Slashdot Mirror


Russian Minister Gets Spammed, Spams Back

elhim writes "According to an article in the Moscow Times: 'Spammers last week got on the wrong side of the wrong man, and quickly found themselves with a taste of their own medicine. The man? Deputy Communications Minister Andrei Korotkov. Tired of the endless spate of unsolicited messages that clog e-mail systems everywhere, [Korotkov and others devised] ...an audio message to be volleyed nonstop to the telephone numbers listed in the... [email] spam messages.' Sometimes Russia reminds me of the Wild West."

9 of 406 comments

  1. Spam must contain a real contact method by jurasource · · Score: 5, Interesting

    Otherwise it would be totally useless right?

    Sure the from address is generally bogus, to skip past the basic anti spam methods out there, but something in the email must contain a valid phone number, web site, or address, otherwise how would the spammers make any money (and I suppose they must as they don't do it just to piss everyone off)

  2. The biggest cost to them is toll free fax by FredThompson · · Score: 5, Interesting

    At one time I had a small software company. We outsourced all the phone and fax messages since we didn't have people to work 24/7/365.

    One of the things I learned is an incoming toll-free fax cost me a lot more than a voice call because a single page fax was completed very quickly and the charge was per call/per page.

    So...if you're getting hit with crap like junk faxes, fax it back to them on their toll-free fax number about 30 times.

    It took about a month of this but I don't get lots of junk fax anymore, except for the a**holes that block caller ID and don't list a number to get off their list.

    Another fun trick was to use a standard fax machine with a continuous loop of paper. Let that baby run for about 10-15 minutes and you'll create a lot of clutter on the receiver's end.

  3. Re:Beware the Joe-Job by afidel · · Score: 5, Interesting

    Sounds like one of my pranks from the BBS days, when someone would piss me off I would post an ad for a hot car at an unbelievable price on all the local BBS's and put down their phone number and contact hours of like 1am-4am, then I would go to the stores that had index card ad boards and do the same =)

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. I once tried something similar by Sara+Chan · · Score: 5, Interesting
    I once tried something similar. I got the telephone number, which turned out to be in Uzbekistan. Then I set up my fax program to repeatedly dial the number, whenever I wasn't using the phone line for the internet. Thus, every time they answered the phone in Uzbekistan, they got a fax machine trying to get through--hence effectively disabling their phone line. And because this was in a different country, they couldn't trace me.

    I didn't worry about the cost of the calls, because the people in Uzbekistan soon figured out that the calls were almost all faxes. I reckoned that even if they picked the phone up 10 times a day (to check to see if I'd stopped), it was worth the cost. Calls are only charged when they pick up the phone, right? So I let this go on for over a month.

    Then I got my telephone bill. It was in the thousands. It turns out that there are three countries in the world where, if you phone there, you get charged even if no one answers the phone. And Uzbekistan is one of those countries!

    I didn't know about that, and I complained to the phone company about the bill. But my case seemed weak because I was, it's fair to say, abusing the phone system. The phone company ended up splitting the bill in half, and I paid the rest.

    I don't know if my attempts had any long-term effect on those nice folks in Uzbekistan. But at least I tried.

  5. UK Spam by jbrw · · Score: 5, Interesting

    Two days ago I got a spam from a local (London, UK) company trying to get me to go to their event. It had a 378Kb attachment to it. Thanks.

    The kicker was that the disclaimer said it was impossible to unsubscribe, as it was a carefully crafted one-time mailing list. I imagine I'll be on all future carefully crafted one-time mailing lists for them in the future too.

    The email was sent with a from line of "[something]@noreply.com" or similar (which breaches their ISP's AUP), and if I was to contact them via their email address listed on their website, by their logic I'd have contacted them, thus allowing them to continue to spam me (since we'd then have an existing relationship).

    So - best course of action? The Advertising Standards Authority, whose standards they have breached, seems to be a toothless tiger set up by the industry to pay lip-service to the general public (any ruling against an advertiser seems to result in a ruling of "we advised them to contact us in future before undertaking a similar campaign"). I'm not aware of any specific legislation to stop this (although I'd like to know where they got my email address from. Should I unleash the Data Protection Act?).

    So, what's the best way to hit back? Complain to the ISP? File an ultimately useless complaint to the ASA? What?

  6. Hit them in the pocket. by aaaurgh · · Score: 5, Interesting

    I recently got on the mailing list of a surf company in Sydney, I've no idea how since I'm in Perth and can't surf (Ex-pom).

    I started receiving almost weekly newsletters and updates and, despite numerous phone calls and e-mails with the usual promises to comply, I just couldn't get off the list... then they sent the 2.5 Mb Word document, you know the type!

    I e-mailed back and told them that they'd filled up my e-mail account and caused me to miss some important e-mails, plus cost me time and money due to the download costs. I advised them that, as they were now affecting my business, I'd be invoicing them $25+GST administration fee for each and every e-mail I received from then on and that if they didn't pay, I'd hand the account to a debt collection agency - one that takes a cut of the recovery value.

    I cautioned them that it would not concern me if I received nothing from the agency but that such action could affect their credit rating. What a surprise(!), I've received nothing since.

    If you can justify charging a fee to the spammer for administration or storage or anything like that, sufficient to stand up reasonably in a small claims court, then you should threaten to invoice the spammer and use a debt collection agency - it just might work for you too.

    --

    Go permanent? In your dreams and my worst nightmares.
  7. Go for the source by zornorph · · Score: 5, Interesting

    This is the avenue we should be pursuing when trying to stop spam. Instead of trying to stop the spammers themselves, go after the source (advertiser) instead. If enough advertisers are convinced/shamed/etc that spamming is a bad thing, they will go elsewhere to get their message out, and the spammers will magically disappear.

    --
    http://bike.stu.ph/rides - free GPS routes available for Garmin, Magellan, GPX and Google Earth
  8. SETI-style spammer bamming by G4from128k · · Score: 5, Interesting

    How about an open source software project that creates a piece of software that attacks spammers using a SETI-style approach. Using spare bandwidth and CPU time, the software would repeatedly send requests to the links found in spam.

    Repeatedly loading the homepage of some spam-spawning viagra sales site would hurt the viagra sales company. Companies that advertise with spam would find their bandwidth charges skyrocketing and their conversion rates plummeting. The key is to create disincentives for the e-commerce sites that try to flog their products and services using spam. While spammers can be anonymous, the e-commerce sites that use spam to get eyeballs need more permanence. Eventually, these companies would even penalize the 3rd-party spam sending companies for using email lists that generate too many spurious requests or that have low conversion rates (the spammer's pay drops if they send emails that lead to long streams of spurious requests).

    --
    Two wrongs don't make a right, but three lefts do.
  9. Turnaround is fair play: SQL injection by TheMidget · · Score: 5, Interesting

    Another method of turnaround: SQL injection!

    It's crazy how many spam websites are running on IIS with .asp scripts (or even better: .aspx!) as a frontend, and Microsoft Sequel Server as a backend.

    Just type a spare single quote into the "remove me from your list" box, and watch as parts of the SQL query are displayed. Experiment a bit, and transform this into a query that clears the entire subscribers list, or that changes their spam messages to something funny, or that keeps the subscriber list but replaces all e-mail addresses by their own whois contact (or better: their upstream provider's whois..), etc.

    For starters, the following string often removes the entire list when entered into the remove me box:

    ' or '' = '

    (that's two single quotes between the or and the = sign).

    If the site has an "affiliate program" (look around a bit...), the same string entered as a user name into the affiliate programme's login box might let you in, with a little bit of luck. If not, try the following instead (again, there are only single quotes in the string, no double quotes):

    ' or ''='' or ''='

    If it still doesn't help, try to repeat the same string in the password box.

    If still not ok, you may need to use a union statement:

    x' union all select top 1 null,null,null from sysobjects;--

    Start with one null, and keep adding more until the "parameter number mismatch" error disappears. Patience may be needed, certain login scripts require more than 40 nulls! Then start replacing the nulls with your desired password string, and attempt to find a combination which doesn't give you a type mismatch error.

    Example:

    x' union all select 'zozo', null, 'zozo', null

    Then enter zozo into the password box. With a little bit of luck, this method may let you in.

    Once you're in, you've access to the affiliate's (i.e., the spammer's) account:

    • home address: always nice for a baseball bat expedition, or to pull an Alan Ralsky on the spammer.
    • phone number: on your way to work, give your friend a call! One from each phone booth that you encounter! Write the number on bathroom stalls! Post it to slashdot!
    • bank account number: well, just change it to your own!
    • website URL: change it to you know what
    • social security number: post it to as many places as you can
    • ...
    The benefit of such actions is twofold: not only does it teach the spammer not to spam, but it also tells him that Windows (and especially aspx + Sequel Sewer) is not a very secure technology.

    Have fun!
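
Added example, not part of the comment above or of any site it describes: why the quoted strings work against a handler that concatenates form input into SQL, and how a bound parameter neutralizes them. SQLite stands in for the SQL Server backend; the table, column and function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE subscribers (email TEXT);
        INSERT INTO subscribers VALUES
            ('a@example.org'), ('b@example.org'), ('c@example.org');
        CREATE TABLE affiliates (username TEXT, password_hash TEXT);
        INSERT INTO affiliates VALUES ('alice', 'constructed-hash');
    """)
    return conn

def unsubscribe_concat(conn, email):
    # Vulnerable: the input is pasted into the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "DELETE FROM subscribers WHERE email = '" + email + "'"
    return conn.execute(sql).rowcount

def unsubscribe_param(conn, email):
    # Hardened: the driver binds the value; it is only ever compared as data.
    cur = conn.execute("DELETE FROM subscribers WHERE email = ?", (email,))
    return cur.rowcount

def login_concat(conn, user, pw_hash):
    # Vulnerable login check built the same way.
    sql = ("SELECT COUNT(*) FROM affiliates WHERE username = '" + user +
           "' AND password_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_param(conn, user, pw_hash):
    # Hardened login check with bound parameters.
    sql = ("SELECT COUNT(*) FROM affiliates "
           "WHERE username = ? AND password_hash = ?")
    return conn.execute(sql, (user, pw_hash)).fetchone()[0] > 0

# The two strings quoted in the comment above.
QUOTE_INPUT = "' or '' = '"
LOGIN_INPUT = "' or ''='' or ''='"

if __name__ == "__main__":
    print("concat delete:", unsubscribe_concat(make_db(), QUOTE_INPUT))
    print("bound delete: ", unsubscribe_param(make_db(), QUOTE_INPUT))
    conn = make_db()
    # AND binds tighter than OR, which is why the login form needs the
    # longer string: the middle ''='' term stands alone and is always true.
    print("concat login: ", login_concat(conn, LOGIN_INPUT, "x"))
    print("bound login:  ", login_param(conn, LOGIN_INPUT, "x"))
```

With the concatenated DELETE the WHERE clause becomes `email = '' or '' = ''`, which matches every row; the bound versions compare the whole string against the column and match nothing.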