From Artist To Spam-Hunter
I am Kobayashi writes "Wired has a story about Andy Markley, a graphic artist, whose business domain name was spoofed by infamous spammer Eddy Marin and used to spam thousands of people. After the incident recurred at a new ISP, and at the risk of his business and sanity, Markley fought back. He tracked down Marin through several spoofed email addresses and several hijacked servers, and eventually was successful in getting Marin's current ISP to shut down his account. Too bad he was a graphic artist and not a professional bounty hunter...."
Get 10,000,000 more of these guys and major domains will start accepting mail from innocent bystanders like me that are unlucky enough to be on small subnets again.
You can't judge a book by the way it wears its hair.
Verio is notoriously spam- and crime-friendly. So much so that I wouldn't be surprised if their management sold their children out to child pornography websites.
As for convicted coke dealer Eddy Marin, he deserves horrible and painful death for his actions. It's sad that no one has taken him out yet.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Most can't do anything about it coming into their networks. Going out yes, but coming in, there is nothing that can be done unless every single customer agrees that spam should not reach their mailbox. See, in order to add those kinds of rules to a router, it has to correspond to all. No ISP is going to update multitudes of routers to add one rule for one person.
MoFscker
It would be great if governments like the U.S. gave 15 million dollars to a new force to track down spammers. The penalty for spamming is now 5 years in federal jail. 50 million people signed up for the national no-call list. I bet millions would back such a SPAM squad. It is too bad the government doesn't seem to care.
A scenario: Someone damages you, but it is hard to figure out who it was. You spend money and/or time and track them down. You succeed, and sue them.
Can you include the cost of tracking them down in the damages you are suing for?
Can you sue for more than your actual costs, to account for the risk you took that you'd be unsuccessful in tracking them down (hence your time/money would be gone with no possibility of being repaid)?
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
How might people who receive faked messages track the messages to a source with minimal effort?...
IANAL, but if this guy has as much evidence as he claims to against this spammer, he needs to sue the spammer. The spammer is knowingly committing an act that he knows will cause damage to the business that he is effectively "impersonating". He is doing it to turn a profit from an illegal activity. If proof of this act is available, the victim here could be looking at a pretty stout judgement. If this guy made $750,000 spamming people last year, there's a good chance he'll be able to find an attorney who will pursue this on a contingency basis.
And IIRC, I'm pretty certain the victim can sue the spammer from his home state (especially nice since the spammer is on the opposite end of the country).
What has *science* done?!? -- Dr. Weird (ATHF)
Check this out.
This is from my previous post on the subject, and outlines my plan for eliminating spam, worldwide.
... no problem. Just give us your email address and we'll PayPal you the money. Don't have Internet? No problem: we'll get you the money. My research indicates that, if my plan were to be implemented on a sufficiently wide scale, we could expect to see the end of Spam by next Friday.
Now, fifty to one hundred thousand dollars per spammer may seem excessive, particularly as these people are already intrinsically worthless. However, if you look at the numbers, the worldwide savings that will accrue from not having to accommodate spam will be dramatic, and will far outweigh the actual disposal costs. Furthermore, I am sure that once the ball is rolling, we can count on additional help from our friends and allies around the world.
Of course, some of our {ahem} less-enlightened neighbors might object to our putting out what might appear, at first glance, to be a "hit", or contract, on their nationals. But as soon as senior bureaucrats, heads-of-state, industry leaders and their secretaries begin to notice the comparative emptiness of their in-boxes, I firmly believe that they will quickly come 'round to our way of thinking.
Offer a reward of, say, $50,000 for every bona-fide spammer brought in alive, and double that if he has already assumed room temperature. The beauty of my scheme is that it, like the Internet itself, knows no borders. If someone successfully manages to capture or whack outright a spammer in, say, Nigeria
The higher the technology, the sharper that two-edged sword.
Just today I got an e-mail for a service I actually could have used. But as is my policy, I wrote back that I would have liked to discuss their product, as it appears to meet a current need. Then I said that I could not, however, do business with a company who chose to use spam to advertise.
Very quickly I got a reply stating "if it was spam would I have time to reply" and that I should "cool down" and then get back to them. That prompted a close look at the mail logs and headers of the initial message.
Ok, finally to the "fraudulent" part:
My next reply asked what type of legitimate "non-spam" e-mail has a forged source server name that is the same as my mail server (including domain.) And why, if it was not spam, did the logs have a string of e-mails from his domain to a list of users which looked something like cabrams cadams cbernstein chinkle chobledorf... an alphabetical list of our users' e-mail addresses. And why, if these "non-spam" messages were not just a blanket spam, did the list include e-mail addresses that exist only on one of our web pages and never existed on our mail server? And by the way, "we still will never be doing business with your company."
So (SURPRISE) that the guy wasn't overly worried about ethics when he replied to my first message.
Never did hear back after that 2nd message... but then again mail from their domain is blocked now.
So what ever happened to that great idea of including RMX records in zone files? It would 100% eliminate spam like this (which accounts for the vast majority). I haven't heard anything from either qmail or sendmail implementing it... which sucks.
See, the reason I'm so big on this, is because I consulted at implementing this at Shadango.com (a new, free, filtering service). We started performing reverse lookups and you would NOT believe the filtering success. It was like day and night. So seriously.. try implementing that on your mail servers and see what happens. And if you're just curious and want to see how effective it can be, check out the implementation at Shadango.com
-Fatty
Not that I would dispute the accuracy or honesty of someone who makes a living from such activities as spamming and (apparently) dealing coke... but...
Ya suppose all this money Eddy likes to gush about in interviews comes from an activity other than spamming? Wouldn't spamming make a great way to launder income? It's already a shady, though not entirely illegal business. It wouldn't be too odd to have a customer base that's a little difficult to trace. And it would explain a solid income without any apparent labor, contacts, or business partners.
(not that this little conspiracy theory has plenty of holes - but hey, that's not the fun of it)
What has your experience with SpamCop's system been?
Nothing but good things to say about them, and I've been on the other end too - I've worked in the abuse department at an ISP, and the vast majority of our spam complaints came from SpamCop. They put all the most important info in the subject line and the reports are all formatted consistently, making it very easy to deal with them. We were understaffed for awhile, so the SpamCop reports were the ones I dealt with first, because I could get them out of the way faster.
I also use the service myself. There have been some occasional glitches, which have almost entirely been due to denial of service attacks. These glitches have not caused me to lose mail, but DDoS attacks have caused mail to be delayed on occasion - normally it's delivered in seconds, but I've seen it take a day or so.
The way I have it set up, mail to my domain is forwarded to my SpamCop account, and anything that doesn't get stopped by their filter is forwarded on to my server at home. If I have any problems with my server at home, I can disable the forwarding and use SpamCop's webmail temporarily.
Depending on how you have things set up, if SpamCop thinks something doesn't look right, it is possible to report yourself to your own ISP's abuse department. They don't like that much. When submitting a complaint, be sure to review the list of addresses the complaint will be sent to before sending it.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I haven't seen SPF being mentioned yet.
It's a system whereby you, the domain-owner, via DNS records, explain what SMTP-servers (their IP addresses) are allowed to send email with your domain in the From: header.
To me it really does look like a way to kill spam, if it were adopted.
One spam arrived as I was reading this! And they are still abusing whois/dns. Nice, but this guy has managed to do sweet FA
Relevant supporting evidence attached (my account is hosed, anyway..)
News Story.
-----------
http://www.internetnews.com/
Spam Headers
--
Return-path:
Received: from punt-3.mail.demon.net by mailstore
for johnc@yagc.demon.co.uk id 1A4cHz-0006dB-Fh;
Wed, 01 Oct 2003 08:25:56 +0000
Received: from [24.128.200.166] (helo=h000ae62be489.ne.client2.attbi.com)
by punt-3.mail.demon.net with smtp id 1A4cHz-0006dB-Fh
for johnc@yagc.demon.co.uk; Wed, 01 Oct 2003 08:24:52 +0000
Received: from lcs.mit.edu [59.95.222.125] by h000ae62be489.ne.client2.attbi.com (Postfix) with ESMTP id EDA4562DFCBD for ; Wed, 01 Oct 2003 09:28:33 +0000
Date: Wed, 01 Oct 2003 09:28:33 +0000
From: Tofikequf
Subject: Johnc Receive your Dip1oma 1965936
To: Johnc
References:
In-Reply-To:
Message-ID:
Reply-To: Jolisojap
Sender: Juleka
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Traceroute results
--
3 130.152.80.30 10.121 ms isi-1-lngw2-pos.ln.net [AS226] Los Nettos origin AS
4 198.172.117.161 163.950 ms ge-9-3.a01.lsanca02.us.ra.verio.net [AS2914] Verio
5 129.250.29.136 2.821 ms xe-1-0-0-4.r21.lsanca01.us.bb.verio.net [AS2914] Verio
6 129.250.2.11 6.288 ms p16-7-0-0.r00.lsanca01.us.bb.verio.net [AS2914] Verio
7 129.250.9.210 9.905 ms p4-1.att.lsanca01.us.bb.verio.net [AS2914] Verio
8 12.123.28.130 9.913 ms tbr1-p012201.la2ca.ip.att.net (DNS error)
9 12.122.10.25 13.635 ms tbr2-cl3.sffca.ip.att.net (DNS error)
10 12.122.9.137 12.811 ms tbr1-p012501.sffca.ip.att.net (DNS error)
11 12.122.10.5 54.916 ms tbr1-cl1.cgcil.ip.att.net (DNS error)
12 12.122.10.1 78.542 ms tbr1-cl1.n54ny.ip.att.net (DNS error)
13 12.122.9.130 76.257 ms tbr2-p012501.n54ny.ip.att.net (DNS error)
14 12.122.10.21 81.463 ms tbr1-cl1.cb1ma.ip.att.net (DNS error)
15 12.122.11.194 80.896 ms gbr1-p40.cb1ma.ip.att.net (DNS error)
16 12.123.40.97 80.612 ms gar1-p360.cb1ma.ip.att.net (DNS error)
17 12.125.39.214 81.116 ms DNS error
18 24.91.0.42 81.131 ms bar02-p6-0.wobnhe1.ma.attbb.net
19 24.91.0.154 81.628 ms DNS error
20 24.128.190.57 82.081 ms bar02-p4-0.lwllhe1.ma.attbb.net
21 24.147.0.38 82.124 ms ubr01-p2-0.lwllhe1.ma.attbb.net
22 24.128.200.166 97.001 ms h000ae62be489.ne.client2.attbi.com
/usr/games/fortune > ~/.signature
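An added example, not part of the post above: tracing the `Received:` chain of the posted spam to the last hop that can be trusted. The headers are re-folded from the ones quoted in the post; treating `mailstore` and `*.mail.demon.net` as the recipient's own provider is an assumption drawn from those headers.

```python
import re
from email import message_from_string

# Received headers copied from the post, re-folded so they parse (newest first).
RAW = """\
Received: from punt-3.mail.demon.net by mailstore
    for johnc@yagc.demon.co.uk id 1A4cHz-0006dB-Fh;
    Wed, 01 Oct 2003 08:25:56 +0000
Received: from [24.128.200.166] (helo=h000ae62be489.ne.client2.attbi.com)
    by punt-3.mail.demon.net with smtp id 1A4cHz-0006dB-Fh
    for johnc@yagc.demon.co.uk; Wed, 01 Oct 2003 08:24:52 +0000
Received: from lcs.mit.edu [59.95.222.125] by h000ae62be489.ne.client2.attbi.com
    (Postfix) with ESMTP id EDA4562DFCBD for ; Wed, 01 Oct 2003 09:28:33 +0000
Subject: Johnc Receive your Dip1oma 1965936

"""

TRUSTED_HOSTS = {"mailstore"}              # assumption: recipient's mail store
TRUSTED_SUFFIXES = (".mail.demon.net",)    # assumption: recipient's inbound MTAs


def parse_hop(value):
    """Split one Received value into the writing host and the claimed sender."""
    head = " ".join(value.split()).partition(";")[0]   # unfold, drop the date
    by = re.search(r"\bby\s+(\S+)", head)
    claimed = head.split(" by ")[0]
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", claimed)
    return {"by": by.group(1).lower() if by else None,
            "ip": ip.group(1) if ip else None,
            "claimed": claimed}


def is_trusted(host):
    return host is not None and (host in TRUSTED_HOSTS
                                 or host.endswith(TRUSTED_SUFFIXES))


def trace(raw):
    """Walk hops newest-first; stop at the first header we did not write."""
    hops = [parse_hop(v) for v in message_from_string(raw).get_all("Received", [])]
    handoff, i = None, 0
    while i < len(hops) and is_trusted(hops[i]["by"]):
        handoff = hops[i]                  # last header written by our side
        i += 1
    return {"handoff_ip": handoff["ip"] if handoff else None,
            "unverified": [h["claimed"] for h in hops[i:]]}
```

For the posted message this yields the address the traceroute ends at, and it leaves the `lcs.mit.edu` line as an unverified claim written by the sending machine itself.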
I already had an idea quite like this after reading the story on that spammer from .nz who left the industry after getting harassed because his real identity was made public in some local newspaper... Set up some fund which will pay bounty for accurate and valid information on proven spammers, and set up a directory just like rokso at spamhaus.org. Don't really harass them, just give them the bad feeling that we know who they really are...
sick of sigs... *sigh*
SomethingAwful is a poor example to use in this case. Zack Parsons, in my own hog-fucking opinion, is a child who doesn't understand the basic functioning of email and blocklists and incited the flooding of newsgroup news.admin.net-abuse.email by his idiot subscribers. We saw Zack on the newsgroup and on the above-mentioned page whining like a little girl about his problems.
Oh fucking well. Hosting with a spam-friendly provider could have been avoided. He could have contacted his hosting provider and gotten things straightened out on his own. Inciting his readers to harass the spam fighters because he got his panties in a bunch over his mail not getting through was a bad move, and I'd think it would be an embarrassment for him.
SPEWS and the "collateral damage" concept are one of the few things that have gotten providers off their asses to remove spammers from their networks. Just because some kid's little chat site gets their mail blocked is no reason for the site's readers to act just like spammers, and probably resulted in somethingawful's mail being even more widely blocked than it had been when only SPEWS was listing it.
Indeed, but what about a smaller business that can't afford to go through those lengths? What I'm kinda getting at would be, where's an organization that could do this PROFESSIONALLY for people willing to pay? Think of it as an internet legal strongarm. I would think there would be a demand for a company that specializes in tracking down domain spoofers, contacting the correct people (and after you do it for awhile, you quickly learn who to contact at various ISPs for problems, etc, rather than having to "reinvent" the wheel as we have to do now), getting local authorities involved if there's criminal activity, etc etc, as well as providing a mechanism for "self-policing" member companies. If member A isn't holding up to the group's TOS or Acceptable conduct (for instance, they allow spammers to reside on their network knowingly), the other groups could then collectively pressure that member to yield (you know, backbone issues.. Kinda hard to sell internet service when you piss off Member J who owns your backbone...)
If you were me, you'd be good lookin'. - six string samurai