Slashdot Mirror
Where Does Spam Come From? No, Really?
jnazario writes "The Center for Democracy and Technology has recently put together a really neat paper studying the methods by which spammers get your email addresses. The report posted otherwise unused email addresses in a variety of locations, using different techniques for visibility (ie HTML encoding vs plaintext) and then watched what accumulated after six months. They generated some interesting results into the methods by which spammers can track you (with publicly available websites containing your bare email address being the most popular method) and even some techniques to stop spam, such as HTML encoding your email address. A very interesting read."
From those damn Spamers I'd guess.
:)
No wait, better - it comes from those companies who profit from the utilisation of bandwidth. People who sell email servers marketed as coping with massive volumes of email too. Oh, and lets not forget the people spam filters!
Cynical? Me?
But what explains the amazing spectrum of sources?
Even with a black-list implementation, spam has been through the roof lately, almost too much to keep up with submitting even.
Maybe SlashCode should be set up to look through the links for the past X days/months/whatever and see if there are any duplicate links. Then it could bring up a little warning saying that the link has already been posted so somebody can do a quick check. It wouldn't keep all of the dupes out but it'd help. Of course, thats a rough idea and I'm not going to code it... dupes don't bother me all that much...
I liked the quote from AOL: America Online says the amount of spam aimed at its 35 million customers has doubled since the year started and now approaches 2 billion messages a day, more than 70 percent of the mail its users receive. I make that 2000 spam messages per user per day! (even if you use the American Billion, and not the British).
Thank god for ISP filters, I don't quite feel so bad about the 20 or so I get per day now. (not that I use AOL, so I don't know if those spams get through to their users).
I've been creating one-off email addresses for pretty much anything that requires an email address for almost a year now. At this moment, I have almost a hundred email addresses made specifically for anything ranging from Slashdot to job-sites to mailinglists. So far, the only addresses that generated any spam at all have been de one I used for Google Groups (well, DUH) and one that was published on a website in plain HTML. All the other ones, so far, have not generated a _single_ spam email. All in all, it seems like the companies and websites that require you to give them your email really do keep it confidential.
He who laughs last, thinks slowest.
Home of SPAM
The problem with this is that sometimes the spammer will say the same thing. like "no I didn't send you the email about my amzing penis enlarging pills, but if you want to by them click here". It is just another level spammers will shrink to.
Some of these guys think that saying this will protect them from the lawsuits they so richly deserve.
Oh and it happend to me too.
I used to have a cool sig, back when I cared
Ok, I am not a coder, so don't flame me much. I am just curious about something. People write programs that hunt through the entire web, parse the pages, and find email to record for spam. This does not seem easy to me. So, why are there not effective, agressive counter measures? It seems to me there is a vast and bright talent pool on slashdot. Why are there not programs that spam the spamers with email adresses or something like that? Take the fight to them. In the old west, there was no law until the people stopped helplessly looking around and saying why me? My two cents, -Iowa
"He who laughs last, didn't get the joke."-Cap
Heh...
Before the days when SPAM was a big problem, my Mom already didn't like getting physical "junk mail" through the USPS. She knew different organizations were selling and trading her address, but she decided to track it to see who was passing what info. She started using false middle initials when she subscribed to magazines, bought things from catalogs, etc.
So when she subscribed to Cosmopolitan (I know, but it was the 70s and she's a woman. What can you do?), she used the name "June C Cleaver" (well, except that I've replaced my Mom's real name with "June Cleaver" here to protect Mom's privacy). When she subscribed to Games, it was "June G Cleaver," and so on.
When she would call some magazine or other company to demand to know why they had sold her address to others, their denials were quickly slapped down when she revealed that "C" or "G" or whatever wasn't her real middle initial and she had used the fake initial to determine who was selling or passing her address to whom.
My Mom rules.
--Mark
"It is nice to know that the computer understands the problem. But I would like to understand it too." --Eugene Wigner
Seems to be the case. Her's a reply to an email I sent Malda a few weeks ago:
The answer to spam is to automatically load whatever site is spamvertised. I cannot believe that noone has written a prog to do this yet. It only would take a few cable users to bring the avg. spamsite to its knees -- and UNABLE to accept any orders, legit or otherwise.
By the way it would not be DDOS. The email is BEGGING us to hit the site. So let's hit the site.
As a precaution, the prog would have to strip any identifying information out of the URL -- and hopefully replace it with gibberish (THANK YUO spammers for giving us access to your email database).
ROBOGUN
I think they should be eligible for a snail mail DOS.
Net Global Marketing Inc.
18375 Ventura Blvd
Suite 326
Tarzana, CA 91356
USA
3238459660
2069841344
aahdoot@yahoo.com
If you are concerned (angry, assigning blame, whatever) about spam through open relays and open proxies you might like to know how they find the systems to abuse. If you are concerned and know how they do it you could do something to make it harder for them.
I noticed that idea on an earlier post. It looks helpful, but I see three 'flaws':
- It would be useless for text-only browsers.
- Loss of 'send me email' automation.
- The address is still being publicized.
On the first point, one can argue that there are very few people visiting websites that use text-only browsers. That may be the case but, that logic can be extended to advocating HTML that works only for IE and screw the minority browser users - which is a rather unpopular view onOn the second point, people misspell - often. And sometimes accounts are named rather oddly. The loss of automation functionality may be a big loss, depending on who's talking.
On the last point, using an image still publicizes the address. It may be much harder to extract the embedded text, but easy/moderate image processing is capable of shape recognition. The use of images reminds me of one-way functions such as the one used in RSA encryption: it's way easy to generate a product while it's practically impossible to factor the product. In this case, it's way easy for the user to visually read while it's way hard for the computer to read. This also reminds me, you'd also exclude blind people.
All this aside, I would like to mention that the use of images in this context is a VERY good idea for general use. If everyone were to create unique images for email addresses, then it would be impossible for spammers to grab addresses in an automated fashion.
Again, it's a good idea but I'm lazy and, for now, the payoff isn't as great as just using the HTML encoding. Once that technique starts getting noticed, then I would look into the use of images.
This is not my sig.
On a related note:
I currently am suffering from somebody pulling a joe-job on an account at my company. Somebody is sending out e-mail ads for a penile enlargement scheme and forging one of our addresses as the sender.
Legally, where would I stand if I started scripting 1000 e-mail complaints a day to the advertiser?
I wonder...
Hot Damn! It's the Soggy Bottom Boys!
The problem with this method is that bulk spammers also send to all possible names@domain.com hoping to get a few through.
:-)
I use a similar method, but without the wildcard address. I specifically add the address(s) to the forward list [yes, zoneedit also lets you do that]... Just be sure to be rfc compliant... {postmaster, abuse, etc to forward to your ISP box as well}
--
Time is on my side
I'm using POPFile at home to filter mail to 4 POP accounts, one of which is flooded with as many as 100 pieces of spam per day (my Hotmail account, of course). It uses Bayesian filtering to learn what spam looks like, neatly handling the various tricks spammers use.
So far, on more than ten thousand messages its been better than 99.8% effective.
Of course, this isn't a solution, since I'm still paying something like $8 a month for the priviledge of receiving all this crap in the first place.
Does anybody know of any good filters to block "dictionary" (brute force) attacks on an SMTP server?
Could be on application level (like Postfix) or at firewall level. I guess there's a solution out there, but Googling didn't help me this time.
DMCA regulates something that is strictly my own business, like do I watch my DVD under Windows or under Linux? If you send spam, you are making it a million people's business.
I tend to talk to people I know on the phone and just check my e-mail once per week to see if anyone sent a message about my programs. Even if you are right, I have to sit for 14 minutes doing nothing except deciding which messages with "Hi, Oleg" subject to open. And I deleted quite a few legitimate messages because I didn't recognize the address.
By the same token, if I went to sleep at 4am I won't want to have a chat with a telemarketer at 9. So I end up turning off my phone until I wake up and possibly missing calls from friends. And I don't want my physical mailbox to overflow just because I went on a one week trip during the holiday season. But spam is definitely the worst.
Communication between people is good. I should be able to publish my postal address, my phone number and by e-mail on the web and invite people to contact me if they looked at my stuff and want to chat. Remember when shareware came with a README file with all kind of contact information to send $15? I actually got a few nice snail mail letters with checks.
Spam has destroyed our ability for this kind of casual communication. People sending it or selling the products advertized make very little money compared to the value of our time or forced changes in our behaviour. It's time to stop them using technological, political or cultural methods, whatever works best.
You want to get back at a spammer? Here's a trick I recommend. If spammer has a forms page on their site, copy the forms page and place on your own server. Change the "Action" tag to point to your own CGI, but save the "Action" URL for later. Add a textfield to the forms page (so you can enter some extra info), and a button, call it "spam". In your own CGI, extract the text box info as the number of times you want to post the CGI. Use large numbers like 10,000,000 In your CGI, extract the forms data, and use it to substitute data to put into the form data to send to the spammer. Loop through submitting each page over and over, extracting the forms data from some database somewhere. Spammers will be rewarded with a huge amount of forms page submittals, and if you can generate "honeypot" email addresses, you can poison their mailing lists.
It's really quite gratifying to know that you can turn spammers techniques back on them.
"So Ms. Sachs, tell me, what kind of "legitimate business" necessitates hiding the true sender of those email?"
To be fair to Ms. Sachs, she's right about this one. This legislation wouldn't affect the policies of ISPs, who uniformly ban ALL spam in their Terms of Service. If she were forced to identify her REAL email address, people would complain to her REAL ISP and get her kicked off even faster. If she was forced to put ADV: in her subject line most end users would never even see the mail because ISPs would block it at the servers, etc.
Of course, she's making the assumption that any business based on spamming, junk mail, junk faxes, etc. is "legitimate".