Slashdot Mirror


What You Get When You Buy a Spam CD

defender writes "Recently over here in The Netherlands, the spam versus anti-spam 'war' has hardened. More professional spamming coming from a handful of hard-core spammers utilizing bulletproof hosting in India, chained open proxies, more and more false whois information, etc. One of the more known anti-spam people has been sent one of the subjects of those spams: a CD with millions of e-mail addresses of 'individuals' and hundreds of thousands of 'businesses'... Rejo Zenger has done an analysis of such a CD, which is fuelling new debate as to why the recent EU anti-spam directive was weakened because of businesses complaining or indicating that spam wasn't a big issue for them."

39 of 518 comments

  1. Re:Spammers are beginning to organise by svanstrom · · Score: 5, Insightful

    Sadly the bad guys can DDOS the good guys, but the good guys can't (easily) DDOS the bad guys... at least not without either using the tactics of the bad guys, or getting caught... =(

    --
    perl -e'print$_{$_} for sort%_=`lynx -dump svanstrom.com/t`'
  2. No surprises here by John3 · · Score: 4, Insightful

    Is anyone surprised that the 10 million promised addresses boils down to less than 7 million after removing duplicates? The article is interesting in terms of statistical analysis of the data (especially the fact that a number of abuse and postmaster addresses are in the email database), but I don't think anyone expected quality email lists from spammers.

    On the other hand, why would someone sending spam care too much about the integrity of the data? You're still getting over 6 million email addresses. So several million messages bounce...does the spammer care?

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
    1. Re:No surprises here by oobar · · Score: 2, Insightful

      In my opinion it's no mistake that the product this spammer was selling was of very low quality. Spammers' best resources are their lists. If you could shell out 50 or 300 Euros (or whatever he said the price was) and get a quality list of 100% valid, working, non-role email accounts then suddenly the value of all those lists just went down. In other words, if you're going to sell these CDs it's in your best interest to include the lowest-quality data that you have available. I'm sure there are some idiots out there that will try to buy these things and send directly to the lists without removing duplicates and role accounts, etc. But these people will obviously not have great results, and they may even be caught and booted from their ISP quickly if they spam a lot of role accounts. I have to believe that the *good* spammers out there have realized that it's in their best interest to remove invalids, dupes, abuse desks, role accounts, etc. In other words if you can sell these CDs with such low quality data then why not? Why sell your "trade secrets" when you can sell the unrefined sludge that is the raw output of your poorly written harvester robots?

  3. Re:Why? by allism · · Score: 4, Insightful

    You can't PROVE intent with one of these CDs. If I have a pound of marijuana on my kitchen table, the odds are good that someone is gonna use it in an illegal manner. It's not illegal to have e-mail addresses, though, because they can be used for something legitimate (i.e. research, as the author of the article did).

  4. Re:/dev/random CD for sale! by wytcld · · Score: 5, Insightful

    The /dev/random method is world renown[ed]

    You joke, but this algorithm was sufficient for human evolution. (Hmm, spam as sperm?)

    --
    "with their freedom lost all virtue lose" - Milton
  5. Selling e-mail addresses shouldn't be illegal by amichalo · · Score: 5, Insightful

    I can't stand spam and won't use it in business practices, but I don't think it should be any more illegal to sell a CD with aggregated e-mail addresses than it should be to sell a phone book CD with telephone numbers. There is value added in the indexing and providing of tools to manage so many addresses.

    What should be illegal is selling generated, known to be false, addresses. This is basically false advertising.

    What should also be illegal is bulk mailing to people who do not subscribe to a service. We need better mail servers that optionally require a "key" to receive mail, otherwise it goes straight to "File 13".

    Sadly, all this bulk mail, even if "bounced" back to the sender, uses tons of bandwidth and is ultimately a tremendous waste of everyone's time.

    Unfortunately, all this Spam would stop if people STOPPED BUYING FROM THE SPAMMERS, but even if 0.0001% of recipients say "yeah, I DO want a larger ... organ" and patronize the spammer, then the spam will continue.

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
    1. Re:Selling e-mail addresses shouldn't be illegal by Golias · · Score: 2, Insightful
      My theory is that the whole industry is built of fraud.

      I can't believe that anybody is actually making money selling "herbal viagra" via spam. There are only so many people suffering from E.D., and most of them care enough about their little soldier that they are not going to gamble on "alternative" treatments when the real stuff is perfectly affordable and readily available at the pharmacy. There's just no money in this sort of scam for the person who's trying to do the selling...

      However, the pyramid scheme that they joined and told them they would get rich doing this is making money off of their greed, as is the spamming company who said they could reach "millions of Internet users" with news of their product. Also, the people selling addresses to the spammers who sell the idea to the sucker at the bottom of the pyramid are making money selling fake addresses. ISPs who turn a blind eye towards abuse until they get blacklisted and start up a new ISP under a new name are making money off them too.

      The problem is not the 0.01% of people who buy from spammers. Think about it. If you are selling a product that will only make you about $50 a year per customer, and have to spam 10,000 people (and go through all the additional trouble of hiding from the many anti-spam vigilantes out there like us who love nothing more than to ruin the day of a spammer) for each customer you get, there's no way you are actually turning a profit. However, if you are suckered into trying, you might spend hundreds or even thousands of dollars on spam services in the attempt. You, the would-be Herbal Viagra King, are the real customer of the spam industry, and the one who is feeding the machine.

      --

      Information wants to be anthropomorphized.

    2. Re:Selling e-mail addresses shouldn't be illegal by schon · · Score: 2, Insightful

      If no-one ever responded to spam, then there wouldn't be anyone willing to pay to have it sent on their behalf!

      Wrong. Totally wrong.

      Even if nobody ever responded to spam (and there really is no hard evidence that anyone does) spammers would still be able to find victims, because there are people who believe "well, they wouldn't be sending it if it didn't work."

      Spammers are con men. They con victims into believing that spam is effective, regardless of whether it's effective or not.

  6. I'm not sure this is a good idea... by mpath · · Score: 5, Insightful

    Pointing out spammer's mistakes and helping them evolve/correct the problem.

    --
    I'm not sure what the secret to success is, but the secret to failure lies in trying to please everyone -Bill Cosby
  7. Re:I wonder by Anonymous Coward · · Score: 2, Insightful

    Spammers put email addresses in their own lists and lists they sell. The first is so they know how far through their software is in spamming out. The second is so they know who is distributing their email list without approval.

  8. why the recent EU anti-spam directive was weakened by Anonymous Coward · · Score: 1, Insightful

    why the recent EU anti-spam directive was weakened

    Because like prOn, spam produces huge amounts of money from the internet. Getting 100+ spam/day assures me that there is still a lot of money to earn from spam. And where a lot of money is to earn there is a lot of power involved (lobbying, etc.).

    Deal with it. Spam will never go away. Spam might increase the infrastructure of the internet (well in india, etc.), but it will never go away.

    Just install Mozilla and give the Junk Mail feature a try. Every other action is a laugh.

  9. Nothing New About This ... by strelitsa · · Score: 5, Insightful
    "Millions" CDs are nothing new under the sun. Spammers have been using "dirty" lists since ARPANET days, and they merely turn "just hit delete" sheeple into raving anti-spam activists.

    As for the author's assertion that the "bulletproof" spam hosts are in India, I give you ... China, Brazil, most of the Pacific Rim, as well as clueless/malicious providers such as Level3, Wanadoo.fr, etc. I can count the number of spams I've received from Indian sources recently on one hand, while the Chinese/Brazilian spam numbers in the tens of thousands.

    --
    No mod points, no meta-moderating/Firehose/all the other free work Slashdot wants me to do.
  10. Re:/dev/random CD for sale! by the+gnat · · Score: 4, Insightful

    No, he's right - evolution is not random. The process by which mutations occur is, but they are under heavy selective pressure and those which are propagated are not truly "random". This does not mean that evolution has some guiding direction (although you often hear sloppy terminology used, e.g. "evolution designed this organism to blah blah blah"), only that the process by which mutations are incorporated is based on a complex set of mathematical/chemical/biological rules.

    To return to the /dev/random joke, this would be comparable to evolution if you only accepted strings that had a valid TLD in them (as well as the proper form of email address), and then filtered them to leave only those where mail delivery was successful. Which is more or less what spammers already do with Hotmail and Yahoo.

  11. Could someone explain to me the problem with spam. by Anonymous Coward · · Score: 1, Insightful

    Every spam message contains a link to somebody who is trying to make money. Why not go after the companies that the spam links to, instead of trying to trace down the spam? In other words, investigate it from the other end.

    For example: I receive a spam which suggests I link to XYZ company's website. Obviously, XYZ company is responsible for sending out the spam. Why not go after XYZ company?

    Is this too simple?

  12. This is NOT Simple by ink · · Score: 5, Insightful
    You say that this is simple, but it is not. In order to have an authoritative source for the data, one must have a named, vulnerable location to dispense it from. P2P networks function because everyone trusts everyone else, and if you download the latest Audioslave video, and it turns out to be Britney and Madonna making out, well then c'est la vie. If you download the latest blacklist, and it ends up shutting off legitimate email, then mon dieu!

    Bittorrents, for example, must have a seed site out there somewhere. This site can be taken out, and any other "official" site that mirrors it. If the data is signed, then the official sources of such signed data are vulnerable (if you need to revoke the key). The general problem of anonymizing traffic, while being able to trust the data on it at the same time, is Hard.

    --
    The wheel is turning, but the hamster is dead.
  13. Re:I wonder by pla · · Score: 2, Insightful

    The second is so they know who is distributing their email list without approval.

    To accomplish what, sue the person selling the list?

    To sue someone, you need to exist, and provide contact information. Considering that the linked article basically states that this CD of supposedly valid and unique email addresses amounts to little more than false advertising (and for the purpose of something that counts as a crime in an increasing number of places), only an idiot would out themselves over $60.

    More importantly, even if a spammer did reveal their identity in this manner, at least in the US, you cannot copyright a collection of facts (even with bogus tracer data thrown in as proof, as the case of Fred L Worth vs Trivial Pursuit proved), only the presentation thereof. A list of email addresses has no unique presentation (I doubt any court would consider a trivial means of organizing, such as putting them in alphabetical order, or as in the linked article, in geographical order, as a sufficient "presentation" to warrant protection), so a spam list seller would have very little ground to stand on in such a suit.

  14. Re:Big Evil Spammers by Anonymous Coward · · Score: 2, Insightful

    In fact, it is probably "innocent" hackers who are angry at being blocked (or script kiddies or whoever) that are doing this in retaliation for being caught in a blacklist battle between a spammer and an anti-spam group. But who knows, until the perpetrators are found and brought to justice it's all guess work.

    Here's a question: do you think the CEO of a Fortune 500 company opens and reads all of his own mail? Similarly, why should we email users open and read all of our own email? Paul Graham and others have been touting the use of learning algorithms that can tailor spam detection to our own personal needs (and when we start getting more into learning algorithms we'll see that the software agents can also classify our inbox according to mailing lists, friends/family, expected commercial mail, whatever-- and who knows once we start to get more comfortable with learning algorithms and have standard libraries for them what wonders we'll see). Once we correctly focus our energies we'll see these problems go away.

  15. Re:Could someone explain to me the problem with sp by Anonymous Coward · · Score: 1, Insightful

    Yeah, and then some guy gets the idea and runs with it and says they are from M$ or some other corp. I am not sure if half the spam I get actually originates from the company. This trick has been played before.

  16. Re:Do me a favour by Tim+C · · Score: 3, Insightful

    We'll soon see a change in the law.

    Yes - to make intentionally submitting the email addresses of such people to spammers illegal. Hell, they can probably swing it as a terrorist act - interfering with the democratic process, distributed dos attack on their email, etc.

  17. Re:How about a private-public key? by Anonymous Coward · · Score: 2, Insightful

    This is no good. Essentially, you could already view your email address as a public key -- don't publish to the world, only give it out to people you authorize email to be delivered to you.

    The problem is when you WANT to be able to receive unsolicited email (ie. from customers).

    Or when somebody you gave your public key to turns around and sells your public key to spammers.

  18. Re:Great Tutorial by vidarh · · Score: 4, Insightful
    Yeah, because finding this information is so incredibly hard, and would have taken the spammers a whole hour or two of intense work, so of course that's why they haven't done it.

    If you think this will make a difference in the quality of the lists, think again. These people are more interested in volume than quality, or they wouldn't have spent time on spam in the first place.

    The more unsophisticated spammers don't really care about the list quality, as they'll just keep accumulating addresses since sending out the mails costs them next to nothing anyway. The sophisticated spammers are more likely collecting their own lists.

    And the people selling these lists have every interest in inflating the number of addresses as much as they can get away with from their prospective customer base.

  19. Re:Spammers are beginning to organise by yaar · · Score: 2, Insightful

    Right. And when we're done with the scurvy spammers, we'll let loose on MS! We'll wipe em off the face of the internet! Why stop?!? Nigeria has it coming!

    Parent is utter bullshit. What self respecting geek approaches any problem with brute force before at least attempting alternatives?

    Spammers spam, it's their job. Our job is to come up with a technical fix, not to bludgeon mom & pop ISPs with DOS attacks.

    --
    "Nothing in education is so astonishing as the amount of ignorance it accumulates in the form of inert facts." - Henry A
  20. Poisoning the list by Confused · · Score: 2, Insightful

    As the spammers are selling the addresses by volume, you can't poison the list by adding to it. The CDs are only generated for those suckers willing to pay for it, and the more the better. None of the spammers are concerned about data quality of their products, I guess.

    And most likely, they generated some of the email addresses themselves anyway.

  21. Re:/dev/random CD for sale! by Anonymous Coward · · Score: 1, Insightful

    "Perhaps we should reclassify rapists as spammers"

    Other way around.

  22. Re:Force Registrars to do their Job Up Front by PSaltyDS · · Score: 2, Insightful

    "...require a documented verification process...

    Exactly what I was thinking of, but it would have to be enforced by generally accepted policy (maybe from ICANN?). This is the hard part. There would have to be consequences from higher level domains for not enforcing valid WhoIs records on their lower level domains. And ICANN's history does not indicate a real interest in taking the end user's side over biz interests.

    "Heck, we force one in the US for guns, among other things - a misused domain can be just as dreadful in terms of consequence."

    That's just an absurd statement. Misuse of a gun (of which I own several), or a knife, or a claw hammer, or a car, has much more serious consequences than spam ever will. Let's get some perspective here, folks!

    "I've never, ever seen a valid .biz domain. And very few valid .us domains."

    This illustrates my earlier point about enforcement from the top. The .biz registry could only be forced to maintain a valid WhoIs database by the really big boys in a position to impose consequences, or customers who don't want their .biz domain to be synonymous with "scam site". If .biz INTENDS to be the haven of scams and spams, so legitimate business customers have no sway over them, then it's back to the big guns. BTW, I use several .us sites for local and state government and school stuff, so I'm not sure what your problem is there.

    --
    Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
  23. Yep.. but it doesn't stop the SPAM from flowing... by Kjella · · Score: 4, Insightful

    ...over the years I've received exactly TWO Norwegian spams - from "Trondelag Teater" and "freewave.no". Of course, I'm pretty careful with my "official" mail, I keep various other junk accounts for other stuff. But the US spam (presumably) keeps coming in, viagra, 411 scams, mortgages, gambling, whatever. They still fill up my inbox.

    I think the only way to do it is to have
    a) hashcash payments (CPU time) OR
    b) cryptographic pass-through "token"

    The former for all the low-volume mail, where you can "afford" to burn a little CPU. The latter for mailing-lists and similar high-volume stuff, which would allow it through without paying any hashcash, but must be specifically issued (by the server, at the user's request).

    The server wouldn't need to keep a database of them, it would simply have to verify them. Yes, this is my own signature, a valid user@mydomain.tld token with the name "Slashdot". They could also be time-limited. Furthermore, the token email address should be different from the non-token email, so that I can issue them "anonymously". (e.g. the SHA hash of the real email...)

    Compromised token? Reject any further mail from that token, preferably at server (revocation database, wouldn't be that large). By default, mailing lists should take a rejected token as an "unsubscription".

    That would also allow for degrees of "blocking", not simply black&white lists.... these semi-spammy domains get higher hashcash, these highly no-spam areas get lower hashcash.

    So how would this work. Let's say I want to sign up for a slashdot newsletter:

    Subscribe
    1. Send subscription email to server, check box for "Issue token", and call the token "Slashdot".
    2. Server receives requests, generates a cryptographic token, and sends it to the list from the TOKEN address (say e.g. a hash of the real email, server has a hashmap).
    3. Server receives mail from mailing list, looks up real email based on token, verifies token, and passes it on (with proper "X-Token" header or something like that). Replies to messages with an X-Token also sent over token address.

    Unsubscribe (either due to compromised/SPAM/leaving list):
    1. Revoke token
    2. Mailing list tries to send mail, but fails on invalid token. Removes you from list. They could try again but the result would be the same.

    What information does slashdot have now? Nothing. No valid token, no valid address. No matter how hostile/compromised they got, they can't do any more damage. They can't even sell my real address to spammers.

    Having removed all "high-volume" automatic lists from the equation, we can jack up the hashcash requirement high enough that it really hurts spammers. You can finally have a SPAM policy without directly rejecting mail.

    Hell, you could even have a two-stage hashcash deal. One based on origin (before wasting bandwidth) and one after retrieving mail and passing it through SpamAssassin, with higher hashcash the more "spammy" the mail is (wasting bandwidth, but saving space in inbox).

    The only ones hurt by this are those sending mass amounts of unsolicited mail. Which are, in approximately 99,99% of the cases, spammers. If it isn't, it's mass requests to sign "save futurama/the rainforest/whatever" campaigns or similar. That much collateral damage, I'm willing to take.

    Kjella

    --
    Live today, because you never know what tomorrow brings
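    The two-lane scheme Kjella sketches above (hashcash for low-volume mail, HMAC-signed per-list tokens for high-volume lists, with revocation as an unsubscribe) is small enough to model end to end. The following is an added example, not Kjella's code or anything from the linked analysis; the domain `mydomain.tld`, the header names `X-Token`/`X-Hashcash`, the secret key and the subscription walkthrough are all constructed for the demo. The hashcash stamp follows the v1 layout `ver:bits:date:resource::rand:counter`; date freshness and double-spend tracking are left out to keep it short.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed demo values; a real server would load a random key from secure storage.
SERVER_SECRET = b"constructed-demo-secret"
REAL_DOMAIN = "mydomain.tld"


def _leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
        else:
            n += 8 - byte.bit_length()
            break
    return n


def mint_hashcash(resource: str, bits: int) -> str:
    """Lane (a): the sender burns CPU until SHA-1(stamp) has `bits` leading zero bits."""
    date = time.strftime("%y%m%d", time.gmtime())
    rand = base64.b64encode(os.urandom(6)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_hashcash(stamp: str, resource: str, required_bits: int) -> bool:
    """Receiver side costs one hash: cheap to verify, expensive to mint."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1" or parts[3] != resource:
        return False
    if not parts[1].isdigit() or int(parts[1]) < required_bits:
        return False
    return _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= int(parts[1])


def token_address(real_addr: str, label: str) -> str:
    """Lane (b): the list is given a hash-derived address, never the real mailbox."""
    h = hashlib.sha256(f"{real_addr}|{label}".encode()).hexdigest()[:16]
    return f"{h}@{REAL_DOMAIN}"


def _mac(payload: str) -> str:
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]


def issue_token(real_addr: str, label: str, expires: int) -> str:
    """Stateless token: the HMAC binds (real address, list name, expiry), so the
    server keeps no table of issued tokens, only its secret key."""
    payload = f"{real_addr}|{label}|{expires}"
    return base64.urlsafe_b64encode(f"{payload}|{_mac(payload)}".encode()).decode()


def token_id(token: str) -> str:
    """Short handle for the revocation set."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def verify_token(token: str, revoked: set, now: int) -> Optional[str]:
    """Return the real mailbox if the token is genuine, unexpired and not revoked."""
    try:
        real_addr, label, expires, mac = base64.urlsafe_b64decode(token.encode()).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(mac, _mac(f"{real_addr}|{label}|{expires}")):
        return None
    if not expires.isdigit() or int(expires) < now or token_id(token) in revoked:
        return None
    return real_addr


def accept_inbound(headers: dict, revoked: set, hashcash_bits: int, now: int) -> Tuple[str, Optional[str]]:
    """Server policy: token mail bypasses hashcash; everything else pays in CPU."""
    token = headers.get("X-Token")
    if token is not None:
        real = verify_token(token, revoked, now)
        return ("deliver-token", real) if real else ("reject-token", None)
    to = headers.get("To", "")
    if verify_hashcash(headers.get("X-Hashcash", ""), to, hashcash_bits):
        return ("deliver-hashcash", to)
    return ("reject-no-hashcash", None)


if __name__ == "__main__":
    now = int(time.time())
    revoked = set()
    # Subscribe: the list only ever sees the token address and the token.
    tok = issue_token("alice@mydomain.tld", "Slashdot", now + 86400 * 30)
    print("list sends to", token_address("alice@mydomain.tld", "Slashdot"))
    print(accept_inbound({"X-Token": tok}, revoked, 20, now))
    # Unsubscribe / compromise: revoke, and the list's next delivery fails.
    revoked.add(token_id(tok))
    print(accept_inbound({"X-Token": tok}, revoked, 20, now))
    # A stranger with no token must mint a stamp to get through.
    stamp = mint_hashcash("alice@mydomain.tld", 16)
    print(accept_inbound({"To": "alice@mydomain.tld", "X-Hashcash": stamp}, revoked, 16, now))
```

    The point the code makes concrete is the one Kjella relies on: because the token is an HMAC over the binding rather than a row in a table, verification is stateless, and the only state that grows is the revocation set, which is keyed by a short hash of the token and so stays small.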
  24. Re:Spammers are beginning to organise by the_mad_poster · · Score: 4, Insightful

    No, it's not bullshit, you're just an idiot and you have a problem with context.

    Now, if you can show me where I said anyone SHOULD do it, as opposed to the entire post which is a hypothetical question regarding what would happen if an army of hackers DID do it, I'll eat those words.

    And, please, just knock off the moralistic white-hat hacker bs. I'm sick and tired of people continuing the "play by the rules even if the rules are crooked" credo with their inflated egos and pomp. If the solution to the problem is a brute force assault, that's the solution. What sort of self-respecting geek would overlook the solution to a problem because they had a different one in mind to begin with? Mark my words: within a year Bayesian filtering will be another dead suggestion in the pile of stopgap solutions to the problem. Whitelisting is already a solution only for those few mortals who can afford to miss random / unknown contacts and don't receive enough mail to make the overwhelmingly excruciating maintenance completely offset the benefits. Blacklists are under illegal assault as we speak and nobody is lifting a finger to help them. Computers are being zombified and mobilized on a daily basis making innocent users who just want to send pictures of their kids to grandma unwitting weapons in the arsenal of anyone with a little technical skill and some ill intent.

    Hate to tell yah buddy, but the Internet is, in fact, a warzone. The technical solution is a total revamp of protocols, and it's unlikely that the implementation would be anywhere close to being construed as successful given the widespread nature of the network.

    And for those of you who've been wondering about the obvious anarchist slant to these last two posts, no, I'm not anarchist, but the Internet IS an anarchy. As a result, it's the responsibility of the clueful few to handle problems in whatever manner the majority community sees fit (including the clueless ones in the community, not just the geeks). The Internet can route around physical damage, but it can't route around social problems like spam. Trying to solve a social problem like spam with a technical solution is stupid. That's like trying to "cure" racism with pills. A strong message needs to be sent, and, unfortunately, it would appear that nobody within the bounds of the law is willing to send it.

    So, I ask again: what would happen if the community took care of the problem for them?

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  25. Friendly virus == shoot self in foot by Julian+Morrison · · Score: 3, Insightful

    The problem with the "friendly virus" approach: you're trying to install software on zillions of strangers' computers, blindfold. Assuming this is windoze we're talking about here, there are scads of different versions and subversions and patched and hacked OSes. It's a certainty that your "upgrade" will fry the OS in a fair percentage of cases, even if you wrote it without a single bug. Which you won't have done, because its first real test-run will be live.

    The first "great internet worm" was a friendly program that went haywire.

  26. Re:How about a private-public key? by Crypto+Gnome · · Score: 4, Insightful
    Of course you've just completely ignored the core problem with SPAM.

    By the time I've received an email, ie downloaded it to my local machine, it has just polluted (ie stolen/consumed the resources of)
    • my cpu
    • my disk
    • my bandwidth
    • the ISP mailserver cpu
    • the ISP mailserver disk
    • the ISP bandwidth
    • the ISP bandwidth of every ISP it transits to get across 'the internet' to me
    So, tell me again how your "solution" actually solves *any* problem?

    Repeat after me the problem with spam is *NOT* that we're unable to recognise it for the SPAM that it is.

    The problem with SPAM is the resources it steals from me and all the ISPs.

    Face it people, SPAM is THEFT, inbound SPAM steals resources from me, and resources from my ISP. In the end, I (the consumer) pay for that theft (eg increased internet access costs etc).
    --
    Visit CryptoGnome in his home.
  27. What about Rule #5? by Anonymous Coward · · Score: 5, Insightful

    The entire analysis boils down to one thing, which I call Rule #5, the King of All Rules: Spammers don't give a shit.

    They don't care who you are, what you think, what you would or would not like to receive, what sex you are, if you are a minor or not, if the address they are sending to is valid or malformed, or if you are dead. All the lying that they do and the rationalizing of their behavior exists solely because -- let's chant together -- "Spammers don't give a shit"

    The notion that a spammer should clean up a spamming CD to remove duplicate addresses or to remove role addresses at ISPs is simply ridiculous. Why spend the time? It will have zero impact on the number of sales that they make and -- chant it -- spammers don't give a shit.

    So forget all the other rules. It is a waste of time to assign qualitative analysis to the behavior of sociopaths. They want money, and they don't give a shit about how they go about doing it. Once you realize that, you will see that all the other "Rules" for spammers are superfluous and stem from Rule #5.

  28. Re:How to legally DDOS spammers by svanstrom · · Score: 2, Insightful
    If a spam message has a link to an image, let it go through and view it lots and lots of times. It's trivial to make a simple browser app that you feed URLs and it repeatedly grabs the data from that URL. Most spammers use affiliate programs so if you want to be really mean you can call the affiliated link a few million times so that they get paid nothing (or even kicked off the program for cheating) or you bankrupt the affiliate company if they don't have rules against such things. (pay per click and not pay per sale). 1 million click thrus times a few pennies per click really adds up.

    A 25KB image sent to 25 million people takes around 667GB of transfer. So if lots of people just sacrifice a few hundred megs of transfer, the spammer's servers will choke and die or the bandwidth costs will put them out of business.

    And there's nothing illegal about it.


    WRONG; you can't legally DOS spammers just by switching tools you're doing it with.

    You will very often not actually hit/hurt the spammer, so most of the time you'd hurt innocent servers/companies; and everyone knowing you're using this tool could send you e-mails making you DOS any site they want to.

    The spammer won't be kicked off the program for cheating, you'll get arrested for abusing their system by automatically downloading the same thing automatically over and over again, intending to hurt their systems and/or their users/clients.
    --
    perl -e'print$_{$_} for sort%_=`lynx -dump svanstrom.com/t`'
  29. Re:Spammers are beginning to organise by __aatgod8309 · · Score: 4, Insightful

    I'm amazed at the ability of otherwise intelligent people (well, that's the theory) to focus on the spammers at the expense of those who're really responsible for the spam - those who pay for it to be sent.

    You want to shoot the messenger? Fine. But don't forget that someone pays the messenger to send their message. Whether they are selling you something (which may or may not work), or just harvesting replies to sell to interested businesses, they are the ones to target.

  30. Re:Spammers are beginning to organise by Alsee · · Score: 4, Insightful

    Spamcop can choke and die.

    Woohoo! Lookie here! A PISSED OFF SPAMMER!
    Awwwwwwww, isn't that cute?

    They blacklist people regardless of if the user tried to unsubscribe.

    Fuck off and die. You have absolutely no right to expect people to burn up an entire LIFESPAN unsubscribing to your computer generated bulk crapflood.

    Lets assume you never spam any address more than once. Lets assume that the average internet user goes through a mere two email addresses in his entire life. Let's even forget the 600 million global internet users and assume you only e-mail the 150 million or so American internet users. Lets assume it takes an average of 5 seconds to download, review, and use the unsubscribe process.

    Unsubscribing from a SINGLE spammer:
    150 million people * 2 email addresses * 5 seconds
    = 1.5 BILLION seconds.

    One human lifespan:
    60 second per minute * 60 minutes per hour * 16 (waking) hours per day * 365.24 days per year (0.24 factors in leap years) * 71.3 years
    = 1.5 BILLION seconds.

    So each and every "unsubscribe-system" spammer can easily KILL an entire human life! Yeah, it only consumes a tiny portion of each person's life, but that does not change the fact that the final cumulative impact equals an entire human life.

    If the user is too damn lazy to use unsubscribe it's our fault?

    Lazy - that's a real hoot! He had to work to file a complaint against you. That takes quite a bit more time and effort than simply clicking an unsubscribe link.

    That proves there's an error in your mental perception of the situation. You are trying to place the blame on people who are "simply too lazy to unsubscribe". THEY are not the problem, and THEY are obviously not lazy, or they wouldn't be making the effort to cause you trouble. They make that effort because YOU and YOUR COMPUTER are causing trouble for THEM with computer generated bulk messages that need to be dealt with BY HAND. You burn up a few milliseconds of computer time to generate each message, messages that cumulatively burn up hours, days, years, or decades of human time to deal with.

    YOU should not be burdening MY TIME with computer generated bulk mail unless I specifically requested it from YOU. NO stupid-ass games constantly trying to shoe-horn people onto global "opt-in lists" to sell around the planet.

    If I want your bulk mail then *I* will give you my address, and I will give it to you for FREE!

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  31. Re:Spammers are beginning to organise by Ed+Avis · · Score: 2, Insightful

    For every one 'techno-competent' Slashdot reader who attacks the spammer, there will be ten who get fooled by a Joe job and attack some innocent party.

    --
    -- Ed Avis ed@membled.com
  32. Re:Spammers are beginning to organise by the_mad_poster · · Score: 3, Insightful

    Shooting the proverbial messenger is just fine when the problem is the message itself. Shooting the messenger only becomes a problem when you don't want to hear a message about a DIFFERENT problem.

    Of course, in this case, I have no problems with shooting the messenger AND the person who sent him...

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  33. You are misunderstanding... by joto · · Score: 2, Insightful
    But one wonders if tools can't easily be written to remove basic patterns of that sort ... a simple substitute (or regex, whatever) would cleanse quite a few addresses, especially on UseNet..

    They probably can. And they are probably already in use by some spammers. No big deal here.

    Why is this worth it? Playing devil's advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances?) and thus the spam would be more "directed"?

    This isn't how spam works. You only care about target groups when it costs you money to reach people. The cost of sending spam is, for all practical purposes, zero. Thus, you don't care about target groups, instead you spam as many addresses as possible.

    And as proven by the article, spammers don't care much about duplicates, abuse-accounts, etc.. either. By the time you have spammed a zillion people, your ISP will know about your spamming, regardless of whether you spammed their abuse-account yourself, or someone else notified them.

    Along those lines, how much longer before someone just hires a high-school kid to manually "collect" addresses? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..

    That would raise the cost of spamming enormously. The high-school kid would want $10/hour, and could probably be expected to do 5-10 addresses/minute, meaning you'd pay up to 3 cents per address. This is 4 orders of magnitude higher cost than the CD in the article.

    It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought? If it's per item, then there is a good incentive to cleanse, I'd think..

    There are all kinds of silly models for spammers to get their money. But if anyone is stupid enough to pay spammers per mail sent, they can expect to go bankrupt soon. As a spammer, I could then send emails to dummyacct000000001@hotmail.com, dummyacct000000002@hotmail.com, and so on, and still get paid.

  34. Re:Spam Prevention? by pjrc · · Score: 2, Insightful
    Your SMTP server gets a piece of mail. It notes the IP address and the mail-from header. Your SMTP server does a lookup. Does the mail-from domain correspond to the IP address that said HELO? This gives you a hunch whether or not a message is fake.

    This is almost exactly what SPF (and RMX and DMP) actually do. With SPF, your server makes a query to the claimed from domain and asks HOW to test if the IP number is an authorized sender. Many different methods are defined by SPF, and if any of the ones returned in the query match, then the message is legit.

    Next, your SMTP server tries to open a connection to the IP that said HELO and tries to send a message to the address in mail-from. If it gets "no such recipient" then assume the message is spam.

    This definitely will NOT work. Many sites transmit email from different IP numbers than where they receive it.

    It would use more bandwidth, opening all those sessions to see if recipients actually exist, but once you've done it once the results can be put in a lookup table.

    That would be redundant, since the queries are all by DNS, and the local nameserver (should be) already caching the result.

    Whitelists and blacklists would be created. Bandwidth cost would be high at first, but as more IPs are logged, and mail-from rcpt-to pairs are sorted, the cost would decrease.

    The cost is already minimal. DNS doesn't use much bandwidth.

    But whitelists and blacklists will definitely be needed....

    Once many sites are verifying the from header matches an IP number that the claimed domain says is authorized to transmit email, spammers will simply register lots of disposable domain names, and return SPF results that say whatever proxy or compromised IP number they are using is authorized for that domain.

    So real-time blacklists and whitelists of domain names will be needed to reject spam.... if SPF becomes widely deployed and spammers adapt to it.
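
    The SPF evaluation pjrc describes (query the claimed domain, test the connecting IP against the mechanisms the record returns) together with the follow-up caveat that a disposable domain can publish a record authorizing any IP, as an added example that is not from the original thread; the records and the domain blocklist are constructed stand-ins for DNS TXT lookups and a real-time domain reputation list.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption: a real
# checker queries DNS for the MAIL FROM / HELO domain instead of this dict).
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # the kind of permissive record a throwaway spam domain can publish
    "throwaway.example": "v=spf1 +all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed domain blocklist (stands in for a real-time domain reputation list).
BAD_DOMAINS = {"throwaway.example"}


def spf_check(ip, domain, records=RECORDS, depth=0):
    """Return the SPF result for ip against domain's record (first match wins)."""
    if depth > 10:  # cap include: recursion (RFC 7208 limits DNS-querying terms)
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced domain's record passes
            if spf_check(ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and redirect= would need DNS; skipped in this offline model
    return "neutral"


def policy(ip, domain, records=RECORDS, bad_domains=BAD_DOMAINS):
    """SPF only says whether domain authorized ip; reputation says whether to trust domain."""
    result = spf_check(ip, domain, records)
    if result == "fail" or domain in bad_domains:
        return "reject"
    return "accept" if result == "pass" else "accept-unverified"
```

    The throwaway domain passes SPF for any IP, which is exactly why the result has to be combined with a domain blocklist before it means anything.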

  35. Re:Melior, Inc.'s iSecure to fight DDoS by elemental23 · · Score: 2, Insightful

    Without looking at their web site, I'll bet this still suffers from the same problem regular firewalls do. Namely, that the firewall can keep all this traffic away from the servers, but it can't prevent your pipe being saturated. Hence "denial of service". It doesn't matter how well your servers are running if you have no bandwidth left.

    --
    I like my women like my coffee... pale and bitter.
  36. Protecting Privacy is Much More Important by billstewart · · Score: 2, Insightful
    Sure, I also find it annoying when some spammer has a GoDaddy privacy-protecting address, or is registered with email contact address: SkriptKiddie@hotmail.com, snail-mail 1600 Pennsylvania Ave, phone 1-900-spam-you. But "valid" addresses don't solve that problem - one spammer I traced yesterday has a street address that's identical to The Company Corporation, which for the last 105 years has been the canonical simple low-priced way to set up a Delaware corporation, and their phone number was an answering service somewhere. You can hunt them down, seize their assets (a manila folder in one of The Company Corporation's file cabinets) and have John Ashcroft burn it at the stake at high noon and all that means is that the spammer needs to spend another $100-500 to set up a new corporation for the next time they get busted, along with a couple more $25/month ISP accounts.

    But the real purposes of the whois information are working contact information when your system's broken or spewing. Phone numbers are helpful because if your DNS or email is broken, then sending you email often doesn't work. Street address information is useful if the registrar wants to send you paper bills, but that doesn't need to be public.

    ICANN has been pressing for whois information to require True Names, ICBM addresses, and Subpoena-delivery addresses because they want anybody to be able to drag you into court over domain name trademark issues, and if there's no way to determine _your_ legal jurisdiction, somebody might try to sue them or the registries or registrars instead, plus different jurisdictions have different rules about trademarks. (Remember that the only IP that ICANN cares about is Intellectual Property, not Internet Protocol.) But that's just tough - they could just as well make a rule that says that you need to provide a working email address, and that if you don't respond within X days, they can give away your domain name to any reasonable-sounding claimant, and tell you what court or arbitrator to go to if you want it back.

    RIAA and MPAA are pushing ICANN to include True Names and legal jurisdictions because they want to sue your ass if anybody thinks about sharing music on anything you own. The US Department of Homeland Security wants the whois records to include your blood type, DNA records, retina scans, fingerprints, and US Not-Known-To-Be-A-Terrorist-Or-Democrat-Yet permission slip, because John Ashcroft wants to be able to burn *you* at the stake and not just your domain name contract, just in case your web site has pictures of that Department of Justice statue with the bare breasts that he covered up. Lots of other people have reasons they'd like to get your marketing information from your whois records.

    But that's not what domain names are about. Domain names are about giving ways for you to publish information on the Internet where people can find it, and to provide contact information for people who you want to be able to reach you. They're a technical tool for doing that, and whois records are a technical tool for maintaining them. They can be an important privacy tool if you want privacy, or an important publicity tool if you want publicity. If you want to publish your political rants on "www.federalist-papers.org" the way the original authors pseudonymously published theirs on dead trees, that's a critical part of freedom of speech. If you want to publish your Falun Gong religious rants on the net and not have the Chinese government censor you or hunt you down and throw you in jail, or hunt down the people who read them, that's your right too.

    Privacy is much more important than stopping spammers, annoying as they are. Stop spammers with technical tools, or stop spammers by changing the economics that let some of them profit, or stop spammers with baseball bats for all I care, but don't say it's ok to mess with our civil rights as collateral damage.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks