Slashdot Mirror


Honeypot For Identifying Email-Harvesters

Cheese Man writes "Mark Pilgrim describes a simple way to identify email-harvesters: "In each page I serve, I include a bogus email address, encoded with the date of access as well as the host IP address ... This has allowed me to trace spam back to specific hosts and/or robots." There's even a simple one-line example done with PHP. (Thanks to BoingBoing for the links.)"

19 of 252 comments

  1. I say... by JoeLinux · · Score: 5, Interesting

    That there should be email addresses that the big companies "float" out onto spamming lists. When a mass email comes back with these email addresses, it's a flag that it's spam, and block the whole message from going into the system. Of course, security on what those email addresses are would have to be pretty tight...

  2. But what can you do about it? by Tuxinatorium · · Score: 4, Insightful

    Unfortunately, there is still no law against email harvesting, so there is nothing you can do to them unless you want a little vigilante justice.

  3. Nothing new by Rosco+P.+Coltrane · · Score: 4, Informative

    Lots of people, including me, use different middle names or initials when applying for something in writing, by snail mail or by telephone. When junk mail comes back in the mailbox, it's easy to know what company sold your information to whom, or at least which company was the initial recipient of the bogus info and which was the last.

    Old news ...

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  4. wpoison by Gothmolly · · Score: 5, Informative

    Try wpoison, it's a CGI script to generate a random set of email addresses, infinitely deep. Very fun.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re: wpoison by Black+Parrot · · Score: 5, Funny


      > Try wpoison, it's a CGI script to generate a random set of email addresses, infinitely deep. Very fun.

      I'm trying to invent an e-mail address that explodes if anyone tries to use it.

      --
      Sheesh, evil *and* a jerk. -- Jade
  5. Spammers are pretty simple (for now) by brejc8 · · Score: 5, Interesting

    I am pleasantly surprised that my anti-spam encoded email address still has not been spammed. And even a recent spam study found that only normal email addresses got spam.
    It wouldn't take much to find and decode most of the simple spam-protected email addresses. And I don't think it would take long for the spammers to detect a system such as this and bypass it, but I don't think they will bother in the current climate.
    But pretty soon I suspect we will get much cleverer email collecting tools and the problem is going to get to the scale of the virus/anti-virus stage.

    1. Re: Spammers are pretty simple (for now) by Black+Parrot · · Score: 5, Funny


      > I am pleasantly surprised that my anti-spam encoded email address still has not been spammed. [...] It wouldn't take much to find and decode most of the simple spam-protected email addresses. [...] But pretty soon I suspect we will get much cleverer email collecting tools and the problem is going to get to the scale of the virus/anti-virus stage.

      Then we'll start putting "nospam" in our real addresses!

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re: Spammers are pretty simple (for now) by mistered · · Score: 4, Interesting
      > Then we'll start putting "nospam" in our real addresses!

      I do. I use myid-nospam@my_domain.org for news groups, dubious web site forms, etc. In several years, I've received exactly one spam at that account. It looks like many of the harvesters remove any address with "spam" in it, because they think it's likely fake (or at least harvester-proofed).

      By far most of my spam comes to my old eBay account. Luckily that was myid-ebay@my_domain.org, which will soon be removed in favour of a slightly different permutation.

      --
      Enjoy your job, make lots of money, work within the law. Choose any two.
  6. So you found the harvester... by anubi · · Score: 5, Interesting
    It's been my experience that even though you find out which IP the harvesting spider operated from, they only sell their harvested stuff to mass marketers, which proceed through several layers of people before ending up in the hands of those doing the mass mailings.

    These guys come like a thief in the night. They load your page like any other search engine spider. It's like knowing the face of the guy who went through your neighborhood, trying every door knob in the guise of distributing an advertising flyer, then later he disclosed to other thieves, unknown to you, who's at home during the day and who is not.

    Yes, it's helpful in building a case, like knowing who is going through a neighborhood trying all the doors, but catching the actual guy in the act is not as easy.

    Some of this spam is really getting nasty. Just two days ago, I received this spam in my box purporting to be from the fraud department of Best Buy regarding CD players some guy in New York is trying to buy with my credit card. It seemed a really professional email, except they didn't know my name, and apparently had to get my email addy from a national credit bureau agency. When the links did not point as shown, I really became leery. The whole thing was apparently a ruse to get me to log into their site and disclose all sorts of personal information, playing on my fear that if I did not do so, the fraudulent transaction would complete.

    Watch out, guys. There's a lot of deception going on out there.

    Any tools and techniques we make to help us find out who these little rascals are is really welcome. Being some students just got nailed for their life savings for just their involvement in sharing a few songs, I trust this same environment can be used for those involved in internet scams which often cost not just a few record sales, but often substantial, I mean really substantial, grief for the victim.

    --
    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

  7. fighting spam by daserver · · Score: 5, Interesting

    The only email address I have on my site is blockme@mydomain and if anyone sends an email to that one they get blacklisted. Easy but effective.

  8. You can do the same with a lot of addresses by wheany · · Score: 5, Informative

    You can often do this even without a throwaway domain. Many addresses can be tagged by adding a "+" (plus-sign) and anything between the user name and the @-sign.

    For example wheany+sd@iki.fi, wheany+SpamTastesGood@iki.fi, wheany+glahglahglag@iki.fi, wheany+spammer.com_on_06_22_2003@iki.fi all go to the same mailbox.

  9. It's called a false dichotomy by gad_zuki! · · Score: 4, Informative

    > Come on, you can't have it both ways.
    > You're either pro government control or against it,

    Why not?

    Things are rarely polar opposites. You can't just say, "Well kid, are you a communist or for a laissez-faire market." There's tons of middle ground.
    The formal name for this is the False Dichotomy. More
    Extremes only really exist as abstract concepts.

    Advocating regulation or laws to protect against abuse is hardly pro-DMCA.

  10. Payback pages by NewtonsLaw · · Score: 4, Funny

    Why bother with honeypots when a Payback Page is far more satisfying :-)

  11. Giving credit where it is due... by darkpurpleblob · · Score: 4, Informative
    It wasn't Mark Pilgrim that described a simple way to identify email-harvesters. The link shows it was George A. Theall in a comment on Mark Pilgrim's weblog.

    How Cheese Man got mixed up is beyond me, as comment by George A. Theall is clearly displayed at the bottom of the comment.

  12. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  13. Re:I don't know if this would work but... by utd-blaze · · Score: 5, Insightful

    I don't think a list of phony e-mail addresses is going to put a dent in an industry that will send an e-mail to every possible address on a popular domain in the hopes that a small fraction of those addresses will belong to real people.

    --
    Do me a favor and double it!
  14. mod_spam_die by c_g_hills · · Score: 5, Informative

    Another tool to throw a spanner in the works for spammers is mod_spam_die for Apache. It generates a random page with recursive links and fake addresses, thus causing the spammer's database to fill up with useless addresses. There's an example at chaz6.com/spam_die.

  15. Better PHP code by Sanity · · Score: 4, Interesting
    Here is some PHP code that will do something similar - it just encodes the IP address, but it does so much more efficiently - resulting in email addresses as short as "fwAAAQ@blah.com". The fwAAAQ can then be decoded using base64_decode to get back to the original IP address.

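    <?php
    // Assumes REMOTE_ADDR is a dotted IPv4 address.
    $remaddr = $_SERVER["REMOTE_ADDR"];
    $ips = explode(".", $remaddr);

    // Pack the four octets into a 4-byte binary string.
    $bst = "";
    foreach ($ips as $b) {
        $bst = $bst . chr(intval($b));
    }

    // base64 of 4 bytes is 8 characters ending in "=="; drop the padding.
    $out = str_replace("=", "", base64_encode($bst));

    echo("<a href=\"mailto:$out@blah.com\">email me!</a>");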
  16. Let's combine some ideas here. by The+Monster · · Score: 4, Informative
    1. Set up one or more machine names on your domain specifically for spam traps.
    2. All email addresses on your page are munged thusly: When a computer at 123.45.67.89 requests a page containing the email address
      Dr. John Q. Doe <john.doe@isp.com>
      it becomes
      Dr. John Q. Doe (john DOT doe A-T isp DOT com) <16552.IP.123.45.67.89@spamtrap.domain.org>
      where the exact formula should be a bit vague, so as not to be easily defeated by bots, but obvious to humans
    3. The email server for spamtrap.domain.org is a Teergrube (tarpit) that locks up the spamming computer AND sends notification back to the web site to serve that IP links to a world-wide tarpit ring, so as to get the spammers as many tarpit email addresses as possible.
    --

    [100% ISO 646 Compliant]
    SVM, ERGO MONSTRO.
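
The per-visitor trap address from comments 15 and 16, as an added example that is not code from the thread: it packs the access date next to the IP as the story summary describes, uses base32 so the tag survives case-folding and avoids the "+" and "/" that base64 can emit, and appends a truncated HMAC so a made-up address is not mistaken for one the site issued. It is written in Python for the mail-receiving side; the secret, the trap domain and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct
from datetime import date, timedelta

SECRET = b"constructed-example-key"    # assumption: per-site secret, never published
TRAP_DOMAIN = "spamtrap.example.org"   # assumption: hypothetical trap domain
EPOCH = date(2000, 1, 1)               # dates are stored as days since this day


def _mac(payload: bytes) -> bytes:
    """First 4 bytes of HMAC-SHA256: enough to reject typos and guesses."""
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:4]


def make_trap_address(remote_addr: str, day: date) -> str:
    """Build the address to embed in a page served to remote_addr on day."""
    payload = ipaddress.IPv4Address(remote_addr).packed        # 4 bytes
    payload += struct.pack(">H", (day - EPOCH).days)           # 2 bytes
    # 10 bytes encode to exactly 16 base32 characters, so no "=" padding.
    tag = base64.b32encode(payload + _mac(payload)).decode().lower()
    return f"{tag}@{TRAP_DOMAIN}"


def decode_trap_address(rcpt: str):
    """Return (ip, date) for an address this site issued, else None."""
    local, _, domain = rcpt.strip().strip("<>").partition("@")
    if domain.lower() != TRAP_DOMAIN or len(local) != 16:
        return None
    try:
        raw = base64.b32decode(local.upper())
    except ValueError:                       # characters outside A-Z, 2-7
        return None
    payload, mac = raw[:6], raw[6:]
    if not hmac.compare_digest(mac, _mac(payload)):
        return None                          # forged or corrupted tag
    days = struct.unpack(">H", payload[4:])[0]
    return str(ipaddress.IPv4Address(payload[:4])), EPOCH + timedelta(days=days)


if __name__ == "__main__":
    # Constructed sample input, not a real harvester.
    addr = make_trap_address("123.45.67.89", date(2003, 6, 22))
    print(addr, "->", decode_trap_address(addr))
```

A trap mail server would call `decode_trap_address` on each envelope recipient and treat `None` as an address the site never handed out.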