Russian Minister Gets Spammed, Spams Back

elhim writes "According to an article in the Moscow Times: 'Spammers last week got on the wrong side of the wrong man, and quickly found themselves with a taste of their own medicine. The man? Deputy Communications Minister Andrei Korotkov. Tired of the endless spate of unsolicited messages that clog e-mail systems everywhere, [Korotkov and others devised] ...an audio message to be volleyed nonstop to the telephone numbers listed in the... [email] spam messages.' Sometimes Russia reminds me of the Wild West."

So the numbers is real?

[dizzy_p]

I've always thought everything was bogus.

I'll order the penis enlargement pills right away.

--dpr

Phone numbers?

[minghe]

First of all. A spam message with real, working means of contacting the sender? Why din't I ever get that? Only in Russia, I say.

And second, that guy is hereby my god.

Re:Phone numbers?

1. That **ing American English Center send out its REAL phone numbers. It's Runet's curse for months now - all civilized attempts to get them down failed. They change mails everyday writing something like 'Tsent rAmerican sko goAngliy skogo' instead of 'Tsentr Americanskogo Angliyskogo' or 'Amer icanEngli shCen ter' to get the filters fooled.

Still I don't expect broken windows, masked armed men in their office and Militia (our local police) officers showing them a prescription to 'clean out' from there... It is a dream of almost everybody here, but it is not going real any day.

And their management which is 'very far, too far from here to get phone calls' - these people seem to be just insane i-net villains, striving not for business, but to 'show these Russian swines' who is the king of the hill around.

2. Read the article more accurately: even Andrey Korotkov had to confirm: that resounding measure didn't bring much good. God or not, but the problem remains.

Re:Phone numbers?

[AndroidCat]

Miscrosoft could send out porn spam and put Mozilla's phone number

So by getting a huge number of people angry enough to call (or wanting to buy) this would be an .. MS-DDOS .. ?

Spam must contain a real contact method

[jurasource]

Otherwise it would be totally useless right?

Sure the from address is generally bogus, to skip past the basic anti spam methods out there, but something in the email must contain a valid phone number, web site, or address, otherwise how would the spammers make any money (and I suppose they must as they don't do it just to piss everyone off)

Re:Spam must contain a real contact method

[BiggerIsBetter]

Yes and no. Spam almost never contains valid automatible contact information for the Spammer, but the Advertiser absolutely has to have some way of being contacted. It's hard work chasing spammers, so there's my usual anti-spam technique - piss off as many "Spammer Customers" as I can. I appear to have been removed from spam lists several times just for hassling a few CEOs...

IN SOVIET RUSSIA

[Jucius+Maximus]

... victims spam YOU!

Please let me be the first one to have said that ...

China?

[Jucius+Maximus]

"..an audio message to be volleyed nonstop to the telephone numbers listed in the... [email] spam messages.' "

Wasn't there an article some months ago about something simimlar happenning in china? 'Entrepreneurs' would illegally put up advertisements (i.e. posters) all over the place where you have to phone a number to get the product. (Typically these would be mobile phone numbers that were prepaid so there was no name on the account.)

The law enformenet officials would leave an endless loop of messages on tht moble's answering machine that they must turn themselves in and such. I doubt that they actually expected anyone to turn themselves in, but it made all those posters with the number on them useless and thus discouraged putting them up in the first place.

I wonder if this russian fellow was inspired by that action.

The biggest cost to them is toll free fax

[FredThompson]

At one time I had a small software company. We outsourced all the phone and fax messages since we didn't have people to work 24/7/365.

One of the things I learned is an incoming toll-free fax cost me a lot more than a voice call because a single page fax was completed very quickly and the charge was per call/per page.

So...if you're getting hit with crap like junk faxes, fax it back to them on their toll-free fax number about 30 times.

It took about a month of this but I don't get lots of junk fax anymore, except for the a**holes that block caller ID and don't list a number to get off their list.

Another fun trick was to use a standard fax machine with a continuous loop of paper. Let that baby run for about 10-15 minutes and you'll create a lot of clutter on the receiver's end.

Re:Beware the Joe-Job

[afidel]

Sounds like on of my pranks from the BBS days, when someone would piss me off I would post an ad for a hot car at an unbelievable price on all the local BBS's and put down their phone number and contact hours of like 1am-4am, then I would go to the stores that had index card ad boards and do the same =)

This is a Public Service Announcement

[tankdilla]

For those of you new to Slashdot and fellow veteran Slashdotters, this is a PSA. As we all know there are many running jokes around here, i.e. the CowboyNeal option, 1. stupid action 2. ??? 3. Profit, beowulf clusters of everything, insensitive clod, and of course the most recently added SCO jokes, as well as many others I'm forgetting. By far, one of the most annoying of the running gags is IN SOVIET RUSSIA! Being that this story is about Russia, be warned that a veritable slew of IN SOVIET RUSSIA jokes follow this post. Any and everyone has come out of the woodworks with bat in hand for the communal beating of a dead horse. So for those with bats, swing away, today is your day. For the rest of us, strap in and enjoy the bumpy ride of redundancy.

I once tried something similar

[Sara+Chan]

I once tried something similar. I got the telephone number, which turned out to be in Uzbekistan. Then I set up my fax program to repeatedly dial the number, whenever I wasn't using the phone line for the internet. Thus, every time they answered the phone in Uzbekistan, they got a fax machine trying to get through--hence effectively disabling their phone line. And because this was in a different country, they couldn't trace me.

I didn't worry about the cost of the calls, because the people in Uzbekistan soon figured out that the calls were almost all faxes. I reckoned that even if they picked the phone up 10 times a day (to check to see if I'd stopped), it was worth the cost. Calls are only charged when they pick up the phone, right? So I let this go on for over a month.

Then I got my telephone bill. It was in the thousands. It turns out that there are three countries in the world where, if you phone there, you get charged even if no one answers the phone. And Uzbekistan is one of those countries!

I didn't know about that, and I complained to the phone company about the bill. But my case seemed weak because I was, it's fair to say, abusing the phone system. The phone company ended up splitting the bill in half, and I paid the rest.

I don't know if my attempts had any long-term effect on those nice folks in Uzbekistan. But at least I tried.

UK Spam

[jbrw]

Two days ago I got a spam from a local (London, UK) company trying to get me to go to their event. It had a 378Kb attachment to it. Thanks.

The kicker was that the disclaimer said it was impossible to unsubscribe, as it was a carefully crafted one-time mailing list. I imagine i'll be on all future carefully crafted one-time mailing lists for them in the future too.

The email was sent with a from line of "[something]@noreply.com" or similar (which breaches their ISPs AUP), and if I was to contact them via their email address listed on their website, by their logic i'd have contacted them, thus allowing them to continue to spam me (since we'd then have an existing relationship).

So - best course of action? The Advertising Standards Authority, whose standards they ahve breached, seems to be a toothless tiger set up by the industry to pay lip-service to the general public (any ruling against an advertiser seems to result in a ruling of "we advised them to contact us in future before undertaking a similar campaign"). I'm not aware of any specific legislation to stop this (although i'd like to know where they got my email address from. Should I unleash the Data Protection Act?).

So, what's the best way to hit back? Complain to the ISP? File an ultimatetly useless complaint to the ASA? What?

Re:UK Spam

[MythMoth]

If there's a phone number, then leaflet all of the phone boxes in the Kings Cross area with it advertising their "services"...

D.

Since when is sci-fi defined by films?

[SubliminalLove]

In Soviet Russia, the dead horse beats you.

In Soviet Russia

[Rogerborg]

Just shut the fuck up, already. It wasn't funny six months ago, it's not funny now.

In Soviet Russia...

[poptones]

we already ate the horse - and we don't HAVE bats, you insensitive clod!

Re:Russian Rules of the Game

Very arrogant putting Russia among the communistic dictator countries it is a democratic country with free elections just as US.

Very arrogant to put the US among democratic and free countries such as Russia.

Hit them in the pocket.

[aaaurgh]

I recently got on the mailing list of a surf company in Sydney, I've no idea how since I'm in Perth and can't surf (Ex-pom).

I started receiving almost weekly newsletters and updates and, despite numerous phone calls and e-mails with the usual promises to comply, I just couldn't get off the list... then they sent the 2.5 Mb Word document, you know the type!

I e-mailed back and told them that they'd filled up my e-mail account and caused me to miss some important e-mails, plus cost me time and money due to the download costs. I advised them that, as they were now affecting my business, I'd be invoicing them $25+GST administration fee for each and every e-mail I received from then on and that if they didn't pay, I'd hand the account to a debt collection agency - one that takes a cut of the recovery value.

I cautioned them that it would not concern me if I received nothing from the agency but that such action could affect their credit rating. What a surprise(!), I've received nothing since.

If you can justify charging a fee to the spammer for administration or storage or anything like that, sufficient to stand up reasonably in a small claims court, then you should threaten to invoice the spammer and use a debt collection agency - it just might work for you too.

Go for the source

[zornorph]

This is the avenue we should be pursuing when trying to stop spam. Instead of trying to stop the spammers themselves, go after the source (advertiser) instead. If enough advertisers are convinced/shamed/etc that spamming is a bad thing, they will go elsewhere to get their message out, and the spammers will magically disappear.

SETI-style spammer bamming

[G4from128k]

How about an open source software project that creates a piece of software that attacks spammers using a SETI-style approach. Using spare bandwidth and CPU time, the software would repeatedly send requests to the links found in spam.

Repeatedly loading the homepage of some spam-spawning viagra sales site would hurt the viagra sales company. Companies that advertize with spam would find their bandwidth charges skyrocketing and their conversion rates plummetting. The key is to create disincentives for the e-commerce sites that try to flog their products and services using spam. While spammers can be anonymous, the e-commerce sites that use spam to get eyeballs need more permanence. Eventually, these companies would even penalize the 3rd-party spam sending companies for using email lists that generate too many spurious requests or that have low conversion rates (the spammer's pay drops if they send emails that lead to long streams of spurious requests).

Turnaround is fair play: SQL injection

[TheMidget]

Another method of turnaround: Sql injection!

It's crazy how many spam websites are running on IIS with .asp scripts (or even better: .aspx!) as a frontend, and Microsoft Sequel Server as a backend .

Just type a spare single quote into the "remove me from your list" box, and watch as parts of the SQL query are displayed. Experiment a bit, and transform this into a query that clears the entire subscribers list, or that changes their spam messages to something funny, or that keeps the subscriber list but replaces all e-mail addresses by their own whois contact (or better: their upstream provider's whois..), etc.

For starters, the following string often removes the entire list when entered into the remove me box:

' or '' = '

(that's two single quotes between the or and the = sign).

If the site has an "affiliate program" (look around a bit...), the same string entered as a user name into the affiliate programme's login box might let you in, with a little bit of luck. If not, try the following instead (again, there are only single quotes in the string, no double quotes):

' or ''='' or ''='

If it still doesn't help, try to repeat the same string in the password box.

If still not ok, you may need to use a union statement:

x' union all select top 1 null,null,null from sysobjects;--

Start with one null, and keep adding more until the "parameter number mismatch" error disappears. Patience may be needed, certain login scripts require more than 40 nulls! Then start replacing the nulls with your desired password string, and attempt to find a combination which doesn't give you a type mismatch error.

Example:

x' union all select 'zozo', null, 'zozo', null

Then enter zozo into the password box. With a little bit of luck, this method may let you in.

Once you're in, you've access to the affiliate's (i.e., the spammer's) account:

• home address: always nice for a baseball bat expedition, or to pull an Alan Ralsky on the spammer.
• phone number: on your way to work, give your friend a call! One from each phone booth that you encounter! Write the number on bathroom stalls! Post it to slashdot!
• bank account number: well, just change it to your own!
• website URL: change it to you know what
• social security number: post it to as much places as you can
• ...

The benefit of such actions is twofold: not only does it teach the spammer not to spam, but it also tells him that Windows (and especially aspx + Sequel Sewer) is not a very secure technology.

Have fun!

Re:Spam

[Lord+Dimwit+Flathead]

It probably doesn't make a huge difference these days, as most spam seems to be HTML email embedded with webbugs (1x1 image tag pointing at a logging script) so they know your address is valid as soon as you open the email if your client renders HTML. It's still a good idea not to reply, but it's a better idea not to open it in the first place.

In this case though, the article was about calling phone numbers listed in the spam, which if nothing else, at least increases the cost of doing business for the spammer. I'd imagine the parent poster was talking about the same, as email replies aren't likely to impose much of a burden on the spammer. It's a lot cheaper to glance at an email and hit shift-delete than to have an inbound phone circuit and operator tied up while somebody rants at them about the evils of spam.