Slashdot Mirror
CDT Releases New Report on Origins of Spam
Carnth writes "CDT has released a new report based on a six month project entitled "Why Am I Getting All This Spam?" The results offer Internet users insights about what online behavior results in the most unsolicited commercial email and also debunk some of the myths about spam." A very good report - read it. There's also a story about yet another sleazy spammer in Ohio.
Spam comes in the form of unrequested text, right? So saying "FIRST POST" every time there's a new topic is simply a way of spamming Slashdot?
Chuck
I'm still wondering why when I have my hotmail filter set to "exclusive" (only recieve from those in my address book, which contains 10 addresses), I continue to get loads of spam each day in my inbox, including some very embarassing things that would cause my mom to faint if she walked in.
In other news, it was announced today that after careful study, researchers confirmed that fire is hot and pointy objects hurt.
I browse Slashdot at +3, Funny
I never saw anything in their methodology about how the spam was analyzed. It would have been interesting to see what effect actually opening spam e-mail in a web enabled browser had on the recurrence rate.
I bet the web bugs would have kept the recurrences high even for addresses that were removed...
"I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
I am sorry, smack me down if you must, but... Aaaahhhhhhhh!!!! Die Spammer, Die! Friggin White Trash sonsabitchin spammers. I feel slightly better now. Ready for Karma extraction.
If this article confuses you, don't worry. It was posted yesterday in a much clearer fashion.
I just got a new domain. ;-)
Which means that every email to that domain goes to me.
Every time I give my Email online I give a diff name, for instance if I buy at yahoo I give "yahoo-shopping@mydomain.com".
If I get spam to this address I know who gave it to the spammers.
- only been doing this for a week, no spam so far but there is still hope
Note: I am not actively looking to be spamed, just doing my usual stuff.
As of Postgres v6.2, time travel is no longer supported.
1) Sign up on an internet gambling site.
2) Register a domain name.
I have multiple domain names and I know for certain that much of my spam originated from either scanning the whois database, or someone selling the e-mail addresses from there.
I don't gamble, but I noticed that the java applets that were used for 99% of the gambling sites were all from the same place. In other words, if you want to start a gambling site, but you don't want to write software - you can pay to use the java applets of this one company. There is some rebradning that goes on - but in the end, it all goes through their servers and uses their code.
Because of that, I figured if there were any holes in the software, that would mean a whole crapload of open spots out there. So out of curiosity I registered at a gambling site and then looked at the source (you can get the source from a java applet).
After that, my spam increased exponentially - the immediate group was spamming me, as well as selling off the address - which then gets repeated over and over.
I use spamassassin now and I have it tweaked to the point where out of over 100 spams a day, I only have 1 get through - and that is because the code times out and lets it through, not because SA hasn't caught it.
I first installed it in January and in that time have only had it once grab mail that it shouldn't have - from my mom. I added her to the whitelist and have never had a problem since.
I use one of the more recent 2.60 versions, have the spam threshold lowered to 3.5, and I have tweaked a few of the score settings. Workds great for me.
There are some odd things afoot now, in the Villa Straylight.
Because your penis is small, you'd like to work from home and everybody loves baklava?
Weaselmancer
rediculous.
In the debate over how much spam really costs, one factor that almost never gets discussed is the impact on behavior and openness. How many of us refrain from using our real email addresses in public forums or in correspondence with companies because of a fear of receiving more spam? There may not be a direct economic cost, but it makes the Internet less useful to all of us. Spammers have essentially driven all of us to have unlisted phone numbers on the Internet, which reduces the usefulness of the medium. Off with their heads, I say.
Actually, I was trying to be Insightful, not Funny.
I was considering moving into the spam market, but decided that was too controversial. I opted to start pornography business instead.
The FTC already filed a complaint and had a preliminary injunction against Childs back in April. See the press release for more information. The article mentions he lives by Riverside drive in an apartment, could be with Linda Lightfoot, the woman mentioned in the complaints with him?
Life shrinks or expands in proportion to one's courage. - Anais Nin
Argh, Slashdot ate my link.
http://www.visi.com/~rwglynn/030319spamreport.pdf
Let's all go register for online lotteries with our new Hotmail accounts. Then we'll give our e-mail address to the airport on that little frequent flyer card because I know they're going to send me only useful info. Oh yeah, let's not forget Kazaa registration, seedy computer retailers, and mail-in rebates.
I participate in none of these activities. I have my email address on my website, but I spell it out instead of using the at@symbol.com . I've had two e-mail addresses since Summer 2001 and the only spam I get is from Windows e-mail viruses, which aren't compatible with my operation system. Yes, it *is* possible to have a public e-mail address that doesn't get spammed.
In the long run, we're all dead.
The promised junk mail control for Mozilla is finally here and I'm loving it. The wait was almost unbearable because all the other guys in the office have had spam filters with their OSX email client for months. I was tempted to switch. But now mail comes in and gets whisked away to the junk folder almost immediatly. It's a beautiful thing.
Oh god, here we go with the old "waah why isn't everyone as tough as I am" complaint.
I wonder, does he have children? If not, would he relish the idea of them constantly being hit with sex ads? How about elderly relatives?
The above CDT finding is mildly surprising to me. Is there a reason people haven't built 'smarter' Web scrapers that filter and convert character encodings of things like the '@' sign in email addys? Doesn't seem too difficult, but if the report is to be taken at face value, it seems a simple precaution to take (still). I had always considered it a low-tech defense easily overwhelemed. Guess I was wrong?
Childs blamed the mix-up on a programming accident and said he has since apologized to Smithson [for using her site as an open relay].
Reminds me of the old saying, "I might have believed it was an accident if you hadn't stopped twice to reload and once to chug a couple of beers."
Someone you trust is one of us.
Geez, I sure hope he's right. It sure would be a shame if his physical mailbox overflowed with a gazillion free catalogs.
Did anyone explain to him what happened to Alan Ralsky?
My amazing wife - Artist, Author, Philosopher - Laurie M
I don't want to get myself into any possible legal trouble, so please excuse me if I'm somewhat vague in some respects. IANAL.
About 2 or 3 years ago, my wife visited a store in the Lansing, Michigan area and gave them my email address. From time to time, I would receive email from them. Eventually, I asked them to stop. They stopped.
On November 21, 2002, I received an email from them asking me if I would like to begin receiving advertisements and marketing offers from them again. There was a link to click on, if I didn't want to opt-in. I clicked on that link.
Approximately 2 months later, I received an email from them. They had an option to unsubscribe by sending an email to their unsubscribe address. It said I would be removed immediately. I even received a confirmation stating that I had unsubscribed. For the next month, I continued to get 2-3 emails from them per week. Each time, I clicked unsubscribe and was told that I had indeed been unsubscribed.
After the 2nd email, I contacted customer service and reported the problem. No response. After the fourth time, I contacted them again, and threatened legal action, if they didn't stop. No response. I called customer service, talked to a live person, and was told that I would be removed from all their lists. But the email continued to come.
I filed a lawsuit in Michigan small claims alleging violations of the "junk fax" law, having heard about a Michigan man who had won by doing so. 6 violations for $500 each, resulted in $3,000, the maximum allowable under Michigan Law for small claims. As evidence, I have nearly all of the advertisement emails as well as my requests to be unsubscribed, and their acknowlegements stating that I had been unsubscribed. Additionally, I have the emails I sent to customer service, which never received replies.
About 2 weeks after filing suit, I received an email from their customer service stating that they were finally looking into the problem. I haven't received an email from them in the last 2 weeks, so I assume that I'm finally off their list, and it only cost me $36.50 ($32 small claims, $4.50 certified mail).
However, now their attorneys have demanded that the case be removed from small claims and placed into general civil court (which is their right). Unfortunately, I plan to do just that.
The FTC has publicly stated that not honoring removal requests is illegal. However, I'm not sure I have a private right of action in this situation. Using the Junk Fax law in general civil court is probably a bad idea, and I think I would likely have to claim actual damages in order to pursue it in general civil court.
I don't really want to get in over my head. I'm sure they realize this, which then makes me WANT to get in over my head. However, I'm still not sure that I have a legal basis for my case. Even in a state like Washington, where anti-spam laws exist, half of the cases get dismissed by the judge.
I called a local attorney and was told that I should dismiss, or risk being counter-sued for a frivolous lawsuit. Essentially, what they did is illegal, but there really isn't much I can do about it other than contact the FTC and the state attorney general, and if I pursue my case against them, I could wind up paying them.
--
Slashdolt
Yeah, this guy is a real success story to be immitated.
"Enough of this wretched, whining monkey life." -- Marcus Aurelius, _Meditations_, Book 9, 37
Obscuring an e-mail address is an effective way to avoid spam from harvesters on the Web or on USENET newsgroups... ("example at domain dot com")
I thought for sure by now spammers would have figured out regular expressions and e-mail address verifying modules, and I'm glad they haven't.
But doesn't that prove that there's never been a smart programmer who's worked on an e-mail harvester?
I think that says alot about the profession.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
When i registered my domain, I gave the address archos@myprivacy.ca. Any mail sent to this address is is held while a challange is sent to the sender. The sender just has to reply to the challange email, and the original will be sent to me. Automated spammers won't reply to the challange. myprivacy.ca is a free service provided mainly for .ca domains, or for domains registered with a participating registrars.
Does anyone know of any other services like this?
Spam needs legitimization. Hear me out, now, before you add that -1, Troll. By legitimizing spam we put ourselves in control. We need laws on a national level defining exactly what is valid spam and what is illegal.
We need the ISPs to work WITH the spammers ( or vice cersa). Make it trvial to filter, and only send it once. Give everybody a shared "Spam box", as place to go and see if they really need to acclerate their dialup to new levels, or a vacation, or whatever (I'm assuming 18" Penis and XXX TEEN LESBIANS will not be considered legit). We need stiff penalties to those who violate the law. We can't enforce the law in other spammer friendly countries, but we can enforce the law in our own. The company marketing should also be held responsible for violations, preventing American companies from just outsourcing their spam. Any spammer friendly ISP's either deal with their spammers or risk the entire range being blocked (voluntarily) by American ISPs. I know 99% of service providers would have no problem blocking out spammers voluntarily, especially if they are being good Americans while they are doing so. Let's not forget that as rapidly as it's changing, a majority of popular sites are American based. I know all you Norwiglians out there would probably drop your ISP if you couldn't get to slashdot just because your ISP supported spam.
The DMA has too much money to let spam die, and apart from the slashdot crowd a majority of people don't find spam to be a big problem in their daily lives (albeit mostly thhanks to us busting ass). Some people actually enjoy getting spam. I don't understand it either, but to each his own. As an option in a recent poll said, grey areas definately exist.
I think spam is a fact of life. Sometimes I get emails from business friends who include a small ad as their sig. We can't kill spam but we can change the face of it to be ever os less intrusive. We're going to have to compromise our "FUCK YOU AND YOUR GOD DAMN SPAM" attitudes if we plan on giving our credibility to our cause.
We want complete restriciton, and they want no restriciton. Somewhere in the middle there's a feasible solution for both of us.
Everyone is entitled to their own opinion. It's just that yours is stupid.
A good way to prevent spamming is to use javascript to generate your address. So rather then writing "me@wherever.tld" you write
<script>
document.write("me");
document.write("@");
document.write("wherever");
document.write(".tld");
</script>
It works pretty well, I've found.
autopr0n is like, down and stuff.
Yes, I've posted to usenet, and with only a couple of instances excepted, I've munged my address both in the from header and in the sig.
Yes, I've used the address when shopping online, registering shareware, signing up for other services, etc. Some of these actions have been followed by noticeable increases in spam.
One of the things that really bugs me is web services who solicit email addresses for their service (such as a greeting card or "e*kiss"), and then sell those addresses to spammers.
My ex-girlfriend once sent me an e-greeting using some unknown service, and addressed it to my earthlink account. I strictly use the ".net" tld when I give out that address, but for some reason, my ex used the .com tld for this greeting card. Before I even viewed the card, my inbox was flooded with spam addressed to me "@earthlink.com"
Needless to say, I was pissed. I sure wish I could remember which e-card website she used. Bastards.
I can see the fnords!
On my PC (win 2k, using MS Outlook (not express)) I've managed to get almost all my spam filtered out. I still get 1 or 2 a day, but that's way better than the 30+ I used to get. All it took was spamassassian (to catch most of the spam) and cloudmark spamnet (which catches many/most of the viruses that seem to find their way to me). Works great.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Here's what I presume to be home address of the spammer named in the article.
ABUSERS: C. Fielding Childs
cf_childs@yahoo.com
Bulker's Paradise
4132 Pompton Ct.
Dayton, Ohio 45405
FAX: (937) 275-3741
ALSO: Charles Fielding Childs, Jr.
"MAIL ORDER ALLIED COMPANY"
2936 Melbourne Ave.
Dayton, OH 45417
I have the same email address that I've had since 1994 (basically firstname@lastname.com). Unfortunately I used it on the Usenet many years ago, before this was considered to be a bad idea. Nowadays, Google Groups (and perhaps others?) have my postings, and email address, forever immortalized.
I imagine that harvesting software would crawl Google groups regularly. Is there anything I can do about this? This study makes it clear that after an email address is removed from the web, the amount of spam it receives drops off dramatically. It makes sense that removing my email address from google groups (the last remaining place it exists on the web) could help substantially.
So the question is, will Google remove my email address from their site if I ask them? Has anybody else tried this?
- j
Sure, spammer X knows that someone who spells out their email address in an attempt to avoid spam is not going to buy anything.
.003 cents for the email address for each spammer they sell to and buy a silk kimono and leather slippers and sleep until 1 PM. Bastards.
But, many spammers exist solely to sell other spammers email addresses. So, an obscured email address is just as valuable to such a spammer as any other email address.
Of course, they won't tell their spammer clients that the email address is for a spam-averse user, they'll collect their
My amazing wife - Artist, Author, Philosopher - Laurie M
One of the funnier (to me - others likely hate it) things I've seen are those "somebody has a crush on you" sites. you then have to "guess" who sent you the thing, so you put in emails and it collects them. I don't think that anyone ever really sends you anything, it just says that, then collects all the emails that generates and then tells those people that someone has a crush on them, etc etc.
Then that list can be resold.
I have my email address up on slashdot, I have it on my webpage (current and an old school one). I have posted to various discussion boards, yahoo groups, newsgroups, mailing lists, etc. I have purchased online from literally hundreds of online stores (I pretty only buy anything aside from dinner online).
Our of all of those, I definitely saw increases in spam coming in - but it wasn't huge increases until the two things that I mentioned up there - the online gamling and the domain registration.
There are some odd things afoot now, in the Villa Straylight.
The Dayton Daily News article discusses Charles F. Childs, an Ohio native. Last year I testified before the Ohio Senate Commerce Committe regarding a proposed spam bill. That bill was later passed into law . Among other things, the bill has opt-out requirements, requires a pre-existing business relationship, and makes it a feleny to forge headers and/or abuse open relays or proxies to send email. I would imagine that Mr. Childs, and another Ohio spammer, Tom Crowles, are in violation of some or all of the provisions of the Ohio spam law. Here's a new get rich quick scheme for you: hire an attorney and start collecting damages from these scum (up to $100 per email plus legal expenses).
It's possible that some government fiat could ram this new standard down everyone's throats, but I don't think anyone would be happy with that.
Boobies never hurt anyone. - Sherry Glaser.
That doesn't change the fact that you're still getting spammed!!! So what if you know who did it? Great, you won't do business with them again because they sold your address.
Your still getting spammed because in most places, it's perfectly legal for them to do so. Your bandwidth is still absorbing spam. Your mail server still deals with the spam/bounces.
Just making a cute address doesn't solve the problem.
Ahem.
I represent the Cetacean Fecal Matter Anti-Defamation League. Please retract at once your defamatory comments against whale dreck.
I have also been informed by the Head Maggot of the Fly Larva Anti-Defamation League that although his members will gleefully chow down on any form of cetacean poop ranging from Dolphin Doo to Blue Whale Bombs, they'd definitely draw the line at Ralsky's carcass. They've got standards, y'know.
I've also noticed that lately spammers have been putting a 1 pixel wide image in the email message itself. (I.e. img src=spammers_server/pixel.gif?email=youremailaddre ss )
If the message gets opened or previewed - the pixel is pulled from the spammers server and a web log is created with your email address in it. Even viewing a potential spam email can verify your email address to the spammer as a valid account.
A man, regardless or age, is old when regrets of the past replace hopes of the future.
I read the report and was immediately struck by the fact that email addresses posted to us.jobs newsgroup received ZERO spam. Don't try this in alt.sex.erotica, however, as that newsgroup received the most spam. Further proof that pr0n really is the driving force behind the internet... p.s. now you know where to post email addresses of thy enemies
pot.kettle(black);
I have posted an HTML version of the report at http://www.cdt.org/speech/spam/030319spamreport.sh tml . Thanks for your interesting comments, I am collecting them for ideas for future research projects. Mike
Oh, say, no more stressful than pulling the trigger on a high powered rifle...
Some people just don't get it. Spam is an invasion of a personal space - it's the intrusion into our personal lives by a stranger that we resent, not the fact that we have to hit the delete key.
Quite frankly, I'm surprised that these guys are still alive. Spam is something that really angers people, and I can imagine someone unfamiliar with the 'net getting scammed and taking a high powered rifle to some spammer's house. Not everyone believes in the sanctity of life, you know, and if you blanket email the U.S., you're bound to put spam in the inboxes of criminals... But hey, the risk is up to you.
The society for a thought-free internet welcomes you.
--- BEGIN QUOTE ---
A friend and I had an idea one night that the best way to seek revenge on someone is to post their personal information on the internet, for everyone in the world to see, and let everyone seek revenge on that person for us. Thus, The Dox Depot was created. If you want to get revenge on someone and ruin their life, post their personal information on our page. Put their phone number so they get thousands of calls. Click here to get revenge
http://www.doxdepot.com/
To be removed from our mailing list please send an email to us admin@doxdepot.com
--- END QUOTE ---
1. E-mail addresses harvested from the public Web are frequently used by spammers. By an overwhelming margin, the greatest amount of spam we received was to addresses posted on the public Web.
They have forgotten to mention the very mailto: tag in their research. IMHO this might have been a crucial factor to their research.
Although on the majority of web pages you have the mailto: link to be the same as your email address (duh), for research purpose it would have been interesting to separate the visible email address and the one in the mailto: tag. I am confident that whatever is in the mailto: link is what attracts spiders, and the email address displayed on the page gets less.
Can someone with knowlege of harvesting get back to us and tell me if this assumption is correct ? Better yet, does someone has any data ?
Tired of your legislators not doing anything about spam? Then perhaps they need to see just how much fun it is... send an email with their return address to several of those "remove me from your mailing list" links, and see how long till they come around. Of course, you should only do this where it is legal to do so, but I'm sure if you repeat this many times over, that should change soon enough :)
http://bike.stu.ph/rides - free GPS routes available for Garmin, Magellan, GPX and Google Earth
This article tells you how to set up a rule that will detect HTML mail in Mail.app:
Add an HTML filter to catch more spam in Mail.app
It works great!
At least some harversters decode the page before searching it for addresses, and several advertise the ability to get through the "bob at domain dot com" subterfuge.
But, we also have several domains that have no mail address set up, except those required by RFC. They routinely get spammed, even when no email address was used in creating the domain.
Lots of good advice, though!
In version 1.3:
Edit > Preferences > Privacy&Security > Images: Do not load remote images in Mail & Newsgroup messages (check!)
also, in Preferences >Advanced > Scripts & Plug Ins: Enable Javascript for News & Newsgroups (uncheck!)
This, along with whitelisting sites with popup windows and Bayesian email filtering should make your life easier.
Cheers
-- Andre
Ok. I may not have beleived this myself...
BUT! Just before resorting to a filter, I went ahead and tried the 'opt out' link at the bottom of a spam message that was part of a 4-5 message a day flood from a service calling itself "Opt-In" email service. After a couple of days, I never heard from them again.
Funny thing is, tho: the very next day, a new flood began from a company calling itself "YourMailServer"...
CONSPIRACY?!