Attacking the Spammer Business Model
Stephen Samuel asks: "Spammers spam because it's an 'easy way to make money'. They send out millions of spams knowing that 99.995% of them will be ignored, but the other 0.005% of responses are pure gold (Andrew Leung at Telus has an excellent report on the economics of spam). Responses to mortgage spams are reportedly worth $50.00 each. What would happen if, instead of technical and legal approaches, we simply started attacking their business model? If people started responding to just 1% of the spam we received, spammers would drown in the responses, and the mortgage spam responses wouldn't be worth an email, much less $50. The Nigerian Sweet Revenge is an example of this. The nice thing about this sort of statistical approach is that it would start to reward spammers for sending out -fewer- emails. (fewer emails -> fewer bogus responses). What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?" Of course, the one major drawback to this is the likelihood of more spam, since you'll be giving them a valid email address. However, many of you may be receiving increasing amounts of spam as it is (even through your filters) so might an organized spam-the-spammers movement work?
The top 1% of spammers who can afford the bandwidth and the hardware could still theoretically handle the volumes of email they would receive. Then they just have to expand their operations to go after the potential business contacts.
Now what about sending them bogus email addresses and phony information? That would send them on a wild goose chase.
Homestarrunner.net -- It's Dot Com!
Why? Sheesh, I don't know, but whatever story gets posted here, someone always claims it's a good thing, so I figured it might just as well be me this time.
--
What short sigs we have -
One hundred and twenty chars!
Too short for haiku.
"What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?"
Break their fucking legs, and arrest.
evil adrian
Sorry, I don't think it will work. 90% of my spams are either gibberish or are otherwise not selling anything. Passages from Shakespeare and the like or blank emails are pretty common for me these days.
I thought it was $1499?
They work by flooding us with crap, hoping that they get one in a million to answer. We could fight them by flooding them so they have to look through a million emails to find the one legit order. Hmmm...
Sorting through a pile of junk to get the stuff you're looking for. Sound familiar email junkies?
Refuse to make a statement in your sig!
what if we sent all the replies through anonymous remailers set up specifically for the task, or even better, had a system that you could forward all your spam to that would do the replying for you - from an address that would send a random spam back in reply to anything you send it - you would literally spam the spammers.
The best way to get at these spammers, is not to use a spam filter, because even the best aren't always reliable.
:-)
What you should do if you are serious about getting on the nerves of some spammers is create an extra e-mail address for yourself that you send responses to spammers with, and get replies(maybe) in. Eventually, you could take all of those spam messages in that email box to a judge somewhere and win yourself a considerable amount at the pocket of a crass spammer somewhere.
So long as we can outthink them, we can win.
Well, in the short run, loan referrals are STILL worth $50, so spamming a spammer who is doing that will result in an insane windfall for said spammer. And if the reverse attack isn't sustained... well, it just pays for a new boat and house in Tuscany for the spammer. Then it's back to spamming as usual. I vote against this plan unless you guarantee you can sustain it.
This works fine for spam that requires a valid return address, but what about all the spam that is just trying to get you to visit a website. Replying to such a spam just gets you a bounce message.
Does this mean I now have to read all my spam to decide which I should reply to and which I should ignore???
Somebody suggested this in another /. article talking about spam: For those of us with our own mail server, just create a unique email address to respond with.
Once you're done messing with them, just kill the address. Not exactly a foolproof solution, but I don't see why it wouldn't work most of the time.
Dark Nexus
"Sanity is calming, but madness is more interesting."
Here's a link to the article.
http://www.paulgraham.com/ffb.html
Let's do it. Spammers earn easy money destroying one of the most valuable inet tools, the email.
They only will stop if they make no money.
Reply to EVERY spam. Heck, set up a site where a spam is displayed, and every member of said site goes to the spam's link at say 12:00 EST. The resulting delta-function like demand should break their server, and prevent their legitimate customers from entering. So sending spams, or paying direct advertisers will COST your business. 100000 spams won't be worth $50, but $-50000.
Karma: Excellent^(-t/Tau), Tau=Wittiness/Trollishness
A couple of approaches I use are as follows:
1) Any 419s I receive get strung along for as long as possible. After reading the article about this the other day I'm now going to be getting pictures and being more sneaky, thanks /.
2) Penis/Viagra/Porn spam gets a good ole wget 1000 times to whatever link is in there
3) I usually forward any spam I get on my real email address to Cliff@slashdot.org after he posted my address to /. even though I requested he not do so.
Anyway, I'm hoping I'm at least costing them a little money. I know it's pretty much a lost cause, but hey, I might as well try, right?
Public flogging or removing the right index finger (mouse clicking finger) for first offenders, followed by additional fingers for each further offense.
Or hire a hit man and kill a few spammers. Nobody would really care, just like nobody got outraged about that guy who shot the lawyer who had cheated him out of the insurance settlement he needed for surgery to fix injuries sustained in a car accident. Juries have a way of overlooking some things when they address serious social problems.
Most spams I get are trying to convince me to click on a link rather than reply by email. Perhaps we should all just click the links to confuse the spammers instead?
Think about it! Someone has to be paying the spammers. Track those people down and beat em till they learn their lesson.
I'd say the vast majority of spam that I get is just a vehicle for delivering a URL. The spammers don't want a reply, they want you to go to their website.
Frequently, I get spam that seems to be selling NOTHING. The reply-to is invalid, and they don't bother including any kind of URL.
On the bright side, the vast majority of my spam gets caught in the filters - so I only see it if I check the spam folder. And may the spam rot there...
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
They will just start requiring credit card numbers in the response and putting an invalid credit card number in a response might be illegal in some places.
Spammers make money because people PAY them to send out millions of spams to advertise online drug stores or whatnot.
How about someone set up a few mail servers in China or something and we plug in the e-mail addresses of the spammers and just inundate their emailboxes with ...yes, SPAM!
We should also spam their ISPs after a generous warning.
Spam is out of control, and I think everyone here knows that until some universal SMTP replacement or SMTP extension is implemented, spam ain't going away.
If we could make spamming illegal--
1) Go after the people who employ spammers. Surely the product they inundate us with leads to real people.
2) Prosecute those people to the full extent of the law. Make examples of the first few thousand.
3) Result-- nobody will hire a spammer, and it GOES AWAY.
End of *MY* business model!
It feels good to cost the spammers some money, even if it does waste your time to do it.
The only downside is I don't think many spammers use this approach, but it'd certainly be effective against those who do. I don't think it'd be illegal (as long as each person didn't call more than once) either, but IANAL.
I get lots of ads for things which they don't expect or care about responses. They in fact don't provide any way to respond. They just want you to read the message. If we take the time to read the message how is that hurting them?
...is that the majority of spam I receive has forged headers, so I would in effect be sending the bogus replies to some poor sucker who had no idea their email address was being used as the "From:" header in a major spam operation.
The number of spam emails that get through SpamAssassin because of forged "From:" headers is ridiculous. And worse is the number of bounce messages I get because someone has used my email address as the "From:" header in a massive spam mailout.
Somebody needs to write a spammer-Denial-of-Service application that plugs into your mail reader and collects email addresses, then synchronises up with all the other people in the world on an anti-spam server - and then coordinates a reply flood to the spammer, hopefully crashing their servers.
...for anyone who buys anything as the result of receiving spam. Anyone that fucking stupid doesn't deserve to live.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
If somebody found and posted a spammer's server IP/email@address/etc. couldn't we /. it?
Most of the spam I receive doesn't ask me to reply to purchase anything. They simply direct me to a web site of some sort. This eliminates mass-email replies as a possibility. If they use web forms, they can easily tell legitimate orders from phony ones by verifying the credit card numbers, phone numbers, addresses, etc.
They might get paid per impression. Better to use something like lynx and only hit the server but don't download any graphics.
I run several domains and use multiple blacklists. The blacklists are incredibly effective, especially those which are country-wide like taiwan.blackholes.us and china.blackholes.us. I, and the other users of my domain, don't communicate with people in China or Taiwan. If I disable the blacklists, the ONLY thing that comes to us from those countries is spam. It has a tremendous impact on the amount that I get. Because of those punitive "broadlists", many ISPs like AT&T and PSI who used to write "pink contracts" and host spammers no longer will. The broadlisting makes harboring spammers unsafe. AT&T is not going to piss off their entire subscriber base just to get one big pink contract from some spam house. It's not worth it to them. Many ISPs, especially dial-up ISPs have blocked outgoing port 25 so spammers can't use them for throwaway accounts from which to spam. No ISP wants to risk some spammer paying $9.99 for a month of service which will get the ISP blacklisted.
As a programmer working to keep the data flowing smoothly part of my job entails building programmatic methods of detecting false data. Some of this is easy (i.e. people who put "I WANT TO RAPE YOUR DAUGHTER" in the first name field). Sometimes this is harder. IP checking helps, but distributed attacks are always a difficult thing to catch. However, all that said I don't know that this would be a significant problem.
One of our upcoming process changes will include an attempt to contact each customer via phone or email to verify their order before following through with it. Further, automated credit-card checking will automatically drop orders with bogus data in them. CreditCard declined statistics would rise, but ultimately it wouldn't be that much hassle.
If you really want to hurt a spammer, get thousands of people to order a product, then send it back and charge-back the order on their cards. Creditcard merchant accounts have limits on the chargeback rates, and when they get too high the merchant provider will cut you off. Of course you have to front the money and the hassle, and at the end of the day there's only 1 less spammer out of a million (unless he tries to find another merchant provider and succeeds). But for some, perhaps the cost-benefit analysis would still find it worth it.
Total Due: $0.02
...to make a good self-service site for that : As in, you go to the site, where you can choose between your different spammers, er, I mean : 'potential sellers' (maybe even choose more than one 'penis-enlargement-cream-seller' at once) And once you've chosen, you would be able to submit your order : Supplied with random name and address. The costs to uphold this site could of course be done by banners ;)
I like the idea of getting back at spammers this way and I think it could potentially destroy some of them.
Hell, if it would mean getting one less spam-email a day, it would be worth it.
Although I like the idea (since we can't really implement my preferred method of dealing with spam, "hunt them down and kill them in the most painful way imaginable"), I see one major flaw with it...
Namely, the very methods we've come up with to avoid spam would work for the spammers.
How long do you think it would take before, in addition to lists of live email addresses, spammers also begin keeping lists of "people wasting our time"? I'd give it a week, if this really caught on suddenly.
For that matter, I believe this would leave them in a better position than now, since they'd not only have a list of people who won't buy from them (allowing them to cull their list of live email addresses a bit), but also a list of people likely to actually take steps to stop spammers.
Think about that for a minute - The few spammers we have managed to put out of business have gotten nabbed by a few small groups of dedicated, annoyed, and technologically-savvy people. Taking action along the recommended lines would give the spammers a way to identify and steer clear of similar groups of people.
While some of us may consider that a win ("they don't bother me anymore"), I think most of us realize that we need to do more to stop spam than unclog our own individual inboxes - We need to permanently shut down all spammers in general. Or, put another way, my filters already block most of the spam I get (literally over 300/day now). That doesn't do a damn thing to help friends and relatives who don't understand how to maintain a good filter (like it or not, good spam filters require a fairly high level of understanding about the workings of email to properly tune - Not so much to simply block spam, but more importantly, to not block legit email).
I like that people keep thinking about this problem, and eventually look forward to a good solution. This does not seem like "the" solution, though.
You have to sue the agency the spammer is representing.
If you want to make the point across without litigation, every time you get a spam for say, "Salted Seabass Inc", you would farm out a list of email addresses for that company, and subscribe them to 50-odd mailing lists. Then using an anonymizer announce to the head honcho of the company since they feel spam is a legitimate business model, you felt you had some offers they would be interested in.
Even the best corporate filters will mess up on blocking a certain amount of spam. And being on that many mailing lists will guarantee a steady influx of this crap.
You have to remember, shooting the messenger only works until the writer can find another messenger. If enough of these companies learn that using the services of a spammer is not acceptable, the more they will want to steer clear of them.
Sure you will have your non-US entities trying to sell stuff, but you have to admit, 90% of this crap is about US-ran websites, so going after the firm being advertised is the wiser choice.
Actually, I heard of someone being asked to reply to SPAM for pay.
The deal included getting free use of a dialup account.
The basic process was to dial up, read the email of the account, reply to one SPAM in the email box with realish information, disconnect, and repeat.
Sorry to hijack this very interesting broadcast on Spamming. But wouldn't the proposed tactics also be useful with our friends in Utah? Send them a windfall of daily inquiries about their product line from their "ever growing customer base" of Slashdot readers. I mean, aren't you guys interested in getting the scoop on all the latest and greatest offerings that they may have to offer? I have heard that the next version of Uselessware has a built-in posting prioritizer that greatly improves your chances of reaching the ever-more-desirable nirvana of a first post.
Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
Andrew Leung at Telus has an excellent report on the economics of spam
The link seemed to be slow, so here's mirror: Go ahead, slashdot it to your heart's content
Not that I'm advocating not fighting spam. But I read this article a few days ago on kuro5hin, and it strikes me as stupid. If you want to go after the spammer business model, make laws that hold those who advertise for spam liable. Don't waste your own time with this. It's a losing battle.
you could have spammer spamming software :). Imagine if every time your filters tagged a message as spam it could send an auto reply with a forged header (fake email address and stuff like that, assuming this doesn't get ruled illegal). Then the spammer would get a randomly generated email along the lines of:
Yes, I am very interested in your product. Please send more information to my address at fictionalPerson@non-existantDomain.net.
Now that would be funny.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The problem is that with spam we often have no address to send anything to, or the address we have is one that will do any good. It is like those 'work at home' signs on the road. We may think we are attacking the business plan by calling the number and racking up minutes, while what we are really doing is making the business plan succeed by enriching the person at the top of the pyramid.
So, we can't reply by email, because the address is likely either bogus or that of an innocent party. If we go to the web site in an effort to consume bandwidth, we are likely going to receive a couple ads that will then make the spammer money. For the spammer to make real money, spam has to generate a real contact, which means that we must supply the contracting company with real contact information, which will then likely get sold to many other companies.
The 419 anti-scams work because the people invest a lot of time and money. I suppose if we all get throw away fax number, voice mail number, and PO boxes, we could mess with the spammers. But is the expense really worth while. Sure such things would only cost each of us 10 dollars a month, and would cause spammer and the evil companies they work with a lot of money, but not like the 419 thing, would not likely change much at the end of the day.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
No, the real solution to the spam problem is to identify and prosecute them, then dress them up in pretty frilly lingerie, and drop them into prison cells with hairy-backed guys named Bruno and a bucket of chilled champagne.
I like the idea of sending stuff back to spammers and I don't mind sending it from an address that I've created for that purpose but, even better I'd like to get other spammer's information and submit that! Perhaps we could create a database of spammers information or create a newsgroup to exchange this information. This way, we could inconvenience them twice, once when they get the bogus reply and once when they are spammed by other spammers!
What other ways can people think of to attack the spammer business models
A spammer can still spam with broken legs, and possibly get out of an arrest. Typing with broken fingers, well... at least they'll be off spamming for awhile until they can toe-type.
Just look where the links go to copy paste then post their e-mail addresses around, cook, stir, repeat !
2 .c om&next.x=0&next.y=0
http://www.easywhois.com/index.php?domain=aline
Bot food !
yizhewang32@yahoo.com.cn
Yesterday reading another /. article got me thinking. Why not create a p2p network that identifies spam by creating honey buckets that track spam objects (that identify characteristics of messages frequently sent to the trojan horse addresses), for example their total size in bytes and hashes of parts of the message. You could even hook it into spamassassin. But the idea really is that the network should be able to identify spam by having largely the same message but with small modifiers - and do this in real time. When a certain percentage of the machines participating in the p2p honeybucket become annoyed by the spam, the whole network starts flooding the spam relay.
:)
Now a lot of spam relays do not know they are spam relays, and their IPs are just silently black listed without them even caring. Spam is largely a security issue, and it is because it does not cost companies (most of the time) to have this hole in their network that they do not fix the security issue.
Remember back when ip directed broadcasts were enabled and every packet kiddie on irc was smurfing anyone they did not like. Administrators fixed that issue because it cost them not to (when all their bandwidth was being used up by packet kiddies). Spam can go unnoticed by many of these admins, and a ping of death from a 1000 node p2p spam honeybucket may be what it takes to make these admins fix their networks.
Just a thought.
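The detection half of the honeybucket idea in the comment above, as an added example that is not part of the original thread: hashes of overlapping word runs let near-identical messages with small per-recipient modifiers match, and a message is only flagged once a quorum of honeypot nodes has reported it. The shingle size, thresholds, node names and sample messages are all constructed for illustration.

```python
import hashlib
import re

SHINGLE = 4    # words per hashed "part of the message" (assumed value)
SKETCH = 64    # smallest hashes kept per message (assumed value)

# Constructed sample messages: one spam template with per-recipient modifiers.
SPAM_A = ("Hi bob! Lower your mortgage rate today and save thousands. "
          "Apply now, no credit check required. Offer ends soon. ref 48213")
SPAM_B = SPAM_A.replace("bob", "alice").replace("48213", "90177")
SPAM_C = SPAM_A.replace("bob", "carol").replace("48213", "11502")
HAM = ("Hi bob, the backup job on the mail server failed last night. "
       "Can you check the disk quota before the meeting today?")


def fingerprint(body):
    """Return a set of hashes of overlapping word runs (shingles)."""
    # Lower-casing and keeping letters only discards random digits/punctuation.
    words = re.findall(r"[a-z]+", body.lower())
    count = max(1, len(words) - SHINGLE + 1)
    shingles = {" ".join(words[i:i + SHINGLE]) for i in range(count)}
    hashes = sorted(
        int.from_bytes(hashlib.sha1(s.encode()).digest()[:8], "big")
        for s in shingles
    )
    # Keeping only the smallest hashes bounds what each node has to share.
    return frozenset(hashes[:SKETCH])


def similarity(a, b):
    """Jaccard similarity of two fingerprints, 0.0 to 1.0."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


class HoneypotRegistry:
    """Shared view of what the honeypot addresses have received."""

    def __init__(self, total_nodes, quorum=0.5, threshold=0.6):
        self.total_nodes = total_nodes
        self.quorum = quorum          # fraction of nodes that must agree
        self.threshold = threshold    # minimum similarity to count as "same"
        self.clusters = []            # [representative fingerprint, {node ids}]

    def report(self, node_id, body):
        """Record that a honeypot node received this message."""
        fp = fingerprint(body)
        for cluster in self.clusters:
            if similarity(fp, cluster[0]) >= self.threshold:
                cluster[1].add(node_id)   # a set: one vote per node
                return
        self.clusters.append([fp, {node_id}])

    def is_spam(self, body):
        """True only if enough distinct nodes reported a near-duplicate."""
        fp = fingerprint(body)
        for rep, nodes in self.clusters:
            if (similarity(fp, rep) >= self.threshold
                    and len(nodes) / self.total_nodes >= self.quorum):
                return True
        return False


if __name__ == "__main__":
    reg = HoneypotRegistry(total_nodes=4)
    reg.report("node-a", SPAM_A)
    reg.report("node-b", SPAM_B)
    print("variant flagged:", reg.is_spam(SPAM_C))
    print("ordinary mail flagged:", reg.is_spam(HAM))
```

The quorum is what keeps a single misconfigured or poisoned honeypot from getting ordinary mail flagged network-wide.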
samuel@bcgreen.com is obviously a spammer.
He's like "hey you guys, I've got this great idea. why don't we 'fight' spam by verifying our email addresses with spammers. It's going to be so awesome, c'mon guys!"
sure.. samuel@bcgreen.com, and we'll meet you at the ninth hole at nine p.m. m'kay
most spam points to a website, and this supposed "solution" is a futile self sacrifice that is not attractive enough for sufficient numbers to participate in. The result-- more spam for those few noble foolish souls that attempt this strategy. And yes, it definitely is possible to receive more spam than you are right now.
But that doesn't preclude someone from setting up a private paid email service where you have to pay
Such a thing might work like this:
This could quickly eat up a very large amount of spammer time. And anyone who spams that address in the future also gets fed into the bot loop!
Anyone here think they're capable of setting something like that up?
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
I imagine most spammers have some kind of web page where you can order their "product". It would be rather simple to make something that filled in the form with a random name and random credit card number, then submitted the form.
: /boot/vmlinuz
This would be rather effective if they paid a fee for each credit card validation and not each successful validation, but I'm not sure of the legality of this. (Of course, spam being international it could always be done from abroad)
My second thought is to see the spam as an order of "fill my http log with random binaries":
while
do
for a in
wget http://spam.me/$a
next
done
(or similar)
A more ethical solution would be to start tracking who is the real "product provider" and their banking contact, then go after the banks - It would be very bad PR to have your bank associated with spammers in the media.
funny thing, but pretty similar to a piece on kuro5hin... I'm sure they're not related, though ;-)
http://www.kuro5hin.org/story/2003/11/4/111059/720
This was exactly the reaction to the first Usenet spam back in 1992(?). The advert was for a USA Visa. It was cross-posted to all Usenet groups. The nerd community of the time decided to make their solicitations expensive by contacting the lawyers who put out the ad requesting more information via snail mail. The idea was that $0.23xReply would kill the business -- and also mask legit responses in a clutter of bogus ones.
The response was deliciously diabolical. I thought it would kill the profitability of spam in its infancy. Unfortunately, history proved different.
One thing I'd like to see is a public service TV/radio ad campaign on the theme of "Spammers are Scammers". Given all the multimedia talent in the Slashdot community, it shouldn't be difficult or expensive to produce. The ads should attack all spammers as scam artists, and all people who buy things from them as fools. No, a pill won't make a body part larger. No, it's not a bargain price for a prescription drug if it's fake or diluted or contains poisons.
The second idea is to publicly identify the actual spammers and their collaborators and organize protests and boycotts. Yes, I know about Spamhaus and ROKSO, which is why this is only half an idea, because they don't go far enough. I want to see web pages that not only tell me that Alan Ralsky is a major spammer, but tell me which spams he sends, plus his home address, phone numbers, personal email addresses, and car make/model/license number. I want to see photos of him. I very much want to know who provides him with Internet connectivity so that they can be publicly shamed and boycotted. It shouldn't take much money to hire a few private eyes to dig out this information.
Might these ideas provoke lawsuits? Possibly, but I doubt spammers will risk even more public exposure by suing.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
Several of the tools reviewed here are very effective at nuking spam.
almost never asks for a "reply" but presses me into dialing a 1-800#.
Santosh Dawara
No, I don't see any possible problems with that at all......
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Instead of bitching about how bad spam is, why don't you really do something about it. /. is after all the "great" collection of h@x0rz on the internet that does nothing but post comments on their PERL based CMS and complain instead of taking any serious action.
How about you all stop bitching about how badly implemented SMTP is and program it. How about someone open a sourceforge project aimed to completely change the sendmail protocol to require authentication and end it all?
Why don't you, because you people like to bitch and blow off crap smoke instead of doing something.
I for one would gladly participate in a new RFC project for SMTP that had some sense about it that removed SPAM.
The Red Condor (www.redcondor.com) spam filter does this. It even fingerprints the images on site. Only drawback is that it is a gateway filter, so you must have control over your own mail server.
Spammers are bad enough, but now TV channels are also doing it with. Latest is the "Australian Idol", 55c a call. Call your favorite 'idol'. Channel 10 has already made $20 million. Great interactive TV. Keep putting coins down your telephone line in the hopes of changing the outcome. Disgusting!
A very significant percentage of spam meets two criteria: 1) it already breaks some existing state or federal law and 2) it ultimately desires someone to supply a US-based credit card (Visa or Mastercard).
The problem with all our wonderful anti-spam laws is that they are not being enforced, and probably never will be, except erratically for 1 or 2 really, really bad repeat offenders. So, instead of using laws to take bad people to court, use laws to make law-abiding people quit aiding and abetting spammers.
Thus, the weak underbelly of many spammers is that some minion of MC/VISA is letting them process cc transactions.
Solution: the FTC should allocate 3 lawyers and 3 geeks, and (the easy part) demand the cooperation of MC/VISA. The 3 geeks maintain emailboxes in all 50 states and a batch of email addresses designed to gather spam. They essentially provide the 3 lawyers with "quality" spam, that meets the 2 criteria mentioned above.
The 3 lawyers select spam that has broken a law, follow the spam-requested transaction to the point where it requires a cc transaction, and do it. At that point, there is a CC transaction involving a broken law. The lawyers provide MC/VISA with the information on what merchant processor handled the transaction and what laws were broken. MC/VISA shut down that account, or simply dings them $20,000 for each offense.
Note that, unlike the FTC, MC/VISA can penalize any customer they choose to without due process (and they have a record of doing so). They definitely do not want to participate in an illegally advertised transaction if a spotlight is shone on it.
The need to process credit cards is the weak link in much of the spam business, and it is very hard for them to work around an inability to obtain the services of a merchant credit card account. MC/VISA have tightened up the requirements for getting CC services in the past, and they can certainly do so again.
MC/VISA might even elect to make the process more automated by issuing the lawyers some "special" credit cards. When they see a transaction for any "special" number come through, they immediately shut down that processor. (But you better make sure those special numbers aren't as easy to steal as all other credit card numbers seem to be!)
3 lawyers plus 3 geeks could make a bigger dent in spam than any collective effort to date has produced.
Those at the bottom are the mad long articles that actually share insight. And probably won't get modded as high.
So I want to take down yahoo. I send out millions of emails about viagra with a link to them. Down they come. Bad news.
Don't know about you people, but most of the spams I receive don't have a contact e-mail address I can reply to. Many don't even have a web page. Only a phone number.
morcego
Cancel deer hunting licenses.
:P
Issue spammer hunting licences, a 6 pack of Bud, & a bounty.
Save some deer, solve that pesky spam problem.
Spam should cease to exist in about 2 weeks.
fr1st ps0t
by Anonymous Coward on 19:13 Monday 17 November 2003 (#7497894)
w00t!!!!!
I'm replying to this in hopes of "attacking [Anonymous Coward's] business model" by drowning him in responses.
If just 1% of Slashdotters would do this, "first posts" would be worth... wait a minute. Nevermind.
Opinions on the Twiddler2 hand-held keyboard?
Probably the most reliable way to defeat the spammer business model is to use a whitelisting mail filter technique like TMDA. Spammers rely on 1. cheap and easy bulk email delivery (for them, at least) and 2. access to your mailbox by default. That doesn't work if mail is not delivered by default with a whitelisting system -- in that case, their mail waits in limbo for a confirmation response that will never come.
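A sketch of the hold-until-confirmed flow the comment above describes, as an added example: this is not TMDA's code, and the class name, token format and 14-day lifetime are assumptions. It issues at most one challenge per unknown sender, because the forged "From:" headers raised elsewhere in this thread mean a challenge can land on an uninvolved address.

```python
import hashlib
import hmac

TOKEN_TTL = 14 * 24 * 3600   # assumed: a confirmation is accepted for 14 days


class ConfirmingFilter:
    """Whitelist filter: unknown senders wait until they confirm."""

    def __init__(self, secret, whitelist=()):
        self.secret = secret
        self.whitelist = {addr.lower() for addr in whitelist}
        self.pending = {}   # sender -> messages held "in limbo"

    def _tag(self, sender, issued):
        # The tag binds the token to one sender and one issue time, so it
        # cannot be replayed for another address or extended past expiry.
        data = f"{sender}|{issued}".encode()
        return hmac.new(self.secret, data, hashlib.sha256).hexdigest()[:20]

    def receive(self, sender, message, now):
        """Return ('inbox', None) or ('held', token_or_None)."""
        sender = sender.lower()
        if sender in self.whitelist:
            return "inbox", None
        first = sender not in self.pending
        self.pending.setdefault(sender, []).append(message)
        # Challenge only the first held message from a sender: a forged
        # From: then triggers one challenge to the victim, not one per spam.
        token = f"{now}.{self._tag(sender, now)}" if first else None
        return "held", token

    def confirm(self, sender, token, now):
        """Release held mail for a valid, fresh token; else return []."""
        sender = sender.lower()
        try:
            issued_text, tag = token.split(".", 1)
            issued = int(issued_text)
        except (AttributeError, ValueError):
            return []
        if not 0 <= now - issued <= TOKEN_TTL:
            return []
        expected = self._tag(sender, issued)
        # Constant-time comparison avoids leaking how much of a guess matched.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return []
        self.whitelist.add(sender)
        return self.pending.pop(sender, [])


if __name__ == "__main__":
    # Constructed addresses and key, for illustration only.
    f = ConfirmingFilter(b"demo-key", whitelist=["friend@example.org"])
    print(f.receive("friend@example.org", "lunch?", now=1000))
    state, token = f.receive("new@example.net", "hello", now=1000)
    print(state, f.confirm("new@example.net", token, now=2000))
```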
The practice of burdening spammers with insincere replies is likely to reduce spammage. The beauty of this approach is that the ultimate client of the spam is the one who will bear the cost. The mortgage lender or pornographer whose wares are advertised is, ultimately, the entity who will take the time to respond to the (false) sales lead. If this entity gets enough false sales leads, he will take a keen interest in avoiding them.
But this is a labor intensive solution. People who wish to fight spam in this way will have to engage in an exchange of e-mails with the spammer (or his ultimate client). If/when this spam-fighting technique gains traction, spammers will find alternatives to e-mail for replies. The spams will request a visit to a web page, rather than an e-mail reply. As other /. posters have noted, this method is already very popular with spammers.
In my experience, Bayesian filtering on incoming e-mails works astonishingly well. I use a package called bogofilter, and it has a marvelous property. After a training period, it NEVER classifies "good" e-mail as spam. Thus, I can discard spam e-mails without reading them. For me, this is the holy grail of spam-fighting. I don't even look at the subject line of spam e-mails. My mail client doesn't even notify me when a spam e-mail arrives. The spams just silently disappear, without using any of my time at all. Sure, a few spams per day evade my filter, but the volume of these "clever" spams is not high enough to trouble me.
As far as I'm concerned, the war against spam has already been won. There are other Bayesian filters at sourceforge, including POPFile, spambayes, and crm114. Take your pick.
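As an added illustration of the filtering approach described in the comment above (not part of the thread, and not a reproduction of bogofilter's code or scoring): a simplified naive Bayes token filter with an "unsure" band, so mail is only discarded unread when the spam probability is very high. The class name, cutoffs and training messages are constructed for this example.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']{3,}")

# Constructed training corpus (not real mail).
SPAM_SAMPLES = [
    "Lowest mortgage rates guaranteed, refinance today and save",
    "Cheap viagra online, no prescription needed, order today",
    "Refinance your mortgage now, lowest rates, click here",
    "Order cheap pills online, guaranteed lowest price, click here",
]
HAM_SAMPLES = [
    "Patch for the kernel build failure is attached, please review",
    "Meeting moved to Thursday, agenda attached, please confirm",
    "Backup job failed last night, logs attached for review",
    "Can you review my patch for the mail server config today",
]


def tokenize(text):
    """Return the set of distinct lower-cased tokens of 3+ characters."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Token-presence naive Bayes with separate spam and ham cutoffs.

    A high spam_cutoff trades a few missed spams for (almost) no good
    mail being discarded; anything in between is held as 'unsure'.
    """

    def __init__(self, spam_cutoff=0.99, ham_cutoff=0.20):
        self.spam_cutoff = spam_cutoff
        self.ham_cutoff = ham_cutoff
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.messages[label] += 1
        self.counts[label].update(tokenize(text))

    def _token_log_odds(self, token):
        # Laplace-smoothed P(token present | class) for each class.
        p_spam = (self.counts["spam"][token] + 1) / (self.messages["spam"] + 2)
        p_ham = (self.counts["ham"][token] + 1) / (self.messages["ham"] + 2)
        return math.log(p_spam) - math.log(p_ham)

    def spam_probability(self, text):
        # Start from the smoothed class prior, then add per-token evidence.
        log_odds = math.log((self.messages["spam"] + 1) / (self.messages["ham"] + 1))
        for token in tokenize(text):
            seen = token in self.counts["spam"] or token in self.counts["ham"]
            if seen:  # tokens never seen in training carry no evidence
                log_odds += self._token_log_odds(token)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def classify(self, text):
        p = self.spam_probability(text)
        if p >= self.spam_cutoff:
            return "spam"      # safe to discard unread
        if p <= self.ham_cutoff:
            return "ham"       # deliver normally
        return "unsure"        # deliver, but flag for a human


def build_filter(spam_cutoff=0.99, ham_cutoff=0.20):
    """Train a filter on the constructed corpus above."""
    f = BayesFilter(spam_cutoff, ham_cutoff)
    for msg in SPAM_SAMPLES:
        f.train(msg, "spam")
    for msg in HAM_SAMPLES:
        f.train(msg, "ham")
    return f


# Constructed test messages.
OBVIOUS_SPAM = "Refinance today: lowest mortgage rates, click here"
OBVIOUS_HAM = "Please review the attached patch for the backup job"
# A legitimate question that happens to use sales vocabulary.
BORDERLINE = "Lowest price for the mail server, order online today?"

if __name__ == "__main__":
    strict = build_filter()
    for msg in (OBVIOUS_SPAM, OBVIOUS_HAM, BORDERLINE):
        print(f"{strict.classify(msg):6s} {strict.spam_probability(msg):.4f}  {msg}")
```

With a single 0.5 cutoff the borderline message would be thrown away as spam; with the skewed cutoffs it is held as "unsure", which is the property that makes discarding the "spam" bucket unread tolerable.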
causes major problems if someone forges.
Example: a disgruntled employee forges
many emails about his company's products.
When your anti-spam army calls for info,
they overload the company's phone system.
This is called a Joe Job, and is bad and wrong.
Why? Imagine it done to a hospital phone line.
Spam is a real problem. This is not the answer.
If you want ideas, try this overview
Cheers, Joel
Let's all buy the things the spammers sell! If we all do it, they'll be so busy shipping the stuff, they won't have time to email us anymore!
If people started responding to just 1% of the spam we received, spammers would drown in the responses, and the mortgage spam responses wouldn't be worth an email, much less $50.
As someone who has suffered through multiple Joe-jobs, receiving tens of thousands of bounces from just the incorrect addresses, I sincerely hope that no one takes this suggestion seriously.
...But I get about 1-2 spam mails per month on my UNFILTERED address. My filtered address receives ZERO. Period. My mail system at work throws away a ton of spam, yet none of it is destined for my mailbox. Ironic? Karma? Who knows.. I'm enjoying it!
Now, if you'll excuse me, I have backups to corrupt.
If we are to progress as a species we must respect Darwin's laws that have helped us evolve to the advanced state that (most) of us are in. I suggest that we all have a go at trying to fight the problem by selling those much-touted "penis enlargement pills", substituting the mystery ingredient for poison. This should rid the world of those stupid enough to use their common sense. Once the word gets around, no-one remaining, who would buy said pills, would trust them. If not, they deserve to die, and surely will!
Anyone with a degree in economics will see that the spammers' business model will collapse from its foundations soon afterwards...
The real interesting question is.. who's responsible for the attack? The person who sent off the mail or the legion of huffing, red in the face computer jockeys who bombarded the site?
Remember, the job of deterring the spammer is that of law enforcement, and the reason why the internet is in such a bad state is from all those cowboy vigilante sysadmins, just shootin' from their goddamned hips. Now I know that our love for vigilantism has its root in our Constitution, because in America we have the (god given) right to arm ourselves for self defense, and possibly respond in a sufficiently violent manner to ward off attacks or any sort of personal affront, but this does not apply to the internet. Sometimes you have to think of the community and respond peacefully.
-- HG Pennypacker, wealthy industrialist and philanthropist
I don't see how it matters. The same number of legitimate replies would likely still be received, but there would be more bogus replies. Let's say the ratio is 49 to 1. That just means that instead of paying $50 per hit, they will pay $1 per hit, and still get the same value for their spam ads. They just have to handle more traffic, which is probably not a significant cost. I don't think this approach will work in the long run.
Finally, your assertion that it would incentivate less spam from individual spammers is wrong, since the ratio of fake to real responses is the same for a large mailing list as it is for a smaller one. In other words, you have "constant returns to spam." The only way it would incentivate less spam is if you managed to drive some of the spammers out of business. More likely, it would lead to more spam, as spammers scramble to find more addresses to offset their lower "spam margin."
I think we all need to stop worrying about spam and just put some hot grits down our pants and look at Portman's petrified tities. There, doesn't that make you feel better?
Why? Sheesh, I don't know, but whatever story gets posted here, someone always claims it's a good thing, so I figured it might just as well be me this time.
This is a bad thing. Why? Well, I don't know either, but whatever comments get posted here, someone always claims you're wrong, so I figured it might just as well be me this time.
..for a change ;)
Hows about featuring a link to a spam advertised site every day?
We, the readers click the link, hit refresh 10 times and then get on with our browsing.
I'm just going to keep this short......
WHAT KIND OF LAME BRAIN WROTE THIS....WAIT PUBLISHED THIS?!?!?!
Worst idea I've ever heard. I normally don't bother posting to /. simply because they deleted half my posts in the past, but I couldn't keep quiet about this one.
The easiest solution to SPAM which also would solve the problems of the RIAA and MPAA would be for ISPs to charge for bandwidth and e-mail. It wouldn't have to be much. If each e-mail cost 2 cents, it wouldn't be that expensive for most of us, but it would make SPAM uneconomical. If ISPs charged according to how much volume you downloaded instead of flat fees, then it would make downloading albums and movies more expensive than buying them in a store. The only reason SPAM makes sense is because it costs the same to send out 100,000 e-mails as it does to send out 1. It's silly to SPAM using the Postal Service because of the cost of stamps... The Internet itself needs to change its business model...
In the short run it helps the spammer, in the long run the pay back for hits just gets corrected by the ratio of good/bad hits. I don't think this method will work.
Not all spam comes from real email addresses. And most messages want you to *click* on a link, not hit the "reply" button. Also, don't they already get 1000's of auto-responder messages? They must have a procedure for dealing with those. But maybe if enough of us changed our auto-responders to something non-trivial they'd get confused?
In any case, I guess there should be a way to craft a semi-automatic solution for this. But personally, I like the "turn the tables" strategy.
Actually charge the product on a credit card and claim that you are a victim of identity theft.
Thus, the spammer has to deal with the chargeback fees and the return of the refused refuse ^H^H^H^H^H^H product.
You could only do a few days worth of the 'spam buying spending spree' but what price burning 2 dubious groups.
1-800 numbers get charged extra fees when they are called from payphones. So if you are looking for something to do in the mall/airport....
Finally, where is the collection of 'These people are legit companies, but they spammed' emails? Examples - Pro Engineer on the FreeBSD list and Broadcom FAX on the Amanda backup software list. Such that you could call the sales people, make them jump thru hoops then when its time to have the meeting to sign the contract, you say "Oh, we have a company policy to not sell to spammers" and tell 'em to go take a walk.
The final alternative takes far more time and energy, but sue the spammers in small claims court. Ask for discovery VS *ANYONE* who would know the spammer's identity. Be that the ISP, the bank(s), the credit card companies. Make it costly to do business with "That kind of customer".
As a rule, things like mortgage leads, is that most players work with brokers (BTW: email spam mortgage leads don't net $50/lead). So the spammers are all dumping to the brokers. In general, the brokers combine search engine placement leads, search engine spam leads, legit leads (people that solicit it from financial sites, etc.), into one lead pool that is sold. What would happen, is that over time, you would drive the value of that broker's leads down (although that assumes perfect information), but you would INCREASE the percentage of the leads that are from that spammer.
That means that everyone dealing in leads makes less money, but the spammers make more. That would squeeze everyone, until the only ones making money in mortgages are spammers. This would result in rich spammers, plowing more money into spam.
The lead business is much less efficient than you think, with hundreds/thousands of buyers and sellers, so if one company dumps the lead broker, another one will pick up their leads. The leads are mostly unpriced, and buyers are chasing lead sources.
Alex
.....which seem to be getting less-effective with every day, why not meter the traffic - all traffic - from spam-supporting networks.
Mail sent to or from a supporting network would take much, much longer to route than that from cleaner networks.
Same for HTTP traffic.
Limit the number of open sockets to any given subnet based on same.
- on the flip side, from a civics perspective -
When your address is flagged as a "live" one, and resold for even more money - isn't this really a form of RICO-enhanced stalking?
To have ambition was my ambition.
you could have spammer spamming software :). Imagine if every time your filters tagged a message as spam it could send an auto reply with a forged header (fake email address and stuff like that, assuming this doesn't get ruled illegal). Then the spammer would get a randomly generated email along the lines of:
Yes, I am very interested in your product. Please send more information to my address at fictionalPerson@non-existantDomain.net.
Now that would be funny.
Come on, do it one better: Send them the e-mail of another spammer, who will see the address and spam back. It's foolproof!
warning: This post is likely to contain gobs of dripping sarcasm. Consume at your own risk.
All you would have to do is make it 100%, with spam in hand - to hack the hell out of spammers.
The thrill is in the kill..
Absolutely everyone should use spamcop.
It does a great job of reliably backtracking the responsible ISPs hosting both the original mail servers and any URLs and generates spam reports. It's a lot more tedious than just hitting delete, but I use the RBLs and find a meaningful correlation between the amount of spam I get on day 2 to the expediency with which I reported spam on day 1.
If everyone used spamcop the hosting ISPs would be deluged every time a spam went out, the spammers effectively instigating a self-inflicted DOS attack. I'm rubber and you're glue...
I believe that replying to a spam with unsubscribe or whatever will NOT increase your chances of getting more spam significantly.
Why?
Because if there is no non-deliverable message sent back to the spammer, that email address is already marked as active. The spammer knows which email addresses make a successful delivery anyway and chances are very good that that email address actually has someone reading it.
Yeah, the spammer may currently earn $1000/week by generating 20 leads at $50 commission each. With the higher volume from the "attack", he generates 1000 leads, and gets $1 each. In the end, the spammer still gets $1000/week.
What makes or breaks this scheme is: what is the fixed cost of processing each of the leads? If it is low, the spammer and commission payer only lose a little profit. If the per-lead processing cost is high, the profits disappear.
So, what resources are required to process each lead?
Reading Slashdot is ruining my spelling and grammar.
Agreed that attacking the business model is the requirement and therein is two ways of doing that. The first is making spam cost more to send or more specifically make each spam sent less worthwhile. Filtering does this. The main problem with filtering is that too few actually do it. Slashdotters being a more technically literate crowd is not the target audience in this regard. The multitudes of the illiterate are. We don't need to block or filter 99.9 percent of spam email to be effective if a universal 50 percent is attainable. Effective spam blocking at a rudimentary level needs to be implemented in the most popular email clients. Microsoft is addressing this. Late perhaps, but addressing nevertheless. ISP's are picking up the slack in an act of self preservation but theirs is not the preferred solution since that method is little more than censorship, yet censorship that many would agree with including this author as long as it is optional.
I personally think we can achieve 90 percent spam blockage with few if any false positives at the client side and also believe that alone would drive spammers out of business if the implementation was closer to universal.
The second option that needs consideration is public exposition of those who pay the spammers to spam, so staining their reputations that few would take up the practice. A business that hires the services of spammers have no more ethics than spammers themselves and as such should never be trusted or otherwise dealt with. People need to know who these entities are. And these are the people that are easily found and identified since they cannot function if they are not public. Mark them as such.
In a way this is nothing other than education. We have a lot of computer illiterate people that need a lot of education and some cannot be saved yet the point must be driven home to those who can learn which is most of them.
While I disagree with the methods of the original post, one aspect hits the nail on the head. Take the profit out of spamming and spam goes away.
count me in
Seriously, you don't know what you're talking about, neither do the three or four geeks who voted you up.
The article suggested that we get together and blacklist the spammer sites that show up high on our filters or whitelist good sites.
I just took the first 3 spam in my box, and 2 of them had 800 numbers - surprising. I called them and let them record for a while while I coded. One of them timed out after a few minutes and said "to replay this message, press 1". So I did that a few times also.
A national leader could tell everyone on Prime-Time TV not to buy from spammers.
Two people are guilty of committing a crime together. There is no proof. They are both suspects, and apprehended. Simultaneously, they are offered a deal: a far lighter sentence if they confess, and thereby turn evidence against the other.
If they both say nothing, they both walk free...the best-case scenario for both. But if one or both of them talk, then things go a bit downhill. That's how this idea seems to me, but in reverse. If lots of us reply, the spammers drown (kind of an email Slashdot effect, obviously) and the average value of a valid reply is outstripped by the cost of getting it. But if an insufficient number of us do this...we get spammed like crazy, and no overall change occurs.
For your security, this post has been encrypted with ROT-13, twice.
Sure, this idea looks good on paper. But in actuality the reason why this would never even be attempted on large scale is as evident as the reason why spam is still here in the first place.
Things like this will always boil down to the lowest common denominator, you will *always* have a significant amount of people *always* ignoring the spam they get.
Personally, I'd like to see spam gone. But asking people to take time out of their day to answer all the spams they get (not to mention all the lewd and obnoxious spams as well) just won't happen in my opinion..
....move along....nothing to see here....
IANAL, but I do know that for entrapment to be such the law officer must make the overt act first to "lure into performing a previously or otherwise uncontemplated illegal act". In such cases as described, the spammer is committing the illegal act already by sending spam which violates a State or Federal law. He is obviously contemplating as he is already breaking the law. The credit card is merely the tracking mechanism by which he can be identified and charged.
I like this plan.
Slashdotters love their favorite pet project, rewriting the mail protocol.
You want to stop spam? What happens when that mortgage company paying a $50 commission to 2nd, 3rd, and more insulation layers of spam fronts has to pay $50 or $100 for each and every spam in fines, including the spam messages with no response? What happens to all the online pharmacies selling viagra, that find it so profitable to send the spams daily, when they are faced with a $50 fine for every single of the millions of spam mails they send every day?
California adopted something similar (from what I've read) to what I've been saying for a couple of years now. From what I've read, it goes into effect January '04.
You see the people responding to the 419 scams and wasting the scammers' time? How about if you can respond to a spam, and split the fine that gets slapped on the company profiting from the spam response?
You have to hold the company that profits from the spam response accountable, financially, and perhaps criminally. If the headers are forged, if there is no "adv:" in the subject line, make it criminal as well as a civil fine.
I'd be creating email accounts left and right, and responding to every one of these spams if there was a return on time and investment.
And don't answer that it won't work. In NYC, when the police couldn't catch the dirtbags that were posting movie posters all over the city, they made the movie distributors/makers financially responsible for each and every poster. The problem went away virtually overnight.
You answer that it won't work, and you are just adding useless noise to the problem. As stated in the previous paragraph, the solution works. Incredibly well. And it doesn't matter that the NYC solution had nothing to do with email. What matters is that companies were advertising, and using individuals to illegally post those advertisements (was already illegal to post on city property and construction sites), and they couldn't be touched because 3rd parties (individuals) were actually gluing the posters in place. Yet NYC was still able to nail the business interest profiting from the placement of those posters, and the problem went away.
(Perhaps I can get them talking to each other! :-o ).
And have them hatch some ultimate spamming scheme in one of the most unholy unions to ever occur?
Yeek, no thanks.
The coolest voice ever.
If the 1% of people who have such stupid ideas about how to deal with spam simply responded to 100% of their spam, then the rest of us wouldn't have to respond to any of ours.
Spammer John would send out his bazillion emails, get lots of $50 replies.... and "retire."
Nicole would say, "Spammer John made all this cash." She would possibly buy Spammer John's computers, and go into business for herself. As soon as she makes $100K... Spammer Nicole retires... and sells the stuff to Trent... who sends out a zillion emails...
I am very small, utmostly microscopic.
This may seem kind of odd, but I never receive spam. I have two hotmail accounts and one University account. I just make sure to either supply a bogus e-mail or opt out of any special offers, relying on my own wit to save money when I want to buy something rather than buying something simply because it's on sale and thinking I saved money by spending.
If we all just used digital signatures, and blocked any emails without signatures, our filters could be nearly perfect. Spammers trying to get multiple signatures should be denied, etc. Let's face it, email is a pathetic joke of a technology that should be forced into extinction (or at least updated)
kmail has a function where you can return an email that looks like an error. dunno how good it is anymore since spamware has gotten smarter, and often uses fake email addies. and temp accounts that spam about a few thousand emails.. then closes the account up and moves on.. I think the only way to solve this is to redo the smtp protocol, rewrite it and make it more secure to where it can find out where these emails come from, or implement more aggressive filtering and prevent abuse.
I've just received spam asking to visit this site: www.4inch6.com/as/
/. them!
Does the spam-mail contain an email address? Not only give it a false order / info request, but add it to all mailing lists you know and whatever you can do to increase their spam income. Does the spam-mail contain a URL for a firm? Look for email addresses on that site - do as above. Might consider DDoS too, but that's probably illegal? =( (sad it's illegal to spam spammers) More severe is to spam them in non-internet ways too. Order for them all kind of trials (papers and other products) etc, just be careful to not do things that harms others: e.g. order pizza (unpaid for pizzas costs the pizza-house) But feel free to make your own pizza with SPAM and give them :) Can be combined with having a group personally telling them in a noisy (but not threateningly) way that people don't like spam.
If you don't get the message through, put up signs at the work place, identify the pointy-haired boss (whomever is in charge of marketing, or their boss[es]) and spam them.
If you're a group of 20+ , call them. Send them snail-mail. Ring their door bell. All this 24h/day.
This can be done both to companies buying spam-services and the spammers themselves.
All this should work best if people united in local groups for anti-spamming (who's to organize this?).
We have to be careful about being fooled into spamming innocent parties though.
Ok, ok. So some of this is rather extreme, but at least most of it should be doable - as long as people keep from being threatening or destructive? (and keep out of the police's sight :)
IMHO. That's all folks.
This whole idea is nothing but a pipe dream. Populations operate statistically. You aren't going to be able to change how they respond to spam without a massive movement.
Asimov's Foundation trilogy may have been science fiction, but the principles behind his Psychohistory are very real.
I like my idea better. Vaporate your spamming problems instantly!
:)
It's a lot more effective than a fine
Browse at -1, because trolls are often the most creative part of
And why are we NOT DDoS'ing these websites?
We? Got a mouse in your pocket?
After reading the articles I am still all for shooting the bastages.
At +300 Spam messages a day from email addresses harvested from my websites and WHOIS info and the spoofing of my domain as the domains of the spammers I am fed up. Responding to them would be a drop in the bucket and a waste of time.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
Let's look at this post a bit and do a little translation:
Part of my companies' income is from sales of various and sundry products sold via solely online "stores." Part of that traffic is via banner ads, text links, etc, and another portion is via bulk mail (spam)
Translation: I am a spammer.
If you really want to hurt a spammer, get thousands of people to order a product, then send it back and charge-back the order on their cards.
Translation: Give me your credit card number.
Spammers are the wise guys and con men of the digital age. DO NOT TRUST THEM. I mean really - if this guy makes his living this way is he honestly going to give you a stick to beat him with???
It's more likely he'll take your credit card number, charge it to the hilt and take off to Zaire.
Give me your credit card number and I'll be hurt. Please!
Weaselmancer
rediculous.
I do believe this is THE answer.
I really like this idea! Thanks to the spammers I already have many addresses under my domain (spam@mydomain.com, msn@mydomain.com, etc) that get hundreds of spams a day.
I'm going to set up an auto-responder, that wget's every URL in the address and sends an email back along the lines of "Wow, I am incredibly interested in your product, please call me at [insert known spammers phone number here] with more information!"
Since it will all happen in the background, this is harmless to my own eyes. Yay!
If we just went around advertising these spam honeypots this really could be an effective tool against spam. I see the spam-funders getting wise to it and requiring a cheque to cash before they pay the spammers for the lead, but at least it would help cut down a little in the meantime.
-- Coward
Since when is spamming considered a business model? It's no more a business model than theft, break-in blackmail, or highway robbery.
ELOI, ELOI, LAMA SABACHTHANI!?
Case in point: for every credit card application I get via snail mail, I seal the return envelope (empty or with trash) and mail it back at their expense. The idea is the company loses money by having to pay for the reply postage and for the labor to open my bogus reply.
But I've noticed lately that companies are designing it so you have to include the application form to mail the return envelope (the city/state are printed on the app, which is viewable through a window on the envelope). Apparently, credit card companies weren't taking enough of a hit to say "fuck it, these people don't want our mailings." Instead, they seemed to have paid some poor schmuck more money to come up with a way to outsmart the scheme many of us have been using.
Doesn't matter, though. I'll tape the city/state info to the envelope if I have to. And soak the envelope in cat piss. Take that.
***
Radio Shack. You've got questions...we've got blank stares(TM).
Take care...
Absolutely the best post in this whole thread. Bravo.
The need to process credit cards is the weak link in much of the spam business, and it is very hard for them to work around an inability to obtain the services of a merchant credit card account.
Weaselmancer
rediculous.
The oft-overlooked part of any business model is the need to be alive to spend the money you make...
I'm not saying anything, I'm just sayin'...
Perfectly Normal Industries
I finally realized that mailblocks was responding to each email with a request to verify you are a real person. Many spammers didn't even bother to read the email, they just marked the address as valid and sold it to someone else. I "get" a lot of spam on that address but, of course, I don't read it. If this kind of whitelisting catches on (Earthlink is trying it out as well I think), this 1% could easily come true to at least some extent.
I have 3 email addresses designed to catch all my spam (I use them to sign up for things and get passwords or send mail that my filter says is spam to them). If I validate those email addresses so what? I'll just get more ammo.
-Tim Louden
THAT IS THE WORST! Every /.er knows, but none of us know what to do about it!
I'm sure that there are people involved. If mortgage companies need to have people follow up on the leads, then it really slows the company down. To a large degree, the mortgage companies are getting spammed. It'd be just as annoying to them as it is to us. The thing is, people who create these fake leads have to make real looking information. After all, if you were a mortgage telemarketer, would you bother phoning Mr. adsfkl;jdsf;oijsdf@$ 98sdf908ydsf, @ phone number 1234567890?
Ultimately, I'm sure that it's still worth it for every one to keep sending out more spam. So, like I said, I don't know.
Take care...
Several posters have advocated an automatic response with a 'bot to crawl to any URLs in the EMAIL, thus flooding the site and denying a connection. Presumably, the tactic would be more effective if a few hundred expendable addresses posted on the net/usenet were used as bait. It would also not flag your personal account as a live one.
I foresee a countermeasure, though. By using human readable forms (i.e. "Type the word you see in the graphic" type gateways on Yahoo and elsewhere), a Spammer could filter out Spamkiller 'bots, just as larger sites filter the Spambots that attempt to acquire addresses in the first place. While some Spammer site bandwidth would be devoured, a properly coded site would optimize the front end and then refer real customers (suckers) to the secure server for the transaction.
I still like the idea of an automated bot doing this, if only because it would force Spammers to expend resources and also make it more difficult for Spam respondents (again, suckers) to reward the Spammers. I just think it'd be foolish for anyone to develop such a tool and assume it would not be countered in a relatively quick manner.
"Prepare for the worst - hope for the best."
Let us convince our current president that spammers are an attack upon the American way of life, causing the crash of stock markets and forcing businesses to lose untold millions of dollars and that these deeds are tantamount to terrorism.
I mean, we all know that the government actually doesn't care about most of the population until an election year, if we convinced them that it was hurting the people that they do care about then maybe they might actually do something, though what I don't really know. This was originally meant to be funny.
Why can't we make a better mail protocol? Something that checks the Domain Name and then checks the ip address of the sending server and finally asks the mail server whether or not the mailbox exists.... This would be better than trying to spam the spammers ...
I think they can trace the calls back, which can be a problem when the pissed off spammer Joe Jobs your number.
Can one call the numbers from a pay phone? If this is true, it probably would be the best way to do this.
Hell, I used to order things from spammers. I sent them to 1234 Main Street, East Jesus, TX, 54321. Unfortunately, spammers are getting slightly smarter and actually checking that the credit card numbers I give them aren't bogus up front. Bummer.
Any automated reply system (i.e. lazy) gives the spammers the power to cause trouble. And if it's too much effort, people aren't going to keep it up, so we don't want everyone to have to go through their spam and figure out a counter attack for each piece.
What we need is something like a "daily spam revenge" website - which daily takes a few examples of spam and creates a link for us all to click on to generate an email or bring up a web page or fill in a web form with credible nonsense.
It would only hit those spammers that the website chooses - but it'd be easy and effective.
It couldn't be a single website, since that invites DOS attacks, but maybe if the idea catches on, every website that wants to generate traffic would start including a "Bomb the Spammer" link. And of course, it gives the website owner the added satisfaction of hitting the spammers that hit them.
Maybe this could be merged into blogs - every blogger could daily put up a fresh set of anti-spam bombs. Bloggers who don't want to go to the effort of doing their own might go to a "daily spam bomb source" website - one that doesn't provide the links itself, but does provide the bit of web-code needed for others to stick on their sites.
Since I installed SpamBayes after reading about it on /. I haven't had a single false positive OR false negative in the 3-4 months I've been using it. Just some Maybe's every few days. I get about 30-40 spams a day.
Spam holes are not the answer, but with friend list they sure look a lot saner (c'mon, everyone in
Quack, quack.
The biggest objection to "spam" mail in the first place is the time it wastes. People have too much email to reply to. The last thing most of us will do is spend additional time on spam, sending out fake replies.
Yes, I realize this could be automated, but that still means people have to install the extra software on their computers and get in the habit of using it. It also might not always fill forms out properly or completely - wasting still more time when the pages come back telling you to "Please fill in all of the blanks."
I foresee this type of thing only being undertaken by a few "anti-spam diehards", and some of us techno-geeks. That won't get the number of replies up to where it's putting anyone out of business.
no need to get all rusty at that other place.
The reason we subjugate ourselves to law is to better procure justice. If law does not accomplish this purpose then it m
Note: Using bogus addresses may allow the spammer to filter out the autoreplies, as they just eliminate all replies which come from addresses they did not send to.
Perhaps spammers will deploy Bayesian filters in an attempt to detect autoreplies?
I guess there is the danger of ELIZA making an excessive promise on your behalf. How to guard against this?
News -- Spammer Found strangled with 47" dick
News -- Spammer go to jail after opening 198 mortgage loans
News -- Spammer suffer heart attack, found covered with what looks like dermo patches and surrounded weird "New Pa Tch sdogh Here only" messages...
I can see myself following the news more eagerly 8)
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?
One major downside I can think of is that if everyone responded to 1% of the spam they received, you would have a 10% increase in bandwidth consumed by spam-related activities. In addition, I think most spammers would only sell your address to other spammers if they got a response (thus proving the validity of your address) and the end result would be to get MORE spam.
Don't become a regular here, you will become retarded. -- Yoda the Retard
The only way such an approach could work is if everyone were to reply multiple times. Instead of having filters such as SpamAssassin just delete spam, it would reply automatically with 100 spoof emails. You have to admit, no matter how much bandwidth a spammer may have, if they got 100 replies for each million they send that would be a bit overwhelming. However, it is doubtful that the masses would change their approach to spam overnight. Without mass cooperation it will never work.
well... how about everyone replies, but not with an e-mail.... with 100 tcp/ip packets staggered apart one minute each for 3+ days of duration per e-mail. i'm sure this could be accomplished easily by activating a service in XP through outlook, or by adding a cron job in unix. i wonder if this is legal?
wow, she's hot!
- Get toner cartridge spam
- Get 800 number
- Call 800 number
- Ask about deals for universities
- Place a $300 order
- Give fake name
- Give fake address
- Ask for bill to be sent (they trust you, since you're in a large organization)
- Hang up
Yes, this actually works, and hits them in their pocketbooks. Not sure about the legalities of it, though...
A slightly less illegal tactic:
- Get spam
- Get 800 number
- Tell modem to call 800 number
- Leave for the day
Note: works best on numbers where a human answers.
Spam as advertisement works. If it were possible to tap into the spam servers and attach a NOTICE: that said "replying to ANY spam is hazardous to your health", perhaps we could educate our way out of the spam problem.
Ok, I had one mod point left but screw it. I saw a few people hinting towards it.
Let's slashdot spammers. Ya know, someone paste a link up here and we can all click on it a few hundred times. When the spammer's hosting provider gets a nice big spike (or gets taken down completely) the spammer might think twice...
Hell, make it a special part of the site where you can get your daily spam revenge.
FLR
No matter if it comes to you via brazil, argentina, russia, etc, 90% of spam is US sourced.
A HUGE amount of spam is pushing products/schemes that involve fraud, fake drugs that the FDA does not allow, etc, etc.
A HUGE amount of spam is sent by stealing services from legit users (using open relays, etc). Technically bad, not illegal to have. But the spammers take advantage and steal bandwidth.
pre-sendmail 8.9 and when open relays were just becoming bad, a friend had an ISDN line kept open for several hundred dollars of connection time when he was away on vacation and his relay was found (connection would come up periodically to pull down mail). The police and FBI could not have been less interested in this event which cost real money to a real taxpayer.
Were the FBI to go after Joe Schmo Spammer who kicks off 5000 messages to my company to an alphabet list of users from over 200 different relays, and charge him with breaking into his relays' computers and fraud (sorry, Herbal Viagra or Guaranteed Stock Schemes and Pyramid Schemes are illegal), then perhaps spammers would have a cost associated - JAIL!
Me? I have a fantasy that plays out thusly:
The Judge:
telus is a huge spam haus. They have a huge pile of dsl/dialup spammers on their network, plus they host a bunch more professionally. Here are my current firewall rules regarding the telus spamhaus.
/intopamail.com /fltn.net /centurion
# telus hosted spammers
iptables -A spam -s 207.134.0.0/16 -j DROP
iptables -A spam -s 209.89.0.0/16 -j DROP
iptables -A spam -s 64.180.0.0/16 -j DROP
iptables -A spam -s 216.232.0.0/16 -j DROP
iptables -A spam -s 137.186.0.0/16 -j DROP
iptables -A spam -s 207.81.0.0/16 -j DROP
iptables -A spam -s 209.171.0.0/16 -j DROP
iptables -A spam -s 199.185.220.0/22 -j DROP
iptables -A spam -s 199.185.224.0/24 -j DROP
# telus dynamic ranges
iptables -A spam -s 142.178.0.0/15 -j DROP
iptables -A spam -s 206.116.0.0/16 -j DROP
iptables -A spam -s 66.222.128.0/17 -j DROP
iptables -A spam -s 207.6.0.0/16 -j DROP
iptables -A spam -s 209.121.0.0/16 -j DROP
iptables -A spam -s 209.202.64.0/18 -j DROP
iptables -A spam -s 142.172.0.0/14 -j DROP
iptables -A spam -s 205.206.0.0/16 -j DROP
iptables -A spam -s 208.181.0.0/16 -j DROP
iptables -A spam -s 198.53.0.0/16 -j DROP
iptables -A spam -s 66.183.0.0/16 -j DROP
Lawyers, MBA's, RIAA? A jedi fears not these things!
It's probably a safe bet that most owners of computers that are running as open relays have no idea that they are doing so. So why not use their strength of numbers for something good? In other words, consider writing a virus that does nothing except pop up a window saying "your system is infected, please consider disconnecting from the Internet until you can install one of the anti-spam products. Thank you."
After propagating itself, of course.
Maybe that's one way to drop that 70%.
You're certainly right, but doing something about the problems you mention would require a higher level of responsibility than that which just cruising slashdot and trying for a "Funny" rating requires. And sadly, that really is all that most posters here are looking for.
World affairs? "Run Linux, d00d!!!"
Sure, we could flood the spammers with bogus responses. But then they could use Bayesian filtering to learn to filter out our fake responses, the same way we use it to filter out spam! Using our own tools against us ... oh, the irony!
Cheers,
IT
Power corrupts. PowerPoint corrupts absolutely.
Spammers usually use fake accounts/phished accounts. I used to reply to them and I would receive a lot of mailer daemon responses.
Not really related to the parent; I posted it up here because I think it's a good idea. I don't want to be too associated with it, anticipating the spammers fighting back.
At the very least, I'd like to have a good Windows programmer put together something akin to this:
#!/bin/bash
COUNT=0
while [ $COUNT -lt 2000 ]; do
lynx -dump -traversal -useragent="By sending e-mail to my domain, you agreed to the published Terms of Service of my privately owned domains and servers, including the stipulation that all spam would result in your webserver log being filled with garbage. If you don't like it, don't send e-mail to my domains. I f you don't want me to visit your website, don't solicit my visit by sending me unsolicited e-mail. You do not have a First Amendment right to waste my bandwidth, electricity, CPU time or hard disk drive space with your crap, characteristically illiterate or otherwise."$1?YOU_FILL_MY_MAILBOX_WITH_UNSOLICITED _C
RAP_AND_WE_WILL_DO_THE_SAME_TO_YOUR_WEBLOGS
let COUNT=COUNT+1
echo $COUNT
done
I use this on all my spam.
Such a program would need to have a drag-and-drop interface, automatically replace the user's e-mail address (wherever it appears in HTML bugs) with uce@ftc.gov or something similar, trim serial numbers, cope with obfuscated URLs and hijacked Yahoo/Google redirectors, and eat both image tags and links.
As it is, I open each message, manually extract all the HTML tags, and plop 'em into a terminal window on one of my servers.
The only real worry is a spammer using a GeoCities or other free webpage. But if a few people hit the site with this kind of program, it would get it shut down faster than an abuse complaint.
Of course, if the spammer is being paid per hit, the advertiser is spending a lot of money to advertise to /dev/null, so it's unlikely that they'll continue the current business model.
I've also got it on the advice of a Federal Court judge (who is blind and can no longer read his e-mail in public places because he's too embarrassed by all the penis enlargement spams being read by his screen reader) that, since they've solicited my visit AND been warned on my website, there's very little the spammers can do about it. (Even so, I'd be hauled up in front of him, and I know how he feels about spam...)
Such a program could be very popular with the general public, since there's a definite feeling of satisfaction. But I think it should also be distributed anonymously. Spammers are likely to DoS any download sites and flood any mailboxes.
Sure, this is essentially a denial of service attack against the spammer. But the spam itself is a denial of service attack against MY mailbox, and nothing else seems to be able to stop it.
Any Windows programmers out there?
Sending spam in most places is becoming illegal; however, proving and prosecuting these ppl is extremely difficult. I'd suggest implementing large fines [% of total income increasing if they are repeatedly caught] (and a public register) for businesses that employ spammers, either directly or indirectly.
That way if/when they are caught they get:
1) Fined
2) & the Loss of good will because it's publicly known that they use spammers.
Should see banks, mortgage ppl and others drop them like, like... um spam
I think it's a bit ridiculous to assume that this is actually happening. The original story asserts that it is, but frankly, it sounds like an unsubstantiated rumor to me.
I am in the process of starting a legitimate company that has nothing to do with anything sketchy such as spam. In the process as I have to read through all of the legal forms, I am finding that all banks and credit card processing companies are cracking down and won't allow a huge number of services - many of which are arguably very legitimate compared to spammers.
We know that they get their ISP to block them out. We know that the banks and the CC processors block them out.
I think I could probably figure out ways to still do the computer side - but I must say that I'm not sure how these guys are doing the banking side.
I don't know how they are collecting the payments for their services, and I don't know how they are explaining those payments in taxes and the like.
It seems that if you want to stop them - that is the place to block it - but I don't even know what the process is.
There are some odd things afoot now, in the Villa Straylight.
I did see this program in operation but I haven't been able to find it for many years. It was called 'Hand of God'. Give it an email address (such as the reply address to those mortgage spammers) and it would register it with 10,000+ pron website mailing lists.
The GEEK shall inherit the earth...
One fellow who frequents news.admin.net-abuse.email dutifully fills out the forms for the mortgage spammers - with a bogus name that will trigger his memory of which spammer it was, but a valid phone number, and a ridiculously high income. Then when the mortgage brokers call, he flips through his file of mortgage spams, finds the one that got this "lead" and explains to the caller that he bought a lead from (pick as many as apply): A proxy abuser, a Chinese spam-gang hoster, a kiddie-porn spammer, a penis-pill/patch spammer, a convicted cocaine dealer (Eddie Marin, for example), an illegal pharmacy spammer, etc.
Then he explains that he has started publicizing this method, and that any future leads purchased from the same source will inevitably have a higher chance each day of being absolutely bogus - and that the same method is being used on *all* mortgage spammers, so any source of leads that turns up two or more "bad" leads in one day is probably a spammer, and eventually the leads from that source will be more than 90% bogus.
Another approach is for the "prescription drugs" spammers. Simply print the spam, use a "safe" browser to visit the spamvertised Web site and print a copy of it, and snail-mail the spam and the Web site (with whois contact details if you want extra credit) to the US Food and Drug Administration with a short cover note: "Is it legal to sell prescription drugs over the Internet with a doctor's examination?"
brilliant !!
I think to be truly effective, have to go one step further, place an order, then ask for return on credit card: either they do the return, which is a loss for all the time spent on the original S&H, or they dispute, u go to card company, complain and voila - a small number of complaints, spam no more
Hey! The parent posted a very nice shell script!
Fire and Meat. Yummy.
I just saved $150 on my car insurance by switching to Geico!
http://cltracker.net -- powerful craigslist multi-city search
Then sells the spammers the trick to circumvent it.
Sites would put up paying ads and then flood the company with bogus click-thrus to rack up commissions.
The result:
No more pay per click companies. Those who "pay you to surf the net", have a pool from the advertisers. The pool is then divided amongst participates. You can then only screw over other participants if you don't get caught. Advertisers get the same amount of legitimate click thrus without having to pay out the ass for bogus ones.
If on-line advertising has taught us anything, it's that trying to screw over the advertisers lowers the profit, which results in more aggressive advertising to make up the difference.
Hence pop-ups, pop-unders, flash ads and click thru ad pages. All in an effort to make up for lower per ad view commissions.
It sounds like a marvelous idea but it will most likely end up biting everyone in the ass.
Ben
Work Safe Porn
>>>What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?
Hunt them down like the dogs they are.
Everyone is aiming at the wrong target. To stop spam effectively, you need to understand the underlying problem.
The underlying problem is that arseholes can send emails to you with complete and total impunity. By the time the email has got to you (or your mailbox) it's already too late. The spammer has won.
The current email system was not designed for the 21st century. It does not have a method of preventing spam.
The solution will only come when a new email system is in place.
The new email system, i.e. vmail, in my mind works like this.
1) All email senders must have a self-generated certificate, i.e. a private key/public key system.
2) When a vmail receiver receives a vmail, the vmail client checks the digital signature of the incoming vmail. Only those vmail signed by a certificate in the vmail receiver's whitelist are allowed. All other vmail is deleted without any reporting to the user.
3) The vmail receiver obtains all the vmail certificates (which are just public keys) of his vmail correspondents and puts them in his whitelist. By convention, a person's vmail certificates are available to anybody on their website/homepage.
4) For a (public or private) company, their vmail certificates are also publicly available on the company website. The company may send a (snail) mail to its customers or suppliers asking them to load the company's vmail certificate onto their whitelist.
5) In the rarest event where a vmail receiver has received a spam, he may click a button on the spam and find out which vmail certificate allows the spam through. He could then send a courtesy mail to the owner of the vmail certificate to inform them that their certificate has been compromised. He then removes the vmail certificate from his whitelist.
6) To send a vmail to someone who DOES NOT have your vmail certificate in their whitelist, you must first buy a once-off certificate from the US post office. The once-off certificate is called a v-stamp and costs US $1 each. Signing your email with the $1 vstamp, you can then send the vmail to that person.
1) Generate 10-100X the number of requests to same URL or URL's
2) If large number of spam messages are sent, the response will be equivalent to a Denial of Service attack. No meaningful response will be possible.
3) If the message was mistakenly identified as spam, then the response will be quite manageable and no harm done.
But...
4) A malicious spammer could send a large spam distribution with URLs that point to 'other' sites, thereby launching a DOS attack on anyone of their choosing.... hmmm.....
Oh. well... I thought I had something there...
Maybe keep an extensive list of 'No big response load (DOS attack) here' sites???
/* No Comment
...in prank format. Today's update (11/17/03) dealt with a lottery bank number scam, but the best one was when Lowtax attacked the Nigerian bank dude. http://somethingawful.com/articles.php?a=411 --Petey
Couldn't we just convince the music industry that spam somehow cuts into their profits, thus leading to many outrageous lawsuits to "fight piracy" ? after all, suing spammers can't be much harder than suing teenage girls... -Kenderific
The point of this is that there are legitimate companies receiving the referrals from spammers, often through many layers. For the life of me I can't find the story, but a reporter created an email address & a fictional persona to go along with it. The email address was seeded in forums and the like relating to home loans and mortgages. They started receiving spam and responded to several with requests for more information (using the fictional name/address and some identifier for that specific email). They eventually received mail from large mortgage companies and thus the process began. The reporter contacted each company and explained what they had done and would they please investigate. I think only one company really did, but eventually the information was traced back through 15 different referral companies and several countries and eventually ended with the spammer kicked from the referral program. The big discoveries according to the reporter were 1) This information was making its way to nationally recognized corporations and 2) The amount of money that exchanged hands from beginning to end for these names and addresses.
If you can flood the referral program with large amounts of innocuous, but bogus information, the spammers will either make a stronger effort to target their mailing lists or companies will pay them jack squat for each referral.
[Fuck Beta]
o0t!
Why not send out spammer reply-to addresses to other spam lists.
Let the poor creatures work against themselves.
Moo
Since virtually all spam is arranged to prevent automatic replies from working, you have to examine the body of the message in order to find out where to reply.
So, you're telling me that not only do I have to waste time to delete spam, now I have to read them and send a bogus reply too?
And this helps me exactly how?
Plus, spam is a huge drain on network resources. So you're saying the fix for too much bogus mail is -- wait for it -- more bogus mail?
I don't think those strategies are going to work.
Of course, I'm biased. See my sig.
I've suggested this idea before, even submitted it as an Ask Rejectiondot. I'm glad to see others have had the same thought.
The important thing is to generate responses that waste their time: Tie up their customer service lines. Place and cancel orders. Check your bill carefully and do chargebacks for anything that's not cancelled. If they get too many chargebacks, their merchant accounts won't last long.
For spam that simply gathers names that get forwarded to "reputable" businesses (who swear none of their agents are spammers), fair is fair. A barrage of time-wasting calls will encourage them to be more careful about who they accept leads from in the future.
I'm game. The war on spammers starts now.
Spam that.
Spam is a minor annoyance, and the article proposes a minor solution for it. Spamming the spammers is something that can be done in 5 minutes, while I'm sitting on my arse in front of the computer. Solutions to the world's major problems (war, hunger, plague, etc) require a little more time and resources. Do you have any practical suggestions on how one can stop Mideast bombings, avert World War III, end famine, and/or save people with AIDS in Africa? (preferably something that can be done in 5 to 10 minutes/day without leaving one's desk) Or were you just hoping for a "+1, wow man, that's like deep" moderation? If the latter is the case, try posting on K5 next time, that sort of stuff is much better-received there.
0 1 - just my two bits
If formfucker doesn't have a good time delay between signups then they could delete the records between time A and B. Finding times would be obvious with a count(*) group by hour (or minute) type statement. Or maybe I give the spammers too much credit.
FormFucker should probably sleep a random interval between submissions.
The bigger problem, which would make it easier to filter out, would be IP address. Your spammer gets ten responses from the same IP address, all with different data, and they're clearly bogus. So the usefulness of FormFucker is limited to being used once against each spammer from a given IP address.
Many times, I'm seeing the forms have an ID number of some sort which would be passed when the link is followed:
A HREF = http://www.spammer.com/form.pl?recipent@email.com
or
A HREF = http://www.spammer.com/form.pl?ID=666
Again, same problem. Different data from ten submissions with the same ID or e-mail address, and the spammer knows the data is garbage.
Same if the spammer crosses a randomly-generated e-mail address against his list and finds that it's not there. Garbage data, easily culled.
Furthermore, if you run FormFucker, the data would have to include your e-mail address or ID number so the spammer can't weed it out as illegitimate. What's he gonna do when he finds out that it's taken him half an hour to pursue your dead lead? He's got your e-mail address, and because you fought back against his assault on your mailbox, I'd bet money the bastard would pull a joe-job on your address.
FormFucker is a great idea, but I wouldn't use it on the spam that comes into my e-mail addresses.
Fire and Meat. Yummy.
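The culling checks the two comments above describe (a count(*) grouped by hour, many different answers arriving from one IP address or one ID, and IDs that were never issued), written out as an added example that is not part of either post. The table layout, the thresholds and every sample row are constructed assumptions.

```python
import sqlite3

H0 = 297000  # constructed base hour index (unix_ts // 3600)

# IDs the form owner actually handed out (constructed); anything else is unknown.
ISSUED_IDS = {str(1000 + n) for n in range(12)} | {"666"}


def build_sample():
    """Constructed submission log rows: (unix_ts, source_ip, tracking_id, name)."""
    rows = []
    # Organic traffic: two submissions an hour, each from its own IP and issued ID.
    for h in range(6):
        for k in range(2):
            n = h * 2 + k
            ts = (H0 + h) * 3600 + 600 * (k + 1)
            rows.append((ts, f"192.0.2.{n + 1}", str(1000 + n), f"user{n}"))
    # Back-to-back automated run: one IP, one ID (ID=666 as in the post), 12 names.
    for i in range(12):
        rows.append(((H0 + 2) * 3600 + 5 * i, "203.0.113.9", "666", f"fake{i}"))
    # A run that sleeps between submissions and invents its own IDs.
    for i, h in enumerate((0, 1, 3, 4)):
        ts = (H0 + h) * 3600 + 1234 + 97 * i
        rows.append((ts, "198.51.100.7", f"x{9001 + i}", f"bogus{i}"))
    return rows


def load(rows):
    """Load the rows into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE submissions (ts INTEGER, ip TEXT, tracking_id TEXT, name TEXT)"
    )
    db.executemany("INSERT INTO submissions VALUES (?, ?, ?, ?)", rows)
    return db


def burst_hours(db, factor=3.0):
    """Hours whose count(*) exceeds `factor` times the median hourly count."""
    rows = db.execute(
        "SELECT ts / 3600 AS hour, COUNT(*) FROM submissions "
        "GROUP BY hour ORDER BY hour"
    ).fetchall()
    counts = sorted(c for _, c in rows)
    median = counts[len(counts) // 2]
    return [hour for hour, c in rows if c > factor * median]


def conflicting_keys(db, column, min_distinct=3):
    """Values of `column` that arrived with at least `min_distinct` different names."""
    # The column name is interpolated into SQL, so it is checked against an allowlist.
    if column not in ("ip", "tracking_id"):
        raise ValueError("column must be 'ip' or 'tracking_id'")
    query = (
        f"SELECT {column} FROM submissions GROUP BY {column} "
        f"HAVING COUNT(DISTINCT name) >= ? ORDER BY {column}"
    )
    return [row[0] for row in db.execute(query, (min_distinct,))]


def unissued_ids(db, issued):
    """Tracking IDs present in the log that were never handed out."""
    seen = db.execute("SELECT DISTINCT tracking_id FROM submissions")
    return sorted(t for (t,) in seen if t not in issued)


if __name__ == "__main__":
    db = load(build_sample())
    print("burst hours:        ", burst_hours(db))
    print("IPs, many names:    ", conflicting_keys(db, "ip"))
    print("IDs, many names:    ", conflicting_keys(db, "tracking_id"))
    print("IDs never issued:   ", unissued_ids(db, ISSUED_IDS))
```

In the sample, the run that sleeps between submissions stays under the hourly threshold but is still caught by the per-IP and unissued-ID checks, which is the limitation the second comment raises.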
- You have a java application that scans a website, identifies HTML input tags, and figures out how to fill out the form with plausible, although fictitious data.
- That application submits the generated data and ensures success by checking the http response code to the submission. Rinse and repeat.
- The application can pound about 100 submissions per minute on a broadband connection.
- The full source and app are released on sourceforge about a week from now under GPL.
- Anyone who gets some insipid email can run this app without having to create HttpUnit or HtmlUnit scripts.
- App is console based, uses java.io, java.net and java.util packages only to make install easy and ensure cross-platform reliability.
- "Random" string-based data (names, streets, cities, etc.) is contained in text files that users can maintain on their own making it difficult for spammers to identify bogus data and produce countermeasures.
- No site to check for "orders", you control where your app will pound, you are responsible for employing it wisely.
Instead of using humans to respond to computers, let's have the computers do the work, eh? Isn't that what they're for?
grab ch-eap softwares b4 all sold out
Screwing with my filters makes me mad
The URL points to http://www.cdcheap.biz
The server is already running slowly so voice your opinion against spam and visit their page.
http://thespamletters.com/
Sig? What Sig?
The advantage of a method like this is:
- You would not have to waste your time to answer each spam. A single click and it's done.
- Companies that really have to make a budget for handling spam probably already have high bandwidth connections, the idle cycles of which could be used to send these billions of spam-responses.
- It would be done automatically and in incredibly high volumes.
- Spammers would receive so much spam themselves, which they could not filter or distinguish from real responses, that they would essentially be put out of business.
I think such a system would be good.
You don't want a filter automatically doing anything, because of joe jobs.
But instead, perhaps there is a solution which works like this:
1) A service is established much like the various blacklists, wherein volunteers manually determine which links from example spams really are spammer websites, as opposed to joe jobs. Once every while, they collate a nice list of spammer links.
2) Zillions of willing slashdotters have eggdrop bots listening in on a previously determined IRC channel(s).
3) Every once in a completely varying while, the Moderated DDoS service sends out a very special message -- there needs to be some encryption for authenticity here -- across that IRC channel.
4) Simultaneously, every one of those eggbots passes the list of URLs to a little script which proceeds to, simultaneously, hit the relevant links.
Participation is wholly voluntary. Humans make sure no joe jobs slip into the system, and only authentic spammers are targeted. The use of IRC means there can be little to no warning to the spammers. Heck, if folks want, they can run their anti-spammer bot silently and not even be bothered by its behavior.
OTOH, any such app should report periodically to the user how many spammers have been hammered, so they get the rosy glow of satisfaction.
-*- Any technology indistinguishable from magic is insufficiently advanced -*-
I'd love to see some system where you have to pay me to send an unsolicited message (special client software and central server to keep track of payment/transfer/refund mechanism).
My system would auto generate some email requesting the person to pay because they aren't on something like a white list.
Of course this would require users to register accounts with some real money so that these virtual transactions can occur.
If a friend who is not on my whitelist tries to email, they have the option to forget about it, contact me in person, or make the payment and then allow me to make a refund (yes, this could be abused if the party you send to never refunds).
Of course you need some unified system to set up accounts, hold money and then allow payments to be made and transferred (with little to no overhead on the transactions). And then new email clients or agents would have to be created (or even run at the ISP level) to take advantage of the service.
If it cost the unsolicited spammer money to reach me, would they be willing to pay let's say even 25 cents per bad email? The incentive would be to only target real customers.
But alas, spammers can really only be dealt with if the way in which email is handled globally changed. Good ole pop3 and smtp/imap etc etc in their present form don't cut it. New standards have to be set and companies have to get on board to produce new software.
The root cause for these woes is more about how email is currently handled, and fundamentally that will be the only effective solution for curtailing spammers.
That could be Bayes filter poisoning. BOT sent spam to spoil Spamassassin scores. It may not work, but they seem to be doing it. MB
I am a viral sig. Please copy me and help me spread. Thank you.
And write 'spammer' with their blood.
That will teach them.
This is stupid. It defeats the whole purpose of hating spam. While replying to one percent of my spam hypothetically would do what the OP claims, in order to do this I would need to read the spam.
I do not like reading spam.
I don't like looking at it at all. It's a huge pain in my ass to review all my messages every day, so I can train my Bayesian filter on what's spam and what's not. Even reading the subject lines is more than I (and others I'm sure) want to do. We want the spam to go away, or at least be hidden from our view.
I think that if you have to interact with the spam, by reading and replying to it, the spammers have won...whether or not you buy anything from them. The bad thing about spam is not the scam that these scum perpetuate, it's the time and effort they make us constantly waste.
"A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
I hope this isn't a quintuple-redundant posting.
I've often marveled at the slashdot effect.
I've wondered what would happen if each of us kept, within the sanctity of our journals (of course) lists of wearisome spam sites, particularly annoying open relays, gross offenders (like the asshole who keeps writing to me on behalf of "irs.gov" via my own freaking email server...).
Thursdays are kind of boring.
DUCT TAPE: The Election Supervisors' Secret Weapon
1) No, the entire argument is completely irrelevant. Why? Hell if I know, but I'm sure it's been rendered obsolete by some J2EE project that Apache's working on, based on something Bill Joy mentioned while shooting hoops in college, but hasn't had time to implement.
/. discussion until someone plays the 'moron who probably can't properly use the word "its" in a sentence, but gets all bent out of shape over a trivial misspelling' card.
2) Nore? What the nell is nore? It can't be a
I think, short of a massive number of hot grits/Natalie Portman/goatse/penis bird comments, we're done here.
ceci n'est pas un sig.
Nuke 'em from orbit, it's the only way to be sure.
Well, this isn't exactly a me to post because you seemed to mention a theory... I actually have gotten angry emails from people telling me that I am an evil spammer. Someone spoofed using my email to send a ton of spam, so all at once I got all this email telling me how evil I was. It was not cool. : Unfortunately, a lot of spammers DO use webpages or phone numbers instead of email addresses to sell their chrud.
"Never, never suspect the dreams within the dreams of dreaming children." ~The Amazon Quartet
Imagine a slashdot-like site where concerned members "submit" links to spam/webbot/cc-phisher sites with a short description, and subscribers moderate them.
If it gets enough mods, it gets inserted into an RDF feed.
The same site publishes a series of simple scripts or libraries that download this RDF feed and use a variety of nasty tricks to the servers (real and virtual) them.
By default, we could have the "use any remaining bandwidth to constantly download all images with bogus referrals" mode enabled in the downloads.
Since most techie users are at the end of an asymmetric fat pipe, why not put it to use? It's like Folding-at-home, only it's used to combat spam or other nasty sites.
I have written a number of scripts that do such things to a list of URLs. The next one on my list is a resource-hogger that spawns a few tens of threads that open connections to the server, accept data slowly, then cut out halfway through the "Content-Length". With a handful of people running this, soon connection refused messages will be popping up. It'd be light on the bandwidth requirement too.
(has anyone written a "hack" like this? I don't want to re-invent the wheel)
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Counter-attacking won't work, since it would make it attractive to create apparent spam from good companies or other places.
I don't have to out-sell you, if I can shut you down technically or through negative publicity.
i.e. evil company "Evil Inc." causes spam to be sent in the name of "Good Inc.". Counter attacks hit "Good Inc."
"Evil Inc." laughs all the way to the bank.
If you have found infallible humans, please let us all know about the great discovery! The spammers aren't stupid. They will make it harder to figure out if their site is a spam site. They could deliver legit content for 50% of views. So half the humans think the site is fine and half don't. It would take real humans quite a while to investigate a site. And aren't you going to give the ISP time to take action?
Basically with taking vigilante justice like this, how much "collateral damage" are you prepared to accept? What will happen if a mistake is made? What if the ISP was fooled and has cancelled the accounts, but the DDOS happens anyway. What if you were the victim of a mistake?
The site is going to be most useful to the spammer for its first 24-48 hours of existence while the spams get delivered. After that the usefulness decreases. The vigilante justice would have to act really quick in order to have an effect. How will you ensure there are no mistakes?
Far better measures are taking action like the current RBLs. They deny service to others. If someone tries to contact your mail server, you can decide to allow them access or not. You can extend this to the web by disallowing outgoing connections to spammer sites. That will deny them their "customers" just as effectively. And if someone is mistakenly on the list, they can always try and get taken off it. The collateral damage is far less. Each site also gets to choose which RBLs they subscribe to, hence being in control of their own policies.
Another way we might attack the spammer's business model is to create new rules for selling email addresses. For example, we could require that every company track where each email address in their mailing list came from. Furthermore, when the spam victim requests to be removed from a mailing list, they must pass this request to the upstream mailing list provider. Essentially we are creating a reverse-viral effect.
The effects I see from rules like this are that people selling CDs with 200 million email addresses would go out of business because they could not afford the tracking required, and that people who do sell mailing lists would check their customers out carefully, because one bad customer could result in every email address in their database requesting to be removed.
Any thoughts?
And I've noticed a large increase in spam containing random letters, words, etc. to throw off Bayesian and other filters. I'm somewhat against blacklisting servers. I have come to the conclusion that the content of the email message can no longer easily be checked for spam with things such as Bayesian filters. I have started thinking about programming something, perhaps in Python, that takes out links at the server, downloads the content of the links and determines the email's credibility through the credibility of the sites it links to. Anyone interested in taking up the task? Or has something like this ever been implemented? If not I'd love for someone to go start up a project on SourceForge, I'd contribute as much as I could. I would personally start a project on SF but time is something I lack anymore. Does anyone find anything wrong with this approach? Does anyone receive spam that doesn't have links in it?
-Steve
The first solution may shift the business to off-shore, that only reduces the spam rate. One of the technology which prevents the spam that comes to my mind first is the public/private key exchange. It is a little hassle, but people can get used to it quickly if they have to, with a nice interface. It is the initial forced-switch that makes it hard to realize.
Today, the only way to make one of these happening is making the e-mail COMPLETELY in-useful, that way it may get the attention of those who do not use it often, or who don't use at all, but have the power.
For example, if everybody (say most of us) becomes a spammer, and starts to send (at least try to send) a million spam mails a day, nobody can check the real mails they may get within hundreds of spam mail in their mailboxes. And, due to the load on the internet, all systems start to slow down. At this point a solution becomes ABSOLUTELY necessary, and I am sure that that kind of situation accelerates a search for a better system.
So, the general solution is making the current e-mail protocol out of control to the highest degree possible.
So don't expect too much anonymity, but on the other hand, if you've got a domain name, you might as well have some believably-named subdomain like mail.yourdomain.com or smtp.yourdomain.com or free-email-accounts.yourdomain.net that's strictly a target for spam, with a few attractive-nuisance emails scattered around the web... At that point it becomes another probability game - 99.999% of them will ignore the fact that you're attacking them, and 0.001% will get pissed off and harass you or joe-job you.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Of course, that mainly applies when the leads get sent in directly, like Viagra sellers, as opposed to web page readers or pump&dump stock scammers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If laws were passed that for every deal one could reverse any payments and be allowed to keep the goods, there wouldn't be any spam business.
The only thing I can't solve is that it could entice sick people to send spam themselves: "Hey Apple sent me spam for G5 superclusters and 17" PowerBooks" to get the goodies for free.
Bert
PC manufacturers are guilty of perpetuating monopoly abuse by M$ until they include a partition with Linux pre-installed
As a guy who gets Joe-Jobbed every six weeks or so because I'm only mildly vocal about being anti-spam, I have to ask: What happens if everybody doesn't do it? The vocal few are going to be punished by the spambags.
Don't get me wrong, I don't think we oughta let the bastards win any victory, even the smallest. I believe that the best thing we can do is to convince those within our sphere of influence that there is NEVER a legitimate reason to respond to a spammer.
Warning: This signature may offend some viewers.
On the other hand, credit card companies, who probably don't view spam as much different from junk mail, really don't like chargebacks.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
"reply to this so I know your address is valid" auto-response, or a "type in the number from this JPG" Turing test.
Some of these might become popular, some might not, but they have the advantage that you don't have to enforce them on everybody in the world before they work - you only have to enforce them on people who want to send mail to _you_.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
OK, I didn't quite leave it parked in Manhattan with a big "Steal Me" sign on it, but it wouldn't have broken my heart if my 150,000-mile rusty Ford had gotten stolen back in the mid-80s :-) Actually, somebody did break into it in the train station in New Jersey and broke the dashboard while unsuccessfully trying to steal the Ford OEM boring radio, and the $180 I got from the insurance was more than I eventually got from selling the car...
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
it's running about 98% accuracy with zero good emails getting filtered as spam.
So why didn't you write me back last week about the User Friendly cruise. Are you going or not?
(just kidding)
The truth shall set you free!
You are right, that wouldn't work. But this would: http://ppedriana.homeip.net/blog/SpamScreensaver.html
Only true spam sites would be on the list.
has anyone actually clicked on the link saying mortgage spam is $50?
The link goes to a /. posting which was modded as 50% troll.
Spammers have a 100% method of separating real submissions from bogus ones - the presence of a valid credit card number.
If the check digit at the end of the CC number is invalid then delete the submission.
You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
Oh great! Where can I get the software that spammers use? I could start sending each spammer 10,000,000 variations of "Sod Off" in individual emails ;) Would that piss them off slightly?
RebateFX.com - Spread rebates for Forex traders
i am always wary of suggestions to fight spam with more traffic.
I must inform you that you are fucking stupid.
Obviously all Nigerian scamsters work with credit cards.
I must pitch in a plug for these guys again. I've been running their Outlook plugin since it was in beta (maybe a year or more ago now) and Spam simply isn't a problem anymore. I see maybe 3 or 4 spams a week on an email account that's 6 years old and has been used in many hundreds of places for registration over that time. It catches 99%+ of all spams with false positives extremely rare.
I've been doing this for years offline. Every single Crapitol One offer I receive in the mail I make 10 photo-copies of the business reply mail envelope and mail them all back. Those freaking bastards.
SCO: 800-726-8649
Verisign: 800-361-8319, 888-642-9675
Diebold: 800-433-VOTE (8683)
What is the source of the info that spam works? That's right, it's the spammers. Spammers tell you that spam works. Bzzzzt! Rule #1: Spammers lie!
Who are the spammer's customers? No, not you who get the spam. The spammer's customers are those who order spam services. And there are enough idiots who buy spam services to make those 180 spammers very wealthy.
Even though the spammer's customers get burnt once and stop, well, some of them are probably stupid enough to try several times anyway, there are enough of these morons to keep it going for a very long time.
They're not making a single sale, not even 0.0001%, but that doesn't matter, because the spammer got his money, and that's why this continues.
So, if you want to end spam, forget the spammers: Go after those who purchase spam services instead.
Well, that's my theory. It may not hold up, but after all, this is /.! :-)
Employee of Inrupt, Project Release Manager and Community Manager for Solid
At first I understood you meant a thing like "Let's answer to their mail, it will make prices fall", but it sounded really too weird for me.
:
:)
But now I read the article twice, it seems to me you wrote something like "To fight the spammers, let's buy their products" ? Sounds still a bit weird for me.
Really, I think that the best way to fight spammers is to
1- Never answer
2- Whenever possible, block their emails to the root, meaning at SMTP level
3- Let the law break their business
Oh and by the way, install PopFile
____
nico
Nico-Live
After playing the game a couple weeks, I reported his banking connection (a real person) to the London Met Police and his email info to his ISP (SIFY of India - *great* customer service!) and had his accounts terminated. That was a laugh and a breeze.
If you look for the lifelines of 419 scammers, they have their email and their banking connection. Shutting down their email account fast makes their spamming futile. Shutting down their banking connection is harder, but very painful for them. Bottom line: MeThinks 419 scamming will stay benign, they're too easy to wipe out.
Looking for the lifelines of the real spammers (the Viagra, Mortgage, Patches etc. stuff), there are three: Ability to send loads of email, ability to receive responses (web site or phone number) and ability to receive money. Kill any one of these, and the situation is solved.
The ability to send email is tricky to fix. We all want that email can be sent freely, preferably for free. Fixing/replacing SMTP to include authentication would be great! But we're still awaiting news from this front.
Hitting their web sites could be done in several ways. Proper legislation could make it a felony to operate spam-advertised web sites, and they could be taken out. If spam filters included the ability to automatically spider the web sites referred in the mails, they would have to pay for loads of useless traffic to their sites - and their ISPs would look at disconnecting them. It's not a DoS attack per se, we're just making backup copies of potentially useful information :)
And for hitting back on their payment options, there was an excellent suggestion earlier that the FTC take care of this. That looks very cool. Much better than more laws that are not enforceable anyway :) So clearly an FTC issue if I ever saw one.
Getting the spammers on any one of these three lifelines would be sufficient - getting them on all three would be very, very effective.
I'm in a Unix state of mind.
Just string 'em up and castrate 'em.
There is a better way, the ISP's are really sensitive to spam, so I email the offending IP to the ISP, attach the headers and the account is closed and this user is banned from the ISP, how many ISP's do you think we have here??? :-)
I didn't receive spam for the last month.. works in here..
how about other countries? I tried the same also and didn't receive spam from them too..
There is the propaganda approach to this of course where stories describing the untimely demise are made to appear on trusted news sources like Slashdot (tongue just poked hole in cheek).
Go for it! I have suggested this before, and the www.419eater.com site seems an excellent example. Since law-enforcement seems toothless, it seems that legit computer users have to find a way of giving spammers a taste of their own medicine.
Spam is getting increasingly out of control - blatant cons and scams, child pornography, 419 scams where some people are actually ensnared in schemes and *murdered*..
Spam is ruining the internet for legitimate users, and costs $millions in wasted time and resources.
A single web site would probably just get a DDOS attack, so some large web ring or kazaa type network of anti-spam sites would be needed.
So set up a fake email address and follow the spam through.. Have any old no-longer-used cheque books in a drawer? Or maybe a good, altered, color copy of a Money order? Fine, just write the spammers loads of rubber cheques. Or fake Money-order wires? Or maybe even fake card numbers - until such time the banks/card companies take the problem seriously and stop adopting spammers. Eventually the few legit companies that use spam will stop doing so.
Attack the sources of finance, and spam will crash to a halt..
(well, easier for me anyway)
A short C program to randomise the identification codes in a spam, a web server, and a downloader such as WebReaper.
From a spam I take the URL, e.g.
http://spammer.com/script.cgi?id=12345 and convert it to
http://spammer.com/script.cgi?id=#####
the C program loops over this N times where N depends on how hacked off with spam I'm feeling, converting the # to random digits and adding the new URL to a .htm file. I publish the htm file on the WinXP webserver, then set WebReaper to download that page plus everything linked to it to a depth of 4 servers (the original page, the spammer, the friends of that spammer, and the friends of those twats). Oh, then I shift-Delete the lot, restart WebReaper, and repeat until bored.
Most of the time it just hits single webpages with nothing but a graphic, but sometimes it hits gold and downloads gigs of stuff. Of course this does nothing for my bandwidth, but it makes me feel better.
I've been getting bounces from these ass^H^H^Hspammers for months:-
i l.de
LIMITED TIME OFFER:
Buy any level 2 or 3 Lead packages starting at just
$25.00 and take your pick... Double the leads, or
we will send your ad to the leads! All at no extra cost
to you!
If you are tired of old, worn out, undeliverable, poor
quality, lead lists than you need to at least look at our
web site (http://www.lastleads.biz) We offer premium
quality optin leads at below wholesale prices! We never
sell any lead more than 3 times and we verify each lead
one by one. If you ever have a problem with any lead for
any reason just contact us and we will replace your
unusable leads with fresh leads! NO QUESTIONS ASKED!
We will also beat any deal our competitors offer and
were not afraid to prove it!
Email Addresses:-
hostmaster@spyproductions.com
lastleads@firema
lastleads@hotmail.com
Phone numbers:-
1-877-667-9622
1-302-369-3060
Vigilante tactics are pointless - why should I pay to have to download their crap in the first place?
The obvious solution is to make THEM pay for the cost of the email. The fact that recipients pay to receive email is the sole reason why we get spam in the first place:
http://spamtax.gurtlush.com
[Yes, micropayments again.....]
Most spam I receive (to the tune of 150-250 per day) seems to revolve around a few subjects:
1. increasing penis length
2. buying porn
3. illegally buying prescription drugs
4. Various stocks and Nigerian scams
5. All the rest
I realize that you can't really protect boneheads from themselves on #1 and #2. However, you'd think that governments would be more proactive about sitting on #3 and #4. After all, if I sat on a street corner and claimed to sell Vicodin and Viagra, I'd be arrested. Why not pursue those idiots online and shut them down? Same thing if I sat on a street corner and fleeced people out of thousands of dollars. Why *isn't* there more action from our governments?
Cheers,
I'm convinced there's a better way to do email.
In short, Only send 80 char max notifications, and make the sender keep the email on their own server for the receiver to go get by himself.
The problem with spam is that once it's in the system, it's totally trusted, and the system bears the cost of transport and storage.
If you shift the cost to the sender, spam won't be economically viable.
If spammers have to hold spam on their own servers, the servers will quickly be found out and blacklisted.
The greatest benefit is that real geeks like us will shut down or blacklist spam servers before grandma and joe q. public do their weekly email check.
Q: What about Spammed Notifications?
A: will still be an improvement over full spam emails, and takes a lot less time to download.
Q: Will mailing list servers require lots of extra space?
A: not if you consider them mailing list archives as well.
Q: How does this work for the average user that has an account with an ISP?
A: You send your email to your ISP via SMTP, just as always. Your email remains there on the server, and the server sends a notification to the final destination. The final destination then chooses when it wants to pick up the mail from the ISP's server.
As for receiving email, your client will need to pick up from many different POP3 servers, rather than just picking up from one as now.
User Stories:
A Spammer registers an account with an ISP, and sends lots of Spam.
Result: That spam remains on the server until the spammer uses up their storage quota and flags the sysadmin (who should immediately kill the account and any non-picked up spam)
Or the public blacklists list the user@host once the first few spams have been picked up, and that user@host is not accepted by clients that check blacklists.
A spammer sets up their own server, and sends lots of Spam.
Result: the server is listed in the public blacklists, and is not accepted by clients that check blacklists.
A spammer tries to forge an email sender.
Result: your client can't pick up an email from a server that doesn't exist.
I'm working on a prototype server that does this, but it's not finished yet... I'd like to hear any responses to this idea.
Shae Erisson - ScannedInAvian.com
The problem is that most of the spammers do not advertise their own product, but get paid for the number of hits.
People need a service that they forward the SPAM to, marked as SPAM. The service would then generate thousands/millions of fake responses back to the spammer, with valid, in appearance, emails, and other information.
Use your head, can't you, use your head,
You're on earth, there's no cure for that - S. Beckett
That is a very good idea, and just out of my own sick curiosity, I'd like to see this program you speak of hosted right here on /., just to see if anyone would take on the nerd Mecca itself, and if so, what miserable fate would befall them.
Right, and how do you know if the spammer actually wants a reply, or the spammer actually wants to "joe job" someone?
Say you annoy someone enough and said someone finds out your email address (often easy). That someone then sends out tons of spam, using your email address as the contact address and reply-to address.
Have a nice day, thanks for playing.
I think the real problem to this approach is that this would reduce the profit margin on sent emails. That means that spammers would be forced to send even more email to counter the reduced profits.
The spammers would lose some of their borderline legitimate customers (such as the mortgage people) because the increased overhead would be too much for them to cope with.
Unfortunately, although this hurts their current business model, what it would do ultimately is shift their business model. I predict that we'd start receiving a lot of spam for porno sites and the like, who consider any traffic at all to be good traffic, and if nothing else, it would get impressions made on their ad banners. Now (especially if these systems are automated) the spammers are richly rewarded for sending more emails.
I think the appeal of the original suggestion is that it gives us an opportunity to feel like we're actually accomplishing something and taking a personal part in the fight against spam. Too often we feel like no matter how aggressive we are at fighting spam, there are spams getting past our Bayesian filters, and past our SpamAssassin filters, and past our Realtime Black Lists, and past our Hash Spam Checkers. The ability of spam to get past all of these things demonstrates the versatility and willingness to think on their feet of our spamming enemies.
The problem is really and truly one of a fault in the inherent trust model of the current email system. There is only one answer to spam, and that is an email system with reverse MX lookup capability, where a DNS entry says what server(s) are permitted to send email where the from address is a particular domain. Then we can filter entire from domains in RBLs rather than individual spamming machines, which are more likely than not simply trojaned unsuspecting random individuals.
Slay a dragon... over lunch!
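The reverse-MX check proposed in the comment above, as an added example (not code from the thread or from any project): the receiver looks up which networks a From domain publishes as its permitted senders, and only then applies a per-domain blocklist. The DNS data is a constructed in-memory table standing in for real lookups, and every name and address here is hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS: From-domain -> networks it publishes as
# permitted senders. A real deployment would fetch this with a DNS query.
PERMITTED_SENDERS = {
    "example.org": ["192.0.2.0/28"],
    "mail.example.net": ["198.51.100.25/32", "2001:db8:25::/48"],
    "bulk.example": ["203.0.113.0/24"],
}

# Constructed domain-level blocklist (the "filter entire from domains" step).
BLOCKED_DOMAINS = {"bulk.example"}


def sender_domain(mail_from):
    """Return the lower-cased domain of an envelope sender, or None."""
    address = mail_from.strip().strip("<>")
    local, at, domain = address.rpartition("@")
    domain = domain.rstrip(".").lower()
    if not at or not local or not domain:
        return None
    return domain


def check_sender(connecting_ip, mail_from,
                 permitted=PERMITTED_SENDERS, blocked=BLOCKED_DOMAINS):
    """Classify one SMTP connection.

    Returns one of:
      "malformed"    - unparsable IP or sender address
      "unverifiable" - the domain publishes no permitted-sender record
      "forged"       - the connecting IP is not one the domain permits
      "blocked"      - genuine mail from a domain on the blocklist
      "accept"       - genuine mail from a domain that is not blocked
    """
    domain = sender_domain(mail_from)
    try:
        ip = ipaddress.ip_address(connecting_ip)
    except ValueError:
        return "malformed"
    if domain is None:
        return "malformed"

    networks = permitted.get(domain)
    if networks is None:
        # Without a published record the From domain proves nothing, so a
        # domain-level blocklist cannot safely be applied to it.
        return "unverifiable"

    # An IPv4 address is never "in" an IPv6 network and vice versa, so
    # mixed-family records are handled without special cases.
    if not any(ip in ipaddress.ip_network(net) for net in networks):
        # Typical for a trojaned home machine sending with a forged From.
        return "forged"

    # Only now is the domain name trustworthy enough to filter on.
    return "blocked" if domain in blocked else "accept"


if __name__ == "__main__":
    for ip, frm in [("192.0.2.5", "alice@example.org"),
                    ("203.0.113.77", "alice@example.org"),
                    ("203.0.113.9", "offers@bulk.example")]:
        print(ip, frm, "->", check_sender(ip, frm))
```

The ordering matters: a forged From for a blocklisted domain is reported as "forged", so the domain's reputation is only charged for mail it actually authorised.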
From where I'm standing, a spam email or a reply to one is worth exactly one bullet through the head, each.
...via Unsolicited Commando. It's at www.astrobastards.net/uc. I've been doing this for a month now. And regardless of what many of you think, it's *not* a ddos, so I sleep with quite a clear conscience. Of course, I still hope spammers all get ass cancer and die. *And I never can get url's to work in my posts, so save it.
Charge one penny to send an email.
I for one would gladly pay a penny an email if it meant an end to spam. Legitimate companies have survived for hundreds of years without email advertising, so they don't have to be affected.
Hmmm.
A lot of spam wants you to link to a URL so it isn't possible to fight that
The article says "responding", not "replying by mail".
If you don't know that 99.999% of spam uses forged From: addresses, you've been living under a small rock somewhere deep in the darkest forest for the past few years.
The problem, of course, is that responding by phone or snail-mail takes even more of my time.
That said, responding is the wrong approach.
Spam is a business. So hit them where it hurts: The bottom line. Our current anti-spam laws are misguided at best. They attack the spam mechanics, not the spam business.
Make spamming unprofitable, and it'll go away.
Assorted stuff I do sometimes: Lemuria.org
If I had time to respond to the spam, even 1% of the spam, then I wouldn't really have a spam problem, would I?
Spam is harmful to business because it eats up unbelievable amounts of man-hours already. You're proposing that we dramatically increase the amount of time spent dealing with it, and that's not really feasible in the Bush miracle economy.
how about shrinking their response to 0%?
if everybody was smart enough to not respond, there would be no market.
besides, spam assassin works great for me
For added fun, you could imply that the spammer is actually paying you kickbacks to submit bogus leads. That'll get them shut down in a hurry.
To get rid of spam you do this ...
1) Send an enticing but OBVIOUS spam to everyone.
2) Deny E-Mail to anyone who bites. (You choose the method).
Soon the percentage return for spammers will drop to near zero and they will stop. Even sending spam has a small finite cost.
Spend some time replying to spam with bogus data but a real piece of contact info, like the phone # or email address of your congressman, local politician or public figure. Help pissing off as many politicians as you can, they'll do something about it. -------
If some spammers get paid per click then which ones. I am willing to make a spammer rich if it involves putting their supporters out of business. Eventually it will cost the supporting company so much that they go out of business and hopefully other businesses supporting spammers will pull out before they get cost a lot of money.
I must inform you that you are fucking stupid.
Obviously not all spam is Nigerian scamsters.
I know of several people in Nigeria who could do with a loan - and they could afford to repay it.
Do you think any spammer would be willing to cut me a finders percentage??
As mentioned very briefly above, mailers to a system can be forced to pass a Turing test before their mails are passed on. All email inbound to server generates an auto reply to a locally run server (with mysql?) which asks the user to go to a page like the following: /server/page/mail?mailid=XYZ
mailid=XYZ is an id to the mail which has been moved to temp storage on mysql. It is held there until a user visits the site, or maybe for a 30 day holding period, until the sender passes a Turing test. Queued mails may be viewed by an admin and marked as 'always allow based on {to|from}' or 'always deny' (to save on bandwidth or allow a mailing list)
The Turing test would be a simple 'type the sequence of chars on this jpeg' Turing test (as discussed above - http://ask.slashdot.org/article.pl?sid=03/11/17/2247251&mode=thread&tid=111&tid=126&tid=98&tid=99 )
Once a user passes the Turing test once, their from: address is allowed for an administrator-defined amount of time (30 days, means that even if a spammer goes around manually activating his access to his victims, he has to do it again every 30 days to MILLIONS of addresses, would require an entirely new department to his organisation staffed by humans), or maybe a conversation can also be tagged by the system with a special mail header? :-)
Of course this would generate a lot of heavy volume reply, either back to a spammer, or back to some hapless poor guy/gal who's having their email address abused by the spammer. However, if this system was not in place, these would simply be bounce messages instead in most cases. In the long run it would add very little to the size of a spammer-victim's mailbox, and benefit users greatly, as NO spammer is going to develop a program able to read numbers out of jpegs, or go and activate themselves manually every 30 days or whatever on each user's system.
I'm thinking of coding this some time, maybe as a public domain or GPL project, you'll probably soon hear about it if I get anywhere ;)
http://www.inspircd.org - Modular C++ IRC Daemon
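The hold-and-challenge queue described in the comment above, as an added example (not the commenter's project and not code from the thread): mail from unknown senders is parked under a random mailid, released when the sender answers the challenge, and the sender is then allowed for a fixed period. The in-memory dictionaries stand in for the MySQL store, the six-digit code stands in for the characters that would be drawn into the JPEG, and all class and method names are hypothetical.

```python
import hmac
import secrets
import time

DAY = 86400


class ChallengeQueue:
    """Quarantine mail from unknown senders until they pass a challenge."""

    def __init__(self, allow_days=30, hold_days=30, clock=time.time):
        self.allow_secs = allow_days * DAY   # how long a passed sender stays allowed
        self.hold_secs = hold_days * DAY     # how long unanswered mail is kept
        self.clock = clock                   # injectable so expiry can be tested
        self.held = {}                       # mailid -> held message record
        self.allowed_until = {}              # sender -> expiry timestamp
        self.rules = {}                      # ("to"|"from", address) -> "allow"|"deny"

    def admin_rule(self, field, address, action):
        """Admin override: 'always allow based on {to|from}' or 'always deny'."""
        if field not in ("to", "from") or action not in ("allow", "deny"):
            raise ValueError("field must be to/from and action allow/deny")
        self.rules[(field, address.lower())] = action

    def _rule_for(self, sender, recipient):
        actions = {self.rules.get(("from", sender)),
                   self.rules.get(("to", recipient))}
        if "deny" in actions:                # deny wins over allow
            return "deny"
        return "allow" if "allow" in actions else None

    def receive(self, sender, recipient, body):
        """Return (status, mailid); status is delivered, denied or held."""
        sender, recipient = sender.lower(), recipient.lower()
        rule = self._rule_for(sender, recipient)
        if rule == "deny":
            return ("denied", None)
        if rule == "allow" or self.allowed_until.get(sender, 0) > self.clock():
            return ("delivered", None)
        mailid = secrets.token_urlsafe(16)   # unguessable id for the auto-reply URL
        self.held[mailid] = {
            "sender": sender, "recipient": recipient, "body": body,
            "code": "%06d" % secrets.randbelow(10 ** 6),
            "received": self.clock(),
        }
        return ("held", mailid)

    def challenge_text(self, mailid):
        """Characters the web page would render into the challenge image."""
        return self.held[mailid]["code"]

    def expire(self):
        """Drop mail whose holding period has run out; return how many."""
        now = self.clock()
        stale = [m for m, rec in self.held.items()
                 if now - rec["received"] >= self.hold_secs]
        for mailid in stale:
            del self.held[mailid]
        return len(stale)

    def answer(self, mailid, response):
        """Check a challenge response; return the messages released by it."""
        self.expire()
        rec = self.held.get(mailid)
        if rec is None or not hmac.compare_digest(
                rec["code"].encode(), response.strip().encode()):
            return []
        sender = rec["sender"]
        self.allowed_until[sender] = self.clock() + self.allow_secs
        # Design choice of this sketch: release everything held from that sender.
        released = []
        for mid, held in list(self.held.items()):
            if held["sender"] == sender:
                released.append((held["sender"], held["recipient"], held["body"]))
                del self.held[mid]
        return released
```

Because the auto-reply goes to whatever address the message claims to come from, the rules table is also where a site would suppress challenges for addresses it already knows are being forged.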
I know it was mean to my ISP and the internet in general, but I just couldn't help myself.
www.clarke.ca
I still think a per-recipient charge for emails would sort all this out. Basically, everyone would get charged some tiny amount per person they send an email to. Something small enough that it doesn't significantly affect ordinary users and businesses, yet adds up to a decent amount of money when sending 10 000 000 emails. Like 1 dollar per 1000 emails. That is tiny enough that even large businesses would not complain about it (remember: most company email is most likely internal email and would be unaffected by this). This sort of pricing scheme would push spammers right off the edge. It would simply not be worth it for the volumes they need to send and the rate of responses they get. 1 dollar per 1000 emails would last most people a very long time. It would hardly be any burden at all for us.
And some other little benefits: auto-responders for people who are away would probably drop off. Irritating chainletters would decline (probably only slightly, but still).
The downside is that email worms ala MS would be much more damaging with this.
The other day I received a spam. The only thing noteworthy about this was that the sender used my domain as the return address (sales (at) weigel-mohamed (dot) org). This is upsetting, so I wanted to track her down.
I went to the web site -- it offered life insurance brokering. I put in a fake quotation request, assuming that I would hear from the life insurance company. Which happened a few hours later.
I then had the life insurance company try to track the spammer from their end -- but the "company" had vanished. If the company isn't in business LONG ENOUGH TO COLLECT, how can they make money?
Out of curiosity, I have tried to track some of these companies over the past few years. Most are disconnected before there is a chance to make money. My estimate is that any payoff must come within HOURS of posting the SPAM (3 to 6 hours).
How the hell do they make any money at this?
Ratboy
Just another "Cubible(sic) Joe" 2 17 3061
There's also a great tool that goes along with the "expend their resources" line, though it is a lot less labor intensive. The tool's called Spam Cannibal and can be found at http://www.spamcannibal.com
The tool sprouted from an interesting discussion about using LaBrea to tarpit spammers:
http://mail.nl.linux.org/offtopic/2002-10/msg00000.html
How about a centralized site similar to BBB that would list businesses who use spam, so individual people could query to ensure they don't do business with companies that are using spam.
Like a black list repository, but with business contact info (phone number, postal address, domain name, etc.) that a person could check to avoid doing business with people who commonly use spam.
Or better yet, provide a notice to the company when a query is performed to provide feedback like "a potential customer was just informed that your company uses spam."
Perhaps there is already something like this out there?
Suncoast Linux - Sarasota, FL
The biggest problem with this approach is the user intervention. It requires the user to inspect each spam to validate the server(s) (you are traversing) being hit. If this is not done, then the spammers can simply send out spam with hidden links to spamhaus.org turning this approach into a targeted ddos against their enemies.
They would do both, since both require just about no time whatsoever to do. They might use an alias or something, but these are spammers, morality hit the fan a long time ago.
Internet Retail spaces are wonderful. Get over it!
What if I WANT my penis enlarged, you insensitive clods
1) Your analysis is based on bad assumptions so your result is way off. 2) You're a sick bastard for fucking a horse.
Having tarpit dummy SMTP servers set up posing as open relays might help a bit. Slow down the SMTP protocol for the spammer and suddenly they can not send the volume they need. The problem is that you need to have enough tarpits set up so that the odds of some randomly port-scanned machine being a tarpit is pretty high.
Why not set up your auto-replies with people's numbers from the DNC list? Then once the spammers call them, it will be a phone call, not solicited by the consumer (because someone else solicited it for them) and you could then sue the spammer under that federal law...
Attacking their business model is good, but there are better ways to do it than by replying.
See http://www.slowlists.org for some ideas from the founder of Perforce (http://www.perforce.com).
The sneak preview is that we could break spammers by going slooowwwwwly... There's more to it than that of course, but it's a real way we could eliminate spam.
I've tried a really ugly hacked version of this on one of my mail servers which is a backup MX. By going slowly (a 35 second sleep between SMTP responses) I'm seeing around 4000 connections per day timing out. I don't believe any of those are from regular SMTP servers delivering genuine mail (not least because the primary MX is available so why are they using the secondary?).
What's the point of spoofing someone's email address? If no one can respond to buy the product, how do they make money? Do they count on people going to a web site instead?
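The slow-responder idea from the tarpit and backup-MX comments above, as an added sketch that is not code from any poster or from the slowlists project: a listener that sleeps before the banner and before every reply and temp-fails all mail commands. The port, the placeholder host name and the 451 policy are assumptions made for the example; the 35-second delay is the figure quoted in the comment.

```python
import asyncio

DELAY = 35.0                      # seconds per response, figure from the comment
HOST = b"tarpit.example.invalid"  # placeholder host name (assumption)


def reply_for(line: bytes) -> bytes:
    """Choose the SMTP reply for one command line; mail is never accepted."""
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb in (b"HELO", b"EHLO", b"NOOP", b"RSET"):
        return b"250 " + HOST + b"\r\n"
    if verb == b"QUIT":
        return b"221 2.0.0 closing connection\r\n"
    if verb in (b"MAIL", b"RCPT", b"DATA"):
        # Temporary failure: a real MTA queues and retries elsewhere.
        return b"451 4.3.2 try again later\r\n"
    return b"500 5.5.1 command unrecognized\r\n"


async def handle(reader, writer, delay):
    """Serve one client, sleeping before the banner and before each reply."""
    try:
        await asyncio.sleep(delay)
        writer.write(b"220 " + HOST + b" ESMTP\r\n")
        await writer.drain()
        while line := await reader.readline():
            await asyncio.sleep(delay)
            reply = reply_for(line)
            writer.write(reply)
            await writer.drain()
            if reply.startswith(b"221"):
                break
    except (ConnectionError, ValueError):
        pass  # client gave up waiting, or sent an over-long line
    finally:
        writer.close()


async def start_tarpit(host="127.0.0.1", port=2525, delay=DELAY):
    """Start listening; each connection costs the sender `delay` per step."""
    return await asyncio.start_server(
        lambda r, w: handle(r, w, delay), host, port)


async def main():
    server = await start_tarpit()
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Because asyncio parks each sleeping connection as a timer, holding thousands of slow clients costs the listener very little, while each client spends the full delay on every step.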
although this sounds like a good idea at first, it is not, yes most people would like to fight fire with fire, but in this case we all end up losing, why?
;|
well for starters now instead of 40% internet traffic being spam, we up it to 80% since now we are responding with spam, slowing our internet down even further.
second of all most spam doesn't even have a valid reply address to send anything to, wasn't sent from a valid server, and might not even contain a url in the message to get at.
next up the spammers themselves could use the 'remailers' to send spam to us, so now you have a system just sending itself spam in effect, lol.
lastly we are not directly affecting the spammer, they will just grease their response mechanism to take into account the replies, plus if we can't even make software that filters spam, why would we be able to make software that auto replies to it correctly, so now everyone sending emails will get some spam reply by accident.
there's very few ways spam will ever end. a whole new email protocol is what we really need, but who knows when that will happen. fines, suits, and laws will have to save us in the short term, or we could just cut off the spammers ball sacs, i prefer the latter
I think that a great solution to spam would be digital signatures and encryption. If everyone used, say, GPG to encrypt and/or sign all their emails spam would wither. Here's why:
1) The process of encrypting emails takes a sufficient number of cycles that it is no longer "free" to send out 1 million emails. Suddenly just the process of encrypting the email costs enough cycles that spammers will be limited by a CPU bottleneck. If it was reasonable to reject un-encrypted email because encryption was standard, then voila much less spam.
2) Secondly, even just digital signatures would be an incremental improvement because it gives a good idea (but not guarantee) of who the email came from. It is certainly harder to steal a private key and password than it is to spoof a return address. Subsequently one could black-list the offending digital signatures because unless your friends are spammers, then the signature belongs to a spammer or has been compromised.
I love KMail from KDE because it makes encryption and digital signatures very close to seamless and therefore makes the solution that I mention above more likely to come about.
1. One message had the entire Bill of Rights (1st through 10th Amendments) scattered throughout the spam, in white font. The message still got a spam score of 99.061171%.
2. Another message just blatantly included the following words (also in white text) to try to lower the spam score. The terms they included are listed along with their spam probability in my corpus. NA=Not Applicable because the term has not been used sufficiently to call it spam or good, so it receives a 40% score. OS=Only Spam has used this term, so automatically 99.9% score.
- rainstorm (NA), lufthansa (NA), officio (NA), lullaby (NA), aspect (22.7%),
democracy (OS/99.9%), hotelman (NA), rhodes (NA), roost (NA), embraceable (NA), chattanooga (NA),
austenite (NA), assess (NA), quail (NA), corvette (NA), curia (NA), degenerate (NA),
takeover (OS/99.9%),
brisk (NA), gully (NA), determine (8.9%), condescension (NA), count (12.8%), chevalier (NA),
contributory (NA), importune (NA), complaisant (NA), godhead (NA), taxpayer (NA),
khmer (NA), clothesmen (NA), forum (0.8%), dispel (NA), afterlife (NA), swart (NA), revenue (43.3%),
crucify (NA), abject (NA), imposture (NA), honduras (NA), newsletter (80.0%), hangmen (NA),
digram (NA), inhere (NA), lawmen (NA), expenditure (NA), lord (38.4%), incomplete (8.5%), bedside (NA), armistice (NA), babbitt (NA), acrimony (NA), patsy (NA), adverbial (NA).
A few observations of the above list:
- In almost all cases of NA (which means the term did not affect the Bayesian score for the message), the only usages were in spam--which means after just a few more messages these are going to all convert to 99.9% terms. In which case the use of these terms in a future spam will bury it.
- The only term that was really low (forum at 0.8%) is because I run a forum.
- There were two terms that are *ONLY* used in spam (99.9% score), and 1 term that had an 80% score. So by inserting "innocent" text, this spam actually gave me two more terms that were very much spammy. In this case, the two 99.9% terms effectively canceled out their lucky hit on forum (0.8%) and less lucky hit on incomplete (8.5%).
- Even though they hit a single good term (forum), it is really irrelevant. Bayesian doesn't look at ALL terms, it looks at the most INTERESTING terms. That means the most spammy and the least spammy are considered--nothing in between--I use Paul Graham's implementation (15 most interesting terms). As it turns out, almost all of the 15 most interesting terms in this spam had 99.9% ratings, and all of them were above 90%. So, at best, 2 or 3 of the random terms were considered (forum, incomplete, determine). But even so, they were no match for the overwhelmingly spammy words (and HTML tags) used in the spam.
- Result: The message was caught with a spam score of over 90%.
Statistics are fun, and it'll be interesting to see how long it takes spammers to realize that they can't get around Bayesian. Their attempts to get around it, as shown in the above random example, at best are a wash (no effect on its status as spam) or may even INCREASE the spam score since they may just as easily hit spammy words as innocent words.
I tend to fill up their forms as a black female (lesbian, if it's an option) esquimo CEO doing about $20.000.000/year. Curiously, spam from that vector ceases quite quickly. Maybe they have a problem with esquimos?
Why do people insist on such boneheaded, counterproductive measures to address the spam issue?
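The Bayesian comment above, worked through as an added example that is not the poster's own filter: it keeps the 15 tokens furthest from 0.5 and combines them with the formula from Paul Graham's "A Plan for Spam". The per-word scores are the ones that comment reports; the spam's own tokens (`spamterm*`, `htmltag*`) are constructed stand-ins, since the comment gives only their score range.

```python
import math

UNKNOWN = 0.40     # "NA" in the comment: term too rare to score
ONLY_SPAM = 0.999  # "OS" in the comment: term seen only in spam
TOP_N = 15         # size of the "most interesting" window

# Scores the comment reports for the padding words it could rate.
PADDING = {"aspect": 0.227, "democracy": ONLY_SPAM, "takeover": ONLY_SPAM,
           "determine": 0.089, "count": 0.128, "forum": 0.008,
           "revenue": 0.433, "newsletter": 0.800, "lord": 0.384,
           "incomplete": 0.085}
# A few of the NA padding words; absent from the corpus, so scored UNKNOWN.
PADDING_NA = ["rainstorm", "lufthansa", "quail", "corvette", "godhead"]

# Constructed stand-in for the spam's own words and HTML tags.
BODY = {f"spamterm{i}": ONLY_SPAM for i in range(12)}
BODY.update({f"htmltag{i}": 0.95 for i in range(6)})

CORPUS = {**PADDING, **BODY}


def most_interesting(tokens, corpus=CORPUS, n=TOP_N):
    """Return the n (token, p) pairs whose p lies furthest from 0.5."""
    scored = {t: corpus.get(t, UNKNOWN) for t in set(tokens)}
    ranked = sorted(scored.items(), key=lambda kv: (-abs(kv[1] - 0.5), kv[0]))
    return ranked[:n]


def spam_score(tokens, corpus=CORPUS, n=TOP_N):
    """Combine the interesting probabilities: prod(p) / (prod(p) + prod(1-p))."""
    probs = [p for _, p in most_interesting(tokens, corpus, n)]
    spam = math.prod(probs)
    ham = math.prod(1.0 - p for p in probs)
    return spam / (spam + ham)


def padding_terms_considered(tokens):
    """Which padding words made it into the window at all."""
    pad = set(PADDING) | set(PADDING_NA)
    return sorted(t for t, _ in most_interesting(tokens) if t in pad)


if __name__ == "__main__":
    plain = list(BODY)
    padded = plain + list(PADDING) + PADDING_NA
    print("plain :", spam_score(plain))
    print("padded:", spam_score(padded))
    print("padding words that counted:", padding_terms_considered(padded))
```

Only three padding words reach the window, and two of them are spam-only terms, so the padded message scores no lower than the plain one.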
I don't know about most people, but I consider my time valuable. One of the major problems of spam is that it wastes peoples' time, so the prospect of wasting more time to jam the spammer's business model seems stupid.
That's not to say that the essence of distributed protest isn't worthwhile. I do think it is, but you have to pick and choose your battles and spammers are all about quantity and noise and acknowledging their existence in ANY form just fuels that out-of-control fire.
The real solution to deal with the spam problem involves two simple steps:
1. Get law enforcement to enforce the laws each and every spammer already breaks - no new laws are needed.
2. Establish a formally sanctioned SMTP relay whitelist in the same manner the TLD system is administered. If you want to send mail on the net you need to "register" your server, and those that are tired of spam will only accept mail from registered servers. If you spam, you lose your "license". Simple solution and the problem is instantly solved... and along the way, we also wipe out 90% of the worm propagation on the net as well.
This is so easy and simple, no wonder nobody's figured it out.
How long until the Spammers write their own 'spam' filter to take care of all this crap filling up their inboxes? Oh, the irony...
How about setting up our spam filters so that when a spam is detected, an automatic reply is sent - scanning the email for clickable links and response addresses ought to be simple enough, eh?
Great Spirits have always encountered violent opposition from mediocre minds. -Albert Einstein
Set up 42 throw-away addresses at hotmail.
Send him 1 (empty) message every hour from each.
If you have friends who have the same problem with the same asshole, have them join your efforts synchronously.
There. You have given him something to do to waste HIS time which may slow him down from sending out yet more junk.
If time == money, you'll certainly waste his money.
You haven't given him a useful address and, if he doesn't spam these to death, reuse them on the next asshole.
gewg_
Paul Graham already covered this in his page "Filters that Fight Back".
Better yet, all of you plan to do it at once. Bring his server to its knees.
gewg_