Slashdot Mirror


What You Get When You Buy a Spam CD

defender writes "Recently over here in The Netherlands, the spam versus anti-spam 'war' has hardened. More professional spamming coming from a handful of hard-core spammers utilizing bulletproof hosting in India, chained open proxies, more and more false whois information, etc. One of the more known anti-spam people has been sent one of the subjects of those spams: a CD with millions of e-mail addresses of 'individuals' and hundreds of thousands of 'businesses'... Rejo Zenger has done an analysis of such a CD, which is fuelling new debate as to why the recent EU anti-spam directive was weakened because of businesses complaining or indicating that spam wasn't a big issue for them."

19 of 518 comments

  1. Re:Spammers are beginning to organise by svanstrom · · Score: 5, Insightful

    Sadly the bad guys can DDOS the good guys, but the good guys can't (easily) DDOS the bad guys... at least not without either using the tactics of the bad guys, or getting caught... =(

    --
    perl -e'print$_{$_} for sort%_=`lynx -dump svanstrom.com/t`'
  2. No surprises here by John3 · · Score: 4, Insightful

    Is anyone surprised that the 10 million promised addresses boil down to less than 7 million after removing duplicates? The article is interesting in terms of statistical analysis of the data (especially the fact that a number of abuse and postmaster addresses are in the email database), but I don't think anyone expected quality email lists from spammers.

    On the other hand, why would someone sending spam care too much about the integrity of the data? You're still getting over 6 million email addresses. So several million messages bounce...does the spammer care?

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  3. Re:Why? by allism · · Score: 4, Insightful

    You can't PROVE intent with one of these CDs. If I have a pound of marijuana on my kitchen table, the odds are good that someone is gonna use it in an illegal manner. It's not illegal to have e-mail addresses, though, because they can be used for something legitimate (i.e. research, as the author of the article did).

  4. Re:/dev/random CD for sale! by wytcld · · Score: 5, Insightful

    The /dev/random method is world reknown[ed]

    You joke, but this algorithm was sufficient for human evolution. (Hmm, spam as sperm?)

    --
    "with their freedom lost all virtue lose" - Milton
  5. Selling e-mail addresses shouldn't be illegal by amichalo · · Score: 5, Insightful

    I can't stand spam and won't use it in business practices, but I don't think it should be any more illegal to sell a CD with aggregated e-mail addresses than it should be to sell a phone book CD with telephone numbers. There is value added in the indexing and providing of tools to manage so many addresses.

    What should be illegal is selling generated, known to be false, addresses. This is basically false advertising.

    What should also be illegal is bulk mailing to people who do not subscribe to a service. We need better mail servers that optionally require a "key" to receive mail, otherwise it goes straight to "File 13".

    Sadly, all this bulk mail, even if "bounced" back to the sender, uses tons of bandwidth and is ultimately a tremendous waste of everyone's time.

    Unfortunately, all this Spam would stop if people STOPPED BUYING FROM THE SPAMMERS, but even if 0.0001% of recipients say "yeah, I DO want a larger ... organ" and patronize the spammer, then the spam will continue.

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
  6. I'm not sure this is a good idea... by mpath · · Score: 5, Insightful

    Pointing out spammer's mistakes and helping them evolve/correct the problem.

    --
    I'm not sure what the secret to success is, but the secret to failure lies in trying to please everyone -Bill Cosby
  7. Nothing New About This ... by strelitsa · · Score: 5, Insightful
    "Millions" CDs are nothing new under the sun. Spammers have been using "dirty" lists since ARPANET days, and they merely turn "just hit delete" sheeple into raving anti-spam activists.

    As for the author's assertion that the "bulletproof" spam hosts are in India, I give you ... China, Brazil, most of the Pacific Rim, as well as clueless/malicious providers such as Level3, Wanadoo.fr, etc. I can count the number of spams I've received from Indian sources recently on one hand, while the Chinese/Brazilian spam numbers in the tens of thousands.

    --
    No mod points, no meta-moderating/Firehose/all the other free work Slashdot wants me to do.
  8. Re:/dev/random CD for sale! by the+gnat · · Score: 4, Insightful

    No, he's right - evolution is not random. The process by which mutations occur is, but they are under heavy selective pressure and those which are propagated are not truly "random". This does not mean that evolution has some guiding direction (although you often hear sloppy terminology used, e.g. "evolution designed this organism to blah blah blah"), only that the process by which mutations are incorporated is based on a complex set of mathematical/chemical/biological rules.

    To return to the /dev/random joke, this would be comparable to evolution if you only accepted strings that had a valid TLD in them (as well as the proper form of email address), and then filtered them to leave only those where mail delivery was successful. Which is more or less what spammers already do with Hotmail and Yahoo.

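    The cleanup pass that comments 2 and 8 describe (syntax check, known-TLD check, dedup after normalisation, flagging role accounts like abuse@ and postmaster@), as an added worked example. This is not code from the article or from either commenter; the sample dump is constructed for illustration, the TLD set is a small stand-in for the IANA list, and folding the local part to lower case before dedup is an assumption (RFC 5321 allows case-sensitive local parts, but nearly every provider ignores that).

```python
import re
from collections import Counter

# Constructed sample standing in for a few lines of a "millions" CD (not real data).
SAMPLE_CD = """\
jan@example.nl
Jan@Example.NL
 piet@voorbeeld.nl  
abuse@isp.example.com
postmaster@example.nl
info@bedrijf.nl
kwsdjlk@
x7f9q@zzqk.xyzzy
sales@shop.example.com
jan@example.nl
notanaddress
bob@host.example.com
"""

# Local parts that reach a role (often an ISP abuse desk), not a person.
ROLE_LOCALPARTS = {"abuse", "postmaster", "hostmaster", "webmaster", "noc",
                   "security", "info", "sales", "root", "mailer-daemon"}
# Illustrative subset only; a real run would load the IANA TLD list.
KNOWN_TLDS = {"com", "net", "org", "nl", "de", "uk", "edu", "gov", "info", "biz"}
# Deliberately loose syntax check: local@label(.label)+.tld, capturing the TLD.
ADDR_RE = re.compile(r"^[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+([a-z]{2,})$")


def normalize(raw: str):
    """Return (address, tld) for a syntactically plausible address, else None.
    Assumption: the whole address is lower-cased so 'Jan@Example.NL' and
    'jan@example.nl' count as one entry."""
    addr = raw.strip().lower()
    m = ADDR_RE.match(addr)
    if not m:
        return None
    return addr, m.group(1)


def analyze(dump: str) -> dict:
    """Walk one dump and return counts: lines, malformed, unknown_tld,
    duplicates, unique, role, usable (unique and not a role account)."""
    stats = Counter()
    seen = set()
    for line in dump.splitlines():
        if not line.strip():
            continue
        stats["lines"] += 1
        parsed = normalize(line)
        if parsed is None:
            stats["malformed"] += 1          # /dev/random-grade junk
            continue
        addr, tld = parsed
        if tld not in KNOWN_TLDS:
            stats["unknown_tld"] += 1        # right shape, no such domain
            continue
        if addr in seen:
            stats["duplicates"] += 1
            continue
        seen.add(addr)
        stats["unique"] += 1
        if addr.split("@", 1)[0] in ROLE_LOCALPARTS:
            stats["role"] += 1               # mailing abuse@ is how you get listed
        else:
            stats["usable"] += 1
    return dict(stats)


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CD).items():
        print(f"{key:12} {value}")
```

    On the constructed sample, 12 lines shrink to 7 unique syntactically valid addresses, of which 4 are role accounts, leaving 3 that actually reach a person. The same script run over a real dump gives the "claimed vs. deliverable" ratio the article's analysis is about.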
  9. This is NOT Simple by ink · · Score: 5, Insightful
    You say that this is simple, but it is not. In order to have an authoritative source for the data, one must have a named, vulnerable location to dispense it from. P2P networks function because everyone trusts everyone else, and if you download the latest Audioslave video, and it turns out to be Britney and Madonna making out, well then c'est la vie. If you download the latest blacklist, and it ends up shutting off legitimate email, then mon dieu!

    Bittorrents, for example, must have a seed site out there somewhere. This site can be taken out, and any other "official" site that mirrors it. If the data is signed, then the official sources of such signed data are vulnerable (if you need to revoke the key). The general problem of anonymizing traffic, while being able to trust the data on it at the same time, is Hard.

    --
    The wheel is turning, but the hamster is dead.
  10. Re:Do me a favour by Tim+C · · Score: 3, Insightful

    We'll soon see a change in the law.

    Yes - to make intentionally submitting the email addresses of such people to spammers illegal. Hell, they can probably swing it as a terrorist act - interfering with the democratic process, distributed dos attack on their email, etc.

  11. Re:Great Tutorial by vidarh · · Score: 4, Insightful
    Yeah, because finding this information is so incredibly hard, and would have taken the spammers a whole hour or two of intense work, so of course that's why they haven't done it.

    If you think this will make a difference in the quality of the lists, think again. These people are more interested in volume than quality, or they wouldn't have spent time on spam in the first place.

    The more unsophisticated spammers don't really care about the list quality, as they'll just keep accumulating addresses since sending out the mails cost them next to nothing anyway. The sophisticated spammers are more likely collecting their own lists.

    And the people selling these lists have every interest in inflating the number of addresses as much as they can get away with from their prospective customer base.

  12. Yep.. but it doesn't stop the SPAM from flowing... by Kjella · · Score: 4, Insightful

    ...over the years I've received exactly TWO Norwegian spams - from "Trondelag Teater" and "freewave.no" Of course, I'm pretty careful with my "official" mail, I keep various other junk accounts for other stuff. But the US spam (presumably) keeps coming in, viagra, 411 scams, mortgages, gambling, whatever. They still fill up my inbox.

    I think the only way to do it is to have
    a) hashcash payments (CPU time) OR
    b) cryptographic pass-through "token"

    The former for all the low-volume mail, where you can "afford" to burn a little CPU. The latter for mailing-lists and similar high-volume stuff, which would allow it through without paying any hashcash, but must be specifically issued (by the server, at the user's request).

    The server wouldn't need to keep a database of them, it would simply have to verify them. Yes, this is my own signature, a valid user@mydomain.tld token with the name "Slashdot". They could also be time-limited. Furthermore, the token email address should be different from the non-token email, so that I can issue them "anonymously". (e.g. the SHA hash of the real email...)

    Compromised token? Reject any further mail from that token, preferably at server (revocation database, wouldn't be that large). By default, mailing lists should take a rejected token as an "unsubscription".

    That would also allow for degrees of "blocking", not simply black&white lists.... these semi-spammy domains get higher hashcash, these highly no-spam areas get lower hashcash.

    So how would this work. Let's say I want to sign up for a slashdot newsletter:

    Subscribe
    1. Send subscription email to server, check box for "Issue token", and call the token "Slashdot".
    2. Server receives requests, generates a cryptographic token, and sends it to the list from the TOKEN address (say e.g. a hash of the real email, server has a hashmap).
    3. Server receives mail from mailing list, looks up real email based on token, verifies token, and passes it on (with proper "X-Token" header or something like that). Replies to messages with an X-Token also sent over token address.

    Unsubscribe (either due to compromised/SPAM/leaving list):
    1. Revoke token
    2. Mailing list tries to send mail, but fails on invalid token. Removes you from list. They could try again but the result would be the same.

    What information does slashdot have now? Nothing. No valid token, no valid address. No matter how hostile/compromised they got, they can't do any more damage. They can't even sell my real address to spammers.

    Having removed all "high-volume" automatic lists from the equation, we can jack up the hashcash requirement high enough that it really hurts spammers. You can finally have a SPAM policy without directly rejecting mail.

    Hell, you could even have a two-stage hashcash deal. One based on origin (before wasting bandwidth) and one after retrieving mail and passing it through SpamAssassin, with higher hashcash the more "spammy" the mail is (wasting bandwidth, but saving space in inbox).

    The only ones hurt by this are those sending mass amounts of unsolicited mail. Which are, in approximately 99.99% of the cases, spammers. If it isn't, it's mass requests to sign "save futurama/the rainforest/whatever" campaigns or similar. That much collateral damage, I'm willing to take.

    Kjella

    --
    Live today, because you never know what tomorrow brings
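    A runnable sketch of the two-tier gate Kjella lays out above (hashcash for everyone, issued tokens for high-volume lists, revocation as unsubscribe), added here as an illustration; it is not Kjella's code. Assumptions beyond the comment: the hashcash stamp uses the published v1 layout `ver:bits:date:resource:ext:rand:counter` with SHA-1, the token is an HMAC over (token address, list label, expiry) under a server secret so the server only needs a revocation set plus the token-address-to-mailbox map Kjella mentions, and the per-origin difficulty table is a hypothetical example of the "degrees of blocking" idea.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

HASHCASH_BITS_DEFAULT = 16          # cost for an unknown origin (~65k SHA-1s)
# Hypothetical per-origin table: semi-spammy origins pay more, trusted ones less.
ORIGIN_BITS = {"trusted.example": 8, "spammy.example": 22}


def hashcash_bits_for(origin_domain: str) -> int:
    return ORIGIN_BITS.get(origin_domain, HASHCASH_BITS_DEFAULT)


def _leading_zero_bits(digest: bytes) -> int:
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def mint_stamp(resource: str, bits: int) -> str:
    """Sender side: burn CPU until SHA-1(stamp) starts with `bits` zero bits."""
    date = time.strftime("%y%m%d", time.gmtime())
    rand = secrets.token_urlsafe(8)
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{rand}:{counter}"
        if _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, resource: str, required_bits: int) -> bool:
    """Receiver side: one hash, no state (a real MTA also caches seen stamps)."""
    try:
        ver, bits, _date, res, _ext, _rand, _ctr = stamp.split(":")
    except ValueError:
        return False
    if ver != "1" or res != resource or int(bits) < required_bits:
        return False
    return _leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= int(bits)


@dataclass
class TokenServer:
    domain: str
    key: bytes = field(default_factory=lambda: os.urandom(32))
    token_map: dict = field(default_factory=dict)   # token address -> real mailbox
    revoked: set = field(default_factory=set)       # the small revocation database

    def issue(self, real_mailbox: str, label: str, ttl_days: int = 365):
        """Create the token address (hash of the real address, so it reveals
        nothing) and a time-limited token bound to that address and list label."""
        expiry = int(time.time()) + ttl_days * 86400
        local = hashlib.sha256(f"{real_mailbox}|{label}".encode()).hexdigest()[:16]
        token_addr = f"{local}@{self.domain}"
        mac = hmac.new(self.key, f"{token_addr}|{label}|{expiry}".encode(), "sha256").hexdigest()
        self.token_map[token_addr] = real_mailbox
        return token_addr, f"{label}|{expiry}|{mac}"

    def check(self, rcpt: str, token: str):
        """Verify an inbound X-Token for a token address; returns (ok, info)."""
        if rcpt not in self.token_map:
            return False, "unknown token address"
        try:
            label, expiry, mac = token.split("|")
        except ValueError:
            return False, "malformed X-Token"
        if int(expiry) < time.time():
            return False, "token expired"
        expected = hmac.new(self.key, f"{rcpt}|{label}|{expiry}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad token MAC"
        if rcpt in self.revoked:
            return False, "token revoked"
        return True, self.token_map[rcpt]

    def revoke(self, token_addr: str) -> None:
        self.revoked.add(token_addr)       # the list's next send fails = unsubscribe


def gate_inbound(server: TokenServer, rcpt: str, headers: dict, origin_domain: str):
    """Token mail bypasses hashcash; everything else must carry a valid stamp."""
    if rcpt in server.token_map:
        ok, info = server.check(rcpt, headers.get("X-Token", ""))
        return ("deliver", info) if ok else ("reject", info)
    bits = hashcash_bits_for(origin_domain)
    if verify_stamp(headers.get("X-Hashcash", ""), rcpt, bits):
        return "deliver", rcpt
    return "reject", f"need {bits}-bit hashcash"
```

    Note what the list operator ends up holding: a hashed address and a MAC they cannot forge or extend, which is exactly the "they can't even sell my real address" property the comment is after. The weak spot, as with any hashcash scheme, is that a botnet pays the CPU cost with other people's machines, so the difficulty only hurts spammers who rent honest infrastructure.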
  13. Re:Spammers are beginning to organise by the_mad_poster · · Score: 4, Insightful

    No, it's not bullshit, you're just an idiot and you have a problem with context.

    Now, if you can show me where I said anyone SHOULD do it, as opposed to the entire post which is a hypothetical question regarding what would happen if an army of hackers DID do it, I'll eat those words.

    And, please, just knock off the moralistic white-hat hacker bs. I'm sick and tired of people continuing the "play by the rules even if the rules are crooked" credo with their inflated egos and pomp. If the solution to the problem is a brute force assault, that's the solution. What sort of self-respecting geek would overlook the solution to a problem because they had a different one in mind to begin with? Mark my words: within a year Bayesian filtering will be another dead suggestion in the pile of stopgap solutions to the problem. Whitelisting is already a solution only for those few mortals who can afford to miss random / unknown contacts and don't receive enough mail to make the overwhelmingly excruciating maintenance completely offset the benefits. Blacklists are under illegal assault as we speak and nobody is lifting a finger to help them. Computers are being zombified and mobilized on a daily basis making innocent users who just want to send pictures of their kids to grandma unwitting weapons in the arsenal of anyone with a little technical skill and some ill intent.

    Hate to tell yah buddy, but the Internet is, in fact, a warzone. The technical solution is a total revamp of protocols, and it's unlikely that the implementation would be anywhere close to being construed as successful given the widespread nature of the network.

    And for those of you who've been wondering about the obvious anarchist slant to these last two posts, no, I'm not anarchist, but the Internet IS an anarchy. As a result, it's the responsibility of the clueful few to handle problems in whatever manner the majority community sees fit (including the clueless ones in the community, not just the geeks). The Internet can route around physical damage, but it can't route around social problems like spam. Trying to solve a social problem like spam with a technical solution is stupid. That's like trying to "cure" racism with pills. A strong message needs to be sent, and, unfortunately, it would appear that nobody within the bounds of the law is willing to send it.

    So, I ask again: what would happen if the community took care of the problem for them?

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  14. Friendly virus == shoot self in foot by Julian+Morrison · · Score: 3, Insightful

    The problem with the "friendly virus" approach: you're trying to install software on zillions of strangers' computers, blindfold. Assuming this is windoze we're talking about here, there are scads of different versions and subversions and patched and hacked OSes. It's a certainty that your "upgrade" will fry the OS in a fair percentage of cases, even if you wrote it without a single bug. Which you won't have done, because its first real test-run will be live.

    The first "great internet worm" was a friendly program that went haywire.

  15. Re:How about a private-public key? by Crypto+Gnome · · Score: 4, Insightful
    Of course you've just completely ignored the core problem with SPAM.

    By the time I've received an email, i.e. downloaded it to my local machine, it has just polluted (i.e. stolen/consumed the resources of)
    • my cpu
    • my disk
    • my bandwidth
    • the ISP mailserver cpu
    • the ISP mailserver disk
    • the ISP bandwidth
    • the ISP bandwidth of every ISP it transits to get across 'the internet' to me
    So, tell me again how your "solution" actually solves *any* problem?

    Repeat after me the problem with spam is *NOT* that we're unable to recognise it for the SPAM that it is.

    The problem with SPAM is the resources it steals from me and all the ISPs.

    Face it people, SPAM is THEFT, inbound SPAM steals resources from me, and resources from my ISP. In the end, I (the consumer) pay for that theft (e.g. increased internet access costs etc).
    --
    Visit CryptoGnome in his home.
  16. What about Rule #5? by Anonymous Coward · · Score: 5, Insightful

    The entire analysis boils down to one thing, which I call Rule #5, the King of All Rules: Spammers don't give a shit.

    They don't care who you are, what you think, what you would or would not like to receive, what sex you are, if you are a minor or not, if the address they are sending to is valid or malformed, or if you are dead. All the lying that they do and the rationalizing of their behavior exists solely because -- let's chant together -- "Spammers don't give a shit"

    The notion that a spammer should clean up a spamming CD to remove duplicate addresses or to remove role addresses at ISPs is simply ridiculous. Why spend the time? It will have zero impact on the number of sales that they make and -- chant it -- spammers don't give a shit.

    So forget all the other rules. It is a waste of time to assign qualitative analysis to the behavior of sociopaths. They want money, and they don't give a shit about how they go about doing it. Once you realize that, you will see that all the other "Rules" for spammers are superfluous and stem from Rule #5.

  17. Re:Spammers are beginning to organise by __aatgod8309 · · Score: 4, Insightful

    I'm amazed at the ability of otherwise intelligent people (well, that's the theory) to focus on the spammers at the expense of those who're really responsible for the spam - those who pay for it to be sent.

    You want to shoot the messenger? Fine. But don't forget that someone pays the messenger to send their message. Whether they are selling you something (which may or may not work), or just harvesting replies to sell to interested businesses, they are the ones to target.

  18. Re:Spammers are beginning to organise by Alsee · · Score: 4, Insightful

    Spamcop can choke and die.

    Woohoo! Lookie here! A PISSED OFF SPAMMER!
    Awwwwwwww, isn't that cute?

    They blacklist people regardless of if the user tried to unsubscribe.

    Fuck off and die. You have absolutely no right to expect people to burn up an entire LIFESPAN unsubscribing to your computer generated bulk crapflood.

    Let's assume you never spam any address more than once. Let's assume that the average internet user goes through a mere two email addresses in his entire life. Let's even forget the 600 million global internet users and assume you only e-mail the 150 million or so American internet users. Let's assume it takes an average of 5 seconds to download, review, and use the unsubscribe process.

    Unsubscribing from a SINGLE spammer:
    150 million people * 2 email addresses * 5 seconds
    = 1.5 BILLION seconds.

    One human lifespan:
    60 seconds per minute * 60 minutes per hour * 16 (waking) hours per day * 365.24 days per year (0.24 factors in leap years) * 71.3 years
    = 1.5 BILLION seconds.

    So each and every "unsubscribe-system" spammer can easily KILL an entire human life! Yeah, it only consumes a tiny portion of each person's life, but that does not change the fact that the final cumulative impact equals an entire human life.

    If the user is too damn lazy to use unsubscribe it's our fault?

    Lazy - that's a real hoot! He had to work to file a complaint against you. That takes quite a bit more time and effort than simply clicking an unsubscribe link.

    That proves there's an error in your mental perception of the situation. You are trying to place the blame on people who are "simply too lazy to unsubscribe". THEY are not the problem, and THEY are obviously not lazy, or they wouldn't be making the effort to cause you trouble. They make that effort because YOU and YOUR COMPUTER are causing trouble for THEM with computer generated bulk messages that need to be dealt with BY HAND. You burn up a few milliseconds of computer time to generate each message, messages that cumulatively burn up hours, days, years, or decades of human time to deal with.

    YOU should not be burdening MY TIME with computer generated bulk mail unless I specifically requested it from YOU. NO stupid-ass games constantly trying to shoe-horn people onto global "opt-in lists" to sell around the planet.

    If I want your bulk mail then *I* will give you my address, and I will give it to you for FREE!

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  19. Re:Spammers are beginning to organise by the_mad_poster · · Score: 3, Insightful

    Shooting the proverbial messenger is just fine when the problem is the message itself. Shooting the messenger only becomes a problem when you don't want to hear a message about a DIFFERENT problem.

    Of course, in this case, I have no problems with shooting the messenger AND the person who sent him...

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!