Slashdot Mirror


What You Get When You Buy a Spam CD

defender writes "Recently over here in The Netherlands, the spam versus anti-spam 'war' has hardened. More professional spamming coming from a handful of hard-core spammers utilizing bulletproof hosting in India, chained open proxies, more and more false whois information, etc. One of the more known anti-spam people has been sent one of the subjects of those spams: a CD with millions of e-mail addresses of 'individuals' and hundreds of thousands of 'businesses'... Rejo Zenger has done an analysis of such a CD, which is fuelling new debate as to why the recent EU anti-spam directive was weakened because of businesses complaining or indicating that spam wasn't a big issue for them."

38 of 518 comments

  1. Spammers are beginning to organise by Tirel · · Score: 5, Interesting

    It's been reported that SpamCop is paying upwards of $30K / year for bandwidth as a direct cause of the continuous DDOS attacks on it.

    The spammers are doing everything they can to squeeze the anti-spammers out. They use frivolous lawsuits (aka Mark Felstein and his porn spamming backers) or DDOS attacks that either knock the anti-spam resources off completely or increase the costs so that no hobbyist can run them.

    And while all this is going on, the law enforcement agencies are doing nothing to counter the clearly illegal acts of the spammers.

    And ISPs are doing NOTHING to reduce the number of zombies on their networks. So the DDOS attacks continue.

    Nice going.

    It's only a matter of time when someone (Al Queda?) will use the zombie network for something that will truly be noticed.

    1. Re:Spammers are beginning to organise by Lumpy · · Score: 4, Interesting

      A simple answer is a bittorrent solution to the blacklists or other data, or a p2p type of app to get the lists or data out to the servers/customers.

      If you don't have one target to attack, and don't allow the scumbags to modify the data file (md5 sums + other means to ensure the file is real...), you can end run these spamming scumbags.

      I for one don't understand why this has not been done already.

      --
      Do not look at laser with remaining good eye.
    2. Re:Spammers are beginning to organise by Anonymous Coward · · Score: 1, Interesting
      How do you know the md5 sums are legit? Do you get them off p2p too? Or do you have a central website that can be DDOSed?


      The answer is to drop SMTP and go with QMTP.

    3. Re:Spammers are beginning to organise by the_mad_poster · · Score: 4, Interesting

      Seriously... what would happen if everyone here went rogue, said "fuck it", and just actively blew away spammers (online, mind you, we don't need any gun-toting geeks for the love of god)?

      With 700,000+ people on slashdot, a less than 1% high techno-competency rate (let the jokes fly...) would yield 7000 individuals from this site alone capable of tracking spam, breaking down proxies and ISPs, stealing and altering logs, etc. How long would it take before 7000 militant hackers working together broke down the spammers under an onslaught of attacks as underhanded as the ones the spammers are using? People like Ralsky aren't even that smart, technologically. I'm willing to bet that once the tough part is done: tracking them, actually beating the daylights out of their systems and them wouldn't be that hard.

      Of course, each individual would have to be willing to deal with the fact that they could be one of the people that gets arrested and charged with a couple of felonies. Sort of like the old trick "yep - all three of you can surely beat me, but the first one in to try it dies". Who wants to be the hero?

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    4. Re:Spammers are beginning to organise by svanstrom · · Score: 4, Interesting
      > Seriously... what would happen if everyone here went rogue, said "fuck it", and just actively blew away spammers (online, mind you, we don't need any gun-toting geeks for the love of god)?


      We could do it without saying "fuck it"...

      Seriously, it doesn't take a genius to write a virus/worm that takes advantage of the latest virus/worm-problem, patches the local system, spends 30 minutes attacking spammers and spreading to other infected systems, after which it just erases itself.

      _ONE_ person is enough for such a thing, and sooner or later someone will do it.
      --
      perl -e'print$_{$_} for sort%_=`lynx -dump svanstrom.com/t`'
    5. Re:Spammers are beginning to organise by gmack · · Score: 4, Interesting

      No.. it's not.

      Having run an opt in mailing list for a previous employer I can tell you that some people sign up then go complain to spamcop when they actually get the email. And then the mail server gets an instant blacklist thanks to the automated system and you're stuck with the rest of the emails getting bounced.

      The problem gets worse when they black out the email addresses so it becomes impossible to tell who actually wanted off.

    6. Re:Spammers are beginning to organise by Anonymous Coward · · Score: 1, Interesting
      But will they strike??

      Anyway, I worked at a failing web host for a few months and received a project to blast-mail a promotion for a new customer using their "validated opt-in" list that came on a packed CD as described in this story (except targeting US persons, ostensibly). After loading the millions of addresses into MySQL ... a real chore ... my co-worker and I reviewed the list. He found his email address and I found my own father on the list. I was sure that neither had opted in for a bridal registry. Further checks revealed cmdrtaco, pudge, cowboy neal and others at Slashdot (absent was Jon Katz, but he, like Wim Kok, didn't use computers anyway, right?) and a whole bunch of die.net addresses. Hint: don't send email to die.net. Sendmail will choke and your server will die. It's cool.

      I'd like to say we found this out BEFORE running a couple days of email, but I can't; for 3 days in Feb of 2002 my company sent spam -- although marked correctly according to CA law ("ADV: ....") with a working remove link and for a legitimate product (not related to organs, mortgages or peek-a-boobies). But it was spam nonetheless. We probably sent out 275,000 emails -- but would have sent many more if the list hadn't been polluted with die.net addresses, which don't let go of the connection...very effective.

      I've mentioned this before, but won't sign my name this time due to the legal climate.

      For all the shysters promoting email there is a nerd enabling them -- many may be on /. Don't support spammers.

    7. Re:Spammers are beginning to organise by the_mad_poster · · Score: 3, Interesting

      > I think we'd all rather see an elegant solution here.

      I don't WANT regulation, plain and simple. The government fucks up enough things without sticking its nose in the Internet too. It would be nice, however, if they'd bother to investigate and prosecute spammers and spam-virus writers the way they go after the "real Bad Guys" like Mitnick or Phiber Optik.

      > I think we'd all rather see an elegant solution here. I think we'd all rather NOT see More DOS attacks.

      Agreed on both counts. But, I don't see any elegant solutions in the works and the ones that are on the way are already under attack. Bayesian filtering is trivially circumvented with blocks of "real" text to drive down the % likelihood of a spam being labeled as such and, at the same time, drive UP the likelihood that a legitimate message is labeled as spam. It's the best stopgap to date, but it will fail eventually. As for the DDoSs - a good way to put a total stop to them would be to wipe out the spammers. Sure, there'd be a huge spike for awhile if people DDoSed in return, but that's a clunky, temporary solution to them. There are far more "elegant" ways to fight back.

      And, physical violence? Sort of. It's more akin to someone driving past your mailbox and bashing it in every time you get a new one. When you call the cops and they don't or can't do anything about it, what do you do? I'll tell you a good counter-measure: when you hear them coming down the street *pok* *pok* *pok* - grab a crowbar and hide in the bushes. As they slow down to pop your mailbox next, jump out and smash the back windshield of the car.

      Never saw 'em again.

      If the law can't be bothered to handle it (prosecution), and it can't be settled peacefully ("elegant" technology), I have no problem with a gun battle in the streets as long as the "victims" that you're fighting for approve of it.

      Now, if someone has a serious proposal for retooling the SMTP or has some other workable solution to the problem, and has a plan for rolling it out, I'm all ears. However, I don't see a serious proposal that will be ready NOW and spam is a HUGE problem NOW. A solution that's going to take another 5 years to develop and implement is NOT ACCEPTABLE. The spammers are going to destroy e-mail in the process. They are not playing by the rules, they are not playing by the law, and nobody has a realistic solution that will be ready in time. Why should anybody else play by the rules if the law's not going to deal with them?

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    8. Re:Spammers are beginning to organise by Unsolicited+Commando · · Score: 2, Interesting

      Sadly the bad guys can DDOS the good guys, but the good guys can't (easily) DDOS the bad guys... at least not without either using the tactics of the bad guys, or getting caught... =(

      Actually, I'm working on a project that is already annoying spammers who use information gathering type spams (sign up to refinance your homeloan, get rich quick...). Although distributed, it's not really a denial of service attack. I can't find any laws that suggest that what I am doing is illegal, and if it was it would be hard to prosecute anyone participating in my system. Check it out...

      --

      Get revenge: Unsolicited Commando

  2. Why? by k3vmo · · Score: 2, Interesting

    Why aren't such CDs outlawed? I mean, countries go after drug suppliers... why not go after those supplying an individual's email address?

  3. The same thing happens here... by bc90021 · · Score: 5, Interesting

    Any CD that is sold containing email addresses invariably has some that work, but the vast majority are just generated. I once knew someone (and I no longer communicate with that person) who insisted that spam was the only way to sell his products. He paid $400 to some marketing company, and they sold him a CD with a million addresses. He asked me to look at it, and my conclusions were that he got ripped off. He didn't want to believe me, but the sheer number of addresses that were obviously generated proved to me that someone had written a quick script to create addresses. A good portion of the addresses were also old-school, with lots of "71532.4532@compuserve.com" type addresses.

    Spammers aren't just evil for selling addresses, they are evil for making up about 3/4 of the ones that they do sell, and anyone who buys a CD with email addresses on it should be aware of that.

  4. Re:"Unregular syntax" by r1ch · · Score: 2, Interesting

    To be fair he also says "The addresses ending in one dot are technically valid addresses. If handled correctly by the software that is used, they should cause no problems. However, when sending bulk e-mail your goal would be to reach as many as possible and one would prefer to play it safe."

  5. I've often wondered... by psycho_tinman · · Score: 3, Interesting

    Yes, it's great that people embed "remove-this" and so on into their email addresses at Slashdot and other places (like Usenet), for example to make it harder for bots to parse and detect valid email addresses..

    But one wonders if tools can't easily be written to remove basic patterns of that sort ... a simple substitute (or regex, whatever) would cleanse quite a few addresses, especially on UseNet..

    Why is this worth it? Playing devil's advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances?) and thus the spam would be more "directed"?

    Along those lines, how much longer before someone just hires a high school kid to manually "collect" addresses? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..

    It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought? If it's per item, then there is a good incentive to cleanse, I'd think..

    1. Re:I've often wondered... by Golias · · Score: 3, Interesting
      > Why is this worth it? Playing devil's advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances?) and thus the spam would be more "directed"?

      If your business model depends on targeting spam at people who hate spam enough to obfuscate their e-mail address, you are not going to be in business very long.

      Besides, the whole point of spam is that it's a cheap broad scattershot. If you were willing to go to the trouble of demographic research, you would probably be better off buying a banner ad at megatokyo.com or something.

      --

      Information wants to be anthropomorphized.

  6. Re:Spam in Europe by simetra · · Score: 2, Interesting

    Untraceable? Why not just pretend to be a customer, even buy the product, then bust them? Surely during the process of patronizing a spammer, you'll get their identity, address, etc.???

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  7. Do me a favour by skinfitz · · Score: 5, Interesting

    Edit the CD to include the email address of every politician the world over, along with known spammers and the editor of every media outlet. If you can, use addresses that forward a notification to their mobile phone via SMS, then sell the new CD.

    We'll soon see a change in the law.

    Ahh I can dream.

    1. Re:Do me a favour by Saeger · · Score: 2, Interesting
      > If laws suddenly started working against spam, I'd be worried, as that would mean we were in the middle of a lock-down of the net

      Hear, hear!

      The best solution is a new protocol (or extension) that isn't so blatantly easy to abuse as SMTP is. The problem is that the current spam-ridden email system is still hugely valuable simply because of the network effect of everyone using it, that it's hard to get people to switch. People have been increasing IM usage, but that's not open enough to take off.

      IMO, we need a system based on webs-of-trust (w/PGP) so the problem of trust takes care of itself bottom-up.

      --
      Power to the Peaceful
  8. Great Tutorial by StarkII · · Score: 2, Interesting

    I find it doubtful that the erroneous e-mail addresses are malicious. That would suggest that these spammers have vastly higher intelligence than the evidence indicates.

    But...thanks to this new and wonderful tutorial, they can vastly improve the quality of their spam e-mail lists. The tutorial was even kind enough to provide the appropriate regex patterns at the bottom. How thoughtful.

    --
    Jens Wessling
  9. Re:No surprises here by inode_buddha · · Score: 2, Interesting
    I still wonder about the possibility of "poisoning" these address databases with automated tools, rendering the info useless. I think that tech like that in addition to legal and financial methods would be required overall to reduce spam. In other words, no one thing can do it, it will require all three methods (tech, legal, financial) working *together*.

    Hrmmm. Now all I need is a mailserver on a *real* big pipe to generate zillions of bogus addresses and a handful of bots to respond to spams with these addresses. Of course, those addresses wouldn't exist the next day or week or whatever... Set it all up and leave it running like that for a year or something...

    --
    C|N>K
  10. Spam job creation. by qualico · · Score: 1, Interesting

    Well, as a consultant/technician, I feel more job security in this new year. I received 70 spam emails today. The greatest amount in 1 day so far. This article confirms my prediction that 2004 will see an exponential growth of spam, zombies and open relays. That's not necessarily a bad thing. Now I can sell my services to companies who are looking to implement strategies for managing email privacy. For example, you could simply go to a company's web site and show them that they have a flaw in listing their email addresses on the site. The best method is to post them as a graphic. Simple and effective. Now if I can just get hired.

  11. War on Spam by LinuxMacWin · · Score: 2, Interesting

    Don't you think the war on spam should be fought as aggressively as the war on terror (ok, I know Iraq did sidetrack us from that war, but still). After all,

    1. just like terrorism, the spam mainly affects western countries...most of the uneducated masses do not have computers
    2. the spammers do not care if our life becomes hell...they are interested in their 72 virgins...or money in this case
    3. the harder we fight them, the more workarounds they find
    4. any time you turn to news, you find terrorism. any time you turn to computer, you find spam. does not matter whether it is a child's email account or a grownup's.
    5. it is a relatively low cost business. any tom, dick and harry can get up and start spamming. you never know when your next door neighbor is a spammer.

    If only the government and industry made it a mission to kill spam. The only way it can be killed is with collective will to do so. Prosecute the spammers at par with felony or higher. Kick the industry to find workable solutions without introducing proprietary protocols.

  12. Can't target spammers - target the links !. by openmtl · · Score: 2, Interesting
    Good to see that the email CDs are crap because it means that the really expensive lists that spam intermediaries trade depend upon the live/not live status. This is found out via magic flags in links on the emails or by naive humans hitting remove links.

    But the analysis shows that the raw lists are not all junk but still have value. What we now need to do is pollute the status of these.

    This can be done by actually visiting every link that a spam offers to you and checking the content of that page.

    It sounds like this would alert the spammers to your email being alive and unique and as an individual this would be a bad thing BUT what if EVERYONE did this? The web site would be hit (err just like a /.) in proportion to how much they supported spam.

    Especially effective if done at a Brightmail/ISP level where it is behind the scenes and hasn't even hit your account. And no one can say that visiting a link is something illegal.

    The analogy is shouting into a room of people and saying IS ANYONE HERE. If just 1 person replies then that's information. If everyone yells back then that's NOISE. Effectively what would happen is that a spammer sends out 1 Million emails and if say 250,000 replied back and visited their web site then they would have to seriously question if that was an effective campaign. Traditional media people would say yes BUT those 250,000 visits are in fact robots looking like humans. Ain't no sales from robots and just left with a large bandwidth bill.

    What it's saying is we need a co-ordinated community to effectively stop spam. Just a thought. What I haven't worked out is how to stop spammers using this as a DDOS attack. I suspect a robots directive but haven't worked out the logic yet.

  13. Re:This is NOT Simple by svanstrom · · Score: 2, Interesting
    > You say that this is simple, but it is not. In order to have an authoritative source for the data, one must have a named, vulnerable location to dispense it from. P2P networks function because everyone trusts everyone else, and if you download the latest Audioslave video, and it turns out to be Britney and Madonna making out, well then c'est la vie. If you download the latest blacklist, and it ends up shutting off legitimate email, then mon dieu!

    > Bittorrents, for example, must have a seed site out there somewhere. This site can be taken out, and any other "official" site that mirrors it. If the data is signed, then the official sources of such signed data are vulnerable (if you need to revoke the key). The general problem of anonymizing traffic, while being able to trust the data on it at the same time, is Hard.

    (I hate how everyone's starting to talk about bittorrents every time a distributed system is wanted, bittorrent isn't a miracle solution.)

    You're right that such a system isn't easily created, but it isn't as hard as you seem to think either; correctly set up the one in charge of the system could insert the signed updated data anywhere.

    The public key could be downloaded from the same website as most updates are downloaded from, but once that website is attacked the one responsible for that website uses his dialup/adsl to release the new data into the P2P-networks available to him.

    The website might be gone, but the "service" wouldn't die with it.
    --
    perl -e'print$_{$_} for sort%_=`lynx -dump svanstrom.com/t`'
  14. the master plan by Tumbleweed · · Score: 3, Interesting

    Okay, set up a site for potential spammers to buy one of these CDs. Require they give correct contact information to purchase.

    Once lots of them have purchased, send out the CDs with the list of people who purchased the CD.

    Profit and the joy of justice, all in the same business plan!

    "Oh yeah."
    - The Duffman

    "Evil's no good. Ya just don't cotton to it. You've gotta whack it on the nose with the rolled-up Newspaper of Justice, and say, 'Bad dog...bad dog!'"
    - The Tick (as best I can remember)

  15. How about a private-public key? by simetra · · Score: 3, Interesting

    Have a key that is like a public key, but isn't published to the world; only give it out to people from whom you authorize email to be delivered to you. If your incoming mail doesn't contain that key, delete it.

    Then, have a specifically formatted message type to handle key requests. Say if Betty wanted to email Veronica to request her private-public key, it would have to be in a strict format, say with the subject line: KEYREQ . For example: KEYREQ veronica@archie.com Hi it's veronica. ?? Then your email client could have a button called "Reply/Authorize".

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  16. Attack the Bulletproof Hosting Companies by Anonymous Coward · · Score: 5, Interesting
    Type "bulletproof hosting" into Google and you get lots of hits advertising "bulker friendly" and "assistance with spamming -- we do more than just give you a place to send from" sites.

    Why aren't these sites listed, real-time blacklisted, and DDoS'd by the good guys? If there is a SETI screensaver, why not a Pitchforks-and-Torches (my name for the angry mob of ordinary folks) one that, say, once a minute sends a query to known spam-friendly ISPs. A million of these would be a million messages a minute. Hard to call that a real DDoS attack from any one person since all I wanted was to see if their page has updated.

  17. Google makes money off spammers. by keyshawn632 · · Score: 2, Interesting

    While most e-mail users are disgusted @ companies who spam and have business relations with spammers or spam-friendly ISPs; Google has not been mentioned yet as a part of that group.
    By doing some searching on google - http://www.google.com/search?q=bulk+email+friendly+web+hosting+services&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8

    It's evident that would-be spammers can easily find spam-friendly ISPs with the help of Google's Sponsored Links.
    Google profits through the Spam-Friendly ISPs' sponsorships and advertisements.
    Does anyone see anything ethically wrong with that ???

  18. Re:Selling e-mail addresses shouldn't be illegal by fractaltiger · · Score: 2, Interesting
    > but I don't think it should be any more illegal to sell a CD with aggregated e-mail address than it should be to sell a phone book CD with telephone numbers

    I agree with the rest of your post. This part seems a bit forced if you think about this reality that we come across:

    When searching for a long lost friend, it is nearly impossible to find a phone number, or a working email address, and sometimes phonebooks list only partial names. Also, chances are that any user of a plain-old phone book will find a SINGLE # per private entity.
    So, if I had multiple phone lines, the secondary ones would stay hidden from the general public and allow us to avoid telemarketers or unsolicited calls from strangers.

    With this in mind, think about email: Having multiple email addresses, thanks to AOL's 7+ emails per "account," (compare "7" to how many phone #'s you have) the public can easily have multiple email addresses, to use one for work, another one for spam and so forth. Yet they all catch spam sooner or later... Getting back to the phone book issue, when's the last time your fax line got a telemarketing call? So if emails are more prone to bulk requests than even our phones, email directories would simplify the task of cataloguing all my undisclosed, private addresses --and I get lots of spam even despite the lack of a "free phonebook for emails." Heck, if I could pay for removing my address from such a phonebook the way I can do so for my phone #'s, I probably would.
    --
    "Wireless : LAN :: Laptop : Desktop"
  19. Whitehat CD by hey · · Score: 3, Interesting

    How about this... some whitehat could make and market a CD of millions of mail addresses. But they'd all be fake except a few for monitoring, spammer tarpits and a few of abuse@ISP and the feds ;-)

    Besides cutting down spam you'd be transferring money directly from the spammers to yourself.

  20. Re:This is NOT Simple by brandond1976 · · Score: 2, Interesting

    The problem is not that the sites are vulnerable, it's that law enforcement will not step in to enforce the laws and so the DDOS continues. So why don't we go with this idea but find a server that they might care about to store the data on. If the blacklists were distributed by p2p, signed with gpg/pgp and the key was stored on a high profile server it might work. This is assuming that law enforcement would take an attack on this machine more seriously (not at all guaranteed). There might be an even better server (maybe a .gov or .mil) where the key could be served from. I think the idea could work, if it is done properly.

  21. Re:Selling e-mail addresses shouldn't be illegal by calyphus · · Score: 2, Interesting
    It's not a question of allowing cc companies to reject payment. They already have that power. Just by including clauses to exclude specific businesses, as they do with child pornography. In the case of CP they use very broad definitions, broader than many government defs, to exclude anything remotely improper including art. Could art sites fight them in court? Sure. Can they afford to, to the point of winning? Seldom.

    Spammers are in the same boat. CC companies can, and should, deny service to spammers, but the CC Co's would have to actually research every business. Since someone looking to deceive could easily set up a CC merchant account for company X (the front) and receive payment through division Y (the actual website) the CC Co. can be distanced long enough for the spammer to keep division Y unknown to the CC Co.

    Unfortunately, any regulation, of any activity, depends on the penalties being enforceable against those without the ethics to abide to convention. Enforcement requires jurisdiction.

    Could spam be the cause célèbre that finally unites governments world-wide similar to the alien invasions of science fiction?

    --

    The potato it is uninformed.
  22. Re:Spam in Europe by surprise_audit · · Score: 2, Interesting
    > most spam comes from outside of the EU, or turns out to be untraceable anyway... so the question is if this new legislature would have any noticeable effect.

    So, for the purposes of legislation, maybe the answer is to divide spam into two categories.

    First category would be random junk, with no real product, or with no realistic way to reach the purveyor of said junk. It happens, you can't do much about it, let it slide.

    Second category, however, would be the spam advertising a real product/service, with some way of reaching the purveyor of said product/service. Such spam can be legislated against, by making it illegal to use spam to deliver advertising. If there's a means for a buyer to reach the seller, the same means can be used by law enforcement to kick the seller's ass.

    Think it couldn't happen? When was the last time you saw a billboard with a cigarette ad? I don't know if there was specific legislation against tobacco product ads, but there must certainly have been some "encouragement" for the tobacco companies to stop their ads.

  23. Re:This is NOT Simple by evilviper · · Score: 2, Interesting
    > In order to have an authoritative source for the data, one must have a named, vulnerable location to dispense it from.

    No, not at all. All you need is PGP. If the file's signature matches, it's the real thing. If it doesn't it's not. Pure P2P.

    > Bittorrents, for example, must have a seed site out there somewhere. This site can be taken out, and any other "official" site that mirrors it

    Gnutella would be much better. No central server.

    > If the data is signed, then the official sources of such signed data are vulnerable (if you need to revoke the key).

    I think it would be just fine if we had no way to revoke a key. Just make sure to keep it secure.

    Besides that, why not just post the revocation cert to the P2P network, signed by its own key? :-)

    It sounds amusing, but it really would work. If somebody else could make up a revoc cert and sign it with that key, the key is vulnerable anyhow.

    > The general problem of anonymizing traffic, while being able to trust the data on it at the same time, is Hard.

    Well, since I just came up with a solution in 30 seconds, it's not all that hard.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
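    The signed-blacklist scheme that svanstrom (comment 13) and evilviper (comment 23) argue over, as an added example that is not code from any poster: Go's standard-library ed25519 stands in for PGP, and the serial number, the sample domains and every function name are assumptions made here. It shows that validity comes from the publisher's signature rather than from where the file was fetched, that a copy altered in transit is rejected, that a self-signed revocation certificate can travel over the same untrusted channel, and it adds the check the posts leave out: a genuine but outdated list replayed by an attacker is refused as well.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// SignedList is what any peer (website, P2P node, a dial-up upload) hands you.
// Where it came from does not matter: only the publisher's signature makes it valid.
// The serial number is an assumption added here; the posts above do not mention it.
type SignedList struct {
	Serial uint64 // increases with every release, so a genuine but old copy is rejected
	Body   []byte // newline-separated blacklist entries
	Sig    []byte // ed25519 signature over serial || body
}

// signingInput binds the serial number to the body so an attacker cannot
// pair an old signed body with a new serial or vice versa.
func signingInput(serial uint64, body []byte) []byte {
	buf := make([]byte, 8, 8+len(body))
	binary.BigEndian.PutUint64(buf, serial)
	return append(buf, body...)
}

// Publish is the list maintainer's side; only the holder of priv can produce it.
func Publish(priv ed25519.PrivateKey, serial uint64, entries []string) SignedList {
	body := []byte(strings.Join(entries, "\n") + "\n")
	return SignedList{Serial: serial, Body: body, Sig: ed25519.Sign(priv, signingInput(serial, body))}
}

// Verify is the consumer's side. pub is pinned out of band (shipped with the
// client, published once on the website); lastSerial is the newest list already
// accepted, so replaying a stale but correctly signed list is refused too.
func Verify(pub ed25519.PublicKey, lastSerial uint64, l SignedList) ([]string, error) {
	if !ed25519.Verify(pub, signingInput(l.Serial, l.Body), l.Sig) {
		return nil, errors.New("bad signature: not produced by the list publisher")
	}
	if l.Serial <= lastSerial {
		return nil, fmt.Errorf("stale list: serial %d is not newer than %d", l.Serial, lastSerial)
	}
	var entries []string
	for _, line := range bytes.Split(bytes.TrimSpace(l.Body), []byte("\n")) {
		if s := strings.TrimSpace(string(line)); s != "" {
			entries = append(entries, s)
		}
	}
	return entries, nil
}

// revokeInput is the fixed statement a key signs to declare itself dead.
func revokeInput(pub ed25519.PublicKey) []byte {
	return append([]byte("REVOKE:"), pub...)
}

// Revoke creates the self-signed revocation certificate evilviper describes:
// anyone may relay it over the P2P network, but only the key holder can make it,
// and a key whose holder can no longer sign is compromised anyway.
func Revoke(priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, revokeInput(priv.Public().(ed25519.PublicKey)))
}

// IsRevoked tells a consumer to stop trusting pub once a valid certificate arrives.
func IsRevoked(pub ed25519.PublicKey, cert []byte) bool {
	return ed25519.Verify(pub, revokeInput(pub), cert)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher's key pair
	if err != nil {
		panic(err)
	}
	// Constructed sample entries; not real blacklist data.
	release := Publish(priv, 1, []string{"spam.example", "bulk.example"})

	entries, err := Verify(pub, 0, release)
	fmt.Println("genuine copy:", entries, err)

	// A copy altered in transit: same serial, one entry swapped for an innocent domain.
	tampered := release
	tampered.Body = bytes.Replace(release.Body, []byte("bulk.example"), []byte("good.example"), 1)
	_, err = Verify(pub, 0, tampered)
	fmt.Println("tampered copy:", err)

	// The same genuine copy offered again after release 1 is already installed.
	_, err = Verify(pub, 1, release)
	fmt.Println("replayed copy:", err)

	cert := Revoke(priv)
	fmt.Println("revocation accepted:", IsRevoked(pub, cert))
}
```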
  24. Re:Spam in Europe by AK+Marc · · Score: 2, Interesting

    > However, it claims nine out of ten spam emails are either untraceable or come from operations outside the European Union.

    Then they should come up with a better law. The tax laws for the US not only require that foreigners in the US pay income tax, but US citizens in foreign countries can be required to pay US income tax even without having set foot in the US for the year they are gone. Just because they aren't local does not mean that the law can not apply to them, even if it would be hard to enforce. If a company "does business" in a country, then it should be held to those standards. If the government enforcers had a clue, they could stop spam with little effect on other traffic, but the methods may be more draconian than many would like.

    All traffic into a country travels over a few links (even 100 is a "few" links on the scale of the Intranet). Tracking the spammers and blocking them at those choke points would stop outside spam. Inside spam would be dealt with by local laws.

    And, though it seems to be a smaller portion of spam, clickthrough spam is still a problem. That is easier to deal with. Require that the companies that pay for clicks only pay domestic physical addresses and agree to turn over the names and addresses of those that spam to the authorities.

    But I don't see that there will be any fix for spam to come from laws. The people writing the laws are technically ignorant (so they will not be able to anticipate the loopholes or possible abuses) and big businesses will oppose it on the grounds that it may interfere with marketing efforts, and the government here has long been of the people, by the people, and for the corporations.

  25. P2P + PGP == Unassailable Spamcop Source by IBitOBear · · Score: 2, Interesting

    I really don't know why this is so hard for people to understand, but it "shouldn't" be that hard to create a peer-to-peer, fully trusted spam blacklist system.

    1) Take a well known provider of such lists and have him generate himself a PGP/GPG (etc) key.

    2) Create a hashing algo that can be applied to email addresses and domain names and produces (about) 60 or so distinct hashes.

    3) Coordinate the email blacklists into N files where N is the number of hash results from item 2. These are the N components to the complete list. IF you have an address X and its hash is Xn then if the address doesn't appear in file N the address is not blacklisted.

    4) Construct (or use an existing) P2P app to distribute these N files. Ideally the P2P system in question can "bias" the fetch operation to favor retrieval from "previously known good" sources.

    Here are the fine points:

    A) The GPG secret key, and not the "location fetched from", is the magic that marks the list valid. You can not DDOS a secret key, just an originator.

    B) A first-order web of trust, instead of a simple key, could also be used. That is, instead of requiring a signature from the master key, require a signature from a key signed by the master key. This way "the one key" can stay relatively unused while persons need to attack the rotating and regularly expiring frontage keys if they want to game the transfer for any reason.

    C) The master key and the frontage keys don't have to equate to any real nor active network facility. They only need to be unique in key space. You simply *CANNOT* attack a namespace that isn't backed up by a physical facility. (For instance, if the master key were "master@control.spamcop.org", spamcop.org itself could be pointed at Geocities or something or nothing at all.)

    D) While a current (Kazaa-esque) P2P app would probably be less than ideal for the actual transport, it wouldn't be difficult to design a P2P style distribution mechanism. It wouldn't need to be any more subtle than a bunch of http mirrors really, as long as the mirroring system (rdist/wget alike) would only put the files in the public directory if they passed a frontage-key/master-key signing test.

    In practice you would probably want to distribute a signed known-mirrors (root) file too.

    [Then again, a shite load of ptr records in a "spamcop.org" dns table could function as the analog of an MX table for this rooting purpose. Those sites would tend to become targets, but only for as long as the list size were small.]

    If a "real" P2P app, or even a well designed friend-of-friend http-based network were put together and reached a core complexity of at least a couple dozen known base points, it would be unquenchable. The target density would be too diverse to attack effectively. It would be like trying to DDOS "all the bloggers on the net".

    Heck, set a pseudo standard: Every domain that wants to join the P2P network "backbone" should issue itself a "spamcop@my.domain" key and then do a challenge/response signing (on connection each party sends the other a challenge, gets the challenge back signed, checks the signature as valid) when it comes onto the backbone. Organize the thing like IRC but with records kept for keys used. Add some throttling (like IRC flood protection) and you are off. Abusers can be tracked down to their hosts and keys.

    Then you can devolve. Regular users don't have to have keys to join the net and request information. Keys and domains can be blacklisted (possibly together?).

    Heck, use the haxors' techniques. Actually get permission to stake out some IRC channels to act as the root seed broadcast-style distribution system (list of known good core hosts, again, such lists are signed).

    All you have to do is get some distribution without losing authenticity. That is what public keys are all about. The anti-assailable nature of P2P and the semi-chaotic nature of IRC have their legitimate purposes. Now all you need is to use these systems for good instead of evil.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
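    The core of the scheme in the post above, steps 2 through 4 and fine points A and D, is that the signature, not the download location, decides whether a list file is trusted. The following is an added example and not code from the post or from SpamCop: it stands in Ed25519 (Go's crypto/ed25519) for the PGP/GPG key the post mentions, uses a single master key rather than the frontage-key web of trust in point B, and shards addresses into NumShards = 60 files by SHA-256 of the address. The blacklist entries and the Mirror, Publish and Shard names are constructed for the example. The Mirror type plays the role of the rdist/wget mirror in point D: it stores a shard only if the signature verifies and the signed header matches the shard index it claims.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
	"strings"
)

// NumShards is the number of list files the blacklist is split into (the post suggests about 60).
const NumShards = 60

// Shard maps an address to the list file that would contain it: SHA-256 of the
// lowercased address, first 8 bytes as an integer, reduced mod NumShards.
func Shard(addr string) int {
	sum := sha256.Sum256([]byte(strings.ToLower(addr)))
	return int(binary.BigEndian.Uint64(sum[:8]) % uint64(NumShards))
}

// SignedShard is one list component plus the originator's signature over it.
type SignedShard struct {
	Index int
	Body  []byte // "shard <n>\n" header followed by one blacklisted address per line
	Sig   []byte
}

// buildBody serialises a shard deterministically so every mirror sees identical bytes.
func buildBody(index int, addrs []string) []byte {
	sort.Strings(addrs)
	return []byte(fmt.Sprintf("shard %d\n%s\n", index, strings.Join(addrs, "\n")))
}

// Publish partitions the blacklist into NumShards files and signs each with the master key.
// This is the only step that needs the secret key; it can run anywhere, offline.
func Publish(priv ed25519.PrivateKey, blacklist []string) []SignedShard {
	buckets := make([][]string, NumShards)
	for _, a := range blacklist {
		a = strings.ToLower(a)
		buckets[Shard(a)] = append(buckets[Shard(a)], a)
	}
	out := make([]SignedShard, NumShards)
	for i, addrs := range buckets {
		body := buildBody(i, addrs)
		out[i] = SignedShard{Index: i, Body: body, Sig: ed25519.Sign(priv, body)}
	}
	return out
}

// Mirror holds only shards whose signature verifies against the master public key.
// Where the shard was fetched from is irrelevant; a tampered copy from any peer is dropped.
type Mirror struct {
	pub    ed25519.PublicKey
	shards map[int]SignedShard
}

func NewMirror(pub ed25519.PublicKey) *Mirror {
	return &Mirror{pub: pub, shards: make(map[int]SignedShard)}
}

// Accept stores the shard and returns true only if the signature verifies and the
// signed header names the same index the shard claims (so a valid shard cannot be
// replayed under another index to hide entries).
func (m *Mirror) Accept(s SignedShard) bool {
	if !ed25519.Verify(m.pub, s.Body, s.Sig) {
		return false
	}
	if !strings.HasPrefix(string(s.Body), fmt.Sprintf("shard %d\n", s.Index)) {
		return false
	}
	m.shards[s.Index] = s
	return true
}

// IsBlacklisted consults only the shard the address hashes to, as step 3 describes.
func (m *Mirror) IsBlacklisted(addr string) bool {
	s, ok := m.shards[Shard(addr)]
	if !ok {
		return false
	}
	want := strings.ToLower(addr)
	for _, line := range strings.Split(string(s.Body), "\n")[1:] {
		if line == want {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed blacklist entries, not real addresses.
	shards := Publish(priv, []string{"spammer@example.com", "Bulk@Example.net"})
	m := NewMirror(pub)
	accepted := 0
	for _, s := range shards {
		if m.Accept(s) {
			accepted++
		}
	}
	fmt.Printf("mirror accepted %d/%d shards\n", accepted, len(shards))
	fmt.Println("spammer@example.com blacklisted:", m.IsBlacklisted("spammer@example.com"))
}
```

    A real deployment would also sign the known-mirrors file the post mentions and rotate frontage keys; the check that matters is the same one Accept performs, applied before anything is copied into a public directory.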
  26. Bayesian is still good by siskbc · · Score: 3, Interesting
    Mark my words: within a year Bayesian filtering will be another dead suggestion in the pile of stopgap solutions to the problem.

    I doubt that, at least to the extent you likely intend it. The great thing about Bayesian filtering is that it's adaptive. So they would have to dramatically increase the rate at which they discover and use filter-killing tricks for this to work.

    I'm running Mozilla, and in the last 8 months (roughly) I've gotten 10,000 spams - modest, but a great library for catching spams. I catch about 97% or more of them. And I can tell when they come out with a new trick - my catch rate will drop to say 80% for a day, after which my filter catches up to the new trick. In fact, when they don't have new tricks, my catch rate is about 99+%. Most of what gets through is new tricks.

    I'd say now, they come out with a filter-busting trick maybe once a month. For spam to become a problem to my client, they'd have to do it better than once a day. I don't think they have the resources to do that.

    --

    -Looking for a job as a materials chemist or multivariat
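    The adaptivity described in the post above (a new trick drops the catch rate until the filter is retrained on it) can be seen in a small token-level naive Bayes filter. This is an added example, not Mozilla's filter or any code from the post: the training corpus, the obfuscated "trick" message and the Filter, Train and SpamProbability names are all constructed for illustration. It uses Laplace smoothing and log-space arithmetic, and shows the same message scoring as ham before the user labels it and as spam after one Train call.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// Filter is a multinomial naive Bayes classifier over message tokens. It keeps raw
// per-class counts, so one Train call folds a newly labelled message into the model
// and the next score already reflects it: that is the adaptivity the post relies on.
type Filter struct {
	spamTok, hamTok     map[string]int
	spamMsgs, hamMsgs   int
	spamTotal, hamTotal int
}

func NewFilter() *Filter {
	return &Filter{spamTok: map[string]int{}, hamTok: map[string]int{}}
}

// tokens lowercases and splits on anything that is not a letter or digit, so
// "v1agra" and "viagra" are different tokens; that gap is what an obfuscation trick exploits.
func tokens(msg string) []string {
	notWord := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	return strings.FieldsFunc(strings.ToLower(msg), notWord)
}

// Train adds one labelled message to the counts.
func (f *Filter) Train(msg string, spam bool) {
	for _, t := range tokens(msg) {
		if spam {
			f.spamTok[t]++
			f.spamTotal++
		} else {
			f.hamTok[t]++
			f.hamTotal++
		}
	}
	if spam {
		f.spamMsgs++
	} else {
		f.hamMsgs++
	}
}

// vocabSize is the number of distinct tokens seen in either class (for add-one smoothing).
func (f *Filter) vocabSize() float64 {
	seen := make(map[string]struct{}, len(f.spamTok)+len(f.hamTok))
	for t := range f.spamTok {
		seen[t] = struct{}{}
	}
	for t := range f.hamTok {
		seen[t] = struct{}{}
	}
	return float64(len(seen))
}

// SpamProbability returns P(spam | message) with Laplace-smoothed token likelihoods,
// accumulated in log space so long messages do not underflow.
func (f *Filter) SpamProbability(msg string) float64 {
	v := f.vocabSize()
	n := float64(f.spamMsgs + f.hamMsgs)
	logSpam := math.Log((float64(f.spamMsgs) + 1) / (n + 2))
	logHam := math.Log((float64(f.hamMsgs) + 1) / (n + 2))
	for _, t := range tokens(msg) {
		logSpam += math.Log((float64(f.spamTok[t]) + 1) / (float64(f.spamTotal) + v))
		logHam += math.Log((float64(f.hamTok[t]) + 1) / (float64(f.hamTotal) + v))
	}
	return 1 / (1 + math.Exp(logHam-logSpam))
}

// IsSpam applies the usual 0.5 decision threshold.
func (f *Filter) IsSpam(msg string) bool { return f.SpamProbability(msg) > 0.5 }

// Constructed training corpus (not real mail): plain spams and a few work e-mails.
var SpamCorpus = []string{
	"buy cheap viagra online now limited offer",
	"cheap pills online click here for your free offer",
	"make money fast work from home click now",
	"free offer buy now lowest prices online",
}
var HamCorpus = []string{
	"meeting tomorrow at noon to review the project budget",
	"can you send me the report before the call",
	"thanks for the patch it builds fine on my machine",
	"lunch on friday with the team",
}

// TrainedFilter returns a filter trained on the constructed corpus only.
func TrainedFilter() *Filter {
	f := NewFilter()
	for _, m := range SpamCorpus {
		f.Train(m, true)
	}
	for _, m := range HamCorpus {
		f.Train(m, false)
	}
	return f
}

func main() {
	f := TrainedFilter()
	// Constructed "new trick": obfuscated product words padded with ham-looking text.
	trick := "v1agra ch3ap 0nline - meeting the project budget"
	fmt.Printf("before retraining: P(spam)=%.3f\n", f.SpamProbability(trick))
	f.Train(trick, true) // the user marks the evader as spam
	fmt.Printf("after retraining:  P(spam)=%.3f\n", f.SpamProbability(trick))
	fmt.Printf("unseen variant:    P(spam)=%.3f\n",
		f.SpamProbability("ch3ap v1agra 0nline n0w read the project report"))
}
```

    The first score is low because none of the obfuscated tokens has been seen and the padding words are all ham; after a single labelled example the same tokens carry spam weight, which is why the post's catch rate recovers within a day of a new trick appearing.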

  27. Re:Selling e-mail addresses shouldn't be illegal by Alsee · · Score: 4, Interesting

    If you are selling a product that will only make you about $50 a year per customer, and have to spam 10,000 people ... there's no way you are actually turning a profit.

    Unfortunately it CAN be profitable. You missed the fact that the cost of sending spam is vanishingly small.

    Let's assume that one in ten thousand response rate. Let's assume $50 total profit. Let's assume you send a measly 2 spams per second (1.2 million per week). That is over $314,000 per year.

    It will be profitable as long as your expenses are less than that. Hardware costs: insignificant. Software costs: insignificant. Address lists: insignificant. Labor: one person part time. Bandwidth: Maybe several thousand, but still not significant.

    If some of them keep buying herbal viagra every year it becomes that much more profitable. When you find such a "live one" they are prime candidates for every other crack-pot offer you dream up. One single fruit-cake can be a gold mine giving you a few thousand per year.

    I hate working out this math, it almost makes me want to go into the spam business. On the other hand if you do the math it becomes clear that each spammer can easily kill entire LIFESPANS worth of other people's time just deleting this crap.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  28. But they'd find out The Hard Way by billstewart · · Score: 2, Interesting
    Rule #1: Spammers always Lie. Rule#2: Spammers are Stupid

    You're not going to sell this CD to Alan Ralsky or his ilk, the professional Florida ROKSO members or the newer mafiosi who run their own harvesters (you'll leave attractive-nuisance web pages around for them :-) This kind of product is designed for the Gullible Bottom-Feeder spammers, the anklebiters who think they'll Make Money Fast by buying a CD from the big professional spammers. That means they'll either see your ads and believe them, or they won't, but they won't have the clue about how to ask around for other spammers who've bought your fine product and are now in jail or court or bankruptcy or buried in paper junkmail or keep getting their single-wide trailer windows broken, plus you'll have had fun taking them for $39 and any other optional services you've sold them, like "bullet-proof hosting" and "spam-free bulk email delivery ISP services".

    For the slightly brighter potential spammers, word may get around faster (e.g. it shows up in Google next to your ad), but that's ok - any meme that says buying cheap spamware is dangerous is a Good Meme. The problem is making sure that *you* are hard to trace, because the guy in the singlewide trailer may have a doublewide baseball bat, and the slightly brighter spammer may have a kid brother who's a 31337 Skr14t K1dD13 who can annoy you as well.

    The other problem, of course, is how to reach your potential customer base, other than by spamming... Google's a start.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks