Slashdot Mirror
What You Get When You Buy a Spam CD
defender writes "Recently over here in The Netherlands, the spam versus anti-spam 'war' has hardened. More professional spamming coming from a handful of hard-core spammers utilizing bulletproof hosting in India, chained open proxies, more and more false whois information, etc. One of the more known anti-spam people has been sent one of the subjects of those spams: a CD with millions of e-mail addressess of 'individuals' and hundreds of thousands of 'businesses'... Rejo Zenger has done an analysis of such a CD, which is fuelling new debate as to why the recent EU anti-spam directive was weakened because of businesses complaining or indicating that spam wasn't a big issue for them."
It's been reported that SpamCop is paying upwards to $30K / year for bandwidth as a direct cause of the continous DDOS attacks on it.
The spammers are doing everything they can to squeeze the anti-spammers out. They use frivolous lawsuits (aka Mark Felstein and his porn spamming backers) or DDOS attacks that either knock the anti-spam resources off completely or increase the costs so that no hobbyist can run them.
And while all this is going on, the law enforcement agencies are doing nothing to counter the clearly illegal acts of the spammers.
And ISPs are doing NOTHING to reduce the number of zombies on their networks. So the DDOS attacks continue.
Nice going.
It's only a matter of time when someone (Al Queda?) will use the zombie network for something that will truly be noticed.
Why aren't such CD's outlawed? I mean, contries go after drug suppliers... why not go after those supplying an individuals email address?
That's right, E-mail is the best way to advertise your product. IF you send me $300 USD I'll give you a CD packed with email address that have been generated using the latest technology. The /dev/random method is world reknown for unique addresses with no repeats. I gaurantee that they are ALL ORIGINAL email addresses!
/dev/null E-mail address CD at no additional charge!
And if you act now, I'll send you the
In the future, I would want to not be isolated from my friends in the Space Station.
Is anyone surprised that the 10 million promised addresses boils down to less than 7 million after removing duplicates? The article is interesting in terms of statistical analysis of the data (especially the fact that a number of abuse and postmaster addresses are in the email database), but I don't think anyone expected quality email lists from spammers.
On the other hand, why would someone sending spam care too much about the integrity of the data? You're still getting over 6 million email addresses. So several million messages bounce...does the spammer care?
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Any CD that is sold containing email addresses invariably has some that work, but the vast majority are just generated. I once knew someone (and I no longer communicate with that person) who insisted that spam was the only way to sell his products. He paid $400 to some marketing company, and they sold him a CD with a million addresses. He asked me to look at it, and my conclusions were that he got ripped off. He didn't want to believe me, but the sheer number of addresses that were obviously generated proved to me that someone had written a quick script to create addresses. A good portion of the addresses were also old-school, with lots of "71532.4532@compuserve.com" type addresses.
Spammers aren't just evil for selling addresses, they are evil for making up about 3/4 of the ones that they do sell, and anyone who buys a CD with email addresses on it should be aware of that.
libertarianswag.com
Bulletproof hosting in India? Gee, now I know what we can do with the variety of Kevlar-penetrating bullets in the US. Maybe your servers can survive a Slashdotting, but can they survive a barrage of 7.62mm armor-piercing bullets? I think not.
And if there are a few bullets left over, I'm sure someone can come up with some creative spammer-related uses for them...
Well, I heard only a week or so ago that the European Union was going to make sending spam illegal in the near future, or has already done so.
Unfortunately, as this article on the Register points out, most spam comes from outside of the EU, or turns out to be untraceable anyway... so the question is if this new legislature would have any noticeable effect.
A quote: Anti-spam software outfit, Brightmail, says the legislation only affects European registered companies and they're unlikely to flout the legislation. However, it claims nine out of ten spam emails are either untraceable or come from operations outside the European Union. Either way, professional spammers - whether inside or outside the EU - are unlikely to heed the new legislation. So in effect, this new law will make bugger all difference to the amount of spam we get in Europe.
IMHO this new law certainly is a step in the right direction, since the ISP's would be legally obliged to take action against spammers on their network. Now if only the rest of the world would go in the same direction...
can they also please test one of those penis enlargement pills? I'd like to know if they work...
He refers to addresses ending with a dot as "unregular syntax", then later as "no TLD". However, the address with a trailing dot is the canoncial form of a domain name - the final dot refers to the "root" domain, the one that Verisign gets to play with.
I can't say that I don't give a fuck. I've just run out of fuck to give.
...AOL CDs, Compuserve CDs, Prodigy CDs, Earthlink CDs. Now I just get AOL CDs.
What I really miss are the days of spam floppies, now I never seem to have a floppy when I need one.
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
One of the email addresses on the CD: ikautostelen@van.jouw
which translates from dutch to english to something like: me-steal-car@from.you
Yes, its great that people embed "remove-this" and so on into their email addresses at Slashdot and other places (like Usenet), for example to make it harder for bots to parse and detect valid email addresses..
But one wonders if tools cant easily be written to remove basic patterns of that sort ... a simple substitute (or regex, whatever) would cleanse quite a few addresses, especially on UseNet..
Why is this worth it ? playing devils advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances ? ) and thus the spam would be more "directed" ?
Along those lines, how much longer before someone just hires a highschool kid to manually "collect" addresses ? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..
It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought ? If its per item, then there is a good incentive to cleanse, I'd think..
I can't stand spam and won't use it in business practices, but I don't thin kit should be any more illegal to sell a CD with aggregated e-mail address than it should be to sell a phone book CD with telephone numbers. There is value added in the indexing and providing of tools to manage so many addresses.
... organ" and patronize the spammer, then the spam will continue.
What should be illegal is selling generated, known to be false, addresses. This is basically false advertising.
What should also be illegal is bulk mailing to people who do not subscribe to a service. We need better mail servers that optionally require a "key" to receive mail, otherwise it goes straight to "File 13".
Sadly, all this bulk mail, even if "bounced" back to the sender, uses tons of bandwidth and is ultimately a tremendous waste of everyones time.
Unfortunately, all this Spam would stop is people STOPPED BUYING FROM THE SPAMMERS, but even if 0.0001% of recipients say "yeah, I DO want a larger
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
Pointing out spammer's mistakes and helping them evolve/correct the problem.
I'm not sure what the secret to success is, but the secret to failure lies in trying to please everyone -Bill Cosby
Edit the CD to include the email address of every politician the wolrd over, along with known spammers and the editor of every media outlet. If you can, use addresses that forward a notification to their mobile phone via SMS, then sell the new CD.
We'll soon see a change in the law.
Ahh I can dream.
Spammers put email addresses in thier own lists and lists they sell. The first is so they know how far through thier software is in spamming out. The second is so they know who is distroing thier email list without approval.
Over here, the rule is opt-in. The recipient of the spam has to have consented to it beforehand. (for the Norwegians here - markedsforingsloven 2 b).
I used to have a job where I had to deal with different kinds of questions from the public that dealt with, among other things, spam. After contacting various Norwegian spammers to lay down the law, I found that a lot of them bought CDs or whatever with e-mail addresses. They seemed to (usually arrogantly) think that because they bought these lists, they were fully legal to use. This is not the case.
I don't know if these CDs were sold with the implication that their use was legal. Hindsight is 20-20 and I realize now I should have told these spammers to demand their money back from the people who sold them the CDs.
People say I'm crazy, I got diamonds on the soles of my shoes...
It's called SPF, Sender Permitted From.
I think the assumption that they are maliciously giving out bad e-mail addresses overstates their intelligence. It is more likely that they just don't know what they are doing. But...thanks to this wonderful (and free) tutorial, they can now vastly improve their own spam e-mail lists! The tutorial was even kind enough to provide the appropriate regex patterns at the bottom. How Thoughful.
Jens Wessling
As for the author's assertion that the "bulletproof" spam hosts are in India, I give you ... China, Brazil, most of the Pacific Rim, as well as clueless/malicious providers such as Level3, Wanadoo.fr, etc. I can count the number of spams I've received from Indian sources recently on one hand, while the Chinese/Brazilian spam numbers in the tens of thousands.
No mod points, no meta-moderating/Firehose/all the other free work Slashdot wants me to do.
I find it doubtful that the erroneous e-mail addresses are malicious. That would suggest that these spammers have vastly higher intelligence they evidence indicates.
But...thanks to this new and wonderful tutorial, they can vastly improve the quality of their spam e-mail lists. The tutorial was even kind enough to provide the appropriate regex patterns at the bottom. How thoughtful
Jens Wessling
Syphilis, hopefully. :)
/obvious
Don't you think the war on spam should be fought as aggressively as the war on terror (ok, I know iraq did sidetrack us from that war, but still). After all,
1. just like terrorism, the spam mainly affects western countries...most of the uneducated masses do not have computers
2. the spammers do not care if our life becomes hell...they are interested in their 72 virgins...or money in this case
3. the harder we fight them, the more workarounds they find
4. any time you turn to news, you find terrorism. any time you turn to computer, you find spam. does not matter whether it is a child's email account or a grownup's.
5. it is a relatively low cost business. any tom, dick and harry can get up and start spamming. you never know when your next door neighbor is a spammer.
If only the government and industry made it a mission to kill spam. The only way it can be killed is with collective will to do so. Prosecute the spammers at par with felony or higher. Kick the industry to find workable solutions without introducing proprietary protocols.
Spammers making outrageous claims? Who woulda thought!?!?!?
Bittorrents, for example, must have a seed site out there somewhere. This site can be taken out, and any other "offical" site that mirrors it. If the data is signed, then the offical sources of such signed data are vulnerable (if you need to revoke the key). The general problem of anonomizing traffic, while being able to trust the data on it at the same time, is Hard.
The wheel is turning, but the hamster is dead.
The second is so they know who is distroing thier email list without approval.
To accomplish what, sue the person selling the list?
To sue someone, you need to exist, and provide contact information. Considering that the linked article basically states that this CD of supposedly valid and unique email addresses amounts to little more than false advertising (and for the purpose of something that counts as a crime in an increasing number of places), only an idiot would out themselves over $60.
More importantly, even if a spammer did reveal their identity in this manner, at least in the US, you cannot cannot copyright a collection of facts (even with bogus tracer data thrown in as proof, as the case of Fred L Worth vs Trivial Pursuit proved), only the presentation thereof. A list of email addresses has no unique presentation (I doubt any court would consider a trivial means of organizing, such as putting them in alphabetical order, or as in the linked article, in geographical order, as a sufficient "presentation" to warrant protection), so a spam list seller would have very little ground to stand on in such a suit.
In fact, it is probably "innocent" hackers who are angry at being blocked (or script kiddies or whoever) that are doing this in retaliation for being caught in a blacklist battle between a spammer and an anti-spam group. But who knows, until the perpetrators are found and brought to justice it's all guess work.
Here's a question: do you think the CEO of a Fortune 500 company opens and reads all of his own mail? Similarly, why should we email users open and read all of our own email? Paul Graham and others have been touting the use of learning algorithms that can tailor spam detection to our own personal needs (and when we start getting more into learning algorithms we'll see that the software agents can also classify our inbox according to mailing lists, friends/family, expected commercial mail, whatever-- and who knows once we start to get more comfortable with learning algorithms and have standard libraries for them what wonders we'll see). Once we correctly focus our energies we'll see these problems go away.
But the analysis shows that the raw lists are not all junk but still have value. What we now need to do is now polute the status of these.
This can be done by actually visiting every link that a spam offers to you and checking the content of that page.
It sounds like this would alert the spammers to your email being alive and unique and as an individual this would be a bad thing BUT what if EVERYONE did this ?. The web site would be hit (err just like a /.) in proportion to how much they supported spam.
Especially effective if done at a Brightgmail/ISP level where is behind the scenes and hasn't even hit your account. And no one can say that visiting a link is something illegal.
The analogy is shouting into a room of people and saying IS ANYONE HERE. If just 1 person replies then thats information. If everyone yells back then thats NOISE. Effectively what would happen is that a spammer sends out 1 Million emails and is say 250,000 replied back and visited their web site then they would have to seriously question if that was an effective campaign. Traditional media people would say yes BUT those 250,000 visits are in fact robots looking like humans. Aint no sales from robots and just left with a large bandwidth bill.
What its saying is we need a co-ordinated community to effectively stop spam. Just a thought. What I haven't worked out is how to stop spammers using this as a DDOS attack. I suspect a robots directive but haven't worked out the logic yet.
Okay, set up a site for potential spammers to buy one of these CDs. Require they give correct contact information to purchase.
Once lots of them have purchased, send out the CDs with the list of people who purchased the CD.
Profit and the joy of justice, all in the same business plan!
"Oh yeah."
- The Duffman
"Evil's no good. Ya just don't cotton to it. You've gotta whack it on the nose with the rolled-up Newspaper of Justice, and say, 'Bad dog...bad dog!'"
- The Tick (as best I can remember)
Have a key that is like a public key, but isn't published to the world; only give it out to people from whom you authorize email to be delivered to you. If your incoming mail doesn't contain that key, delete it.
Then, have a specifically formatted message type to handle key requests. Say if Betty wanted to email Veronica to request her private-public key, it would have to be in a strict format, say with the subject line: KEYREQ . For example: KEYREQ veronica@archie.com Hi it's veronica. ?? Then your email client could have a button called "Reply/Authorize".
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Why aren't these sites listed, real-time blacklisted, and DDoS'd by the good guys? If there is a SETI screensaver, why not a Pitchforks-and-Torches (my name for the angry mob of ordinary folks) one that, say, once a minute sends a query to known spam-friendly ISPs. A million of these would be a million messages a minute. Hard to call that a real DDoS attack from any one person since all I wanted to see if their page has updated.
While most e-mail users are digusted @ companies who spam and have business relations with spammers or spam-friendly ISP's; Google has not been mentioned yet as a part of that group.y +web+hosting+services&sourceid=mozilla-search&star t=0&start=0&ie=utf-8&oe=utf-8
By doing some searching on google - http://www.google.com/search?q=bulk+email+friendl
It's evidently that would-be spammers can easily find spam-friendly ISP's with the help of Google's Sponsored Links.
Google profits through the Spam-Friendly ISP's sponsorships and advertisements.
Does anyone see anything ethically wrong with that ???
I think I am gonna copyright my email address . . . then I can bill any company that is being advertised for whatever amount I please when they use my address in an email header. Most won't pay, but those companies that paid sco probably will send me a few bucks :P
Those odds approach 1 at the speed of light if you send me your address and you are within 100 miles of where I live.
My beliefs do not require that you agree with them.
As the spammers are selling the addresses by volume, you can't poison the list by adding to it. The CD are only generated for those suckers willing to pay for it, and the more the better. None of the spammers are concerned about data quality of their products, I guess.
And most likely, they generated some of the email addresses themselves anyway.
"...require a documented verification process...
.biz domain. And very few valid .us domains."
.biz registry could only be forced to maintain a valid WhoIs database by the really big boys in a position to impose consequences, or customers who don't want their .biz domain to be synonymous with "scam site". If .biz INTENDS to be the haven of scams and spams, so legitamate business customers have no sway over them, then it's back to the big guns. BTW, I use several .us sites for local and state government and school stuff, so I'm not sure what your problem is there.
Exactly what I was thinking of, but it would have to be enforced by generally accepted policy (maybe from ICANN?). This is the hard part. There would have to be consequences from higher level domains for not enforcing valid WhoIs records on their lower level domains. And ICANN's history does not indicate a real interest in taking the end user's side over biz interests.
"Heck, we force one in the US for guns, among other things - a misused domain can be just as dreadful in terms of consequence."
That's just an absurd statement. Misuse of a gun (of which I own several), or a knife, or a claw hammer, or a car, has much more serious consequences than spam ever will. Let's get some perspective here, folks!
"I've never, ever seen a valid
This illustrates my earlier point about enforcement from the top. The
Any technology distinguishable from magic is insufficiently advanced. - Geek's corollary to Clarke's law
...over the years I've recieved exactly TWO Norwegian spams - from "Trondelag Teater" and "freewave.no" Of course, I'm pretty careful with my "official" mail, I keep various other junk accounts for other stuff. But the US spam (presumably) keeps coming in, viagra, 411 scams, mortgages, gambling, whatever. They still fill up my inbox.
I think the only way to do it is to have
a) hashcash payments (CPU time) OR
b) cryptographic pass-through "token"
The former for all the low-volume mail, where you can "afford" to burn a little CPU. The latter for mailing-lists and similar high-volume stuff, which would allow it through without paying any hashcash, but must be specifically issued (by the server, at the user's request).
The server wouldn't need to keep a database of them, it would simply have to verify them. Yes, this is my own signature, a valid user@mydomain.tld token with the name "Slashdot". They could also be time-limited. Furthermore, the token email address should be different from the non-token email, so that I can issue them "anonymously". (e.g. the SHA hash of the real email...)
Compromised token? Reject any further mail from that token, preferably at server (revocation database, wouldn't be that large). By default, mailing lists should take a rejected token as an "unsubscription".
That would also allow for degrees of "blocking", not simply black&white lists.... these semi-spammy domains get higher hashcash, these highly no-spam areas get lower hashcash.
So how would this work. Let's say I want to sign up for a slashdot newsletter:
Subscribe
1. Send subscription email to server, check box for "Issue token", and call the token "Slashdot".
2. Server recieves requests, generates a cryptographic token, and sends it to the list from the TOKEN address (say e.g. a hash of the real email, server has a hashmap).
3. Server recieves mail from mailing list, looks up real email based on token, verifies token, and pass it on (with proper "X-Token" header or soemthing like that). Replies to messages with an X-Token also sent over token address.
Unsubscribe (either due to compromised/SPAM/leaving list):
1. Revoke token
2. Mailing list tries to send mail, but fails on invalid token. Removes you from list. They could try again but the result would be the same.
What information does slashdot have now? Nothing. No valid token, no valid address. No matter how hostile/compromised they got, they can't do any more damage. They can't even sell my real address to spammers.
Having removed all "high-volume" automatic lists from the equation, we can jack up the hashcash requirement high enough that it really hurts spammers. You can finally have a SPAM policy without directly rejecting mail.
Hell, you could even have a two-stage hashcash deal. One based on origin (before wasting bandwidth) and one after retrieving mail and passing it through spam-assasin, with higher hashcash the more "spammy" the mail is (wasting bandwidth, but saving space in inbox).
The only ones hurt by this are those sending mass amounts of unsolicitated mail. Which are, in approximately 99,99% of the cases, spammers. If it isn't, it's mass requests to sign "save futurama/the rainforest/whatever" campaigns or similar. That much collateral damage, I'm willing to take.
Kjella
Live today, because you never know what tomorrow brings
How about this... some whitehat could make and market a CD of millions of mail addresses. But they'd all be fake except a few for monitoring, spamer tarpits and a few of abuse@ISP and the feds ;-)
Besides cutting down spam you'd be tranfering month
directly from the spammers to yourself.
The problem with the "friendly virus" approach: you're trying to install software on zillions of strangers' computers, blindfold. Assuming this is windoze we're talking about here, there are scads of different versions and subversions and patched and hacked OSes. It's a certainty that your "upgrade" will fry the OS in a fair percentage of cases, even if you wrote it without a single bug. Which you won't have done, because its first real test-run will be live.
The first "great internet worm" was a friendly program that went haywire.
Promote your business to millions of fictitious addresses!!! Waste your bandwidth!! Guaranteed 0.000% clickthrough rate!
The entire analysis boils down to one thing, which I call Rule #5, the King of All Rules: Spammers don't give a shit.
They don't care who you are, what you think, what you would or would not like to receive, what sex you are, if you are a minor or not, if the address they are sending to is valid or malformed, or if you are dead. All the lying that they do and the rationalizing of their behavior exists soley because -- lets chant together -- "Spammers don't give a shit"
The notion that a spammer should clean up a spamming CD to remove duplicate addresses or to remove role addresses at ISPs is simply ridiculous. Why spend the time? It will have zero impact on the number of sales that they make and -- chant it -- spammers don't give a shit.
So forget all the other rules. It is a waste of time to assign qualitive analysis to the behavior of sociopaths. They want money, and they don't give a shit about how they go about doing it. Once you realize that, you will see that all the other "Rules" for spammers are superfulous and stem from Rule #5.
WRONG; you can't legally DOS spammers just by switching tools you're doing it with.
You will very often not actually hit/hurt the spammer, so most of the time you'd hurt innocent servers/companies; and everyone knowing you're using this tool could send you e-mails making you DOS any site they want to.
The spammer won't be kicked off the program for cheating, you'll get arrested for abusing their system by automatically downloading the same thing automatically over and over again, intending to hurt their systems and/or their users/clients.
perl -e'print$_{$_} for sort%_=`lynx -dump svanstrom.com/t`'
I really don't know why this is so hard for people to understand, but it "shouldn't" be that hard to create a peer-to-peer, fully trusted spam blacklist system.
1) Take a well known provider of such lists and have him generate himself a PGP/GPG (etc) key.
2) Create a hashing algo that can be applied to email addresses and domain names and produces (about) 60 or so distinct hashes.
3) Coordinate the email blacklists into N files where N is the number of hash results from item 2. These are the N components to the complete list. IF you have an address X and its hash is Xn then if the address doesn't apear in file N the address isn not blacklisted.
4) Construct (or use an existing) P2P app to distribute these N files. Ideally the P2P system in question can "bias" the fetch operation to favor retrevial from "previously known good" sources.
Here are the fine points:
A) The GPG secret key, and not the "location fetched from", is the magic that marks the list valid. You can not DDOS a secret key, just an originator.
B) A first-order web of trust, instead of a simple key, could also be used. That is, instead of requiring a signature from the master key, require a signature from a key signed by the master key. This way "the one key" can stay relatively unused while persons need to attack the rotating and regularly expiring frontage keys if they want to game the transfer for any reason.
C) The master key and the frontage keys don't have to equate to any real nor active network facility. They only need to be unique in key space. You simply *CANNOT* attack a namespace that isn't backed up by a physical facility. (For instance, if the master key were "master@control.spamcop.org", spamcop.org itself could be pointed at Geocities or something or nothing at all.)
D) While a current (Kaza-esque) P2P app would probably be less than ideal for the actual transport, it wouldn't be dificult to design a P2P style distribution mechanisim. It wouldn't need to be any more subtle than a bunch of http mirrors really, as long as the mirroring system (rdist/wget alike) would only put the files in the public directory if they passed a frontage-key/master-key signing test.
In practice you would probably want to distribute a signed known-mirrors (root) file too.
[Then again, a shite load of ptr records in a "spamcop.org" dns table could function as the analog of an MX table for this rooting purpose. Those sites would tend to become targets, but only for as long as the list size were small.]
If a "real" P2P app, or even a well designed friend-of-friend http-based network were put together and reached a core complexity of a at least a couple dozen known base points, it would be unquenchable. The target density would be too diverse to attack effectively. It would be like trying to DDOS "all the bloggers on the net".
Heck, set a pseudo standard: Every doman that wants to join the P2P network "backbone" should issue itself a "spamcop@my.domain" key and then do a challenge/response signing (on connection each party sends the other a challenge, gets the challenge back signed, checks the signature as valid) when it comes onto the backbone. Organize the thing like IRC but with records kept for keys used. Add some throttling (like IRC flood protection) and you are off. Abusers can be tracked down to their hosts and keys.
Then you can devolve. Regular users don't have to have keys to join the net and request information. Keys and domains can be blacklisted (possibly together?).
Heck, use the haxors techniques. Actually get permission to stake out some IRC channels to act as the root seed broadcast-style distribution system (list of known good core hosts, again, such lists are signed).
All you have to do is get some distribution without losing authenticity. That is what public keys are all about. The anti-assailable nature of P2P and the semi-chaotic nature of IRC have their legitimate purposes. Now all you need is to use these systems for good instead of evil.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
They probably can. And they are probably already in use by some spammers. No big deal here.
Why is this worth it ? playing devils advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances ? ) and thus the spam would be more "directed" ?
This isn't how spam works. You only care about target groups when it costs you money to reach people. The cost of sending spam is, for all practical purposes, zero. Thus, you don't care about target groups, instead you spam as many addresses as possible.
And as proven by the article, spammers don't care much about duplicates, abuse-accounts, etc.. either. By the time you have spammed a zillion people, your ISP will know about your spamming, regardless of whether you spammed their abuse-account yourself, or someone else notified them.
Along those lines, how much longer before someone just hires a highschool kid to manually "collect" addresses ? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..
That would raise the cost of spamming enormously. The high-school kid would want $10/hour, and could proabably be expected to do 5-10 addresses/minute, meaning you'd pay up to 3 cent per address. This is 4 orders of magnitude higher cost than the CD in the article.
It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought ? If its per item, then there is a good incentive to cleanse, I'd think..
There are all kinds of silly models for spammers to get their money. But if anyone is stupid enough to pay spammers per mail sent, they can expect to get bankrupt soon. As a spammer, I could then send emails to dummyacct000000001@hotmail.com, dummyacct000000002@hotmail.com, and so on, and still get paid.
The Email "From" address would have to originate from an Email server that matched its DNS entry. You could still fake the IP address or the DNS Service, but this is not as trivial as faking the "from" address.
Spammers will probably circumvent SPF by registering many disposable domain names, and configuring the DNS for those names to return SPF-style authorization for the IP numbers of whatever proxies or compromized machines they are currently using to transmit messages.
So SPF will put an end to spammers faking "yahoo.com" or any other domain with valid SPF records (and when the reciepient checks them).... but it won't end spam.
To combat spammers simply registering their own domains, real-time blocklists and whitelists of known-spam domain names and know-legitimate domain names will be needed.
SPF is a great idea (aside from the problems for all the people who currently transmit legitimate email with forged from headers).... but it definately won't stop spammers. It's just another step in the arms race.
PJRC: Electronic Projects, 8051 Microcontroller Tools
I doubt that, at least to the extent you likely intend it. The great thing about Bayesian filtering is that it's adaptive. So they would have to dramatically increase the rate at which they discover and use filter-killing tricks for this to work.
I'm running Mozilla, and in the last 8 months (roughly) I've gotten 10,000 spams - modest, but a great library for catching spams. I catch about 97% or more of them. And I can tell when they come out with a new trick - my catch rate will drop to say 80% for a day, after which my filter catches up to the new trick. In fact, when they don't have new tricks, my catch rate is about 99+%. Most of what gets through is new tricks.
I'd say now, they come out with a filter-busting trick maybe once a month. For spam to become a problem to my client, they'd have to do it better than once a day. I don't think they have the resources to do that.
-Looking for a job as a materials chemist or multivariat
This is almost exactly what SPF (and RMX and DMP) actually do. With SPF, your server makes a query to the claimed from domain and asks HOW to test if the IP number is an authorized sender. Many different methods are defined by SPF, and if any of the ones returned in the query match, then the message is legit.
Next, your SMTP server tries to open a connection to the IP that said HELO and tries to send a message to the address in mail-from. If it gets "no such recipient" then assume the message is spam.
This definately will NOT work. Many sites transmit email from different IP numbers than where they receive it.
It would use more bandwidth, opening all those sessions to see if recipients actually exists, but once you've done it once the resuslts can be put in a lookup table.
That would be redundant, since the queries are all by DNS, and the local nameserver (should be) already caching the result.
Whitelists and blacklists would be created. Bandwidth cost would be high at first, but as more IPs are logged, and mail-from rcpt-to pairs are sorted, the cost would decrease.
The cost is already minimal. DNS doesn't use much bandwidth.
But whitelists and blacklists will definately be needed....
Once many sites are verifying the from header matches an IP number that the claimed domain says it authorized to transmit email, spammers will simply register lots of disposable domain names, and return SPF results that says whatever proxy or compromised IP number they are using is authorized for that domain.
So real-time blacklists and whitelists of domain names will be needed to reject spam.... if SPF becomes widely deployed and spammers adapt to it.
PJRC: Electronic Projects, 8051 Microcontroller Tools
Without looking at their web site, I'll bet this still suffers from the same problem regular firewalls do. Namely, that the firewall can keep all this traffic away from the servers, but they can't prevent your pipe being saturated. Hence "denial of service". It doesn't matter how well your servers are running if you have no bandwidth left.
I like my women like my coffee... pale and bitter.
I've noticed something. I have a Hotmail account I use for people I don't want to have my real e-mail address. It use to get bombarded with SPAM. It was like bob50303, so I got nailed by every single dictionary attack. Then, Microsoft implemented something -- spam dropped off. And now its GONE. I get something like 1 or 2 spam messages a week. Inbox is spotless.
I think the time is getting close to where spam won't pay anymore, the filters are obviously getting better and if SMTP gets revamped or replaced by something with any sort of authentication -- Spam's done.. Stick a fork in it.
You're not going to sell this CD to Alan Ralsky or his ilk, the professional Florida ROKSO members or the newer mafiosi who run their own harvesters (you'll leave attractive-nuisance web pages around for them :-) This kind of product is designed for the Gullible Bottom-Feeder spammers, the anklebiters who think they'll Make Money Fast by buying a CD from the big professional spammers. That means they'll either see your ads and believe them, or they won't, but they won't have the clue about how to ask around for other spammers who've bought your fine product and are now in jail or court or bankruptcy or buried in paper junkmail or keep getting their single-wide trailer windows broken, plus you'll have had fun taking them for $39 and any other optional services you've sold them, like "bullet-proof hosting" and "spam-free bulk email delivery ISP services" .
For the slightly brighter potential spammers, word may get around faster (e.g. it shows up in Google next to your ad), but that's ok - any meme that says buying cheap spamware is dangerous is a Good Meme. The problem is making sure that *you* are hard to trace, because the guy in the singlewide trailer may have a doublewide baseball bat, and the slightly brighter spammer may have a kid brother who's a 31337 Skr14t K1dD13 who can annoy you as well.
The other problem, of course, is how to reach your potential customer base, other than by spamming... Google's a start.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
But the real purposes of the whois information are working contact information when you're system's broken or spewing. Phone numbers are helpful because if your DNS or email is broken, then sending you email often doesn't work. Street address information is useful if the registrar wants to send you paper bills, but that doesn't need to be public.
ICANN has been pressing for whois information to require True Names, ICBM addresses, and Subpoena-delivery addresses because they want anybody to be able to drag you into court over domain name trademark issues, and if there's no way to determine _your_ legal jurisdiction, somebody might try to sue them or the registries or registrars instead, plus different jurisdictions have different rules about trademarks. (Remember that the only IP that ICANN cares about is Intellectual Property, not Internet Protocol.) But that's just tough - they could just as well make a rule that says that you need to provide a working email address, and that if you don't respond within X days, they can give away your domain name to any reasonable-sounding claimant, and tell you what court or arbitrator to go to if you want it back.
RIAA and MPAA are pushing ICANN to include True Names and legal jurisdictions because they want to sue your ass if anybody thinks about sharing music on anything you own. The US Department of Homeland Security wants the whois records to include your blood type, DNA records, retina scans, fingerprints, and US Not-Known-To-Be-A-Terrorist-Or-Democrat-Yet permission slip, because John Ashcroft wants to be able to burn *you* at the stake and not just your domain name contract, just in case your web site has pictures of that Department of Justice statue with the bare breasts that he covered up. Lots of other people have reasons they'd like to get your marketing information from your whois records.
But that's not what domain names are about. Domain names are about giving ways for you to publish information on the Internet where people can find it, and to provide contact information for people who you want to be able to reach you. They're a technical tool for doing that, and whois records are a technical tool for maintaining them. They can be an important privacy tool if you want privacy, or an important publicity tool if you want publicity. If you want to publish your political rants on "www.federalist-papers.org" the way the original authors pseudonymously published theirs on dead trees, that's a critical part of freedom of speech. If you want to publish your Falun Gong religious rants on the net and not have the Chinese government censor your or hunt you down and throw you in jail, or hunt down the people who read them, that's your right too.
Privacy is much more important that stopping spammers, annoying as they are. Stop spammers with technical tools, or stop spammers by changing the economics that lets some of them profit, or stop spammers with baseball bats for all I care, but don't say it's ok to mess with our civil rights as collateral damage.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks