Where Does Spam Come From? No, Really?
jnazario writes "The Center for Democracy and Technology has recently put together a really neat paper studying the methods by which spammers get your email addresses. The report posted otherwise unused email addresses in a variety of locations, using different techniques for visibility (i.e. HTML encoding vs plaintext) and then watched what accumulated after six months. They generated some interesting results into the methods by which spammers can track you (with publicly available websites containing your bare email address being the most popular method) and even some techniques to stop spam, such as HTML encoding your email address. A very interesting read."
This seems familiar.
that Spam comes from a 'SPIG'. Cousin to the pig, but has to be mechanically separated before being canned and served.
Is it April Fool's again? I'm waiting for the story on the evil bit now.
I pick it up in the canned meat section of my Super Wal-mart.
Where ever you go, there you are.
dupetastic!
You go to the spam, the spam does not come to you
From those damn Spammers I'd guess.
:)
No wait, better - it comes from those companies who profit from the utilisation of bandwidth. People who sell email servers marketed as coping with massive volumes of email too. Oh, and let's not forget the people spam filters!
Cynical? Me?
But what explains the amazing spectrum of sources?
Even with a black-list implementation, spam has been through the roof lately, almost too much to keep up with submitting even.
If Slashdot posts the same report three times, is that slashspam?
What bothers me is where it goes to - my Inbox!
SLAM: An unsolicited duplicate Slashdot story.
April 1st again?
http://slashdot.org/article.pl?sid=03/03/19/1736249&tid=111 (dupe 1)
http://slashdot.org/article.pl?sid=03/04/12/1442206&mode=nested&tid=111&tid=95 (dupe 2)
This article is a duplicate of one posted on March 19 back when the CDT report was released:
CDT Releases New Report on Origins of Spam
Mirror
Right here
--sig fault--
Hormel Foods Corporation
Sig ?
use the word "spam." it will get run no matter WHAT
tripe n.
1. Stomach tissue of a ruminant and especially of the ox used as food
2. Something poor, worthless, or offensive
Toronto-area transit rider? Rate your ride.
When mommies and daddies love each other very much, they get together and.......................
- I hate spam spam wastes my whole day!
- spam eats up 999.99999% of my company's bandwidth!
- I use spamassassin! It gets 9999999.9 9 9 9 23 % of all spams!
- I think the government should make people pay for email, that'll end spam!
- People who send spam should go to jail forever
- Why don't you all just relax and accept spam as a downside of a free internet
- I never get spam because I don't sign up for free porn at every opportunity
I don't need no instructions to know how to rock!!!!
Dupes are Evil too!
!
^_^
Duplicate
Why do I h8 apple?
Yes....
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
Just need to vent a bit anger.
:(
Just had one of my domain names used in the fake from address (you know, siusd3874@mydomain.com) kind of thing, where the bit in front of the @ changes in an attempt to combat filtering.
Pain in arse - I've even had to put a page up on the website trying to explain that the SPAM is nothing to do with me.
Noticed a sharp rise in non-referred hits to the www.mydomain.com - which I can only assume is people trying it - probably to find out who spammed 'em.
This is despite the SPAM body having a URL that is obviously nothing to do with me.
I've had to put a page up saying "Look, this SPAM you've received is nothing to do with me."
Aggghhhh
"'These antispammers should get a life[...] Do their fingers hurt too much from pressing the delete key? How much time does that really take from their day?'"
"By contrast, she said, '70 million people have bad credit. Guess what? Now I can't get mail through to them to help them.'"
The whole story is available at:
http://www.nytimes.com/2003/04/22/technology/22SPAM.html?pagewanted=print&position=
Also available at
http://www.chron.com/cs/CDA/ssistory.mpl/business/1877197
Is Alyx Sachs the female Alan Ralsky?
I saw this story floating in the mysterious future and tried to warn Malda. I would theorize that he needs to make "The Mysterious Future" a little larger window if he really wants to get help in preventing dupes. Or are there really THAT few subscribers seeing pre-post stories?
RudeDude
Perl/Linux/PHP hacker
It's an IT guy's job to stay on top of current trends and technology. Any spammer would be remiss in not reading articles like this. I can't help but wonder how many of them actually do.....
Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob). He's always telling us that:
"Americans are not in Baghdad"
or
"Loose wieght in just 2 weeks"
or
"Make money fast"
or
"Requested information"
Karma: The shiznight, mostly because I am the Drizzle.
the readers of /. are being spammed with reports about spam...
/. editors come on guys make up and start talking to each other again.
Spam should clearly have the Evil Bit set to on.
Where do duplicate slashdot articles come from? No, really?
third times the charm
Wouldn't the same damn story posted multiple times on Slashdot be considered spam???
I like to have fun with this one. Make sure that you take out any "serial numbers" which might be embedded in the link. Call as many dynamic scripts on the page as you can.
#!/bin/bash
COUNT=0
while [ $COUNT -lt 2000 ]; do
    lynx -dump $1?YOU_FILL_MY_MAILBOX_WITH_UNSOLICITED_CRAP_AND_
    let COUNT=COUNT+1
    echo $COUNT
done
Okay, it's ugly. And who knows if they actually check their weblogs? But it makes me feel better.
Besides, they were warned on my webpage, which outlines all the policies with regard to sending e-mail to my domain.
A really neat extension would be to have a script which parses the e-mail for links, de-fluffs them (to remove redirects through Yahoo and obfuscators like that) and automatically hits each and every one of the URLs given... but I haven't gotten around to it yet.
Fire and Meat. Yummy.
Maybe SlashCode should be set up to look through the links for the past X days/months/whatever and see if there are any duplicate links. Then it could bring up a little warning saying that the link has already been posted so somebody can do a quick check. It wouldn't keep all of the dupes out but it'd help. Of course, that's a rough idea and I'm not going to code it... dupes don't bother me all that much...
About half my spam comes to the email address that I use on slashdot, most of the other half to the email address I use on google groups. There's a small amount that comes to my main email address that is on my web site, and a small amount to email addresses that I registered in other places that I expected might spam me.
Conclusions
1. E-mail addresses harvested from the public Web are frequently used by spammers. By an overwhelming margin, the greatest amount of spam we received was to addresses posted on the public Web.
When an address has been posted on the public Web, it can potentially be viewed by hundreds of millions of users. People who develop spam lists exploit this feature by using address-harvesting programs to surf across thousands of web sites, collecting any e-mail addresses that they encounter. Most users have no idea that their addresses have been harvested until they begin receiving spam.
2. The amount of spam received by an address posted on the public Web is directly related to the amount of traffic that Web site receives. The more visitors a Web site has in a given period of time, the greater the likelihood that an address-harvesting program used to send spam will scour it. As a result, addresses posted on high-traffic Web sites are likely to receive a greater amount of spam than addresses posted on smaller sites -- popular Web sites are more frequently "harvested," and addresses posted on those Web sites are added to a greater number of spam lists.
3. E-mail addresses harvested from the public Web appear to have a relatively short "shelf life." When e-mail addresses we posted on the public Web were removed, there was a pronounced drop in the amount of spam they received each day. The change was not absolute -- on a given day, an address might receive a few spam messages even months after it had been removed from the public Web. But such spam was on the order of 2 or 3 messages per day, compared to the thirty or more messages received by addresses still on the public Web.
4. Addresses posted in the headers of USENET messages can receive significant spam, though less than a posting on the public Web. Like most Web sites, USENET postings are publicly accessible and may be targeted by e-mail address-harvesting programs. When a user includes his or her address in the heading of a USENET message, that address can be harvested and used to send spam. Our preliminary data indicates that some USENET newsgroups are more frequently harvested for e-mail addresses than others.
5. Obscuring an e-mail address is an effective way to avoid spam from harvesters on the Web or on USENET newsgroups. Even when posted in publicly accessible areas, none of the addresses we obscured -- whether in English ("example at domain dot com") or in HTML -- received a single piece of spam. Users who want to avoid spam should consider obscuring their addresses when possible.
6. Sites that publish their policies and make choice available to users generally respected those policies. A major element of the CDT project was to submit e-mail addresses to a number of popular businesses and other organizations on the Web. Many of these sites had privacy policies describing how they handle e-mail addresses and other potentially sensitive pieces of information. While the terms of these policies varied, we found that almost all sites followed their policies. In addition, when consumers were offered choices about how their personal information would be handled, those choices were respected.
7. Domain name registration does not seem to be a major source of spam. Despite the fact that the WHOIS database is publicly accessible, our project received just a single spam message to an address that was in WHOIS for six months. This leads us to believe that, at least for some people registering new domain names, listings in the WHOIS database may not be a major source of spam. However, because our project had a relatively short duration, we were not able to examine whether additional spam would be received as a domain name approached its renewal date.
8. Even when an e-mail address has not been posted or shared in any way, it is still possible to receive spam through various "attacks" on a mail server. In our study, a "brute force" attack on the mail server generated a t
...now that it's slashdotted...
Google cache is great. Here's the article.
This is a consumer document meant to tell folks how to stop getting as much spam.
Useful insofar as it goes, but what would be much more helpful is an objective take on how spam gets to the end-system. It's very hard to generate this information. You can come up with the list of final-hop relays, but that's not as useful as you might think, since most of the really crappy spam software out there finds open relays dynamically and routes through them.
Slightly smarter software is now making it out there that performs some simple testing to determine how / if a given relay of choice can reach other sites. So for example, AOL's recent blocking of Comcast customers will help them in the short term, but over time they'll find that spammers simply stop using those relays and start using the ones that can get through. As new relays pop up, they will be used... eventually you would have to simply stop accepting mail in order to correctly prevent spam.
Like I say, it would have been useful to have the data on where spam is actually originating, but even without it, you can block spam with a very high degree of certainty based on the sender and relays with a much lower false positive (failure) rate than any of the bogus blacklist schemes out there. I'm about to add a module to SA to do just this, so stay tuned....
I was getting 500 spam a day. Hot damn, that is a lot. I have a bunch of URLs and I was promiscuous with my e-mail address(es). I had them up in newsgroups, message boards (even slashdot), I subscribed to crap, I bought things online, I registered at countless sites... and never with a condom. I have a paypal account, and I have registered at a few casinos (not to play, but to look for security holes - but that doesn't mean they don't still spam the hell out of me). And then my friends and I go through periods of signing each other up for things when we are asked to fill out forms - so it is hard to say how much of that has happened.
The bulk of what I was getting was from the URLs that I have registered - those URLs were set up to forward all mail at that address that didn't have an actual e-mail address to my address. So I disabled that feature to some extent, and it dropped my daily spam count down to a little over 120 or so a day.
So I then got curious and went through and "unsubscribed" from a bunch of them just to see what happened. My spam went down to about 30 a day. Hot damn, it worked.
But then it came back up over time - not sure if the unsubscribing just got my name on other lists, or if it just grew over time.
So I installed spamassassin, at the time 2.5 was in devel, so I used that. Various builds were better than others, and it got me down to about 1 or 2 spam that snuck through every day.
Since then I have installed 2.6 and haven't kept up with the development builds as often since the changelog wasn't... well, wasn't changing much over the time that I was watching it.
I run it as the perl script, not the faster c daemon. I am on a shared server and scripts have to time out after 30 seconds of cpu time. So if the perl script is doing a lot of stuff, it gets killed, and the mail gets sent through.
So that was the bulk of the spam I was getting - not that spamassassin mistagged it - but that it was dying and letting it through that way.
So I went in and changed my settings. I disabled all of the blacklist checks (score RAZOR_CHECK 0 and score RAZOR2_CHECK 0). I raised the autolearning threshold to be higher so that it would do that less frequently. I have my good contacts on a whitelist. I made the required_hits spam score to be 3.5 instead of the default 5. I went in and made the 90% bayes score 3.5 and the 99% score to 4. I skipped the rbl checks and made the max attempts on anything that would try multiple times if there was any failure to be low (1-2).
As a result, it rarely kills the process now unless the server is under a lot of load - and now I get about 1 or 2 spam in a week instead of in a day.
I am a very big fan of spamassassin.
There are some odd things afoot now, in the Villa Straylight.
Is daddypants routed to
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
From the article:
CDT received the most spam just by placing an e-mail address at the bottom of a webpage. Spammers "harvest" these addresses with computer programs that collect and process addresses and add them to spam mailing lists. If a user must post his/her e-mail address in a public place, it is useful to disguise the address through simple means such as replacing "example@domain.com" with "example at domain dot com"
Then, at the bottom of the webpage:
For further information, contact Ari Schwartz at the Center for Democracy & Technology, 202-637-9800, ari@cdt.org.
hmm.. I'll be interested to know how much spam that generates for him/her....
-- -- Warning. Do not stare directly at the sun.
... is that slashdot only posts 10-15 stories a day. Some days we see two or three dupes so maybe over time that averages out to a little less than a story a day.
What I find impossible to believe is that out of all the submissions that enter into the possible queue these are the ones that stick out so well they end up getting posted. That almost 9% of the time we see the same article get put up.
Think of it this way, if your department at your company, hell if your company, messed up 9% of the time what would happen to you? In the case of slashdot nothing happens because no one is accountable and anytime anything shoddy happens everyone clamors about with "it's rob's personal site!@#!@#!@ he can post whatever he wants!@#". Except that isn't the case anymore and hasn't been for years. This is a FOR-PROFIT site with readers who create the value, yet time and time again we are shown and told (Hi Michael!) how little we are valued or mean to the staff at slashdot. Answer me this Rob, do you care so little about your creation now? Where is your sense of pride?
Unfortunately just departing is a hard thing to do because of the absolute power in the meme of "/.". It is a lot like CNN, you know the news sucks, you know it is biased, but it is always there so in a moment of weakness you give in.
--- I do not moderate.
Dear Friend:
Thank you for joining our opt-in list to receive this survey. This is not a
SPAM. If you prefer to be excluded from our surveys, feel that this email has
reached you in error, or if someone submitted your email address to us by
mistake, please see "exclude" instructions below.
The hottest issue on the Internet today is unsolicited email, also referred
to as SPAM.
Some people believe that stopping SPAM would be an infringement on one's
right to free speech, as well as freedom of the press. The guarantee of
these rights outweighs the elimination of SPAM they receive in their email.
People on the other side of the issue say that unsolicited email is an
invasion of privacy and a nuisance. They also believe that SPAM should be
illegal, as technically, they are paying the cost to receive it (via hourly
ISP charges and increasing monthly charges) every time they log into their
email.
Which side are you on?
Most of you are aware of the battle in the US Courts involving the legality
of this issue. It is our intention for this survey to have an impact on the
outcome of those decisions. The results of this survey will be published in
national publications, submitted to the major commercial servers like AOL and
CompuServe, submitted to television media for broadcasting, and submitted
directly to legislators in Washington, DC.
By taking part in this national survey, you will be helping to decide what
outcome the law will have on this issue and help to offset the cost of
publishing these results. Let your opinion be known!
To participate, call:
1-900-737-0034 to vote "Yes" to SPAM, and
1-900-737-0035 to vote "No" to SPAM.
You will be charged $1.99 for your call (which will help offset the cost of
publishing the results) and you must be at least 18 years old to participate.
VOTE - VOTE - VOTE - VOTE - VOTE - VOTE - VOTE - VOTE - VOTE
Survey brought to you by the Internet Polling Committee, Miami, Florida
Now, I'm not saying they do this, but wouldn't google be able to generate one hell of a spamlist? Both from googlegroups usenet feeds, and just the google http cache picking up email addresses. Would be a lot more evil than paid placement, and you'd never know.
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
Mirror
- you are sofa king weed todd did
You see, there's a mummy spam and a daddy spam. When they love each other very much they, well, sort of, get together, you know, and they make a new spam.
Stick Men
Theory 1: Hormel
Theory 2: A mommy SPAM and a daddy SPAM, well...um...are you old enough to hear this?
Theory 3: Giving out a real email address, or replying to SPAM.
Sorry, that's all I can think of for now.
Sometimes I doubt your commitment to Sparkle Motion.
...why not put up crawlable web pages with just buhzillions of fake emails for the content. Let the email harvesting bots try to send spam to undeliverable domains. Wouldn't that clog it up on their end with bounces? And maybe change the pages every few days with a new list, maybe there's a random email generator thing to come up with fake domains, like a password generator?
Not a coder, no idea if this is any good, I am all for taking the anti spam measures to active offense instead of trying to defend from them.
We could do it here for another example, if everyone put some fake email addys inside every post, like kjfhgirtughfwuh@kjfdghtigut.com
http://www.hcdonline.com/jobs/DisplayJob.asp?ID=3
Category: New Media
Job Title: eMail ad designer
Job Description: Need a techy or ad person who can jam out killer ads using front page for eMail campaigns. Easy gig for someone who knows how to write and cut and paste. Good op for freelance, college, or veteran Internet or Advertising guru
Job Location: Los Angeles
Phone Number: 323-871-2000x11
Fax Number: 323-871-0625
Email: yurontv@netglobalmarketing.com
Enjoy!
--rhad
Slashdot needs to interview Natalie Portman.
Most e-mail addresses available on the web are harvested by spiders, nothing new here. If your site gets listed on slashdot or indexed by google, you're toast.
A good way to not get trivially spammed is to write your e-mail address on an image (jpg, png, whatever) and *not* provide a mailto: link with it. It's kind of painful for people who want to mail you (no point & click and MUA opens), but again, it would probably discourage some people that send flames as well.
You could as well supply your PGP key only, but that's even more painful as most people don't have PGP. When (and if) they add your key to their keyring, your e-mail address will show up and then people can happily send you mail. In practice this doesn't work very well.
I've noticed that most of my spam comes to the account I use for MSN messenger. Maybe some spammers run bots which monitor MSN, checking who's online, and from that get a list of valid email addresses.
-- Wibble
Everyone knows that spam comes from dusty tin cans that are from Iowa. :)
"Is this heaven?"
"No, it's a spam factory..."
Do they even have broadband in Iowa?
Iraqi Information Minister Mohammed Saeed al-Sahhaf (aka Baghdad Bob). just hired by slashdot
"THIS STORY IS NOT A DUPE! IT IS NOT A TRIPE! IT IS ORIGINAL AND YOU WILL READ IT YOU FILTHY INFIDELS!!!"
I am still alive!!
This battle for email addresses will 'never' end. In order to use an email address, you need to publicize its existence. There lies the weakness that spammers exploit.
Even the HTML encoding of addresses can not stand up to this exploitation. When scouring a website for addresses, everyone knows you look for all occurrences of '@' in the source. Encoding it with HTML merely substitutes one search character with the short string '&#64;'.
Probably the best defense is to randomly insert undisplayed '@'s and '&#64;'s all over the place within a webpage. That way, there would be too many false positives for them to work out. People are lazy and won't bother with such garbage. The irony of this would be that spammers would need to use anti-anti spamming filters. Then we'd need anti-anti-anti filters, etc.
Like I said, as long as addresses are advertised, this battle will 'never' end.
This is not my sig.
No, spam comes from terrorists.
HEY! that's what we need to do, we need to convince our politicians that's where spam is from, that spamming is terrorist attacks on the US.
I mean, they are technologically inept enough to get suckered into accepting DMCA, this ought to be nothing. If all spammers are terrorists, then spammers can be hunted down with terrorists.
The slogan could be "When you spam, you spam with Saddam!"
SCO to Hell
FrontPage? Email? GAAAAARRGGGHHHHHHHHHHHHHHHHHH! HULK SMASH!
Damn spammers. Oh and YES MY FINGER HURTS damnit!
I know there are a lot of archives of spam out there that are used to filter emails with.
What if every company set up a short email address that automatically forwards to these spam databases.
Then you take this email and plant it where spammers harvest their emails from. Then every time they send a spam out there is a good chance it will hit the spam DB before it hits many mail boxes.
And because the names for these email addresses are short they will be among the first hit if the spammer sends them to all possible addresses at a domain.
If it is happening, oh well, if not maybe this will add a bunch of work to find the email addresses in their database that go to the DBs
Spam comes in a can,
It was put there by a man,
In factory downtown.
And if I had my little way,
I'd get spammed every day!...
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
"By contrast, she said, '70 million people have bad credit. Guess what? Now I can't get mail through to them to help them.'"
Tough luck. I pay for my Internet connection, you have no right to cost me money. Do telemarketers call collect? Does the postman demand cash for delivering me mail? No. Why the hell should I let you run a business at my expense?
Kjella
Live today, because you never know what tomorrow brings
From the nytimes article: ...he hooked up with Ms. Sachs, a former producer with Geraldo Rivera who later worked in marketing at several Internet companies.
That was kind of refreshing to read. It indicates that the scuzz at the bottom of the gene pool isn't getting bigger, it's just recirculating. That's my delusion and I'm sticking with it!
He should have turned himself in.
Think of the millions he would have made in America doing commercials, game shows, stand-up, etc.
Here they are.
Mouse powered Chips, Open source Processors and Lego
I think I might be one of the few people posting on topic. And I do this only because I missed my chance on the previous articles. Like they say, "If you haven't seen it, it's new to you."
It seems to me the reason the obscured email addresses, e.g. normalforcekills at hotmail dot com, haven't been spammed is because a small portion of the internet savvy do this. For it isn't hard to modify a spider to grab these. Given time these spiders will start grabbing these addresses.
If anything, obscuring email addresses will only delay the inevitable from entering inboxes. Finding the spammers and stopping them (read: tar and feather them) should be the focus.
I've been creating one-off email addresses for pretty much anything that requires an email address for almost a year now. At this moment, I have almost a hundred email addresses made specifically for anything ranging from Slashdot to job-sites to mailinglists. So far, the only addresses that generated any spam at all have been the one I used for Google Groups (well, DUH) and one that was published on a website in plain HTML. All the other ones, so far, have not generated a _single_ spam email. All in all, it seems like the companies and websites that require you to give them your email really do keep it confidential.
He who laughs last, thinks slowest.
uh, from /. of course.....
I usually put a link to this on my web pages: link I'd be interested to know how effective people think it is... Thanks..... Got it from rootsecure.net if you want to try it too. I have only had it up for a few days so I haven't had a good base line from my logs to check who is hitting it (besides people clicking it)
Julius Caesar - Act I, Scene i: "What mean'st thou by that? Mend me, thou saucy fellow!"
Just remember, SPAM doesn't kill people
People who get spammed, kill people.
Use your head, can't you, use your head,
You're on earth, there's no cure for that - S. Beckett
tripe n.
1. Stomach tissue of a ruminant and especially of the ox used as food
2. Something poor, worthless, or offensive
Hmm, apparently the editors think that we are "Grade A morons" who graduated from "Bovine University".
My beliefs do not require that you agree with them.
Increase your browser history size. Now... Before clicking "submit" look at the little linkies in your article. Purple linkies = BAD. Blue linkies = GOOD. ;-)
What we need is a snail mail address so we can sign her up for a bunch of unsolicited snail mail like we did for Alan Ralsky... ;-)
Home of SPAM
Jeez, can't the idiot who posted this find something new? This was already posted back in March - over a month ago! To wit: http://slashdot.org/article.pl?sid=03/03/19/1736249&mode=nested&tid=111
kick it to the curb and let the recyclers pick it up.
Perhaps, perhaps not... The 'blah at blah dot com' is a real easy one to fix in a spider (at=@, dot=., you're done), but there are quite a few ways to do it that are either human-parseable only, or require a LOT of coding...
F0r 15stanc3, rand0m numb3r/l3++3r r3p1ac3m3n+ ki115 dic+ionary program5.
rO, er-ev-sr-e ve-re-y ap-ri fo el-tt-re-s (reverse every pair of letters... include human readable directions, and you're set)
Some of the set ones we see on slashdot - bob@hotmailBOHR.com remove physicist, etc.
Computers are great at quick calculations... but even untrained humans can do pattern recognition many millions of times faster and better (hence the reason face-recognition technology is so primitive).
-T
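The disagreement in this thread over how much HTML encoding and "at/dot" spelling really hide can be checked on your own pages. This Python sketch is an added example, not part of any post: it reports, for each address in a page's source, the cheapest processing step that makes it readable. The sample page, addresses and function names are constructed for illustration.

```python
import html
import re

# Ordinary address pattern applied after each processing step.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# "user at example dot com", the English obscuring from the CDT conclusions.
SPELLED = re.compile(
    r"\b([A-Za-z0-9._%+-]+)\s+at\s+([A-Za-z0-9-]+(?:\s+dot\s+[A-Za-z0-9-]+)+)\b",
    re.IGNORECASE,
)
TAG = re.compile(r"<[^>]*>")


def entity_encode(address):
    """Obscure an address by writing every character as a decimal HTML entity."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def spell_out(address):
    """Obscure an address as 'local at domain dot tld'."""
    local, domain = address.split("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


def _rewrite_spelled(text):
    """Turn 'a at b dot c' back into 'a@b.c' in visible text (tags removed)."""
    def join(match):
        domain = re.sub(r"\s+dot\s+", ".", match.group(2), flags=re.IGNORECASE)
        return f"{match.group(1)}@{domain}"
    return SPELLED.sub(join, TAG.sub(" ", html.unescape(text)))


# Processing steps, cheapest first. An address is attributed to the first
# step at which the plain ADDRESS pattern can see it.
STAGES = [
    ("raw source", lambda source: source),
    ("entity decoding", html.unescape),
    ("at/dot rewriting", _rewrite_spelled),
]


def audit(page_source):
    """Return {address: name of the cheapest step that reveals it}."""
    found = {}
    for name, transform in STAGES:
        for address in ADDRESS.findall(transform(page_source)):
            found.setdefault(address.lower(), name)
    return found


# Constructed sample page: one bare address, one entity-encoded, one spelled out.
SAMPLE_PAGE = (
    '<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>\n'
    "<p>Press: " + entity_encode("press@example.com") + "</p>\n"
    "<p>Webmaster: " + spell_out("webmaster@example.org") + "</p>\n"
)

if __name__ == "__main__":
    for address, step in audit(SAMPLE_PAGE).items():
        print(f"{address:25} visible after: {step}")
```

The at/dot step also turns ordinary prose such as "look at example dot com" into an address, which is the false-positive cost raised elsewhere in the thread.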
Give her heck!
.signature
echo "I think the Slashdot \"Offtopic\" moderation choice is completely unnecessary. " | sed -e "s/unnecessary/redundant/" >
sed 's/commun/terror/g' mccarthy > bush; sed 's/terror/saddam/g' bush > bush_wacked
TheInformationMinister.com Slashdot really needs to hire this guy. (Note: Opera seems to have a problem with the way the Flash on the site works, but Netscape or IE seem fine.) Worth seeing at least once.
I thought it came from the icky bits o' pigs?
"If, therefore, any be unhappy, let him remember that he is unhappy by reason of himself alone."
~Epictetus
To find out which sites actually sell your mail address, fill in the name of the site (or a name that is obvious enough to know on which site you filled it in) in the real name part of the form.
When you get mail addressed to Mr./Ms. Real Player then you know who is doing what with your e-mail, so far I received quite some e-mail this way, apparently the sites that actually state promises about not selling addresses seem to be doing just the opposite. More so than sites which don't state promises.
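The site-name trick in this comment and the one-off addresses described in an earlier comment can be combined into per-site aliases. The Python sketch below is an added example, not code from any commenter, and it goes one step beyond both comments by attaching a keyed tag to each alias, so that spam sent to a guessed address such as `slashdot@` is not mistaken for a leak. The secret, domain and function names are hypothetical.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: a private key only you hold
DOMAIN = "example.org"               # hypothetical domain with catch-all delivery


def _tag(label):
    """Eight hex characters of HMAC-SHA256 over the site label."""
    return hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:8]


def _label(site):
    """Reduce a site name to lowercase letters, digits and hyphens."""
    label = "".join(ch for ch in site.lower() if ch.isascii() and (ch.isalnum() or ch == "-"))
    if not label:
        raise ValueError("site name has no usable characters")
    return label


def make_alias(site):
    """One-off address to give to `site`, of the form label.tag@DOMAIN."""
    label = _label(site)
    return f"{label}.{_tag(label)}@{DOMAIN}"


def trace(recipient):
    """Return the label an alias was issued for, or None if it does not verify."""
    local, _, domain = recipient.strip().lower().rpartition("@")
    if domain != DOMAIN:
        return None
    label, _, tag = local.rpartition(".")
    if not label:
        return None  # no tag at all, e.g. a dictionary guess like sales@
    expected = _tag(label)
    # Compare as bytes so odd characters in the recipient cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return label


def leak_report(spam_recipients):
    """Count spam per issuing site; guessed or forged addresses fall under None."""
    counts = {}
    for recipient in spam_recipients:
        site = trace(recipient)
        counts[site] = counts.get(site, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed recipient list: two real aliases plus two guessed addresses.
    spam = [
        make_alias("Google Groups"),
        make_alias("Google Groups"),
        make_alias("Slashdot"),
        "sales@example.org",
        "info.zzzzzzzz@example.org",
    ]
    print(leak_report(spam))
```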
The problem with this is that sometimes the spammer will say the same thing, like "no I didn't send you the email about my amazing penis enlarging pills, but if you want to buy them click here". It is just another level spammers will shrink to.
Some of these guys think that saying this will protect them from the lawsuits they so richly deserve.
Oh and it happened to me too.
I used to have a cool sig, back when I cared
* Short e-mail addresses are easy to guess, and may receive more spam.
For further information, please contact Ari Schwartz at the Center for Democracy & Technology, 202-637-9800, ari@cdt.org.
Did anyone else find that rather funny?
Mikey-San
Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
So let's beat them with their own weapons. Sugarplum is a WWW spambot poisoner feeding them with lots of email addresses which are faked, spam traps or addresses of known spammers and spamfriendly people - collected from spam emails or experience with spamfriendly ISPs. As a motivation, a lot of spamfriendly institutions don't see the problem "spam" as serious until they get a really high dose of unwanted email per day.
My Sugarplum installation gets scanned really often. At the moment, the French superspammer Artmarket is coming back almost every day, harvesting my Sugarplum site and dumping about 100 spams each time into my spam trap box. My ratio between spam trap and spammer is 1:50, so each time Artmarket will spam about 5000 spammers.
Some German dialer operators who had a really big spam problem half a year ago are actually trying to hire people to fight against spam they are getting on their own - no wonder, their domains were about the first to be spambaited massively in Usenet newsgroups and on WWW sites. Some 419 scam gangs who spamvertise their email addresses have to change them about once a month, as they will get flooded with "counterspam", and what is worse, they rely on the availability of their email addresses to get replies from their victims - that's why they spam.
This happened to me a few weeks ago too. My inbox suddenly had an influx of delivery failure notices. I'm not sure if this is going to be hard to filter against yet as I want to see genuine notifications. There's absolutely nothing I can do about it... when I can, I report the original message to spamcop.net.
These arseholes are ruining the internet as we know it... I predict that major ISPs will eventually start blocking mail where the domain in the MAIL FROM: (and implicitly FROM: header due to the way most mail clients work) doesn't match the rDNS for the originating IP address. That will be a real pain as then I would have to use Yahoo's SMTP or web interface to use their address.
mirrorMirrors, because the graphs are quite important.
Mouse powered Chips, Open source Processors and Lego
Been there... The spam was written to bounce off my mail server, to the intended recipient list. Where it automatically replied back to the original sender. Whose mail account filled up, and his account was frozen. Then the auto-replies bounced back from the spammer's frozen account to me.
What a mess.
Fortunately, we have bogofilter for UNIX email. All the bounces, even the original went there.
Only one FSCK YOU mail to me from another victim.
- High Tech workers, please say NO to Union Carpenters, their Union sees fit to control our compensation.
Here is my mirror in case of extreme slashdotting.
Yo Taco! Drink more coffee!
This is getting to be a habit...
The spam was written to bounce off my mail server
You were running an open relay?
Hate to tell you, you're part of the problem.
This morning my local NPR station had a call-in show (I guess the RealAudio file will be up later):
We'll talk with TED GAVIN, of Spam-Con, a group that fights spam while still trying to protect the role of e-commerce, and we'll hear from BRIAN HUSEMAN, an attorney with the Federal Trade Commission, about what few tools the Federal Government has to fight spam.
I only heard part of the show, but one of the callers was a spammer who claimed to be virtuous because she only purchased "opt-in" addresses, and she was complaining that the spam filters were preventing her spam from getting through. And Ted Gavin (I think it was) bought this and ended up calling her a "responsible marketer" who was an unintended victim of the anti-spam tools.
I wanted to call and point out that (a) those people on the opt-in lists probably opted in under some deceptive scheme and aren't aware they opted in, and (b) If they are using an anti-spam tool, then THEY CHANGED THEIR MIND!!!
Ok, I am not a coder, so don't flame me much. I am just curious about something. People write programs that hunt through the entire web, parse the pages, and find email to record for spam. This does not seem easy to me. So, why are there not effective, aggressive counter measures? It seems to me there is a vast and bright talent pool on slashdot. Why are there not programs that spam the spammers with email addresses or something like that? Take the fight to them. In the old west, there was no law until the people stopped helplessly looking around and saying why me? My two cents, -Iowa
"He who laughs last, didn't get the joke."-Cap
Heh...
Before the days when SPAM was a big problem, my Mom already didn't like getting physical "junk mail" through the USPS. She knew different organizations were selling and trading her address, but she decided to track it to see who was passing what info. She started using false middle initials when she subscribed to magazines, bought things from catalogs, etc.
So when she subscribed to Cosmopolitan (I know, but it was the 70s and she's a woman. What can you do?), she used the name "June C Cleaver" (well, except that I've replaced my Mom's real name with "June Cleaver" here to protect Mom's privacy). When she subscribed to Games, it was "June G Cleaver," and so on.
When she would call some magazine or other company to demand to know why they had sold her address to others, their denials were quickly slapped down when she revealed that "C" or "G" or whatever wasn't her real middle initial and she had used the fake initial to determine who was selling or passing her address to whom.
My Mom rules.
--Mark
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
Other Weaknesses:
No incremental cost to Spammer. Paying postage is what keeps paper junk mail in check, somewhat.
Too easy to forge headers. This strikes me as fraud, pure and simple. Legislation and enforcement should concentrate on this.
Open Relays (read: ignorant third parties). Pick your RBL.
I know I have seen something like this but does anyone know if work has been done on a spam trap that displays random bogus addresses for the crawlers (web component) to reap while making a blacklist of servers (SMTP server component) that actually mail to these bogus addresses?
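The trap described in the comment above (bogus addresses handed to crawlers, plus a blacklist of servers that later mail them), sketched as an added example that is not part of the original thread: each served address carries the crawler's IP and the day under a keyed MAC, the same idea as the false middle initial used earlier in the thread. The secret, the trap.example domain, the address layout and the threshold are assumptions.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

SECRET = b"constructed-demo-key"   # assumption: per-site secret, never published
TRAP_DOMAIN = "trap.example"       # assumption: domain that receives only trap mail


def _tag(payload: str) -> str:
    """Short keyed MAC so outsiders cannot forge or alter trap addresses."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:12]


def make_trap_address(crawler_ip: str, day: int) -> str:
    """Web side: address shown to one crawler visit (who fetched the page, and when)."""
    ip_hex = f"{int(ipaddress.IPv4Address(crawler_ip)):08x}"
    payload = f"{ip_hex}{day:05d}"          # 8 hex digits + 5-digit day number
    return f"t{payload}{_tag(payload)}@{TRAP_DOMAIN}"


def decode_trap_address(rcpt: str):
    """SMTP side: return (crawler_ip, day) for a genuine trap address, else None."""
    local, _, domain = rcpt.lower().partition("@")
    if domain != TRAP_DOMAIN or len(local) != 26 or not local.startswith("t"):
        return None
    payload, tag = local[1:14], local[14:]
    if not hmac.compare_digest(tag, _tag(payload)):
        return None                         # guessed or modified address
    return str(ipaddress.IPv4Address(int(payload[:8], 16))), int(payload[8:])


def build_blocklist(deliveries, threshold=2):
    """deliveries: (sending_server_ip, rcpt) pairs seen by the SMTP component.
    Returns servers that mailed at least `threshold` distinct genuine trap
    addresses, mapped to the crawler IPs whose harvests they used."""
    hits = defaultdict(set)
    sources = defaultdict(set)
    for server_ip, rcpt in deliveries:
        decoded = decode_trap_address(rcpt)
        if decoded is None:
            continue                        # ordinary mail or a forged look-alike
        hits[server_ip].add(rcpt.lower())
        sources[server_ip].add(decoded[0])
    return {s: sorted(sources[s]) for s, r in hits.items() if len(r) >= threshold}


# Constructed sample: three crawler visits, then mail arriving at the trap domain.
A1 = make_trap_address("198.51.100.7", 12165)
A2 = make_trap_address("198.51.100.7", 12166)
A3 = make_trap_address("203.0.113.50", 12166)
DELIVERIES = [
    ("192.0.2.25", A1), ("192.0.2.25", A2), ("192.0.2.25", A3),
    ("192.0.2.99", A3),                                   # one hit: below threshold
    ("192.0.2.99", "t" + "0" * 25 + "@" + TRAP_DOMAIN),   # forged, MAC check fails
    ("192.0.2.77", "alice@example.org"),                  # not a trap address
]

if __name__ == "__main__":
    print(build_blocklist(DELIVERIES))
```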
.... Spam Fairy!!!
Jaysyn
There is a war going on for your mind.
.. on Slashdot. I made a throw-away address and set it to my profile here. Then, I disabled the 'Spam Armor Plating'. Sure enough, within a couple of posts I had unsolicited mail coming in.
The bizarre thing was that one of the messages I got was for a volunteer FireFighter meeting in California. I'm in Oregon. Heh.
I want email to work like ICQ. I want to have an authorization list. When somebody contacts me, they have to request permission first. Right now, I'm manually doing that.
"Derp de derp."
Works for me, anyhow.
The Department of Democracy and Technology? Shouldn't that be Democracy of Technology?
I was reading those lines, copying it over to post it, and saw your posting, so posting it again would be really redundant, but it is indeed pretty funny, and that poor Ari is receiving his 100 penis enlargement offers a day really soon I guess ;)
Never underestimate the relief of true separation of Religion and State.
When an inedible piece of meat and a can love each other, they make spam.
If you are concerned (angry, assigning blame, whatever) about spam through open relays and open proxies you might like to know how they find the systems to abuse. If you are concerned and know how they do it you could do something to make it harder for them.
Do you realize how much money they make?! Mailmen/women make GOOD money considering that it's unskilled labor. Hell, the average mail courier makes $15/hr or more in a backwater place such as Little Rock, Arkansas. You know, we're all barefoot here....
Good grief, moderator. It's not Interesting, it's Funny. RTFC.
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Maybe they should take their own pills and rise to the occasion instead :-)
I think a much better, and more truth revealing, study would be to find out the statistics on the spammer's own email habits.
Among others, some simple stats:
* How many email accounts do they own
* How much spam do they receive per day
* How much of it do they actually bother to read and not just immediately delete
* How often do they use bogus email address when filling out forms
But, more importantly:
* What have they done to opt-out of receiving mail from lists
* What filters/blocks do they implement and why when it is such a good legitimate business
* What are their opinions on spammers vs. telemarketers
WPoison
Lacking <sarcasm> tags,
...well, shoot, don't want to gum it up worse, guess we should switch to Plan B, which includes but is not limited to the following dependencies
louisville slugger
black ski mask
rubber gloves
fake license plates
earl scheib paint any car for xx.99$ (whatever it is now)
oh well, probably we'll see more jurisdictions making fake headers illegal, then they start to get taken down one after another. That would sure help and seems to be the main problem. I wish all the ISPs would just DO that now. If it gets to the point of blocking top level domains from offshore I honestly don't care, eventually those nations will get hip that having spammers coming from there gets them booted off the ole intarweb, the authorities there will then have enough clues on how to deal with it. Doubt it would take more than a week or two once some nation realises that spam costs, it doesn't pay.
Me personally I get so little spam (down to just a half dozen or so a day) that it doesn't matter, just wondering what would work that is not so complicated and involved as all this other stuff proposed. I don't run a server so can't run any spam honeypot traps to help out.
comic book guy --> best_reply_ever!
sorry man, shoulda checked first!
You might well wonder where the white dog shit went.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Several years ago I set up a spam account, spamforchris@yahoo.com. Every time that I register for a web site, register software, subscribe to a newsletter, etc, I use the spam account. And when I give a friend or family member my personal email address, I ask that they do not include me in their chain-emails. I have had less than 20 spam messages in any of my real email accounts since college.
Moral: If you are careless with your email address, expect spam.
Simple people talk of people, better people talk of events, great people talk of ideas.
"Slashdot needs a new story topic: Dupes! Suggestions"
That's a job for the Department of
Redundancy Department.
I was at least hoping that this dupe they had found a way to get my name OFF the spam lists...now THAT would be news.
Denver Isuzu Suzuki
I'm using POPFile at home to filter mail to 4 POP accounts, one of which is flooded with as many as 100 pieces of spam per day (my Hotmail account, of course). It uses Bayesian filtering to learn what spam looks like, neatly handling the various tricks spammers use.
So far, on more than ten thousand messages it's been better than 99.8% effective.
Of course, this isn't a solution, since I'm still paying something like $8 a month for the privilege of receiving all this crap in the first place.
an easy way to display an e-mail address on a web page without worrying about spam robots now, or spam robots in the future that will look for "at"s and "dot"s and encoded html chars and whatever else:
instead of text, insert a bitmapped image of the text showing the address. small downside that a user won't be able to cut and paste it, but you can't do that with "at"/"dot" anyways.
yay bitmaps.
Does anybody know of any good filters to block "dictionary" (brute force) attacks on an SMTP server?
Could be on application level (like Postfix) or at firewall level. I guess there's a solution out there, but Googling didn't help me this time.
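One way to spot the dictionary attack asked about above, as an added example that is not part of the original thread: count distinct unknown recipients rejected per client IP within a sliding window. The log lines are constructed in the shape of Postfix's "User unknown" rejects; the window, threshold and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches an smtpd reject for a recipient that does not exist locally.
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550(?: 5\.1\.1)? <(?P<rcpt>[^>]*)>: "
    r"Recipient address rejected: User unknown"
)


def find_dictionary_attackers(lines, window=timedelta(minutes=5),
                              max_unknown=5, year=2003):
    """Return {client_ip: peak number of distinct unknown recipients seen in any
    window} for clients whose peak exceeds max_unknown. syslog timestamps carry
    no year, so the caller supplies one."""
    recent = defaultdict(deque)   # ip -> (time, rcpt) entries still inside the window
    peak = defaultdict(int)
    for line in lines:
        m = REJECT.match(line)
        if not m:
            continue              # connects, deliveries, other reject reasons
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append((t, m["rcpt"].lower()))
        while q and t - q[0][0] > window:
            q.popleft()
        # Distinct addresses, so one sender retrying a single typo is not flagged.
        peak[m["ip"]] = max(peak[m["ip"]], len({r for _, r in q}))
    return {ip: n for ip, n in peak.items() if n > max_unknown}


def sample_line(sec, ip, rcpt):
    """Build one constructed log line (not taken from a real server)."""
    return (f"Apr 23 19:25:{sec:02d} mx postfix/smtpd[2101]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
            f"rejected: User unknown in local recipient table; "
            f"from=<> to=<{rcpt}> proto=SMTP helo=<pc>")


GUESSES = ["aaron", "abby", "adam", "al", "alan", "alex", "alice", "amy"]
SAMPLE = (
    [sample_line(i, "203.0.113.9", f"{name}@example.org")
     for i, name in enumerate(GUESSES)]                      # alphabetical guessing
    + [sample_line(30, "198.51.100.4", "jon@example.org"),   # a correspondent's typo
       sample_line(31, "198.51.100.4", "jon@example.org")]   # same address retried
    + ["Apr 23 19:25:40 mx postfix/smtpd[2101]: connect from unknown[192.0.2.8]"]
)

if __name__ == "__main__":
    print(find_dictionary_attackers(SAMPLE))
```

The returned addresses are candidates for a firewall or MTA-level block; where the sample's single-typo sender shows up in real logs is what the distinct-recipient count is meant to leave alone.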
DMCA regulates something that is strictly my own business, like do I watch my DVD under Windows or under Linux? If you send spam, you are making it a million people's business.
I tend to talk to people I know on the phone and just check my e-mail once per week to see if anyone sent a message about my programs. Even if you are right, I have to sit for 14 minutes doing nothing except deciding which messages with "Hi, Oleg" subject to open. And I deleted quite a few legitimate messages because I didn't recognize the address.
By the same token, if I went to sleep at 4am I won't want to have a chat with a telemarketer at 9. So I end up turning off my phone until I wake up and possibly missing calls from friends. And I don't want my physical mailbox to overflow just because I went on a one week trip during the holiday season. But spam is definitely the worst.
Communication between people is good. I should be able to publish my postal address, my phone number and my e-mail on the web and invite people to contact me if they looked at my stuff and want to chat. Remember when shareware came with a README file with all kind of contact information to send $15? I actually got a few nice snail mail letters with checks.
Spam has destroyed our ability for this kind of casual communication. People sending it or selling the products advertised make very little money compared to the value of our time or forced changes in our behaviour. It's time to stop them using technological, political or cultural methods, whatever works best.
So according to the article, HTML-encoding the email addresses on your web pages can keep them from being harvested by spammers. E-Cloaker is a nice little free utility to do this for you.
It was difficult to handle the image without actually looking at it. I figure I'm now qualified for hazmat duties and possibly archiving the necronomicon.
The goatse guy is ideally qualified for the position, don't you think?
Iraqi Information Minister
No, seriously. I used to frequent this site EVERY DAY, MULTIPLE TIMES A DAY a couple years ago. Now I'm lucky if I hit the frontpage once a month.
Why did I leave? The editors are a fucking joke. how many submissions weren't even proofread for spelling? How many stories get posted twice or three times? How many complaints have been posted?
Nice to see that absolutely nothing has changed in the three years since I left. Shit, we're still using this ugly webpage design from, what, 5 years ago? What the hell have they been doing all this time?
I think the two worst traits of people have to be laziness and arrogance. The editors seem to have plenty of both traits.
At least they finally removed Old Man Murray from the "quick links" box. And it only took them 2 years to figure out that the site went down.
Who else thinks we need to send in THOUSANDS of applications for that job. What do you know - my cat needs a job!
Then I am going to call her in about 85 days to verify that they kept his resume on file.
I have great faith in fools - self confidence my friends call it. - Edgar Allan Poe
...then watched what accumulated after six months
If they asked me I would have told them.
Interesting. You break it up and sort of fake a domain in between. The only drawback I see is requiring scripts enabled.
< P><A HREF="'
If you're going that far, why not play with string variables to at least get rid of the _'//_? It'll fake the address COMPLETELY. Using substring(), just use the valid parts.
(modifying your code)
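<script LANGUAGE="Javascript">
// The real address never appears as one literal string; it is assembled at run time.
var goodDom = "realdomain";
var fakeDom = "mailto:chad6107@spambait.org";
document.write('<P><A HREF="'
+ fakeDom.substring(0,16)   // "mailto:chad6107@"
+ goodDom
+ fakeDom.substring(24,28)  // ".org"
+ '"><IMG BORDER="0" WIDTH="14" HEIGHT="10" SRC="images/mailto.gif">'
+ 'Mail us!</A></P>');
// On the next line everything after // is a JavaScript comment; only a parser that ignores the script sees that link.
document.writeln('<P><A HREF="'//http://www.spambait.com">javascript error!</A>
+ 'contacts.html">Family Addresses and Links'
+ '</A></P>');
</SCRIPT>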
Oh well,
so much for me calling myself lazy...
This is not my sig.
Most address grabber tools do not write their own web browser/html interpreter. They simply link using IE's APIs, so anything IE can decode / unobfuscate, so can most email harvesters. The best solution is to not post email addresses on the web.
When the spammers finally do teach their bots to recognize the increasingly common "myname at domain dot com" techniques or the masking tricks, we will still have another method of defense: dispensing with text for listing email addresses. We can avoid detection by posting the names in graphic form, inserting a GIF of the email inline with the rest of the page's text.
If the spammers ever respond with OCR, we could hold them at bay (where practicable) with slightly distorted text in the gif, like what you see in the PayPal registration screen.
Net Global Mktg. (323) 871-2000
6464 W Sunset Blvd, Los Angeles, CA 90028
How the hell is this informative? You left out "information" like the spamload already doubling every three months BY ITSELF. Like personal messages ALREADY BEING LOST in the noise. Like the fact that spammers ALREADY have HUGE lists of invalid addresses that they don't bother/cannot check and don't care about the bounces!
Like it or not, there is going to be some collateral damage in this battle. You must be one of those peacenik types that find damage inflicted by the spammers acceptable, but not damage inflicted by retaliation.
People like you -- those who do nothing -- are a part of the problem.
I feel compelled to share this with you. It's absolutely beyond any form of explanation.
SPAM Green is people!
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
What I want to see is a study explaining who is buying stuff from spammers.
hi!
;)
...
:(
if we take the web-email idea down a level, we could get rid of spam (maybe).
idea:
[A] wants to send an email. [A] server sends a request to test@nospam.org.server [B].
[B] checks his email and sees a request from [A] to send him an email.
if he chooses YES his SMTP server sends a request back (just like a bit or so).
The server from [A] was waiting (yes?) and so [B] gets a real email from [A].
of course no is no
now if it works once just (i don't know) hook up [B] smtp server to a database, and future emails from [A] will get through.
[B] email server is set up to block EVERYTHING! unless it's in the database or he actually lets it through.
[A] server is something like web-email. go fetch.
something like that
too bad i don't know any perl
-
7:25 PM 4/23/2003
Argh! I click on this story on the right hand side of the main page (because I only read /. once a day, so half the new stories are off on the right margin). It sounds interesting -- "Where Does Spam Come From?". What could it be -- a case study of a spammer? An analysis of SMTP traffic, a breakdown of which countries send the most, or a review of tools and tricks used by spammers to work around the fact that there aren't as many open relays these days?
No! Sorry, Greg, thanks for reading -- it's just a list of ways that people harvest addresses from web sites.
Gee, thanks for nothing. I know they have my e-mail address! Here it is again, for all the spammers that couldn't find it: greg@wooledge.org. I don't hide it. I'd like to go back to the 1990 Internet where I didn't have to hide it. I refuse to stick my head in the sand to try to hide from the spammers. Munged addresses are worse than spam.
What I'd really like to see would be something a bit more useful, and less trivial, like the recent Stopping Rumpelstiltskin Attacks (these are particularly vicious against qmail, since qmail-smtpd doesn't look up local users during the SMTP conversation; it accepts all messages to the domain, and then if they aren't valid during delivery, they're supposed to bounce -- guess what, they can't bounce, so they go to postmaster -- me). Or how to work around spam that comes to me as postmaster when someone uses a bogus user address in my domain as the envelope sender address when they're spamming someone else (illustration: spammer A sends a message to luser B but puts randomname@wooledge.org as the envelope sender. B accepts it because wooledge.org is a valid domain, but then when it's not deliverable, it tries to bounce it to randomname@wooledge.org, which my MTA of course accepts, but can't deliver, so the fucking thing ends up in my mail box, with about 3 levels of error messages prepended to it. Fortunately, spam is almost always HTML these days, so I'd actually have to exert effort to read through the markup.)
Why do some companies rely on spam to advertise their products ?
It's hard to believe that some user will really buy something of these.
Maybe this is the root of the problem, and solution could be to make clear to them that this marketing strategy is useless.
wah wah wah, my life is fucking worthless now because you guys posted something that had previously existed. I might as well go fucking kill myself now because you've rendered my life worthless.
I'm certain most slashdot readers can whip up their own (and there is probably a better way), but here is a quick script which will HTML encode all the email addresses in a file.
#!/usr/local/bin/perl -pi.bak
# Runs once per input line (-p) and edits the file in place, keeping a .bak copy (-i.bak).
# Loop while the line still holds an address whose domain is in plain text.
while( m/(\@|\&\#0?64;)([\w-\.]+)(\.|\&\#0?46;)(com|org|net|gov)/ ){
    my $x = encode($2);   # domain name
    my $y = encode($4);   # top-level domain
    s/(\@|\&\#0?64;)([\w-\.]+)(\.|\&\#0?46;)(com|org|net|gov)/\&\#064;$x\&\#046;$y /;
}
# Turn every character of the argument into a decimal HTML entity.
sub encode {
    my $str = shift;
    my @str = split(//, $str );
    foreach my $c (@str){
        $c = sprintf( "\&\#%03d\;", ord($c));
    }
    return join('', @str);
}
They are far too clever and resourceful to ever be fully stopped.