Attacking the Spammer Business Model
Stephen Samuel asks: "Spammers spam because it's an 'easy way to make money'. They send out millions of spams knowing that 99.995% of them will be ignored, but the other 0.005% of responses are pure gold (Andrew Leung at Telus has an excellent report on the economics of spam). Responses to mortgage spams are reportedly worth $50.00 each. What would happen if, instead of technical and legal approaches, we simply started attacking their business model? If people started responding to just 1% of the spam we received, spammers would drown in the responses, and the mortgage spam responses wouldn't be worth an email, much less $50. The Nigerian Sweet Revenge is an example of this. The nice thing about this sort of statistical approach is that it would start to reward spammers for sending out -fewer- emails. (fewer emails -> fewer bogus responses). What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?"
Of course, the one major drawback to this is the likelihood of more spam, since you'll be giving them a valid email address. However, many of you may be receiving an increasing amount of spam as it is (even through your filters), so might an organized spam-the-spammers movement work?
The top 1% of spammers who can afford the bandwidth and the hardware could still theoretically handle the volumes of email they would receive. Then they just have to expand their operations to go after the potential business contacts.
Now what about sending them bogus email addresses and phony information? That would send them on a wild goose chase.
Homestarrunner.net -- It's Dot Com!
Why? Sheesh, I don't know, but whatever story gets posted here, someone always claims it's a good thing, so I figured it might just as well be me this time.
--
What short sigs we have -
One hundred and twenty chars!
Too short for haiku.
Sorry, I don't think it will work. 90% of my spams are either gibberish or are otherwise not selling anything. Passages from Shakespeare and the like or blank emails are pretty common for me these days.
They work by flooding us with crap, hoping that they get one in a million to answer. We could fight them by flooding them so they have to look through a million emails to find the one legit order. Hmmm...
Sorting through a pile of junk to get the stuff you're looking for. Sound familiar email junkies?
Refuse to make a statement in your sig!
What if we sent all the replies through anonymous remailers set up specifically for the task, or even better, had a system that you could forward all your spam to that would do the replying for you - from an address that would send a random spam back in reply to anything you send it - you would literally spam the spammers.
The best way to get at these spammers, is not to use a spam filter, because even the best aren't always reliable.
:-)
What you should do if you are serious about getting on the nerves of some spammers is create an extra e-mail address for yourself that you send responses to spammers with, and get replies (maybe) in. Eventually, you could take all of those spam messages in that email box to a judge somewhere and win yourself a considerable amount at the pocket of a crass spammer somewhere.
So long as we can outthink them, we can win.
Well, in the short run, loan referrals are STILL worth $50, so spamming a spammer who is doing that will result in an insane windfall for said spammer. And if the reverse attack isn't sustained... well, it just pays for a new boat and house in Tuscany for the spammer. Then it's back to spamming as usual. I vote against this plan unless you guarantee you can sustain it.
This works fine for spam that requires a valid return address, but what about all the spam that is just trying to get you to visit a website. Replying to such a spam just gets you a bounce message.
Does this mean I now have to read all my spam to decide which I should reply to and which I should ignore???
Somebody suggested this in another /. article talking about spam: For those of us with our own mail server, just create a unique email address to respond with.
Once you're done messing with them, just kill the address. Not exactly a foolproof solution, but I don't see why it wouldn't work most of the time.
Dark Nexus
"Sanity is calming, but madness is more interesting."
Here's a link to the article.
http://www.paulgraham.com/ffb.html
Reply to EVERY spam. Heck, set up a site where a spam is displayed, and every member of said site goes to the spam's link at say 12:00 EST. The resulting delta-function like demand should break their server, and prevent their legitimate customers from entering. So sending spams, or paying direct advertisers will COST your business. 100000 spams won't be worth $50, but $-50000.
Karma: Excellent^(-t/Tau), Tau=Wittiness/Trollishness
Most spams I get are trying to convince me to click on a link rather than reply by email. Perhaps we should all just click the links to confuse the spammers instead?
I'd say the vast majority of spam that I get is just a vehicle for delivering a URL. The spammers don't want a reply, they want you to go to their website.
Frequently, I get spam that seems to be selling NOTHING. The reply-to is invalid, and they don't bother including any kind of URL.
On the bright side, the vast majority of my spam gets caught in the filters - so I only see it if I check the spam folder. And may the spam rot there...
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
It feels good to cost the spammers some money, even if it does waste your time to do it.
The only downside is I don't think many spammers use this approach, but it'd certainly be effective against those who do. I don't think it'd be illegal (as long as each person didn't call more than once) either, but IANAL.
...is that the majority of spam I receive has forged headers, so I would in effect be sending the bogus replies to some poor sucker who had no idea their email address was being used as the "From:" header in a major spam operation.
The number of spam emails that get through SpamAssassin because of forged "From:" headers is ridiculous. And worse is the number of bounce messages I get because someone has used my email address as the "From:" header in a massive spam mailout.
...for anyone who buys anything as the result of receiving spam. Anyone that fucking stupid doesn't deserve to live.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
Most of the spam I receive doesn't ask me to reply to purchase anything. They simply direct me to a web site of some sort. This eliminates mass-email replies as a possibility. If they use web forms, they can easily tell legitimate orders from phony ones by verifying the credit card numbers, phone numbers, addresses, etc.
I run several domains and use multiple blacklists. The blacklists are incredibly effective, especially those which are country-wide like taiwan.blackholes.us and china.blackholes.us. I, and the other users of my domain, don't communicate with people in China or Taiwan. If I disable the blacklists, the ONLY thing that comes to us from those countries is spam. It has a tremendous impact on the amount that I get. Because of those punitive "broadlists", many ISPs like AT&T and PSI who used to write "pink contracts" and host spammers no longer will. The broadlisting makes harboring spammers unsafe. AT&T is not going to piss off their entire subscriber base just to get one big pink contract from some spam house. It's not worth it to them. Many ISPs, especially dial-up ISPs, have blocked outgoing port 25 so spammers can't use them for throwaway accounts from which to spam. No ISP wants to risk some spammer paying $9.99 for a month of service which will get the ISP blacklisted.
As a programmer working to keep the data flowing smoothly, part of my job entails building programmatic methods of detecting false data. Some of this is easy (i.e. people who put "I WANT TO RAPE YOUR DAUGHTER" in the first name field). Sometimes this is harder. IP checking helps, but distributed attacks are always a difficult thing to catch. However, all that said, I don't know that this would be a significant problem.
One of our upcoming process changes will include an attempt to contact each customer via phone or email to verify their order before following through with it. Further, automated credit-card checking will automatically drop orders with bogus data in them. CreditCard declined statistics would rise, but ultimately it wouldn't be that much hassle.
If you really want to hurt a spammer, get thousands of people to order a product, then send it back and charge-back the order on their cards. Creditcard merchant accounts have limits on the chargeback rates, and when they get too high the merchant provider will cut you off. Of course you have to front the money and the hassle, and at the end of the day there's only 1 less spammer out of a million (unless he tries to find another merchant provider and succeeds). But for some, perhaps the cost-benefit analysis would still find it worth it.
Total Due: $0.02
Although I like the idea (since we can't really implement my preferred method of dealing with spam, "hunt them down and kill them in the most painful way imaginable"), I see one major flaw with it...
Namely, the very methods we've come up with to avoid spam would work for the spammers.
How long do you think it would take before, in addition to lists of live email addresses, spammers also begin keeping lists of "people wasting our time"? I'd give it a week, if this really caught on suddenly.
For that matter, I believe this would leave them in a better position than now, since they'd not only have a list of people who won't buy from them (allowing them to cull their list of live email addresses a bit), but also a list of people likely to actually take steps to stop spammers.
Think about that for a minute - The few spammers we have managed to put out of business have gotten nabbed by a few small groups of dedicated, annoyed, and technologically-savvy people. Taking action along the recommended lines would give the spammers a way to identify and steer clear of similar groups of people.
While some of us may consider that a win ("they don't bother me anymore"), I think most of us realize that we need to do more to stop spam than unclog our own individual inboxes - We need to permanently shut down all spammers in general. Or, put another way, my filters already block most of the spam I get (literally over 300/day now). That doesn't do a damn thing to help friends and relatives who don't understand how to maintain a good filter (like it or not, good spam filters require a fairly high level of understanding about the workings of email to properly tune - Not so much to simply block spam, but more importantly, to not block legit email).
I like that people keep thinking about this problem, and eventually look forward to a good solution. This does not seem like "the" solution, though.
you could have spammer spamming software :). Imagine if every time your filters tagged a message as spam it could send an auto reply with a forged header (fake email address and stuff like that, assuming this doesn't get ruled illegal). Then the spammer would get a randomly generated email along the lines of:
Yes, I am very interested in your product. Please send more information to my address at fictionalPerson@non-existantDomain.net.
Now that would be funny.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The problem is that with spam we often have no address to send anything to, or the address we have is one that will do any good. It is like those 'work at home' signs on the road. We may think we are attacking the business plan by calling the number and racking up minutes, while what we are really doing is making the business plan succeed by enriching the person at the top of the pyramid.
So, we can't reply by email, because the address is likely either bogus or that of an innocent party. If we go to the web site in an effort to consume bandwidth, we are likely going to receive a couple ads that will then make the spammer money. For the spammer to make real money, spam has to generate a real contact, which means that we must supply the contracting company with real contact information, which will then likely get sold to many other companies.
The 419 anti-scams work because the people invest a lot of time and money. I suppose if we all get throwaway fax numbers, voice mail numbers, and PO boxes, we could mess with the spammers. But is the expense really worthwhile? Sure, such things would only cost each of us 10 dollars a month, and would cost spammers and the evil companies they work with a lot of money, but unlike the 419 thing, it would not likely change much at the end of the day.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
What other ways can people think of to attack the spammer business models
A spammer can still spam with broken legs, and possibly get out of an arrest. Typing with broken fingers, well... at least they'll be off spamming for awhile until they can toe-type.
One thing I'd like to see is a public service TV/radio ad campaign on the theme of "Spammers are Scammers". Given all the multimedia talent in the Slashdot community, it shouldn't be difficult or expensive to produce. The ads should attack all spammers as scam artists, and all people who buy things from them as fools. No, a pill won't make a body part larger. No, it's not a bargain price for a prescription drug if it's fake or diluted or contains poisons.
The second idea is to publicly identify the actual spammers and their collaborators and organize protests and boycotts. Yes, I know about Spamhaus and ROKSO, which is why this is only half an idea, because they don't go far enough. I want to see web pages that not only tell me that Alan Ralsky is a major spammer, but tell me which spams he sends, plus his home address, phone numbers, personal email addresses, and car make/model/license number. I want to see photos of him. I very much want to know who provides him with Internet connectivity so that they can be publicly shamed and boycotted. It shouldn't take much money to hire a few private eyes to dig out this information.
Might these ideas provoke lawsuits? Possibly, but I doubt spammers will risk even more public exposure by suing.
Q: What does the "B." in Benoit B. Mandelbrot stand for? A: Benoit B. Mandelbrot
A very significant percentage of spam meets two criteria: 1) it already breaks some existing state or federal law and 2) it ultimately desires someone to supply a US-based credit card (Visa or Mastercard).
The problem with all our wonderful anti-spam laws is that they are not being enforced, and probably never will be, except erratically for 1 or 2 really, really bad repeat offenders. So, instead of using laws to take bad people to court, use laws to make law-abiding people quit aiding and abetting spammers.
Thus, the weak underbelly of many spammers is that some minion of MC/VISA is letting them process cc transactions.
Solution: the FTC should allocate 3 lawyers and 3 geeks, and (the easy part) demand the cooperation of MC/VISA. The 3 geeks maintain emailboxes in all 50 states and a batch of email addresses designed to gather spam. They essentially provide the 3 lawyers with "quality" spam, that meets the 2 criteria mentioned above.
The 3 lawyers select spam that has broken a law, follow the spam-requested transaction to the point where it requires a cc transaction, and do it. At that point, there is a CC transaction involving a broken law. The lawyers provide MC/VISA with the information on what merchant processor handled the transaction and what laws were broken. MC/VISA shutdown that account, or simply dings them $20,000 for each offense.
Note that, unlike the FTC, MC/VISA can penalize any customer they choose to without due process (and they have a record of doing so). They definitely do not want to participate in illegally advertised transaction if a spotlight is shown on it.
The need to process credit cards is the weak link in much of the spam business, and it is very hard for them to work around an inability to obtain the services of a merchant credit card account. MC/VISA have tightened up the requirements for getting CC services in the past, and they can certainly do so again.
MC/VISA might even elect to make the process more automated by issuing the lawyers some "special" credit cards. When they see a transaction for any "special" number come through, they immediately shutdown that processor. (But you better make sure those special numbers aren't as easy to steal as all other credit card numbers seem to be!)
3 lawyers plus 3 geeks could make a bigger dent in spam than any collective effort to date has produced.
So I want to take down yahoo. I send out millions of emails about viagra with a link to them. Down they come. Bad news.
causes major problems if someone forges.
Example: a disgruntled employee forges
many emails about his company's products.
When your anti-spam army calls for info,
they overload the company's phone system.
This is called a Joe Job, and is bad and wrong.
Why? Imagine it done to a hospital phone line.
Spam is a real problem. This is not the answer.
If you want ideas, try this overview
Cheers, Joel
Finally, your assertion that it would incentivate less spam from individual spammers is wrong, since the ratio of fake to real responses is the same for a large mailing list as it is for a smaller one. In other words, you have "constant returns to spam." The only way it would incentivate less spam is if you managed to drive some of the spammers out of business. More likely, it would lead to more spam, as spammers scramble to find more addresses to offset their lower "spam margin."
Why? Sheesh, I don't know, but whatever story gets posted here, someone always claims it's a good thing, so I figured it might just as well be me this time.
This is a bad thing. Why? Well, I don't know either, but whatever comments get posted here, someone always claims you're wrong, so I figured it might just as well be me this time.
As a rule, things like mortgage leads, is that most players work with brokers (BTW: email spam mortgage leads don't net $50/lead). So the spammers are all dumping to the brokers. In general, the brokers combine search engine placement leads, search engine spam leads, legit leads (people that solicit it from financial sites, etc.), into one lead pool that is sold. What would happen, is that over time, you would drive the value of that broker's leads down (although that assumes perfect information), but you would INCREASE the percentage of the leads that are from that spammer.
That means that everyone dealing in leads makes less money, but the spammers make more. That would squeeze everyone, until the only ones making money in mortgages are spammers. This would result in rich spammers, plowing more money into spam.
The lead business is much less efficient than you think, with hundreds/thousands of buyers and sellers, so if one company dumps the lead broker, another one will pick up their leads. The leads are mostly unpriced, and buyers are chasing lead sources.
Alex
Yeah, the spammer may currently earn $1000/week by generating 20 leads at $50 commission each. With the higher volume from the "attack", he generates 1000 leads, and gets $1 each. In the end, the spammer still gets $1000/week.
What makes or breaks this scheme is: what is the fixed cost of processing each of the leads? If it is low, the spammer and commission payer only lose a little profit. If the per-lead processing cost is high, the profits disappear.
So, what resources are required to process each lead?
Reading Slashdot is ruining my spelling and grammar.
Who would be the ISP? In a tiered market like the internet, everyone always buys internet from someone else, or peers with someone else. That's why it's a World Wide Web. What's to stop someone from setting up a dialup account in Brazil and just spamming through it instead of using the ISP's mail system? Sure, you can not allow SMTP traffic on your network, but then how do you support business customers that want to run their own mail server?
Why read the article when I can just make up a snap judgement?
I just took the first 3 spam in my box, and 2 of them had 800 numbers - surprising. I called them and let them record for a while while I coded. One of them timed out after a few minutes and said "to replay this message, press 1". So I did that a few times also.
Let's look this post a bit and do a little translation:
Part of my companies' income is from sales of various and sundry products sold via solely online "stores." Part of that traffic is via banner ads, text links, etc, and another portion is via bulk mail (spam)
Translation: I am a spammer.
If you really want to hurt a spammer, get thousands of people to order a product, then send it back and charge-back the order on their cards.
Translation: Give me your credit card number.
Spammers are the wise guys and con men of the digital age. DO NOT TRUST THEM. I mean really - if this guy makes his living this way is he honestly going to give you a stick to beat him with???
It's more likely he'll take your credit card number, charge it to the hilt and take off to Zaire.
Give me your credit card number and I'll be hurt. Please!
Weaselmancer
rediculous.
Since when is spamming considered a business model? It's no more a business model than theft, break-in blackmail, or high way robbery.
ELOI, ELOI, LAMA SABACHTHANI!?
Case in point: for every credit card application I get via snail mail, I seal the return envelope (empty or with trash) and mail it back at their expense. The idea is the company loses money by having to pay for the reply postage and for the labor to open my bogus reply.
But I've noticed lately that companies are designing it so you have to include the application form to mail the return envelope (the city/state are printed on the app, which is viewable through a window on the envelope). Apparently, credit card companies weren't taking enough of a hit to say "fuck it, these people don't want our mailings." Instead, they seemed to have paid some poor schmuck more money to come up with a way to outsmart the scheme many of us have been using.
Doesn't matter, though. I'll tape the city/state info to the envelope if I have to. And soak the envelope in cat piss. Take that.
***
Radio Shack. You've got questions...we've got blank stares(TM).
Absolutely the best post in this whole thread. Bravo.
The need to process credit cards is the weak link in much of the spam business, and it is very hard for them to work around an inability to obtain the services of a merchant credit card account.
Weaselmancer
rediculous.
Spam holes are not the answer, but with friend list they sure look a lot saner (c'mon, everyone in
Quack, quack.
No matter if it comes to you via brazil, argentina, russia, etc, 90% of spam is US sourced.
A HUGE amount of spam is pushing products/schemes that involve fraud, fake drugs that the FDA does not allow, etc, etc.
A HUGE amount of spam is sent by stealing services from legit users (using open relays, etc). Technically bad, not illegal to have. But the spammers take advantage and steal bandwidth.
pre-sendmail 8.9 and when open relays were just becoming bad, a friend had an ISDN line kept open for several hundred dollars of connection time when he was away on vacation and his relay was found (connection would come up periodically to pull down mail). The police and FBI could not have been less interested in this event which cost real money to a real taxpayer.
Were the FBI to go after Joe Schmo Spammer who kicks off 5000 messages to my company to an alphabet list of users from over 200 different relays, and charge him with breaking into his relays' computers and fraud (sorry, Herbal Viagra or Guaranteed Stock Schemes and Pyramid Schemes are illegal), then perhaps spammers would have a cost associated - JAIL!
Me? I have a fantasy that plays out thusly:
The Judge:
Not really related to the parent; I posted it up here because I think it's a good idea. I don't want to be too associated with it, anticipating the spammers fighting back.
At the very least, I'd like to have a good Windows programmer put together something akin to this:
#!/bin/bash
COUNT=0
while [ $COUNT -lt 2000 ]; do
lynx -dump -traversal -useragent="By sending e-mail to my domain, you agreed to the published Terms of Service of my privately owned domains and servers, including the stipulation that all spam would result in your webserver log being filled with garbage. If you don't like it, don't send e-mail to my domains. I f you don't want me to visit your website, don't solicit my visit by sending me unsolicited e-mail. You do not have a First Amendment right to waste my bandwidth, electricity, CPU time or hard disk drive space with your crap, characteristically illiterate or otherwise."$1?YOU_FILL_MY_MAILBOX_WITH_UNSOLICITED _C
RAP_AND_WE_WILL_DO_THE_SAME_TO_YOUR_WEBLOGS
let COUNT=COUNT+1
echo $COUNT
done
I use this on all my spam.
Such a program would need to have a drag-and-drop interface, automatically replace the user's e-mail address (wherever it appears in HTML bugs) with uce@ftc.gov or something similar, trim serial numbers, cope with obfuscated URLs and hijacked Yahoo/Google redirectors, and eat both image tags and links.
As it is, I open each message, manually extract all the HTML tags, and plop 'em into a terminal window on one of my servers.
The only real worry is a spammer using a GeoCities or other free webpage. But if a few people hit the site with this kind of program, it would get it shut down faster than an abuse complaint.
Of course, if the spammer is being paid per hit, the advertiser is spending a lot of money to advertise to /dev/null, so it's unlikely that they'll continue the current business model.
I've also got it on the advice of a Federal Court judge (who is blind and can no longer read his e-mail in public places because he's too embarrassed by all the penis enlargement spams being read by his screen reader) that, since they've solicited my visit AND been warned on my website, there's very little the spammers can do about it. (Even so, I'd be hauled up in front of him, and I know how he feels about spam...)
Such a program could be very popular with the general public, since there's a definite feeling of satisfaction. But I think it should also be distributed anonymously. Spammers are likely to DoS any download sites and flood any mailboxes.
Sure, this is essentially a denial of service attack against the spammer. But the spam itself is a denial of service attack against MY mailbox, and nothing else seems to be able to stop it.
Any Windows programmers out there?
If formfucker doesn't have a good time delay between signups then they could delete the records between time A and B. Finding times would be obvious with a count(*) group by hour (or minute) type statement. Or maybe I give the spammers too much credit.
FormFucker should probably sleep a random interval between submissions.
The bigger problem which would make it easier to filter out would be IP address. Your spammer gets ten responses from the same IP address, all with different data, and they're clearly bogus. So the usefulness of FormFucker is limited to being once against each spammer from a given IP address.
Many times, I'm seeing the forms have an ID number of some sort which would be passed when the link is followed:
A HREF = http://www.spammer.com/form.pl?recipent@email.com
or
A HREF = http://www.spammer.com/form.pl?ID=666
Again, same problem. Different data from ten submissions with the same ID or e-mail address, and the spammer knows the data is garbage.
Same if the spammer crosses a randomly-generated e-mail address against his list and finds that it's not there. Garbage data, easily culled.
Furthermore, if you run FormFucker, the data would have to include your e-mail address or ID number so the spammer can't weed it out as illegitimate. What's he gonna do when he finds out that it's taken him half an hour to pursue your dead lead? He's got your e-mail address, and because you fought back against his assault on your mailbox, I'd bet money the bastard would pull a joe-job on your address.
FormFucker is a great idea, but I wouldn't use it on the spam that comes into my e-mail addresses.
Fire and Meat. Yummy.
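The three signals raised in the comments above (a spike found by counting submissions per hour, many different identities from one IP address, and conflicting data under one tracking ID) can be written as checks that anyone operating a web form can run over their own submission log. This is an added example, not part of the original thread; the field names, thresholds and sample records are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: (timestamp, source IP, tracking ID from the link, name entered).
# IP addresses are from the documentation ranges; none of this is real data.
SAMPLE = (
    [
        ("2003-07-01 09:12:00", "198.51.100.7", "1001", "Ann Lee"),
        ("2003-07-01 10:40:00", "198.51.100.8", "1002", "Bob Ray"),
        ("2003-07-01 11:05:00", "198.51.100.9", "1003", "Cy Dunn"),
        ("2003-07-01 12:30:00", "198.51.100.10", "1004", "Di Fox"),
    ]
    # Automated burst: one IP, one tracking ID, a different name every minute.
    + [("2003-07-01 13:%02d:00" % m, "203.0.113.5", "666", "Name%d" % m)
       for m in range(12)]
    # A genuine submission that happens to arrive during the burst hour.
    + [("2003-07-01 13:30:00", "198.51.100.12", "1006", "Flo Hart"),
       ("2003-07-01 14:20:00", "198.51.100.11", "1005", "Ed Gil")]
)


def parse(raw):
    """Turn raw tuples into dicts with a parsed timestamp."""
    return [
        {"when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
         "ip": ip, "tracking_id": tid, "name": name}
        for ts, ip, tid, name in raw
    ]


def burst_hours(rows, factor=5):
    """The 'count(*) group by hour' check: hours far above the median volume."""
    per_hour = Counter(r["when"].strftime("%Y-%m-%d %H") for r in rows)
    baseline = median(per_hour.values())
    return sorted(h for h, n in per_hour.items() if n > factor * baseline)


def _names_by(rows, key):
    """Distinct (normalised) names seen for each value of `key`."""
    seen = defaultdict(set)
    for r in rows:
        seen[r[key]].add(r["name"].strip().lower())
    return seen


def noisy_ips(rows, limit=3):
    """IPs that submitted more than `limit` different identities."""
    return sorted(ip for ip, names in _names_by(rows, "ip").items()
                  if len(names) > limit)


def conflicting_ids(rows):
    """Tracking IDs that arrived with more than one identity attached."""
    return sorted(tid for tid, names in _names_by(rows, "tracking_id").items()
                  if len(names) > 1)


def triage(rows):
    """Quarantine on the IP and ID signals only.

    Deleting everything inside a burst hour would also discard genuine
    submissions that arrived in the same window, so the time signal is used
    to point at where to look, not as the filter itself.
    """
    bad_ips = set(noisy_ips(rows))
    bad_ids = set(conflicting_ids(rows))
    keep, quarantine = [], []
    for r in rows:
        flagged = r["ip"] in bad_ips or r["tracking_id"] in bad_ids
        (quarantine if flagged else keep).append(r)
    return keep, quarantine


if __name__ == "__main__":
    rows = parse(SAMPLE)
    keep, quarantine = triage(rows)
    print("burst hours:", burst_hours(rows))
    print("noisy IPs:", noisy_ips(rows))
    print("conflicting IDs:", conflicting_ids(rows))
    print("kept %d, quarantined %d" % (len(keep), len(quarantine)))
```

The per-IP and per-ID checks lose their value once submissions come from many addresses, which is the distributed case another commenter in this thread calls difficult to catch.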
- You have a java application that scans a website, identifies HTML input tags, and figures out how to fill out the form with plausible, although fictitious data.
- That application submits the generated data and ensures success by checking the http response code to the submission. Rinse and repeat.
- The application can pound about 100 submissions per minute on a broadband connection.
- The full source and app are released on sourceforge about a week from now under GPL.
- Anyone who gets some insipid email can run this app without having to create HttpUnit or HtmlUnit scripts.
- App is console based, uses java.io, java.net and java.util packages only to make install easy and ensure cross-platform reliability.
- "Random" string-based data (names, streets, cities, etc.) is contained in text files that users can maintain on their own making it difficult for spammers to identify bogus data and produce countermeasures.
- No site to check for "orders", you control where your app will pound, you are responsible for employing it wisely.
Instead of using humans to respond to computers, let's have the computers do the work, eh? Isn't that what they're for?
What is the source of the info that spam works? That's right, it's the spammers. Spammers tell you that spam works. Bzzzzt! Rule #1: Spammers lie!
Who are the spammer's customers? No, not you who get the spam. The spammer's customers are those who order spam services. And there are enough idiots who buy spam services to make those 180 spammers very wealthy.
Even though the spammer's customers get burnt once and stop, well, some of them are probably stupid enough to try several times anyway, there are enough of these morons to keep it going for a very long time.
They're not making a single sale, not even 0.0001%, but that doesn't matter, because the spammer got his money, and that's why this continues.
So, if you want to end spam, forget the spammers: Go after those who purchase spam services instead.
Well, that's my theory. It may not hold up, but after all, this is /.! :-)
Employee of Inrupt, Project Release Manager and Community Manager for Solid
After playing the game a couple weeks, I reported his banking connection (a real person) to the London Met Police and his email info to his ISP (SIFY of India - *great* customer service!) and had his accounts terminated. That was a laugh and a breeze.
If you look for the lifelines of 419 scammers, they have their email and their banking connection. Shutting down their email account fast makes their spamming futile. Shutting down their banking connection is harder, but very painful for them. Bottom line: MeThinks 419 scamming will stay benign, they're too easy to wipe out.
Looking for the lifelines of the real spammers (the Viagra, Mortgage, Patches etc. stuff), there are three: Ability to send loads of email, ability to receive responses (web site or phone number) and ability to receive money. Kill any one of these, and the situation is solved.
The ability to send email is tricky to fix. We all want that email can be sent freely, preferably for free. Fixing/replacing SMTP to include authentication would be great! But we're still awaiting news from this front.
Hitting their web sites could be done in several ways. Proper legislation could make it a felony to operate spam-advertised web sites, and they could be taken out. If spam filters included the ability to automatically spider the web sites referred in the mails, they would have to pay for loads of useless traffic to their sites - and their ISP's would look at disconnecting them. It's not a DoS attack per se, we're just making backup copies of potentially useful information :)
And for hitting back on their payment options, there was an excellent suggestion earlier that the FTC take care of this. That looks very cool. Much better than more laws that are not enforceable anyway :) So clearly an FTC issue if I ever saw one.
Getting the spammers on any one of these three lifelines would be sufficient - getting them on all three would be very, very effective.
I'm in a Unix state of mind.
(well, easier for me anyway)
A short C program to randomise the identification codes in a spam, a web server, and a downloader such as WebReaper.
From a spam I take the URL, e.g.
http://spammer.com/script.cgi?id=12345 and convert it to
http://spammer.com/script.cgi?id=#####
The C program loops over this N times, where N depends on how hacked off with spam I'm feeling, converting the # to random digits and adding the new URL to a .htm file. I publish the htm file on the WinXP webserver, then set WebReaper to download that page plus everything linked to it to a depth of 4 servers (the original page, the spammer, the friends of that spammer, and the friends of those twats). Oh, then I shift-Delete the lot, restart WebReaper, and repeat until bored.
Most of the time it just hits single webpages with nothing but a graphic, but sometimes it hits gold and downloads gigs of stuff. Of course this does nothing for my bandwidth, but it makes me feel better.