Slashdot Mirror


Russian Minister Gets Spammed, Spams Back

elhim writes "According to an article in the Moscow Times: 'Spammers last week got on the wrong side of the wrong man, and quickly found themselves with a taste of their own medicine. The man? Deputy Communications Minister Andrei Korotkov. Tired of the endless spate of unsolicited messages that clog e-mail systems everywhere, [Korotkov and others devised] ...an audio message to be volleyed nonstop to the telephone numbers listed in the... [email] spam messages.' Sometimes Russia reminds me of the Wild West."

22 of 406 comments

  1. Spam by LCookie · · Score: 2, Interesting

    Oh well I did the same multiple times.. Spamming back is a viable alternative to getting angry I think.. Plus it hits the spammers where it hurts them most...

    1. Re:Spam by Picon · · Score: 2, Interesting

      Well, if I was a spammer and I got a "Spam back attack", I would modify my "viable command return address" into the attacker's address. Say for one day or two days.

      Of course it is a loss of money, but an efficient way to fight against "Spam back attack" :)

      But I'm not a spammer :P

  2. Give this guy a medal by vlad30 · · Score: 1, Interesting

    Now if we can get our enlightened western leaders to do the same or better

    --
    You're all thinking it, I just said it for you

    1. Re:Give this guy a medal by BrokenHalo · · Score: 4, Interesting

      What middle-east spammers? I don't recall *ever* having had spam mail from a middle-eastern IP (with the rare exception of Israel).

      To date, my stats indicate that 98.3% of the spam I get originates from the US.

  3. Spam must contain a real contact method by jurasource · · Score: 5, Interesting

    Otherwise it would be totally useless right?

    Sure the from address is generally bogus, to skip past the basic anti spam methods out there, but something in the email must contain a valid phone number, web site, or address, otherwise how would the spammers make any money (and I suppose they must as they don't do it just to piss everyone off)

  4. Entertaining, yes. by aerojad · · Score: 2, Interesting

    It really is too bad that there continues to be no legal recourse to fight spam though. An arms race of annoyance between spammers and spam-ees probably wouldn't be the best solution though, but something does have to be done eventually. It would be nice to go back to having one e-mail address instead of various "spam" addresses and then my personal e-mail... which of course still gets spam.

    --

    SecondPageMedia - Wha

    1. Re:Entertaining, yes. by johannesg · · Score: 2, Interesting

      It is true there is no legal recourse *yet*, but we now know beyond doubt that a highly placed Russian government official is aware of the problem. This raises the hope that a law against spam could be in the works too.

      Of course, being the Russian government, they do have other options, like sending in the special forces for example. It wouldn't have to cost them anything - spammers are not likely to fight back, and I'm sure people would pay to see footage of a swarm of Hinds obliterating a spammer's hideout ;-)

  5. The biggest cost to them is toll free fax by FredThompson · · Score: 5, Interesting

    At one time I had a small software company. We outsourced all the phone and fax messages since we didn't have people to work 24/7/365.

    One of the things I learned is an incoming toll-free fax cost me a lot more than a voice call because a single page fax was completed very quickly and the charge was per call/per page.

    So...if you're getting hit with crap like junk faxes, fax it back to them on their toll-free fax number about 30 times.

    It took about a month of this but I don't get lots of junk fax anymore, except for the a**holes that block caller ID and don't list a number to get off their list.

    Another fun trick was to use a standard fax machine with a continuous loop of paper. Let that baby run for about 10-15 minutes and you'll create a lot of clutter on the receiver's end.

  6. Re:Beware the Joe-Job by afidel · · Score: 5, Interesting

    Sounds like one of my pranks from the BBS days, when someone would piss me off I would post an ad for a hot car at an unbelievable price on all the local BBS's and put down their phone number and contact hours of like 1am-4am, then I would go to the stores that had index card ad boards and do the same =)

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.

  7. I once tried something similar by Sara+Chan · · Score: 5, Interesting

    I once tried something similar. I got the telephone number, which turned out to be in Uzbekistan. Then I set up my fax program to repeatedly dial the number, whenever I wasn't using the phone line for the internet. Thus, every time they answered the phone in Uzbekistan, they got a fax machine trying to get through--hence effectively disabling their phone line. And because this was in a different country, they couldn't trace me.

    I didn't worry about the cost of the calls, because the people in Uzbekistan soon figured out that the calls were almost all faxes. I reckoned that even if they picked the phone up 10 times a day (to check to see if I'd stopped), it was worth the cost. Calls are only charged when they pick up the phone, right? So I let this go on for over a month.

    Then I got my telephone bill. It was in the thousands. It turns out that there are three countries in the world where, if you phone there, you get charged even if no one answers the phone. And Uzbekistan is one of those countries!

    I didn't know about that, and I complained to the phone company about the bill. But my case seemed weak because I was, it's fair to say, abusing the phone system. The phone company ended up splitting the bill in half, and I paid the rest.

    I don't know if my attempts had any long-term effect on those nice folks in Uzbekistan. But at least I tried.

  8. UK Spam by jbrw · · Score: 5, Interesting

    Two days ago I got a spam from a local (London, UK) company trying to get me to go to their event. It had a 378Kb attachment to it. Thanks.

    The kicker was that the disclaimer said it was impossible to unsubscribe, as it was a carefully crafted one-time mailing list. I imagine I'll be on all future carefully crafted one-time mailing lists for them in the future too.

    The email was sent with a from line of "[something]@noreply.com" or similar (which breaches their ISP's AUP), and if I was to contact them via their email address listed on their website, by their logic I'd have contacted them, thus allowing them to continue to spam me (since we'd then have an existing relationship).

    So - best course of action? The Advertising Standards Authority, whose standards they have breached, seems to be a toothless tiger set up by the industry to pay lip-service to the general public (any ruling against an advertiser seems to result in a ruling of "we advised them to contact us in future before undertaking a similar campaign"). I'm not aware of any specific legislation to stop this (although I'd like to know where they got my email address from. Should I unleash the Data Protection Act?).

    So, what's the best way to hit back? Complain to the ISP? File an ultimately useless complaint to the ASA? What?

    1. Re:UK Spam by Rogerborg · · Score: 4, Interesting

      Give the ASA a try. They bitchslapped Telewest for me for repeatedly "forgetting" that I'd unsubscribed from their spam. The response was rapid, but they were fairly clueless - I sent full plain text headers, and they got back to me asking what the recipient email address was. D'oh.

      Best case, I never get spam from Telewest again. Middle case, they spam me again and I get to find out what the ASA does to repeat offenders. Worst case, I get the spam, the ASA does nothing, but at least I get to piss off them by forwarding the spam. I have a vague hope that swamping the ASA with UK spam might get the problem addressed.

      I don't believe that contacting someone to tell them to cease and desist constitutes having a business relationship. I'm sure that J. Random Spammer would assert otherwise, but you do need a record of telling them to get lost. What have you got to lose?

      --
      If you were blocking sigs, you wouldn't have to read this.

  9. Hit them in the pocket. by aaaurgh · · Score: 5, Interesting

    I recently got on the mailing list of a surf company in Sydney, I've no idea how since I'm in Perth and can't surf (Ex-pom).

    I started receiving almost weekly newsletters and updates and, despite numerous phone calls and e-mails with the usual promises to comply, I just couldn't get off the list... then they sent the 2.5 Mb Word document, you know the type!

    I e-mailed back and told them that they'd filled up my e-mail account and caused me to miss some important e-mails, plus cost me time and money due to the download costs. I advised them that, as they were now affecting my business, I'd be invoicing them $25+GST administration fee for each and every e-mail I received from then on and that if they didn't pay, I'd hand the account to a debt collection agency - one that takes a cut of the recovery value.

    I cautioned them that it would not concern me if I received nothing from the agency but that such action could affect their credit rating. What a surprise(!), I've received nothing since.

    If you can justify charging a fee to the spammer for administration or storage or anything like that, sufficient to stand up reasonably in a small claims court, then you should threaten to invoice the spammer and use a debt collection agency - it just might work for you too.

    --

    Go permanent? In your dreams and my worst nightmares.

  10. Go for the source by zornorph · · Score: 5, Interesting

    This is the avenue we should be pursuing when trying to stop spam. Instead of trying to stop the spammers themselves, go after the source (advertiser) instead. If enough advertisers are convinced/shamed/etc that spamming is a bad thing, they will go elsewhere to get their message out, and the spammers will magically disappear.

    --
    http://bike.stu.ph/rides - free GPS routes available for Garmin, Magellan, GPX and Google Earth

  11. Exploit! by skinfitz · · Score: 2, Interesting

    ...cut to spammers setting up premium rate numbers to put in their SPAM messages in the hope that people will spam them back by calling them all the time.

  12. SETI-style spammer bamming by G4from128k · · Score: 5, Interesting

    How about an open source software project that creates a piece of software that attacks spammers using a SETI-style approach. Using spare bandwidth and CPU time, the software would repeatedly send requests to the links found in spam.

    Repeatedly loading the homepage of some spam-spawning viagra sales site would hurt the viagra sales company. Companies that advertize with spam would find their bandwidth charges skyrocketing and their conversion rates plummeting. The key is to create disincentives for the e-commerce sites that try to flog their products and services using spam. While spammers can be anonymous, the e-commerce sites that use spam to get eyeballs need more permanence. Eventually, these companies would even penalize the 3rd-party spam sending companies for using email lists that generate too many spurious requests or that have low conversion rates (the spammer's pay drops if they send emails that lead to long streams of spurious requests).

    --
    Two wrongs don't make a right, but three lefts do.

    1. Re:SETI-style spammer bamming by mangu · · Score: 2, Interesting

      However, such a concerted effort to melt a webserver is actually a crime.

      Why is that? If the spammer sends you a link to his site, it means that he wants you to see his site, right? Why would it be illegal to click on a link someone sent to you? Even if you click a million times, there isn't any legal limit on how many times you can access a site, is there?

  13. Turnaround is fair play: SQL injection by TheMidget · · Score: 5, Interesting

    Another method of turnaround: SQL injection!

    It's crazy how many spam websites are running on IIS with .asp scripts (or even better: .aspx!) as a frontend, and Microsoft Sequel Server as a backend.

    Just type a spare single quote into the "remove me from your list" box, and watch as parts of the SQL query are displayed. Experiment a bit, and transform this into a query that clears the entire subscribers list, or that changes their spam messages to something funny, or that keeps the subscriber list but replaces all e-mail addresses by their own whois contact (or better: their upstream provider's whois..), etc.

    For starters, the following string often removes the entire list when entered into the remove me box:

    ' or '' = '

    (that's two single quotes between the or and the = sign).

    If the site has an "affiliate program" (look around a bit...), the same string entered as a user name into the affiliate programme's login box might let you in, with a little bit of luck. If not, try the following instead (again, there are only single quotes in the string, no double quotes):

    ' or ''='' or ''='

    If it still doesn't help, try to repeat the same string in the password box.

    If still not ok, you may need to use a union statement:

    x' union all select top 1 null,null,null from sysobjects;--

    Start with one null, and keep adding more until the "parameter number mismatch" error disappears. Patience may be needed, certain login scripts require more than 40 nulls! Then start replacing the nulls with your desired password string, and attempt to find a combination which doesn't give you a type mismatch error.

    Example:

    x' union all select 'zozo', null, 'zozo', null

    Then enter zozo into the password box. With a little bit of luck, this method may let you in.

    Once you're in, you've access to the affiliate's (i.e., the spammer's) account:

    • home address: always nice for a baseball bat expedition, or to pull an Alan Ralsky on the spammer.
    • phone number: on your way to work, give your friend a call! One from each phone booth that you encounter! Write the number on bathroom stalls! Post it to slashdot!
    • bank account number: well, just change it to your own!
    • website URL: change it to you know what
    • social security number: post it to as much places as you can
    • ...
    The benefit of such actions is twofold: not only does it teach the spammer not to spam, but it also tells him that Windows (and especially aspx + Sequel Sewer) is not a very secure technology.

    Have fun!

    1. Re:Turnaround is fair play: SQL injection by TheMidget · · Score: 3, Interesting

      As long as the webmaster has an ounce of brain,

      You forgot that we are talking about spammers here. And Windows administrators. Neither of which are known for their smartness.

      they have most likely configured their server to automatically replace a single quote (') in a query string with two single quotes (''),

      You'd have a case if that was a PHP server. By default, PHP escapes all input (i.e. ' is replaced with \'), which pretty much defeats most of such attacks. However, if there are some places where the web-app expects numbers (such as affiliate id's) it may still be vulnerable (no need to close a quote to slip SQL code into a number).

      which will escape it to MSSQL server.

      With ASP, the admin has to specifically set up his rig to do this escaping. With PHP, it is the default setting. However, an admin dumb enough to run sequel sewer in the first place would probably not even know about the issue.

      Which means no matter how many single quotes you type, you won't be able to doctor the query. Sorry.

      Try it out. Just search for aspx news.admin.net-abuse.sightings on google groups and try out the links. Sort by date, or you'll find that most spams are too old and the site already has been closed. Or if you are in the habit of keeping your spam, just search your own collection for .aspx links. You'd be astonished at how many of these the SQL injection works! (I'd say one out of 3). However, for some weird reason, probability of success is much higher for .aspx than it is for .asp (For .asp it indeed takes quite a bit of patience to find anything worthwhile...)
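
Added example, not part of the thread or any poster's code: why the quote string in the comment above changes a query built by string concatenation, and how bound parameters plus integer validation close the hole, including the numeric-field case the reply mentions. It uses Python's sqlite3 and a constructed `subscribers` table as a stand-in for the ASP and SQL Server setup under discussion; the table, column and function names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory stand-in for a mailing-list table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO subscribers (email) VALUES (?)",
                   [("a@example.com",), ("b@example.com",), ("c@example.com",)])
    return db

def remaining(db):
    """Number of rows still on the list."""
    return db.execute("SELECT COUNT(*) FROM subscribers").fetchone()[0]

def unsubscribe_concat(db, email):
    """Vulnerable 'before': user input is pasted into the SQL text itself."""
    db.execute("DELETE FROM subscribers WHERE email = '" + email + "'")
    return remaining(db)

def unsubscribe_bound(db, email):
    """Hardened: the value is bound as data and never parsed as SQL."""
    db.execute("DELETE FROM subscribers WHERE email = ?", (email,))
    return remaining(db)

def lookup_by_id_concat(db, raw_id):
    """Numeric field built by concatenation: no quote is needed to alter it."""
    return db.execute("SELECT email FROM subscribers WHERE id = " + raw_id).fetchall()

def lookup_by_id_bound(db, raw_id):
    """Hardened: reject anything that is not an integer, then bind it."""
    try:
        ident = int(raw_id)
    except ValueError:
        return []
    return db.execute("SELECT email FROM subscribers WHERE id = ?", (ident,)).fetchall()

QUOTE_INPUT = "' or '' = '"   # string quoted from the comment above
NUMERIC_INPUT = "1 OR 1=1"    # constructed input for the numeric-field case

if __name__ == "__main__":
    print("concat, quote input :", unsubscribe_concat(make_db(), QUOTE_INPUT), "rows left")
    print("bound,  quote input :", unsubscribe_bound(make_db(), QUOTE_INPUT), "rows left")
    print("concat, numeric     :", lookup_by_id_concat(make_db(), NUMERIC_INPUT))
    print("bound,  numeric     :", lookup_by_id_bound(make_db(), NUMERIC_INPUT))
```

Quote doubling, as debated in the reply, only covers string fields; binding parameters covers strings and numbers alike because the input never reaches the SQL parser.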

  14. What about anonymizer? by Anonymous Coward · · Score: 1, Interesting

    Is it still dangerous to do this if you go through anonymizer?

  15. There is no place like localhost by Mr.+Arbusto · · Score: 2, Interesting

    I've always filled in my address as root@127.0.0.1

    Damn people using Microsoft

  16. Fight fire with fire? by DaveTibet · · Score: 2, Interesting

    The fun part is that while spam is technically legal in Russia, flooding somebody's phone number isn't, and is classified as a minor criminal offense.

    On the other hand, the American Language Center is THE evil spammer of the .RU net and completely deserves such treatment. Their spam volleys are regular, annoying, and use all sorts of clever tricks to circumvent spam filters. By contrast, a lot of Russian-originated spam (at least spam that I receive) is very business-oriented and largely contains honest-to-God offers to sell you tires, or electric cable or some other commodity, or seminar invitations; stuff you wouldn't show to your kids is extremely uncommon.

    In fact, more than once incoming spam had left me thinking that had I been involved in commerce, I'd probably even react to those offers.