What You Get When You Buy a Spam CD
defender writes "Recently over here in The Netherlands, the spam versus anti-spam 'war' has hardened. More professional spamming coming from a handful of hard-core spammers utilizing bulletproof hosting in India, chained open proxies, more and more false whois information, etc. One of the more known anti-spam people has been sent one of the subjects of those spams: a CD with millions of e-mail addresses of 'individuals' and hundreds of thousands of 'businesses'... Rejo Zenger has done an analysis of such a CD, which is fuelling new debate as to why the recent EU anti-spam directive was weakened because of businesses complaining or indicating that spam wasn't a big issue for them."
It's been reported that SpamCop is paying upwards of $30K / year for bandwidth as a direct result of the continuous DDOS attacks on it.
The spammers are doing everything they can to squeeze the anti-spammers out. They use frivolous lawsuits (aka Mark Felstein and his porn spamming backers) or DDOS attacks that either knock the anti-spam resources off completely or increase the costs so that no hobbyist can run them.
And while all this is going on, the law enforcement agencies are doing nothing to counter the clearly illegal acts of the spammers.
And ISPs are doing NOTHING to reduce the number of zombies on their networks. So the DDOS attacks continue.
Nice going.
It's only a matter of time before someone (Al Qaeda?) will use the zombie network for something that will truly be noticed.
Why aren't such CDs outlawed? I mean, countries go after drug suppliers... why not go after those supplying an individual's email address?
That's right, E-mail is the best way to advertise your product. IF you send me $300 USD I'll give you a CD packed with email addresses that have been generated using the latest technology. The /dev/random method is world renowned for unique addresses with no repeats. I guarantee that they are ALL ORIGINAL email addresses!
And if you act now, I'll send you the /dev/null E-mail address CD at no additional charge!
In the future, I would want to not be isolated from my friends in the Space Station.
Is anyone surprised that the 10 million promised addresses boils down to less than 7 million after removing duplicates? The article is interesting in terms of statistical analysis of the data (especially the fact that a number of abuse and postmaster addresses are in the email database), but I don't think anyone expected quality email lists from spammers.
On the other hand, why would someone sending spam care too much about the integrity of the data? You're still getting over 6 million email addresses. So several million messages bounce...does the spammer care?
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Any CD that is sold containing email addresses invariably has some that work, but the vast majority are just generated. I once knew someone (and I no longer communicate with that person) who insisted that spam was the only way to sell his products. He paid $400 to some marketing company, and they sold him a CD with a million addresses. He asked me to look at it, and my conclusions were that he got ripped off. He didn't want to believe me, but the sheer number of addresses that were obviously generated proved to me that someone had written a quick script to create addresses. A good portion of the addresses were also old-school, with lots of "71532.4532@compuserve.com" type addresses.
Spammers aren't just evil for selling addresses, they are evil for making up about 3/4 of the ones that they do sell, and anyone who buys a CD with email addresses on it should be aware of that.
libertarianswag.com
Bulletproof hosting in India? Gee, now I know what we can do with the variety of Kevlar-penetrating bullets in the US. Maybe your servers can survive a Slashdotting, but can they survive a barrage of 7.62mm armor-piercing bullets? I think not.
And if there are a few bullets left over, I'm sure someone can come up with some creative spammer-related uses for them...
Well, I heard only a week or so ago that the European Union was going to make sending spam illegal in the near future, or has already done so.
Unfortunately, as this article on the Register points out, most spam comes from outside of the EU, or turns out to be untraceable anyway... so the question is if this new legislation would have any noticeable effect.
A quote: Anti-spam software outfit, Brightmail, says the legislation only affects European registered companies and they're unlikely to flout the legislation. However, it claims nine out of ten spam emails are either untraceable or come from operations outside the European Union. Either way, professional spammers - whether inside or outside the EU - are unlikely to heed the new legislation. So in effect, this new law will make bugger all difference to the amount of spam we get in Europe.
IMHO this new law certainly is a step in the right direction, since the ISPs would be legally obliged to take action against spammers on their network. Now if only the rest of the world would go in the same direction...
can they also please test one of those penis enlargement pills? I'd like to know if they work...
what would happen if a spammer got a cd with their own email address in it 14 times?? that could be funny.
A governing body that only cares about serving big business and not its citizens.
Email used to be a good tool for keeping in touch with people before spam. It's probably more useful for individuals than many businesses.
He refers to addresses ending with a dot as "unregular syntax", then later as "no TLD". However, the address with a trailing dot is the canonical form of a domain name - the final dot refers to the "root" domain, the one that Verisign gets to play with.
I can't say that I don't give a fuck. I've just run out of fuck to give.
...AOL CDs, Compuserve CDs, Prodigy CDs, Earthlink CDs. Now I just get AOL CDs.
What I really miss are the days of spam floppies, now I never seem to have a floppy when I need one.
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
kuro5hin.org link in parent
stupid trolls..
One of the email addresses on the CD: ikautostelen@van.jouw
which translates from Dutch to English to something like: me-steal-car@from.you
Hi, Just curious about something. Spam is usually CC'd or BCC'd, and the Subject Line is some general Statement. One Email is sent, which goes to millions. How about putting the email address in the Subject Line? That would limit the way the Spammers could send Spam. Unless they actually did send out a million emails?
Yes, it's great that people embed "remove-this" and so on into their email addresses at Slashdot and other places (like Usenet), for example to make it harder for bots to parse and detect valid email addresses.
But one wonders if tools can't easily be written to remove basic patterns of that sort... a simple substitute (or regex, whatever) would cleanse quite a few addresses, especially on UseNet.
Why is this worth it? Playing devil's advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances?) and thus the spam would be more "directed"?
Along those lines, how much longer before someone just hires a high school kid to manually "collect" addresses? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..
It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought? If it's per item, then there is a good incentive to cleanse, I'd think..
I can't stand spam and won't use it in business practices, but I don't think it should be any more illegal to sell a CD with aggregated e-mail addresses than it should be to sell a phone book CD with telephone numbers. There is value added in the indexing and providing of tools to manage so many addresses.
Unfortunately, all this Spam would stop if people STOPPED BUYING FROM THE SPAMMERS, but even if 0.0001% of recipients say "yeah, I DO want a larger organ" and patronize the spammer, then the spam will continue.
What should be illegal is selling generated, known-to-be-false addresses. This is basically false advertising.
What should also be illegal is bulk mailing to people who do not subscribe to a service. We need better mail servers that optionally require a "key" to receive mail; otherwise it goes straight to "File 13".
Sadly, all this bulk mail, even if "bounced" back to the sender, uses tons of bandwidth and is ultimately a tremendous waste of everyone's time.
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
A while ago I heard a proposal to stop spam using a falsified "From" address. This would add to the DNS MX entries an "authorized relayer" record. If the Email did not come from an authorized relayer of the return address, it would be rejected. (Default, no authorized relayers but the Email must be coming from the original server).
The Email "From" address would have to originate from an Email server that matched its DNS entry. You could still fake the IP address or the DNS Service, but this is not as trivial as faking the "from" address.
I suppose we'll see this when ISPs care about spam.
If no one purchased products which used e-mail spamming techniques we would quickly see the volume of spam reduced. I wonder if my e-mail is on any of these spam CDs and if there is any way to have it removed. As their site said - for a spammer the word "remove" means "confirm".
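The "authorized relayer" check proposed in the comment above, as an added illustration that is not part of the thread (the idea was later standardized as SPF). The record layout and the two example domains are constructed stand-ins for DNS; the verdict for a domain that publishes nothing is an assumption.

```python
import ipaddress

# Constructed stand-in for the "authorized relayer" DNS records the comment
# proposes (hypothetical layout; no real DNS lookup is performed).
# "mx" lists the domain's own mail server(s); "relayers" is the optional
# authorized-relayer record, given as addresses or CIDR networks.
RECORDS = {
    "example.org": {"mx": ["192.0.2.10"], "relayers": ["198.51.100.0/24"]},
    "example.net": {"mx": ["192.0.2.20"]},  # no relayer record: default rule applies
}


def envelope_domain(mail_from):
    """Domain of the envelope sender, or None for the null reverse-path '<>'
    (bounce messages carry no sender address, so there is nothing to verify)."""
    addr = mail_from.strip().strip("<>")
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_relayer(mail_from, client_ip, records=RECORDS):
    """Verdict for a connecting client_ip that claims to deliver mail from mail_from.

    'pass' : client_ip is the domain's own server or an authorized relayer
    'fail' : the domain publishes records and client_ip is not permitted
    'none' : nothing to check (null sender, or the domain publishes no record;
             what to do with 'none' is left to the receiving site - assumption)
    """
    domain = envelope_domain(mail_from)
    if domain is None:
        return "none"
    rec = records.get(domain)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    # Default from the comment: with no relayer record, only the domain's own
    # server may originate its mail, so the permitted set is just the MX hosts.
    permitted = [ipaddress.ip_network(n, strict=False)
                 for n in rec.get("mx", []) + rec.get("relayers", [])]
    return "pass" if any(ip in net for net in permitted) else "fail"


if __name__ == "__main__":
    for sender, ip in [("alice@example.org", "198.51.100.77"),
                       ("bob@example.net", "198.51.100.77"),
                       ("<>", "203.0.113.9")]:
        print(sender, ip, check_relayer(sender, ip))
```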
my cube has a window...
I'm getting really tired of hearing spammers painted with this huge brush. When SCO gets DDOSed and they blame it on the open source community, everyone drops an angry turd.
When anti-spam pages get DDOSed suddenly it's ok to talk about how the spam community is this huge group of lawless, horrible people. Tying it into terrorism is icing on the cake.
I work in the hosting industry and I've met small to big time spammers, and they're all fucking idiots. Most of them have a basic understanding of the internet, but I would say the vast majority have no idea what a DDOS is and have never formulated a crazy scheme to take down spamcop/spews. In reality, things like SPEWS are such an everyday occurrence to people who spam it bugs them way less than legitimate users who get their IPs listed.
Spammers are dumbasses and annoying, but then again so are the people who post in news.admin.net-abuse.email. I really wish I could round up both groups and make them knife fight, it would solve so many of my problems.
Pointing out spammer's mistakes and helping them evolve/correct the problem.
I'm not sure what the secret to success is, but the secret to failure lies in trying to please everyone -Bill Cosby
Edit the CD to include the email address of every politician the world over, along with known spammers and the editor of every media outlet. If you can, use addresses that forward a notification to their mobile phone via SMS, then sell the new CD.
We'll soon see a change in the law.
Ahh I can dream.
MOD DOWN
Over here, the rule is opt-in. The recipient of the spam has to have consented to it beforehand. (for the Norwegians here - markedsforingsloven 2 b).
I used to have a job where I had to deal with different kinds of questions from the public that dealt with, among other things, spam. After contacting various Norwegian spammers to lay down the law, I found that a lot of them bought CDs or whatever with e-mail addresses. They seemed to (usually arrogantly) think that because they bought these lists, they were fully legal to use. This is not the case.
I don't know if these CDs were sold with the implication that their use was legal. Hindsight is 20-20 and I realize now I should have told these spammers to demand their money back from the people who sold them the CDs.
People say I'm crazy, I got diamonds on the soles of my shoes...
I think the assumption that they are maliciously giving out bad e-mail addresses overstates their intelligence. It is more likely that they just don't know what they are doing. But...thanks to this wonderful (and free) tutorial, they can now vastly improve their own spam e-mail lists! The tutorial was even kind enough to provide the appropriate regex patterns at the bottom. How Thoughtful.
Jens Wessling
why the recent EU anti-spam directive was weakened
Because like prOn, spam produces huge amounts of money from the internet. Getting 100+ spam/day assures me that there is still a lot of money to earn from spam. And where a lot of money is to be earned there is a lot of power involved (lobbying, etc.).
Deal with it. Spam will never go away. Spam might increase the infrastructure of the internet (well in india, etc.), but it will never go away.
Just install Mozilla and give the Junk Mail feature a try. Every other action is a laugh.
As for the author's assertion that the "bulletproof" spam hosts are in India, I give you ... China, Brazil, most of the Pacific Rim, as well as clueless/malicious providers such as Level3, Wanadoo.fr, etc. I can count the number of spams I've received from Indian sources recently on one hand, while the Chinese/Brazilian spam numbers in the tens of thousands.
No mod points, no meta-moderating/Firehose/all the other free work Slashdot wants me to do.
We offer reliable bulk email friendly web hosting services. You can now have the peace of mind knowing that your web site is secure during your email marketing campaigns.
[...]
You can use the server for any of the following:
Direct Bulk Mailing or Proxy Mailing
Web Site Hosting
Proxy, Relay or Port Scanning
If only there was some way to deprive "ContactHosting@tom.com" of peace of mind
Sleazy people making sleazy products. Shocking.
Slashdot: when news breaks, we give you the pieces.
From the linked article, they found 10,996,629 total addresses, with 6,220,454 unique addresses. 56% unique, by the numbers presented.
So could someone explain how, with 56% of them unique, only 1,795,633 addresses appear only once on the list? Does appearing "1 time" not mean the same thing as "unique"?
I thought perhaps those numbers might mean "once more than unique", but that still doesn't add up - Just looking at the "1 time" and "2 times" columns, I see 1,795,633 + 4,107,246 = 5,902,879, while 10,996,629 - 6,220,454 = 4,776,175. Still doesn't add up.
Does anyone see something I missed that would explain these discrepancies?
Not a complete solution, but doesn't a valid WhoIs record make spam-killing easier and more practical? Doesn't registering a DNS domain require a valid WhoIs record (at least in theory)? It seems systematic verification of the existing WhoIs records, with consequences like loss of registration for unreachable or deceptive offenders, would help. This could even be done on an open source basis by volunteers. We scan the publicly available WhoIs database, find what we think are invalid records and flag them for double checking and possible enforcement with the registry companies. Tracking and publishing how they handle the reports then puts some pressure toward having an accurate, public, maintained, verified WhoIs database.
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
I'm glad that this bill is unlikely to pass
Did you miss something? The current bill is already opt-out, and was already signed into law two weeks ago.
See here for details.
You know, it would only take the publicity from thirty or forty mid- to large-scale spammers being kidnapped, having their fingers removed with rusty tin can lids, being beaten to a pulp and then each cadaver ground into fertilizer for trees in newly planted ecologically managed forests, to scare off many of the potential next generation of spammers.
... guys...?
I mean, it may *seem* extreme to begin with, but the collective sigh of relief around the world might usher in a new age of understanding and peace.
Go with me on this...
Sorry but I read this 3 times and it makes no sense.
try to use little words that your little brain can understand.
Who is the one that read it three times and was still not able to understand?
I find it doubtful that the erroneous e-mail addresses are malicious. That would suggest that these spammers have vastly higher intelligence than the evidence indicates.
But...thanks to this new and wonderful tutorial, they can vastly improve the quality of their spam e-mail lists. The tutorial was even kind enough to provide the appropriate regex patterns at the bottom. How thoughtful.
Jens Wessling
Part of me is wondering if this is necessarily a bad thing. Why not sell CDs containing bogus addresses to "poison the well" of spammers as it were? The ideal situation would be one in which 1.) every address was invalid, and 2.) the spammers paid for every bounce via bandwidth charges.
To be honest, this might be the most effective way of reducing spam. Simply register a large number of TLDs with the same IP address, make up bogus email addresses using said TLDs, and sell it on CD. Use the money from the sales to support the hardware and infrastructure costs. As an added bonus, one could sell several "levels" of lists - one CD would have a bunch of email addresses, another would have a mix of valid and invalid addresses, and for a premium, a spammer could buy a list of guaranteed valid addresses. Of course, just because the address is valid doesn't mean a human has to read it - a script could be used to set up and clean "valid" email accounts on the sacrificial server.
It would work out well for everyone, except the businesses who hire spammers. Spammers would be able to rake in cash by charging by the mailing. The email addresses would be legitimate, but nobody would actually have to read the spam. And those of us who hate spam wouldn't have to deal with it as much.
I don't know... Something about taking money from a spammer just warms my heart, even if it is a rip off...
The society for a thought-free internet welcomes you.
Isn't 4-5 million less than 7 million? :-)
spammers use the envelope address
you should read the SMTP RFCs
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Syphilis, hopefully. :)
/obvious
Avoid rip-offs, send $20 to PO box....
"Better buy 2, we'll be double protected"
apologies to D.Miller.
Well, as a consultant/technician, I feel more job security in this new year. I received 70 spam emails today. The greatest amount in 1 day so far. This article confirms my prediction that 2004 will see an exponential growth of spam, zombies and open relays. That's not necessarily a bad thing. Now I can sell my services to companies who are looking to implement strategies for managing email privacy. For example, you could simply go to a company's web site and show them that they have a flaw in listing their email addresses on the site. The best method is to post them as a graphic. Simple and effective. Now if I can just get hired.
Care to back up your statements with facts? While there may be ISPs hosting spammers, a statement like this without any data to back it up is just like saying Americans are stupid idiots, probably partially true, but a careless flame bait.
raj
Sarovar.org Hosting for open source projects in Indi
Don't you think the war on spam should be fought as aggressively as the war on terror (ok, I know Iraq did sidetrack us from that war, but still). After all,
1. just like terrorism, the spam mainly affects western countries...most of the uneducated masses do not have computers
2. the spammers do not care if our life becomes hell...they are interested in their 72 virgins...or money in this case
3. the harder we fight them, the more workarounds they find
4. any time you turn to news, you find terrorism. any time you turn to computer, you find spam. does not matter whether it is a child's email account or a grownup's.
5. it is a relatively low cost business. any tom, dick and harry can get up and start spamming. you never know when your next door neighbor is a spammer.
If only the government and industry made it a mission to kill spam. The only way it can be killed is with collective will to do so. Prosecute the spammers at par with felony or higher. Kick the industry to find workable solutions without introducing proprietary protocols.
what does "bullet proof hosting" mean ???
Spammers making outrageous claims? Who woulda thought!?!?!?
Every spam message contains a link to somebody who is trying to make money. Why not go after the companies that the spam links to, instead of trying to trace down the spam? In other words, investigate it from the other end.
For example: I receive a spam which suggests I link to XYZ company's website. Obviously, XYZ company is responsible for sending out the spam. Why not go after XYZ company?
Is this too simple?
Bittorrents, for example, must have a seed site out there somewhere. This site can be taken out, and any other "official" site that mirrors it. If the data is signed, then the official sources of such signed data are vulnerable (if you need to revoke the key). The general problem of anonymizing traffic, while being able to trust the data on it at the same time, is Hard.
The wheel is turning, but the hamster is dead.
Yeah, and then some guy gets the idea and runs with it and says they are from M$ or some other corp. I am not sure if half the spam I get actually originates from the company. This trick has been played before.
What would happen if somebody registered a domain and set the DNS to resolve as 127.0.0.1? Let's say the domain spammersbiteme.com were so configured then a million email addresses within that domain were allowed to be harvested. What would happen if a campaign were launched?
Does it mean the ISP won't cancel them for such uses? Or that these servers are immune to attacks through the Internet and/or physically on the hardware?
And how does this affect India's reputation as they try to attract more IT outsourcing?
My point is this: Follow the money. The spammers aren't doing this just for fun, are they?
Granted, it won't do much for pr0n, as pr0n customers know a bit of what they are getting into (although a tip about their credit cards being coopted might help.) How about a nice little piece, such as, "SPAM is Fraud, .." and sending it out using their own network?
Make the golden geese a bit wiser and maybe the goose eggs won't produce as much gold for the spammers, thus hurt their own methods and markets.
A feeling of having made the same mistake before: Deja Foobar
But the analysis shows that the raw lists are not all junk but still have value. What we now need to do is now pollute the status of these.
This can be done by actually visiting every link that a spam offers to you and checking the content of that page.
It sounds like this would alert the spammers to your email being alive and unique and as an individual this would be a bad thing BUT what if EVERYONE did this? The web site would be hit (err just like a /.) in proportion to how much they supported spam.
Especially effective if done at a Brightmail/ISP level where it is behind the scenes and hasn't even hit your account. And no one can say that visiting a link is something illegal.
The analogy is shouting into a room of people and saying IS ANYONE HERE. If just 1 person replies then that's information. If everyone yells back then that's NOISE. Effectively what would happen is that a spammer sends out 1 Million emails and if say 250,000 replied back and visited their web site then they would have to seriously question if that was an effective campaign. Traditional media people would say yes BUT those 250,000 visits are in fact robots looking like humans. Ain't no sales from robots and just left with a large bandwidth bill.
What it's saying is we need a co-ordinated community to effectively stop spam. Just a thought. What I haven't worked out is how to stop spammers using this as a DDOS attack. I suspect a robots directive but haven't worked out the logic yet.
If you worked for SCO or something and wanted to destroy another business, you simply email millions that the other company is selling something. We don't know who the original email originates from. I have seen email sent trying to destroy the reputation of some people/companies that way.
Okay, set up a site for potential spammers to buy one of these CDs. Require they give correct contact information to purchase.
Once lots of them have purchased, send out the CDs with the list of people who purchased the CD.
Profit and the joy of justice, all in the same business plan!
"Oh yeah."
- The Duffman
"Evil's no good. Ya just don't cotton to it. You've gotta whack it on the nose with the rolled-up Newspaper of Justice, and say, 'Bad dog...bad dog!'"
- The Tick (as best I can remember)
I'm a lawyer with excellent karma. Something's gotta be wrong.
Yes, because you sure haven't made that much karma from the small number of posts you've made. I tend to suspect that both halves of your statement are pure delusion.
If sperm is spam then I plan on spamming LOTS of mailboxes.
Mike Conner's *IS* Mannix.
He changed his sig now.
How come a spammer doesn't send out a 20 Meg File to millions of people, thus screwing up the net?
Have a key that is like a public key, but isn't published to the world; only give it out to people from whom you authorize email to be delivered to you. If your incoming mail doesn't contain that key, delete it.
Then, have a specifically formatted message type to handle key requests. Say if Betty wanted to email Veronica to request her private-public key, it would have to be in a strict format, say with the subject line: KEYREQ . For example: KEYREQ veronica@archie.com Hi it's veronica. ?? Then your email client could have a button called "Reply/Authorize".
"Would it kill you to put down the toilet seat?" -- Maya Angelou
How about faking such software. It shouldn't be too hard to rewrite some of that so that it sends mail to abuse@(local.isp) informing them that this spamming program is running on this address, attempting to send this spam to so many addresses, through these open proxies... Cc to local law enforcement, press, and politicians. The program would have to send enough spam to make sure the culprit has committed the crime, but those could include the full path the mail has taken, and other interesting info.
Sell these doctored CDs over the net, just like the real McCoy. Custom code them to include all available information on the buyer, his address, and credit card number.
In Murphy We Turst
But why isn't this under YRO?
mattdev@server$ touch
cannot touch `/dev/genitals': Permission denied
Why aren't these sites listed, real-time blacklisted, and DDoS'd by the good guys? If there is a SETI screensaver, why not a Pitchforks-and-Torches (my name for the angry mob of ordinary folks) one that, say, once a minute sends a query to known spam-friendly ISPs. A million of these would be a million messages a minute. Hard to call that a real DDoS attack from any one person since all I wanted was to see if their page has updated.
From the article:
One thing that I haven't included in my analysis is the number of addresses of individuals as opposed to the number of addresses of non-individuals (but not limited to just the role accounts). If you have a good idea on how to tackle this problem for over 10,000,000 addresses, I would be more than grateful.
Pick, say, 1000 of the addresses at random. Then classify them manually. Unless you've got very few addresses in each class the distribution will mirror the real one closely. (You could perhaps do with just doing 100 addys manually). Just make sure the selection is truly random.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
While most e-mail users are disgusted @ companies who spam and have business relations with spammers or spam-friendly ISPs, Google has not been mentioned yet as a part of that group.
By doing some searching on Google - http://www.google.com/search?q=bulk+email+friendly+web+hosting+services&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8
It's evident that would-be spammers can easily find spam-friendly ISPs with the help of Google's Sponsored Links.
Google profits through the Spam-Friendly ISPs' sponsorships and advertisements.
Does anyone see anything ethically wrong with that ???
You know, sometimes people have gone past the point at which the "troll" mod is appropriate and reached a stage at which we really need a "seek help, for your own good more than ours, please seek help" mod. Maybe give it a score of +5 just to give the poor creature a moment of happiness.
I think I am gonna copyright my email address . . . then I can bill any company that is being advertised for whatever amount I please when they use my address in an email header. Most won't pay, but those companies that paid sco probably will send me a few bucks :P
Those odds approach 1 at the speed of light if you send me your address and you are within 100 miles of where I live.
My beliefs do not require that you agree with them.
Slow down buddy, you made a huge assumption and ran with it.
Most lists are sold through contacts. If a contact distros your nice pretty new list you harvested from a big fat casino site, then you know not to trust them again, or to give them dirtier lists.
If you receive email from a spam run, and the guy in charge of the run tries to sell you a list that just hit your dummy emails, you know that most of those addresses are off a previous list you had, and that the list is mostly worthless to you.
Spammers don't sue. Spam relationships/status is based on trust because it's an incredibly unregulated industry. You piss off someone big enough and you're fucked.
and require a documented verification process and waiting period before granting a domain.
Heck, we force one in the US for guns, among other things - a misused domain can be just as dreadful in terms of consequence.
And while we're at it.... wipe Neulevel from the face of the earth. I've never, ever seen a valid .biz domain. And very few valid .us domains.
To have ambition was my ambition.
When all doubles (and triples, and ...) are removed from the lists, only 6,220,454 unique addresses remain. Which is 57% of the number of addresses the spammer claims.
...
Over 60% of all addresses appear twice, while only 28% appear only once.
If only 28% of the names on the CD appear once, then why is it you still have 57% of the names on the list after you remove doubles, triples etc.?
Is my lack of sleep affecting my arithmetic?
Acar
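The arithmetic that trips up the two posts above (the one questioning how 56% can be unique when only 1,795,633 appear once, and this one) comes down to two different quantities: the number of distinct addresses and the number of list entries. The block below is an added illustration, not part of the thread or of the original analysis; the small address list is constructed, the large numbers are the ones quoted in the thread, and the case-insensitive normalization is an assumption about how the CD was deduplicated.

```python
from collections import Counter

# Figures quoted in the thread from the CD analysis.
TOTAL_ENTRIES = 10_996_629   # every line on the CD, duplicates included
DISTINCT = 6_220_454         # unique addresses after removing duplicates
ONCE = 1_795_633             # distinct addresses that occur exactly once
TWICE = 4_107_246            # distinct addresses that occur exactly twice

# Constructed sample list; the duplicate of a@x.nl differs only in case/whitespace.
SAMPLE = ["a@x.nl", "A@x.nl ", "b@x.nl", "c@x.nl", "c@x.nl", "c@x.nl", "d@x.nl"]


def normalize(addr):
    """Fold case and whitespace so trivial variants count as one address (assumption)."""
    return addr.strip().lower()


def multiplicity_table(addresses):
    """Return (total entries, distinct addresses, {k: distinct addresses seen k times})."""
    per_address = Counter(normalize(a) for a in addresses)
    table = Counter(per_address.values())
    return len(addresses), len(per_address), dict(table)


def identities_hold(total, distinct, table):
    """The two relations the posters ran together:
    sum_k table[k]     == distinct   (each distinct address lands in one bucket)
    sum_k k * table[k] == total      (each bucket contributes k entries per address)"""
    return (sum(table.values()) == distinct
            and sum(k * n for k, n in table.items()) == total)


def reconcile_published(total=TOTAL_ENTRIES, distinct=DISTINCT, once=ONCE, twice=TWICE):
    """Derive the '3 or more times' bucket from the published figures and the
    percentages the thread quotes (28% and 60% are shares of DISTINCT, 57% of TOTAL)."""
    addrs_3plus = distinct - once - twice          # distinct addresses seen >= 3 times
    entries_3plus = total - once - 2 * twice       # list entries those addresses occupy
    return {
        "distinct_3plus": addrs_3plus,
        "entries_3plus": entries_3plus,
        "avg_multiplicity_3plus": entries_3plus / addrs_3plus,
        "pct_once_of_distinct": round(100 * once / distinct, 1),
        "pct_twice_of_distinct": round(100 * twice / distinct, 1),
        "pct_distinct_of_total": round(100 * distinct / total, 1),
    }


if __name__ == "__main__":
    total, distinct, table = multiplicity_table(SAMPLE)
    print(total, distinct, table, identities_hold(total, distinct, table))
    print(reconcile_published())
```

Both identities hold for the published numbers too: 1,795,633 + 4,107,246 + 317,575 = 6,220,454 distinct addresses, and those 317,575 addresses seen three or more times account for the remaining 986,504 entries.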
So now we know that there's at least one guy who receives 14 times more spamming than I do!!
Poor kid!!
Or maybe is it that this guy has been an active buyer of the things offered through spam all these years?
I wonder if he'll start receiving anti-spam ads from rejo/spamvrij.nl 14 times a day. X-D
Yes, it's a joke!! Go ahead and screw my karma!!
One way to take proactive measures against spammers...esp the mortgage spammers!
http://www.astrobastards.net/uc/
As the spammers are selling the addresses by volume, you can't poison the list by adding to it. The CDs are only generated for those suckers willing to pay for it, and the more the better. None of the spammers are concerned about data quality of their products, I guess.
And most likely, they generated some of the email addresses themselves anyway.
Anyone have anything similar?
-cp-
President Bush to Liberate Alaska!
Come now, this is the best Dutch scam I have ever seen. Anyone who buys these disks must be either nuts or completely retarded LOL.
;-).
More of these articles would be nice.
So much for Dutch enterprise spirit.
Man, we're becoming the world's best ever marketing country...
Spam away.
Interestingly enough, if everyone who received spam clicked on the links, we'd see the volume of spam reduced as well.
Why would such a counter-intuitive method work? Spammers are paid by the number of people who click on the ads, whether or not a purchase is made. Since sending spam is relatively free (as in beer), even a low return rate (e.g. 0.25%) response can net a spammer thousands of dollars, and somehow the spammer is able to count those mouse clicks (like you're going to otherwise trust the accounting of the sleazy companies that sell through spam? Count those clicks yourself.) The more free messages sent, the more people who can click on an ad to reward the actual spammer.
But won't this just enrich those dirty, rotten spammers? YES!
And just why do you want to enrich dirty, rotten spammers? Because it raises the cost of doing business for the companies that employ the dirty, rotten spammers.
Make it expensive for companies to use spamming. Too expensive. As long as they use the current payment model, click on the links and don't buy anything.
The results will have to be:
1: More targeted spamming (which reduces the amount overall compared to the current random system).
2: A different payment model that is tied to sales (at which point spammers have to trust the sleazy people they deal with, and we can stop with the clicks)
3: Companies that quit using spam for marketing (Yeah!)
...over the years I've received exactly TWO Norwegian spams - from "Trondelag Teater" and "freewave.no". Of course, I'm pretty careful with my "official" mail, I keep various other junk accounts for other stuff. But the US spam (presumably) keeps coming in, viagra, 411 scams, mortgages, gambling, whatever. They still fill up my inbox.
I think the only way to do it is to have
a) hashcash payments (CPU time) OR
b) cryptographic pass-through "token"
The former for all the low-volume mail, where you can "afford" to burn a little CPU. The latter for mailing-lists and similar high-volume stuff, which would allow it through without paying any hashcash, but must be specifically issued (by the server, at the user's request).
The server wouldn't need to keep a database of them, it would simply have to verify them. Yes, this is my own signature, a valid user@mydomain.tld token with the name "Slashdot". They could also be time-limited. Furthermore, the token email address should be different from the non-token email, so that I can issue them "anonymously". (e.g. the SHA hash of the real email...)
Compromised token? Reject any further mail from that token, preferably at server (revocation database, wouldn't be that large). By default, mailing lists should take a rejected token as an "unsubscription".
That would also allow for degrees of "blocking", not simply black&white lists.... these semi-spammy domains get higher hashcash, these highly no-spam areas get lower hashcash.
So how would this work. Let's say I want to sign up for a slashdot newsletter:
Subscribe
1. Send subscription email to server, check box for "Issue token", and call the token "Slashdot".
2. Server receives requests, generates a cryptographic token, and sends it to the list from the TOKEN address (say e.g. a hash of the real email, server has a hashmap).
3. Server receives mail from mailing list, looks up real email based on token, verifies token, and passes it on (with proper "X-Token" header or something like that). Replies to messages with an X-Token also sent over token address.
Unsubscribe (either due to compromised/SPAM/leaving list):
1. Revoke token
2. Mailing list tries to send mail, but fails on invalid token. Removes you from list. They could try again but the result would be the same.
What information does slashdot have now? Nothing. No valid token, no valid address. No matter how hostile/compromised they got, they can't do any more damage. They can't even sell my real address to spammers.
Having removed all "high-volume" automatic lists from the equation, we can jack up the hashcash requirement high enough that it really hurts spammers. You can finally have a SPAM policy without directly rejecting mail.
Hell, you could even have a two-stage hashcash deal. One based on origin (before wasting bandwidth) and one after retrieving mail and passing it through spam-assasin, with higher hashcash the more "spammy" the mail is (wasting bandwidth, but saving space in inbox).
The only ones hurt by this are those sending mass amounts of unsolicited mail. Which are, in approximately 99.99% of the cases, spammers. If it isn't, it's mass requests to sign "save futurama/the rainforest/whatever" campaigns or similar. That much collateral damage, I'm willing to take.
Kjella
Live today, because you never know what tomorrow brings
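The hashcash half of the scheme above, as an added example that is not Kjella's code: a sender mints a hashcash v1 stamp (a string whose SHA-1 has a required number of leading zero bits) for the recipient address, and the receiving server verifies it with one hash, checks the stamp was minted for it, rejects double spends, and demands more bits from origins it distrusts (the "degrees of blocking" idea). The per-domain POLICY table and the one-day validity window are constructed for the demo, not part of the hashcash spec.

```python
import base64
import hashlib
import os
import time

# Constructed per-origin policy (an assumption for the demo): minimum proof-of-work
# bits a sender must present, keyed by sending domain. Unknown origins pay the default.
POLICY = {"trusted.example": 8, "spammy.example": 20}
DEFAULT_BITS = 12


def required_bits(sender_domain):
    return POLICY.get(sender_domain.lower(), DEFAULT_BITS)


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource, bits, date=None):
    """Mint a hashcash v1 stamp '1:bits:YYMMDD:resource::rand:counter' whose SHA-1 has
    at least `bits` leading zero bits. Each extra bit doubles the sender's expected work;
    the receiver's cost stays at one hash."""
    date = date or time.strftime("%y%m%d")
    rand = base64.b64encode(os.urandom(8)).decode().rstrip("=")
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, recipient, sender_domain, seen, today=None):
    """Receiver side. Returns (accepted, reason). `seen` is the double-spend set kept for
    the validity window; the window here is 'stamp date == today' (a simplification)."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1":
        return False, "malformed stamp"
    _, bits_s, date, resource, _ext, _rand, _counter = parts
    if not bits_s.isdigit():
        return False, "bad bits field"
    bits = int(bits_s)
    if resource != recipient:
        return False, "stamp minted for a different recipient"
    need = required_bits(sender_domain)
    if bits < need:
        return False, f"{sender_domain} must pay {need} bits, stamp claims {bits}"
    today = today or time.strftime("%y%m%d")
    if date != today:
        return False, "stamp outside validity window"
    if _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False, "stamp does not carry the claimed work"
    if stamp in seen:
        return False, "stamp already spent"
    seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    s = mint("me@example.org", DEFAULT_BITS)
    print(s, verify(s, "me@example.org", "example.net", set()))
```

A 12-bit stamp costs a few thousand SHA-1 calls, which is nothing for one personal message and ruinous across millions; a sender from spammy.example would have to present a 20-bit stamp, 256 times the work, for the same delivery.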
It would be like having a cell phone over a land line. Direct marketers are not allowed to call people who have to pay by the minute to receive calls.
How about this... some whitehat could make and market a CD of millions of mail addresses. But they'd all be fake except a few for monitoring, spammer tarpits and a few of abuse@ISP and the feds ;-)
Besides cutting down spam you'd be transferring money directly from the spammers to yourself.
This is just a more complicated form of a "white list" of authorized recipients.
How about a patch to sendmail that includes various blacklists as part of the HELO?
The blacklists could be compressed with gzip/bzip2 and signed by Spamhaus (or whatever blacklist we trust these days) and automatically transferred when a higher version number is detected. Spamhaus would just have to seed a single high-traffic sendmail instance anywhere on the internet to flush the whole global network with a new list.
Sendmail, Inc. could put an end to Spamhaus' bandwidth requirements.
This blocking list is somewhat experimental and should not be used in a production environment where legitimate email must be delivered. It is growing more stable and is used by many large sites now. However, SpamCop is aggressive and often errs on the side of blocking mail - users should be warned and given information about how their mail is filtered. Ideally they should have a choice of filtering options. Many mailservers can operate with blacklists in a "tag only" mode, which is preferable in many situations.
If people use Spamcop's blacklist in some other way than the one recommended by Spamcop, how is that Spamcop's fault?
Installed the Bubblemon yet?
A nice example of spambot poison. But obviously hand-generated. The automatic kind is much more effective!
This may qualify as flamebait but ...
If some idiot, with or without govt sanction, is polluting the local drinking water you stop them - by any means.
Once a few hardcore spammers are disfigured by slashing or burned by gasoline bombs they will start weighing the true cost to society.
In the western US, many of us carry guns. It's time to use them.
Consider this, legal drinking age in country A is 18, in B 21. Person D goes from Country B to A to drink. Doing the activity in country B is still illegal, but the activity is not covered by B's laws.
In the case of spam, Spammer uploads programs and data to server in an unregulated country (UC) A, sets up site in UC B, sets up accounts in UC C. Part of this set up includes a web interface to UC A server. From country D, spammer visits site in UC A and initiates spam with a few clicks. The spam originates in UC A and all the other lines of responsibility end in unregulated jurisdictions. Regulation ends at the border and the unethical spammer remains untouched.
The key is to create a uniform international law and jurisdiction. However, getting such cooperation is well nigh impossible.
The potato it is uninformed.
The problem with the "friendly virus" approach: you're trying to install software on zillions of strangers' computers, blindfold. Assuming this is windoze we're talking about here, there are scads of different versions and subversions and patched and hacked OSes. It's a certainty that your "upgrade" will fry the OS in a fair percentage of cases, even if you wrote it without a single bug. Which you won't have done, because its first real test-run will be live.
The first "great internet worm" was a friendly program that went haywire.
Above post wholly copied from one posted in October by another poster.
The facts:
Spamhaus SBL record
SPEWS record
This particular spammer (Patrick de Bruin) used IP-address 202.9.156.34 for a while, in Dishnet netspace.
Promote your business to millions of fictitious addresses!!! Waste your bandwidth!! Guaranteed 0.000% clickthrough rate!
Whatever you like. I have added a link that will take you to the Dishnet's entry at spamvrij.nl. You can see that Patrick de Bruin (the spammer selling these CD's I have written about) has been able to host his website at four Dishnet IP's for quite a long time and quite a lot of spamruns. They didn't react at all. More proof (exact IP's etc) can be found at other pages at spamvrij.nl.
Rejo.
If a spam message has a link to an image, let it go through and view it lots and lots of times. It's trivial to make a simple browser app that you feed URLs and it repeatedly grabs the data from that URL. Most spammers use affiliate programs so if you want to be really mean you can call the affiliated link a few million times so that they get paid nothing (or even kicked off the program for cheating) or you bankrupt the affiliate company if they don't have rules against such things. (pay per click and not pay per sale). 1 million click thrus times a few pennies per click really adds up.
A 25KB image sent to 25 million people takes around 667GB of transfer. So if lots of people just sacrifice a few hundred megs of transfer, the spammer's servers will choke and die or the bandwidth costs will put them out of business.
And there's nothing illegal about it.
Ben
Work Safe Porn
Your fp is almost as good as fp45.
Almost.
Suppose I own my domain (or at least have full access to it).
#1. I post a few fake addresses to sites.
#2. The spammers pick up those addresses and start sending spam to them.
#3. My email system spots the faked names and drops any further connections from those servers or my firewall drops the connection.
Does anyone see any problems with that approach? Other than the time needed to check through the list of evil addresses.
The only flaw I can see would be if the faked names were somehow sent from legitimate servers. But I don't see how that could easily happen.
The entire analysis boils down to one thing, which I call Rule #5, the King of All Rules: Spammers don't give a shit.
They don't care who you are, what you think, what you would or would not like to receive, what sex you are, if you are a minor or not, if the address they are sending to is valid or malformed, or if you are dead. All the lying that they do and the rationalizing of their behavior exists solely because -- let's chant together -- "Spammers don't give a shit"
The notion that a spammer should clean up a spamming CD to remove duplicate addresses or to remove role addresses at ISPs is simply ridiculous. Why spend the time? It will have zero impact on the number of sales that they make and -- chant it -- spammers don't give a shit.
So forget all the other rules. It is a waste of time to assign qualitative analysis to the behavior of sociopaths. They want money, and they don't give a shit about how they go about doing it. Once you realize that, you will see that all the other "Rules" for spammers are superfluous and stem from Rule #5.
yea - but this enormous amount of money has to somehow be transferred from the stupid idiot with the microscopic dick to the entity selling the stupid enlargement thingie.
Who handles this money transfer... banks do. Who processes the credit card transactions.... Credit card companies do.... Who do we have to blame? The ISPs? perhaps.... Obviously we should blame the naive public for wanting this crap. but what about the financial institutions responsible for transferring the money into the spammer's coffers? can't they also be blamed? I see very little indication that Financial Institutions (FI's) are being pressured to clamp down on this usage of their systems and networks. Then, we have the shipping companies (which, by the way, are most excellent in tracking down the spammers).
Then, there is all this opt out fiasco.... it's never going to work.... never will....
Think about it.... we have these bozos selling CD's chock full of Emails, despite the claims they have about how clean they are... if I were a self respecting spammer, how much of an effort am I going to do, to clean out all the opt outs I get? No way! Jose! it just ain't going to happen. Even if it's a reputable company that actually honors opt outs (Do they really exist?)
Do you really believe they are going to be implementing a managed system of emails for their mailings?
have you any idea of what it would cost to implement something like this?
This is why the CAN SPAM act is seriously flawed. but i didn't vote for the "schrub-man".
Melior Inc.'s solution to combat network abuses and intrusions, especially DDoS, seems quite interesting. It's a physical device you place before your network, that just sits there and examines incoming packets and attempts to throw-away junk. it's transparent, meaning it doesn't have an ip address, stuff just kinda flows thru it.
i know that at least one anti-spam entity uses them.
Extraordinary Vacations. Exceptional Prices
I really don't know why this is so hard for people to understand, but it "shouldn't" be that hard to create a peer-to-peer, fully trusted spam blacklist system.
1) Take a well known provider of such lists and have him generate himself a PGP/GPG (etc) key.
2) Create a hashing algo that can be applied to email addresses and domain names and produces (about) 60 or so distinct hashes.
3) Coordinate the email blacklists into N files where N is the number of hash results from item 2. These are the N components to the complete list. IF you have an address X and its hash is Xn then if the address doesn't appear in file N the address is not blacklisted.
4) Construct (or use an existing) P2P app to distribute these N files. Ideally the P2P system in question can "bias" the fetch operation to favor retrieval from "previously known good" sources.
Here are the fine points:
A) The GPG secret key, and not the "location fetched from", is the magic that marks the list valid. You can not DDOS a secret key, just an originator.
B) A first-order web of trust, instead of a simple key, could also be used. That is, instead of requiring a signature from the master key, require a signature from a key signed by the master key. This way "the one key" can stay relatively unused while persons need to attack the rotating and regularly expiring frontage keys if they want to game the transfer for any reason.
C) The master key and the frontage keys don't have to equate to any real nor active network facility. They only need to be unique in key space. You simply *CANNOT* attack a namespace that isn't backed up by a physical facility. (For instance, if the master key were "master@control.spamcop.org", spamcop.org itself could be pointed at Geocities or something or nothing at all.)
D) While a current (Kazaa-esque) P2P app would probably be less than ideal for the actual transport, it wouldn't be difficult to design a P2P style distribution mechanism. It wouldn't need to be any more subtle than a bunch of http mirrors really, as long as the mirroring system (rdist/wget alike) would only put the files in the public directory if they passed a frontage-key/master-key signing test.
In practice you would probably want to distribute a signed known-mirrors (root) file too.
[Then again, a shite load of ptr records in a "spamcop.org" dns table could function as the analog of an MX table for this rooting purpose. Those sites would tend to become targets, but only for as long as the list size were small.]
If a "real" P2P app, or even a well designed friend-of-friend http-based network were put together and reached a core complexity of a at least a couple dozen known base points, it would be unquenchable. The target density would be too diverse to attack effectively. It would be like trying to DDOS "all the bloggers on the net".
Heck, set a pseudo standard: Every domain that wants to join the P2P network "backbone" should issue itself a "spamcop@my.domain" key and then do a challenge/response signing (on connection each party sends the other a challenge, gets the challenge back signed, checks the signature as valid) when it comes onto the backbone. Organize the thing like IRC but with records kept for keys used. Add some throttling (like IRC flood protection) and you are off. Abusers can be tracked down to their hosts and keys.
Then you can devolve. Regular users don't have to have keys to join the net and request information. Keys and domains can be blacklisted (possibly together?).
Heck, use the haxors techniques. Actually get permission to stake out some IRC channels to act as the root seed broadcast-style distribution system (list of known good core hosts, again, such lists are signed).
All you have to do is get some distribution without losing authenticity. That is what public keys are all about. The anti-assailable nature of P2P and the semi-chaotic nature of IRC have their legitimate purposes. Now all you need is to use these systems for good instead of evil.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
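Items 2 through 4 of the proposal above, as an added example that is not the poster's code: the list is split into 64 shard files by a hash of the normalized address or domain, so a client needing one lookup fetches one small file from any mirror or peer; a manifest of per-shard digests is the single object the maintainer signs (the GPG signature over the manifest is the step the post describes and is outside this example), and a client refuses any shard whose digest does not match it, so a hostile or stale mirror can only deny service, never inject or drop entries. The shard count, file names and sample entries are constructed for the demo.

```python
import hashlib
import json

N_SHARDS = 64  # the "about 60 or so" buckets; a power of two keeps the bucket a bit mask


def _canon(entry):
    return entry.strip().lower()


def shard_of(entry):
    """Bucket for an address or domain: low 6 bits of the first SHA-256 byte."""
    return hashlib.sha256(_canon(entry).encode()).digest()[0] % N_SHARDS


def shard_name(idx):
    return f"shard-{idx:02d}.txt"


def build_shards(entries):
    """Publisher side: split the list into N files plus a manifest of their digests.
    The manifest JSON is what gets the maintainer's detached GPG signature (not done here);
    signing 64 digests is far cheaper than signing and re-distributing the whole list."""
    buckets = {i: set() for i in range(N_SHARDS)}
    for e in entries:
        buckets[shard_of(e)].add(_canon(e))
    files = {
        shard_name(i): ("\n".join(sorted(b)) + "\n" if b else "").encode()
        for i, b in buckets.items()
    }
    manifest = {
        "shards": N_SHARDS,
        "digests": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()},
    }
    return files, json.dumps(manifest, sort_keys=True)


class ShardClient:
    """Consumer/mirror side: fetch only the shard a lookup needs, from whatever peer is
    handy, and trust it only if its digest matches the signature-checked manifest."""

    def __init__(self, manifest_json, fetch):
        self.manifest = json.loads(manifest_json)
        self.fetch = fetch      # callable(name) -> bytes: an http mirror, a P2P peer, a disk cache
        self.cache = {}

    def _load(self, idx):
        name = shard_name(idx)
        if name not in self.cache:
            data = self.fetch(name)
            if hashlib.sha256(data).hexdigest() != self.manifest["digests"][name]:
                raise ValueError(f"{name}: digest mismatch; mirror is stale or tampered")
            self.cache[name] = set(data.decode().split())
        return self.cache[name]

    def is_listed(self, entry):
        return _canon(entry) in self._load(shard_of(entry))

    def check(self, entry):
        """Lookup as a verdict: 'listed', 'clean', or 'untrusted-shard' when the only
        copy of the needed shard fails verification (fail closed on trust, not on mail)."""
        try:
            return "listed" if self.is_listed(entry) else "clean"
        except ValueError:
            return "untrusted-shard"


if __name__ == "__main__":
    files, manifest = build_shards(["Spammer@Example.COM", "bulk.example.net"])
    client = ShardClient(manifest, files.__getitem__)
    print(client.check("spammer@example.com"), client.check("alice@example.org"))
```

The fetch callback is deliberately dumb: the design gets its DDoS resistance from the fact that any host holding the files can serve them, and the manifest digest (not the host) is what makes a shard authoritative.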
hard-core spammers utilizing bulletproof hosting in India
I did RTFA, but didn't find anything about hosting in India? Is the author taking a cheap shot at India?
They probably can. And they are probably already in use by some spammers. No big deal here.
Why is this worth it ? playing devils advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances ? ) and thus the spam would be more "directed" ?
This isn't how spam works. You only care about target groups when it costs you money to reach people. The cost of sending spam is, for all practical purposes, zero. Thus, you don't care about target groups, instead you spam as many addresses as possible.
And as proven by the article, spammers don't care much about duplicates, abuse-accounts, etc.. either. By the time you have spammed a zillion people, your ISP will know about your spamming, regardless of whether you spammed their abuse-account yourself, or someone else notified them.
Along those lines, how much longer before someone just hires a highschool kid to manually "collect" addresses ? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..
That would raise the cost of spamming enormously. The high-school kid would want $10/hour, and could probably be expected to do 5-10 addresses/minute, meaning you'd pay up to 3 cents per address. This is 4 orders of magnitude higher cost than the CD in the article.
It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought ? If its per item, then there is a good incentive to cleanse, I'd think..
There are all kinds of silly models for spammers to get their money. But if anyone is stupid enough to pay spammers per mail sent, they can expect to get bankrupt soon. As a spammer, I could then send emails to dummyacct000000001@hotmail.com, dummyacct000000002@hotmail.com, and so on, and still get paid.
I've wondered why some of the anti-spam sites aren't run from countries with nonexistent extradition policies like Aruba (home of internet gambling sites). Get rid of the legal aspect at least, concentrate resources on running the site and fighting DDOSs
-Looking for a job as a materials chemist or multivariat
I doubt that, at least to the extent you likely intend it. The great thing about Bayesian filtering is that it's adaptive. So they would have to dramatically increase the rate at which they discover and use filter-killing tricks for this to work.
I'm running Mozilla, and in the last 8 months (roughly) I've gotten 10,000 spams - modest, but a great library for catching spams. I catch about 97% or more of them. And I can tell when they come out with a new trick - my catch rate will drop to say 80% for a day, after which my filter catches up to the new trick. In fact, when they don't have new tricks, my catch rate is about 99+%. Most of what gets through is new tricks.
I'd say now, they come out with a filter-busting trick maybe once a month. For spam to become a problem to my client, they'd have to do it better than once a day. I don't think they have the resources to do that.
(nt)
How about something working with SpamAssassin/Razor.
You don't really need a centralised list of targets. Let each host decide for itself what is a valid target, based on SA scores and perhaps Razor scores. The host could then upload to something like a Razor server to announce its intention to attack.
This would be highly efficient because the attack would then happen as the SPAM was going out, bringing the proxy/zombie/bullet-proof host to a standstill.
----
The real "Libtards" are the Libertarians!
Normally, you wouldn't expect a product like this to be very good, and you'd expect it to have lots of bad addresses, as well as mostly containing addresses of people who don't want to receive spam. But in this case, having a high fraction of actual duplicate addresses seems to be the kind of bogusness that some purchaser could take to court, claiming fraud, because the product claims to have 10 million addresses and only has 6 million plus repeats, and because the seller is known and identifiable, as opposed to some random entity on the net.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Besides, anybody who gives spammers bogus addresses is doing a public service :-)
Bill Stewart
Gates' Law: Every 18 months, the speed of software halves.
You get extra points if some fraction of the bogus addresses you feed harvester programs let you trace the spammer's sources, e.g. feeding addresses like 001002003004@mydomain.com to a web request from 1.2.3.4.
Bill Stewart
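The traceable-bait idea above, and the "spot the faked names and drop the sending server" idea a few posts earlier, as one added example that is not either poster's code: the bait address served to a page visitor encodes the visitor's IPv4 address and the date, plus a truncated HMAC so that nobody can forge a hit that frames a third party; when mail later arrives for that address, the MTA recovers who harvested it and when, and blocks the IP that delivered the spam. The secret, bait domain, date format and sample addresses are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress

BAIT_SECRET = b"constructed-demo-secret"   # assumption: in real use this lives in the MTA config
BAIT_DOMAIN = "bait.example"               # assumption: a domain reserved for bait addresses


def make_bait(client_ip, day, secret=BAIT_SECRET):
    """Address to embed in a page served to client_ip on `day` (YYMMDD).
    Local part is hex(IPv4)-day-mac; 8 hex digits is 1.2.3.4 -> 01020304."""
    ip_hex = f"{int(ipaddress.IPv4Address(client_ip)):08x}"
    body = f"{ip_hex}-{day}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{body}-{mac}@{BAIT_DOMAIN}"


def decode_bait(rcpt, secret=BAIT_SECRET):
    """Recover the harvester's IP and the harvest date from a bait recipient,
    or None if the address is not a validly tagged bait (wrong domain, shape or MAC)."""
    local, _, domain = rcpt.strip().lower().rpartition("@")
    if domain != BAIT_DOMAIN:
        return None
    parts = local.split("-")
    if len(parts) != 3 or len(parts[0]) != 8 or len(parts[1]) != 6:
        return None
    ip_hex, day, mac = parts
    expect = hmac.new(secret, f"{ip_hex}-{day}".encode(), hashlib.sha256).hexdigest()[:8]
    if not hmac.compare_digest(mac, expect):
        return None
    try:
        ip = str(ipaddress.IPv4Address(int(ip_hex, 16)))
    except ValueError:
        return None
    return {"harvester_ip": ip, "harvested_on": day}


def on_rcpt(rcpt, sending_ip, blocked):
    """MTA hook at RCPT TO. Any delivery to a bait address proves sending_ip is a spam
    source: block it and report where the address was scraped. `blocked` is the
    per-server set of IPs to refuse (the poster's 'drop any further connections')."""
    if sending_ip in blocked:
        return "reject: known spam source"
    hit = decode_bait(rcpt)
    if hit is None:
        return "accept"
    blocked.add(sending_ip)
    return f"reject: bait hit; harvested by {hit['harvester_ip']} on {hit['harvested_on']}"


if __name__ == "__main__":
    addr = make_bait("1.2.3.4", "031216")
    blocked = set()
    print(addr)
    print(on_rcpt(addr, "203.0.113.9", blocked))
    print(on_rcpt("alice@example.org", "203.0.113.9", blocked))
```

The harvester IP and the sending IP usually differ (scraper on one box, open proxy or zombie on another), which is exactly why both are recorded: one tells you whom to block, the other tells you who is building the lists.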
http://killaspammerforchrist.com/therules.html :-D, normally Jesus is against killing those that wrong us but maybe he'll make an exception for spammers :-D.
in my life God comes first.... but Linux is pretty high after that
Francis Smit
And in many cases it is EASIER to get an address blacklisted than to get the damn list admin to unsubscribe someone.
We have people who work here, who sign up for lists, who then leave the company AND THERE IS NO WAY TO STOP THE DAMN LISTS.
I put lots of them in my email scanner, but each entry adds a little more time to the scanning process.
List admins need to focus FIRST on making it ULTRA EASY for someone to UNSUBSCRIBE.
Particularly if the person who did the subscribing is no longer at the address that is receiving the list.
With paper mail, that means that letters with money attached get attention, letters with large amounts of money attached get personal attention, letters without money attached get counted or weighed and may get read by the staff if the subject is interesting or timely. Mail that takes more work to send gets more attention - it's how you tell "grassroots" from "Astroturf". Handwritten mail that appears to be unique gets more attention than identically-worded mail from the National Rifle Association or Gun Banners Incorporated, and either one of them get more attention than pre-printed postcards with some special interest's message. Telegrams cost money, so also get more attention; faxes are cheap and easier to automate, so they get less.
Email requires much less effort to send, even if it's not spam, so there tends to be more of it. Therefore, politicians who do use email for their work keep separate addresses from the public side, which may only get autorespondered, or may get robo-sorted, or may sometimes get scanned for Subject: lines by staff, but rarely gets read by the politician.
It's not uncommon in the US for people to filter out whitehouse.gov addresses from mailing lists, just to prevent annoying someone who has a staff that goes psycho about perceived threats, real or not. Some spammers filter out all of .gov, others don't.
Bill Stewart
lets assume we're not going to validate URLs before commencing the highest click thru rate of all time and then pretend we have an argument.
If spammers can DDoS sites the nasty ways by corrupting packets, I don't think clicking on a link sent to me in an e-mail excessively is going to raise any eyebrows.
Ben
Of course, "Rule #1" is "Spammers Always Lie", so "India" may really be somewhere else. On the other hand, India and China have had heavily regulated telecom markets and histories of corrupt business/bureaucracy practice, so while it may be a bit difficult to do high-bandwidth highly-reliable communications there, you can still get bulletproofness if the hosting center's manager's brother is politically connected and pays off the right people.
Bill Stewart
I've noticed something. I have a Hotmail account I use for people I don't want to have my real e-mail address. It used to get bombarded with SPAM. It was like bob50303, so I got nailed by every single dictionary attack. Then, Microsoft implemented something -- spam dropped off. And now it's GONE. I get something like 1 or 2 spam messages a week. Inbox is spotless.
I think the time is getting close to where spam won't pay anymore, the filters are obviously getting better and if SMTP gets revamped or replaced by something with any sort of authentication -- Spam's done.. Stick a fork in it.
Why would this be a surprise. All spammers are basically criminals. Consider that the essence of criminality is that the criminal is someone who takes an immoral shortcut towards wealth/income, which is exactly what a spammer is doing, so in essence they are criminals, even if the law where they live doesn't specify this yet. I suggest some additions to the rules:
Francis Smit
That's interesting.
The spammer must have visually mined for that information!
Damn, there is just no end to it.
> getting such cooperation is well nigh impossible
This is quite true and it'd be a waste of time trying. A better approach, surely, is to come up with a new approach (technically) and to get a nucleus of support for it and then extend this, with incentives.
For a country to join the EU it has to be democratic and meet certain standards in laundry list of areas, from human rights to food processing, corporate accounting, data protection and many other standards. EU accession is a BIG incentive for countries to clean up practices that are not up to par internationally. Compatibility and reciprocity are the guiding principles here and in many other arenas, including IP routing. So why not email?
A new technical standard that would make spam harder to send--some proposals have been publicised recently--and incentives for adoption (such as slowing or dropping all traffic from jurisdictions that haven't adopted it) would suffice.
Post cryptographically signed blacklists to usenet.
Use a throwaway account and post via google.
Need Mercedes parts ?
I've emailed the admin and, when that failed, I've deleted the user and the list receives "user unknown" messages.
Neither of those work with the lists I am talking about.
The problem isn't the extra $2-$4/month that might represent the cost of spam. That's less than six minutes of my salary per month. I probably don't spend six minutes per day dealing with spam - but I spend a *lot* more than six minutes per month between deleting the stuff and maintaining my filters and being pissed off at stupid spammers and having the volume of spam interfere with seeing my most important email quickly.
Bill Stewart
... imagining what you could do with a larger penis....
You can be open-minded and only discard mail from tags that get abused, or paranoid and only accept mail from tags you've specifically whitelisted. You can be obvious about the tags - betty@veronica.archie.com, or subtle about them - orggl@veronica.archie.com is "betty" in rot13, or cryptographic (use tags with the correct hash, so you can robo-check them, or longer tags with elliptic-curve signatures), or creative (Annalee Newitz uses a different username at techsploitation.com on each of her newspaper columns). And of course you can seed your web pages with spammer bait, so any person or machine that sends mail to stupidharvester@username.domain.com gets blacklisted.
My comment about crypto being overkill comes from a perspective of ten years of hanging out with the Cypherpunks, and doing crypto for years before that. There are other ways crypto can be useful - Adam Back's Hashcash work (and Microsoft's recent Penny Black stuff), Digital Signatures on email to reduce forgery, or simply requiring all email to you to be digitally signed or encrypted or both because that's too much work for most spammers. You could use it to build traceability, but that's not always good, and making it mandatory, centralized, and universal is very very bad from a civil liberties perspective as well as probably unworkable.
Bill Stewart
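The "cryptographic tags with the correct hash, so you can robo-check them" variant above, which is also the stateless token Kjella described earlier in the thread (server verifies without storing it; a rejected token doubles as an unsubscribe), as one added example that is not either poster's code. Layout is Bill's: `label-<mac>@user.domain`, where the MAC is an HMAC over user and label under a server secret, so a spammer who buys the address cannot mint a sibling tag, and the only state the server keeps is the revocation set. Secret, domain, user and label are constructed for the demo.

```python
import base64
import hashlib
import hmac


class TaggedAddresses:
    """Stateless tagged addresses. issue() is pure computation, route() recomputes the
    HMAC from the address itself, so no table of issued tags is needed; revocation is
    the only state, and a revoked tag answers 550 so a list treats it as unsubscribe."""

    def __init__(self, secret, domain):
        self.secret = secret          # assumption: server-side key, never sent to lists
        self.domain = domain.lower()
        self.revoked = set()

    def _mac(self, user, label):
        msg = f"{user}\x00{label}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return base64.b32encode(digest[:10]).decode().lower()   # 80 bits, 16 chars

    def issue(self, user, label):
        """Address to hand to one correspondent or list, named by `label`."""
        user, label = user.lower(), label.lower()
        if not (user.isalnum() and label.isalnum()):
            raise ValueError("user and label must be alphanumeric")
        return f"{label}-{self._mac(user, label)}@{user}.{self.domain}"

    def revoke(self, user, label):
        self.revoked.add((user.lower(), label.lower()))

    def route(self, rcpt):
        """MTA decision for an incoming RCPT TO: (smtp_code, real mailbox or reason)."""
        local, _, host = rcpt.strip().lower().rpartition("@")
        user, dot, dom = host.partition(".")
        if not dot or dom != self.domain:
            return 550, "not a tagged address for this domain"
        label, dash, mac = local.rpartition("-")
        if not dash:
            return 550, "no tag"
        if not hmac.compare_digest(mac, self._mac(user, label)):
            return 550, "bad tag (forged, guessed or mistyped)"
        if (user, label) in self.revoked:
            return 550, "tag revoked; treat as unsubscribe"
        return 250, f"{user}@{self.domain}"


if __name__ == "__main__":
    svc = TaggedAddresses(b"constructed-demo-secret", "example.org")
    addr = svc.issue("betty", "Slashdot")
    print(addr, svc.route(addr))
    svc.revoke("betty", "Slashdot")
    print(svc.route(addr))
```

Because the label is in the clear, the user can see at a glance which correspondent leaked an address, and the server can blacklist the leaking tag without touching any other; an 80-bit MAC truncation is plenty here since an attacker gets one online guess per SMTP transaction, not an offline search.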
I have a small non-profit website, and for the past year or so HotMail and AOL have refused to accept mail from it because I use dynamic DNS.
I understand the reason for them to be suspicious of dynamic DNS address ranges, but a complete blockade of all such e-mail is a big PITA.
And, yeah, I have good reason for not using a real hosting company - every one I chose went out of business. At this point, I'm still waiting for the other shoe to drop on FeaturePrice.
Clear, Dark Skies
You're not going to sell this CD to Alan Ralsky or his ilk, the professional Florida ROKSO members or the newer mafiosi who run their own harvesters (you'll leave attractive-nuisance web pages around for them :-) This kind of product is designed for the Gullible Bottom-Feeder spammers, the anklebiters who think they'll Make Money Fast by buying a CD from the big professional spammers. That means they'll either see your ads and believe them, or they won't, but they won't have the clue about how to ask around for other spammers who've bought your fine product and are now in jail or court or bankruptcy or buried in paper junkmail or keep getting their single-wide trailer windows broken, plus you'll have had fun taking them for $39 and any other optional services you've sold them, like "bullet-proof hosting" and "spam-free bulk email delivery ISP services" .
For the slightly brighter potential spammers, word may get around faster (e.g. it shows up in Google next to your ad), but that's ok - any meme that says buying cheap spamware is dangerous is a Good Meme. The problem is making sure that *you* are hard to trace, because the guy in the singlewide trailer may have a doublewide baseball bat, and the slightly brighter spammer may have a kid brother who's a 31337 Skr14t K1dD13 who can annoy you as well.
The other problem, of course, is how to reach your potential customer base, other than by spamming... Google's a start.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I tried to use evite.com to send out invitations to my holiday party - and either people are making lame excuses or a full third of them never got the invite.
I can only assume that spam filters blocked the invitations before they ever saw them.
Clear, Dark Skies
But the real purposes of the whois information are working contact information when your system's broken or spewing. Phone numbers are helpful because if your DNS or email is broken, then sending you email often doesn't work. Street address information is useful if the registrar wants to send you paper bills, but that doesn't need to be public.
ICANN has been pressing for whois information to require True Names, ICBM addresses, and Subpoena-delivery addresses because they want anybody to be able to drag you into court over domain name trademark issues, and if there's no way to determine _your_ legal jurisdiction, somebody might try to sue them or the registries or registrars instead, plus different jurisdictions have different rules about trademarks. (Remember that the only IP that ICANN cares about is Intellectual Property, not Internet Protocol.) But that's just tough - they could just as well make a rule that says that you need to provide a working email address, and that if you don't respond within X days, they can give away your domain name to any reasonable-sounding claimant, and tell you what court or arbitrator to go to if you want it back.
RIAA and MPAA are pushing ICANN to include True Names and legal jurisdictions because they want to sue your ass if anybody thinks about sharing music on anything you own. The US Department of Homeland Security wants the whois records to include your blood type, DNA records, retina scans, fingerprints, and US Not-Known-To-Be-A-Terrorist-Or-Democrat-Yet permission slip, because John Ashcroft wants to be able to burn *you* at the stake and not just your domain name contract, just in case your web site has pictures of that Department of Justice statue with the bare breasts that he covered up. Lots of other people have reasons they'd like to get your marketing information from your whois records.
But that's not what domain names are about. Domain names are about giving ways for you to publish information on the Internet where people can find it, and to provide contact information for people who you want to be able to reach you. They're a technical tool for doing that, and whois records are a technical tool for maintaining them. They can be an important privacy tool if you want privacy, or an important publicity tool if you want publicity. If you want to publish your political rants on "www.federalist-papers.org" the way the original authors pseudonymously published theirs on dead trees, that's a critical part of freedom of speech. If you want to publish your Falun Gong religious rants on the net and not have the Chinese government censor you or hunt you down and throw you in jail, or hunt down the people who read them, that's your right too.
Privacy is much more important than stopping spammers, annoying as they are. Stop spammers with technical tools, or stop spammers by changing the economics that lets some of them profit, or stop spammers with baseball bats for all I care, but don't say it's ok to mess with our civil rights as collateral damage.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I run a small ISP. 50% of my bandwidth bill is to receive spam. I don't even care about the hours a week I spend ignoring or deleting it, but I do object to the theft of my resources most strenuously.
Need Mercedes parts ?
"71532.4532@compuserve.com" is a message ID. Plenty of spam bots will go ahead and parse anything with an @ sign in it. I started to receive a few of these a couple of years ago.
Now my system bounces about 20 a day to message IDs (which are encoded in the form of msgid@server.addr) because I run several mailing lists with publicly searchable archives. The email addresses themselves (though not those in the body) are automatically hidden by Mailman, but it doesn't do anything to cloak message IDs, which spam bots will harvest.
Spammers are scum. Fucking scum. They choose to not operate within the rules of a polite society, and thus deserve none of the privilege of a polite society. They need to be in jail with all the other criminals.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Eric Idle just had his Greedy Bastard tour, he had something to say about spam. It went something like this: "I keep on getting Spam. Particularly about penis enlargement. I responded to every single one. I now have a nine foot penis. I also get Spams about refinancing my home. And if there's one thing that will shrivel your dick up it's thinking about your mortgage. Which means I need more penis enlargement pills, and more viagra to fill it up again!"
Have each mail server sign the email with a PGP signature. The next mail server that receives it verifies the signature against a database of allowed mail servers. If the message fails verification, it is dropped and nobody ever sees it.
This would at least make it impossible to forge an email, which is what a spammer needs to hide behind.
Now, I know that this would require some major re-vamping of the internet. Just the amount of CPU power to sign a billion emails a day would be monolithic. But then if spam were eliminated from the pool of emails, the amount of signing would be reduced to a few million a day, if not fewer.
It's so simple. All you need is a pistol and a disk; systematically go to every mail server on earth and force the administrator(s) to replace their crappy SPAM-compliant mail software with the new software.
Lord_Alex
How much work could a network work if a network could net work?
The numbers in front of some of the usernames are the telephone numbers of these politicians. This makes it more than clear that spammers do not work very accurately, nor with decency.
I hope Rejo was decent enough to change the numbers before publishing them on the 'net.
-- Cheers!
Put a "key" in the subject, like _Key_id_ or _OK_This_is_my_new_id
:) )
If your SMTP server receives that email, it checks in a database for your key; if it is the same as the one found in the subject, the email is not spam. If your friend loses your key, he receives an email back with your id, and then he resends you the email with the right key.
If you think, "well, but some spammer will get my key", simply change it; your authentic email senders will get your actual key because the SMTP server will send them your id to a "valid" email. So this is the way to stop all spammers, or at least to make the work very frustrating for them (as one can change his key at any time; also they must have an account with more than 1000 MB to get all the new keys, but the keys will keep changing again, so making a bot for it is very hard work).
I think this is the solution for that, and I am really happy to be the author of it.
(Note, I saw an idea of a public key, but that sounds very hard for ALL users around the world... a simple validation key such as "hello" or "it's me!" is more (really more) easy to do; also the resending of the key by the SMTP server to authenticated email addresses makes it simple, and your friends without your "public key" will not lose contact with you....)
Well, that's all for now... good luck! And I will be happy if my method gets implemented in the near future... (I said my method, because it is an original idea from me... I don't know if somebody had this idea in the past... and I really don't care, as I didn't steal my idea from others
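The subject-line key scheme from the comment above, as an added example that is not the commenter's own code: the receiving server looks for the current key in the subject, accepts on a match, and otherwise bounces. The token format `_Key_<value>_`, the key length, and the decision to put the new key only in bounces to already-known correspondents are assumptions made here, not things the comment specifies.

```python
import re
import secrets

# Added example (not from the original page). Token format and the known-sender
# list are assumptions; the comment only says "put a key in the subject".

KEY_RE = re.compile(r"_Key_([A-Za-z0-9]+)_")


class SubjectKeyFilter:
    def __init__(self, known_senders):
        self.known_senders = set(known_senders)  # assumed: people we have mailed before
        self.key = self._new_key()

    @staticmethod
    def _new_key() -> str:
        return secrets.token_hex(4)  # 8 hex characters: typeable, not guessable

    def token(self) -> str:
        return f"_Key_{self.key}_"

    def rotate(self) -> str:
        """Change the key; correspondents learn the new one from their next bounce."""
        self.key = self._new_key()
        return self.token()

    def check(self, sender: str, subject: str):
        """Return (verdict, bounce_text); verdict is 'accept', 'bounce' or 'reject'."""
        m = KEY_RE.search(subject)
        if m and secrets.compare_digest(m.group(1), self.key):
            return "accept", None
        if sender in self.known_senders:
            # Known correspondent with a stale or missing key: the bounce carries the current one.
            return "bounce", f"Resend with {self.token()} in the subject"
        # Unknown sender with no valid key: bounce without the key, so a harvester
        # that just spams every address does not get it for free.
        return "reject", None
```

`compare_digest` is used so the key comparison takes the same time whether the first or last character differs; with an 8-character key that is a small point, but it costs nothing.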
Kind of xml or some shit like that...
I have to say I agree completely. As you say, the willingness to get charged is an asset, and geeks in many countries are facing stronger and stronger laws against this kind of action. Anyone know any good hackers in countries that can't be touched by your laws? If all of this spam that comes through Asia or wherever can happen because "we" can't touch them, why can't the reverse happen?
How about a Ralsky bounty? How about a $10K (or whatever) kitty to pay to the keen fellows who take him and his cohorts down? Given the amount being spent on filtering, bandwidth, and support issues, even the big boys could find a way to divert some cash to a needy cause.
Sometimes you have to fight fire with fire.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
Donate free food here
Which will get their attention.
Simpler solution:
What's really missing is accountability, notice earlier comments that say "9 out of 10 spams are untraceable." I'm writing an email server that works as detailed below.
In short, Only send 80 char max notifications, and make the sender keep the email on their own server for the receiver to go get by himself.
The problem with spam is that once it's in the system, it's totally trusted, and the system bears the cost of transport and storage.
If you shift the cost to the sender, spam won't be economically viable.
If spammers have to hold spam on their own servers, the servers will quickly be found out and blacklisted.
The greatest benefit is that real geeks like us will shut down or blacklist a spam server before grandma and joe q. public do their weekly email check.
Q: What about Spammed Notifications?
A: will still be an improvement over full spam emails, and takes a lot less time to download.
Q: Will mailing list servers require lots of extra space?
A: not if you treat them as mailing list archives as well.
Q: How does this work for the average user that has an account with an ISP?
A: You send your email to your ISP via SMTP, just as always. Your email remains there on the server, and the server sends a notification to the final destination. The final destination then chooses when it wants to pick up the mail from the ISP's server.
As for receiving email, your client will need to pick up from many different POP3 servers, rather than just picking up from one as now.
User Stories:
A Spammer registers an account with an ISP, and sends lots of Spam.
Result: That spam remains on the server until the spammer uses up their storage quota and flags the sysadmin (who should immediately kill the account and any non-picked up spam)
Or the public blacklists list the user@host once the first few spams have been picked up, and that user@host is not accepted by clients that check blacklists.
A spammer sets up their own server, and sends lots of Spam.
Result: the server is listed in the public blacklists, and is not accepted by clients that check blacklists.
A spammer tries to forge an email sender.
Result: your client can't pick up an email from a server that doesn't exist.
Shae Erisson - ScannedInAvian.com
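The notify-then-fetch model described in the post above, walked through as an added example; this is not Shae Erisson's server code, and the host names, the quota size, the notification format (`sender message-id`) and the blacklist contents are constructed for the example. It runs the three user stories: a spammer with an ISP account hits the quota and the admin kills the queue, a blacklisted sender is never fetched, and a forged origin has no server to fetch from.

```python
# Added example (not from the original page). Hostnames, quota and the
# notification layout are assumptions; only the 80-character limit comes from the post.

NOTIFY_MAX = 80


class SenderServer:
    """Holds a user's outbound mail until the recipient comes to fetch it."""

    def __init__(self, host: str, quota_bytes: int):
        self.host = host
        self.quota = quota_bytes
        self.store = {}       # message id -> body
        self.used = 0
        self.flagged = False  # set when the quota is exhausted: the sysadmin's cue
        self._seq = 0

    def submit(self, user: str, body: str):
        """Queue a message; return its id, or None once the quota is full."""
        if self.used + len(body) > self.quota:
            self.flagged = True
            return None
        self._seq += 1
        mid = f"{self._seq}.{user}@{self.host}"
        self.store[mid] = body
        self.used += len(body)
        return mid

    def fetch(self, mid: str):
        return self.store.get(mid)

    def kill_user(self, user: str) -> int:
        """Admin action: drop everything the user has queued; returns the count removed."""
        doomed = [m for m in self.store if m.split("@", 1)[0].endswith("." + user)]
        for mid in doomed:
            self.used -= len(self.store.pop(mid))
        return len(doomed)


def notification(sender: str, mid: str) -> str:
    """The only thing sent unsolicited: 'sender message-id', at most NOTIFY_MAX chars."""
    note = f"{sender} {mid}"
    if len(note) > NOTIFY_MAX:
        raise ValueError("notification too long")
    return note


class Recipient:
    def __init__(self, network, blacklist):
        self.network = network          # host -> SenderServer we know how to reach
        self.blacklist = set(blacklist)  # user@host or host entries

    def receive(self, note: str):
        """Handle one notification; return (outcome, body_or_None)."""
        if len(note) > NOTIFY_MAX:
            return "dropped", None
        try:
            sender, mid = note.split(" ", 1)
            host = mid.rsplit("@", 1)[1]
        except (ValueError, IndexError):
            return "dropped", None
        if sender in self.blacklist or host in self.blacklist:
            return "blocked", None       # never even fetched: no bandwidth spent
        server = self.network.get(host)
        if server is None:
            return "unreachable", None   # forged origin: there is nothing to fetch from
        body = server.fetch(mid)
        if body is None:
            return "gone", None          # admin killed the queue before we got there
        return "delivered", body
```

Note what moves where: the full body only ever travels when the recipient asks for it, so the transport and storage cost sits on the sender's server, which is the point the post makes about shifting the economics.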
Right now, that seems pretty true. Spammers aren't all that creative, they get in the business because it's quick money. Every once in a while, someone comes up with a new trick. My filter responds beautifully.
But I worry that eventually, some companies that advertise via spam will learn to speak in a human voice. Surely this is possible for some products or scams. Advertisements don't have to look like advertisements, especially if they are only trying to pique your interest in a product that you will then go buy (or vote for) offline.
Some try now, but there still has to be something that conveys the message. Is there a phone number? Good chance of spam. They'll still have to use certain words or phrases that can be keyed on. If they try something really strange...well, that won't look like normal email.
Basically, advertisers adapt. A parallel example: If we get too good at zapping TV commercials with our TiVOs, they'll switch to more insidious product placement in the shows, so that the commercials are indistinguishable from the content.
But that's a bit different - TV is serving me my content, and if they put the ad in the content I can't avoid it. Unless spammers find a way to put spam in emails from my friends, that won't work. Ultimately, the anti-spam crowd simply puts more energy in the fight. Spammers simply want to make money. Anti-spammers are more zealous about it.
Spam might eventually come to resemble a bigger form of junk snailmail, or telemarketing -- where there are lots more advertisers but each one does a better job of targeting to a smaller list of customers (thanks to database companies like Experian).
Outside of the whole invasion of privacy thing, I'd call that a victory.
In the long run, I think we have to solve spam in the email architecture. I've always thought hashcash was the most promising idea, and it is now being pursued at Microsoft Research. There are also more radical proposals like Tripoli.
Problem is, that's something that can only be done as a standard, which means the list of groups that can do it are governments, AOL, and microsoft. The rest of us need to focus on things we can do to put these assholes out of commission, or at least make sure we never see their filth.
-Looking for a job as a materials chemist or multivariat
What if... the 700,000+ people on /. donated $10 each to an anonymous PayPal account (or equivalent), and put a million dollar bounty on the heads of the 7 biggest spammers? (Maybe we'll get a bulk discount & they'll do 10 :o)
...hypothetically, of course :o)
There has to be somebody out there who would take the job - bullets are cheap, and in this day & age murder's easy (ask OJ Simpson, Clinton, etc.) Christ, AOL would probably give you a medal.
There's an idea... get AOL, MSN, etc to sponsor it... it would be a step up for them, morally speaking, and they would have economical justification. They legally have to do as much for the shareholders as possible...
With the 7 biggest spammers gone, half my mail box goes too... and the rest of the spammers start to look slightly nervous...
This isn't flamebait. It's just a question. The morally righteous should just pass on & pretend they didn't see it...
3deaedb7.3050209@thock.com's not an address, it's a message ID. My server blocks many emails that contain a TO of these message IDs. This means my point's still valid, because the majority of emails of that form today are sniffed up message ids. You're just an asshole.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
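Both the comment about Mailman archives leaking Message-IDs and the reply above describe the same server-side check: a public list archive exposes Message-ID values that look like addresses, harvesters scrape them, and the list server then sees mail addressed to its own Message-IDs. The following added example, which is not either commenter's code, learns those IDs from the archive and refuses them at RCPT TO time. The two archived messages and the user list are constructed; the `user at host` form mimics Mailman's address hiding.

```python
import email
from email import policy

# Added example (not from the original page). The archive is constructed sample
# data; a real deployment would scan the list's actual archive files.

ARCHIVE = [
    """From: alice at lists.example.org
To: talk at lists.example.org
Subject: [talk] meeting
Message-ID: <20031215103000.4a1b7f@lists.example.org>

see you at 10
""",
    """From: bob at lists.example.org
To: talk at lists.example.org
Subject: Re: [talk] meeting
Message-ID: <3f1c2a9e.7040305@mx.example.org>
In-Reply-To: <20031215103000.4a1b7f@lists.example.org>
References: <20031215103000.4a1b7f@lists.example.org>

fine by me
""",
]


def harvested_ids(archive):
    """Every Message-ID-shaped string a harvester could scrape from the archive's headers."""
    ids = set()
    for raw in archive:
        msg = email.message_from_string(raw, policy=policy.default)
        for header in ("Message-ID", "In-Reply-To", "References"):
            for value in msg.get_all(header, []):
                for token in value.split():          # References can hold several ids
                    ids.add(token.strip("<>").lower())
    return ids


class RcptFilter:
    """SMTP-time recipient check for a host that also serves a public list archive."""

    def __init__(self, local_users, archive):
        self.local_users = {u.lower() for u in local_users}
        self.bogus = harvested_ids(archive)

    def rcpt_to(self, address: str):
        """Return (smtp_code, text) the server would reply to RCPT TO:<address>."""
        addr = address.strip("<>").lower()
        if addr in self.local_users:
            return 250, "2.1.5 ok"                  # a real mailbox wins even if the strings collide
        if addr in self.bogus:
            return 550, "5.1.1 recipient is a Message-ID, not a mailbox"
        return 550, "5.1.1 no such user"
```

Rejecting at RCPT TO rather than after DATA keeps the spammer from getting the body onto the server at all, which is the bandwidth the small-ISP comment above is paying for.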
Why do I hardly ever get spam? I think it is a little like me and anti-virus software: I've never needed it, because I'm CAREFUL. Don't open or sign up for every goddamn thing on this planet, and you'll be fine. Get a better e-mail address or something. Geez!
If you're on that jury, remember that it only takes one person to block a guilty verdict. Should you believe that fucking up a spammer is NOT a crime, you can stand up for your beliefs where it counts.
For more information, google on "jury nullification" and "Fully Informed Jury Association". This doctrine is something that judges, prosecutors, and defense lawyers will NOT explain to you.
I suspect that an epidemic of violence affecting spammers selectively would be discouraging. The only motivation for spam is profit, and if one is at the very bottom of the Pit (insert equivalent according to your religion), spending one's profit isn't really possible.
Tech Public Policy stuff
There's a database of spam that can be used for training your filters that has a lot more than 10,000 spams in it. ...tune to the spam on whose mailing lists I happen to fall, and to my own global ratio of spam/ham. Skewing either of those in a Bayesian system isn't so great an idea.
-Looking for a job as a materials chemist or multivariat