Where Does Spam Come From? No, Really?
jnazario writes "The Center for Democracy and Technology has recently put together a really neat paper studying the methods by which spammers get your email addresses. The report posted otherwise unused email addresses in a variety of locations, using different techniques for visibility (i.e. HTML encoding vs. plaintext) and then watched what accumulated after six months. They generated some interesting results into the methods by which spammers can track you (with publicly available websites containing your bare email address being the most popular method) and even some techniques to stop spam, such as HTML encoding your email address. A very interesting read."
... is that slashdot only posts 10-15 stories a day. Some days we see two or three dupes so maybe over time that averages out to a little less than a story a day.
What I find impossible to believe is that out of all the submissions that enter into the possible queue these are the ones that stick out so well they end up getting posted. That almost 9% of the time we see the same article get put up.
Think of it this way, if your department at your company, hell if your company, messed up 9% of the time what would happen to you? In the case of slashdot nothing happens because no one is accountable and anytime anything shoddy happens everyone clamors about with "it's rob's personal site!@#!@#!@ he can post whatever he wants!@#". Except that isn't the case anymore and hasn't been for years. This is a FOR-PROFIT site with readers who create the value, yet time and time again we are shown and told (Hi Michael!) how little we are valued or mean to the staff at slashdot. Answer me this Rob, do you care so little about your creation now? Where is your sense of pride?
Unfortunately just departing is a hard thing to do because of the absolute power in the meme of "/.". It is a lot like CNN, you know the news sucks, you know it is biased, but it is always there so in a moment of weakness you give in.
--- I do not moderate.
This battle for email addresses will 'never' end. In order to use an email address, you need to publicize its existence. There lies the weakness that spammers exploit.
Even the HTML encoding of addresses can not stand up to this exploitation. When scouring a website for addresses, everyone knows you look for all occurrences of '@' in the source. Encoding it with HTML merely substitutes one search character with the short string '&#64;'.
Probably the best defense is to randomly insert undisplayed '@'s and '&#64;'s all over the place within a webpage. That way, there would be too many false positives for them to work out. People are lazy and won't bother with such garbage. The irony of this would be that spammers would need to use anti-anti spamming filters. Then we'd need anti-anti-anti filters, etc.
Like I said, as long as addresses are advertised, this battle will 'never' end.
This is not my sig.
Problem is, the spammer probably isn't getting bounce messages. They fake a reply-to or stick in someone else's address, so all the error messages go to /dev/null or some innocent person's mailbox.
There are a bunch of scripts out there that will do what you are looking for. To wit:
Sugarplum: SPAM poison
Searches for stuff like "spam harvest poison script" should turn up more. There are also honeypots and tarpits designed to mire SPAMmers attempts to pump out spam by acting like an open relay, but sending back fake success messages with delays to slow down their progress.
The thing that gets me is that SPAMmers know everyone hates them, and they do all this underhanded harvesting, address spoofing, attempts to get around filtering, etc. If they would simply put "ADV:" at the start of their message header, we could all set up filters and not get so annoyed. I know since my annoyance level has increased I report each and every SPAM I get via SpamCop, and cackle with delight when I see their websites shut down in short order.
Considering that the vast majority of us don't pay for slashdot and read it on a regular basis, Y'all do a hell of a lot of bitching about it.
I swear it's like listening to people bitching about how bad Reality TV is, then scurry home in mortal terror of missing Fear Factor.
"By contrast, she said, '70 million people have bad credit. Guess what? Now I can't get mail through to them to help them.'"
Tough luck. I pay for my Internet connection, you have no right to cost me money. Do telemarketers call collect? Does the postman demand cash for delivering me mail? No. Why the hell should I let you run a business at my expense?
Kjella
Live today, because you never know what tomorrow brings
Nice...
"The legislation introduced recently in the Senate would try to make many practices used by spammers illegal. It would force commercial e-mail to identify the true sender, have an accurate subject line and offer recipients easy removal from marketing lists. And it would impose fines for violators.
For her part, e-mail marketer Sachs says that any such move will only end up making it harder to run a legitimate business."
So Ms. Sachs, tell me, what kind of "legitimate business" necessitates hiding the true sender of those email?
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
But none of the addresses that were obscured, whether in "human-readable" or "HTML-obscured" form, received a single piece of spam, leading us to conclude that e-mail address "harvesters" are not presently capable of collecting such addresses. While this may change as time passes and technology develops, for the time being it appears that obscuring an e-mail address is an effective means of avoiding spam.
It's not that the harvesters can't figure out obscured email addresses. Searching for the @ sign isn't that much easier than searching for the HTML equivalent. I think the reason obscured addresses don't get spam is this:
The spammers realize that anyone smart enough to obscure is someone who hates spam really bad. Obviously someone like that isn't going to be an easy sell, and may already be filtering for spam. What's the point in targeting that demographic? Waste of time.
That is why you should obscure your addresses.
Perhaps, perhaps not... The 'blah at blah dot com' is a real easy one to fix in a spider (at=@, dot=., you're done), but there are quite a few ways to do it that are either human-parseable only, or require a LOT of coding...
F0r 15stanc3, rand0m numb3r/l3++3r r3p1ac3m3n+ ki115 dic+ionary program5.
rO, er-ev-sr-e ve-re-y ap-ri fo el-tt-re-s (reverse every pair of letters... include human readable directions, and you're set)
Some of the set ones we see on slashdot - bob@hotmailBOHR.com remove physicist, etc.
Computers are great at quick calculations... but even untrained humans can do pattern recognition many millions of times faster and better (hence the reason face-recognition technology is so primitive).
-T
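The two comments above argue from opposite sides: one says a harvester only has to search for '@' and '&#64;', the other says "blah at blah dot com" is "real easy to fix in a spider" while tricks that need human instructions are not. The following is an added example, not code from the CDT study or from any poster, of a toy harvester that does exactly those two cheap things and is then run over a constructed page containing every variant mentioned in the thread. The regexes, the sample page, the decoy addresses and the `harvest` function are all assumptions made for the example.

```python
"""Toy address harvester (added example; not the CDT study's code).

It undoes the two cheap defenses discussed in the thread: HTML entity
encoding of '@' and '.', and the spelled-out "user at host dot tld" form.
Decoys planted in hidden markup are collected just like real addresses,
which is the "false positives" poisoning idea from the same thread.
"""
import html
import re

# Assumed, deliberately simple address pattern (a real harvester is looser).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _sep(word: str) -> str:
    """Regex for a spelled-out separator: ' at ', '[at]', '(dot)', '{dot}'..."""
    return rf"(?:\s+{word}\s+|\s*[\[\(\{{<]\s*{word}\s*[\]\)\}}>]\s*)"


# "user at host dot tld" with any mix of bare or bracketed separators.
SPELLED_RE = re.compile(
    rf"([A-Za-z0-9._%+-]+){_sep('at')}"
    rf"([A-Za-z0-9-]+(?:{_sep('dot')}[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)
DOT_SUB = re.compile(_sep("dot"), re.IGNORECASE)


def harvest(page: str) -> "set[str]":
    """Return every address the toy harvester pulls out of HTML source."""
    # 1. Undo entity encoding: &#64;, &#x40; and &commat; all become '@',
    #    &#46; becomes '.', so encoded forms are no harder than plain text.
    text = html.unescape(page)
    found = set(ADDR_RE.findall(text))
    # 2. Rewrite "erin at example dot com" into erin@example.com
    #    (the "at=@, dot=., you're done" fix from the thread).
    for local, domain in SPELLED_RE.findall(text):
        found.add(f"{local}@{DOT_SUB.sub('.', domain)}")
    return found


# Constructed sample page (not from the CDT study); one variant per line.
SAMPLE_PAGE = """
<p>plain: alice@example.com</p>
<p>decimal entities: bob&#64;example&#46;com</p>
<p>hex entity: carol&#x40;example.com</p>
<p>named entity: dave&commat;example.com</p>
<p>spelled out: erin at example dot com</p>
<p>bracketed: frank [at] example [dot] co [dot] uk</p>
<p>leet: gr4c3 @ 3x4mpl3 d0t c0m</p>
<p>needs a human: heidi@hotmailBOHR.com (remove physicist)</p>
<!-- decoy planted by the site owner: poison1@decoy.example -->
<span style="display:none">poison2@decoy.example</span>
"""

if __name__ == "__main__":
    for addr in sorted(harvest(SAMPLE_PAGE)):
        print(addr)
```

Running it shows the point both comments make: every entity-encoded and spelled-out address comes out as a clean, usable address, the leetspeak line yields nothing, the "remove physicist" address is harvested but useless, and the two planted decoys are indistinguishable from real addresses, so a page salted with enough of them costs the spammer bounces and list quality.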
To find out which sites actually sell your mail address, fill in the name of the site (or a name that is obvious enough to know on which site you filled it in) in the real name part of the form.
When you get mail addressed to Mr./Ms. Real Player then you know who is doing what with your e-mail. So far I received quite some e-mail this way; apparently the sites that actually state promises about not selling addresses seem to be doing just the opposite. More so than sites which don't state promises.
Sometimes I wonder if the novelty has worn off for the admins and they just really don't care anymore. Sad, because some people would give their left foot for a chance to run the show.
I'm now convinced this is the case. If Rob and crew don't even bother to read the headlines on their site, then maybe they should remove themselves from the day-to-day and focus on the backend. At one point in the distant past, Rob and Neal lent some personal flavor to slashdot, I'm not sure that's the case anymore.
This morning my local NPR station had a call-in show (I guess the RealAudio file will be up later):
We'll talk with TED GAVIN, of Spam-Con, a group that fights Spam while still trying to protect the role of e-commerce, and we'll hear from BRIAN HUSEMAN, an attorney with the Federal Trade Commission, about what few tools the Federal Government has to fight spam.
I only heard part of the show, but one of the callers was a spammer who claimed to be virtuous because she only purchased "opt-in" addresses, and she was complaining that the spam filters were preventing her spam from getting through. And Ted Gavin (I think it was) bought this and ended up calling her a "responsible marketer" who was an unintended victim of the anti-spam tools.
I wanted to call and point out that (a) those people on the opt-in lists probably opted in under some deceptive scheme and aren't aware they opted in, and (b) If they are using an anti-spam tool, then THEY CHANGED THEIR MIND!!!
except that the other articles were posted by Cowboy Neal and Michael, respectively.
In any case, part of the problem is that in reading the submissions they will undoubtedly see the same story many times, so a link would show as visited if you'd scanned through a bunch of those, published or not. The same goes for just trusting your memory; there must be a serious deja-vu problem. But there's no fucking excuse at all for such unprofessionalism. Just type "spam" into the search box on the Slashdot front page and you see the earlier stories (along with both "AOL sues spammers" of a few days ago). More specifically, typing in "cdt.org" shows all three dupes at the top of the list.
I can't think of any explanation except serious drug abuse in the workplace.
When the spammers finally do teach their bots to recognize the increasingly common "myname at domain dot com" techniques or the masking tricks, we will still have another method of defense: dispensing with text for listing email addresses. We can avoid detection by posting the names in graphic form, inserting a GIF of the email inline with the rest of the page's text.
If the spammers ever respond with OCR, we could hold them at bay (where practicable) with slightly distorted text in the gif, like what you see in the PayPal registration screen.