From Artist To Spam-Hunter
I am Kobayashi writes "Wired has a story about Andy Markley, a graphic artist, whose business domain name was spoofed by infamous spammer Eddy Marin and used to spam thousands of people. After the incident recurred at a new ISP, and at the risk of his business and sanity, Markley fought back. He tracked down Marin through several spoofed email addresses and several hijacked servers, and eventually was successful in getting Marin's current ISP to shut down his account. Too bad he was a graphic artist and not a professional bounty hunter...."
Get 10,000,000 more of these guys and major domains will start accepting mail from innocent bystanders like me that are unlucky enough to be on small subnets again.
You can't judge a book by the way it wears its hair.
Here we see the Spammer in his native environment. Let's pull his network connection and see if we can get him riled up. Crikey, look at 'em dial tech support!
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Qualified candidates must be professional bounty hunters with verifiable experience and verifiable references.
Yes, my name is Boba Fett and I worked for a Hut called Jabba -- this was a long time ago and in a remote galaxy. During my tenure with Jabba, I successfully tracked and captured Han Solo, wanted for failure to pay back a sizable loan.
I'm fully familiar with the use of various weaponry, grappling hooks, and personal rocket packs. I have also done consulting work for Mr. Vader, a well known businessman who spearheaded the creation of a large spherical space station.
References available upon request.
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
So, this is identity theft. Why can't spammers be prosecuted for assuming somebody else's "identity" and doing business/making money at the expense of others? This practice is illegal and there must be a legal precedent, yes?
Visit Jonesblog and say hello.
> Their character is rarely that of a saint.
Maybe not, but I've seen spam from monks selling laser toner.
Seriously, someone should tell the monks that spamming is not good.
"And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
No one does spam filtering at routers. There are filters and blocklists, but they have nothing to do with routers. Long ago particularly egregious spammers were blackholed at the router level, but that hasn't happened for years.

No ISP can stop all spam, but given enough resources we can stop most of it. The problem is usually somewhat like you allude to: there is a certain set of people with an absolute horror of a non-spam message being bounced. They claim "loss of email", and thereupon close their ears.

But there is a more insidious foe, the scan-and-delete error.

Most admins today have two basic ways to stop spam -- blocking and user-based filtering. Blocking rejects spam detected (via filter or blocklist) and puts the onus on the sender to re-establish the communication. User-based filtering puts the onus on the recipient to review their spam folder and look for "false positives".

And there are three ways to play your two tools.

1. Little or weak filtering or blocking means communications are lost as people have scan-and-delete errors due to battle fatigue from their daily fight with spam in their mailbox. Much legitimate email is lost, and it is lost and *neither party knows it was never read*. This collateral damage is spread over every part of the net, spam-friendly or no.

2. Aggressive filtering and tagging for dropping in the user's "spam" folder means that legitimate communications are tagged as false positives. People usually don't scan their spam folders carefully, because such a high percentage is spam. Again, legitimate email is lost and *neither party knows it was never read*. This collateral damage is spread over every part of the net, spam-friendly or no.

3. Aggressive rejection of email via blocklisting causes some legitimate email to be rejected. However, that collateral damage is limited to spam-friendly parts of the Internet. The sender knows full well it was not read and can re-send the message via another channel if it is important. This knowledge also allows them to take action to correct blocking errors, and heightens awareness of who is not doing their part to fight spam.

To me, selecting #3 is a no-brainer. When legitimate email gets lost, the sender knows it was not received. And it is almost all lost from networks participating in the massive denial of service attack on the Internet at large that is spam.

AOL, for example, does a simply outstanding job of making sure spam is not sourced from their network. They don't allow spam hosting of any kind. I *never* want to lose mail from them. Same with Earthlink, MSN, and Hotmail. They deserve that consideration due to their effort. If my users lose mail from them due to scan-and-delete errors, I have not done my job. I would much rather have them lose email from the people who pay the spam-friendly providers. (And no, folks, those fake hotmail.com addresses in the From line don't mean they source spam.)

You can do filtering at the MTA level too with rejections, but I don't do that except with filter settings that have a near-zero false-positive rate.
The spammer was forging mail from one of my domains. Since the domain name was a registered trademark, I had some extra leverage. ISPs have a "safe harbor" for E-mail content, but not for trademark infringements.
I ignored where the mail was coming from, and concentrated on where the money went when you placed an order. The spammer had two phony "billing companies", with phony addresses. Accepting credit cards without providing a valid business name is illegal in many states, so, by sending appropriate letters to the ISPs that hosted his billing sites, I was able to turn off his income stream. The sites reappeared on other ISPs, but with some work, I was able to get his domain registrar to lock some of his domains.
This is an effective tactic. If you file an "incorrect whois data" complaint with the Internic, and the registrar can't contact the domain owner, the domain goes to "locked" state. Then, if you get the hosting company to dump them, they can't move the site. In this case, the spammer operated his own DNS servers (triply redundant, on different ISPs), so I had to get all of them kicked off various ISPs.
By now, I'd had this guy kicked off ISPs from Dallas to London to Sao Paulo. This was made easier by the fact that he was paying for much, if not all, of his hosting with stolen credit card numbers. Since his porno sites generated credit card numbers, he could keep signing up for new hosting accounts with his customers' credit cards. That doesn't work once the ISP knows who to look for.
Finally, the guy retreated to his home ISP in St. Petersburg, Russia, where he apparently felt safe. That took a while to crack. I found out that the upstream provider used by the small St. Petersburg ISP was a larger telecom company in Moscow. That company was in the process of doing an initial public offering on NASDAQ. I talked to their investment people in New York, and eventually received a call from the Russian telecom's CEO. It turned out that we had some friends in common, and that he knew about the small St. Petersburg ISP as a known problem.
With that connection, I had some discussions with the St. Petersburg ISP, which kicked off the spammer. He came back with new accounts the next day. I got those accounts closed. This went on for several weeks. Finally, after some additional prodding, the St. Petersburg ISP shut the guy down and kept him shut down.
It's been months now, and the spammer's content is nowhere that Google can find it, so he seems to be out of business.
The key to dealing with spammers is to follow the money. While dealing with this problem, I talked to bankers, the people who developed his billing system, and a company to which he'd outsourced web design. Eventually, a picture of the spammer emerged. This was basically a one or two person operation devoted to stealing credit card numbers. Once I knew that, getting cooperation in shutting the guy down was reasonably easy.
Trademarking your web site name gives you some additional legal options, and is definitely worth the $450 or so it costs. When you raise a trademark issue, the problem escalates to the ISP's legal department, and you're no longer dealing with the customer service people.
Once you get to the legal people, and fraud is involved, you can point out that the ISP, once informed of the problem, is knowingly aiding and abetting a fraud scheme. This usually results in quick action.
It's always useful to check business license and corporate filing data. If you find a Whois entry for Phonycorp, Inc. at a Mail Boxes Etc. address, find out whether the company has a business license (where required) and is registered as a corporation in the state. If they don't, they're doing business illegally. So report them to the IRS, the state tax authorities, and the local authorities. ("Hello, City Assessor's Office? I'm trying to locate the offices