The Story of "Nadine"
Guinnessy writes: "We've all accidentally typed in a wrong email address sooner or later. But can it all go horribly wrong? On http://www.spamresource.com there is the story of Nadine, an account of what happened after an Internet user accidentally gave a wrong email address when she visited a web page and signed up for a sweepstakes. Live in fear...."
http://www.honet.com/nadine/
Apparently the story is about a slashdotted webserver...
We've all accidentally typed in a wrong email address sooner or later.
Classic Slashdot grammar!
Several years ago, I made a typo in my email address when I was updating the contact info for a domain name. Without double-checking I sent the confirmation back to InterNIC. It wasn't till the next day that I realized the mistake. In order to get things back under control, I actually had to register the typoed version of my domain name, so that I could receive InterNIC's mail there.
:)
It's the kind of expensive mistake you only make once!
I kept the typo'd domain for esoteric value, and yes, I now get plenty of spam there. Some things never change.
What you say?!?
Come on, give it up, that's
That also prevents your email address from being maliciously signed up to these sorts of lists, so it's the sort of thing every reputable mailing list should do.
Of course, no spammer is going to bother with confirmed opt-in, so we need to go after ISPs that allow these non-confirmed lists to remain on their net-space.
--
--
I have taken more out of alcohol than alcohol has taken out of me - Churchill
Nadine -- The Story Begins
Once upon a time, there was a senior citizen in one of the Southeastern United States who was apparently confused about what her email address was. Because I have no desire to cause this lady the slightest inconvenience, I will call her "Nadine", which is not her real name. I'm also going to change her surname to "Smith", which is likewise false. (NOTE: Because I have no desire to avoid inconveniencing any of the other players in this tale, hers is the only identity that has been altered in any way.)
On or about the second day of March in the year 2000, Nadine visited a web site belonging to an outfit called delivere.com. While there she apparently entered a sweepstakes, gave delivere.com some personal information and (I presume) agreed to receive email advertisements from various parties from time to time. The email address she gave them consisted of her first name and the domain honet.com. What the actual email address should have been is something about which I can only speculate.
To confirm (to Nadine) that she had signed up, delivere.com sent a message to nadine@honet.com. (This was the First Big Mistake: the message should have asked the real owner of "nadine@honet.com" to confirm that the sign-up was genuine.) A semi-automated process at honet.com noticed the message and sent a "No such user" message to the appropriate addresses (at least one of which was bogus). Normally, that is all it takes to stop any further traffic. Such was not to be the case here, however.
We had to destroy the sig to save the sig.
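The confirmed opt-in that the comments above ask for, and that the quoted story says delivere.com should have used, can be sketched as follows. This is an added example, not code from the thread or from any list software; the secret, the three-day expiry and the `MailingList` class are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-example-key"  # assumption: server-side secret, never mailed out
TTL = 3 * 24 * 3600                  # assumption: confirmation links expire after 3 days


def _mac(list_id, address, issued):
    # Bind the token to one list, one address and one issue time.
    msg = f"{list_id}\n{address}\n{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(list_id, address, now):
    return f"{int(now)}.{_mac(list_id, address, int(now))}"


def token_ok(list_id, address, token, now):
    issued_s, _, sig = token.partition(".")
    try:
        issued = int(issued_s)
    except ValueError:
        return False
    if not 0 <= now - issued <= TTL:
        return False  # expired, or issued "in the future"
    expected = _mac(list_id, address, issued)
    return hmac.compare_digest(sig.encode(), expected.encode())


class MailingList:
    def __init__(self, list_id):
        self.list_id = list_id
        self.pending = set()      # typed into the form, not yet confirmed
        self.subscribers = set()  # confirmed by the mailbox owner
        self.suppressed = set()   # bounced: never mail again
        self.outbox = []          # (recipient, kind, payload) stands in for SMTP

    def signup(self, address, now=None):
        now = time.time() if now is None else now
        address = address.strip().lower()
        if address in self.pending | self.subscribers | self.suppressed:
            return  # at most one unsolicited message per address, ever
        self.pending.add(address)
        token = make_token(self.list_id, address, now)
        self.outbox.append((address, "confirm", token))

    def confirm(self, address, token, now=None):
        now = time.time() if now is None else now
        address = address.strip().lower()
        if address in self.pending and token_ok(self.list_id, address, token, now):
            self.pending.discard(address)
            self.subscribers.add(address)
            return True
        return False

    def bounce(self, address):
        # A "No such user" reply ends all traffic to that address.
        address = address.strip().lower()
        self.pending.discard(address)
        self.subscribers.discard(address)
        self.suppressed.add(address)

    def send_campaign(self, subject):
        for address in sorted(self.subscribers):
            self.outbox.append((address, "campaign", subject))


if __name__ == "__main__":
    lst = MailingList("sweepstakes")
    lst.signup("nadine@honet.com", now=1000)  # the mistyped address
    lst.bounce("nadine@honet.com")            # honet.com answers "No such user"
    lst.send_campaign("You may already be a winner")
    print(lst.outbox)                         # only the single confirmation request
```

Because only the owner of the mailbox ever sees the token, a mistyped or maliciously entered address receives one confirmation request and nothing more.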
Let's start slashdotting spammers!
Read it off the Google cache
(Note to people accusing me of karma-whoring: The search formatting above is non-obvious)
Sig: What Happened To The Censorware Project (censorware.org)
A bit OT but...
If you made a mistake in your contact info, you could've rectified the problem by voice phone and fax. That's what I did when the contact info for a domain I registered had to be updated because the email was an expired domain for a now-defunct company. Network Solutions had surprisingly good customer service and once they verify the credentials via fax (or even snail-mail) they will make any changes required without the use of email.
That way seems low-tech and backwards, but you don't need to register an otherwise useless domain and it costs nothing more than your time (certainly not much more than the trouble of registering a domain and setting up the DNS).
Us techie types should be careful not to overlook the most simple solution because it is low tech...
OTOH, the useless domain could be useful to keep track of how many OTHER people make that typo...kinda like the Slashdor site...
Perhaps I'm confused (or maybe it is because I got bored and only read 10 of the many links on that page), BUT, I don't find the story of Nadine all that unique or interesting. I get piles of spam everyday and I haven't opted-in to anything. My most spammed address gets over 100 messages a day.
In my experience, trying to follow up or research these spammers is generally a useless waste of time. Bounce them, sue them or further change the law. Doing more is just going to frustrate yourself, IMO. Remember when you call around and get put on hold and follow the paper/isp trail you are wasting a lot more of your time than theirs.
-Sean
Sign up for a Yahoo email address and use that address when signing up for anything. Don't most people do this? I know I do and it keeps my real address relatively clean where my "sign up" address gets hundreds of emails a week.
The real point of the Nadine story is demonstrating how spammers are reselling and distributing spam lists.
Some of the spammers hitting Nadine's Email address are trying to act as responsible members of the bulk emailing industry, while at the same time blatantly violating online privacy policies (their own, and their list suppliers') left and right.
The point of the story is to point out how effective "industry self regulation" really is.
Proletariat of the world, unite to kill spammers
In Soviet Russia, I ruled you
You mean, like SPEWS? http://www.spews.org
I am not SPEWS.
Specialization is for insects. - R.A.H.
It's not perfect, but Spamassassin is pretty damn close.
I'm using spamcop.net and it's cut down on my spam by about 85%. Cost is $30/year for having your email filtered. Some spam (15%) still gets through but you can submit that to them to ensure others don't get the same spam as well.
(I have no affiliation with spamcop.net except as a satisfied customer.)
Sure, some of it could be from spammers sharing addresses and lists, but some of it might not be.
Free Mac Mini
I purposely have done this.
See, I signed up for a hotmail in its early stages ('97). I used it for everything, including online purchasing, friends, family, you name it. At some point something happened-- one of the forms I filled out, or someone sold my name, and I started to get mail addressed to my real name, at that address. This semi-scared me.
So recently I went to cancel the account. Hotmail by default will consider your account "cancelled" after inactivity of 90 days. I cannot click something that says "Forever, never use this e-mail". My fear is that others will get this e-mail after I have cancelled it, and they will see my real name.
The best solution I have come up with is to fight fire-with-fire. I now sign up for every mailing list I can, each with a different real name. I now belong to over 400 mailing lists (including /.), some legit commercial businesses, some obvious spam. The mailbox fills up roughly every 30 hours. I plan to continue this for a few months, until it will be impossible to distinguish my real name from the fake names. Whoever picks up the account next will be in for a treat as they open their account and start getting thousands of messages a day, random names, and all.
It's so sad it's come to this.
I have a domain that's ONE LETTER OFF from Yahoo. (Well, it has one extra letter).
Very often, wise-asses mutate their email addresses when posting to USENET with this additional letter, thinking they've stopped their spam. They haven't. *I* get it.
Of course, I don't see 99% of it--it's thrown in the bit bucket. However it is disturbing how much I get. Not only from email address grazers on USENET, but from people who use fake email address--often in my near-miss domain, and sites that gladly add it to their mailing list without a confirming email. Some of these are otherwise "reputable" companies, too. (This is so they can claim they have 4 billion registered users--easy to do if you don't verify!)
--
Ask the Ya-Hoot Oracle Anything!
Years ago, I registered the email account crawdaddy*AT*hotmail*DOT*com. Since then, several other "crawdaddy" accounts have been opened on hotmail. Many of these people forget to tell their friends/services they're signing up with that there is a number that follows their name, ie. crawdaddy69@hotmail.com. I have gotten several misdirected emails, including personal invitations to join someone on a trip, details of someone's personal life, two very detailed accounts of someone's sexual exploits, and one highly suspicious email that indicated something very illegal and fraudulent was going on somewhere and that the "crawdaddy" that should have received it is involved somehow. Of course, I also get exponentially more spam on this account that I do on any other account that myself or my friends have had for the same period of time. I now check my inbox twice a day just to clean out spam so that my hotmail account isn't temporarily disabled because it's reached its limit!
Makes you wonder just how many *millions* of trash email addresses and fake names are in many databases that collect info from web forms.
How often does a person enter false info because one *has* to to download, proceed, etc.
- Post "test" posts to a few newsgroups, I suggest alt.test and alt.business.multi-level, using your new spamtrap address as the From and Reply-To address. (Technically, test posts are not appropriate in alt.business.multi-level, but if you want a fast track to spam, that's the place to go.)
- Visit the "remove" links in spam you already get at your existing mailboxes, and type your spamtrap address into the remove box. If you have the time or patience, you can do the same thing with spam which contains a remove address instead of a link; send remove requests from your spamtrap. Removal is spammerspeak for opting in, so this will grow your spam collection quickly.
- Embed a mailto link to your spamtrap address on a couple of webpages you control. Make the mailto visible only to web-scraping robots by linking to a 1x1 pixel black image file in place of a period on your page; human viewers will see it as a period, harvesting programs will see it as fresh meat.
Whatever you do, don't give your spamtrap address to anyone for legitimate email, and don't sign up for anything using that address. If you follow those two guidelines, every single message that mailbox receives is guaranteed to be spam. This will give you the ability to archive, auto-report, etc. the incoming mail without fear of false positives.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Better. I collect spammer phone numbers. Anybody want a copy of my list ?
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
The thing that I find amazing is that these spammers are flat out lying. They claim that fictitious entities "opt in" when they clearly could not have done so. Doesn't this constitute some kind of fraud? Is there no legal recourse?
"Your superior intellect is no match for our puny weapons!"
Now, if you really want to impress us, come up with a search that returns all pages in the correct order.
:)
- DoubleClick
- Direct Marketing Association of America
- Open Relays
And remember. If you give porn sites your email address, the spammers have already won.
-- Ken Kinder ken@_nospam_kenkinder.com http://kenkinder.com/
I prefer nemo@hotmail.com
I doubt that anyone would actually be silly enough to use that address for real, even if their name WAS nemo. Sometimes that character says his name is Odysus, or Odeysus (or some other variation).
I think we've pushed this "anyone can grow up to be president" thing too far.
That was the biggest Karma whoring I've ever seen. Not necessarily a BAD thing, but something that shouldn't be modded up to +5 informative/ interesting on EVERY post. +3 is fine, but more than that is the guy beating the system. Good idea though.
No sig for you.
Yes, it's true -- the very single-opt-in mailing lists that are used by spammers can be used to fight back.
Spam Can Be Fun
Whenever I am asked for an email address from a non-reputable site, I simply give a fake one such as wigglebroggle@frogtoggle.com. My friends do the same thing, except they always do randomaddress@hotmail.com. I know a lot of people who do that. Hotmail must be swamped with invalid emails... Also, I bet some of the "fake" addresses turn out to be real and some poor people start getting spam they don't deserve. "Accidentally" type the wrong address...ha!
Please, don't pull domain names out of a hat. There is an official fake address that you can use:
me@privacy.net
See their website for more info.
A friend of mine runs a domain that happens to be used a lot by people who think they enter a non-existent domain, and it's driving him nuts. Well, there is some amusement value in noticing how many variations people come up with, but still...
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
my employer owns sackmail.com ... for some reason we have been getting a lot of spam to lickmyhairynuts@sackmail.com.
But why doesn't someone do this deliberately? That is, create a domain for the sole purpose of receiving spam only, and automating a banned email list to other servers.
[Details on how to set up the TRAP deleted.]
That answers the first part of the question...
But how about the second part? Is there an existing tool to automate the conversion of the collected spam-trap mail into denials of future mail deliveries (and perhaps also to purging of still-enqueued letters to real addresses earlier in their mailing list order)?
Better yet: It could also modify the behavior of the SMTP server so it spawns a (limited number of) "sticky TCP connection" child process to hang the spammer's bulk-mailing tool. Deploy a bunch of these puppies around the net and spamming becomes impractical once the spammer's mailing list has acquired a few addresses on spam-trapping sites.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
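One way to do the conversion asked about above, turning mail collected at spamtrap addresses into delivery denials, is sketched below. It is an added example, not a tool mentioned in the thread; the host names, trap addresses, sample messages, the Postfix-style `Received:` and `Delivered-To:` headers and the `pattern REJECT text` output shape are all assumptions.

```python
import email
import ipaddress
import re
from collections import defaultdict

OUR_MX = "mx.trap.example"  # assumption: name our own MX writes into Received
TRAPS = {"jane.doe@trap.example", "sales@trap.example"}  # constructed trap addresses
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # constructed: our relays, never listed

# Postfix-style top hop: "from <helo> (<rdns> [<peer ip>]) by <our mx> ..."
# The HELO name is sender-controlled, so only the parenthesised peer IP is used.
TOP_HOP = re.compile(
    r"from\s+\S+\s+\(\S+\s+\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)\s+by\s+(\S+)", re.I)


def connecting_ip(msg):
    """Peer IP recorded by our own MX, or None if it cannot be trusted."""
    hops = msg.get_all("Received", [])
    if not hops:
        return None
    # Only the topmost header was written by us; everything below can be forged.
    m = TOP_HOP.match(" ".join(hops[0].split()))
    if not m or m.group(2).lower() != OUR_MX:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None
    if ip.is_loopback or any(ip in net for net in OWN_NETS):
        return None
    return ip


def build_denylist(raw_messages, min_traps=2):
    """Return 'ip REJECT ...' lines for peers that hit >= min_traps trap addresses."""
    traps_hit = defaultdict(set)
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        rcpt = (msg.get("Delivered-To") or "").strip().lower()
        ip = connecting_ip(msg)
        if ip is not None and rcpt in TRAPS:
            traps_hit[ip].add(rcpt)
    ordered = sorted(traps_hit.items(), key=lambda kv: (kv[0].version, int(kv[0])))
    return [f"{ip} REJECT spamtrap hit ({len(t)} addresses)"
            for ip, t in ordered if len(t) >= min_traps]


def sample(helo, peer, rcpt, by=OUR_MX, forged=""):
    # Builds one constructed message; nothing here is real captured mail.
    return (f"Received: from {helo} (unknown [{peer}])\n\tby {by} (Postfix) with ESMTP;"
            f" Mon, 4 Mar 2002 10:00:00 +0000\n{forged}"
            f"Delivered-To: {rcpt}\nFrom: offers@bulk.example\n"
            "Subject: You opted in!\n\nbody\n")


SAMPLES = [
    sample("mail.bulk.example", "203.0.113.45", "jane.doe@trap.example"),
    # HELO is an address literal and a forged lower hop names another IP.
    sample("[198.51.100.7]", "203.0.113.45", "sales@trap.example",
           forged="Received: from a (b [198.51.100.200]) by mx.trap.example;\n"),
    sample("mail.other.example", "198.51.100.9", "jane.doe@trap.example"),
    # Top hop was not written by our MX, so the peer is not trusted.
    sample("mail.other.example", "198.51.100.9", "sales@trap.example",
           by="relay.elsewhere.example"),
    *[sample("relay.trap.example", "192.0.2.10", t) for t in sorted(TRAPS)],
]

if __name__ == "__main__":
    print("\n".join(build_denylist(SAMPLES)))
```

Requiring hits on more than one trap address before listing a peer is a design choice of this sketch; with the discipline described earlier in the thread (the trap address is never used for anything legitimate), `min_traps=1` is also defensible.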
Uh, aren't you being a little paranoid? So what if someone gets your real name in a spam mail? I don't see why they would find that so interesting.
True warriors use the Klingon Google
Spammers are very apt at verifying that their address lists actually work. Ever get a spam that seems really outlandish? A spammer asking for assistance in time travel? A kook that proclaims the end of the world is nigh? A totally empty message body?
Chances are they were just checking to see if the mail bounced.
If you have your own domain, try this experiment. Create an e-mail account, say: john.doe@your.domain. On your home page, publish the e-mail addresses john.doe@your.domain and jane.doe@your.domain. Make sure mail for your virtual jane is bounced with a "no such user" error. Watch how long it takes for john.doe to start getting spam. Check your logs for attempts to deliver to either john or jane.
If your experience matches mine, spam for john will be at least tenfold of what jane gets after about a month. After about a year, the relative difference will level off, but if by that time you create jane.doe@your.domain you will probably notice that she is very popular with spammers who do not speak your language.
One can debate which is worse, the bombardment of spam in a language you can read or the bombardment of spam in a language you can't, but feeding spammers fake addresses will only "hurt" the extremely stupid ones.
Not that there's any shortage of those. I get spam advertizing piano lessons in South Buenos Aires or airco repair in Hong Kong, and I own no airco or piano.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
Say I receive a spam mail from spamcompany.com, I could go to alsospam.com and register to receive mail at doesnt.exist@spamcompany.com. Do that a couple times and you end up with spam companies using their resources to spam each other...
Opus: the Swiss army knife of audio codec
I really hope that the author of the article implied sarcasm when he was "not worried" that the spam sender had a "privacy policy" registered with that TrustE or whoever the authority of the week happens to be. I can't believe people actually believe any site's privacy policy. Sure it says all the BS about how they won't sell your info, but of course it also says they can change it at their discretion, which is how they get around it. Call it the "Darth Vader" rule of contracts.
This reminds me of a friend of mine who was outraged that her supposedly private email address (which she only gave to 3 friends and never posted it online anywhere) received spam. I told her it must have been her ISP that sold her email address to a spammer, if indeed none of her friends gave it out. She told me it couldn't have been them because it was "illegal" for the ISP to do that. Of course it's "illegal"... doesn't mean they won't do it though!
IMHO, no privacy policy is worth the paper on which it is written (which is true because most are not printed out). No matter what any site's policy says, it is safe to assume that they can and will sell all of your personal information to the highest bidder (along with everyone else). We need to stop being naive enough to believe that companies actually care about our privacy. As long as it's profitable for companies to sell information, it will always happen.
I hope I didn't come off as a troll, but this cynical view is based on many years of experience dealing with online and offline vendors. None of them has ever respected my privacy, and none ever will. But knowing this, I can adjust my buying habits to ensure my privacy isn't compromised too badly.
In case of fire, do not use elevator. Use water!
The trick of creating company specific addresses works if you have full control of your e-mail domain. If you don't, it's possible that plussed addresses do work. If your e-mail address is john.doe@company.com, enter john.doe+evilcompany@company.com when Evil corporation wants your e-mail address to download, say, their Evil Player.
If plussed addresses don't work at your provider, bug them.
A really sophisticated way of doing this is to use TMDA, which extends this concept into time-limited addresses as well as more classic notions of "tagging" an e-mail address.
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
I read the whole thing and I still don't know if she won the sweepstakes and then the poor dear didn't even hear about it or get her oodles of cash.
-pyrrho
I'm a firm believer in Sneakemail and customizing email addresses for each site you visit. This shows that, unfortunately, even non-existent email addresses still get spammed. That drags down their resources. What we need to do is get rid of the open relays and the like. It's obvious that MAPS and RBL will only be able to do a certain amount of blocking. Spammers are very creative and have minimal costs.
70%???
That's terrible. We should be doing a lot better than that. Please let us know where we might be going wrong for you. For other people we're doing around 90 to 95%.
Matt - one of the SpamAssassin developers.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
I've been the technical editor for Maximum PC magazine for almost two years. Before I worked here, I worked for Ars Technica. At some point or another all of my email addresses have been posted on high traffic, public websites. Heavy spam has been a part of my day-to-day life for the past 4 years.
It's gotten much worse lately. On any given day, I get about:
20 viagra sales pitches
20 penile/breast enlargement ads
20 get rich quick schemes
30 different porn ads
10 you've won something messages
and another 20 or so messages that don't fit a category
Add anywhere from 3 to 20 assorted virus infected messages, the 20 or so press releases that come in every morning, and I don't know why email's even worth fooling with for the four or five messages that I actually read every day. Most of the repeat spam gets filtered and stored in a special folder, but I still end up seeing 25% of the total spam in my inbox every day.
Does anyone actually think that spam control legislation would help at this point? Most of the stuff I receive comes from the Pac rim countries or Russia. Anyone know any Congressmen or Senators who are pro-spam control?
As a short term solution, does anyone know a good spam-filtering POP3 client, or preferably a proxy I could use to filter spam that uses the MAPS or SPEWS lists?
///Will Smith
There are some e-commerce sites that don't work right behind a WebWasher proxy, but most do, and I buy from the ones that work, so there's no problem there.
Even more Damaging would be this inventive scheme.
All it would take would be a couple of bogus addresses run by a few people in different locations. Let these things become well-known spam-sluts.
Collect the addresses of the spammers for the first few months. Then, change the account so that, with each spam it receives, it sends an email out to a well-known usenet spam-harvest list with emails of the spammers, as well as randomly generated addresses from the spammer's domain.
To further make this evil, though it might cost you that account, have a .forward that uses this aforementioned spam-legit-list and forward all spams to them, as well as the randomly generated email addys at the spammer's domain.
Linux - Because Mommy taught me to Share.
When I first started this, I thought I'd "catch" a huge number of companies selling or using my email address without their permission. But what I've noticed over time is that I almost never receive any spam at these addresses. That is, probably 95-99% of the companies that I've signed up with have respected my preferences and have not sold or spammed my email address. Nearly all the spam that I receive (and I get a lot, though switching to the fastmail IMAP mail service has cut my spam significantly) is sent to:
an old address that I used 10 years ago to post on usenet
the address that I used when registering my domain
I think it's somewhat heartening that most companies that I have any real business or interaction with have properly protected my email address, the spam seems to come almost entirely from various types of harvesters.
"To be absolutely certain about something, one must know everything or nothing about it." -- Olin Miller
Maybe some are, but plenty of them are not. I've received a fair amount of spam at my "af.mil" account. A short note to the owner of the spamming domain or advertised service, including some mumbling about misuse of federal government computer systems constituting a federal crime, usually shuts them up, without even needing to point out the fact that they're sending spam to an organization with precision GPS-guided munitions!
"To be absolutely certain about something, one must know everything or nothing about it." -- Olin Miller
Geez, back in 1998, I consulted for MatchLogic on their email system. They seemed on the up-and-up, but of course that was four years ago.
-russ
Don't piss off The Angry Economist
The email talked about their time together and how she was having second thoughts when she called his house and his wife answered.
I responded that she must have the wrong email address.
You could have told her that your, that is his, wife was interested in a threesome and watch the sparks fly instead.
If you feel like a little mischief, mistaken identity can be a beautiful thing.
Some people have a way with words, and some people, um, thingy.
I move my spam to the "spam" folder on my imap server. So it never even wastes bandwidth coming down to my workstation (over a dialup).
Then I use this script to fire it all off to spamcop once a day:
#!/usr/local/bin/perl
$reporting_addr = 'submit.yourspamcopidhere@spam.spamcop.net';
$/ = undef; #slurp mode
$buf = <STDIN>; #slurp
@spams = split(/\nFrom /,$buf); # split on message header
for ($i=1; $i<=$#spams; $i++) {
    open (MAILER,"| mail $reporting_addr");
    $msg = "From " . $spams[$i];
    print MAILER $msg;
    close MAILER;
}
Not perfect, and you still have to visit the spamcop site to finish the reporting thing, but it's semi-automated at least. And forgive my clunky perl idioms.
My grandmother is 75; her birthday was in October. Just prior, she suffered a heart attack, and I decided to resurrect an old Performa 6360 for her so that she could email and ICQ with my mother and aunt. I provided her an email address at a domain I own. The address had never been used prior. My grandmother had never used a computer, and even getting her to be comfortable turning it on was a challenge. I don't believe she EVER successfully sent my mother a message by herself...although I could be wrong. I would bet that she used that computer a grand total of ten times.
A few months had passed, and I had a sneaking feeling that she wasn't using it. I would ask her, and she'd sheepishly admit that she "didn't have time" to sit and work on it. (Yeah, right. She's 75.) So one day in February I decided to peek into her mailbox to see if there was any mail in there that MIGHT be important...I was FLOORED by what I found.
I now have a mail folder sitting in Entourage that consists of 767 (!!!) unread messages. I simply can't bear to get rid of them. The first is from September 20th, 2001, and the last was sent on February 21, 2002, when I killed the account. None of them were "for" her (from people she knows). And some of the products being offered would probably cause her to keel over.
I am currently simply /dev/null-ing any mail incoming for her address...and I'm sure that if I'd remove that filter, the mail would still be flowing. If anyone (say a reporter, member of Congress, or FTC) would like to have a copy of this archive, I'd be happy to pass it along.
767...I love the internet!
Scott
"Hokey religions and ancient weapons are no match for a good blaster at your side, kid."
IHDAOS (I have done analysis of spam)
It is very likely not the ISP- the money they spend on help-desk complaint people would outweigh the cents received from a spammer.
Spammers will make up lists of names. If you are a john smith, you will get spam. period. Because their lists will have john.smith@X, johnsmith@, jsmith@, johns@... they take lists of the most common names and put together all possible variants. I've seen many cases where they forgot to BCC the list... "asmith, bsmith, csmith...aasmith, absmith..."
Unless your friend's email address is unguessable. Then it's likely someone cracked into their system and got the list. Selling it? They'd have to be desperate idiots.
The FTC has an email address for people to report spam (uce@ftc.gov). Anybody see any reason why they shouldn't create virgin email addresses, wait for spam to them that says "this was sent to you because you opted in" , and then haul the bastards in for fraud?
Private citizens can create spamtraps and use them to report the spammers to the authorities - why not cut out the middleman?
To a Lisp hacker, XML is S-expressions in drag.
To make a long story bearable... I managed to send mail on behalf of the president - to a legitimate address.
...
The whitehouse actually tracked it back to me (Not difficult as I was not trying to hide - just stupid).
Oh, c'mon, they always bring Krispy Kremes and coffee when they interrogate you. So long as you show them the id barcode on your neck, they usually let you go after a couple of hours
-
--- Will in Seattle - What are you doing to fight the War?
LOAD?
Holy cow, I haven't seen those commands in a while!