Where Is Spam When You Want It?
Sean writes "In a complete twist to what everybody else is trying to do these days, I need to attract spam to an e-mail address for a research survey I am conducting. I have submitted a few articles to a handful of Usenet groups, and I have signed up to some general mailing lists but so far I have nothing to show for it. How come my personal account gets 100+ spam each day yet when I try to find it I get nothing? Where should I post my address so that it attracts spam?"
I ran an experiment to do just this... Originally USENET (a decade ago I did that one), web pages, etc... Hundreds of trap addresses across many of the domains in my control -- harvest and block 'em early has been my general method... :)
I recently took 1 Windows 2K box (SP2) and put it directly online in the DMZ type zone. Do NOT patch it and add no virus software. Load some trap addresses (never used before) into the Outlook address book.
It took twelve (12) minutes from plugging it in to getting many, many infections, to the final spam. Typical time is 3-4 hours usually and I've seen the test go for as long as 8 hours.
How many people do you know that use Outlook and may have your email in their address book? The bitch of the matter? No Windows here anywhere, well, except for VirtualPC which makes such tests so damn easy -- too bad Microsoft had to buy them up too...
If you deliberately bait spam, your research will only be about spam as it affects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.
Want to survey spam as it affects a normal, real-life, daily-use e-mail address? Get a new address and start using it as your primary account. Anything less will be irrelevant statistics.
I don't know where Hotmail gets such a bad reputation from. I've had the same account there for 5+ years, and I get hardly any spam at all (5-10 spam messages per day).
Buy a throw-away domain name and post an index page with an email address. You could also use the method where you record the IP address of the spider by generating the email address on the fly, with [IP of spider]@domain.com, and then set up a catch-all email box. Then you are monitoring the spiders' IPs and the mail servers' IPs. This idea was posted on /. a few months back but I couldn't find the link.
pretzel_logic
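The per-spider address scheme from the comment above, as an added Python example that is not part of the original thread. It goes slightly beyond the comment by also encoding the harvest time and an HMAC tag, so addresses guessed against the catch-all are not attributed to a spider; `SECRET`, `TRAP_DOMAIN`, the address layout and the log tuples are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"  # assumption: secret known only to the site
TRAP_DOMAIN = "trap.example"      # assumption: throw-away domain, catch-all box

def _tag(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:8]

def trap_address(spider_ip, epoch):
    """Address to print on the page for this visitor (IP and time in hex)."""
    ip = ipaddress.ip_address(spider_ip)
    payload = f"{ip.version}{int(ip):x}-{epoch:x}"
    return f"h{payload}-{_tag(payload)}@{TRAP_DOMAIN}"

def decode_recipient(rcpt):
    """Return (spider_ip, epoch) for a genuine trap address, else None."""
    local, _, domain = rcpt.lower().partition("@")
    parts = local[1:].split("-")
    if domain != TRAP_DOMAIN or not local.startswith("h") or len(parts) != 3:
        return None
    ip_hex, ts_hex, tag = parts
    expected = _tag(f"{ip_hex}-{ts_hex}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # guessed or mangled address: attribute it to nobody
    cls = ipaddress.IPv4Address if ip_hex[0] == "4" else ipaddress.IPv6Address
    return str(cls(int(ip_hex[1:], 16))), int(ts_hex, 16)

def correlate(deliveries):
    """Map each harvester IP to the relays that later mailed its address.
    deliveries: (recipient, sending_relay_ip, received_epoch) tuples."""
    report = {}
    for rcpt, relay_ip, received in deliveries:
        decoded = decode_recipient(rcpt)
        if decoded is None:
            continue
        spider_ip, harvested = decoded
        entry = report.setdefault(spider_ip, {"relays": set(), "delay": None})
        entry["relays"].add(relay_ip)
        delay = received - harvested
        if entry["delay"] is None or delay < entry["delay"]:
            entry["delay"] = delay
    return report

# Constructed catch-all log: two harvested addresses and one guessed address.
A = trap_address("192.0.2.10", 1050000000)
B = trap_address("2001:db8::5", 1050000600)
SAMPLE_LOG = [(A, "198.51.100.7", 1050003600), (A, "203.0.113.9", 1050090000),
              (B, "198.51.100.7", 1050001200), ("info@trap.example", "203.0.113.9", 1)]
print(correlate(SAMPLE_LOG))
```

The `delay` field is the shortest time in seconds between a spider fetching the page and the first spam arriving at the address it was shown.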
If you deliberately bait spam, your research will only be about spam as it affects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.
The relevance of a baited address depends on how one does the baiting. I'd say that a handful of usenet posts, pasting it to a couple of web pages, use of it to create accounts on websites (e.g. here), etc would be very representative of common patterns of address disclosure.
For the past couple years I've forwarded all emails for a domain to one account. Whenever I give out my email, I give their website/company@my-domain.com and try to ensure they will not spam by doing the usual unsubscribing. Classmates was a violator, however I went back through and reunsubscribed and rarely get anything. The worst offenders I found were morpheus-musiccity, iseekyou(icq), and my-domain. Hotmail was pretty bad when I originally signed up because I didn't unsubscribe at passport.net.
I actually tested that not too long ago. I made a hotmail account, did not use it, or publish the address anywhere. After two months, I found I was getting 10-15 spams a day. So, I started using the 'unsubscribe' links in all of them. In two weeks, I was down to 1-2 spams a day.
Finally, after another two months, it was back up to 8-12 a day. So unsubscribing did seem to work, rather than hurt.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Is the account you want spammed provided by the same ISP as your personal account? It sounds like the ISP you are using for the research account might be doing a really good job killing off the spam before it ever gets to you. In order for the research to be uncorrupted you need to verify that your ISP passes all e-mails through to you, rather than spam filtering.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Also they break up words to avoid spam filters, like the following spam I received:
"Ge ni tal Enl arge ment - Me dic al Bre akth rou gh F or Me n ! 2 a m azi ng wa ys to e nl ar ge y our man h ood - re ad bel ow..
D oct ors work ed for ye ars crea ting a p il l to en lar ge t he ma le ge nit al ia b y len gt h a nd wi dt h. .
T he ye ars of wo rk p rodu ced a pi l l c al led "V P R X", - V P R X P i l l s inf o c li ck her e
a nd al so a pa tch simi lair to the qu it sm o king pat ch . - P e n i s P a t che s i nf o cl ic k her e . "
I just hope they don't discover this, which is much more readable and still produces the same filter avoiding results. Fortunately Bayesian filters learn these tactics and significantly reduce their useable lifespan. Expect to see the face of spam change more often and more dramatically with the widespread adoption of such filters by AOL and others.
do questions like this make it to the front page?
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
I used to have a hotmail address that would get bombed with over 25 emails a day. Then just recently I stumbled on a free service called shadango.com. It uses SpamAssassin (which so far has worked remarkably better than hotmail's filtering) and it allows me to check multiple addresses all from the same interface. I don't know if services like this are the answer to the spam problem but it's definitely worth checking out.
About 3 or 4 years ago I started buying things on ebay. As a student, I spent much of my day on campus. Many times, if I needed to get on the internet, a workstation wasn't always available or convenient to get to. The school did have many old 386 and 486 linux boxes that did nothing more than ssh into PINE for email. These things were all over the place. So sometimes I needed to be notified of bidding while I was out. Without thinking, I had these sent to my school account. Nobody outside of friends, family, or school related people ever got my address besides ebay. In one year's time, I was getting so much spam that my account (60M quota) would overflow up to 3 times a week. I found myself logging on between classes to delete 30-50 messages. Eventually, I paid the school $25 to give me a new name on the network. This time, I still have only given my address to friends, family, and school related people... but no ebay this time. 2 years later I still have to get one piece. It should be noted that my school has promised to NEVER use any sort of filtering. They cite censorship concerns, but I have some thought otherwise.
Look up FFA on google and submit your E-Mail to their forms. You should within minutes get a constant stream of spam that will never ever end.
"After all, it's their product that set the stage for all of this."
Microsoft isn't responsible for people's actions. Would you want Redhat to be responsible if an exploit was found in their distro of Linux?
Me personally, I'd want them to be encouraged to fix it (i.e. risk losing sales etc.), but I wouldn't want them liable for somebody else being a shithead.
Liability in a case like this is a double-edged sword. Besides, every time something like this happens, everybody gets stronger. Microsoft (eventually) fixes it, the Linux Community has something they can make sure never happens to them (as well as Apple, etc.), and end users get stung and learn better computing practices. Me personally, I run Windows everywhere. Thanks to all these exploits (though none have hit me yet), I'm much better about making backups and I'm far less dependent on Windows being reliable. If I switch to Mac or Linux, then I'm a smarter user in those cases as well.
So, in short, spare us the 'Microsoft should be responsible' argument. Don't stick Microsoft with a responsibility that you wouldn't want your own favorite OS (developer?) to fall under.
"Derp de derp."
What you're describing is called the attractive nuisance doctrine, and really only applies to the situation with the neighborhood kid, not to an adult upon whom different expectations are placed.
One could argue that the real issue is negligence, but proving negligence turns on the phrase (from the referenced definition) "the care of a reasonably prudent or ordinarily careful person in the circumstances".
It's unclear whether or not you'd be able to point to an "average user" and call them "ordinarily careful", in which case you'd definitely be doing about what's average. It might, instead, turn out that the court would say "you're a professional, a sysadmin, and we hold you to a higher standard of "reasonable prudence" by virtue of your knowledge of the consequences." This would be analogous to the trained fighter or black belt getting into a fistfight and whaling on some poor schmoe. Regardless of who "started it", the fighter is going to be held to a higher standard of control and "carefulness".
Of course, that said, you could also use a defense based on trespass, in which you argue that, because the attacker was not authorized to use your system, as long as you weren't specifically stockpiling "munitions" there :-), you're not liable for the attacks based out of your system. I'm not sure what case law in the real world says about this. If you left your front door open and a sniper walked in, sat down in your living room, and started taking potshots at passers-by, would you be liable? Would the court say that, because you failed to lock your door, or deadbolt it, or whatever, you were negligent?
Tough to say, these days.
Thankfully, I'm not a lawyer, so I don't have to worry about such weighty theoretical issues :-)
I agree with you, but at the same time I also believe the issue is not the same. The machine with Outlook installed is what Microsoft provided. Using your arguments you could argue that installing Outlook on a machine is the same thing as putting a destructive virus on a floppy and leaving it in public place. Wouldn't the creator of the software/virus be held liable?
Actually, this is not necessarily a bad solution, and could provide a useful experiment.
Get spam sent to other people with "opt-out" instructions. The common wisdom has it that a significant number of the opt-out deals really verify your address for spammers. Try asking for your e-mail address to be removed (even though it's not really there), and see what happens....
R David Francis
... 22Megs, because I've been saving it to train Spamoricle.
Post your e-mail address here and I'll send the spam.tar.bz2 file to it.
There, what could be more helpful?
I tried to put up what looked like an open proxy on port 8080, which simulated the right error codes in case people connected to port 25 out in town.
Within a week I was getting 100.000 spam mails a day. Within 2 weeks I was over 1 million spam mails a day.
So just pretend to have an open mail server, and you can get all the spam you want, and harvest all the addresses you care about.
Here's a neat trick that I figured out for building a "honeypot filter" that identifies and blocks all incoming mail that matches the spam harvested in a honeypot e-mail address before any e-mail is delivered to personal mail accounts. Since the honeypot address is used for nothing else but harvesting spam, using the spam received in the honeypot to identify and block incoming spam guarantees that there will never be false positives (which is more than most filters can say). If the honeypot is being spammed by the worst offenders, you can be sure the spam that is being received there is being sent to millions of others. This honeypot technique is one of the simplest solutions for reliably blocking spam, but it is contingent on having the honeypot being very thoroughly spammed.
So, here's the hack for getting a honeypot address into the databases of real spammers.
First, you need an existing address that is thoroughly infested with spam. If you look at most spams, they usually have something at the bottom that says something to the effect of "click here to be removed from our mailing list."
In some of the spams that I've looked at, the link has CGI script variables in the URL. You'll probably see the e-mail address in one of the fields. Replace this e-mail address with the address of the honeypot address, and go to that site.
The page you go to will usually have two options: "remove me from your list" and "Please continue to alert me of special offers". Select the latter, and submit the form. The e-mail address you substituted into the CGI script will probably start receiving spam real soon.
Some spammers will spam you even more if you click on the "remove me" list, because it just proves that the address is live. Before you click on the link, copy it, and edit the field in the CGI script that looks like an e-mail address, substituting the honeypot address for the one in the link. Then, go to the URL and "remove" yourself. You are likely to just start getting spam in the honeypot, especially from unscrupulous spammers.
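A sketch of the matching side of the "honeypot filter" described in the comment above, added here as an example and not taken from the original post. The comment does not say how messages are matched, so the character-shingle Jaccard comparison, the 0.6 threshold and the sample messages are all assumptions; stripping everything except letters and digits before comparing means a copy with re-spaced words or a different offer code still matches.

```python
import re
from email import message_from_string

def body_text(raw):
    """Concatenate the text/plain parts of an RFC 822 message."""
    msg = message_from_string(raw)
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")

def shingles(text, k=8):
    """Set of k-character windows over the text with everything but
    letters and digits removed, so spacing and punctuation tricks vanish."""
    flat = re.sub(r"[^a-z0-9]", "", text.lower())
    return {flat[i:i + k] for i in range(len(flat) - k + 1)}

class HoneypotFilter:
    def __init__(self, threshold=0.6):   # assumed value, tune on real mail
        self.threshold = threshold
        self.known = []                  # shingle sets of honeypot mail

    def learn(self, raw):
        """Record a message that arrived at the honeypot address."""
        s = shingles(body_text(raw))
        if s:
            self.known.append(s)

    def score(self, raw):
        """Highest Jaccard similarity to any message seen in the honeypot."""
        s = shingles(body_text(raw))
        if not s:
            return 0.0
        return max((len(s & k) / len(s | k) for k in self.known), default=0.0)

    def is_spam(self, raw):
        return self.score(raw) >= self.threshold

# Constructed sample messages (not real mail).
HONEYPOT_SPAM = ("Subject: Refinance now\n\n"
                 "Lower your mortgage rate today. Click here to refinance "
                 "and save thousands every year. Offer code 48121.\n")
INCOMING_VARIANT = ("Subject: Re fin ance\n\n"
                    "Lo wer yo ur mort gage ra te to day. Cl ick he re to re fin "
                    "ance and sa ve thou sands ev ery ye ar. Of fer co de 77302.\n")
INCOMING_LEGIT = ("Subject: Lunch\n\n"
                  "Are we still meeting at noon on Thursday? I booked the small "
                  "conference room for the mortgage paperwork review.\n")
```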
hmmmm... this must do something really interesting to the computer or disk to have a warning like that...
Next step would be to see if I could induce what the intent behind the restriction would be. If I couldn't reason it out, then I might be tempted to try to dupe the disc and put it in another computer (*Always* mount a scratch monkey.)
In fact, putting an admonition involving tech in front of a geek is like putting something bright and shiny in front of some people.
but on the other hand you just found a way to physically "tar pit" a geek for a better part of an hour....
______
Once: you're a philosopher. Twice: a pervert.
Hotmail gets a bad reputation because it is attacked FAR more than any other mail server out there, with the possible exception of AOL. The problems with Hotmail are two-fold:
1. There are so many users of hotmail that you can easily end up with a previously used address (so even if you never give out your e-mail address, the previous owner of that address may have signed up to all sorts of crap). What's more, anytime someone puts out their hotmail address with a minor typo (either intentionally or accidentally), it is usually a real address belonging to someone else.
2. Hotmail is CONSTANTLY being dictionary-probed by spammers. They have been subjected to this sort of dictionary-probe attack for over a year now. This is especially a problem for people with short (6 characters or less) usernames. If you have a username that is in any way related to a word or name and is fairly short, you will be probed.
Another major problem with Hotmail is that until recently it always opened all remote "images" by default. Almost all spam now comes with a "tracking image", which is just an HTML "IMG" url that points to a script to record your e-mail address. End result, if you open the message, the spammers know they have a live address even if you don't click on anything. Hotmail now has the option to disable remote image loading, though I don't know if it's turned on by default or not.
General wisdom suggests that some of those companies do unsubscribe you, but then they sell your email as a verified good address. By unsubscribing you they can claim in court that they are honest and ethical, after all they can prove they unsubscribe everyone who requests it. Selling that address is sleazy, but they figure they have a better chance of getting away with things, plus make some money.
Online sweepstakes are a great spam generator. Sign up for Publisher's Clearing House and opt-in to everything.
Your fantasies contain the seeds of important concepts.
Easily the three best ways to collect spam are to create a hotmail account. Then register a brand new domain with that address publicly available. Then join match.com (I think they still offer a free trial of some kind) and watch the spam pour in.
My wife created a unique (with numbers) hotmail account when she joined match.com (we met on matchmaker.com) and used it only for that purpose. Today she gets hundreds and hundreds of spam on it even though it's been entirely inactive for 3.5 years!
Match customer service claims they don't sell addresses and that it's hotmail's fault. Either way, the two together seem to be a quite effective spam trap.
Of course, if you're just looking for a corpus of spam to test against, there's plenty out there. Google for +"spam corpus" to find several good sites.
Hope that helps....
--D
Seriously, I ran in 2002 and made the mistake of giving my preferred email address to anyone who wanted to contact me, of course, every newspaper in my district posted it on their website, leagues of voters same, etc.
I now get about 50+ spams a day... nicely controlled with SpamAssassin.