filtering, and unless one has a mail client with CPU cycles to spare, that might be hard to do. However, given what the averge person knows on email filtering, this might not seem unreasonable for an ISP to impliment to keep & gain customers. Of course, a key part of this is that there needs to be agreements on what format to take such that users that swap ISPs don't have to reconfigure their clients to use a different filtering system.

Re:ISPs need to do more...

[CritterNYC]

What about the bounce message? When you use a good open relay blocking list (like ordb, my favorite), your mail server refuses to let the offending server send the message. The offending server reports back to the sender that the message did not go through. So, if Aunt Alice is sending out the message to Grandpa about the family reunion and receives a message back that the message couldn't be delivered... she'd just call him. The only really bad anti-spam technique is filtering that just discards messages. The sender doesn't know it wasn't delievered. With blacklists, the sender knows.

Re:ISPs need to do more...

[ehintz]

So, if Aunt Alice is sending out the message to Grandpa about the family reunion and receives a message back that the message couldn't be delivered... she'd just call him.

Problem is, most endusers are far too daft for this. They get the bounce message, and because they're deathly afraid of these crazy machines, they read the message which very clearly says "We thought this was spam so we bounced it, call our customer service line at 800 555 1234 if we made a mistake"; then they turn around and ask their local guru "why did this bounce and what should I do"? And the local guru says, "Well, it looks like they thought this was spam so they bounced it, you should probably call their customer service line at 800 555 1234 and tell them they made a mistake". The problem here is that the boneheads with no guru will stumble off to the living room for a refreshing episode of "Everybody Loves Raymond" and gramps won't get to the reunion.

Checksumming -- defeatable?

[fm6]

Checksumming strikes me as very easy to defeat. Just have the mailer append a random string to each message body. I've noticed most spam already does this with subject headers. Am I missing something?

Re:Checksumming -- defeatable?

[zsmooth]

Am I missing something?

Yes. The DCC page states that they use a 'fuzzy' checksumming algorithm that doesn't just checksum the whole message, and that the algorithm is evolving as spam evolves.

Re:Checksumming -- defeatable?

[AnotherBlackHat]

Checksumming strikes me as very easy to defeat.

It is.
A rock will let you enter a locked car, but you still lock your car.
A filter doesn't need to be 100% effective to be useful,
and it's not likely that spammers will care until this kind of thing is guarding more than 50% of mailboxes.

The random string is more likely a tag to find out who responded than an attempt to bypass filtering.

-- Is a "no soliciting" sign spam?

Re:Checksumming -- defeatable?

[Amoeba+Protozoa]

Yes. The DCC page states that they use a 'fuzzy' checksumming algorithm that doesn't just checksum the whole message, and that the algorithm is evolving as spam evolves.

I cannot speak to what approach DCC uses, but razor only picks pieces of a message it believes to be static when computing its SHA1 hash. In the very near future, razor is going to implement Nilsimsa hashes which are 'fuzzy' and should be able to detect everything from spam with minor differentials to mutating e-mail viruses.

Combined with the new razor trust system, razor is going to be quite the tool; and when used in conjunction with SpamAssassin we'll have quite the arsenal to battle unwanted spam.

Hmmm

[NiftyNews]

This isn't flamebait, but what is the point of doing all of this?

So now the spammers have a lot of worthless addresses. Well let's think about that for a minute. Spam is built around a theory that next-to-no-one will reply anyway, so that doesn't matter much. Spammers also rarely pay for their own bandwidth, choosing instead to spoof unsecure machines to do their dirtywork. So in the long run, you only end up giving them more worthless addresses that creates more wasted bandwidth, neither of which really harms the people you are attempting to target.

Re:Hmmm

[pjrc]

This isn't flamebait, but what is the point of doing all of this?

So now the spammers have a lot of worthless addresses. I believe the point is/was to trick the spammers into wasting their time sending out emails to a server that they believed would relay them, but in fact was not.

This concept is a separate tactic from hosting pages filled with bogus addresses intended to "poison" the spammers lists.

The solution is not legislative!

[warpSpeed]

We do not need more laws "protecting" us! What we really need is a easy to use universal email crypto standard where everyone will sign thier email. Any mail not signed is immediatly suspect. Any keys you do not recognize are suspect.

Standard crypto would serve us much better then any new law (set of laws) and the possible abusive applications of said law(s). We would surly end up with all sorts of lawful and awful unintended consequences as a result af anything that is generated by any government.

~Sean

SpamAssassin!

[mr.nicholas]

I guess I have to throw in my $0.02 here. Instead of relying on a single services or technique for stopping SPAM, try something heuristic that combines the best of multiple worlds: SpamAssassin, for example.

It uses a weighted score that derives it's values from a variety of sources including Razor and various Black Hole Lists.

The type of heuristics are along the lines of:

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (12.24 hits, 5 required)
SPAM: Hit! (1 point) From: contains numbers mixed in with letters
SPAM: Hit! (1.2 points) From: does not include a real name
SPAM: Hit! (1 point) 'Message-Id' was added by a relay (2)
SPAM: Hit! (1 point) Subject contains lots of white space
SPAM: Hit! (1 point) BODY: List removal information
SPAM: Hit! (1.56 points) Contains phrases frequently found in spam
SPAM: [score: 26, hits: accept credit, credit cards,]
SPAM: [fill out, for your, more information, our]
SPAM: [company, phone number, receive further, remove]
SPAM: [the, reply this, subject line, thank you, the]
SPAM: [subject, this email, wish receive, word remove,]
SPAM: [you for, you like, you wish, your]
SPAM: [email]
SPAM: Hit! (1 point) spam-phrase score is over 20
SPAM: Hit! (1 point) Received via a relay in inputs.orbz.org
SPAM: [RBL check: found 14.54.162.63.inputs.orbz.org.]
SPAM: Hit! (2 points) Received via a relay in relays.osirusoft.com
SPAM: [RBL check: found 6.223.155.212.relays.osirusoft.com., type: 127.0.0.9]
SPAM: Hit! (1.48 points) Subject contains a unique ID number
SPAM:
SPAM: -------------------- End of SpamAssassin results ---------------------

Re:SpamAssassin!

[Amoeba+Protozoa]

I guess I have to throw in my $0.02 here. Instead of relying on a single services or technique for stopping SPAM, try something heuristic that combines the best of multiple worlds: SpamAssassin [spamassassin.org], for example.

Just for laughes, here's the record SpamAssassin score in one of my spam's:

SPAM: --- Start SpamAssassin results ---
SPAM: This mail is probably spam. The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM:
SPAM: Content analysis details: (31.38 hits, 5 required)
SPAM: Hit! (1 point) From: contains numbers mixed in with letters
SPAM: Hit! (1.2 points) From: does not include a real name
SPAM: Hit! (2.37 points) Message-Id generated by a spam tool
SPAM: Hit! (1.94 points) From: ends in numbers
SPAM: Hit! (0.9 points) Message-Id is not valid, according to RFC-2822
SPAM: Hit! (0.01 points) BODY: Asks you to click below
SPAM: Hit! (1.32 points) BODY: Contains word 'guarantee' in all-caps
SPAM: Hit! (1.93 points) BODY: Contains a 1-800- number
SPAM: Hit! (1.2 points) BODY: HTML mail with non-white background
SPAM: Hit! (4 points) BODY: Uses control sequences inside a URL's hostname
SPAM: Hit! (1 point) BODY: Link to a URL containing "opt-in" or "opt-out"
SPAM: Hit! (1.82 points) BODY: Link to a URL containing "remove"
SPAM: Hit! (1 point) BODY: Image tag with an ID code to identify you
SPAM: Hit! (1.56 points) Contains phrases frequently found in spam
SPAM: [score: 20, hits: click here, email address,]
SPAM: [from future, future mailings, here for,]
SPAM: [including shipping, offer order, this email,]
SPAM: [with our, with this, you not, your]
SPAM: [email]
SPAM: Hit! (3 points) Listed in Razor, see http://razor.sourceforge.net/
SPAM: Hit! (1 point) spam-phrase score is over 20
SPAM: Hit! (3.33 points) HTML-only mail, with no text version
SPAM: Hit! (1.8 points) No MX records for the From: domain
SPAM: Hit! (1 point) Received via a relay in orbs.dorkslayers.com
SPAM: [RBL check: found 11.124.183.200.orbs.dorkslayers.com.]
SPAM:
SPAM: --- End of SpamAssassin results ---

Now I've turned spam into something of a game. I have procmail rules tell me when a new record has come in so I can laugh at how cliché the message is. It's fun. Really.

The sad thing is that spammers are most likely already using these rules to try and author messages that will sneak in "under the radar" so to speak. I wouldn't be suprised if I start getting messages in pig-latin one day.

-AP

Re:SpamAssassin!

[GSV+NegotiableEthics]

"My mailbox is clear! How can we thank you, Spam Assassin?"

Seriously, I downloaded this and it looks like fun to use. I'll definitely give it a go. Thanks for posting this advice.

Users of Debian unstable can apparently just apt-get install spamassassin. Great stuff, but I'm paranoid enough to want to keep running potato for now.

Re:SpamAssassin!

[Kris_J]

I wouldn't be suprised if I start getting messages in pig-latin one day.

SPAM: Hit! (2.12 points) BODY: Contains ig-latin pay.

Re:SpamAssassin!

[krogoth]

I want a spamassassing "Worst Spam" contest - yesterday I had one message with 35.5 points (the only changes I made were to reduce the scores of a few rules).

Cratered or overloaded dropboxes

[ShaunC]

I've occasionally replied to spam posing as a potential customer, usually when I want to know who's really behind a particular spam. I don't hear back from humans very often, either. I doubt it's that the spammer (or his client) doesn't want our "business." In most cases I think it can probably be explained by one of the following,

a) Spammer sent spam, checked for replies for awhile, then abandoned that dropbox for a fresh one. By the time I replied to his spam, he was no longer checking on that box.

b) Spammer sent spam, and because everything under the sun was in tune, someone with a clue was reading abuse@ and nuked his dropbox.

c) Spammer sent spam, got mailbombed with thousands of junk letters and didn't bother to clean the dropbox out. Both Hotmail and Yahoo - from my experience, anyway - will spool new messages for you even when you exceed your storage quota. Those messages won't show in your inbox until you delete some of the existing drek, but they don't bounce either; we could be sending order inquiries to a "full" dropbox that's never cleared.

Of course, we can always dream about

d) Spammer sent spam, was visited by a few guys with baseball bats, and was rendered physically unable to reply to our solicitations!

Shaun

Not Quite So Easy.

[BadlandZ]

I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators.

How's that going to help if the porn sites are in China? Passing a law won't change it, your Congressman and Senator would have to be willing to support some kind of "punishment" in the form of economic sanctions or something on the country as a whole.... If that... It's not going to happen, not by just passing a law.

If it were to be stopped by law, it would have to be an INTERNATIONAL law (funny how electrons in cables don't know to carry a passport and stop to check in with the Customs Officer when they cross a border).

And, EVERY country would have to support the law. Or else the spaming operations would just move to a country that allows it. Good luck getting every country in the world to agree to an international policy just to keep spam out of your inbox.

Sorry to rant, but it gets on my nerves when ANYONE thinks the USA has some right to make any Internet regulation at all.... because, they are trying to control something that extends way beyond the countrys borders.

Re:Web Applications that Require Confirmation

[J'raxis]

A better trick: You should create multiple aliases that all point to that account, and use one alias for each transaction. Then you can track down who is doing the spamming.

spam-real@you.com
spam-ebay@you.com
spam-amazo n@you.com
spam-nytimes@you.com
&c.

If, for example, spam-amazon@you.com starts getting spammed two days after you created it, and you only gave this address when you signed up for Amazon, guess who sold or was sloppy with your address?

Here are some resources

[ShaunC]

Check out Rokso. This site maintains a database of well known spammers, as well as spam samples, MO's, partners in spam and, yes, personal info for many of the spammers.

Try going to SPEWS and searching on the IP addresses of any SMTP relays used in the mail. If you find a hit, view the evidence file. It will usually contain information about the sender of the spam, their ISP, and related domains.

Subscribe to news.admin.net-abuse.email via your news provider of choice, or search the archives at groups.google.com. If you type in some particulars about the spam - for example the domain being advertised, or maybe the email address listed on the whois for that domain - Google will usually bring up some pertinent matches from NANAE. When it's a new spam run, or a new spammer, remember that Google's archive is usually at least 12 hours behind.

If you don't find anything, or even if you do find something and you're in a sharing mood, post the spam you get to news.admin.net-abuse.sightings and if you've done any research into the spammer, include it at the top of your post.

Shaun

Careful - violate USPS requlations?

[Ldir]

You should be careful before sending pages of porn to your congress-critters. I don't know the details, but I know there are laws in the U.S. re. snail-mailing porn. Your spammers would probably really enjoy having you in court, possibly even in jail, while they continue to spam porn to the world.

Just a thought.

Does anyone know the requlations regarding sending pornographic materials via the US Postal Service?

Re:Careful - violate USPS requlations?

[GSloop]

Does anyone know the requlations regarding sending pornographic materials via the US Postal Service?

Yes, I'd like to know...

But, I think it would be very NEWSWORTHY for me to get "prosecuted" for sending porn in the mail to my representatives, when government refuses to do anything against the spammer and the beneficiary of the spam for sending it to me in th first place.

Plus, I think they would have a difficult time making it stick, as it would be the most protected speech. Speech to a representative for political discourse... (Or am I full of it?)

I would really hate the time spent fighting it, and the expense, but I could really raise the roof if I was able to get it in the press.

This is rather a cool idea. I might just "push the envelope" to see what a stink I can raise!

Any suggestions?

Cheers!

It would be fun...

[2Bits]

if we can set up a trap and let the email-harvesting bots come in, and the trap sends back a virus to blow the machine up, or something less dramatic like deleting the contents of the hard drive.

Is this legal? Is this feasible? I'm no expert is email system and scripting.

I set one up

[CaptainSuperBoy]

Follow my sig into the spam death chamber....

This doesn't have to be your problem.

[TheMCP]

Look, you don't have to make this decision. Install a solution, default it to "off" for all customers, put up a web-form for them to turn it on FOR THEIR INDIVIDUAL ACCOUNT if desired, and send all customers instructions including a full and accurate description of the consequences.

If they don't want to live with the possibility of not getting their invitation to the family reunion, well, fine, they can live with the spam. If they're willing to risk losing that invitation in order to kill the corresponding 50 spams that they would receive with it, great, they can turn on the solition for themselves and then they have no right to complain if some legitimate email gets lost because, well, YOU WARNED THEM.

You'd be surprised what thye get up to...

[grundie]

While I was doing my CS degree I spent my placement year at a small data mining software company. Once we got a request from marketing company based in Estonia asking if we could clean some 'addresses', as their cutomers had a tendancy to deliberately mis-spell their addresses. We found their attempts to hide the company background and extent of their business odd especially the ordinary ISP email address (not their own domain), but never thought any more about it. We asked them for a sample data set of these 'addresses' so we knew what we were dealing with, initially they did not want to hand them over after a while we said if you don't show us the data we are unable to tender for the work. What arrived was a text files containing email addresses along the lines of:
someone@REMOVETHISdomain.com
me@SPAMOFFhost. com
NOSPAMme@isp.net etc.

Suffice to say we did not tender for the work. What worried me was the fact that they were willing to pay good money (arounf 5,000 sterling) to extract maybe 250,000 email addresses, this goes to show there must be a good incentive to do all this spamming.

Re:They ain't that stupid...

[Tackhead]

> Often I see it encoded, such as /image.png?5f7a97d66d9aec0e1582c15578ac5815. I think they know otherwise I can do this, by hand:
>GET /image.png?uselessaddr1@hotmail.com

That's when you reverse-engineer the URL. If it's for beastiality or incest pr0n (yeah, we all know what Dallas-Ft. Worth spammer I'm talking about), you then punch in some URLs that "validate" some addresses at fbi.gov ;-)

Yep, make them pay

[bleeeeck]

and any earnings they do make won't come close to paying their bandwidth or phone bills.

You can usually make the top 10 spammers on this list pay between $1 and $10 by clicking their link.

On AT&T cell phone too...

[2Bits]

The cell phone that my company provided us has the service from AT&T (that would not be my first choice if I could choose). And I received all kinds of spam pages on the phone every week (it's not as crazy as email spam, but still...)

Some of them are from AT&T itself (I really can't understand why they spam their own already-service-subscribing customers!). Otheres are from who-knows-whom. Some with messages like "Call this number to make more money", or "Call this number for a free home loan consulting", or some idiotic messages like that.

Re:spider traps, Elcomsoft and SPAM

[Alioth]

Hmmm. Some of you may be interested to know that our favorite "cause celebre" company, Elcomsoft, sells spamming software.

Their spam-software site is here. Scroll down to the bottom to see the (c) Elcomsoft.

Of course, the Slashdot editors rejected this story :-)

about legislation

[clarkie.mg]

As many posters wrote, many UCBE emails come from servers outside US and EU, so I don't see how a legislation could help for those cases.

That doesn't mean nothing can be done, but no solution will make spam disappear instantly.

Re:spider traps, Elcomsoft and SPAM

[nathanm]

That's been common knowledge on /. almost since Dmitry got arrested. Most of the comments were along the lines of: yeah, spammers suck, but getting arrested for talking about Adobe's poor encryption is criminal.

Spam filtering -- dictionary based effort?

[swb]

I'm far from a sophisticated programmer, but I can bang out the odd script in Perl and I use procmail.

I've been actually collecting Spam for an idea that I have -- Spam can be identified by the subject matter based upon the vocabulary. This weekend I hacked out a script that goes through a spam mbox and builds an index of words and two-word phrases.

I ran it against my main inbox and it generated an entirely different vocabulary than the one generated by my spam mailbox. This leads me to believe that a new mail message could be judged by subject alone to see if contained a lot of spam vocabulary, and if it did its words could get added to the dictionary.

The virtue of this is that its self-learning -- the more you get, the better it gets at finding them since the spam vocabularly gets even better defined.

Of course, I haven't worked out the scheme for matching new mail against the dictionary yet (either in a logical sense or an implementation sense), so it may prove much harder than it seems -- but the fact that Spam is spottable in the subject by me just reading it vs normal mail shows me that the vocabulary is significant.

It might have been but...

[Colin+Smith]

Who says you have to checksum the entire body of the message?

You can pick bits of the messages to checksum, say the 5th to the 10th from last line. Exactly the bits the spammer wants you to read.

Re:spider traps, Elcomsoft and SPAM

[cyberformer]

Dmitry didn't write the spam software. He simply worked for the company part-time, doing something entirely unrelated.

It isn't really fair to blame interns who happen to work for [insert name of evil corporation] for the company's possibly unethical behaviour. I doubt that many people here agree with everything their employer's does. (I know I disagree with my employer's decision not to promote me and give me a big fat pay rise...)

Spam Assassin - without a doubt the BEST

[helloRockview]

A group of colleagues and I have had an email server of our own for almost 7 years now and have always had the same email addresses. Between years of USENET post and webpages with our email addresses on the, our SPAM intake got out of control. In a sampling taken in October of last year, we were getting about 350 pieces of SPAM per day between only *4* people with account on the box.

We had previously tried a number of anti-spam solutions, including combinations of RBL, ORBS, locally-maintained blacklists and lots of Sendmail hacks.

We had very little luck until November, when we implemented Spam Assassin on all of our mailboxes. After turning on Spam Assassin, the SPAM seemed to just go away. In the first day alone, we caught over 300 pieces of SPAM with ZERO false-positives with less than 10 pieces of junk making it through to the end user's mailbox. The program is, simply put, amazing.

It's multi-faceted approach works very well. It uses a combination of simple logical string checking, in addition to things like distributed databases like RBL and Razor.

The program can also place SPAM's in a dedicated mailbox file so you can see what got rejected. Each piece of rejected mail contains a report that includes the reasons that contributed to the rejection. Each reason has a weighted value that contributes to the final "good" or "bad" disposition. All of this is highly customizeable, but it does work very well out of the box without any tinkering.

I highly recommend this program. Take the time to sit down and install it on your mail server.

I do similar but it can be even more effective.

[Colin+Smith]

Typically the aliases point to my account, but as soon as they abuse the address and start spamming, and most do, I repoint the alias to my Razor trollbox.

Spam's gone from my box and anyone else using Razor is also protected.

Re:Checksums are fine and dandy until..

[Colin+Smith]

Remember that the spam still has to be readable to the end users so they can't chuck in random garbage all over the place.

The checksum routines can pick parts of a message to checksum, they don't have to do the whole thing, say the 5th and 25th lines of the message so the spammer will have to generate changes all over the whole file.

The modified spam will end up in the checksum database just like the original spam. The end users will be just as protected.

The checksum database is transient, the checksums age and are removed.

What the spammer actually has to do is clean up his mailing lists and remove the poison addresses. Otherwise every time he hits one, the rest of his mail run is wasted, but this means hard work and checking harvested addresses individually. And they have to continue checking them as they harvest them.

I don't care as long as I don't get the mails

[Colin+Smith]

Seriously, I don't particularly care about the bandwidth as long as the mails don't get to my mailbox.

Re:I don't care as long as I don't get the mails

[NiftyNews]

Yeah, but guess who's router is in the middle of all that transmission?

The one you get your Email and HTTP off of, slowing down your performance slightly as well.

Um, nope

[Colin+Smith]

You're assuming that they checksum the entire message. No need to do that.

telemarketing tricks

[Rev.LoveJoy]

Don't waste your time on the phone and don't allow your anger to get the better of you. Do something quick and constructive as outlined in the Telephone Consumer Protection Act.

The page you want to read is Junkbusters Telemarketing Headlines.

A quick how-to to reduce the amount of telemarketing calls you receive. Yes, I have followed these steps. Yes, over time (say, 90 days) they work.

Cheers,
-- RLJ

Locks and Rocks

[fm6]

A rock will let you enter a locked car, but you still lock your car.

Depends on where you park it. Where I live, thieves are nervous about making noise. But some people who live in rough neighborhoods think more in terms of replacing broken windows, and leave their cars conspicuously unlocked.

A filter doesn't need to be 100% effective to be useful...

I don't know about you, but I find non-100% spam filters worse than useless. It's not just that they let some spam through -- I can live with that. But I also need to see all the email that I don't consider spam. These include various mass mailings that I opted into, or that are from product support people or others that I need to hear from.

Yeah, I can tweak the filtering rules -- if my provider will let me. That's still gonna block important email, like when I don't know the exact return address in advance.

Re:Locks and Rocks

[AnotherBlackHat]

I don't know about you, but I find non-100% spam filters worse than useless. It's not just that they let some spam through -- I can live with that. But I also need to see all the email that I don't consider spam.

I too consider false positives (claiming something is spam that isn't) much worse than false negatives (letting spam through).
I assume almost everyone does.

Checksumming, when done right, has an extremely low false positive rate (near 0) which makes it useful in my opinion even if the false negative rate is 90%.

-- This is not a .sig

Re:Locks and Rocks

[fm6]

Checksumming, when done right, has an extremely low false positive rate (near 0) which makes it useful in my opinion even if the false negative rate is 90%.

Well, a service provider might consider a filter worthwhile if it cuts the spam traffic by 10%. An individual user would want a lot more.

"Close to zero" is pretty vague. How close? We're talking log scale here. I get maybe 10,000 emails a year. Missing more than one of these because of a spam filter false positive would be unacceptable.

Even that one makes me nervous. Murphy's law dictates that that's the one I'll regret missing. That's what makes me wary of spam filtering. I'd much prefer to see an approach based on improved sender identification.

Re:Locks and Rocks

[cduffy]

Whatever that one is you'd miss would near-certainly be non-unique (ie. a mailing list message that somehow was misclassified as spam). The only other cause is a hash collision, and for a suitably long hash those are tremendously unlikely. For a 128-bit perfect hash, one could have (say) 16 million spams in the database and the chance of a false collision would be one in one in about 2.0*10^32 (for 2**24 spams in the database, the chance of a collision would be 1 in 20282409603651670423947251286016). That's pretty friggin' big.

Re:Web Applications that Require Confirmation

[Tony+Hoyle]

No need for multiple accounts, just use '+' instead...

spam+real@you.com
spam+ebay@you.com
etc...

All get delivered to spam@you.com, but you can check the 'from' to find out who doesn't get your business any more.

telemarketers was:Re:Since the dot.bomb happend

[fanatic]

My father's trick:

You say: "Yes that sounds interesting ... Ooops, someone's at the door, hold on..." and then you put the phone down on the table and go back to what you were doing. 5-10 minutes later, go back and hang up the phone.

Spider traps good with Teergrubes IF coordinated

[billstewart]

Teergrube is a category of systems designed to "accept" mail from spammers, v e r y s l o w l y , and some of the implementations are designed to hold 10 connections from spammers open simultaneously (you could do a lot more.) Some of them can be run on machines with working SMTP servers, others are a substitute for a SMTP server that you run on some spare machine. If you know who's sending you mail, you can do a variety of things, ranging from notifying your real machine not to accept email from the spammer's IP address, simply holding the connection open (if enough people do that, the spammer's stuck waiting for timeouts instead of sending spam), submitting their address to block lists, or robo-generating complaints to the spammer's ISP, to doing mean nasty ugly things that probably violate your ISP's AUP. Some of the programs (see Raphael's posting encode the IP address of the harvester in the bogus addresses, which is nice for tracking down the real culprits as opposed to just blocking some open relay in Korea.

Spider traps are good at handing out bogus email addresses. If some of those addresses belong to teergrube machines, anybody who harvests them and then uses them to send spam to the "users" gets stuck in the tar pit for a while. If you're only doing that for your own machines, that's nice, and slows down the amount of spam you get from a given spammer, and maybe lets you track them down, but it's a pretty unfocused attack. The way to make these things really effective is to coordinate a bunch of honeypots with a bunch of spider traps, so a spammer gets totally mired down in a few hundred honeypots at once instead of just one or two. Is anybody running a project like this?

Running a network of honeypots properly isn't trivial - it helps to keep the list of cooperating honeypots semi-private, because otherwise spamware vendors will start avoiding them, and you need to make sure that every machine on your honeypot list *is* really a honeypot, and not some poor sucker's machine that's suddenly DDOS's by tons of spam because 500 Sugarplums are handing out his address to spammers. If you're going to automate this sort of thing, you should probably require at least confirmation-mail from postmaster@targetdomain.org or possibly a digital signature. One convenient method for coordinating it could be an IRC channel or similar IM server, though you could just use email. An entertaining technique to use would be to have the bogus addresses all belong to domains that you control the MX records for, so you can use DNS to load-balance the spam among machines that have spare cycles for teergrubing (e.g. spammer asks for bogus1.bogusdomain.com, bogus2.widgets.org, bogus3.slashdot.org, etc.) Too bad Napster's dead - most machines running Napster were clients that didn't run their own Port 25 SMTP services, so adding teergrube features to Napster clients wouldn't have interfered with real email, wouldn't have added much bandwidth because it doesn't actually accept messages very fast, and would have made the Napster folks anti-spamming heros. Any other Peer-to-Peer services such as ICQ/Jabber/etc or for that matter IRC clients want to jump in?

Legal, Feasible, Safe things to do to spammers

[billstewart]

There are lots of mean nasty ugly things you could do to incoming spammers you catch with address bait, but shouldn't, for a variety of reasons that are ethical as well as self-protective. The most critical one is that somebody who knows you run a honeypot on your machine can fake email from you to a victim, causing them or their machine to send email to one of your boobytrapped addresses, tricking you into attacking them, which is bad for both of you. You really don't want to do that.... especially once spammers find out you're running an attack machine, because some of them will try to get revenge - especially if lots of people are running them.

But there are still entertaining things you can do that are within the bounds of propriety, legality, and sometimes even good taste.

• You can trace the IP addresses of the spammers, and traceroute to find their ISPs. You can autogenerate complaints, though it's probably worth waiting until you have a couple of messages to be sure it's not just a misdirected email message (or you can hand-inspect them to be sure they're really spam.)
• You can block all email from their IP addresses to your real users - especially convenient if you're running your spam-trapping on the same machine as your real email, or at least on a cooperating machine. (Be careful, and you may want to whitelist some machines, such as big email providers, and return good error messages so that any mail from real people can be resent using some other method or simply at a different time.)
• You can run Teergrube which doesn't do anything destructive to the spammer, but responds v.... e..... r.... y.... s.... l.... o..... w..... l.... y.... , tying up resources that could otherwise be used to annoy other people.
• You can run open relay checks on their machines - even though the RBLs of the world have cut down on real providers allowing open relays, there are lots of misconfigured open relay machines that spammers abuse. You can send them to the RBL people so they get cut off, but you can also quickly cut them off from your real email servers.
• If the machine does have an open relay, and you've got a few thousand close friends running teergrube, you could use the relay to drop each of them a note. Do be careful not to cause infinite loops when you do this, though... Exponential growth is easier to cause than to recover from, and you don't want to shut down all the teergrubes you know.
• (Also, be careful not to engage in defensive action for every message from a given source - you only need to traceroute and relay-check a given address once....)
• Spam from China gets the additional letter to the spammer and also the ISP about "Dear Postmaster@btamail.net.cn, I'm having trouble reaching your subscriber AmyWilson@btamail.net.cn. Please let her know that the arms shipment will arrive next Thursday. Long live Falun Gong!" :-)
  

False Positives vs. political/legislative solution

[billstewart]

Suppose you get email saying

From: clueless-open-relay@btamail.net.cn
Subject: Make Money Fast

Send your $31337 to Not-networkguru@Not-sloop.net
and I'll pay you 50% interest by Tuesday if you follow my 31337 PlanZ.

followed by the payment address for Not-networkguru@Not-sloop.net. Your proposed legislative solution, while well-meaning, makes it easy to cause lots of problems for someone by forging spam from them - a few hundred thousand emails from that cybercafe near their house through an open mail relay in Korea leading to a few thousand people each going to their nearest small claims court to collect their $200 nearly-automatic bounty, and most of them costing money to contest in court, especially in courts not near the framed-non-spammer's home. Big companies have an easier time defending themselves against this than individuals, but many anti-spam activists are good targets. And defending yourself means subpoenaing that open relay in Korea, and the ISPs supporting that relay - it just isn't practical.

Meanwhile, arranging payment is simply not hard. The most convenient payment mechanisms are credit cards and paypal, and sometimes you can get those providers to block payments to the spammer, but it's usually difficult to block *everything* - at best you can block the payments that *you* made to them. So they probably collect at least some money through their storefront check cashing / money laundering store in Taiwan, and *you* can't trace them easily.

The legislative problems that are easier to solve are the anti-hacking laws, which make it somewhat harder to track down spammers and much harder to stop them. While obviously you don't want some cracker to break into your machine, send themselves backdated spam claiming to be from you, and use that as their get-out-of-jail-free card, there may still be some middle ground that makes self-defense actions legal.

How much information do Overture's customers get?

[billstewart]

On the surface, that looks like fun - Overture's customers bid for how much they'll pay per click-through, all of them get listed on Overture's own search engine, and the top three bidders get listed on the commercial search engines. Overture's site says they do carefully tuned techniques to prevent multiple clickthroughs by the same person (they've figured out that attack already), but that doesn't prevent single clickthroughs from a quarter million slashdot users, and that'd be a fun and community-minded thing to do.

My question, though, is how much information their customers get from my click-through. I assume that the long ugly URLs they generate encode the search terms, and maybe my IP address, and that their customers' web pages will use their favorite combinations of cookies, web bugs, and other images to find out more. But can they get my email address? If I'm checking out most sites that advertise there, I'm not too worried, but obviously clicking through to a spammer's web page has some inherent dangers. Should I be checking them out using the anonymizer, or is it ok to use my work network connection, which goes through a load-balancer-selected proxy server which probably looks a bit less like me?

It's somewhat amusing when spammers leaves holes

[caferace]

highspeedmailer.com HAS to be one of the worst cuplrits out there. Amusingly enough, they leave web-based spam stats on their mail gateways open to the public.

mailer1
mailer2
....etc. I stopped at looking at mailer10. Nice of them to show off their spamming efforts, I suppose. It'd be even nicer if their upstream provider would pay some damn attention to complaints.

Professional vs. Newbie spammers.

[billstewart]

Some spammers are professionals - they've figured out how to get enough responses to continue making money. Sometimes that's Ponzi schemes, sometimes it's porn spam, but often it's selling Spamware Kits to newbie spammers who think that they too can Make Money Fast. Newbie spammers are like the dumber end of script kiddies - they're going to run whatever formulas their spamware kits give them and then be disappointed that they didn't Make Money Fast, unless they actually happened to do so, but they're not doing any scientific measurement about what's going on. The important thing for them is to make their scam fail and hope they drop out, disappointed that their several-hundred-dollar investment flopped. Ideally, it's nice to also scare them off and have their ISP charge them a hefty Throwing-Spammers-Out fee and inflated lawyers' costs so they go away and never come back again and tell all their remaining friends how bummed they were, but it doesn't matter much.

The harder problems are professional spammers, and spamware kit makers. Professionals do some level of measurement, and busting their numbers is important. If they think they've used up their supply of 42 million email addresses and 14000 open relays, great. If you're doing a fake open relay, you want them to think it's succeeding, so they keep using it instead of stopping, though that may not be very effective if they're doing good measurement (e.g. sending a mixture of test addresses along with spam victims.) But they're especially the ones you want to kill off, hunt down, and feed to wolves.

And then there are the spamware vendors. You want them to *think* their warez work, so they can be completely hosed without knowing it, but if you can get the spammers who buy their product to sue them for selling defective spamware, that'd be fun too :-)

Can you set up your honeypot to detect spamware versions, and post to Usenet alt.make.money.fast and freebie web pages about how terribly disappointed you are that Spambozo 3.2 didn't work for you and was eaten alive by anti-spammers and caused your PC to halt and catch fire, your girlfriend to leave you, and your dog to run away from home? (Surely you can find some way to promote that on a search engine? :-) Some of the products include self-promotion in their email headers, but by now probably most of them have figured out that it's an easy target for filters.

Pobox.com marks suspected Spam in Subject:

[billstewart]

I use pobox.com as a mail forwarding service, so mail to myname@pobox.com gets forwarded to my current ISP. One of their spam handling services is to mark suspected spam with a rating
Subject: [ spam 7.43/10.00 -- pobox.com ] original subject
if it exceeds whatever threshhold you set. They've gotten better - a large amount of my obvious spam gets marked 10.00/10.00, and I've seen so few false positives with that rating that I'm now discarding the 10's automatically. Lower ratings are sometimes wrong, especially for mail that someone's forwarded to a real mailing list I'm on, especially if the mailing list messages have a how-to-unsubscribe footer, but probably 95% of the stuff that's tagged as some kind of spam is spam, and the 10s are all spam.

Also, as an ISP, you usually know addresses at your site that aren't real users (but might be from spambait you've left around), and can safely discard any email messages matching those messages and those IP addresses.

Doesn't need legislation

[billstewart]

You can implement it in software - set up mail filters so mail from bogus domains gets bounced. if you don't want to do it yourself (either to avoid the configuration and maintenance, or to get the spam tossed on your server instead of after downloading), find an ISP or email filtering/forwarding service that will. Pobox.com does a good job of spam-filtering, and a number of ISPs have various aggressive options, and then there are the spamcops and brightmails of the world that run services.

Important missing information

[darkonc]

The article pointed to forgot to mention that one thing you need to do is make sure to set the Queue Load Average to 0.
# load average at which we just queue messages
O QueueLA=0 on in the .cf file, or '-OQueueLA=0' on the command line. If you don't do this, sendmail will (usually) not queue your email and you WILL be an active open relay.
This can also be set in an mc file as:
define(`confQUEUE_LA', `0')dnl
(For RedHat users -- remember to delete the leading dnl if you start with the redhat.mc file).

One .mc configuration snipit that might be usefull would be:

define(`confTO_QUEUEWARN', `4000h')dnl
define(`confTO_QUEUERETURN', `5000d')dnl
define(`confQUEUE_LA', `0')dnl
define(`SMART_HOST', `nohost.nosuch.domain')dnl
define(`QUEUE_DIR',`/var/spool/devnull')dnl
define(`confDAEMON_OPTIONS',`addr=external.inter fa ce.ip.addr');

This'll mean that you won't be generating (useless) non-delivery messages for email (spam) less than 10 years old, and any attempt to forward queued spam with an ETRN will fail. It also puts this outoging mail in a segregated queue directory.
for the last define line, 'external.interface.ip' should be replaced with the IP address of the interface where you'll be running the honeypot.

If you put this into a new mc file (say honeypot.mc), and use it to build honeypot.cf, then you can run a spare sendmail that only accepts network connections... (and trashes them)

/usr/honeypot/sendmail -bd -C/etc/honeypot.cf -ODaemonPortPotions=Addr=$external_IP_address

This does, however, run into one reall nasty bug in the sendmail config... The sendmail.pid filename is hardwired into sendmail... (that's why I use the path /usr/honeypot/sendmail). You have to recompile (or patch) the sendmail binary so that it doesn't use /var/run/sendmail.pid).

According to the sendmail book, this is done with
ENVDEF = -D_PATH_SENDMAILPID=\"/var/spool/honeymail.pid\" in the makefile.

(guh!)
(( You can, of course, always do a hot patch to the binary ))

Re:Important missing information

[darkonc]

OK: Hre's a patch that should change sendmail.pid to honeypot.pid.. put the output in a file in your path and make it executable....

# By Stephen Samuel (samuel at bcgreen dot con )
# Reads from standin, writes to standout
# (will need to change permissions on the output)
# changes string $original to $replace
# sendmail.pid -> honeypot.pid
# Note: strings need to be the same length.
# (null padding should work)

$original="/var/run/sendmail.pid";
$replace ="/var/run/honeypot.pid";

die "strings are not the same length\n" if ( length($original) != ($replen = length ($replace)) );

(binmode STDIN )|| die "binmode ARGV failed";
(binmode STDOUT) || die "binmode STDOUT failed";

while( ( $len=read(STDIN,$segment,1024)) >0) {
$line .= $segment;

$line =~ s/$original/$replace/g;

# keep enough of the line to handle a string broken over input blocks.
$output=substr($line, 0, 1-$replen );
substr($line, 0, 1-$replen ) = '';

print $output;

}
print $line;

Re:False Positives vs. political/legislative solut

[GSloop]

How about a "test" for actually receiving funds in said account or method for any spam?

If you havn't received any spam funds, it shouldn't be too hard to prove, and thus would exempt you from the judgement.

There are some difficulties, but I do think, that in most cases, the link from spam to advertising to actual revenue should be fairly easy to prove or disprove.

Lets try this on for size...

Take your example from above. I get sued. I provide documentation showing the court (not the plaintiff) that revenue in my account is from other transactions unrelated to spam. (This keeps my privacy intact, as the hostile plaintiff doesn't get this material) The plaintiff then has to go another step to prove I'm the spammer. They would be left to subpoena the Korean relay.

Could this work? How about some refinement... It does presume some level of guilt until proven innocent, but this is civil not criminal, so that could work at least in a constitutional sense.

Someone with more knowledge of banking laws could tell you more, but I believe that most companies operating here in the US - i.e. doing business probably have a bank account here to bring funds into, then the funds are swept to the home country account... No?

Cheers!