Slashdot Mirror


What You Get When You Buy a Spam CD

defender writes "Recently over here in The Netherlands, the spam versus anti-spam 'war' has hardened. More professional spamming coming from a handful of hard-core spammers utilizing bulletproof hosting in India, chained open proxies, more and more false whois information, etc. One of the more known anti-spam people has been sent one of the subjects of those spams: a CD with millions of e-mail addresses of 'individuals' and hundreds of thousands of 'businesses'... Rejo Zenger has done an analysis of such a CD, which is fuelling new debate as to why the recent EU anti-spam directive was weakened because of businesses complaining or indicating that spam wasn't a big issue for them."

16 of 518 comments

  1. Spammers are beginning to organise by Tirel · · Score: 5, Interesting

    It's been reported that SpamCop is paying upwards to $30K / year for bandwidth as a direct cause of the continuous DDOS attacks on it.

    The spammers are doing everything they can to squeeze the anti-spammers out. They use frivolous lawsuits (aka Mark Felstein and his porn spamming backers) or DDOS attacks that either knock the anti-spam resources off completely or increase the costs so that no hobbyist can run them.

    And while all this is going on, the law enforcement agencies are doing nothing to counter the clearly illegal acts of the spammers.

    And ISPs are doing NOTHING to reduce the number of zombies on their networks. So the DDOS attacks continue.

    Nice going.

    It's only a matter of time when someone (Al Qaeda?) will use the zombie network for something that will truly be noticed.

    1. Re:Spammers are beginning to organise by Lumpy · · Score: 4, Interesting

      A simple answer is a bittorrent solution to the blacklists or other data, or a p2p type of app to get the lists or data out to the servers/customers.

      If you don't have one target to attack, and don't allow the scumbags to modify the data file (md5 sums + other means to ensure the file is real)... you can end run these spamming scumbags.

      I for one don't understand why this has not been done already.

      --
      Do not look at laser with remaining good eye.
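
The integrity check suggested in the comment above, sketched as an added example that is not part of the original thread: a subscriber pulls blocklist pieces from untrusted peers and keeps only those whose hash matches a publisher manifest. It uses SHA-256 rather than MD5, since MD5 collisions are practical. The piece size, peer names, helper functions and the out-of-band delivery of the root digest are assumptions made for illustration.

```python
import hashlib

PIECE_SIZE = 64  # bytes; small so the constructed sample spans several pieces

def digest(data):
    return hashlib.sha256(data).hexdigest()

def make_manifest(blob):
    """Publisher: hash every piece, then hash the list of piece hashes."""
    pieces = [digest(blob[i:i + PIECE_SIZE]) for i in range(0, len(blob), PIECE_SIZE)]
    return pieces, digest("".join(pieces).encode())

def fetch_verified(manifest, trusted_root, peers):
    """Subscriber: keep a piece only if its hash matches the manifest."""
    if digest("".join(manifest).encode()) != trusted_root:
        raise ValueError("manifest does not match the publisher's root digest")
    good, rejected = [], []
    for index, expected in enumerate(manifest):
        for name, get_piece in peers.items():
            piece = get_piece(index)
            if digest(piece) == expected:
                good.append(piece)
                break
            rejected.append((name, index))  # bad piece: try the next peer
        else:
            raise ValueError(f"no peer served a valid piece {index}")
    return b"".join(good), rejected

def peer_serving(blob):
    """Hypothetical peer: returns whatever bytes it holds for a piece index."""
    return lambda index: blob[index * PIECE_SIZE:(index + 1) * PIECE_SIZE]

# Constructed blocklist using documentation-range addresses (RFC 5737).
BLOCKLIST = b"".join(b"192.0.2.%d\n" % n for n in range(1, 21))
TAMPERED = BLOCKLIST.replace(b"192.0.2.7\n", b"192.0.2.0\n")  # one entry swapped

def run_demo():
    manifest, root = make_manifest(BLOCKLIST)  # root arrives out of band (assumed)
    peers = {"tampering-peer": peer_serving(TAMPERED),
             "honest-peer": peer_serving(BLOCKLIST)}
    return fetch_verified(manifest, root, peers)

if __name__ == "__main__":
    data, rejected = run_demo()
    print(data == BLOCKLIST, rejected)
```

Only the small root digest has to come from the publisher; every piece can come from any peer, so there is no single bulk download point to knock over.
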
    2. Re:Spammers are beginning to organise by the_mad_poster · · Score: 4, Interesting

      Seriously... what would happen if everyone here went rogue, said "fuck it", and just actively blew away spammers (online, mind you, we don't need any gun-toting geeks for the love of god)?

      With 700,000+ people on slashdot, a less than 1% high techno-competency rate (let the jokes fly...) would yield 7000 individuals from this site alone capable of tracking spam, breaking down proxies and ISPs, stealing and altering logs, etc. How long would it take before 7000 militant hackers working together broke down the spammers under an onslaught of attacks as underhanded as the ones the spammers are using? People like Ralsky aren't even that smart, technologically. I'm willing to bet that once the tough part is done: tracking them, actually beating the daylights out of their systems and them wouldn't be that hard.

      Of course, each individual would have to be willing to deal with the fact that they could be one of the people that gets arrested and charged with a couple of felonies. Sort of like the old trick "yep - all three of you can surely beat me, but the first one in to try it dies". Who wants to be the hero?

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    3. Re:Spammers are beginning to organise by svanstrom · · Score: 4, Interesting
      Seriously... what would happen if everyone here went rogue, said "fuck it", and just actively blew away spammers (online, mind you, we don't need any gun-toting geeks for the love of god)?


      We could do it without saying "fuck it"...

      Seriously, it doesn't take a genius to write a virus/worm that takes advantage of the latest virus/worm-problem, patches the local system, spends 30 minutes attacking spammers and spreading to other infected systems, after which it just erases itself.

      _ONE_ person is enough for such a thing, and sooner or later someone will do it.
      --
      perl -e'print$_{$_} for sort%_=`lynx -dump svanstrom.com/t`'
    4. Re:Spammers are beginning to organise by gmack · · Score: 4, Interesting

      No.. it's not.

      Having run an opt-in mailing list for a previous employer I can tell you that some people sign up then go complain to spamcop when they actually get the email. And then the mail server gets an instant blacklist thanks to the automated system and you're stuck with the rest of the emails getting bounced.

      The problem gets worse when they black out the email addresses so it becomes impossible to tell who actually wanted off.

    5. Re:Spammers are beginning to organise by the_mad_poster · · Score: 3, Interesting

      I think we'd all rather see an elegant solution here.

      I don't WANT regulation, plain and simple. The government fucks up enough things without sticking its nose in the Internet too. It would be nice, however, if they'd bother to investigate and prosecute spammers and spam-virus writers the way they go after the "real Bad Guys" like Mitnick or Phiber Optik.

      I think we'd all rather see an elegant solution here. I think we'd all rather NOT see More DOS attacks.

      Agreed on both counts. But, I don't see any elegant solutions in the works and the ones that are on the way are already under attack. Bayesian filtering is trivially circumvented with blocks of "real" text to drive down the % likelihood of a spam being labeled as such and, at the same time, drive UP the likelihood that a legitimate message is labeled as spam. It's the best stopgap to date, but it will fail eventually. As for the DDoSs - a good way to put a total stop to them would be to wipe out the spammers. Sure, there'd be a huge spike for awhile if people DDoSed in return, but that's a clunky, temporary solution to them. There's far more "elegant" ways to fight back.

      And, physical violence? Sort of. It's more akin to someone driving past your mailbox and bashing it in every time you get a new one. When you call the cops and they don't or can't do anything about it, what do you do? I'll tell you a good counter-measure: when you hear them coming down the street *pok* *pok* *pok* - grab a crowbar and hide in the bushes. As they slow down to pop your mailbox next, jump out and smash the back windshield of the car.

      Never saw 'em again.

      If the law can't be bothered to handle it (prosecution), and it can't be settled peacefully ("elegant" technology), I have no problem with a gun battle in the streets as long as the "victims" that you're fighting for approve of it.

      Now, if someone has a serious proposal for retooling the SMTP or has some other workable solution to the problem, and has a plan for rolling it out, I'm all ears. However, I don't see a serious proposal that will be ready NOW and spam is a HUGE problem NOW. A solution that's going to take another 5 years to develop and implement is NOT ACCEPTABLE. The spammers are going to destroy e-mail in the process. They are not playing by the rules, they are not playing by the law, and nobody has a realistic solution that will be ready in time. Why should anybody else play by the rules if the law's not going to deal with them?

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  2. The same thing happens here... by bc90021 · · Score: 5, Interesting

    Any CD that is sold containing email addresses invariably has some that work, but the vast majority are just generated. I once knew someone (and I no longer communicate with that person) who insisted that spam was the only way to sell his products. He paid $400 to some marketing company, and they sold him a CD with a million addresses. He asked me to look at it, and my conclusions were that he got ripped off. He didn't want to believe me, but the sheer number of addresses that were obviously generated proved to me that someone had written a quick script to create addresses. A good portion of the addresses were also old-school, with lots of "71532.4532@compuserve.com" type addresses.

    Spammers aren't just evil for selling addresses, they are evil for making up about 3/4 of the ones that they do sell, and anyone who buys a CD with email addresses on it should be aware of that.

  3. I've often wondered... by psycho_tinman · · Score: 3, Interesting

    Yes, it's great that people embed "remove-this" and so on into their email addresses at Slashdot and other places (like Usenet), for example to make it harder for bots to parse and detect valid email addresses..

    But one wonders if tools can't easily be written to remove basic patterns of that sort ... a simple substitute (or regex, whatever) would cleanse quite a few addresses, especially on UseNet..

    Why is this worth it ? playing devil's advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances ? ) and thus the spam would be more "directed" ?

    Along those lines, how much longer before someone just hires a high school kid to manually "collect" addresses ? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..

    It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought ? If it's per item, then there is a good incentive to cleanse, I'd think..

    1. Re:I've often wondered... by Golias · · Score: 3, Interesting
      Why is this worth it ? playing devil's advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances ? ) and thus the spam would be more "directed" ?

      If your business model depends on targeting spam at people who hate spam enough to obfuscate their e-mail address, you are not going to be in business very long.

      Besides, the whole point of spam is that it's a cheap broad scattershot. If you were willing to go to the trouble of demographic research, you would probably be better off buying a banner ad at megatokyo.com or something.

      --

      Information wants to be anthropomorphized.

  4. Do me a favour by skinfitz · · Score: 5, Interesting

    Edit the CD to include the email address of every politician the world over, along with known spammers and the editor of every media outlet. If you can, use addresses that forward a notification to their mobile phone via SMS, then sell the new CD.

    We'll soon see a change in the law.

    Ahh I can dream.

  5. the master plan by Tumbleweed · · Score: 3, Interesting

    Okay, set up a site for potential spammers to buy one of these CDs. Require they give correct contact information to purchase.

    Once lots of them have purchased, send out the CDs with the list of people who purchased the CD.

    Profit and the joy of justice, all in the same business plan!

    "Oh yeah."
    - The Duffman

    "Evil's no good. Ya just don't cotton to it. You've gotta whack it on the nose with the rolled-up Newspaper of Justice, and say, 'Bad dog...bad dog!'"
    - The Tick (as best I can remember)

  6. How about a private-public key? by simetra · · Score: 3, Interesting

    Have a key that is like a public key, but isn't published to the world; only give it out to people from whom you authorize email to be delivered to you. If your incoming mail doesn't contain that key, delete it.

    Then, have a specifically formatted message type to handle key requests. Say if Betty wanted to email Veronica to request her private-public key, it would have to be in a strict format, say with the subject line: KEYREQ . For example: KEYREQ veronica@archie.com Hi it's veronica. ?? Then your email client could have a button called "Reply/Authorize".

    --

    "Would it kill you to put down the toilet seat?" -- Maya Angelou
  7. Attack the Bulletproof Hosting Companies by Anonymous Coward · · Score: 5, Interesting
    Type "bulletproof hosting" into Google and you get lots of hits advertising "bulker friendly" and "assistance with spamming -- we do more than just give you a place to send from" sites.


    Why aren't these sites listed, real-time blacklisted, and DDoS'd by the good guys? If there is a SETI screensaver, why not a Pitchforks-and-Torches (my name for the angry mob of ordinary folks) one that, say, once a minute sends a query to known spam-friendly ISPs. A million of these would be a million messages a minute. Hard to call that a real DDoS attack from any one person since all I wanted to see if their page has updated.

  8. Whitehat CD by hey · · Score: 3, Interesting

    How about this... some whitehat could make and market a CD of millions of mail addresses. But they'd all be fake except a few for monitoring, spammer tarpits and a few of abuse@ISP and the feds ;-)

    Besides cutting down spam you'd be transferring money directly from the spammers to yourself.

  9. Bayesian is still good by siskbc · · Score: 3, Interesting
    Mark my words: within a year Bayesian filtering will be another dead suggestion in the pile of stopgap solutions to the problem.

    I doubt that, at least to the extent you likely intend it. The great thing about Bayesian filtering is that it's adaptive. So they would have to dramatically increase the rate at which they discover and use filter-killing tricks for this to work.

    I'm running Mozilla, and in the last 8 months (roughly) I've gotten 10,000 spams - modest, but a great library for catching spams. I catch about 97% or more of them. And I can tell when they come out with a new trick - my catch rate will drop to say 80% for a day, after which my filter catches up to the new trick. In fact, when they don't have new tricks, my catch rate is about 99+%. Most of what gets through is new tricks.

    I'd say now, they come out with a filter-busting trick maybe once a month. For spam to become a problem to my client, they'd have to do it better than once a day. I don't think they have the resources to do that.

    --

    -Looking for a job as a materials chemist or multivariat
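
The adaptive behaviour described in the comment above, as an added example that is not part of the original thread and is not Mozilla's implementation: a toy naive Bayes filter misses a spam padded with ordinary words, then catches the next message using the same padding once the missed one has been marked as junk. The corpus and messages are constructed sample data, and the class and function names are illustrative.

```python
import math
from collections import Counter

class NaiveBayesFilter:
    """Toy multinomial naive Bayes with add-one smoothing."""

    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.words[label].update(text.lower().split())
        self.messages[label] += 1

    def spam_probability(self, text):
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        n_spam = sum(self.words["spam"].values()) + vocab
        n_ham = sum(self.words["ham"].values()) + vocab
        # Start from the class prior, then add each token's log-likelihood ratio.
        log_odds = math.log(self.messages["spam"] / self.messages["ham"])
        for word in text.lower().split():
            log_odds += math.log((self.words["spam"][word] + 1) / n_spam)
            log_odds -= math.log((self.words["ham"][word] + 1) / n_ham)
        log_odds = max(-50.0, min(50.0, log_odds))  # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))

# Constructed sample corpus.
HAM = ["meeting moved to friday please review the agenda",
       "lunch on friday with the project team",
       "please review the attached project report"]
SPAM = ["cheap pills buy now limited offer",
        "buy cheap watches now best offer",
        "limited offer cheap pills click now"]
PADDING = "please review meeting agenda project report team friday"
MISSED = "cheap pills buy now " + PADDING              # slips through on day one
NEXT_DAY = "limited offer buy watches now " + PADDING  # same trick, new wording
LEGIT = "please review the project agenda for friday meeting"

def run_demo():
    f = NaiveBayesFilter()
    for text in HAM:
        f.train(text, "ham")
    for text in SPAM:
        f.train(text, "spam")
    before = f.spam_probability(NEXT_DAY)
    f.train(MISSED, "spam")  # the user marks the missed message as junk
    return before, f.spam_probability(NEXT_DAY), f.spam_probability(LEGIT)

if __name__ == "__main__":
    print("before=%.3f after=%.3f legit=%.3f" % run_demo())
```
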

  10. Re:Selling e-mail addresses shouldn't be illegal by Alsee · · Score: 4, Interesting

    If you are selling a product that will only make you about $50 a year per customer, and have to spam 10,000 people ... there's no way you are actually turning a profit.

    Unfortunately it CAN be profitable. You missed the fact that the cost of sending spam is vanishingly small.

    Let's assume that one in ten thousand response rate. Let's assume $50 total profit. Let's assume you send a measly 2 spams per second (1.2 million per week). That is over $314,000 per year.

    It will be profitable as long as your expenses are less than that. Hardware costs: insignificant. Software costs: insignificant. Address lists: insignificant. Labor: one person part time. Bandwidth: Maybe several thousand, but still not significant.

    If some of them keep buying herbal viagra every year it becomes that much more profitable. When you find such a "live one" they are prime candidates for every other crack-pot offer you dream up. One single fruit-cake can be a gold mine giving you a few thousand per year.

    I hate working out this math, it almost makes me want to go into the spam business. On the other hand if you do the math it becomes clear that each spammer can easily kill entire LIFESPANS worth of other people's time just deleting this crap.

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.