Slashdot Mirror
What You Get When You Buy a Spam CD
defender writes "Recently over here in The Netherlands, the spam versus anti-spam 'war' has hardened. More professional spamming coming from a handful of hard-core spammers utilizing bulletproof hosting in India, chained open proxies, more and more false whois information, etc. One of the more known anti-spam people has been sent one of the subjects of those spams: a CD with millions of e-mail addressess of 'individuals' and hundreds of thousands of 'businesses'... Rejo Zenger has done an analysis of such a CD, which is fuelling new debate as to why the recent EU anti-spam directive was weakened because of businesses complaining or indicating that spam wasn't a big issue for them."
It's been reported that SpamCop is paying upwards to $30K / year for bandwidth as a direct cause of the continous DDOS attacks on it.
The spammers are doing everything they can to squeeze the anti-spammers out. They use frivolous lawsuits (aka Mark Felstein and his porn spamming backers) or DDOS attacks that either knock the anti-spam resources off completely or increase the costs so that no hobbyist can run them.
And while all this is going on, the law enforcement agencies are doing nothing to counter the clearly illegal acts of the spammers.
And ISPs are doing NOTHING to reduce the number of zombies on their networks. So the DDOS attacks continue.
Nice going.
It's only a matter of time when someone (Al Queda?) will use the zombie network for something that will truly be noticed.
That's right, E-mail is the best way to advertise your product. IF you send me $300 USD I'll give you a CD packed with email address that have been generated using the latest technology. The /dev/random method is world reknown for unique addresses with no repeats. I gaurantee that they are ALL ORIGINAL email addresses!
/dev/null E-mail address CD at no additional charge!
And if you act now, I'll send you the
In the future, I would want to not be isolated from my friends in the Space Station.
Is anyone surprised that the 10 million promised addresses boils down to less than 7 million after removing duplicates? The article is interesting in terms of statistical analysis of the data (especially the fact that a number of abuse and postmaster addresses are in the email database), but I don't think anyone expected quality email lists from spammers.
On the other hand, why would someone sending spam care too much about the integrity of the data? You're still getting over 6 million email addresses. So several million messages bounce...does the spammer care?
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Any CD that is sold containing email addresses invariably has some that work, but the vast majority are just generated. I once knew someone (and I no longer communicate with that person) who insisted that spam was the only way to sell his products. He paid $400 to some marketing company, and they sold him a CD with a million addresses. He asked me to look at it, and my conclusions were that he got ripped off. He didn't want to believe me, but the sheer number of addresses that were obviously generated proved to me that someone had written a quick script to create addresses. A good portion of the addresses were also old-school, with lots of "71532.4532@compuserve.com" type addresses.
Spammers aren't just evil for selling addresses, they are evil for making up about 3/4 of the ones that they do sell, and anyone who buys a CD with email addresses on it should be aware of that.
libertarianswag.com
You can't PROVE intent with one of these CDs. If I have a pound of marijuana on my kitchen table, the odds are good that someone is gonna use it in an illegal manner. It's not illegal to have e-mail addresses, though, because they can be used for something legitimate (i.e. research, as the author of the article did).
Denver Isuzu Suzuki
Bulletproof hosting in India? Gee, now I know what we can do with the variety of Kevlar-penetrating bullets in the US. Maybe your servers can survive a Slashdotting, but can they survive a barrage of 7.62mm armor-piercing bullets? I think not.
And if there are a few bullets left over, I'm sure someone can come up with some creative spammer-related uses for them...
Well, I heard only a week or so ago that the European Union was going to make sending spam illegal in the near future, or has already done so.
Unfortunately, as this article on the Register points out, most spam comes from outside of the EU, or turns out to be untraceable anyway... so the question is if this new legislature would have any noticeable effect.
A quote: Anti-spam software outfit, Brightmail, says the legislation only affects European registered companies and they're unlikely to flout the legislation. However, it claims nine out of ten spam emails are either untraceable or come from operations outside the European Union. Either way, professional spammers - whether inside or outside the EU - are unlikely to heed the new legislation. So in effect, this new law will make bugger all difference to the amount of spam we get in Europe.
IMHO this new law certainly is a step in the right direction, since the ISP's would be legally obliged to take action against spammers on their network. Now if only the rest of the world would go in the same direction...
can they also please test one of those penis enlargement pills? I'd like to know if they work...
I swear officers, I was just going to use it for making cookies. What? You mean thats illegal too? Dang it, now how am I going to be able to sit through the Matrix trillogy!
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
He refers to addresses ending with a dot as "unregular syntax", then later as "no TLD". However, the address with a trailing dot is the canoncial form of a domain name - the final dot refers to the "root" domain, the one that Verisign gets to play with.
I can't say that I don't give a fuck. I've just run out of fuck to give.
...AOL CDs, Compuserve CDs, Prodigy CDs, Earthlink CDs. Now I just get AOL CDs.
What I really miss are the days of spam floppies, now I never seem to have a floppy when I need one.
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
One of the email addresses on the CD: ikautostelen@van.jouw
which translates from dutch to english to something like: me-steal-car@from.you
Yes, its great that people embed "remove-this" and so on into their email addresses at Slashdot and other places (like Usenet), for example to make it harder for bots to parse and detect valid email addresses..
But one wonders if tools cant easily be written to remove basic patterns of that sort ... a simple substitute (or regex, whatever) would cleanse quite a few addresses, especially on UseNet..
Why is this worth it ? playing devils advocate, if I wanted to market ThinkGeek-like toys, Slashdot readership would be squarely in my "target market". A bit of effort cleansing addresses would pay off (because presumably, a fair portion of the populace reading Slashdot have more disposable income to spend on toys and geeky appliances ? ) and thus the spam would be more "directed" ?
Along those lines, how much longer before someone just hires a highschool kid to manually "collect" addresses ? (a few bucks an hour payment, say).. all the fancy email obfuscation tricks would fly out the window then..
It all depends on the payment model for spammers (which I never could understand anyway..). Paid per email sent (with incentive to forge or do shoddy cleansing), or paid per items bought ? If its per item, then there is a good incentive to cleanse, I'd think..
I can't stand spam and won't use it in business practices, but I don't thin kit should be any more illegal to sell a CD with aggregated e-mail address than it should be to sell a phone book CD with telephone numbers. There is value added in the indexing and providing of tools to manage so many addresses.
... organ" and patronize the spammer, then the spam will continue.
What should be illegal is selling generated, known to be false, addresses. This is basically false advertising.
What should also be illegal is bulk mailing to people who do not subscribe to a service. We need better mail servers that optionally require a "key" to receive mail, otherwise it goes straight to "File 13".
Sadly, all this bulk mail, even if "bounced" back to the sender, uses tons of bandwidth and is ultimately a tremendous waste of everyones time.
Unfortunately, all this Spam would stop is people STOPPED BUYING FROM THE SPAMMERS, but even if 0.0001% of recipients say "yeah, I DO want a larger
I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
Pointing out spammer's mistakes and helping them evolve/correct the problem.
I'm not sure what the secret to success is, but the secret to failure lies in trying to please everyone -Bill Cosby
Edit the CD to include the email address of every politician the wolrd over, along with known spammers and the editor of every media outlet. If you can, use addresses that forward a notification to their mobile phone via SMS, then sell the new CD.
We'll soon see a change in the law.
Ahh I can dream.
Over here, the rule is opt-in. The recipient of the spam has to have consented to it beforehand. (for the Norwegians here - markedsforingsloven 2 b).
I used to have a job where I had to deal with different kinds of questions from the public that dealt with, among other things, spam. After contacting various Norwegian spammers to lay down the law, I found that a lot of them bought CDs or whatever with e-mail addresses. They seemed to (usually arrogantly) think that because they bought these lists, they were fully legal to use. This is not the case.
I don't know if these CDs were sold with the implication that their use was legal. Hindsight is 20-20 and I realize now I should have told these spammers to demand their money back from the people who sold them the CDs.
People say I'm crazy, I got diamonds on the soles of my shoes...
It's called SPF, Sender Permitted From.
As for the author's assertion that the "bulletproof" spam hosts are in India, I give you ... China, Brazil, most of the Pacific Rim, as well as clueless/malicious providers such as Level3, Wanadoo.fr, etc. I can count the number of spams I've received from Indian sources recently on one hand, while the Chinese/Brazilian spam numbers in the tens of thousands.
No mod points, no meta-moderating/Firehose/all the other free work Slashdot wants me to do.
Syphilis, hopefully. :)
/obvious
Bittorrents, for example, must have a seed site out there somewhere. This site can be taken out, and any other "offical" site that mirrors it. If the data is signed, then the offical sources of such signed data are vulnerable (if you need to revoke the key). The general problem of anonomizing traffic, while being able to trust the data on it at the same time, is Hard.
The wheel is turning, but the hamster is dead.
Okay, set up a site for potential spammers to buy one of these CDs. Require they give correct contact information to purchase.
Once lots of them have purchased, send out the CDs with the list of people who purchased the CD.
Profit and the joy of justice, all in the same business plan!
"Oh yeah."
- The Duffman
"Evil's no good. Ya just don't cotton to it. You've gotta whack it on the nose with the rolled-up Newspaper of Justice, and say, 'Bad dog...bad dog!'"
- The Tick (as best I can remember)
Have a key that is like a public key, but isn't published to the world; only give it out to people from whom you authorize email to be delivered to you. If your incoming mail doesn't contain that key, delete it.
Then, have a specifically formatted message type to handle key requests. Say if Betty wanted to email Veronica to request her private-public key, it would have to be in a strict format, say with the subject line: KEYREQ . For example: KEYREQ veronica@archie.com Hi it's veronica. ?? Then your email client could have a button called "Reply/Authorize".
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Why aren't these sites listed, real-time blacklisted, and DDoS'd by the good guys? If there is a SETI screensaver, why not a Pitchforks-and-Torches (my name for the angry mob of ordinary folks) one that, say, once a minute sends a query to known spam-friendly ISPs. A million of these would be a million messages a minute. Hard to call that a real DDoS attack from any one person since all I wanted to see if their page has updated.
If you think this will make a difference in the quality of the lists, think again. These people are more interested in volume than quality, or they wouldn't have spent time on spam in the first place.
The more unsophisticated spammers don't really care about the list quality, as they'll just keep accumulating addresses since sending out the mails cost them next to nothing anyway. The sophisticated spammers are more likely collecting their own lists.
And the people selling these lists have every interest in inflating the number of addresses as much as they can get away with from their prospective customer base.
Those odds approach 1 at the speed of light if you send me your address and you are within 100 miles of where I live.
My beliefs do not require that you agree with them.
...over the years I've recieved exactly TWO Norwegian spams - from "Trondelag Teater" and "freewave.no" Of course, I'm pretty careful with my "official" mail, I keep various other junk accounts for other stuff. But the US spam (presumably) keeps coming in, viagra, 411 scams, mortgages, gambling, whatever. They still fill up my inbox.
I think the only way to do it is to have
a) hashcash payments (CPU time) OR
b) cryptographic pass-through "token"
The former for all the low-volume mail, where you can "afford" to burn a little CPU. The latter for mailing-lists and similar high-volume stuff, which would allow it through without paying any hashcash, but must be specifically issued (by the server, at the user's request).
The server wouldn't need to keep a database of them, it would simply have to verify them. Yes, this is my own signature, a valid user@mydomain.tld token with the name "Slashdot". They could also be time-limited. Furthermore, the token email address should be different from the non-token email, so that I can issue them "anonymously". (e.g. the SHA hash of the real email...)
Compromised token? Reject any further mail from that token, preferably at server (revocation database, wouldn't be that large). By default, mailing lists should take a rejected token as an "unsubscription".
That would also allow for degrees of "blocking", not simply black&white lists.... these semi-spammy domains get higher hashcash, these highly no-spam areas get lower hashcash.
So how would this work. Let's say I want to sign up for a slashdot newsletter:
Subscribe
1. Send subscription email to server, check box for "Issue token", and call the token "Slashdot".
2. Server recieves requests, generates a cryptographic token, and sends it to the list from the TOKEN address (say e.g. a hash of the real email, server has a hashmap).
3. Server recieves mail from mailing list, looks up real email based on token, verifies token, and pass it on (with proper "X-Token" header or soemthing like that). Replies to messages with an X-Token also sent over token address.
Unsubscribe (either due to compromised/SPAM/leaving list):
1. Revoke token
2. Mailing list tries to send mail, but fails on invalid token. Removes you from list. They could try again but the result would be the same.
What information does slashdot have now? Nothing. No valid token, no valid address. No matter how hostile/compromised they got, they can't do any more damage. They can't even sell my real address to spammers.
Having removed all "high-volume" automatic lists from the equation, we can jack up the hashcash requirement high enough that it really hurts spammers. You can finally have a SPAM policy without directly rejecting mail.
Hell, you could even have a two-stage hashcash deal. One based on origin (before wasting bandwidth) and one after retrieving mail and passing it through spam-assasin, with higher hashcash the more "spammy" the mail is (wasting bandwidth, but saving space in inbox).
The only ones hurt by this are those sending mass amounts of unsolicitated mail. Which are, in approximately 99,99% of the cases, spammers. If it isn't, it's mass requests to sign "save futurama/the rainforest/whatever" campaigns or similar. That much collateral damage, I'm willing to take.
Kjella
Live today, because you never know what tomorrow brings
How about this... some whitehat could make and market a CD of millions of mail addresses. But they'd all be fake except a few for monitoring, spamer tarpits and a few of abuse@ISP and the feds ;-)
Besides cutting down spam you'd be tranfering month
directly from the spammers to yourself.
The problem with the "friendly virus" approach: you're trying to install software on zillions of strangers' computers, blindfold. Assuming this is windoze we're talking about here, there are scads of different versions and subversions and patched and hacked OSes. It's a certainty that your "upgrade" will fry the OS in a fair percentage of cases, even if you wrote it without a single bug. Which you won't have done, because its first real test-run will be live.
The first "great internet worm" was a friendly program that went haywire.
The entire analysis boils down to one thing, which I call Rule #5, the King of All Rules: Spammers don't give a shit.
They don't care who you are, what you think, what you would or would not like to receive, what sex you are, if you are a minor or not, if the address they are sending to is valid or malformed, or if you are dead. All the lying that they do and the rationalizing of their behavior exists soley because -- lets chant together -- "Spammers don't give a shit"
The notion that a spammer should clean up a spamming CD to remove duplicate addresses or to remove role addresses at ISPs is simply ridiculous. Why spend the time? It will have zero impact on the number of sales that they make and -- chant it -- spammers don't give a shit.
So forget all the other rules. It is a waste of time to assign qualitive analysis to the behavior of sociopaths. They want money, and they don't give a shit about how they go about doing it. Once you realize that, you will see that all the other "Rules" for spammers are superfulous and stem from Rule #5.
I doubt that, at least to the extent you likely intend it. The great thing about Bayesian filtering is that it's adaptive. So they would have to dramatically increase the rate at which they discover and use filter-killing tricks for this to work.
I'm running Mozilla, and in the last 8 months (roughly) I've gotten 10,000 spams - modest, but a great library for catching spams. I catch about 97% or more of them. And I can tell when they come out with a new trick - my catch rate will drop to say 80% for a day, after which my filter catches up to the new trick. In fact, when they don't have new tricks, my catch rate is about 99+%. Most of what gets through is new tricks.
I'd say now, they come out with a filter-busting trick maybe once a month. For spam to become a problem to my client, they'd have to do it better than once a day. I don't think they have the resources to do that.
-Looking for a job as a materials chemist or multivariat