Slashdot Mirror


Spamfighters Get A Hold Of Spammers' Incoming Mail

Karin Spaink writes "On July 3 2003, cyberangels.nl was obtained by Spamvrij.nl, a Dutch foundation fighting spam. Previously, the domain was owned by the infamous Cyberangels, who are majorly involved in spamming. Cyberangels felt forced to drop the domain when the ground under their feet got too hot after BBC journalist Andrew Bomford connected Dutch ISP Megaprovider to Cyberangels. Since the MX-records for cyberangels.nl now point to spamvrij.nl too, they get all Cyberangels' incoming mail: bounces, spam complaints and what have you. Have a peek: what kind of mail does a major spammer receive in the course of three days? By now, they have a very precise answer: 6305 mails. Spamvrij.nl published an analysis of those mails on its site."

19 of 274 comments

  1. Errr...isn't this illegal? by PhysicsGenius · · Score: 5, Insightful

    Or at least immoral? I don't think "the end justifies the means" is really a valid defense, especially as there's no "end" in this case. They are just reading someone else's email. And "White hat hacking" doesn't apply either, as that refers to people who are asked to break in to a computer to test it, not vigilantes like our own Fyodor, who use their skills to merely harass people that annoy them.

    1. Re:Errr...isn't this illegal? by AndroidCat · · Score: 5, Insightful
      They own the domain. There is possibly an analogy with getting smail for the previous occupant, but it's a very bad analogy. The Post is prepaid and government regulated.

      If they wanted their email, why did they suddenly drop the domain and run?

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Errr...isn't this illegal? by bishopi · · Score: 5, Insightful
      Or at least immoral?

      I'd go with Immoral more than illegal - since they ARE the registered owners of a domain that was voluntarily dropped, they are technically the "owners" of that mail at this point in time.

      Mind you, there's probably a few hundred lawyers out there who were spammed previously who'll defend them if it becomes an issue ;)

      Ian

    3. Re:Errr...isn't this illegal? by Nfnitloop · · Score: 5, Insightful

      If you move into a house somebody just moved out of and receive their junk mail (which is really all that they're getting here) do you think they're really going to care? It doesn't appear to have any personal emails or anything - just spam for the spammers. The nature of email doesn't put it in an "envelope" - it's synonymous with a postcard. If the postman or the person who received the card at their newly acquired address ends up reading it, big deal. There's no expectation of privacy.

    4. Re:Errr...isn't this illegal? by ClickNMix · · Score: 3, Insightful

      Sending an email is much more like sending a mail that's labeled 'The Current Occupier' or some such, rather than a named person at a postal address. They have every right to read it and do what they like with the contents...

      Unless there were particularly sensitive contents in the emails, accompanied with the disclaimers a lot of businesses append to emails about if you're not the rightful recipient, you should and shouldn't do X, Y and Z.

      --
      I saw the light at the end of the tunnel... But it was just someone with a flashlight bringing more work.
    5. Re:Errr...isn't this illegal? by AftanGustur · · Score: 3, Insightful


      They own the domain.

      Yes, but not the email that is sent to the domain.

      The owner is the author of each email, and the mail is not intended for them.

      I completely fail to see how on earth it could possibly be legal to not only set up the domain to receive mail for all (nonexisting) addresses (knowing you are going to receive far more than just *your* email) but also to publish said email on a website.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    6. Re:Errr...isn't this illegal? by AftanGustur · · Score: 2, Insightful


      There is no law in any country that affects e-mail with regard to who actually owns it. Your "theory" (at best) is completely without merit. Since these people bought the domain, it is their right to do whatever they want with the incoming mail.

      You are horribly wrong.

      --
      echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
    7. Re:Errr...isn't this illegal? by geekee · · Score: 2, Insightful

      "If you move into a house somebody just moved out of and receive their junk mail (which is really all that they're getting here) do you think they're really going to care?"

      Who do you think you are, that you can make that decision for the actual mail recipient?

      --
      Vote for Pedro
    8. Re:Errr...isn't this illegal? by Petter3 · · Score: 4, Insightful

      US laws still don't apply outside the US. Well, most of them don't. Not yet, anyway.

    9. Re:Errr...isn't this illegal? by Noofus · · Score: 2, Insightful

      Are you sure email follows the 'Current Resident' labelling? I see it more like a cell phone number. Your email is protected by a password (at some level), so it would be safe to assume nobody else would read it. Sure, root@localhost can see it, but in a large networked environment you need to assume root doesn't peek, or you don't send anything sensitive that root may see.

      To me, your analogy seems more like some apartment landlord sold the property to someone else. And that new owner is going around to all the mail slots and opening them to see what's inside, in case something interesting arrives even after the original tenant was evicted.

  2. Re:Not in three days. by Yosemite+Sue · · Score: 2, Insightful

    Until now - 06-07-2003, 23:00 GMT+1 - we have received a grand total of 6305 mails. The oldest is dated Tue, 24 Jun 2003 01:10:17 GMT+1, and the bulk of the mail was sent between 01 July and 04 July 2003.

    It kind of depends on how you count the mails ... received or sent?

    YS

    --
    "Arrr! The laws of science be a harsh mistress." -- Bender
  3. Re:Not much success there... by mccalli · · Score: 4, Insightful
    6305 incoming emails and not one of them contained an order or anything else positive.

    You know, I was just putting together a response that said this too. Then it dawned on me - of course there weren't any positive responses via email, all the reply addresses on spam are faked anyway.

    Sadly, this encouraging count of zero doesn't actually reflect the number of potential respondents to spam. For that, we'd need to know if anyone called any of the telephone or fax numbers they list.

    Cheers,
    Ian

  4. Interesting autopsy by Migraineman · · Score: 5, Insightful

    They've done a nice job of analyzing the residual influx of email, while not airing all the dirty laundry. They didn't post a complete session log, so there's no information that may get folks upset. The last business email listed as "1 other" is probably sensitive, and shouldn't be posted on the web (though sending them a "we know who you are" message may make them think twice about using spam in the future.)

  5. Address spoofing. by Anonymous Coward · · Score: 2, Insightful

    Since the header shows a return email address that doesn't belong to the spammer, the bounces go to compromised servers like yours was and people who get sent the spam usually can't figure out who to complain to. There's little reason for a spammer to accept incoming email, so they probably don't have any email addresses on their websites and email harvesters don't send them spam.

  6. I looked, three days by magicianuk · · Score: 3, Insightful

    Friday morning, when the NL-zonefiles were updated: the MX-records of cyberangels.nl were now pointing to us. (We made a catch-all for all addresses.) The first few hours, literally thousands of mails reached us: 5919 mails, most of them bounces. By now, the avalanche has dwindled to a trickle.

    Until now - 06-07-2003, 23:00 GMT+1 ...


    Friday was 04-07-2003, 6305 messages received on the 4th of July, the 5th of July and the 6th of July ... that looks like more than two days and less than four to me!

  7. Re:I don't either! by nordicfrost · · Score: 2, Insightful

    It might be that the domain was not a priority for brute force attacks. A brute forcer would probably target a more known and populated domain.

  8. Follow the Money by mobileskimo · · Score: 5, Insightful

    I have a question. What occurs to credit cards and payments that scammers receive from their customers?

    Spammers are by no means stupid. Above all things they MUST get their money, otherwise none of this is worth doing.

    So if the scammers are getting their money, the credit card companies pay them. If the credit card companies pay them...

    [1] We have a breach of trust between the credit card companies and the customers. CC companies are not doing their due diligence in brokering payments for product/services. CC companies are issuing clearance of charges to unscrupulous people. We are entrusting them with our financials (whether we choose to "fraud-notify" them or not). They have all the information, both the consumers and the scammers.

    [2] The customers complain they never got their product. Report fraud. The credit card companies remove the charge, investigate it or not. This increases cost/risk for the CC companies. Higher interest rates? More cooking the books?

    Why is nobody investigating the money side (IMHO the lifeblood of this business) of this problem? As long as we concentrate on the technology, we'll always be distracted from the real solution. It's all about the money in the end.

    Anonymity
    + Privacy, Sharing, Voice
    - Scams, Theft, Hit/Run

    We asked for it.

    --
    "Last one in is a rotten goblin!" - Kepp
  9. Re:Yes, that's fine. by Norwolf · · Score: 2, Insightful

    Pretend you moved into an office, and got mail delivered to the previous occupant... it's still a federal crime for you to open that mail if it's not addressed to you. Now, I'm not saying it's necessarily as clear cut with email, but it's the same general thing, and it is immoral.

    Federal crime? Please keep in mind that this is about a .nl domain, not in the USA, 'federal' has little or no importance.

    But anyways, many countries do not see electronic communication as "regular" communication. Let me give you an example: many people in corporations add silly "by reading this e-mail, you agree to blablabla and delete it if it isn't addressed to you." One problem: it's impossible. You have to read it in order to know the content of the signature, and you automatically agree to it? I think not - invalid at least in Norway.

    Addressing of post in the real world is much simpler - you have to have a name. On the net, you can simply address 'webmaster', a handle/nickname, etc. I just checked with two friends of mine studying law here at the University of Oslo, and in Norwegian law you have committed a crime by opening (or destroying) a letter not addressed to you. But there are no current cases that confirm that this is valid for electronic communication.

    Morally, it's a grey zone also - by my point of view. I currently use 5 different domains. All incoming e-mail to those domains is redirected to one of my inboxes. If I forget to renew one of those domains, it's my fault. I wouldn't care what happens with e-mail to that domain then.. and yes, it's happened :-) If you want to protect your incoming e-mails, the least you need to do is to make sure that your domain is registered and has a proper MX :-)

    --
    Linux IS user friendly, it's just choosy of who its friends are.
  10. Re:Only 6000? by jonadab · · Score: 2, Insightful

    > 6000 emails in 3 days? That doesn't sound like nearly enough
    > for a serious spammer.

    Read the article. Those are just the bounces that got *forwarded*
    correctly. The vast majority of the bounces were directed back to
    the (faked) From addresses; a small percentage of technically savvy
    victims figured out where the junk originated and set up automatic
    forwarding back to there; this is the 5880 number.

    I don't know exactly what percentage that would be of the total
    bounces. It would of course be a very small percentage of the
    victims who would figure stuff out and set up the .forward --
    certainly less than 1%. However, 5% of the people get 95% of the
    spam, so it might be a somewhat higher percentage of the bounced
    messages. It's hard to say. 1% is probably a fair bet, in terms
    of being within an order of ten (that is, the true percentage is
    very likely between .1% and 10%). Which means between 58800 and
    5880000 bounces -- rounding, we can guess between sixty thousand
    and six million bounces were generated by this outfit's activity
    during a 1-3 day timeframe. We do not know whether this is a
    typical amount or an outlier, or how much variance there would be.
    All numbers courtesy of Jonadab's Flagrant Guesstimation, except
    for the initial 5880.

    If we give them a heaping passel of benefit-of-the-doubt, we can
    imagine that during a three-day timeframe only fifty thousand
    bounce messages resulted from their activities *and* that this
    was a very active period for them, perhaps ten times normal, so
    that in an average day we can imagine that they would only cause
    around 1500 bounces netwide. That's a VERY conservative estimate,
    yet it's obviously enough that any responsible ISP ought to revoke
    their access first and ask questions later. Translation: spammers
    are scum. As if you didn't already know that.

    --
    Cut that out, or I will ship you to Norilsk in a box.