Paid To Spam

Lathiat writes "It seems that spammers have taken a new distributed approach to sending spam, and you get paid for it. Virtual MDA will pay you $1 per CPU hour their program is running to relay spam around the world. Obviously this is not something you should do, most users are all to familiar with the atrocity of sorting through up to hundreds of spams a day just to find one real email, Although it has been previously reported that some users love spam, I for one don't. Is there any way end users can fight back against people like this?" At $1/hour, this sounds like a low-gain way to infuriate both your friends and perfect strangers.

Fight back!

[YanceyAI]

(1 x 24) x 7 = $168/week.

I say we sentence the people who like/read/send spam to filter through all the email that the filters tosses, just to make sure no legitimate email has been accidentally deleted. Maybe if the know what it's to sift through this crap all day long (like I do when the server filter goes down), they'll get the drift.

Re:Fight back!

[The_Mr_Flibble]

Ok I've got a bunch of old 386's in the attic and I'm pretty sure that I can lock down my bandwidth down to about 1 bit an hour for a seperate lan.

Re:Fight back!

[Spyffe]

In addition, you don't even have to use up bandwidth.

If you simply install a firewall filter that blocks the outgoing spam mail, the spammers can never figure it out and you're making money for nothing. The program runs, it sends spam, the spam just gets nowhere.
A powerful computer to pump out spam quickly and a decent firewall to block it will pay for themselves quickly if you keep them running 24/7.

Re:Fight back!

[TykeClone]

Is there a minimum CPU level? How much spam can a 486/25 send in the course of an hour's worth of cycles?

Re:Fight back!

[drooling-dog]

(1 x 24) x 7 = $168/week.

Umm... I believe they said $1 per CPU hour. You'd probably have to send many millions of messages just to get your first buck.

Re:Fight back!

[The_Mr_Flibble]

You know it only takes 15 mins of elevated mail traffic on our systems before your ip gets locked down.

Re:Fight back!

[DaHat]

I had the same thought, but I'm guessing they'll have test messages now and then to make sure you are sending, or even enough intelligence in the daemon to determine of a higher then normal % of messages are failing.

Re:Fight back!

[shadowcabbit]

Sadly, an easy way to prevent decent folks like you and me from screwing over the bad guys would be to seed several addresses into the listing that go back to the master spammer. If the master spammer never receives the email-- which conveniently has a tracking number to identify the machine that sent it-- the sender never gets a dime.

I'm unimpressed, but wait till someone codes this into a trojan with his spam-sender-id-thingy on it. He'll easily make thousands an hour without ever sullying his own machine, and at no risk to his ISP account because hey-- he's not sending the spam, the zillions of clueless users he infected are.

Re:Fight back!

[Technician]

(1 x 24) x 7 = $168/week.

And loss of your ISP connection due to violation of the TOS.

I guess they will find enough short term accounts this way. They don't care that the people they use have a new problem to deal with.

Re:Fight back!

[bfields]

If you simply install a firewall filter that blocks the outgoing spam mail, the spammers can never figure it out and you're making money for nothing.

It'd be trivial for them to detect this--seed the mailing lists they give you with a few addresses that forward to them. I believe the same thing is established practice in the world of mass (non-electronic) mailings.

--Bruce Fields

Re:Fight back!

It's hard to notice when you're connection to the Internet is a 2400baud modem.

Re:Fight back!

[brassman]

One catch -- if you read through their "agreement," they have the right to round the time you "work" downwards, they have the right to defer payment until you reach a certain amount accrued, and they have the "right" to LOSE YOUR ACCOUNT INFORMATION. Really. "Sorry, we lost your info, so we don't owe you anything."

In short, after you sell your soul and your internet access, you get nothing in return. Zero, zilch, nada. Find someone who has received a nickel from these guys, if you can.

Re:Fight back!

[arivanov]

It has already been done. 95% of the so called "OEM discount software" sold by SPAM gangs is pre-seeded with SPAM bots which the gangs use to sell more software, drugs and run more scams.

Re:Fight back!

[Pointer80]

What are you using to detect "elevated mail traffic?"

Re:Fight back!

Better yet set up your DNS and actually recieve all the mail on another box so it appears the mail was received successfully.

--db.root--
localhost IN A 127.0.0.1
mybox IN A 10.0.0.1
*. IN A 10.0.0.2

Re:Fight back!

[mwood]

I doubt a 486/25 would even get warm from the amount of work it could do when it's bottlenecked by a consumer-grade ISP hookup. You could push the utilization up a little by linking to your broadband box through a really simple NIC like an NE2000-clone, I suppose.

Re:Fight back!

[Glamdrlng]

A powerful computer to pump out spam quickly and a decent firewall to block it will pay for themselves quickly if you keep them running 24/7.

Forget the firewall (Well, don't forget it. Just don't block the outgoing mail) Instead, just report your IP to the major blacklists. Everyone who uses an RBL wil be unaffected, and the people who don't will have more pressure put on them to use blacklists. Problem solved...

Re:Fight back!

[tdemark]

A lot more than you would guess.

A few years ago I developed and managed a cluster of such machines to send out daily emails to the users of a large internet site (these were emails that people signed up for, not spam).

One machine ran a perl script which accessed the db and pulled out the various bits of content, addresses, and names. It would piece together the basic message and hand off the rest of the assembly and actual sending to one of three other machines.

These four 486/25 with 32M RAM running FreeBSD were able to send about 300,000 custom emails per hour without breaking a sweat.

Re:Fight back!

[mwood]

Most people probably have a big enough stack of AOL CDs in the closet to stay in business for a couple of months no matter how fast they get shut down.

Re:Fight back!

[NoMoreNicksLeft]

So build a honeypot that looks like a real SMTP. If it's on an external box, there's no way that the spam daemon (spamd?) would be able to tell it was being fooled.

Now, the test messages, that's a toughy. But if the honeypot maintains a list, I wonder if there is any way to determine which emails are the silent drops. Forward only those...

Hell, so that they don't start wondering that the response rate is just too low, we could send a bunch (though nothing so excessive that it gets your service terminated) to that idiot that likes spam.

Re:Fight back!

[oberondarksoul]

If a trojan was written that contained the ID number of its author to exploit in this way, then surely one can just poke around the trojan, find out his ID number, and report him? The spam-merchants would be glad to be rid of a fraudster like that, and I'm sure the feds would like to have one or two 'words' with him themselves...

Re:Fight back!

[Technician]

Ever try to use an AOL free CD without a Credit Card? Ever try to cancel the monthly bill afterward?

By your comment, I can tell you were smart enough to never get an AOL account. ;-)

Re:Fight back!

[eric76]

(1 x 24) x 7 = $168/week.

How much CPU time does it actually take to send traffic on a network?

Even if it were a gigabit network, you probably wouldn't see that great a network utilization.

On a regular cable modem, it might take a week to use a couple of hours of CPU time.

I'd bet the CPU utilization wouldn't max out even with an 80286 and earlier computer.

So, assume it uses about 2% of your CPU. Then, it would be:

$1/CPU hour * 24 hours/day * 7 days/week * 2 CPU hour/100 hours = $3.36 per week.

Re:Fight back!

[DrXym]

Better yet if you could flick of a switch and redirect all outgoing SMTP connections straight to a local mail client that tossed the spam straight into the bitbucket.

It is possible of course that there are marker emails amongst the spam that they used to determine if you are actually sending anything (a bit like ringing up customers on a paperboy route), but those could be let through or forged.

Of course this is all academic. The persons who do these kinds of services are likely to be fly by night scumbags who you'd be hard pressed earn a cent for doing their illegal bidding. It would be much better to ignore them altogether.

Let the idiots trojan their own machines. I'm sure that $1 of pure profit will come in handy when they're looking for a new ISP.

Re:Fight back!

[DrSkwid]

and when the messagew fails to find it's recipient, how will you explain it?

Re:Fight back!

[guile*fr]

I guess with that with that money you can buy a second DSL line because the first one is hosed.

BesideI think its against your provider contract to:
- act as a server
- spam

Re:Fight back!

[magarity]

a bunch of old 386's in the attic and I'm pretty sure that I can lock down my bandwidth down to about 1 bit an hour

Yours is only one of many suggestions to use a "slow" old computer to do this on the theory that it can't handle much bandwidth. Au contraire. I used a 386-20Mhz as a Linux based firewall for my cable internet connection for several years. It easily held up to the 3Mb/sec I got on good days. I assure you that just because a 386 can't run UT2004 does not mean it can't saturate even the fastest home broadband connection.

Re:Fight back!

how should i know, i don't know anything about computers i am joe sixpack stupid windows luser! must be something wrong with your program.

Re:Fight back!

[NoMoreNicksLeft]

Like I said, 99% of these messages could be dropped, they'd never be able to confirm it.

As for the 1% that do need to be sent (secret free email accounts of the spammer checking up on you), you'd need to be able to figure out which addresses those were. Not so easy. But we do have a few clues. An AOL or hotmail account is more likely than blah@blah.demon.co.uk, for instance. I dunno, was really hoping someone more clever than I could fill in that part.

Then again, with all the loopholes, it seems they never intend to pay one red cent. Maybe they won't even go to the trouble of checking up on the fools that go for it... I mean, if they won't pay anyway, why should they care if someone were really spamming or not? Besides, if they just want to know how successful they are, they still have their spam-response rates to show them that.

Re:Fight back!

[ichandarin]

Oh yeah? An even better way to make money:

1. Sign up for the service with, say, 150 spammers. Find their contact information.

2. Sell the spammers' email addresses to, say, 100 angry users per month, who have recieved one-too-many penis-enlargement offers.

3. You sell $50 worth of spammers' addresses to 100 users per month, every month. That's $60000 per year.

4. The spammers' addresses are shut down by angry users who have signed the spammers themselves up for spam. The spammers, in turn, get new addresses. You sell the new addresses.

5a. Life of spammers is hell!
5b. Profit!

Re:Fight back!

[Allen+Zadr]

First off, some ISPs do this sort of scanning. Second, yes, they could be looking specifically for TCP Port 25 connections.

I should point out though that most of these ISPs don't actually care about port 25. If your "upload" bandwidth stays high for a specific length of time, some ISPs will shut down your IP, pending investigation. The investigation would reveal if you are violating your Terms of Use.

Re:Fight back!

[Guspaz]

Run a machine in a virtual machine, and then resolve ALL IPs to a local mail server. All mail is successfully delivered, but never leaves the machine. The spam company is none the wiser.

Re:Fight back!

[kayen_telva]

actually he was saying he would throttle the bandwidth down.
the mention of computer type was incidental.
but you are right.
I use a pentium 233 for a firewall/router and it handles everything I can dish at it.

Re:Fight back!

[NoMoreNicksLeft]

Some mails might need to be delivered. I wouldn't think that it would be more than 1 or 2 a day, tops... but those would be the giveaway.

Now, figure out which addresses you need to do that with, then do what you said for all the rest. Then they really are none the wiser.

Re:Fight back!

The spam-merchants would be glad to be rid of a fraudster like that

Why exactly? A "fraudster" who can in effect produce, say, 1000 times the spam a normal person could, is worth a 1000 honest spammers to them.

Re:Fight back!

[ManoMarks]

Actually, I would think that the spam-merchants would love it. After all, if the zombies are doing mass-sending, they're getting their CPU usage. The Feds on the other hand...

Re:Fight back!

Can you trust a spammer to actually pay you for this?

Re:Fight back!

Think about this, "Can you actually trust a Spammer to come thru and PAY you at the end of the month ?"

Re:Fight back!

Now I know what to do with all those old 286 systems I have. The slower the CPU, the less work that gets done - but they're paying for the CPU by the hour!

Re:Fight back!

[WuphonsReach]

In short, after you sell your soul and your internet access, you get nothing in return. Zero, zilch, nada. Find someone who has received a nickel from these guys, if you can.

I'll bet you get a free gift!

Identity theft! Especially since they'll probably ask for account information where they can deposit your ill-gotten gains.

(Never try to out-scam a scammer... it's like trying to argue with an idiot.)

Re:Fight back!

[WM_NCDESTROY]

Hey now, don't sully the good name of drug dealers by associating them with spammers!

Re:Fight back!

[rixstep]

That's US$ per CPU hour - that's not going to add up. There's real time, system time, and CPU time. CPU time isn't squat.

Re:Fight back!

Absolutely don't archive their site http://www.virtualmda.com/
by 24/7 wget'ing it to dev/null because that might consume bandwidth they really need.

Re:Fight back!

[JuggleGeek]

All mail is successfully delivered, but never leaves the machine. The spam company is none the wiser.

No, because as explained previously, they'll seed the list with some of their own "test" addresses. If the mail doesn't get delivered to those addresses, they'll know you didn't send the emails. To get something like this to work, you would need to sort out their seeds from the rest, and deliver the mails to the seeds. Since you have no way of knowing which addresses are seeds and which are from "BillyBobsIncredible5MillionOptInAddresses" CD...

Re:Fight back!

[SeregonSandgrain]

I use a pentium II 200 for a firewall, router, web server (several sites), mail server, MUD server (2 muds), ssh server and a few other things. My connection runs through at about 500kb/s (can get about 510kb/s if not through it). I experience very little lag when accessing services, too. So ya, it handles everything I can dish at it.

Re:Fight back!

[huchida]

Ever tried to sign up for an AOL account with one of those basically anonymous, pay-in-advance Visa cards you can pick up at Rite-Aid?

Yes, it works.

Re:Fight back!

[Pointer80]

I realize that some ISPs do it. I was just curious what they were using. We (the ISP I work for) just block outbound 25/tcp for our customers.

My question was _what exactly_ was the parent of my original post using.

FWIW, we don't really care how much bandwidth our customers are using. /pointer

Re:Fight back!

[The_Mr_Flibble]

We monitor the average number of connections coming from assigned blocks of ips (on port 25) then doing some strange mathy type stuff on it then blocking it if it gets to a certain number. However we can only do this on our broadband connections.

Re:Fight back!

[cyb97]

I guess you didn't read the part of the link that said if you UID logged more than 24 cpu-hours in one 24h period; your account would be suspended.

Re:Fight back!

[Pointer80]

Is this something that you guys wrote in house?

Something based on libpcap?

Is this using iptables or snort?

Thanks for the info (in advance). :)

/pointer

Re:Fight back!

[The_Mr_Flibble]

Yeah our system engineers built it (I only play with routers and a bit of administration of the systems). I know the firewall part of it is based on iptables (and possibly a bit more) but I never really get time to play with the systems very much anymore since our department got downsized and I have very little time left (what with reading slashdot and all)

Re:Fight back!

[shadowcabbit]

Ah, I guess not.

Read the article? Where do you think this is, pal? ^_^

Re:Fight back!

[LaCosaNostradamus]

Wasn't there some article on K5 about a scam of selling speakers from a van? Buying (likely) stolen goods and getting a Radio Shack cheap speaker (or a box of bricks), is about on the same level of this. We should not expect anything but people wailing in misery when the spamlords fail to produce the payments allegedly promised.

That aside, you gotta admire the pluck of the spamlords. They're preying on the weakness of ignorant hope currently infecting the middle and lower classes. "Just leave your comptuer on! Eventually you'll get weekly checks!" Multilevel marketing schemes have planted their seeds in this fertile ground for ages, and have continued to harvest their ill-gotten fruit.

We're going to see a whole lot more of this. You just can't underestimate the stupidity and desperation of the public.

Re:Fight back!

[Technician]

pay-in-advance Visa cards you can pick up at Rite-Aid?

Those still exist? I thought they pretty much died because they they were abused so much. A primary example of abuse was using them to sign up for a SPAM sending account with an ISP. Other abuses were for hotel rooms that were thrashed. I'll have to check out Rite-aid and see if they are still avaliable for a totaly anonymous cell phone to call to check my orders from Bin Lauden. (Just kidding)

But seriously, I thought the pre-paid credit cards were toast due to abuse/drugs/rip-off's etc.

Re:Fight back!

[huchida]

I saw them for sale recently. There are lots of illegal immigrants in my community so I wouldn't be surprised if they were pulled in some areas, but quietly left on the market here.

I believe you can also buy them in the form of "Gift Cards" -- a credit card sold as a gift certificate you can use anywhere (American Express definitely sells these, though I don't know if you have to be an actual cardmember to buy them.)

Anyway, if you want to call Bin, just go down to Target and pick up a Virgin Mobile pre-paid cell phone. I have one, all you need is an e-mail address to sign up-- otherwise they're completely anonymous (you can buy top-up cards with cash.) I'm surprised these things are legal, you essentially get a phone, number and voice mail that's pretty much untracable... The exploitation potential is pretty obvious.

Re:Fight back!

[GORby_]

Why doesn't anybody seem to notice that the word CPU time is used instead of just time. This means that you will get this profit only if the application is constantly using up 100% of your CPU.

I seriously doubt if that will be the case. I guess your mail server and some other apps will be eating the majority of your CPU time, leaving you with maybe 20-30% of that income... and an evil SPAM mark on your forehead!

Timmy the Wet Blanket

[Mr.+Darl+McBride]

Just try getting through to a human when you tell most ISPs that you want to close your account. Hell, they've written articles about what happens when you try with AOL and MSN.

So keep your editorializing to yourself, Timothy. If I can finally get that ISP account closed AND earn $2-3 in the time it takes my ISP to sort through the hundreds of complaints against me and kill my login, then I'm all for it.

If you're really so high-and-mighty against this, sign up to sell those "CPU hours" the site says they wayt, and iptables -I OUTPUT 1 -j DROP -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 25, tough guy. You can bet that you'll never see a dime. Of course they're going to insist that they only send a check once you reach $100 or some number like that. And how many ISPs will tolerate four days of spam complaints? Hint: None of them are in the USA. And if you're not in the USA, ask around and see who's heard of an "international small claims court."

Re:Timmy the Wet Blanket

[Audigy]

From the website: How It Works Use this web site to download VirtualMDA, create your account, and begin using the program. Once you become a VirtualMDA user, you can return to the VirtualMDA home page periodically, login to check your earnings, and "cash out" everytime your earn fifty dollars. When you decide to cash out, Sendmails will transfer the money into your paypal account within a short period of time.

Re:Timmy the Wet Blanket

[GPLDAN]

Oh, and by the way, they will need your paypal account information, including your password.

Re:Timmy the Wet Blanket

[BigDork1001]

When you decide to cash out, Sendmails will transfer the money into your paypal account within a short period of time.

So not only do I get to piss off people by spamming I get to use PayPal. This keeps getting better and better.

Re:Timmy the Wet Blanket

[Mr.+Darl+McBride]

It looks like you prepared two posts and accidentally posted both at once? There's a funny post. And there's an informative post after the 'tough guy' part

I did. It's still early here in Utah, so I'm still quite rather drunk and I botched my posting script.

Thanks for pointing this out.

Re:Timmy the Wet Blanket

[BoldAC]

At $1/hour, this sounds like a low-gain way to infuriate both your friends and perfect strangers.

Why? Guys like this post to infuriate friends and strangers on slashdot... and does it for free!

If trolls thought they could make a dollar an hour, they would jump on it.

AC

$1/hour

[PurdueGraphicsMan]

At $1/hour, this sounds like a low-gain way to infuriate both your friends and perfect strangers.

What happens when other spammers adopt this business model? That $1/hour assumes that you would only work for one spammer at a time. If you were really trying to make a career out of it I'm sure you'd be working for as many spammers as once as you can handle. That being said, it's still a very sleezy way to make a few bucks considering the majority of people hate spam.

I for one would feel like I was selling the rights of everyone else for a living. I'm not sure how people can feel "good" about doing something like this.

Re:$1/hour

[Maestro4k]

• That $1/hour assumes that you would only work for one spammer at a time.

Actually it's $1 per CPU hour, so you can only work for one spammer per CPU hour. Seeings as spammers spam nonstop, I doubt your CPU cycles would ever be free to sign up with another spammer.

Re:$1/hour

[SilkBD]

I'd feel extremely bad doing this... I'd have to spend more time in the Carribean on my Yaht to feel better about it.

I'm sure that a daily massage by beautiful exotic woman would also help me feel better about it.

*gulps*

Re:$1/hour

[Rew190]

Not to mention that you could also have multiple computers doing multiple accounts at the same time...

Re:$1/hour

[myc_lykaon]

I for one would feel like I was selling the rights of everyone else for a living. I'm not sure how people can feel "good" about doing something like this.

It's the tragedy of the commons I'm afraid. Why do people murder? Why do people steal? Why do people feel the need to break into your house, steal your laptop and your CD collection and then take a shit in your bed? They feel, so long as it is 'them' doing it to 'not them', then it is a null question. They are sociopaths. 2k years ago they would have been left outside the village barricade and been told to fend for themselves and never come back. Now we see them as an tolerated byproduct of freedoms in society and not ostracising them as a mark of our civil advancement.

Re:$1/hour

[Suidae]

What makes you think I'd actually report valid data?

Never trust a client computer, particularly if you are a spammer paying that client.

I'd be willing to report about 500 hours of work per day to as many spammers as I can scam.

Re:$1/hour

[micromoog]

Tragedy of the commons refers to crimes that can be rationalized as "not really hurting anyone specific", not the individualized crimes you mention. Selling CPU cycles to a spammer is a good example; murder is not.

Re:$1/hour

[danidude]

I for one would feel like I was selling the rights of everyone else for a living. I'm not sure how people can feel "good" about doing something like this.

Well, It is not a breaking new, but there are people in the world capable of killing, practicing genocide, throwing planes into buildings full of other people. I'm sure that finding people willing to gain a buck/hour when it is the computer that is doing all the work will not be that hard. Unfortunelly. :(

Re:$1/hour

[Cobralisk]

You only have 1 CPU laying around your basement?

Re:$1/hour

[Anonym0us+Cow+Herd]

$1 per CPU hour. But nobody said anything about how fast that CPU needs to be.

How about a beowulf cluster of x286's?

Fifty old slow cpu's and you're making $50/hour.

Oh, and did I mention that my 50 old x286 boxes all share a single dial up line?

On a 300 baud modem?

Re:$1/hour

[mirko]

If yes, I'd then suggest he installed VMWare on it so that he'd simulate 3000 CPUs with his Pentium 75.

Re:$1/hour

haven't you heard of multitasking?

as a matter of fact, take a single box (read: physical CPU), drop a couple (or more) of low-overhead VMs on it (read: multiple virtual CPUs), and let each VM work for one (or more, read: multitask) spammer(s).

I think I just figured out how to afford that Ferarri. I'm thinking "spam farm", "spam cluster", or even "hpc-beowulf-spam cluster"!

Re:$1/hour

[Bert64]

Per CPU Hour? Well then theres an easy way to make money here... Just buy lots of machines with very slow cpus, or buy some ancient multiprocessor machines that contain lots of slow cpus..
Or perhaps run vmware, and create 500 virtual ultra-slow cpus on your one machine

Re:$1/hour

[eclectus]

but what if I send all that mail through my default mail gateway (my other machine), which accepts the mail and directs it to /dev/null?

Re:$1/hour

[STrinity]

$1/CPU hour? That's outrageous! Not only are spammers clogging servers, but they pay computers sweat-shop wages! Fight back. Demand they pay your computer minimum wage.

Re:$1/hour

[Lord+Apathy]

I'm sure that a daily massage by beautiful exotic woman would also help me feel better about it.

Would work for me!

Re:$1/hour

[Ifni]

And the hosts file resolves all domains to 127.0.0.1?

This really sounds like a great way to get kicked off your ISP for violating their AUP.

Re:$1/hour

[Eraser_]

Assuming they don't seed the list with their own addresses to insure validity (damn gave them the idea), whats to stop you from just, you know, setting up your {freebsd|openbsd|linux} gateway from re-routing port 25 traffic to your own custom sendmail hack? "Accept" all the mail it sends and pipe it to /dev/null. Check to see if it's the daily report or whatever just in case they use email to send themselves the data. I see this as a great way to STOP spam ;-)

Re:$1/hour

[jrcamp]

Assuming they don't seed the list with their own addresses to insure validity (damn gave them the idea)

Not really an original idea. Snail mail mass marketers seed their lists with their own PO Boxes and such to ensure that mails are actually getting sent.

Re:$1/hour

[megalogeek]

That's true, but the companies who sell mailing lists also seed the lists they sell with mail drop addresses so the lists can only be used once. If they recieve a second piece of mail for the same address, the company gets billed for the list again.

It's true, I used to work for one of the companies that sold the lists--I know, I'm going to hell now.

--James

Re:$1/hour

[__aawavt7683]

I must say... wrong. One CPU hour. My distributed.net client has 226 hours in... my comp's been up for 1 week, 2 days, 15 hours (it's a windows box :-/). Now, mirc has been running 99.99% of that time... it's cpu time is 11 minutes 24 seconds. Winamp, up for the last four days and playing music for approximately 10 hours, 9 seconds cpu time. Bittorrent, up for most of the week with about two clients going, four minutes.

The point is, it's _hard_ to rack up a cpu hour. With this spam coming through, you're basically hosting a proxy. Even if they completely saturate your connection and run non stop, it'll be a very long time before they manage to take up one CPU hour. Further, if they managed to take up one CPU hour every hour, your system would be utterly unusable and you'd have to have the connection of a large ISP.

So really.. besides this not being worth it, they're not even giving the expected. Unless the website uses terms incorrectly, they'll be paying you about 1$ a year... and in that time, billions of spam messages can be sent. Not worth it in any measure. My cpu hour is worth far more than 1$.

-DrkShadow

Re:$1/hour

It's not the CPU speed, it's your bandwidth. Let's say you have enough bandwidth to send 1000 emails an hour. Even on a 486 you will only need a tiny bit of CPU time to send out 1000 emails.

The key thing to remember is that the spam program doesn't keep running when it runs out of (300bps modem or whatever) bandwidth. If you have to wait 1/2 sec for more bandwidth, that 1/2 second counts as idle time.

So, 1000 emails on a modem = as much CPU time as 1000 emails on a T1 = maybe a couple seconds of CPU time per hour of "real time." It'd take you forever to get even $1's worth of time.

Re:$1/hour

[Lost+Race]

Assuming they don't seed the list with their own addresses to insure validity (damn gave them the idea)

Spammers have had to do that ever since they started using open/hijacked proxies, to make sure they aren't just hitting honeypots.

Re:$1/hour

[chainsaw1]

If we can trust that the spammers will have variance in their distribution lists, then over time it should be possible to determine which addresses are the seeds and which are the innocent. As the list changes, we can see some addresses go and some new ones added. There should also be some that stay the same. The more lists received, the fewer addresses that will be the same on all lists ever received.

At some point, the number of similar addresses across all lists received should reach a minimum limit. At this point, these remaining addresses should be the most likely canidates for the seed emails.

The amount of time it takes to wittle down the list is going to be inversely proportional to the variance in the address lists used.

Sounds like a bad idea

[thebra]

and plus I'm still waiting for my check from All-Advantage!

Re:Sounds like a bad idea

[unformed]

Actually, one of my friends a few years ago made a few hundred dollars over a year through AA.

(That's by the AllAdvantage stuff, not by sneaking alchol into AlAnon.)

Re:Sounds like a bad idea

I got paid until they figured out how I was scamming them....

Re:Sounds like a bad idea

[ergo98]

They paid me and my friends as well. Trivial amount of money, but it was a free lunch on them.

Of course I did feel a little guilty about it: Strange that they'd pay for an automated testing utility to perform GUI actions for a 20 hour or so interval...

Re:Sounds like a bad idea

[tonywong]

Dude, I actually got two cheques from All-Advantage before they went down...

Re:Sounds like a bad idea

[phita23]

I made over $1000 by AllAdvantage. I referred one guy, who was a master spammer or something. I was up to like $30,000 one month, and they realized he was a spammer and took most of his, and my referalls, away.... but I guess they didn't find all of his :D.

Re:Sounds like a bad idea

[Zork+the+Almighty]

I'm killing my moderations to post this, but did anyone actually read their website ?!

Your computers are always on, and always connected to the Internet. And yet, for most of that time, they have no productive use.

I am pissing myself over the irony.

Re:Sounds like a bad idea

[nametaken]

Wow, AA was great. A quick little VB program running off a list of URLS at random intervals, with random locations sent as mouse movement and a one-key break. Now get the pyramid of users rolling and you wonder why they went bust.

Of course, I didn't do this... I just HEAR it happened. What was that little VB app called again? The Money Machine? ...something like that, I think.

Great

[TheSpoom]

Great. Way to give them free advertising on a very popular website. As much as Slashdot has users that for the most part hate spam, we also have trolls and people who just don't care and see this as a way to make money. I can hear them cheering right now.

On another note, perhaps legislation should be put forward to outlaw distributed (this would have to be defined further... perhaps third party or in a different physical location, obviously wouldn't want it to affect legitimate servers) mail delivery like this. There's not really any point in a widescale distributed email delivery system OTHER than delivering spam that I can think of... Though I'm sure spam companies would try to come up with something. In this case, I think legislation may be a good thing.

Re:Great

As much as Slashdot has users that for the most part hate spam, we also have trolls and people who just don't care and see this as a way to make money. I can hear them cheering right now.

As a generality, the trolls are far more technically sophisticated than the overwhelming mass of Slashbots. They get a kick out of yanking the chains of overzealous, underinformed Lunix kiddies but they're far more likely to be sending reports to SpamCop or whoever than is the average jackass yapping about "the community".

Re:Great

You must be new here... the /. crowd is quite against the idea of security through obscurity. This is the same idea.

Re:Great

[PretzelBat]

The problem with legislation is that... well, I don't know how to say this nicely. Despite the fact that we elected them, our wonderful government officials seem to be fairly stupid. I mean, really, they create as many problems as they solve with most of the laws they pass.

Calls for legislation at the drop of a hat are not usually wise. We have a law in place to prevent spam (granted it's not a great one). Let's enforce the bad laws we've got before we write more bad laws.

Re:Great

[hoggoth]

> Great. Way to give them free advertising on a very popular website.

Well, for now it's a great way to pummel their web server into submission.
If only we could keep the slashdot effect working for months instead of days.

Re:Great

[Mr.+Darl+McBride]

Great. Way to give them free advertising on a very popular website. As much as Slashdot has users that for the most part hate spam, we also have trolls and people who just don't care and see this as a way to make money. I can hear them cheering right now.

Oh, tish tosh. They're now very much in the public eye because of articles like this, which means a better chance of a politician spotting them. And, being an election year, they'll be tripping over themselves to be the one to legislate this monkey into the ground.

Believe me -- they would very much have preferred to have the URL passed around by naive high-schoolers on AIM than have had it thrown so far and wide as this.

Re:Great

[phorm]

Error Diagnostic Information

An error has occurred.

HTTP/1.0 404 Object Not Found


You know... I wouldn't mind free advertising on a popular website, but getting one's site on a headline article of slashdot is not always a good thing. I'm thinking these spammers would rather do without such "popularity"

I'm guessing that $1/hr is a lot less than they have to pay out in charges for exceeding bandwidth limits.

Re:Great

[kwoff]

There's not really any point in a widescale distributed email delivery system OTHER than delivering spam that I can think of...

And nobody needs more than 640kb of RAM, and all the important science has been done already, and because I can't think of anything lets outlaw any new laws of nature.

Re:Great

[Jeagoss]

Well, I wouldn't call it free advertising. I would call it preventitive measures. It appears their website has been slashdotted. The slashdot effect seams to be a very good defence for preventing people from visiting a website. Maybe, we should just run a different story every hour or so with the website address of this software in it.

Re:Great

[GreyWolf3000]

Yup. Imagine a distributed emergency information relay system.

Re:Great

[mwood]

You don't think the party bosses would allow anyone *smart* to run for office? Intellectually challenged people with photogenic grins make much better puppets.

Re:Great

Perhaps you know about the /. effect, perhaps you don't know about the /. DUPE effect?

Re:Great

[lightspawn]

On another note, perhaps legislation should be put forward to outlaw distributed (this would have to be defined further... perhaps third party or in a different physical location, obviously wouldn't want it to affect legitimate servers) mail delivery like this. There's not really any point in a widescale distributed email delivery system OTHER than delivering spam that I can think of.

If it's covered by existing laws, we don't need new ones. And remember that laws aren't enforced - they're just feel-good measures.

Plus, you wouldn't want the gov't to accidentally make SETI or distributed.net or something illegal, would you? Remember when video games were illegal in Greece? (are they still illegal, or did they fix it?).

Re:Great

And my mind immediately jumps to the most popular defense, and one telemarketers use, "What happened to freedom of speech?" Or some such bullshit loopholein the constitution that gives people the right to annoy others for a profit.

Re:Great

Well, if they want to trust spammers to actually pay them I say let them do it. I really doubt that these criminals would pay people, but programs like this help make their activites seem legamit and trustworthy. The only person here who will win is the spammer, and those who share the spammers greed and lack of ethics will end up being screwed.

Plus those who run this crap(which could include other nasty things like raping open proxies, compromising computers, installing a key logger, etc) might even manage to get kicked off of their ISP for spamming.

Re:Great

[TheSpoom]

That's why I said making a distributed email relay system illegal, not anything like what was mentioned.

Re:Great

[lightspawn]

That's why I said making a distributed email relay system illegal, not anything like what was mentioned.

One of my points was that since politicians are non-technical (you know, what we geeks call "stupid"), they can end up wording the thing wrong and outlawing much more than intended (like all video gaming instead of gambling, as in Greece).

Re:Great

[Frizzle+Fry]

There's not really any point in a widescale distributed email delivery system OTHER than delivering spam that I can think of

This is the same argument as "there's no point to kazaa other than piracy", "there's no point to encryption unless you have something to hide", "there's no point to hacking tools unless you want to break into a system illegally", etc.

Those arguments are derided hear because they take away our rights in order to protect the profits or convenience of others. But suddenly when we have the chance to take away someone else's rights (for example, someone trying to distribute a large mailing list in a distributed way) for our convenience (stopping some spam), no one objects. You're not all so different from those you hate as you think you are.

Re:Great

[JuggleGeek]

If only we could keep the slashdot effect working for months instead of days.

Load page in Opera, right click, select "Reload every X seconds", depending on how much bandwidth you are willing to use up. I suspect that most browswers have a similar feature.

Re:Great

[chainsaw1]

nohup while [ true ]; do lynx -source www.virtualmda.com > /dev/null 2>&1 ; done &

Re:Great

[TheSpoom]

It's called putting an idea forward. If you don't like it, come up with some constructive criticism and make a better idea, rather than taking the easy road and shooting down ones that are already out there.

Thousands per year

[millahtime]

(1 x 24) x 365 = $8760 per year.

The money is tempting. Imagine all the toys that could be bought with it.

Re:Thousands per year

[PurdueGraphicsMan]

I will also confess/be honest and say that it is tempting. That's money that would seem free to the person "earning" it.

Re:Thousands per year

[gowen]

Imagine all the toys that could be bought with it.

Forget that, Imagine how much I'll be able to extend my penis...

Re:Thousands per year

[nojomofo]

If I'm going to sell my soul, I'm going to sell it for a lot more than that!

Re:Thousands per year

These aren't "good Xian soldiers" here (not that that would be any better). Do you REALLY trust them to pay?... I somehow doubt that they're willing to cut you a cheque or M.O. Wouldn't surprise me if they were running a double-scam: "Yeah, umm, your $1723 weasel payment is coming right up. Can we just have your account and routing numbers?"

Not that we would fall for it, but just think about who will.

Re:Thousands per year

[mirko]

Well, I'd go for these 87xx$ : I'd just run their spam program on a very very old computer which'd perform only one mail per day (and which'd only resolve adresses within my own intranet so that it would not bother many people).

Re:Thousands per year

[supun]

Imagine your provider shutting down your service after the first week.

Re:Thousands per year

[Braingoo]

5 computers runing 24/7 is 120$ a day runinng 7 days straight is 840 a week you could live off that easliy.

Re:Thousands per year

[Lehk228]

time to go get an old computer and screw up it's internal clock so hours pass in a second or two

Re:Thousands per year

[Lord+Apathy]

Damn Straight! I would want a bigger TV out of it too.

Re:Thousands per year

[System.out.println()]

It's not hard to take advantage of. Run it on a 100MHz (or the lowest speed this thing'll run at) computer on a slow-ass connection, you'll only send out a few spams, but get paid the same.

Get a Beowulf cluster of those.... ;)

Re:Thousands per year

[antarctican]

I wonder, is there any way one could setup a dummy machine between your "CPU" and the internet to trick this software into thinking it's sending out spam? Some kind of dummy MTA that responds to all outbound port 25 requests and "accepts" all emails.

It would be fantastic! Take the spammers money and have all their spam flow into a big blackhole. This has definite possibilities....

Re:Thousands per year

[eschasi]

>The money is tempting . . .

Assuming you'd actually get paid. Who wants to be most users will never see a dime?

Re:Thousands per year

[NanoGator]

"If I'm going to sell my soul, I'm going to sell it for a lot more than that!"

Why would you be 'selling your soul'? Sounds to me like you'd be forcing change. If spam becomes ridiculous enough, suddenly new email protocols etc come into demand.

Re:Thousands per year

[JaffaKREE]

First off...

There are a lot of posts below mentioning that "real time" != "computer time". Anyone who has run SETI or the UD Agent can tell you, there's less of a difference than you may think. For the vast part of any day, your processor is sitting close to 0% usage (I'm speaking for home computers, not graphics processing systems, etc). Any machine dedicated to this could easily hit 23+ hrs per day, even if the process priority is "lowest" or "idle". I have a machine here that I rebooted about 10 hours ago, and the UD agent has used 8 Hrs/30 minutes since then - and I've been actively using the box.

Second, I think people will have a Massive interest in a program like this. Think of how many clock cycles get dedicated to SETI, and they don't pay $1/hr. 6 computers here, @ $20/day ? That's more than $800/week (assuming legality/no B.S. from the company). Can I say no to an extra $800 a week ? Even $400 a week ? Morality of spam aside, that's a tough decision.

Re:Thousands per year

[TheRaven64]

Better idea:

They don't actually get delivery receipts for these things, do they? So as soon as the email's left their program, they assume delivery. So set up your computer to resolve every IP address to the loopback device, then just send yourself spam. Even better, use the spam as seed material to refine a spam filter, and publish the result.

Re:Thousands per year

[ForteTuba]

I dunno, if I were writing a program like this, I'd insert mail addresses I monitor into the stream of addresses I sent out. If I send one of those addresses to you, and I don't get my mail back, no soup for you.

Re:Thousands per year

[aastanna]

From their terms and conditions:
"In the event of technical problems or data loss which causes a loss of account information, your account will be reset at $0.00, and you hereby waive any and all claims for any amount previously accrued but not yet disbursed."

You can't claim until it gets to $50, and your account can be reset to $0 at any time.

Re:Thousands per year

[aastanna]

From their terms and conditions:
"If your UID logs more than 24 CPU HOURS in one 24 hour period, your account may be suspended or terminated for unusual or suspicious activity."

Re:Thousands per year

[aastanna]

From their terms and conditions:
"In consideration for this Service, Member agrees to: (1) create only one account per household and, (2) provide certain current, complete, and accurate information about Member as prompted to do so by the Service"

Since they send you the checks in the mail you'd have to give a vaild address. I doubt they'd let you register to a P.O. box.

One other thing I haven't seen mentioned yet (though I haven't read to the bottom of the comments) is that this is spyware.

Also from their terms and conditions:
"SENDMAILS CORPORATION collects online behavior statistical information for our members. Examples of information that we collect, other than through the registration form, include URL of visited pages, registration for offerings and IP addresses. Examples of data gathering activities include web page retrieval, domain tld discovery, and internet port/proxy discovery."

Re:Thousands per year

[John.Thompson]

I suspect it will be much less than that. Note that the Virtual MDA web site states that "Sendmails pays VirtualMDA users based on every CPU hour used." CPU time is not the same as the entire time your computer is switched on; only those CPU cycles used by their spamming software will accrue towards the $1/hr they offer. From my mail server:

last pid: 1164; load averages: 2.06, 2.03, 2.05 up 9+18:45:52 14:10:25

118 processes: 3 running, 114 sleeping, 1 zombie CPU states: 0.0% user, 99.2% nice, 0.8% system, 0.0% interrupt, 0.0% idle

Mem: 170M Active, 118M Inact, 89M Wired, 17M Cache, 61M Buf, 106M Free

Swap: 512M Total, 484K Used, 511M Free

PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU CPU COMMAND

79891 smmsp 2 0 1880K 1168K poll 0 0:14 0.00% 0.00% mimedef

636 smmsp -6 0 25880K 24908K piperd 0 0:08 0.00% 0.00% perl

835 smmsp -6 0 14304K 13812K piperd 0 0:03 0.00% 0.00% perl

73986 smmsp 2 0 2188K 984K select 1 0:01 0.00% 0.00% mimedef

243 smmsp 18 0 2384K 1224K pause 0 0:01 0.00% 0.00% sendmail

73986 smmsp 18 0 2388K 1760K pause 0 0:00 0.00% 0.00% sendmail

You can see that sendmail only accrued about a seconds worth of cpu time in the 9+ days it has been running here. Granted, a busy spam spewer would rack up cycles much faster, but it still wouldn't amount to the total length of time the computer has been running. I'd guess after a couple weeks of continuous spamming, you might have earned an hour or so of cpu time. Whoopee! Sign me up. Not.

Re:Thousands per year

[JuggleGeek]

$8760 per year. The money is tempting.

Two points you seem to be missing.

1: Rule #1 is that spammers lie. Do you trust them to pay?

2: How long before your ISP see's you sending massive amount s of spam and shuts you off? How long before your IP gets blacklisted, so you can't send legitimate mail? How long before a friend of yours figures out that you are doing it and burns down your house? There are a lot of side effects, and the chances that you could do this for a year without hitting some major problmes is very, *very* small.

I'm assuming that you already realize the moral implications of this - I could be wrong.

Re:Thousands per year

[zbuffered]

"will pay you $1 per CPU hour..."

You don't think that this thing will be using all your idle CPU time, do you? Certainly not -- it will use 2-10%, and that's going to cut deeply into your profits.

Re:Thousands per year

[BuckaBooBob]

Welll Pretty much every ISP has no spamming in their AUP... so alot of people will be talking to their ISp support when their accounts gets turned off for spamming.

Re:Thousands per year

But as another poster pointed out, you will use up all your outgoing bandwidth before you hit anywhere near 100% of your CPU time.

Someone also posted that they installed the program and only got 2% CPU time. And it contained spyware... not such a great deal.

Re:Thousands per year

[femto]

So, if I fire up twenty 4004 cpus on the end of my 300 baud modem, does that mean I get $480 per day? Sounds like a pretty good deal to me.

The only catch being that the whole thing is probably a scam and the spammers have no intention of paying anyone anything.

Re:Thousands per year

[beetle99]

I'm not so sure they would allow you to have multiple systems going... Reading their terms of service (here), in section 2, "Payment", it says, "You will be paid by SENDMAILS CORPORATION $1 (one dollar) for every Central Processing Unit Hour ("CPU HOUR") used by the VirtualMDA software located on your personal or business computer(s) (either or both of which shall be the "Installed Computer(s)") is actively connected to the internet ("Online"). The Installed Computer may accumulate a maximum of 24 CPU HOUR's in one day. If your UID logs more than 24 CPU HOURS in one 24 hour period, your account may be suspended or terminated for unusual or suspicious activity." [emphasis added by me] What this might be saying is that no matter how many systems you run their agent on, it is treated as one "Installed Computer" and they'll only pay you for up to 24 CPU hours in a day. I could be wrong, but it makes sense to me that they wouldn't want people setting up arrays of systems in order to maximize income - their approach works better if you just have one computer that is "flying low under the radar" of blocklists.

Re:Thousands per year

[Stray7Xi]

Except I did send it to you! Your ISP must of filtered it out as spam!

illegal in many places

[PrvtBurrito]

It also needs to be said that this is also illegal in many places (due to spam laws). Spammers are very good at hiding their identities. Stupid users are not, and would be relatively easy to get caught. Honestly, it sounds like a money saving scheme, get someone else to break the law for you, and you come out clean as a whistle. -Sean

Re:illegal in many places

[ArmenTanzarian]

People who hire contract killers can also be brought up on charges though. This should be "conspiracy to be a dumbass" and be punishable by chemical castration.

Re:illegal in many places

punishable by chemical castration
I agree if by chemical castration you mean pouring caustic chemicals on their genitals.

Re:illegal in many places

This also means the spammer can be found. The check has to have an address on it (unless they are paying through paypal).

We've already struck back...

[Phil+John]

...ph33r the /. effect ;o)

Re:We've already struck back...

[stecoop]

Something funny when I did a yahoo search (to get a cahced article) this is the only page about www.virtualmda.com on http://www.sndr.org/email_deployment.html; Interesting...

Email Deployment

Reliable and Effective Email Campaigns

Sendmails Corporation has created relationships with over 60,000 individuals throughout the world who act as sending agents for the Sendmails Corporation Distributed Email Delivery System. Sendmails Corporation has developed a software called VirtualMDA (see www.virtualmda.com ) which resides on these sending agents’ machines and periodically talks to an array of servers within our data center, looking for messages to deliver. When messages are available, each agent machine can receive up to 100 emails to deliver. For example, with 20,000 agents sending 100 emails each, the Sendmails Corporation Distributed Email Delivery System can deliver 2 Million emails in one quick shot.

Politeness is key

There are approximately 4500 "well known" mail servers within the US and Canada, so being "polite" on how we connect and deliver the messages is important. Sendmails Corporation doesn’t want to cripple the receiving mail servers with millions of messages, so we create delays and meter traffic so not to overload the receiving server with connections.

Distributed delivery prevents blocking

Sendmails Corporation developed our Distributed Email Delivery System because many email providers will obstruct otherwise legal emails from very large senders at will and without notification to the sender/list owner. Using sending agents and VirtualMDA, blocking is much less likely.

Creating a campaign

Once signed up with Sendmails Corporation, most customers can create their campaigns in a few easy steps through our web interface:

1. Create the campaign
2. Test and OK the campaign
3. Set delivery date and time
4. Upload your data records
5. Set the campaign to "Ready."
6. Our system automatically starts delivery at the time and date set within the campaign.

For more information about using Sendmails Corporation to deploy your next email marketing campaign, contact us.

ISPs

[Zog+The+Undeniable]

Most ISPs prohibit this in their T&Cs. So unless you have a direct pipe to the Internet, you're surely going to be cut off as soon as they realise what all that 24/7 traffic is?

Re:ISPs

[Indy1]

unless your isp is a pack of clueless fucks like sbc, crapcast (er comcast), roachrunner (rr.com), etc.

Re:ISPs

[Zog+The+Undeniable]

OK, I'll bite. Cut and pasted from Comcast's acceptable usage policy, you may not

'(xi) transmit unsolicited bulk or commercial messages or "spam." This includes, but is not limited to, unsolicited advertising, promotional materials or other solicitation material, bulk mailing of commercial advertising, chain mail, informational announcements, charity requests, and petitions for signatures;'

Re:ISPs

[Ben+Hutchings]

Practically every AUP says that. That doesn't mean they actually stop people doing it.

Re:ISPs

[Suidae]

Cox blocks all outgong and incoming connections on the standard SMTP port.

As a 'power user', I was a bit annoyed when I noticed this. Then I reconsidered, I'd rather be forced to my ISPs SMTP relay (which really isn't a big deal for non-business accounts) than have spammers free to send email.

Re:ISPs

[AndroidCat]

You aren't forced to use your ISP's SMTP. Most smart-hosting services will let you use another port. But unless it's business or the user has their own domain (or the ISP sucks :), it's not worth it.

Re:ISPs

[gowen]

I'll bite back : cut and paste from my server logs
comcast-spam 4445 4441 y

Meaning I've received 4445 unique spams from *.client.comcast.net (4 in the last hour) from the time when I gave up trying to get any sense from abuse@comcast.net (about 3 months ago)

UBE/UCE Liability Issues?

[aksansai]

Does that mean that for a buck an hour, you also get your own set of legal issues if some ISP, like AOL, decides to come after you for spamming their customers?

Losers?

[tikoloshe]

Are those spammers who are paying to use peoples computers to spam, such losers that they cannot even hack together a virus/trojan to hijack unprotected computers to spam like the real spammers?

Earn money fast!

[EinarH]

I wonder how long it will take before someone finds out that they can use captured, trojan infected, computers to relay spam and earn money through this scheme.
I guess it's tempting to think that "ahh, I have 500 "clients" and could earn thousands each day!".

Re:Earn money fast!

[IncarnadineConor]

Isn't that what has been happening with all the latest worms?

Re:Earn money fast!

[LordKronos]

I was thinking, how long until someone figures out how to hack this program, firewall it off, redirect a port, or something so that they get the money* but the emails never make it to their destination.

*assuming the spammers are honest enough to pay...I wouldn't take that bet

Re:Earn money fast!

[EinarH]

Isn't that what has been happening with all the latest worms?

True. But many of the crackers/script kiddies that control large amounts of infected computers have not found a way to earn money on it yet. Some of them are not in it for money but more for the "look dude I controll xxx # of computerz, I roxxor" or for the joy of DDoS. But it's cash and people sometimes do even more stupid things to get some of it.
Earning money on DDoS is hard unless you have mafia connections. With this scheme it's possible to earn a buck for some wannabe spamking's. If the spammer pay up off course.

Re:Earn money fast!

Thats allready happening. According to the german Computer Magazine c't (Edition 5/2004, Page 18) one "Owner" of Trojaned Client PC's rented the controlled Maschines to Spammers. The Author of the Article (which is not named) gathered enought evidence (mainly by conning the Tojan-Writer) to allow Scotland Yard to get the Guy.
Sorry, found no online Text to this (not even in German).

Take the money and run

How can they check that you're actually processing the spam? Sign up, block the outgoing non-meat product and take their money.

Re:Take the money and run

[semaj]

How can they check that you're actually processing the spam? Sign up, block the outgoing non-meat product and take their money.

Well, it's a pretty outlandish, off the wall type idea, but perhaps maybe add a couple of their own addresses in there and see if they arrive?

Re:Take the money and run

they will seed the data

Re:Take the money and run

[Czmyt]

It would be nice if your approach worked, unfortunately, they can send themselves a message every few minutes to check that their program is actually working effectively.

Re:Take the money and run

[maxwell+demon]

They could include one or two addresses under their control into the reciever list, and if those addresses don't get their spam, they got you.

Re:Take the money and run

[Geoffreyerffoeg]

Every 500 addresses goes to a spammer's account. If it doesn't get through, you aren't paid.

It would even be difficult to defeat, since they could automatedly sign up for free accounts.

Cool! I'll do it!

[fearlezz]

$168 a week? Cool! I'll do it!

Psst.. don't tell the spammers: I'll fix the spamming problem by putting a black hole transparent proxy between the machine running their program and the internet... :)
Anything they'll try to mail gets sent straight to /dev/null.

No, not really, but it'd be a nice way to cheat them...

Re:Cool! I'll do it!

[greechneb]

I'm sure they send a test message so they can check that you actually are sending spam.

Spammers may be immorral liars, but they aren't stupid!

Re:Cool! I'll do it!

[74nova]

you do bring up an interesting issue, tho. how do they validate the spam as sent? shoot, id send all sorts of spam to /dev/null for $1/hr

Re:Cool! I'll do it!

[RevDobbs]

I'll fix the spamming problem by putting a black hole transparent proxy between the machine running their program and the internet.

That was my first thought... but I'm sure that every 100 or so spams they send out, one is bound for a Virtual MDA owned machine to test out that you're actually sending these message. It would also be fairly easy to ad some kind of tracking device to the out-bound emails to check click-through and, at the very least, whether anyone is even opening the emails you're sending out. Too low of a "message read" rate and I'm sure you get das boot. Uhm, the boot.

Re:Cool! I'll do it!

All they need do is plant a few of their own email addesses into the list of addresses you're s'posed to send the spam to. If the spam doesn't get sent to their addresses you don't get the money.

Re:Cool! I'll do it!

[74nova]

hmm... youre right. i also dont see a way to tell which ones in the list would be the monitors, either. oh well, guess ill have to earn a living still

Re:Cool! I'll do it!

[FictionPimp]

You could always insert a message at the top of the email that says:

this is spam delete now and also filter your outgoing email with a blackhole list. Maybe even run your own legit opt out and filter down the amount of spam your sending.

Although personally, I wouldn't be caught dead sending spam no matter how much I could justify it. Maybe they should start a program paying me to receive their spam, and paying the ISP to waste their bandwith.

Step 2 finally revealed!

1)install VirtualMDA

2) At a dollar every hour, I think I'll go check it out, and let iptables limit my outgoing bandwidth, or even better, drop everything with outgoing tcp/25.

3)PROFIT!!!

Trick the spammers

[micah03]

For us geeks, why not just run the program and use our own outgoing mail server that just drops the emails? Easy way to make money without actually sending out emails. I don't think it'd be too hard to trick their program.

Lighten up

[Mr.+Darl+McBride]

Just try getting through to a human when you tell most ISPs that you want to close your account. Hell, they've written articles about what happens when you try with AOL and MSN.

So keep your editorializing to yourself, Timothy. If I can finally get that ISP account closed AND earn $2-3 in the time it takes my ISP to sort through the hundreds of complaints against me and kill my login, then I'm all for it.

If you're really so high-and-mighty against this, or just want to keep your account with your ISP, sign up to sell those "CPU hours" the site says they want, and then iptables -I OUTPUT 1 -j DROP -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 25 since there's no rule against it, tough guy.

Re:Lighten up

[Yottabyte84]

At the ISP I work for, we don't block outgoing SMTP connections, but we limit them to reasonable ammounts, no more then a few dozen an hour.

It's my computer!

[cecil36]

Shouldn't the end user decide how much to charge per hour of CPU time. What I would do is price the use of my CPU so high that the cost of doing business for the spammer would be detrimental to his operation, effectively shutting him down. The money would then be used to pay off all the legal fees, fines, etc. owed to the ISP. But then again the best thing to do is not to partake in this silliness.

Re:It's my computer!

[drooling-dog]

What I would do is price the use of my CPU so high that the cost of doing business for the spammer would be detrimental to his operation

Of course the spammer is free not to accept your offer, too...

Re:It's my computer!

[maxwell+demon]

Of course you can decide how much you demand, just as they can decide how much they are willing to pay.

They offer you their price. If you accept or not, is your choice. Also, you could offer them your CPU time for another price. If they accept or not then is their choice.

Re:It's my computer!

[EricWright]

Uh... it's just like a job. If you are offered a job, the employer will make you an offer. You can either agree, or make a counter-demand. If you can't reach an agreement, then no job for you. In this case, I don't think the employer is interested in negotiations. There's nothing unique (to them) about your computer.

Re:It's my computer!

[Big_Al_B]

Shouldn't the end user decide how much to charge per hour of CPU time. What I would do is price the use of my CPU so high that the cost of doing business for the spammer would be detrimental to his operation, effectively shutting him down.

Um, in your world, what happens when the spammer just says, "No." then looks down the row to the next greedy dipwad and yells, "NEXT!"

Hmmm there might be a flaw....

1) Setup firewall
2) Filter all emails that don't go to their domain
3) Profit

Getting paid and cutting down the spam rate, sounds like a good deal to me

Better Watch The Laws

[millahtime]

"perhaps legislation should be put forward to outlaw distributed (this would have to be defined further... perhaps third party or in a different physical location, obviously wouldn't want it to affect legitimate servers) mail delivery like this"

There are may legitimate companies that have distributed mail systems in may different locations. Yahoo and M$ for example. This is not only for load but redundancy. Something like this might be hard to do.

Re:Better Watch The Laws

[TheSpoom]

That's what I was thinking, if, for example, the laws stated that the computers had to specifically be owned by the company, it could work. Of course, then you have cases where the email systems are being operated by datacenters. It would have to be very specific, no doubt.

Re:Better Watch The Laws

how about we stop suggesting legislation to fix internet problems?

if somebody running this *doesnt* find themselves cut off by their ISP within short order, they *will* find themselves on blacklists pretty quickly. the last thing we need is governments deciding how mailservers are to be ran.

CPU hour, not normal hour

[Theatetus]

It runs as a service (or whatever windows calls daemons nowadays) so you're not getting even close to a CPU hour in an hour.

Re:CPU hour, not normal hour

[gerardrj]

You are assuming that a daemon/service is incapable of running at 100% CPU utilization, which is just an entirely erroneous assumption. Background processes can hog just as much CPU time as your newest 3D shooter.
It all depends on what the thing it trying to do. Look at Seti or Folding, bot run as daemon/service/background processes and both will use 100% CPU.

Re:CPU hour, not normal hour

[gl4ss]

so what is a cpu hour?

does a VIRTUAL cpu hour cost?

how about running 100 clients on one computer under virtualisation on one feeble line that, that gets the sent spam filtered later on the line anyways, just to screw these guys up?

Re:CPU hour, not normal hour

Might be time to pull some old Mac Classics and SPARCStation 1's out of the closet.

Re:CPU hour, not normal hour

[DR+SoB]

True although, Windows for example will never let a single application always run at 100% CPU, because if so, the OS wouldn't be running now would it?

Look at it this way, if you let it use 100% CPU usuage, but only give it a 1bps internet connection (use a router to alterate the uprate speed or something), do you still get paid by CPU? Isn't the problem with spam bandwidth not CPU? I'm so confused! Would a person running a 486 with a modem get paid as much for 100% cpu as someone running a zSeries IBM mainframe on bundled T3's??

Re:CPU hour, not normal hour

[mwood]

Indeed, a Windows service is just a process started by the service controller. It could be running at top priority and starving everything else in the system, if it's set up to do that.

Even at lowest priority it'll get all the cycles no one else demands, which could be just shy of 100% all night long (plus most of the day, while you're at work or in class or whatever). Viewed over a 24-hour period, the vast majority of computers nowadays have essentially zero load.

Re:CPU hour, not normal hour

You are assuming that a daemon/service is incapable of running at 100% CPU utilization

No, he knows for a fact that this process won't be running at 100% utilization. Spamming is a heavily I/O bound process. Programmatically writing an e-mail takes nearly no time. Sending it to millions of people take a very very long time, during which the spam process will sit idle. It's a simple fact of the inherent design.

Re:CPU hour, not normal hour

I'm thinking trap it all and use it as a spamtrap. That way you're inoculated before anyone ever gets it.

Re:CPU hour, not normal hour

[misleb]

A service (when written correctly) is only going to use the CPU it needs. The rest goes the user and the "Idle system task" or whatever. I'm sure people who wrote the program did everythign they could to minimize CPU usage if only to limit the amount they have to pay out to users. Besides, sending email is largely I/O bound... not CPU bound. HOw much CPU do you need to send out email at 384kbit/sec (or whatever your cable modem limits your upload to)?

-matthew

Re:CPU hour, not normal hour

[ncc74656]

Might be time to pull some old Mac Classics and SPARCStation 1's out of the closet.

Mac Classics and SPARCstation 1s? An MTA for that Commodore 64 webserver would be more useful here. Even if they try to weasel out of paying by using "CPU hours" instead of real hours, I suspect they're not doing their budgeting on the assumption that someone might want to do this from a ~1-MHz 6502.

Re:CPU hour, not normal hour

Those are CPU-bound processes. Sending mail has a network bottleneck. If they know what's good for them, their program will block on network transfers. You won't see anything close to 100% CPU utilization.

Re:CPU hour, not normal hour

Sending spam is a network I/O intensive job, not a CPU intensive job (like SETI@Home). For the 1 hour your machine is abusing all your network bandwidth, you'd be luck to use 5-10 minutes of CPU time.

Spammers are scammers, do you expect them to not scam the PC users that agree to do this, too?

Re:CPU hour, not normal hour

Would a person running a 486 with a modem get paid as much for 100% cpu as someone running a zSeries IBM mainframe on bundled T3's??

Yes. They can reset your account to $0.00 on any number of technicalities (that they can control). (See their terms and conditions).

So NASA's main computer system will get the same payout as my 286 with a 800 baud modem, namely: zero.

SCAM THEM!

[Grendel+Drago]

Oh, come on! This is a perfect opportunity to scam the scammers! Remember AllAdvantage or whatever, that thing that displayed a banner ad and paid you some fractional penny per minute that your mouse was moving? There were applications to jiggle your mouse while you were away, or even to hide the ad-bar.

Why would this be any different? Drain $1/hr from the pockets of the spammers, but use a crack that sends all the spam either to their joespam@spamco.com address or to /dev/null.

Scam them, my fellows. Scam them hard. If anyone deserves it, it's the spammers.

--grendel drago

Re:SCAM THEM!

[jayayeem]

Sure, run it in virtual machine, and set up a firewall so that only packets going back to the spammer can get out. They see all their status information, nothing goes out to the world at large.

Maybe? worth a try.

Re:SCAM THEM!

[agentZ]

Of course, signing up with them will also guarentee you a lifetime's worth of spam. Check out this from their "Privacy Policy"

Upon registration our members are required to provide full name, postal address, e-mail address.... Email address is required to provide user login and/or value-added services. In addition, we require user-specific information such as interests, gender, age, household income, and education, which is used to build member profiles that are used for the purposes of targeted advertising and benefit distribution.
Sendmails Corporation will not share, sell, trade, or give away personally identifiable member information to third parties without members' explicit permission. Upon registration, all users grant to Sendmails Corporation their explicit permission (1) to contact them with important information about members' accounts and updates to our services, policies and business practices, and (2) to share members' information with third parties. The users have the option to choose not to be contacted or their information shared by terminating their account.

Re:SCAM THEM!

[tribulation2004]

I'm sure that the lists of e-mail addresses that they send you will include a few dummy accounts that will be checked to ensure that the spam is actually flowing, make the /dev/null approach useless.

Don't try to cheat the cheats, ignore them, sue them, do anything except sink to their level. Dishonest people are always going to be better at scamming honest people than vice-versa.

Chances are pretty good that the average cable-modem user will have their account shut down after about 10-12 hours of spamming. So you lose your internet connection for $4-5 (assuming mr. spamking is honest and sends you the check), how is this a good thing?

Re:SCAM THEM!

[maxwell+demon]

They just need a test account from any freemailer. This way you'd not be able to distinguish test address and innocent target.

Re:SCAM THEM!

Or, you could just get out the 300 baud modem... and don't forget to have an iso downloading at higher priority.

Re:SCAM THEM!

[darien]

I think this is hilarious!

Sendmails Corporation will not share, sell, trade, or give away personally identifiable member information to third parties without members' explicit permission. Upon registration, all users grant to Sendmails Corporation their explicit permission ... to share members' information with third parties.

Here's some more free advertising..

Including their phone number and mailing address:

Sendmails Corporation
P.O. Box 195
Manchester, NH 03105
TEL: 603.622.6999
FAX: 603.624.9089


Of course what you choose to do with that information is up to you...

Re:Here's some more free advertising..

[DJStealth]

How about their e-mail address? :)

Re:Here's some more free advertising..

[voidptr]

Am I the only person thinking that the real Sendmail guys may be interested in these crooks? I'm pretty sure Sendmails and Sendmail are close enough for a trademark infringement.

Arrest Them!

[Nuclear+Elephant]

Wouldn't this make people accessories to the crime of sending email?

Re:Arrest Them!

[Nuclear+Elephant]

...or rather sending spam (not email). d'oh.

short career

[spectrokid]

You can bet that when your PC is on every blacklist on this planet, your employer will look for another sucker. It is at this point your friends start telling you they never received that mail you sent them...

Re:short career

[Czmyt]

This is not going to stop your friends from receiving your e-mail unless you are running your own e-mail server. Most people send their outgoing e-mail to their ISP's e-mail server, but this program will likely run its own SMTP server. You're Internet connection's IP address will be blocklisted, but this should not affect your ISP's e-mail server.

Hmm....

[mindhaze]

It would be interesting to see if you could setup a system where all the emails didn't actually go out. You'd be reaping money from this company, and preventing spam at the same time! How could would that be.

This would be ESPECIALLY good on those ISPs that block port 25... again, you get money, no spam gets sent! :)

Re:Hmm....

[mindhaze]

How COOL would that be... not 'could'. :)

Hungry People.

[Grey+Ninja]

This summer I was living on about 5 bags of ramen a day, and was in danger of losing a place to live. About all I had to my name was my PC, and a free internet connection.

As much as I hate spam, if I was ever in the same situation again, I would sign up for this in a heartbeat. $720 per month is more than I would make with a legitimate part time job (considering that I am a student, making Canadian money). Spam isn't going away, and I would be more than willing to run the risk of losing friends, and making enemies of perfect strangers if it meant putting food on my table, and giving me a roof to live under.

At the moment however, I am doing fine, and in spite of the nice things I could buy with $1000 a month, I will not be signing up for this, as I value my principles more than material goods.

Just something to keep in mind before slamming people who give CPU time to this cause.

Re:Hungry People.

[gcaseye6677]

Good thing you didn't go for something like this. All it would do is leave you broke and without an internet connection, after it was shut off for spamming. And as other people have pointed out, its unlikely that you would have gotten paid. I'm sure the agreement has enough technicalities in it to let the company use almost any excuse not to pay you. Its unfortunate that sleazy companies do tend to prey on those who don't have a lot, since they tend to be the most desperate for any offer of money, no matter how unlikely it really is.

Re:Hungry People.

[Vengeance]

No, you might THINK you'd get 720 bucks a month, but that could only happen if you had such a fast network connection that there was literally no lag between sent messages. In addition, you would have to have your machine entirely (100%) cpu-bound, and thus it would have no spare cycles available for you to use for little things like, I dunno, running a web browser or something.

If you take a look at how much time your CPU would realistically spend actually formatting and sending emails, you'd be REALLY lucky to pull even 5% of that $720.

Re:Hungry People.

[schon]

all I had to my name was my PC, and a free internet connection.[...] if I was ever in the same situation again, I would sign up for this in a heartbeat

And you'd deserve everything you got - like having your internet account terminated, and not getting any money.

Remember rule #1: SPAMMERS LIE.

These are people who have no problem with stealing from people. You really think that they'd pay you?

Spammers are con men who prey on stupid people. I'm guessing they're counting on people like you.

I value my principles more than material goods

Didn't you just finish saying the exact opposite?

Re:Hungry People.

[Grey+Ninja]

Yeah, the thought had crossed my mind as well. I am always suspicious of easy money like that, but I would at least give it a try, if it meant a chance of getting some food.

Re:Hungry People.

> As much as I hate spam, if I was ever in the same situation again, I would sign up for this in a heartbeat.

And lose your account in a heartbeat. Gee what a great idea...

Re:Hungry People.

[Sethseekstruth]

Hello. Please contact me and I'll tell you how to make ablut $400 a month with out spaming people. I do it now as a hobbie.

Re:Hungry People.

[banzai75]

Yes, but imagine all the Ramen you could buy with $144!! I think that might be a whole wharehouse worth of noodles....

Re:Hungry People.

Amway, right?

No, wait, don't tell me... Prostitution? Mugging? Selling organs for medical experiments? Yeah, that's it, isn't it?

Re:Hungry People.

[Sethseekstruth]

None of the above, but keep guessing.

Re:Hungry People.

[pointbeing]

I have three SMP machines at home.

Their TOS says one CPU per household and if a machine logs more than 24 CPU hours in a day they shut you off.

Not that I'd be interested in this, but it is kinda nice to daydream ;-)

Once again, missing the obvious!

[wowbagger]

Folks, they are paying PER CPU hour, not per wallclock hour.

Since in almost every case you will be I/O bound, while this thing may tie up your entire connection it will not run more than a couple of CPU minutes per wallclock hour.

Thus the spammers screw the people doing this - they think they are going to get 24*7 = $168 a week, but they really are going to get about 24*7*.1 = $16.8 a week. Then they will get nothing because their account was terminated.

HOWEVER, this gives us a GREAT way to screw the spammers - run this sucker on an UNDERCLOCKED machine.

WAYYYYYY underclocked.

Like about 100 kHz.

That way, even with a modem the program will be CPU bound.

Re:Once again, missing the obvious!

[City+Jim+3000]

MOD PARENT UP! I'm setting up a VIC-20 spam network NOW!

Re:Once again, missing the obvious!

[Lehk228]

how about 10000 virtual 100khz CPU's, use up 1 ghz(+ overhead est 1.5ghz) worth of cycles and therefore making 10,000/hour, run it for three hours a day once a week.

Re:Once again, missing the obvious!

It's probably not even minutes per hour. It's probably more like seconds. The spamming process itself will barely do anything. If it uses something such as Outlook Express as its interface to e-mail, the spam process itself will only make one call per message. Since sending that one message to thousands or millions of people will take a matter of minutes to actually send, you're looking at bare seconds of CPU time per clock hour. Not a good deal at all.

Now if they paid for your bandwidth, it might be a good deal. If it wasn't for the inevitable shut-off from your ISP.

Re:Once again, missing the obvious!

[downix]

Wow, a new use for those 386's I have in the closet......

Re:Once again, missing the obvious!

Just nest it inside of bochs (on a 386), and claim the 100% cpu time for the bochs process. Oh, and don't forget to give it a really slow network connection.

Re:Once again, missing the obvious!

[Rhys]

1) Buy a bunch of Atari 800s
2) Connect to internet
3) Spam for $1/CPU hour
4) Profit!

Alternatly, just run about 10000 copies of UML on one P200. You'll need to tank it up on memory tho.

Re:Once again, missing the obvious!

[Pegasus]

Hey wait, 386 is waay to fast for this ... Lets think about those commodore 128 with whatwasitcalledagain version of linux ... but ... ummm ... those would still be too fast. What about pocket calculators?

Re:Once again, missing the obvious!

[imr]

No, YOU missed the OBVIOUS:
they are SPAMMERS, they won't pay, EVER.

Re:Once again, missing the obvious!

[STrinity]

No, YOU missed the OBVIOUS: they are SPAMMERS, they won't pay, EVER.

They can't be bargained with. They can't be reasoned with. They don't feel pity, or remorse, or the caress of a woman. And they absolutely will not pay, ever, until you are dead.

Re:Once again, missing the obvious!

[alonsoac]

it wouldn't make sense for them not to pay. They could run away with your last payment but if they want to have a long term spamming business they would have to pay regularly and even build a good reputation of timley payment. This is just like running an affiliate program, you can't make money if you screw the affiliates too much.

Re:Once again, missing the obvious!

Nevertheless, they are spammers. Spammers lie. They may pay you for a while if you've got a fast connection and a lazy ISP who doesn't cut you off in a week, but they will do their best to screw you. Hell, they might get a sufficient flow of new idiots signing up that they don't need to pay anyone, ever. (How would they do that? By spamming, of course!)

Re:Once again, missing the obvious!

[Xenophon+Fenderson,]

The way to really defraud this company is reverse engineer the reporting protocol so that it claims utilization when there isn't actually any. Of course, fraud is illegal, so you don't actually want to do this.

Should be easy to fool

It should be easy to fool that tool:

Computer behind a firewall. Firewall redirects all port 25 connections to some other server. This server accepts all mail and dumps it.

24 h sending mail, 24 earning money !

Re:Should be easy to fool

[oolon]

Thats assuming they ever pay you. Perhaps they will offer to do a payment to your CC card or bank account. You really sure they will credit rather that debit it?

James

Re:Should be easy to fool

[74nova]

an AC replied to me above that all theyd have to do is plant a few of their own emails in the list and not pay you if they dont receive anything.

Just out of curiosity

[CGP314]

Just out of curiosity, are there any legitimate companies out there that pay for CPU cycles? I'm sure the hordes of unemployed on slashdot (myself included) would like to know.


-Colin

Re:Just out of curiosity

[zsazsa]

Gomez Peer is a legitimate company that'll pay you for your bandwidth and CPU time. Basically, it checks various websites for reachability/performance. Apparently it's hard to get in, unless you're on their "most wanted" location list.

Re:Just out of curiosity

[shachart]

I'm working on it. No, seriously, I am.

I'm starting a distributed computing start-up that pays internet users for their cycles. And yes, there is a business model.

Interested in joining? Unmangle my slashdot-mangled email address to drop me a line.

Re:Just out of curiosity

[jmays]

tag

Re:Just out of curiosity

[Maestro4k]

• Gomez Peer is a legitimate company that'll pay you for your bandwidth and CPU time. Basically, it checks various websites for reachability/performance. Apparently it's hard to get in, unless you're on their "most wanted" location list.

Actually my experience with them is they're not totally legit. I ended up feeling they were a scam personally, let me tell you what happened so you can make your own judgement.

I signed up for them originally and knew from reading their info it would be about 10 working days before I found out if my pending install would be accepted for pay. Well that never happened. It never changed from pending, and after a month of waiting I decided I wanted my cpu cycles back and uninstalled.

Fast forward a few weeks and I get an E-mail from them saying they need a massive amount of new peers and ANYONE that installs in the next few days will be accepted. I decided to try again and installed their peer client yet again and waited... and waited... and waited.... After another month with no status change I decided that what they were really after was all those "pending" installs. It doesn't use much CPU, but it does use some, and it looks like they're using your computer to do work without accepting you into the program.

From my experience I'd recommend avoiding them like the plague, you can put your CPU cycles to better free use than them, and they don't seem very likely to accept you and pay you.

One final note, the uninstall wasn't a clean one, it's still listed under add/remove programs but as far as I can tell I got rid of it. I had to do a fair bit of manual deleting though.

No Payday

[Mr.+Darl+McBride]

You can bet that you'll never see a dime. Of course they're going to insist that they only send a check once you reach $100 or some number like that. And how many ISPs will tolerate four days of spam complaints? Hint: None of them are in the USA. And if you're not in the USA, ask around and see who's heard of an "international small claims court."

Re:No Payday

[Richardsonke1]

Great point, I didn't even think of it that way. Few people are going to be able to make it to the $50 that is required by their TOS. And on top of that, there's this clause:

In the event of technical problems or data loss which causes a loss of account information, your account will be reset at $0.00, and you hereby waive any and all claims for any amount previously accrued but not yet disbursed.

Right, like anyone's going to be paid.

P.S. Yes, I already posted about this below, but I figured this would be a good place to comment on this point again.

Re:No Payday

[SuperMario666]

You're right - the TOS specifies that you must accrue $50 before payment is sent. I'm guessing either they or your ISP will find a way to boot you before you reach that magic number.

Re:No Payday

[AndroidCat]

You can bet that you'll never see a dime.

Of course, Rule #1. However, you will receive endless amounts of email from people who claim they made a closet-full of money doing this--as well as email of all kinds. (Since the spammer now has your email address, he's certainly going to include it in the next Millions CD of addresses that he/she sells.)

Re:No Payday

Yet again, another troll just proving how dumb the slashdot moderators are. To see how stupid the mods are, just look at the trolls history and their other posts in this same article.

I'm not worried

[misleb]

It doesn't take long to get blacklisted by Spamcop doing this kind of thing. I know my servers are not going to see much SPAM from home cable/DSL users getting paid to relay.

-matthew

Re:I'm not worried

[Czmyt]

dul.dnsbl.sorbs.net is the list to use to block dynamic IP addresses, though I recommend the complete ball of wax at dnsbl.sorbs.net that blocks dynamic IP addresses, open HTTP proxies, other open proxies, open relays, senders to spam traps, etc.

Re:I'm not worried

[Frit+Mock]

Hm ... I think you got that thing with blacklists totaly wrong!

Do you realy think, it is possible to blacklist, all the dynamic IP's dial up users get?

I dial up, spam, and spamcop blacklists, I am automatically disconnected after 24 hours, and reconnect, get a new, fresh I, rince&repeat.

Most homeusers have no fixed IP, that can be blacklisted, think about it!

Spammers want normal users to spam, just for one reason ... circumvent blacklists!

Re:I'm not worried

[misleb]

Do you realy think, it is possible to blacklist, all the dynamic IP's dial up users get?

For the most part, yes. You can subscribe to blacklists that already include the dynamic ranges for major residential broadband providers.

I dial up, spam, and spamcop blacklists, I am automatically disconnected after 24 hours, and reconnect, get a new, fresh I, rince&repeat.

Dialup??? You're not going to get much spamming done through a dialup connection. Besides, it wouldn't really be worth the effort (and potentially the cost) of staying dialed up 24/7, hanging up, and dialing again. Are you going to simply stop using the internet just so you can make $10/week sending spam? Yeah, I said $10 per week. You don't think they'd actually pay $1 per HOUR, do you? If you read it carefully, they say "CPU hour" which probably translates to a certain number of spams. In the case of dialup, it'll take many real hours to equal one "CPU hour."

Most homeusers have no fixed IP, that can be blacklisted, think about it!

DSL and cable dynamic IPs tend to stay pretty constant when you comptuter is on 24/7.. ESPECIALLY if you have a broadband router.

Also, ISPs are getting wise to residential spamming. An ISP will disconnect you if they catch you repeatedly sending spam.

Spammers want normal users to spam, just for one reason ... circumvent blacklists!

Sure, but it isn't sustainable. The net effect of this practice is to cheat a few greedy users out of an internet connection and CPU cycles for a couple bucks a week. It is a sign that spammers are getting desparate.

Anyway, as I said, my servers are not likely to catch much of the resulting spam. So I am not worried.

-matthew

Re:I'm not worried

[Frit+Mock]

Mhm ... may I lack some english speaking skill. ;)

Hm ... I still dial up with my DSL connection! ;)

"You're not going to get much spamming done through a dialup connection"

Hm ... spamm-mails are not that huge ... I think I still transmitt about 4 spam-mails per second over a 56k dial up connection. That would be about 350.000 mails per day.

That's enough to send every single person (with an internetconnection) in the whole world a email in less than a year ... ;)

You mentioned costs? What costs' The cost for a dial-up line? ... puh man, it takes me a few seconds to tap a line ... the ones of public telephones can be tapped in less than 10 seconds, but the ones in the basements of a large apartment houses I would prefere for that kind of work ;)

"Also, ISPs are getting wise to residential spamming. An ISP will disconnect you if they catch you repeatedly sending spam."

I am not sure, if you lack deep knowledge how a a "virtual MDA" works or if you lack knowledge what possibilities ISP have, to detect spam. (No offense!)
Either an ISP catch me sending spam over their smtp-servers or they trace the my packets sent on transport layers. The first is circumvented with a virtual MDA, the second is technically nearly impossible for ISP's.

Anyway it is a good idea, to use a dial up connection on a tapped line, send out 666 mails, disconnect and dial in again, maybe even to a different ISP ...

Ok, that's everything, a spammer can already do on his own and probably they already do this or similar things ... and these methodes work fine!
However, it is much easier and probably more efficent to hire people from all over the world. Spammers don't have to care for "new and clean" IP'S, they do no more have to care about beeing detected, because a ferw stupid people (and there are realy many of them around) just try it out.

If there are just a few spammers (maybe a hundred or two) in the world and they can flood the whole net with spams, what will happen if they find some more idiots to spam around, for a few $ ??

If only 0.0001% of all users on the internet try to earn some extra $ with that virtual MDA per day, then you have about a 1000 new spammers per day ... (if I remember the number of internetusers correctly.)

But you feel save, cause you have blacklisted all dynamic IP's ... what a foolish aproach ...

It is not to difficult to spoof information in an email! Exactly that's what a _virtual MDA_ does ... it is a _virtual mail transport agent_, because it mimics a _real mail transpüort agent_!
All information you find in emails, sent by such a program looks like it was sent by a real (and not blöacklisted!) mail transport agent!
(If the program is very clever, it even spoofs the IP packets sent out and there is nothing left, to differ between a real and a spoofed mail, not even on lower transport layers!)

You can blacklist the whole dynamic IP adressrange, but your mail-servers won't "see" any of these IP's, because the whoile mail (if not even the whole transport) contains false (the virtual) IP's.

You receive mail from aomeone@aol.com and belive AOL is doing a good job in preventing spam, so you do not blacklist aol.com, but actually not even one byte of that mail ever passed any system that belongs to aol ... you are perfectly fooled, buy some fools that just want to earn some extra bucks.

Don't worry, be happy ...

Re:I'm not worried

[Frit+Mock]

Oh, I forgot something ... it does not matter, if anyone is ever paid, the promise to get paid is enough to catch the fools running that virtual MDA fore some hours.

And I forgot another point ... once that virtual MDA is capable to construct the information of the real MDA it mimics, from information collected on the client it runs, it's getting worse. It could, similar to Loveletter, scan the outlook adressbook for adresses, but not to send spam to this adress, but to use it as sender of the mail.

There is absolutly no limitation what a virtual MDA can do ...

Re:I'm not worried

[TheRaven64]

Why not subscribe to it yourself? You get an advanced preview copy of the spam this particular spammer is sending, and you can feed that into your servers' spam filters. Even if you don't get any money (well, it's hardly likely you will if you're not actually sending the emails out), it may still be worth.

Re:I'm not worried

[misleb]

Hm ... spamm-mails are not that huge ... I think I still transmitt about 4 spam-mails per second over a 56k dial up connection. That would be about 350.000 mails per day.

You would give up use of the internet for such a small amount of money? You do understand that it is $1 per "CPU hour"... not "clock hour," don't ou? It would take you days to make a single dollar off of one dialup connection.

You mentioned costs? What costs' The cost for a dial-up line? ... puh man, it takes me a few seconds to tap a line ... the ones of public telephones can be tapped in less than 10 seconds, but the ones in the basements of a large apartment houses I would prefere for that kind of work ;)

No only are you goign to waste your time for such a small amount of money but you would risk going to jail? Now that is foolish.

I am not sure, if you lack deep knowledge how a a "virtual MDA" works or if you lack knowledge what possibilities ISP have, to detect spam. (No offense!) Either an ISP catch me sending spam over their smtp-servers or they trace the my packets sent on transport layers. The first is circumvented with a virtual MDA, the second is technically nearly impossible for ISP's.

Sorry, but I work for an ISP. We dont' have to trace packets. We get emails from Spamcop when anyone on our IP range is sending spam. We find out about it within hours. Given an IP address, we can track down the user in seconds. We diconnect users who are infected with virtual MDAs all the time. We dont' usually cancel their service because they are generally not aware that their PC is sending spam. They are not allowed back on the internet until they fix the problem.

Anyway it is a good idea, to use a dial up connection on a tapped line, send out 666 mails, disconnect and dial in again, maybe even to a different ISP ...

No, it is a waste of time.

It is not to difficult to spoof information in an email! Exactly that's what a _virtual MDA_ does ... it is a _virtual mail transport agent_, because it mimics a _real mail transpüort agent_! All information you find in emails, sent by such a program looks like it was sent by a real (and not blöacklisted!) mail transport agent!

No amount of SMTP spoofing can change the IP address that is connecting to my mail server. As long as that is blocked (and it will be if not by a global blacklist on all dialup IPs then by Spamcop), I don't get the spam.

(If the program is very clever, it even spoofs the IP packets sent out and there is nothing left, to differ between a real and a spoofed mail, not even on lower transport layers!)

Theoretically possible, but not practical. Spoofing a TCP connection is very difficult and requires knowledge of the OS on the other end. It is difficult to maintain because you have to guess the right TCP sequence numbers. Also, you would never know if the spam was successfully sent because you can only send data on a spoofed connection, you can't receive.

You can blacklist the whole dynamic IP adressrange, but your mail-servers won't "see" any of these IP's, because the whoile mail (if not even the whole transport) contains false (the virtual) IP's.

The blacklist doesn't use any address inside the message. It uses the IP of the connecting MTA. That can't be spoofed as a general rule.

You receive mail from aomeone@aol.com and belive AOL is doing a good job in preventing spam, so you do not blacklist aol.com, but actually not even one byte of that mail ever passed any system that belongs to aol ... you are perfectly fooled, buy some fools that just want to earn some extra bucks.

Actually, our servers verify that email claiming to be from an AOL user is actually coming from an AOL server. We do the same thing for Yahoo email and some other domains.

All this combined with decent Bayesian filtering and I hardly ever see a piece of spam in my inbox anymore. As far as I am concerned, the spammers have lost. This latest story about spammers paying users is nothing more than a desparate act of a dying breed.

-matthew

Re:I'm not worried

[misleb]

Why not subscribe to it yourself? You get an advanced preview copy of the spam this particular spammer is sending, and you can feed that into your servers' spam filters. Even if you don't get any money (well, it's hardly likely you will if you're not actually sending the emails out), it may still be worth.

Why? I've already solved the spam problem on my end. Between RBLs and Bayesian filtering, i hardly get any spam in my inbox. The last thing I need is more spam to train my filter.

-matthew

Spam blockers

[fatwreckfan]

This is going to cause havok for every person that runs their own safe smtp server at home (like I do).

There's already some email services that use spam blockers that will not accept mail sent from IP addresses which are known to be DHCP blocks for large ISPs, since they just assume that such traffic is either virus or spam related, but it's a bitch for me. Now that any Joe Schmoe can run this crap, I can see far more spam blocking services go the same way, and I'll be stuck using my ISPs notoriously unreliable smtp server again.

Re:Spam blockers

[Yottabyte84]

I feel your pain. It's a that users with dynamic ip addresses are being treated as colateral damage like this. Even if you get a static IP with a large ISP, you STILL may be on blacklists because you have a 'residential' connection, never mind that buisnesses often use DSL.

bust the senders

I think we need to bust the people whose machines are sending spam. Some may say that it's cruel, but i think it's the only way to get people to be responsible.

People will claim that they got a virus, but they're still negligent. If you get paid for it, that pretty much blows out that excuse.

Profit

[tcdk]

1. Install on all computers at work.
2. Quit.
3. Profit.

(not that it should take a new sysadm long to notice...)

Re:Profit

[tunabomber]

Unfortunately, I think the more likely approach would be:

1. Write virus, with Virtual MDA as its payload.
2. Release it into the wild, infect 5000 computers.
3. Profit!

Re:Profit

[74nova]

this is your boss. you're fired, go home now.

Re:Profit

[tcdk]

this is your boss. you're fired, go home now.

Totally unrelated (I promise!), but I actually quit my job two weeks ago. And I am at home.

The first thing I did was to get the sysAdm to change all root passwords and remove my admin rights.

TOS?

[Richardsonke1]

First of all, does this mean that the mail is sent through your own mail server? If so, that's a major TOS violation for most ISPs. If your computer is going to be its own mailserver, that may not work either, because of the number of ISPs now blocking outbout mail servers on their networks.

Secondly, check out their own TOS. For example, this line:

"In the event of technical problems or data loss which causes a loss of account information, your account will be reset at $0.00, and you hereby waive any and all claims for any amount previously accrued but not yet disbursed."

So, not only are you helping spammers, but if they "accidentally" drop that table in their database, they don't have to pay you a thing. Sounds like a really good scam to me. I should go buy a house and put in the contract that if I forget to pay, the house is free for me to keep and the loan is forgiven.

Re:TOS?

> So, not only are you helping spammers, but if they "accidentally" drop that table in their database, they don't have to pay you a thing. Sounds like a really good scam to me.

Folks, this is Atriks we're talking about. They've pulled every lying spammer scam in the book, and written a few new ones in the book. They're not going to pay a dime.

And no one will go for this either, especially once ISP's start yanking their access.

Trust Atriks. What a laugh.

Use the VMDA as an input to spam filtering

[InsomniaCity]

This could be coupled with upstream filtering, and used to collect hashes of known spam in order to block spam all over the world.

How about getting paid $1/hour to help STOP spam ??

This sounds like a great idea for an open source project!

College students

[Sefert]

This is going to be extremely appealing as easy money for college students who often have broadband connections and very little extra cash. This amount of money goes a long way. The smarter ones will even figure out a way to throttle the connection so they don't catch hell from their ISP for bandwidth usage. This is extra appealing to people in countries outside of the U.S. where the U.S. dollar has more buying power. Add 25% alone in value for us Canadians. I expect to see widespread adoption. Most importantly, this will really make the use of blacklists irrelevant as I expect these machines will act as their own SMTP servers.

A Solution to this Problem

[millahtime]

A solution to this might be to block mail from mail servers with residential cable and DSL IPs. Many ISPs are already doing this.

Scam the spammers

[neosake]

How about allowing them to use your computer for 1$ an hour, but blocking outgoing connections on port 25 (smtp)?

Re:Scam the spammers

[InsomniaCity]

That won't work because they will no doubt include email addresses which they use to check you are sending the spam.

Not so free...

[blorg]

...when their internet connection gets pulled. Which would probably happen within the first week.

Re:Not so free...

For life, I hope. Sweet.

Re:Not so free...

[Mattintosh]

A few boxen on the party-end of a T1 would be $8k/yr. each, and I doubt anyone would yank your line. Only morons that try this stunt on a home DSL connection would get cut off. With the extra $$$ flowing in (a T1 costs about $500/mo around these parts), you could buy another T1 and some nice gear. Maybe even a $1m house.

You'd still be evil, though. It's so hard to wash away the stains spam leaves on your hands.

Re:Not so free...

[Chiasmus_]

A few boxen on the party-end of a T1 would be $8k/yr. each

Well, the fact that a company would happily pay you $1 an hour to send spam over an ADSL is strong evidence that, if you were delivering spam from eight machines hooked up to a T1, you could be making far, far more than $8 an hour.

I mean, if you want to be evil, why pay most of your profit to a middleman?

Re:Not so free...

The same's true if you're working for many large companies.

The fact that you're employer will pay you $8/hour (for those of you who are employed) means you could be making more on your own.

The reason to work with the spam company on this is the same reason to work for the company you're working for now -- they deal with the sales stuff which is harder than just the IT work of running a computer.

Re:Not so free...

[Chiasmus_]

The fact that you're employer will pay you $8/hour (for those of you who are employed) means you could be making more on your own.

Well, sure, if you own the means of production, like, for example, an enormous aluminum smelting plant, or a medical degree.

Now, I'll grant that sales stuff is part of the total picture - but if you have a T1 and eight machines hooked up to it, and you want to dedicate them to spam, you really do have the bulk of the means of production at your command. Getting paid a buck an hour to do another company's spam seems a little like getting paid $6.50 an hour to do open heart surgery because, hey, the boss owns the building and knows a lot of people with bad hearts.

It seems self-evident to me that there are about five hundred thousand companies dedicated to selling "herb@l VI@G Ra" - how hard can it really be to land a contract with one of them? :)

Re:Not so free...

[geminidomino]

And then the same evil assholes with the T1's would run to /. and all the other quasi-news sites shouting "$BLOCKLIST is evil! Frea Speach! Communist! Spam Nazi! Terrorism!" when they're email is blocked to hell and back.

There is potential here for good use

[HullBreach]

Think about this: I offer you a free broadband connection on a couple of terms: #1: you must leave your computer on at all times, and #2: You must install and leave installed my special little distributed computing applet. When your machine is idle, it would connect to my servers and become a node in a massive cluster. I could then sell time on this cluster to companies and individuals with needs for extreme processing power. Interesting idea, no?

Why not broadcast the spam instead?

[horza]

Pipe it through to Spam Radio so we can all enjoy it!

Phillip.

It isn't $1/hour

[Moderation+abuser]

It's $1/CPU hour. If your CPU was running at 100% for an hour you'd get $1/hr. For server based operation like an email relay, the CPU will sit almost completely idle waiting on the network and waiting on the disk. So it's going to take a lot longer than an hour to get your $1.

Alternatively. Get your shitest old 386 and shitest pre-IDE hard disks and watch the CPU spend ages sucking data from here and there.

Re:It isn't $1/hour

[WormholeFiend]

"Alternatively. Get your shitest old 386 and shitest pre-IDE hard disks and watch the CPU spend ages sucking data from here and there"

better yet, I still have an old Tandy 1000 and an acoustic modem!

Paid by the hour, eh?

[CrazySailor]

I'll install their client on a Sinclair Z-80 operating over a 110 bps teletype line and make out like a bandit!

$1/CPU hour? Sure!

[Warpedcow]

Virtual MDA will pay you $1 per CPU hour their program is running to relay spam around the world.

Sure I'll run it. I'll also setup a firewall so that this program can't send any actual data. After all, you're getting paid per CPU hour and not per email actually sent. Who cares if the program sits there and spins the cpu trying to send and resend it's first email message? Sounds like easy money to me! ;)

You'll never get paid

[Bitmanhome]

Site's down, so I can't verify, but $1 per CPU hour means you'll get no money, as e-mail is all I/O. At best, you likely won't get more than a couple dollars a month.

Re:You'll never get paid

What you actually need:
1. A lot of very slow virtual computers.
2. Each computer keeps spam on a RAM drive so I/O is not an issue.
3. Very nice firewall to block outgoing spam.

Alternative solution:
Reverse engineer spam tool and just send stats that your gazilion servers used multi gazilion CPU/hours to send their precious junk.

And don't forget their WHOIS Info:

Atriks, LLC
55 Bridge Street
Manchester, NH 03101-1188
US

Administrative Contact:
Host Master hostmaster@atriks.com
Atriks, LLC
55 Bridge Street
Manchester, NH 03101-1188
US
Phone: 603-624-7008
Fax: 603-624-9089

Technical Contact:
Host Master hostmaster@atriks.com
Atriks, LLC
55 Bridge Street
Manchester, NH 03101-1188
US
Phone: 603-624-7008
Fax: 603-624-9089

Re:And don't forget their WHOIS Info:

[sndtech]

I live just up ther road from them if anyone wants me to go pay a visit in person just reply.

Re:And don't forget their WHOIS Info:

Say hello. And please, show them they are welcome in the neighborhood... bring them a few dozen eggs.

Re:And don't forget their WHOIS Info:

How long till someone makes a hacked client that also sends all the spam to their domain as well.

no outbound connections?

[Capt_Troy]

Someone needs to set up a huge server room that accepts only incoming packets so the spammers can seed the servers. Then no spam is sent out, but you still get paid. Make spam more costly that the revenue it generates... (Yea I know server rooms are expensive... just a thought)

Re:no outbound connections?

[AnotherBlackHat]

Someone needs to set up a huge server room that accepts only incoming packets so the spammers can seed the servers.

mailsiphon.com

--this is not a .sig

Not a bad pay rate...

[akaina]

... considering the value of a dollar in some countries. I guess this program's demographic includes any computer up to spec in 3rd world countries.

Hey, all the more reason to go to war with them!!!

Re:Not a bad pay rate...

[akaina]

(looks around & laughs nervously)
right guys?!

(cricket cricket)

Re:Not a bad pay rate...

[mritunjai]

considering the value of a dollar in some countries. I guess this program's demographic includes any computer up to spec in 3rd world

Yeah Riiight... and in 3rd world countries exactly how many can afford to pay for broadband ? A housewife with 56k dialup that *usually* does

Their targets are gullible 1st world households... the normal kinda who fall for gator et al

For the record, I'm a software dev (ugh) from India... work for No. 2 software firm in world and spend quite a lotof chunk of my paycheck in 512/512 w 300MB cap ADSL line.

Aw crap... end run around RBLs?

[weslocke]

This is actually a heckuva way for the spammers to get around RBLs such as the ones used by Razor for blocking high spam domains. Now instead there will be god knows how many spammers coming from more trustworthy domains such as att.net, comcast.net, msn.com, etc. Granted each person may be only able to do 100 or so a day before tripping their ISP mail server off, but if a few thousand people are doing it... sheesh...

And I just installed SpamAssassin/Amavisd-New/Razor/etc, then they go and do this.

Could've fought back, but you just helped them

[Ridgelift]

At Sendmails Corporation, we move the data that drives the Internet, delivering millions of emails daily for a large number of Small business and Fortune 1000 corporations. When you don't need your computers, we do. And, we're willing to pay you for them.

Way to go, guys. You just informed about 2 million readers about a way to make easy money. Even if a very small percentage of /. readers decide to run the client, I'm sure VirtualMDA will look back on this date favourably as the day their company soared to new heights.

Sometimes the way to fight people is to ignore them; you chose to give them front page exposure on the most read tech news site in the world. I'm sure there's a lot of handshaking and celebration in the VirtualMDA offices this morning. Maybe other companies will try and get a 'negative' story published on Slashdot as the way to grow their business.

Marketing Mantra: "There's no such thing as bad publicity"

What about CPU/internet speed?

[blorg]

Surely someone with a fast CPU on a fast connection is worth more per "CPU hour" than someone with a 486 on dialup? Disclaimer: I didn't read the site; it's now slashdotted and it's not in the Google cache.

Re:What about CPU/internet speed?

[stilwebm]

Surely someone with a fast CPU on a fast connection is worth more per "CPU hour" than someone with a 486 on dialup?

The program probably is limited by IO, so the process sleeps once the outbound mail queue fills up. Translation: if you can only send 100 mails per hour on a Pentium 200 because of your bandwith limitation, the process will use just as much CPU as if the Pentium 200 were sending 100 emails in a few seconds over a 1.5Mbps link. However, you're right that an hour of CPU time on a 486 is worth much less than an hour of CPU time on an Athlon FX-53.

Re:What about CPU/internet speed?

However, you're right that an hour of CPU time on a 486 is worth much less than an hour of CPU time on an Athlon FX-53.

Now, lets see if this runs on my Z-80...

Don't get too excited

[Welsh+Dwarf]

I hate to blow some people expectations here, but these are _cpu_ hours we're talking about.

Let me demonstrate: here's a section from my ps -ax:

PID TTY STAT TIME COMMAND
1 ? S 0:05 init [4]

and here's my uptime:
16:45:07 up 4:31, 4 users, load average: 0.09, 0.34, 0.34

(yes I turn my PC off at night, so what...).

To sum it up, init has been running for 4 hours 30 minutes, but only has 5 cpu seconds on the clock. This is an extreme example, X on my laptop has used 15 mins on 2:30 hours uptime, but it get's the point across.

Sending out spam is bandwidth limited, not cpu limited (unless you run this on a 486 over a T1), therefor, you are going to be hammering your connection, whilst only using a small percentage of your cpu, and only earning mabey 2-3 dollars a night (and I'm being optimistic there, it could be a lot less).

So in short, this will work until people realise that there being had, and then it'll just disappear into the mist.

Nice try, but zombies are more effective...

Re:Don't get too excited

[kryps]

Let me demonstrate: here's a section from my ps -ax:

PID TTY STAT TIME COMMAND
1 ? S 0:05 init [4]

This is not even close to the actual CPU time your machine spent. You need ps -aSx to account for processes which have terminated.

-- kryps

Re:Don't get too excited

[Welsh+Dwarf]

david@Betelgieuse:~$ ps -aSx
PID TTY STAT TIME COMMAND
1 ? S 32:49 init [4]

Thanks for the info :) doesn't change my point though, this is decidly unprofitable for the poor fools who sign up...

Re:Don't get too excited

[b0rken]

Linux's /proc/uptime reports the total time since reboot, and the total idle time.
This machine is a development machine for an engineering package, and is also part of the distcc pool for compiles:
10:45:11 up 44 days, 2:30, 36 users, load average: 0.48, 0.49, 0.37
3810603.88 3635816.47

This is a dual-CPU machine which serves NFS and is the master in compiles:
10:46:01 up 89 days, 1:48, 2 users, load average: 5.81, 4.78, 3.66
7696130.58 7245888.15

That's 4.6% and 5.9% CPU usage in both cases.

CPU time to send 10 megs across 100mbps ethernet using rsh: 0.020s user, 0.040s sys

Saturating a pathetic 1 or 2 mbps of outgoing bandwidth shouldn't take much CPU time, surely well less than 1% of a GHz CPU.

Re:Don't get too excited

[benja]

Sending out spam is bandwidth limited, not cpu limited (unless you run this on a 486 over a T1), therefor, you are going to be hammering your connection, whilst only using a small percentage of your cpu, and only earning mabey 2-3 dollars a night (and I'm being optimistic there, it could be a lot less).

That's why you want to take care to route most IPs that their program is talking to to the loopback device. (The one that contacts their billing machine is exempted, of course.)

Re:Don't get too excited

[Sn_wC_t]

If you could somehow sandbox an instance of this app, sectioning off power from the CPU and making the app think thats all the CPU its going to get out of one CPU hour, you could have maybe 5-10 instances all cranking out these CPU hours. Do you think I might get a reasonable dollar for selling my soul to the devil? I have two computers already, maybe getting a third.

Converting your PC into a Spam-box - your morals

Giving the spammers a competitive edge - your soul

Making a few bucks per day - Priceless

Re:Don't get too excited

[thinkninja]

Eh.

ninja@fire:~> ps V ; ps aSx | sort -n -r -k 4,4 | head ; uptime
procps version 3.2.1
1 ? S 9297:08 init [2]
30693 ? S 4476:58 xscreensaver [snip]
30584 ? SL 1192:31 /usr/X11R6/bin/X [snip]
30721 ? Ss 133:09 python /usr/bin/gdesklets [snip]
2244 pts/9 Rs 112:30 /bin/bash
31683 pts/15 Ss 42:09 /bin/bash
735 ? Ss 30:17 /usr/sbin/cron
15394 ? S< 26:46 [khcfpcimodemd]
1015 ? Ss 19:26 SCREEN -S torrents
1503 pts/8 Ss+ 16:07 /bin/bash
19:16:09 up 19 days, 43 min, 12 users, load average: 0.16, 0.30, 0.32

Which I think just goes to show that...my ps is fucked up (or I fucked it up). Beyond that, however, it illustrates that these things aren't always accurate, their data can become corrupt or be manipulated.

Some people scam reporting data on projects like SETI to bolster their stats, and there's not even a financial incentive! If this is a legitimate scheme, I can only imagine the number of bogus claimants against spammers. I would cheat these people without compunction, what with the amount of my time/bandwidth/resources they've wasted over the last decade.

The Lighter Side

[MrNonchalant]

There will be plenty of anti-spam tirades and jokes, so I will not bother duplicating that effort. However this is the first instance I've heard of commercial distributed computing (I'm sure there are others). If this trend continues, and I have faith that it will, some very cool sh!te could be in our future. I for one would welcome $1 dollar a processor hour for something not connected to penis enlargement and illegal nigerian money transfers. Though I have to wonder if eventually the computers will unionize and demand a higher hourly wage.

Re:The Lighter Side

[Frit+Mock]

That won't ever happen, there is not realy a reason for it ... except for such things like spam!

A computer is not that expensive. If someone is in need of computing power, it is cheaper to buy the computer than to "hire" that computation-power. And if it is not cheaper to buy your own computers (and bandwidth and ...), one can rent it from professional centers, that have computation-power, bandwidth (and everything else that normal users could provide in "small units".)

Actually, the smaller the units you want to rent get, the higher your costs for all the accounting and financial-transactions get. That's the reason why huge-centers (not only with computing, with _everything_ else) work more efficent than small ones.

The only thing, that normal users could offer are their IP's ... the spammers do not want to rent your computational-power, neither your bandwith, they want to hire your IP-adresses ... that's what they want to spend money on!

Your check is in the mail.

Riiiiiight! We'll pay you, sure. Your check is in the mail.

Pay people to find spammers

[bersl2]

and beat the crap out of them.

That will end the spamming quickly.

Re:Pay people to find spammers

I'd happily pay more than $1 an hour for the chance to legally beat up some spammers. It's the "legally" that's the main stumbling block - a prison sentance for GBH is more than I'm prepared to pay.

MOD PARENT UP

[pjt33]

Insightful.

IP address fun

[Theatetus]

I'm a commercial bulk emailer. We've wanted to do something like this for a while but always got scared off by liability issues.

This is a brilliant solution because the one thing we're always short of (even as legal bulk emailers) is IP blocks that aren't blacklisted (since a lot of the blacklists run simply on volume of email sent or take the word of somebody who's too stupid to remember he actually did sign up for a mailing list). I would assume actual spammers have an even tougher time with their IP addresses. Now they can spam up all the cable ISP's IP blocks, and once a block gets blacklisted they can just switch to a new set of users. Brilliant.

Re:IP address fun

[AKnightCowboy]

Now they can spam up all the cable ISP's IP blocks, and once a block gets blacklisted they can just switch to a new set of users. Brilliant.

Yes, very "brilliant" of them. The only thing this will accomplish is getting port 25/tcp blocked all across the Internet completely whether you're an offender or not. Thanks asshole.

Re:IP address fun

[photon317]

So in other words, you're a spammer in denial, who likes to look down on other spammers and blame your legal and practical problems on those pesky other spammers.

spam is spam is spam, "legal bulk emailer" = we duped some idiot into not unchecking a small box on a form somewhere or duped him nito accidentally clicking yes somewhere he shouldn't have, therefore we're legally ok to spam him with his "consent".

Re:IP address fun

[electrichamster]

"I'm a commercial bulk emailer."

For gods sake, you may as well call yourself a spammer. Thats like calling a binman a "Waste disposal technician".

Re:IP address fun

So in other words, you're a spammer in denial

No. Spammers operate illegal operations. I am a Commercial Bulk Emailer.

Big difference. look it up sometime

Re:IP address fun

[micromoog]

I'm a commercial bulk emailer.

Does telling yourself you're not a spammer make your money seem less dirty?

Re:IP address fun

take the word of somebody who's too stupid to remember he actually did sign up for a mailing list

Signed up as in:

[ ] didn't notice the small "do not send commercial mail to me" tick when registering
[ ] we bught the list from someone who said they where subscribed and opt-in
[ ] our affiliate sent it, honestly not us!

A have little belief in "bulk mailers" left.

Re:IP address fun

[CritterNYC]

I'm a commercial bulk emailer. We've wanted to do something like this for a while but always got scared off by liability issues.

This is a brilliant solution because the one thing we're always short of (even as legal bulk emailers) is IP blocks that aren't blacklisted **SNIP**

Except for the fact that *legitimate* "commercial bulk email" uses confirmed opt-in (note that I didn't say "double opt-in", a term used by spammers to imply that it's somehow extra work), has a simple and effective unsubscribe process, never purchases or rents lists, never assumes permission to do anything (email, phone, physical mail, etc), provides something of real value (weekly commentary newsletter, real sales specials, etc), and doesn't send it out too often. I have colleagues that support companies with thousands subscribed to weekly newsletters and the like (industry commentary, etc) which they send directly from their own mail server and they've never been on an RBL or had a spam complaint.

Re:IP address fun

[Theatetus]

Eh, not really. Most of our mailing lists are for bands that want to get tour info out to their fans and antique stores that want to get their inventory lists out to their customers. If you don't see the difference between sending mail that people actually asked for and sending mail with forged headers about penis enlargement, maybe you need to think about it a little more.

Re:IP address fun

[Steve+B]

If you don't see the difference between sending mail that people actually asked for and sending mail with forged headers about penis enlargement

The obvious difference is that the latter, and only the latter, needs to be sent out under other people's names.

Re:IP address fun

[Theatetus]

and they've never been on an RBL or had a spam complaint.

We've had maybe 10 spam complaints in 5 years, and in all 10 cases we had the date, time, and IP address from which the user signed up for the list. Despite the fact that we can prove when and where they signed up for the list, those complaints + our mail volume is enough to get us blacklisted.

Re:IP address fun

[afidel]

No, if it is not unsolicited then it is not spam by definition. I recieve email from plenty of commercial interests that isn't spam. I get stuff from vendors, trade journals, gaming mags whos site I signed up for, etc. That email has to go out somehow and it's often easier to hand it off to an outside firm with a colo and some beefy email servers to send it out. This has it's benifits (leaves bandwidth free for other things, doesn't delay normal emails, keeps your own IP's from accidently being blacklisted), and its detractions (possibly becoming associated with a real spammer if you don't do proper research, being listed as a spamming organization by clueless idiots who forgot they signed up for your newsletter, updates, etc). Again I will repeat my point, not all bulk email is spam.

Re:IP address fun

[AndroidCat]

And how do you obtain email addresses and the permission to send them email? Hopefully by some confirmed opt-in process and not by buying lists.

Re:IP address fun

[gmby]

Hmmm...
Lets see...
Getting port 25 block accross the internet....
Not a bad idea...
How can we help it along...

After all only a few IP's need port 25...
All others need to be blocked anyway...

Re:IP address fun

[CritterNYC]

We've had maybe 10 spam complaints in 5 years, and in all 10 cases we had the date, time, and IP address from which the user signed up for the list. Despite the fact that we can prove when and where they signed up for the list, those complaints + our mail volume is enough to get us blacklisted.

Are you using confirmed opt-in? I had another prospective client claim they were and that they had the records, even though all they were doing was keeping the date, time and IP of the initial signup without sending a confirmation email requiring a click of a URL with a unique ID in it. It coulda been some random hax0r in a China that signed the email address up in their case.

Re:IP address fun

[Theatetus]

Yeah the email address signing up receives a confirm/deny email with three links: "subscribe", "don't subscribe", and "for God's sake don't ever send me anything from any of your servers ever again" (last two links are also in the footer of all messages we send out). We did once have a problem with a h4x0r (one of our clients at the time) trying to automate hits to the subscribe link but we caught him.

We never could think of a good fix to prevent that. Anybody have any ideas?

Re:IP address fun

Gee, so that dial-up blacklist doesn't do anything?

They're *ALREADY* blacklisted.

Re:IP address fun

Long, random confirmation tokens so that brute force doesn't work. If one not in your database gets hit, consider banning that IP from accepting subscriptions for a time period.

You shouldn't need a "don't subscribe" link in a confirmation e-mail. A simple "don't reply" should be enough.

Include date/time/IP/URL (if applicable) in the mail.

Re:IP address fun

After all only a few IP's need port 25...

And on that note, how about configuring all routers to drop windows traffic using p0f or the like? Works for me, these people didn't need computers anyway.

Re:IP address fun

I disagree with you - I think this is a very stupid idea. It's not only going to get the participants cut off from the internet, but it's also going to be made illegal if it already isn't. Although this activity isn't explicitly covered in the CAN SPAM act, that's not to say the act won't get ammended to prohibit this activity....

But like I keep saying - there's a sucker born every minute...

Re:IP address fun

[nuintari]

I'm a commercial bulk emailer.

If I knew where you lived, I'd set a flaming bag of dogshit on your front porch, soup your screens, egg your siding, sugar your gastank, and get your isp to resolve all http requests to tubgirl.com.

I hope you like your money, I don't care how legit you think you are, bulk email sent to me and my customers eats my bandwidth and costs me money. You outta be paying me to mail them your crap. I don't wanna hear how opt in it is, because 99% of the time, the opt in check box is so well hidden, users have no idea they even signed up for it.

I think I speak for every legitimate email server admin when I say, "Eat a dick."

Re:IP address fun

[nacturation]

We did once have a problem with a h4x0r (one of our clients at the time) trying to automate hits to the subscribe link but we caught him.

We never could think of a good fix to prevent that. Anybody have any ideas?

Very simple. I assume you keep all the email records in a database, each row having its own unique primary key such as subscriber_id and another with a timestamp, right? All you need to do is an MD5 hash of the subscriber_id + timestamp. So if subscriber_id 29481 signs up on April 18, 2004 08:01:23 then create a string with: "29481 2004-04-18 08:01:23" and grab the MD5 hash of it. Take the last 8 digits of that and send it with the link and ID value. eg:

http://xyz.com/confirm.php?action=sub&id=29481&h as h=82C15F0B

On the server, lookup that subscriber_id, compute the hash of the id with the timestamp, and compare the last 8 digits. If it matches, you know it's good.

Of course, this *could* still be hacked, but you're looking at huge odds of getting both the id and hash correct because the end-user won't know your specific hash algorithm (does take the hash of id+timestamp or timestamp+id or timestamp+sqrt[id] or "howdy"+cos[id]+timestamp+"banana" or ... ?). In a nutshell, it's effectively impossible.

perfect!

[WormholeFiend]

One thing I have noticed in this world is, nothing gets fixed until there's some major crap hitting the big collective fan.

Now here we have an email system which is increasingly broken, taken over by spammers, yet no one can agree to cooperate on a solution. Even the laws we make dont have any teeth.

I think we should promote this new thing, and all jump onto the bandwagon.

We should be able to definitely slashdot the email system at a planetary scale, thereby causing massive amounts of media aired/printed 24/7 for a few weeks.

The repercussions on spammers would be spectacular, to say the least.

I bet there would also be some political clout to revamp email to eliminate spam and prevent it from ever occuring again.

I equate this to a spammer saying: "here's a perfectly working gun. now use it to shoot me."

Re:perfect!

[leerpm]

I bet there would also be some political clout to revamp email to eliminate spam and prevent it from ever occuring again.

Yes, and that would be about the worse thing that could ever happen: the government regulating email. I cannot think of a more frightening scenario, short of the entire Internet being extensively regulated.

Re:perfect!

[mst]

I equate this to a spammer saying: "here's a perfectly working gun. now use it to shoot me."

True, but - like with a real gun - few will actually use it because of the legal issues involved.

Some will use it, but not enough to cause the stir you hope for. But, sadly, perhaps enough to be useful for the culprits behind all this...

Re:perfect!

[Azureflare]

Uh...

I think that interchange goes something like this:

Spammer: Here's a loaded gun. Shoot me.
You: Nah, who needs a bleedin' gun? Look, I've got a portable tactical nuclear warhead right here which will blow up all the spammers! I'll use that instead!

BOOOOOMMMMM

I dunno if I subscribe to the idea that to save something, you have to destroy it...

(note in the example that tactical nuclear warhead=slashdot)

Re:perfect!

[WormholeFiend]

"I dunno if I subscribe to the idea that to save something, you have to destroy it..."

well, I think in most cases we shouldnt do that, but in the case of email, the system is headed for self-destruction anyway... at a slowly enough pace that people barely notice.

when all the technical and legal solutions have been exhausted, people will just stop using email as we know it, permanently.

Re:perfect!

[WormholeFiend]

you mean it isnt already?

Re:perfect!

[Kizzle]

Take off your enter key. Throw it away.

$1/CPU hour?

[shachart]

Excuse me, but what does CPU usage have to do with spamming? It's not like spamming is a CPU-hogging task. Unless this is a distributed computation, meant to defeat bayesian filters (/me putting tinfoil hat on...), I fail to realize the connection.

1. Let's all get paid for giving them our CPU cycles, while having our favorite firewall block its outgoing connections on port 25!
2. ???
3. Profit! (for us. Expenses for spammers!)

Oh man, killing two birds with one stone. And I thought this day was going downhill...

Re:$1/CPU hour?

[superpulpsicle]

At least you know you are wasting CPU cycles on SPAM.

We don't know what the hell we are calculating with Seti.

Re:$1/CPU hour?

Fourier transforms.

Sheesh.

WHOIS

[KevinKnSC]

According to WHOIS, it looks like the folks at Atriks are behind this. You can contact them directly (toll free!) at 866-624-7008. You know, if you wanted more information about this, or something.

Lynching

[PretzelBat]

On the other hand, there are alternatives to legislation:

"Hey, spammer buddies, let's have a big ol' LAN party!"

(Aside)-"Calling all /. $p4m h4t3rz! Let's have a BONFIRE"

thank you!

[gosand]

Folks, they are paying PER CPU hour, not per wallclock hour. Since in almost every case you will be I/O bound, while this thing may tie up your entire connection it will not run more than a couple of CPU minutes per wallclock hour. Thus the spammers screw the people doing this - they think they are going to get 24*7 = $168 a week, but they really are going to get about 24*7*.1 = $16.8 a week. Then they will get nothing because their account was terminated. HOWEVER, this gives us a GREAT way to screw the spammers - run this sucker on an UNDERCLOCKED machine. WAYYYYYY underclocked. Like about 100 kHz. That way, even with a modem the program will be CPU bound.

I am glad someone pointed this out so I didn't have to. Now I am going to go fire up my TRS-80 and make some money!!! :-)

PowerLESS computer!

[InfiniteWisdom]

A powerful computer to pump out spam quickly and a decent firewall to block it will pay for themselves quickly if you keep them running 24/7.

A powerful computer is counterproductive, since you're paid by the hour, not by output. Use the slowest CPU you can find.

Re:PowerLESS computer!

blah blah blah.. you ppl are ignoring the obvious... How does the program report back what your CPU usage was??? Just spoof that, you morons.

Netcraft

[un1xl0ser]

Netcraft says they are running:

NT4/Windows 98 Microsoft-IIS/4.0 14-Apr-2004 216.204.150.246 Atriks, LLC

My moral obligation to not deal with a company using NT4 or IIS 4.0 trumps the spam morality dilema.

- un1xl0ser

Re:Netcraft

That will be down any time a half competent and very bored windows admin has 5 seconds on their hands.

Seriously, what a bunch of idiots.

Okay, here's how to do it...

[janic]

Providing you have a Linux(tm) (or something) firewall handy, and a junk windows box to run the proggie on, you can set up a few rules with iptables, bind, and sendmail to put this together as follows:

1 - install crapware on the junk machine
2 - on the fw, have iptables transparently redirect all outboud smtp traffic to the local copy of sendmail
3 - configure bind on FW to be a root, and put a wildcard MX record in to point to your FW as the MX for world+dog
4 - have sendmail configured to accept all messages from everywhere (the wildcard MX record above will aid in this)
5 - work some virtusertable magic to get sendmail to dump all messages to a local account whose mailspool dumps to dev/null
6 - ???
7 - Profit!

Of course, we would have to include some exceptions to allow some presumed "test" or "tracker" messages through to let the company know that the program is running, and to fool them into thinking you are sending the spam out, but hey...

Anything else I am missing?

John

Re:Okay, here's how to do it...

[jejones]

Anything else I am missing?

Wouldn't you also want to feed the messages to services that accumulate spam to aid in spam blocking, or try to determine the spammers' identities?

Re:Okay, here's how to do it...

[janic]

Hey, I like that...

Once the messages get hashed the fist time they get nuked everywhere!

That in itself is probably of more value than the $1/hour that they would be paying.

It might also provide some more insight into how we can overcome the obfuscation that is added into the messages.

Hmmm... (/self goes and takes another look at the website)

John

Licensing Fees

It seems that spammers have taken a new distributed approach to sending spam, in which you the end user gets paid. Virtual MDA contains secret patented SCO code which is in breach of our interlectual property contracts.
To avoid legal action SCO will provide you with a license to use our technology from as little as $1 per CPU hour if you buy now. SCO will be taking legal action against bulk senders who have not purchased a license within 90 days.

exim users

You can avoid stuff like this by turning on both sender_verify and reverse_host_lookup.

The spam friendly user will be doing something like:
Helo some-domain.com
mail from: spam-tracker-id-1223456@spammy.com
Actual host adsl.isp.com (1.2.3.4)
So by turning on these features we can test that they are not really some-domain.com or spammy.com, but actually adsl.isp.com.

Those of you who dont want to break stuff then an ACl like :
warn !verify = reverse_host_lookup
delay = 60s
log_message = Lame arse spammer

Slow down spammers, but let through badly configured mail servers.Game over
(waiting for flames from proper exim guru's (guri ?) :)

Mod parent up!

[danharan]

I'm unemployed too, and I'd love it if there was an _ethical_ way to make money from idle CPU time.

PS: need some Java coding? :)

HMMM... thinking about it... if you wanted to buy CPU time, you'd just rent a server. $100/month for a nice machine on a fat connection... :(

Yeah, right.

[Phs2501]

Since

• They're paying by CPU time
• Sending mail is by nature completely I/O bound
• Computers are really really fast these days
• They're not paying anyone until they build up $50

It's almost a certainty that they will never have to pay anyone anything before they are put out of business. It would take months if not years to build up fifty hours of CPU time sending mail over a cable modem. And if they actually manage to hook someone with a rediculously large pipe, they're getting their money's worth in spades.

This is a brilliant scam for people who don't know what CPU time means.

Re:Yeah, right.

[0x0d0a]

I agree with you that this is a scam on par with Nigerian stuff.

However, in the interests of playing mind games and trying to force the program to consume CPU time:

* What would happen if you were using a 386 (or lower, if the program would run on one)?

* What if you ran a virtual machine on a virtual machine on a virtual machine...

* What if a program kept sending messages or other IPC to the spam program?

More practically, unless the spammers take steps to identify honeypots, using this system might be useful to do early automated identification of spam, feeding the output into a bogus mail server that submits the results to Vipul's Razor and similar services. It'd be even better if these people are reselling spamming services...

Re:Yeah, right.

[Phs2501]

As long as you're running in a virtual machine (or even on real hardware) you might as well crank the timer interrupts up by a factor of, well, as much as you can, without telling the OS about it. That combined with forcing the process to take 100% CPU somehow should work quite well for getting the hours up fast. Combine with clever transparent proxying to send all mail to a local bit bucket (that looks suspiciously like an SMTP server) except for its time reporting.

Of course it's probably easier to just reverse engineer how it reports its hours and simply lie.

This is all completely theoretical of course. :)

Slashdotted

[lorcha]

That didn't take long. Don't forget to email the site administrator at webmaster@greenhorse.com to let him know about the issue. Might want to use a throwaway email account, tho.

No...

[blorg]

Wouldn't this make people accessories to the crime of sending [spam]?

No, it would make them guilty of the crime of sending spam.

Re:No...

[andreMA]

Cool. And if by some remote chance, the spammer actually paid them a dime, that would be forfeited as the procedes of criminal activity. The computer would need to be seized as evidence too for an indefinite period. With luck, they'll be put on five years probation wuith a restriction to not touch any networked computer during that time.

If this catches on, the average IQ on the net might start climbing again!

Damn. I'm assuming judges with a clue. I knew there had to be a flaw...

And when thay are done sending spam?

[Zocalo]

Virtual MDA will pay you $1 per CPU hour their program is running to relay spam around the world.

And what might "their" program do when, after approximately one CPU hour, the IP that it is running on has been blacklisted and is no longer of use for spamming? Join a DDoS net? Download and host some very dodgy software or porn? The list goes on... Still, at least you'd be able to afford a quartet of two bit lawyers when you get busted for hosting a kiddie porn site or something.

virtual machine

[Lehk228]

Can i run it on my TI86 and give it 100% CPU time, that'll prolly be about 3 messages per day (especially if i set the unit to runset that shit up to run in a virtual 33mhz environment so it is getting "100%" of 33 mhz, oh and give the virtual machine a TCP/carrier pidgeon connection

Make no distinction

[digitalgimpus]

We will make no distinction between the terrorists (spammers), and those who harbor them.

- George W. Bush

Nuff Said. :-D

How smart.

[Fuzzums]

Their own servers and accounts are no longer cut off the internet, but the accounts of perfect strangers.

If I were a spammer, I wouldn't care less...

$1 per *CPU* hour

[Pan+T.+Hose]

Please read it carefully. It is $1 per CPU hour, not $1 per hour. Sending email is not a CPU-intensive task. One CPU hour can be equivalent to as much as several weeks of saturated modem traffic!

Re:$1 per *CPU* hour

Run it on a 386-20 with the turbo off...

Re:$1 per *CPU* hour

[Kashif+Shaikh]

So run the program under WINE and change WINEs behavior to allow increased CPU usage stats for a process.

Or if they "trust" the operating system/environment, then they can only get screwed. BTW, If the call to get process stats is within some DLL, they you can replace the DLL with your nefarious version. I'm not too familiar with Windows, but you could do this under linux because glibc's symbols are "weak" and can be overridden by another library.

Re:$1 per *CPU* hour

[kindbud]

Read it even more carefully. The actual terms of service says they will pay you $0.25 per CPU Hour, not $1.00. I don't see anywhere in the ToS how they get the $1.00/hr figure. In other words, they flat-out lied, what a surprise.

Ah yes

[Dark+Lord+Seth]

Of course, considering spammers are such honest and legitimate business people, they will pay me fairly for the amount of CPU time I have given them. I mean, people who spam do not have questionable business models and serve as role models for entrepeneurs of all levels.

Excuse me, the nurse says it's time for my medication again. I need my happy fun pills!

oh good

[VanillaCoke420]

Does this mean the flood of spam will now reach biblical proportions, just because some shitheads pay people to send even more spam? Yes, please clog up the internet with even more crap, since clearly there's not quite enough of it! We want you to waste more bandwidth, and to chase away users from using email and the internet. Actually, spammers must be some of the most irresponsible people out there. Why is it so impossible for them to understand what they're doing? They should be treated the same way as the retards who vandalize public property with tags and graffitti.

Money trail

[Ra5pu7in]

Wouldn't this create a money trail that would lead back to the spammer? I don't expect the spammers would be sending actual dollar bills.

This doesn't make sense in another respect. It would only take less then two months of 24x7 running for the expense to equal purchasing a computer. This expense doesn't decrease as the quantity of computers involved increases. Why pay for CPU hours when the amount you would pay would buy that CPU in less than 2 months?

everyone is looking att heis the wrong way..

This is a perfect way to bite the spammers...

someone write a virus that spreads looking for this program.. it pathces it to report back that is is sucessful but doesn't spam to any addresses . and make it slowly ramp up and down to simulate net changes...

Voila! spammer is paying for nothing to lots of people.

it's time to use their tools against them.

Do you need matches???

[heybo]

Do you need matches and gasoline??? I'll be happy to pay for it! Nothing is better than Spam roasting on an open fire.

Paid spam

[garlicfarmer]

1. Set up dummy email server that goes nowhere. 2. Sign up for spam program. 3. Send spam to dummy server. 4. Collect $24/day ($8760/year) The more people who do this, the broker the spammers will become.

Re:Paid spam

[Feanturi]

I think step 4 is likely to be the extremely difficult part of this otherwise simple plan, regardless of how many CPU hours you can rack up. :)

Non-event

[Safety+Cap]

The few people who fall into this sucker trap will quickly wake up when they discover that their ISP terminated their account for TOS violations.

I noticed recently while trying to diagnose an email problem that Time Warner Cable now limits its "unlimited service" to 1,000 emails sent per day. Obviously, you'll hit your limit well before that CPU-hour, so you'll never make more than $365/year and eliminate your ability to send any personal email.

You'd make more money hanging out at the street corner holding cardboard sign that says, "Will compute for food."

Re:Non-event

[Czmyt]

Do they limit customers to sending a maximum of 1,000 messages a day through their e-mail servers, or do they limit their customers from sending 1,000 outgoing e-mail messages a day through port 25 on their Internet connection? Big difference.

Re:Non-event

[Safety+Cap]

You are right. They limit SMTP mail through the TWC server. As a "security measure" they block all mail originating from within the network destined for any TWC IP address that doesn't go through the SMTP server. So you can't spam a TWC person without using the offical server and hitting the limit.

I couldn't find any info about whether they port block or limit its use.

I'm all for it!

Just run this sucker behind a firewall that intercepts all outbound port 25 connections, and proxies them to an SMTP server that *pretends* to accept the message. That way, you run the program, pick up the cash, and no spam ever gets out...

Should be pretty simple if you put your box behind a Linux box with some firewall rules, or perhaps if you're cunning, you can hack up the box you're running the app on.

Of course, they might send emails to certain addresses to prove that your email is getting out, so you might have to be doubly cunning and not filter that out... Or, fake a bunch of rejections so that the stats look correct or something.

Where?

[Kchuck]

I didn't read the article, where do I sign up?

Hrmmm take advantage of them??

[emtboy9]

Step 1, set up 3 or 4 boxen on lan
Step 2, allow spammers to pay you for CPU hours
Step 3, have all outgoing traffic routed through a box that sends all outgoing smtp traffic to dev/null
Step 4: PROFIT!!!!

faster machine == lower income?!?

[jarkun]

So this scam pays more to run on slower machines?!!

ISP Reaction?

[4of12]

If I were an ISP I'd be pretty pissed if a subscriber got my valuable name and IP addresses blackballed as a spamspewer.

Require a deposit or credit card for service and impose a contract clause that imposed monetary penalties on subscribers who did that either through negligence or, heaven forbid, on purpose.

Of course big providers like AOL and MSN with millions of subscribers don't worry as much about being blackballed because it will always be the little ISP's help desk that will get the query about why Aunt Agatha's email from aol.com didn't get through. The explanation that Aunt Agatha is using a spammer-friendly ISP is a hard sell when so many people are using it.

That didn't take long

[Ridgelift]

I first read this article about 10 minutes ago. Checking back, I now see this at http://www.virtualmda.com/:

Error Occurred While Processing Request
Error Diagnostic Information
An error has occurred.
HTTP/1.0 404 Object Not Found

Note to self: Do not try and use Slashdot to gain publicity on what they perceive as negative activity. It ain't worth it!

Use a slow PC !!!

[neonfrog]

1. Dredge up that old P75 from the closet
2. Underclock it rather dramatically
3. Sign on with spammer for $1/CPU hour
4. Send only 3 spam an hour thus slowing the bastards down
5. PROFIT!!!

Re:Use a slow PC !!!

Whoa! Dude!

A "do sumpin .... profit" post that actually has the "...." filled in!

Hey, quit raisin' teh bar for the rest o' us!

Scam the Scammer, Rob the Crook

[Steve+B]

Is there any way end users can fight back against people like this?

Sure; you just need to figure out a way to sign up and get the money without actually spamming. Scammers are not entitled to honest dealings, and thieves are not entitled to respect for their property.

Bandwidth cost

[PRES_00]

I'm thinking that the cost of bandwidth more worriesome than the ressources it would use up on your pc. For some, the rate increases exponentially. Besides, I think that the amount of data sent is a more reliable way to measure your contribution than the cpu load.

Frighteningly Attractive

[mdielmann]

At $1/hour, running round-the-clock, this would generate more income per month than some people make flipping burgers (1 * 24 * 30 = 720), with the added advantage that you can still flip burgers. If I ran 4 or 5 machines, it would make more than I make working. Rest assured that people will sign up.

what IS a "CPU hour" anyways? Correlations??

[Geek_3.3]

By their definition, what IS a CPU hr? Sorry for my ignorance, but the website just got /.ed off the face of the planet. Wouldn't the amount of bandwidth have more to do with spam output than CPU cycles? So, If I get my dual opteron's with a 56K connection going, I'll make more than my Athlon 800 connected via an OC15 line?

I don't get it. Illuminate me, oh who got on the site before it got annihilated.

I hope someone will be examining it closely

Is anyone planning to sign up and run it in a closed environment to determine what it is sending out? It strikes me that this could be very useful for the writers of various anti-spam filters. It would provide a database of known spam that they would use for tests.

Re:I hope someone will be examining it closely

[kasperd]

It strikes me that this could be very useful for the writers of various anti-spam filters.

How much help would one million identical spam mails be in development of anti-spam filters? If you got one million different spam mails it could be a good thing, but that is not going to be the case. Of course it might still help a bit.

$8760 per year -- very attractive

[skoda]

This will seem very attractive to a lot of people. Running 24/7/365 it's $8760 per year, and would seem to only require a $500 dedicated computer. After taxes, that's about $5000 take-home for no effort at all!

People have commented on the difference between CPU-hour and clock-hour. Perhaps the details of this scheme prevent people from actually making money. But at first, I think this will appear very lucrative and attractive to people looking for a few extra bucks. I expect college students would be immediately drawn to this (easy cash, and they've got the network and computer already setup).

Re:$8760 per year -- very attractive

[mabu]

This will seem very attractive to a lot of people. Running 24/7/365 it's $8760 per year, and would seem to only require a $500 dedicated computer. After taxes, that's about $5000 take-home for no effort at all!

Yea, right. You'll be operating about a week max before your ISP terminates your broadband connection. Factor that in.

Re:$8760 per year -- very attractive

And also factor in the rule that spammers lie, so you probably were not going to be paid anyway. Then there is the fact that spammers don't make that much money, and they have to cover the expense of avoding being caught, bandwidth, and being caught.

They had a clause about accidential database resets and paying you $0.00, so don't be surprised if there are other caluses with the intent of screwing you and getting out of paying you.

AWESOME!

[Eric_Cartman_South_P]

Virtual MDA will pay you $1 per CPU hour

With Intel HyperThreading on my P4, I can get $2.00 /hr!

My usual response:

[Luckboy]

Time to give Spam hunters some extra tools. Trace, Ping, Whois, Frequent Flier Miles, Louisville Slugger.

Check your ISP's Terms and Conditions

[Caveman+Og]

Using VirtualMDA almost certainly is a direct violation of the terms and conditions you signed when you first purchased your DSL or cable modem connection.

In addition, Atriks' own policy insures that they will NEVER pay you.

Believe me, this news hits slashdot late. The folks at your ISP almost certainly are aware of Atriks, and its owner Brian Harberstroh by now, and if not, you can point them to THIS. Spamhaus does not add listings to ROKSO until after a spammer has had three documented terminations. In fact it often takes several before one can get three which are documented, as most ISPs don't announce when they've terminated a spammer.

--Og

Re:$1/CPU hour? Sure!

[MrNonchalant]

Better yet, just hex edit it.

Re:$1/CPU hour? Sure!

[mbyte]

even better, reroute the outward port 25 of that computer to something like a /dev/null email server (i.e. acceppt anything, then discard it), so the client actually thinks it send out the emails :)

Scott Richter interview

[Bender+Unit+22]

I am sure that people by now have seen the interview on the daily show. :D too funny.

Morals and Conscience of running NT4/Windows 98

[un1xl0ser]

Netcraft says they are running:

NT4/Windows 98 Microsoft-IIS/4.0 14-Apr-2004 216.204.150.246 Atriks, LLC

My moral obligation to not deal with a company using NT4 or IIS 4.0 trumps the spam morality dilema.

- un1xl0ser

Re:Morals and Conscience of running NT4/Windows 98

[Audigy]

Hmm. That would probably explain why first, the index.html file turned up missing... ...and now the domain doesn't even resolve.

I bet someone got r00ted. :D

Wow! What a deal!!

[DrDebug]

For the great introductory price of only ONE DOLLAR per CPU HOUR, I can have friends and enemies alike want to COME TO MY HOUSE and SMASH MY COMPUTER to bits with SLEDGEHAMMERS!!

What can be the downside to that?

Sarcasm mode off.

Both your friends?

[carlos_benj]

At $1/hour, this sounds like a low-gain way to infuriate both your friends and perfect strangers.

Hey, how'd you know I only have two friends...?

Re:Both your friends?

[Linknoid]

At $1/hour, this sounds like a low-gain way to infuriate both your friends and perfect strangers.

Hey, how'd you know I only have two friends...?

And furthermore, if I'm going to perfect someone, I'd rather it be myself, not a stranger.

MDA as in mail delivery agent?

[mini+me]

As in POP3, IMAP, etc.? Why would they want to use pop3 and IMAP to spam???

Re:Aw crap... end run around RBLs?

[Czmyt]

Razor does not use blocklists. Razor is a database of message signatures. The more messages received with the same signature, the more spammy the message likely is. Using a distributed network should not affect the effectiveness of Razor, but other factors totally unrelated to where the message comes from will.

Terms of Service

[thebus]

I case you couldn't get to the site like me, here are the terms of service from the google cache.

Terms Of Service
1. ACKNOWLEDGMENT AND ACCEPTANCE OF TERMS OF SERVICE. Atriks, LLC
("ATRIKS") web site, VirtualMDA and other ATRIKS services and web properties ("Service"),
owned and operated by ATRIKS, is provided to the
member community under the following Terms of Service and any operating rules
or policies that may be published by ATRIKS. The Terms of Service comprise the
entire agreement between Member and ATRIKS and supersede all prior agreements
between the parties, regarding the subject matter contained herein. By
participating in the registration process, members are indicating their
agreement to be bound by all of these Terms of Service.

2.Payment. Upon completing the registration procedure, you will be given a unique
identification account number ("UID"). You will be paid by ATRIKS $0.25 for every
Central Processing Unit Hour ("CPU HOUR") used by the VirtualMDA software located
on your personal or business computer(s) (either or both of which shall be the
"Installed Computer(s)") is actively connected to the internet ("Online"). The
Installed Computer may accumulate a maximum of 24 CPU HOUR's in one day. If
your UID logs more than 24 CPU HOURS in one 24 hour period, your account
may be suspended or terminated for unusual or suspicious activity. In order to
receive payment, you must submit a request to ATRIKS using the electronic request
form provided to you via your member account webpage. Your member account webpage
will contain a calculation showing the amount of money accrued in your account.
In case of a dispute as to the amount accrued, the amount shown in your account
is final and binding upon you in all respects. You may only request payment, and
ATRIKS shall only disburse from your account, when your account is equal to or
greater than $50.00 for United States residents and $90.00 for those residents
outside the United States. In the event of technical problems or data loss which
causes a loss of account information, your account will be reset at $0.00, and
you hereby waive any and all claims for any amount previously accrued but not yet
disbursed. All payments shall be by check, made payable to you, and sent to you
at your last known address via the U.S. Postal Service, first class mail. There
will be a check processing fee of $3.00 (three dollars) and any payment returned
to ATRIKS shall be voided, and your account shall be deleted and any accrued
amounts will be forfeited

3. DESCRIPTION OF SERVICE. ATRIKS is providing Member with Internet services and
opportunities to get rewarded while using the Internet in exchange for performing
certain actions as desired by our advertisers. As part of this service ATRIKS provides
Member with proprietary software ("SOFTWARE") for relaying email messages.
In consideration for this Service, Member agrees to: (1) create only
one account per household and, (2) provide certain current, complete, and accurate
information about Member as prompted to do so by the Service and, (3) maintain and
update this information as required to keep it current, complete and accurate and.
All information requested on original sign-up shall be referred to as account
information ("Account Information"). Furthermore, ATRIKS will not share, sell, trade,
or give away personally identifiable Member information to third parties without Members'
explicit permission. Upon registration, all users grant to ATRIKS their explicit
permission (1) to contact them with important information about Members' accounts and
updates to our services, policies and business practices, (2) to access and use the
Installed Computer(s) for relaying permission based (opt-in) email for ATRIKS and/or
third parties, and (4) data gathering activities, without further notice to or permission
from Member. The users have the option to choose not to be contacted or t

Re:Terms of Service

[Hassman]

This is total BS:
In the event of technical problems or data loss which causes a loss of account information, your account will be reset at $0.00, and you hereby waive any and all claims for any amount previously accrued but not yet distibuted.

This is their back door. Every time their accounts get to the point where they need to pay out... they have an 'accident'. I can see it now:

You: Where is my paycheck bitch?
Them: I'm sorry sir, there was a technical problem that resulted in data loss of account information.
You: So? Where is my paycheck?
Them: The terms of agreement clearly state that we are not responsible for any payment if this happens.
You: But this is the 4th time in a row that you were suppose to pay me!!!
Them: Sucks to be you. Now get outta here, you bother me.

I also like section 15. Give it a read.

What a scam.

Perfect use for Vmware

[Oriumpor]

Dual Processor Xeon Server system w/2gigs of ram: $4000
Single Professional License for Vmware from ebay: $200~
The ability to milk a spammer for 30 bucks an hour: priceless.

Re:Perfect use for Vmware

Looking at it now, you'd only have to let it run a little more than 5 CPU days to break even. and you'd rake in: $720/CPU day after that.

umm ...

[jacobm]

Is there any way end users can fight back against people like this?

You could've started by not advertising their product for free on the front page of Slashdot ...

Re:umm ...

[smatt-man]

Except no one can check out their product because of the Slashdot effect.

Re:umm ...

How myopic of you. How incredibly myopic.

The site has been DDoS'ed (aka "slashdotted"). No one can get to the client. No one can download it. Let's hope that they client is configured to report back to their webserver (this would make me giggle like a little anime girl)...and, if that's the case, no one who is reporting back to the server is getting through. That means no new email lists are sent and no sent lists can report back and collect the $$$ due them. I would presume that all the clients that can't get through are just queueing up for a second DDoS, seti@home style. Once the article leaves slashdot's homepage, the DDoS will still continue as each and every client reports back in to the server. if they have poor qa, the sudden spike in client requests for more work and reporting of completed units may be enough to bring the server down for a second time. The db of completed workunits gets conveniently reset (it broke! there was nothing we could do!) and lots of people get pissed off. They stop spamming. meanwhile, lots of other people violate their ToS and get their connection yanked. Entire ip blocks get blacklisted. net traffic decreases. The percent of pr0n traffic spikes. whee!! zoink!!

Re:umm ...

[orkysoft]

And don't forget the inevitable duplicate article tomorrow...

Re:umm ...

No, I think Slashdotting them is the perfect way to fight back.

Has to be bogus

[interiot]

The page is slashdotted, so it may not be possible to dig into this further, but just based on the slashdot story, this seems to be clearly bogus:

• they pay by CPU-hour, not bandwidth-hour or any other number remotely related to the actual number of spam emails sent
• $1 / CPU hour is almost so low as to make administrative costs overwhelm the actual costs. If the spammers won't pay more than $1 / CPU hour, will they be willing to spend the time to stuff an envelope or even the moeny for the stamp?
• How many people are going to fight for a spammer for a $10 check when they fail to pay you?
• Spam-fighters can sign up for this service and have a corpus of 100% known-spam to train their bayesian filters and such by, so having untrusted third parties knownly help spammers probably won't work. (as noted here, it's unfortunately probably not possible to block outgoing messages, even if you were willing to masquerade thousands of different SMTP servers)

It Could Never Work...

[disntrstd]

I believe All Advantage tried something similar. What ended up happening was a bunch of people who used hacks to simulate client behavior. Because of All Advantage I was making 1000$ a month doing nothing until the company eventually crumbled. Now for the real question of ethics: "It is ok to cheat a spammer?" Is this just bullshit? Do they actually intend to pay out the money?

I keep reloading and...

[gmby]

nothing happens. This ucks,,, i want my money...;
guess i'll keep trying a few more hours.

I know they want me. I have such a big one two...
I'm the best of all what one wants....
I'll give it to'em so i can make egood money....

i calculated it out once

[dumbfounder]

and if I bought every product that was spammed to me my penis would be growing faster than the speed of light, I would be debt free for 10 trillion years, my website would be number one for every search query imaginable, its design would be changing faster than is comprehensible by humans, and Nigerian princes would make me the richest person in the universe

Re:$1/CPU hour? Sure!

I'm sure Virtual MDA is not stupid enough to leave themselves with no way to check if emails are actually being sent out. All you need is a testing account set up expressly for the purpose of validating whether certain accounts are actually sending email. Then have the user's (victim's?) account attemtp to mail that account every 100 emails or so.

Would they really pay?

[Carl+T]

Everyone here seems to be assuming that they're actually going to pay you if you do this. But with most spam being sent by criminals much more interested in quick $ than customer loyalty, what's the chance that they'll actually cough up?

Work at home

[monster811]

Maybe this is the crap they advertise through the work at home - earn big money spam?

Note to self...

Note to self: Kill allm idiots who us word "boxen".

Re:Note to self...

2dn note to self: Learn to spell properly when writing notes to self.

PS: I think we should just call them Boxii (a la "virii")

Tucows,yahoo,hotmail,ghandi stop supportin 'em

Domains contained within spam messages nearly always have contact information with emails at yahoo or hotmail. Even more often than AOL. Much more often now that I'm thinking about it. Spamcop, and other reporting services, and yahoo and hotmail directly, need an automated mechanism (or they can do it manually) to 1. disable the yahoo or hotmail account in the whois listing, and then they need to inform the registrar that the contact information is not valid. And they need to pressure the registrars (and ICANN if necessary) to disable the domain registration (let the registrar keep the registration fee if necessary) of the domains contained inside the spam mail.

The next step is to go after the domains directly. The domains inside the spam messages are using name servers. Those nameservers need to be checked for correct whois info, and if they are using yahoo or hotmail contact info, yahoo and MS/hotmail need to 1. disable the accounts, and 2. pressure the registrars to drop the registrations of the domains used by the name servers. This also needs to be automated. I need to be able to go to SpamCop, paste and submit, and then the service needs to be able to send spam reports to not just the open relay owner or isp of the open relay, but also to the domain owner's isp, and the isp of the name servers. And at the same time, the registrars need to be pressured to drop the registrations of not just the domain in the spam, but the nameservers as well.

Tucows, you fuckers, stop providing a safe haven for spammers. Tucows keeps popping up when I'm checking the whois info on the domains contained in spam messages, and in the registrations of the name servers. Stop providing a safe haven for spammers Tucows. And /.ers should make sure to vote with their feet when it comes to sending money to registrars that provide cover for spammers. Ghandi, same story.

Anyone using DomainPeople for domain registration? How's this for their attitude on spam? (I received this after getting spammed repeatedly by one of their customers, and complained to them, this is the response I received):

As a Registrar, DomainPeople is not responsible for the content or marketting ethics of the Registrant and will not act on abuse complaints unless the request comes from a valid dipsute organization or is accompanied by a court order.

I hope no /.er ever uses DomainPeople (or Ghandi (Ghandi.net?) or Tucows) for anything.

Bankrupt 'em with an S/390

[swb]

Presumably a single S/390 can handle thousands of low-cycle Linux images simultaneously. You're being paid by the *hour*, not by the message, KB or any other piecework metric.

1000 images * 24 hours = $24k per day. Rate limit the aggregate pipe to the internet for all images to 9600 bps, to mitigate the real damage.

In a week the spammer could owe you nearly $200k.

How many S/390s can we get to collaborate on this? 10? 20?

The same thing might work on a more limited scale with Mac and PC based virtual environments, as well as maybe FreeBSD jails.

Of course...

[Tuxedo+Jack]

If they can afford to pay that, they should probably buy a bigger pipe for when we hit their server.

validation

[Cruciform]

Do they have a way to verify that the spam you send out actually gets where it was intended?

Could you trick their system into thinking that you were pumping out spam while your firewall routes everything coming out of that box to /dev/null?

Imagine what a few thousand Slashdotters could do to skew their statistics and devalue their advertising packages.

Re:validation

[hpavc]

yes they send special messages through you and test that they got them.

simular to mass snailmail mailing where you rent a list from someone and then if you continue to use it after the period you paid they know because they planted fake people in the list.

Re:validation

[Cruciform]

ah, that's a shame. at least their site is completely buggered for the time being though :)

$1/CPU hour on *my* box and *my* accounting?

Lordy lordy! Is there a Windows equivalent to LD_PRELOAD so I can cook the numbers the spam process generates for itself?

1. Run spam program.
2. Cook the CPU numbers.
3. ????
4. Profit!!!

Oh yeah, and
5. Screw spammers out of $$$!!!

If I overclock...

I can make $1 in 30 minutes!!!

Wooo hoo!!

Re:$1/CPU hour? Sure!

[nsebban]

You got moderated "funny", but that's perhaps one way to stop that kind of new spamming practice ?

Simple Solution

[qkslvr]

Here's what you do:

Subscribe.

Set up this program on as many computers behind a closed network.

Setup a DNS system that points to another machine for a wildcard domain (have it respond to one machine for ALL DNS lookups)setup as a local email server that responds to all domains for all send requests.

Run their program on a massive array of computers, getting paid $1/hour of CPU time to email to a blackhole.

Or, block outbound SMTP requests from all machines you run it on (assuming they don't verify send - which they probably do) and run it on as many machines.

Anyways, the best way to fight this is to sabotoge it. (And get paid for it at the same time.)

Mod parent up

1) I like this idea.
2) It is legal (apparently).
3) It doesn't create spam for the well-informed.

getting paid

[jhagler]

Anyone want to guess what your chances of ever actually seeing a penny from these people are?

Just one tiny little problem with this idea

[SmallFurryCreature]

It is the old money trail. Cops are very good at finding these.

Let me explain. In normat botnets the criminals use a long chain of infected machines to hide their location. So from their HOME->infected A -> trojaned B -> rooted C -> IRC D -> botnet E -> target

But with this would not be possible. TARGET (the trojaned machine doing the spamming) would have an ID that would link directly to the criminal. Namely the ID by wich he is known at the spammer.

In order for this to work each spamming machine must have some kind of ID that it sends to the spammer to identify who did how many hours. This ID is of course linked to payment details (if you believe spammers would actually pay out) and this would be trivial for a police force to find out and track back to you. So then you would face both spamming and hacking laws as well as profitting from them. Not good I think.

Re:Sashdot effect

alternative blurb from parent company: here.

Reply with bogus data

[gorfie]

When I have time, I visit the sites being advertised and fill out their online forms with bogus data. My theory is that this activity burdens the spammer/scammer and if enough people do it, the benefit of spamming is outweighed by the cost of sorting out the good data from the bad.

Oh my goodness

[Allen+Zadr]

Since your post - it seems like this place is suffering under slashdot load. I'm afraid that some people have actually figured out number 2 in the 1, 2, 3: Profit! Scenario.

Bottom line though, good luck finding an ISP that will sell you a T1 without SPAM restrictions. Perhaps more importantly, you would be 1/2 or 1/3 responsible for any CAN-SPAM violation law-suits. That would put a hamper on your day. The lawyer fees alone would swallow your profits whole.

Re:Oh my goodness

of course i didn't rtfa...but stay with me i have a plan...

you get about a dozen or so computers running...since they pay per cpu hour, you run it on all of the boxes 24/7 now you put up a firewall that blocks all outgoing email traffic...now you are killing 2 birds with one stone because you are sucking money out of the spammers and you aren't actually sending any spam!

now i guess i will rtfa...

Re:Oh my goodness

[NineNine]

Bottom line though, good luck finding an ISP that will sell you a T1 without SPAM restrictions

There are tons of them. You just have to know where to look. I could find a spam-friendly ISP in about 5 minutes if I was interested. That being said, you definitely do pay *quite a bit* for this kind of service. *QUITE* a bit.

Re:Oh my goodness

[caseydk]

That's exactly what I was thinking..

Essentially let the mail system /dev/null everything right then and there.

Too bad I'm not in college anymore, this would be a great thing to set up in the labs.

Re:Oh my goodness

[wo1verin3]

maybe not a firewall, but a honeypot so the app THINKS it is sending spam...

Unless they also send to accounts they own once in a while to verify the e-mail is getting out.

Re:Oh my goodness

[kasperd]

maybe not a firewall, but a honeypot so the app THINKS it is sending spam...

Anybody who wants to do that? Feel free to use my honeypot. (smtphoneypot.c) Put it on a Linux box acting as firewall, and use an iptables rule to redirect all outgoing SMTP connections to the honeypot. You might need to let a few test emails through to avoid them noticing. Hopefully it will work if you let their application contact their own mailserver, but no other mailserver.

Re:Oh my goodness

[wo1verin3]

heh, thats kinda cool...

I wonder if the spammers would take those who scammed them to court.....

Re:Oh my goodness

[JCCyC]

The firewall would have to be smarter than that. Maybe redirecting all outbound port 25 traffic to a faux MTA on the local machine that pretends to accept messages. Hmmm, interesting.

Re:Oh my goodness

[JuggleGeek]

It would be trivial for the spammers to seed the mail they have you send with some verification addresses. If they don't receive the mail you supposedly sent to those test addresses, then they know you aren't really delivering the mail you claim to be delivering.

First thought....

[psocccer]

Would be to sign up for this, setup their "proxy" or whatever, and feed the results straight in to razor to instantly blacklist the spam messages. Of course you'd block outgoing port 25 too so that the spam didn't actually get anywhere. I'm sure they'd catch on, but in the mean time you have a 100% fullproof spam corpus coming in.

Re:First thought....

[Violet+Null]

Though spammers have, as a rule, shown themselves to be pretty dumb in general, they are not, as a rule, dumb technically.

Trivial to have every nth (perhaps with some random deviation) email address be one of a number that the spammer itself monitors. If the mail does not get to those monitor accounts, you don't get paid.

Re:First thought....

[psocccer]

Trivial to have every nth (perhaps with some random deviation) email address be one of a number that the spammer itself monitors. If the mail does not get to those monitor accounts, you don't get paid.

The point is not to get paid, but to have a large amount of email that is 100% spam so you can submit it to hash based blocklists. The rate from being a proxy will undoubtedly be higher than just setting up a honeypot email address, so you will be able to block spam quicker because you are getting it from the source, not waiting for it to come to you.

Re:First thought....

[Violet+Null]

With random characters in the spam, hash-based blocklists are more or less useless, neh?

'Sides, after a few hours, if not minutes, of the spammer sending mail to you and not seeing anything come back, they'd just stop using you.

5 bags of ramen? Hungry or just fat? :)

[SmallFurryCreature]

Just kidding, yes it sounds like easy money. If you believe spammers would pay out. If your internet connection isn't closed of in a second. If you can deal with the risk of being targetted by AOL/MS and all the others who are fighting spam. If you are not worried about the taxman finding out.

But I got a technical question. How much power does a PC consume anyway? I sure know my electricity bill ain't cheap. You got free internet but you got to pay for the rest.

I think this is like the alladvantage idea. Remember them? Being paid to browse? Anyone ever received 1 cent from them?

Re:5 bags of ramen? Hungry or just fat? :)

[Quixotic137]

AllAdvantage did actually pay for a while. They tried to fight programs that simulated browsing by moving the cursor around and clicking links, but eventually reality caught up with them and they died.

mmm

[medelliadegray]

1.) install on a bunch of machines...
2.) firewall and snort everything off at your gateway
3.) profit!
4.) laugh as you're taking spamers money.

*granted this assumes the program does not report back to home about its successful deliveries...i should RTFA...

Free Cash $$$

[Lord+Apathy]

What is to stop me from signing up for this, taking thier cash, and routing thier crap right to /dev/null?

Solution

[42forty-two42]

1. Configure iptables to forward outbound port 25 on this program to local port $x. (Or use LD_PRELOAD).
2. Make a fake mail daemon on port $x, which accepts mail and sends it to the bit bucket.
3. Profit?

Is it the same guy as this? (read on...)

[Hoi+Polloi]

I wonder if it is this guy:

"Braden Bournival, vice-president of the New Hampshire Chess Association and his business partner, the former neo-Nazi leader Davis Wolfgang Hawke."

Wired Story

Talk About Spam

I hate spam

[smatt-man]

I hate spam too, unless it comes in a can, but...

Imagine a beowulf cluster...

Better yet...

[artemis67]

Set your cable or DSL router to block all outgoing SMTP traffic. Pure profit, and no spamming.

Re:Better yet...

[Monkeyman334]

That would be too easy. Have every 1 out of 1000 messages sent to a mailbox controlled by the spammer. No mail? Oops, no check.

Re:Better yet...

[misleb]

That would be too easy. Have every 1 out of 1000 messages sent to a mailbox controlled by the spammer. No mail? Oops, no check.

I'm sure the sleazbags would find plenty of other reasons not to send you a check.

Here is your payment

You: Is this the Atkris Company? Operator: Yes You: I am calling to find out why I have not received my check yet. I have over 500 *CPU* hours. Operator: Let me check. Please hold (waits a few mins) Operator: Sir, we sent you the check by email. You didn't *delete* them without reading all your junk mail, did you? You: D'oh.

Sitting ducks

[Todd+Knarr]

The people who install this are sitting ducks. You see spam from them, do one of two things:

1. If it originates from a residential account, forward the spam to their ISP with full headers showing where it originated. They're almost certainly violating two different provisions of their ISP's TOS/AUP: running a server and commercial use.
2. If it's coming from a business (office PC or something), or if the ISP doesn't do anything, report the business/ISP to their upstream provider and/or some of the big blacklists as a spam source.

so, $1 per CPU hour?

[ardiri]

how about using a bandwidth throttling application to only allow the application to only send 1 byte per minute?

Re:so, $1 per CPU hour?

[bmetzler]

how about using a bandwidth throttling application to only allow the application to only send 1 byte per minute?

I'd guess it would take you a long time to get one computer hour at that rate.

-Brent

Why not just pay us to receive it?

[MegaT]

Great, so now they're paying us to send spam. If only they'd just pay us to receive it, there'd be no problem...
If I was paid $1 for every hour I spent deleting junk mail, why... I'd have at least 2 dollars by now!

Also, to anyone who's tempted, I would say remember they're paying you per CPU hour, and it doesn't take an awfully long time to send emails, so they probably won't actually use your CPU for more than a dozen minutes every day.

DUL RBL *NOW*

[mabu]

This is why we need to get the major ISPs to contribute to centralized IP address lists of all broadband DUL space. Legitimate mail servers should refuse to accept mail from cable and DSL SMTP traffic. Then these spammers' schemes won't work, and it will also dramatically cut down on virus/worm propagation. I'm unaware of any really good DUL RBL except for Maps which is now pay. Does anyone know of a solid DUL RBL that's free?

Re:DUL RBL *NOW*

[mkettler]

Check out the SORBS DUL.. Works very well when used properly, well enough that it's standard in SpamAssassin.

(This list is the former dynablock list. Sorbs took it over when the maintainer wished to retire to do other things with his spare time)

http://www.dnsbl.sorbs.net/
http://www.dnsbl.us .sorbs.net/DUL-FAQ.html

Re:DUL RBL *NOW*

A really nice DUL-like system with almost no false postives is the Spamhaus XBL, it catches stuff that traces to these ATRIKS scumbags all the time.

I for one...

[Azureflare]

I for one welcome our new paid-by-the-spammer, troll-in-the-slammer overlords.

Ha! I'd like to see those damn trolls troll from the clink!

Oh, crap, they have net access there don't they? Doh!

Another brilliant plan to destroy all trolls obliterated...

virtualmda is a "branch"... see the ROOT of evil

virtualmda site is down...
but visit(not so nicely i hope) the root(PARENT company)of evil http://sendmails.com/email_deployment.html?a=

Collection and Vouchers

[Compulawyer]

Good luck trying to collect your payment if the company decides not to send a check. I wouldn't be surprised if the "payment" ends up being vouchers good for use in purchasing the products advertised in the spam you send. $48.00 off that $250.00 penis enlargement kit? Who can complain about that? The kit is probably a bargain at ANY price!

Take their money and throw out the spam

[antarctican]

I wonder, is there any way one could setup a dummy machine between your "CPU" and the internet to trick this software into thinking it's sending out spam? Some kind of dummy MTA that responds to all outbound port 25 requests and "accepts" all emails.

It would be fantastic! Take the spammers money and have all their spam flow into a big blackhole. This has possibilities....

Here's how they describe their distributed system

[Cytotoxic]

From the description below, you can see that they don't want your ISP to block your connection. They only send you 100 emails at a time. I would speculate that their service is very difficult to uninstall, ensuring stability in their network.

Atriks Description:

Email Deployment

Reliable and Effective Email Campaigns

Atriks has created relationships with over 60,000 individuals throughout the world who act as sending agents for the Atriks Distributed Email Delivery System. Atriks has developed a software called VirtualMDA (see www.virtualmda.com ) which resides on these sending agents' machines and periodically talks to an array of servers within our data center, looking for messages to deliver. When messages are available, each agent machine can receive up to 100 emails to deliver. For example, with 20,000 agents sending 100 emails each, the Atriks Distributed Email Delivery System can deliver 2 Million emails in one quick shot.

Politeness is key

There are approximately 4500 "well known" mail servers within the US and Canada, so being "polite" on how we connect and deliver the messages is important. Atriks doesn't want to cripple the receiving mail servers with millions of messages, so we create delays and meter traffic so not to overload the receiving server with connections.

Distributed delivery prevents blocking

Atriks developed our Distributed Email Delivery System because many email providers will obstruct otherwise legal emails from very large senders at will and without notification to the sender/list owner. Using sending agents and VirtualMDA, blocking is much less likely.

Creating a campaign

Once signed up with Atriks, most customers can create their campaigns in a few easy steps through our web interface:
Create the campaign
Test and OK the campaign
Set delivery date and time
Upload your data records
Set the campaign to "Ready."
Our system automatically starts delivery at the time and date set within the campaign.

For more information about using Atriks to deploy your next email marketing campaign, contact us.

Not that much

[Allen+Zadr]

$840 a week sounds good, but let's break it down.

DSL/Cable Method:
Sounds good: $840 per week
First, Taxes: $500
DSL/Cable gets cut off after a week, weekly replacement, non refundable: $440
Two day wait for installation of new DSL provider (cuts funds by 2/7): $315
Give two months, and you have likely run out of providers.

T1 Method
Sounds good: $840 per week
First, Taxes: $500
Pay for T1: $375
Now were talking!

Oh, but wait - assuming you find a provider that offers a T1 that doesn't cut you off... then, within 6 to 12 months, you become a Co-Defendant in a CAN-SPAM law suit. Assuming the judge does not find you responsible... Good luck paying yourself and a lawyer on $375 per month.

There's another thing here as well. There's very little likelyhood that ANY computer can dedicate more than 95% CPU to a single task (unless you are running this program on DOS). It also assumes that they give you enough addresses to process to actually make this type of money (very doubtful).

However, assuming everything were to go your way, T1 provider that likes you and no law-suit...Yeah, you can live on that, but you'd probably want to steal candy from kids to suppliment your income.

Re:Not that much

[Jane_Dozey]

You've forgotten the electricity bill that'll hit you every month.
I shouldn't imagine it'd be that hefty but it's something.
Also, what about computer crashes? It's likely to happen now and again, so you lose a few dollers a month rebooting/fixing the machine.
It's looking less and less attrative.

Re:Not that much

There's another thing here as well. There's very little likelyhood that ANY computer can dedicate more than 95% CPU to a single task (unless you are running this program on DOS). It also assumes that they give you enough addresses to process to actually make this type of money (very doubtful).

The other corollary here is that it really doesn't take that much CPU to saturate a T1 with spam. Figure an ordinary computer can pretty easily fill 100 Mb/s, and your T1 line limits you to maybe 0.02 cpu-hr/hr. That makes your 24/7 top line not $840/week but only $16.80/week.

This is one of those too-good-to-be-true offers.

Re:Not that much

[CyberdogOSX]

where the hell do you live that taxes on 840.00 is 500.00? even in a 30% tax bracket it would only be 252.00.

and why again would you need a T1? a business cable line will do fine.

One advantage (and a disadvantage)

[eric76]

Sign up but make sure your outgoing port 25 are blocked. The spammer will think the spams are going out.

However, the spammer could just send out multiple copies of the spam to each address from a variety of sources to ensure that the recipient is sufficiently annoyed.

Re:$1/CPU hour? Sure!

[orkysoft]

Once every 100 emails? That would make it easy to spot! Once per spam run is virtually impossible to spot. Or just have lots of verification accounts in the list.

solution

[fudgefactor7]

(1) set up this on a system;
(2) kill all services except this;
(3) set this service's priority to realtime;
(4) set firewall to deny any outgoing email from that system;
(5) set firewall to allow for their method of verification;
(6) profit! ;)

Voila! We all get paid and there's no addition to the spam problem.

Yes, 386

[Gleef]

The Intel 80386SX processor is definately the way to go here. It will run Linux / Windows / Whatever, unlike many earlier processors, but the clock speeds are low by modern standards. Furthermore, this has to be one of the least efficient microprocessors ever designed, it certainly gives the least bang per clock cycle of anything Intel ever put out. Make sure you have a good network connection to the next hop of the scheme, and you're pretty much guaranteed to be CPU-bound.

The next hop, of course, being another machine on the same LAN: an SMTP server to quickly and efficiently accept all the emails put out by the spammers software and happily dump them in a bit bucket.

Re:Yes, 386

[radiophonic]

Damn! I wish Gentoo would hurry up and build on this thing so I can start making $$$ !

Re:Yes, 386

[fredrik70]

huh? 386 we re *great*! first intel with flat memory space. 286 though, very weird thing...

Re:Yes, 386

[Gleef]

Sure, the instruction set got cleaned up, the memory model got cleaned up, the security model got cleaned up, but they were slow. A 16MHz 80286 was noticably faster at most things than a 16MHz 80386DX. The 80386SX was even slower, because it was trying to cram a 32 bit wide data stream over a 16 bit data bus.

Why are spammers doing this?

[mabu]

Do you wonder why spammers are now trying to sign up individual users to help them relay spam?

The answer is because relay-blacklisting is working!

None of the client-side, server-side, content-based filtering has made any difference. What HAS made a difference are mail servers which are utilizing relay-blacklists of known spammer IP space and refusing to connect with them. This has forced the spammers to begin abandoning their havens in China, Brazil, Korea and other areas. Now they're trying to infiltrate domestic broadband IP space. First they tried it via propagating viruses and worms and that isn't working out as well as they'd like (and they probably figure sooner or later, the Feds just might actually prosecute one of them), so now they want to sucker people into spamming for them.

All this is an indication that relay blacklisting IS effective.

RBLs are becoming more sophisticated nowadays. Spamcop can usually ID a spam source in real time within an hour of it beginning operation. AOL and other major ISPs are now looking at RBLs to help them block spam. It's much more economical than strip-searching e-mail content using filters.

Let's keep up the pressure. Let's continue to force the spammers into smaller areas of the Internet where they can be identified and dealt with. This latest effort is a good sign they're getting desperate to figure out where they can send spam out from. None of the content-based filtering schemes have come nearly as close to slowing down their efforts as much as RBLs.

Re:Why are spammers doing this?

[garcia]

All this is an indication that relay blacklisting IS effective.

All it has been effective in doing to me is causing me email headaches. I block SHIT TONS of IP ranges for SPAM. I also get block a SHIT TON for being on a residential IP block.

I have a valid connection to the Internet. I am not spamming, and I am certainly not sending any large volumes of email. My IP should not be blocked.

I now have to send email through my ISP's SMTP server (which I have found to routinely timeout, give me fucking connection errors, and even has been blocked on some blacklists for short periods of time).

It's a pain in the ass, it's a hassle, and it's all because of a handfull of people being assholes.

Sounds like 9/11.

Re:Why are spammers doing this?

RBLs are becoming more sophisticated nowadays.

Oh please! RBLs are a joke. They're far from accurate, have no real appeals process (they just *pretend* to have one) and the 'downfall' of a few of them a few months back proves that clearly.

Re:Why are spammers doing this?

I'm sorry you're in that situation. However, there's a good chance if you have a consumer DUL/broadband, that running a SMTP relay is in violation of their TOS.

Nonetheless, I'm sorry you have to suffer. It does suck. I suggest you take your frustrations out by lobbying your local District Attorney to get off his lazy ass and start prosecuting these spammers. So far, none of them have been nailed. The feds haven't done anything.

Re:Why are spammers doing this?

[mabu]

Oh please! RBLs are a joke. They're far from accurate, have no real appeals process (they just *pretend* to have one) and the 'downfall' of a few of them a few months back proves that clearly.

You don't know what you're talking about. Maybe you're used to dealing with RBLs that are run by BOFHs, but systems like Maps and Spamcop are very well run and regulated.

I'd bet good money you're a spammer posting AC.

Re:Why are spammers doing this?

You'll win that bet!

In fact, he's probably one of the spammers who DDoSed the blocklists last summer and caused their 'downfall".

To bad some remain spammy-one. Oh, and the next knock at your door could be the Feds... bring lube.

Re:Why are spammers doing this?

[sal]

Blacklisting has been going on for at least the past five years and the amount of spam sent has gone up for each of the last five years.

Re:Why are spammers doing this?

[Thundersnatch]

I don't think you know what the hell you're talking about. RBLs do not work in practice.

In my experience administering email server for hundreds of real corporate users, "moderate" RBLs like SpamCop are only about 60% effective at blocking spam. They also produce false positives in the 2% area, which is completely unacceptable in a business environment. Don't even talk to me about SPEWS - yeah, it gets more than 95% of spam, but it also generated 30% or more in false positives during our tests. A lot of people think RBLs "work great", because the quantity of spam spam does indeed go down. But most never even measure the false postive rate - their "good" inbound messages are just sent to /dev/null.

Per-recipient statistical (Bayesian) filtering programs like SpamBayes result in greater than 98% spam capture rate and less than 0.1% false positives.

Also, a good statistical filter is by it's nature a much more intelligent take on the RBL concept, since netblocks and individual addresses are used as spam clues from the Received headers. But now they have probabilities associated with them, rather than being simple "all or nothing" indicators as in an RBL. These "sending host" probailites are only one piece of the puzzle, and are weigthed intelligently with the rest of the message content.

Basically, RBLs were a hack put together in the early days of the spam war. Yes, they encouraged spammers to turn to Trojanned machines as a means of distribution. But spammers may have done that anyway, in order to limit their anonimity in light of spam legislation. In any case, my experimental evidence seems to indicate they are unable to cope with the new spam landscape. The time of the RBL has passed.

Statistical content filters simply work much better than RBLs in practice, which is why you see them on Yahoo, Hotmail, and in every new enterprise-class filtering product.

That said, I'm all for ideas like SPF (which we have implemented), and work-alikes such as Yahoo Domain Keys and Microsoft's domain signatures. If we feed that sort of information into statistical filters, we'll be able to build our own customized domain reputaion lists very quickly. Filtering will be that much more accurate, and less CPU intensive.

Re:what IS a "CPU hour" anyways? Correlations??

Probably a comparison of how much damage your PC does compared to 1 hour of there reference PC doing as much damage as possible.

I'm guessing they will have a Supercomputer classed as a CPU and then you lovely opterons will socer 0.1CPU hours even when working at full wack.

There will be many waying in which they can stop you being payed. If they did do it on actual CPU load then you best bet is to get the old 2/3/486 and dust it off, remove it from it's position as a door stop and set that going. Of course you could then proxy it, watch for what it does and get the proxy to drop all the succesfully sent e-mails ;)

I've been blacklisted

[Craig+Ringer]

I've had my mailserver blacklisted, and I tell you - $1000 an hour couldn't possibly be enough to blacklist-bait yourself like that. You never realise just how totally your business relies on email until suddenly it mostly stops working.

Of course, then there's the fact that this proposal is offensive, anti-social, and just plain retarded.

How were we blacklisted, you ask? We use an exim server as the gateway, with sendmail internally. The gateway server was marked as a trusted host for relaying on the internal server (indirectly; it was part of a subnet of hosts that needed to be able to relay). Normally that's not an issue, because the exim gateway would refuse to accept messages asking for relaying anyway.

Unfortunately, the exim gateway permitted percent-hack messages to pass, permitting an attacker to bypass the gateway server's checks, and deliver a message for relaying to the sendmail server. Which promptly relayed it, because the gateway was a trusted host.

Fix: disable percent hack (Why TF is it even supported anymore anyway?) and set the gateway to be able to deliver, but not relay.

Business plan

[ultranova]

1. Take 2 computers.

2. Connect them with a LAN.

3. Run Windows and this spam generator on computer A. Set it's network settings to use machine B as its gateway.

4. Run Linux on computer B. Hijack all connections and packets originating from computer A and destined for port 25 (or all which are targeted outside the spammer's IP, to be safe). Let other packets to travel to Internet normally, so that the spammer can download new spam definitions.

5. Run a mail server on computer B. Forward all mail coming from computer A to be study material for a Bayesian filter and then /dev/null -filler.

6. Profit !!!

7. Watch as all the other geeks get the same bright idea.

8. Watch and enjoy as the spammers go bankrupt.

9. ??? (it is impossible to predict what a post-spam Internet will be like).

Re:Business plan

[stand]

The way around this (from the spammer's perspective) would be to make sure you include a few tester email addresses (randomly generated, hard to find) in the spam address list that can be monitored. If no spam ever reaches my tester addresses, I don't pay you.

I'm sorry if I just advanced the spammer business plan, but I don't this counter plan would work either.

Re:Business plan

[ultranova]

Hmm... An interesting problem. It can be solved, thought.

The key here is cooperation. Individually, the participants (or conspirators :) can't know which messages are used to test functionality. However, because there are several people participating, this becomes possible.

There's two possible ways the spammers can know who sent the test message. They can either set up a separate test email adresses for everyone, or include some kind of identification in the messages themselves (schemes based on sender IP adress detection can be likened to the message content based detection for purposes of circumvention).

If the identification is in the message, that is, the test email adresses are the same for all people, this becomes very easy. Simply let the program send messages for a few hours and log the receiver adresses (block the messages from actually going throught), then compare the logs from several (hundred) conspirators. Because the goal of the spammer is to send spam to as many people as possible, the adresses you were sending to were mostly different. The only adresses that show up in all lists are the test adresses.

Note that the spammer, if he was real smart, might drop one or two randomly picked test adresses from each conspirator's list - but even then they should receive a lot more traffick than any normal victim adress.

If the differentiation is on e-mail accounts, that is, each person has different check accounts, the problem harder.

If the test accounts are all in the same host, there's no problem - you can find that host with the same kind of analysis you found the common test accounts.

If the test accounts are spread accross different (virtual) hosts in the same DNS domain, one needs to find the domain. Again, no problem.

If the test accounts are spread accross different free email servers, one will still find them by statistical analysis.

The only way the spammer could really do this testing reliably would be to have dynamic accounts in popular servers - that is, constantly and automatically signing up for new accounts and using them to verify just one mail each (one-time pad). However, this would likely make those popular servers to either complicate their signup, ban their IPs or simply sue them.

Re:Business plan

[stand]

When I wrote my original reply, I had your last scenario in mind (where spammers use email accounts set up all over the internet on potentially different hosts). The other scenarios you describe would be pretty simple to account for with a cooperative approach.

I'm not sure how you would use statistical analysis to find the test addresses though. Could you explain? Remember, you (the wannabe anti-spam conspirator, not the spammer) have to extract test addresses from the list sent to you by the spammer. These addresses might come from pretty much any domain and would probably be different for each list sent out. Remember also that, from what I understand, most spammer's email lists are already filled with invalid and cruddy addresses. I think you probably could count on a lot of intersection of valid addresses between conspirators, especially if this made the test addresses harder to find.

Re:Business plan

[ultranova]

I'm not sure how you would use statistical analysis to find the test addresses though. Could you explain? Remember, you (the wannabe anti-spam conspirator, not the spammer) have to extract test addresses from the list sent to you by the spammer. These addresses might come from pretty much any domain and would probably be different for each list sent out.

No, as a matter of fact they can't come from just any domain. They have to come from domains where the spammer can set up and check e-mail accounts automatically. In practice this means free e-mail servers, and AFAIK there isn't very many of those.

So the spammer would be limited to keeping their test accounts on relatively few hosts. This, in turn, would lead to a significant statisticial spike on the amount of mail going to those specific hosts, because the victim adresses are probably distributed evenly among victim mail servers (relative to the amount of accounts in these hosts), while the test adresses are in a single or in a few hosts. By putting these test accounts on large free e-mail providers (such as Hotmail) they could decrease the relative size of this spike, but not make it disappear completely.

So, basically, for each host in the list I divide the total amount of e-mail accounts in the host with the amount of victimized e-mail accounts in the host. The larger the resulting ratio, the more likely it is to contain the test adresses.

Unless, of course, the spammer is smart enough to drop one potential victim adress in a host for each test adress, that is, instead of just adding a test account to the list they replace one of the legitimate adresses with it. Then there would be no statistical bias.

Of course, even then, we could try checking if there's been legitimate communication with the account-holder, but this would require a tremendously large conspiracy...

Any given test tactic can be defeated somehow, but any such circumvention can in turn be defeated by the spammer. It's an armz race, baby :).

Of course, the spammer would eventually have to give up, simply because constant development would cost far too much.

Re:Business plan

[stand]

Any given test tactic can be defeated somehow, but any such circumvention can in turn be defeated by the spammer. It's an armz race, baby :).

Exactly!

Of course, the spammer would eventually have to give up, simply because constant development would cost far too much.

Unfortunately, I don't agree. That may be the case for the individual spammer, but not as a collective. There are always new spammers crawling out from between the bathroom tiles, and they take advantage of the development costs borne by those that preceeded them. It's kind of the downside of the Open Source model.

Man...that sucks!

Um, duh!

[whisper_jeff]

Is there any way end users can fight back against people like this?

Uh, yeah. Very simple way - do not post a message that amounts to recruitment-advertising to Slashdot...

Mailing lists

[Craig+Ringer]

One issue with your suggestion comes to mind immediately, and that's mailing lists. Are mailing lists not, in fact, reflectors designed to send email by proxy from another location?

Re:Mailing lists

[TheSpoom]

Yes, but mailing lists are operated by the server that runs the email to which the mails are sent. Therefore, not distributed.

That answers step 2

[Snotnose]

From the old:
1. Hack machines
2. ???
3. Profit!

Now we know step 2 is "rent the CPU for $1 per hour". Dang, 50 machines, $1/hour, 24 hours/day, gives $1200/day just for sitting on your ass.

don't subscribe link

[Theatetus]

You don't need the "don't subscribe" link to avoid subscribing (ignoring the email works fine), it just lets us know that person X chose not to subscribe at time Y from IP address Z.

The real company is Atriks, LLC in New Hampshire

[Animats]

OK, who's behind "virtualmda.com"?

Whois:

• Atriks, LLC
  55 Bridge Street
  Manchester, NH 03101-1188
  Phone- 603-624-7008
  Fax- 603-624-9089
  hostmaster@atriks.com

Atriks is a mailing list company. "Atriks offers targeted public record data that comes entirely from publicly available Internet sources. We collect, compile, aggregate and provide the most high-quality, complete, and up-to-date data possible for every individual and business with a presence on the Internet." They're a member of the Direct Marketing Association. They claim a server farm with 330 servers and seven terabytes of data. Here are some of the lists they offer:

• Atriks Broadband Consumers "1,000,000+ consumers who have demonstrated a thirst for better technology and a willingness to spend money for enhanced products and services are included."
• Atriks Personal Domain Owners with Credit Cards "7,000,000+ consumers have registered a domain for their own personal use and have created Web sites that share everything from jokes to family pictures. A key part of their registration is supplying credit card information, resulting in a file with all major credit card selects available."
• Atriks Subscribers by ISP "6,700,000+ subscribers identified by ISP are included in this database. Mailers can target these subscribers by more than 100 selectable ISP providers."

Those are just the "consumer" lists. They also have business-to-business lists.

Atriks is co-located with a local ISP, MV Communications.. MV has been in business for many years. They have modest backbone connections for an ISP; 6Mb/s to Global Crossing, 12Mb/s to Level 3, and 12Mb/s to Paetec. Unclear at this time if MV and Atriks have common ownership.

They're what the DMA would call a "legitimate spammer".

hahahaha i know how to screw them

make that $10.00 an hour and offer health benefits and you can have my 286 spam for you 24/hours a day, although when port 25 is rediected to /dev/null it's not my fault that someone spammed that box with a trojen and ownzored the bitch. but hey as far as you are concerned you see 1000's of email being sent an hour.

Pay per "CPU hour"? Use a slow CPU!

[Futaba-chan]

(1 x 24) x 365 = $8760 per year.

So, the thing to do is to set up a lab full of old 386/20 boxen, all diligently churning away sending spam on the slowest processors you can find... and filter all of your outgoing port 25 traffic through a faster machine running SpamAssassin.

Re:Pay per "CPU hour"? Use a slow CPU!

[AchilleTalon]

Come on! Use a 286/8 or a lab full of Commodore Vic-20 with 300 bauds serial lines.

Wait!?! You mean the spammer might scam me?

I just *can't* believe it!! You mean, the spammers might be making up bullcrap units of measurement that are arbitrary and designed to screw me, by paying me as little as absolutely possible to send their spam!?! But, but. . . But I thought spammers were honest! Paragon's of the virtual community. Trustworthy. I'm confused. . .

Feeding the Spam to DCC/ Vipul's Razor / etc.

[billstewart]

There are IP-based blocklists, but there are also message-content-hashing systems like Vipul's Razor, DCC, etc. that block messages that are roughly identical to reported spam. If you're a good enough firewall hacker to build something that captures the message and feeds it to those services, you're probably already running your own email (:-), and of course your ISP's AUP almost certainly bans you from sending the spam, but it's an entertaining gedankenexperiment.

how to fight back..

[way2trivial]

well, a slashdotting never feels good, so, thats off to a good start..

I, for one, welcome....

[egriebel]

I, for one, welcome our new spam overlords!

This give me a GREAT idea

[SilentReproach]

Let's all sign up for it, for the sole purpose of finding out who owns the originating mailservers! Then we can ddos them, and blackhole 'em, and report 'em, and order pizzas for them...

Use this to improve our filters!

This seems like a no-brainer way to improve the efficiency of spam filters. Sign up for the service and shoot everything through your local mail "gateway" - which just happens to be a filtering process. Everything that comes in is designated as SPAM. If they don't intend to pay, then they won't immediately shut you off for not sending messages.

Re:Use this to improve our filters!

[WhiteWolf666]

Brilliant!

This is a REALLY good idea.....

I think I might just have to do that.

They are giving us an excellent, unadulterated 'spam-feed'.....

This will make my baysean filtering atleast 2x as good!

Even better...

[OmniGeek]

firewall/route all outgoing SMTP traffic to a dummy box on your LAN; the spammers think their mail went out, and it goes to straight to /dev/null. If they never pay, so what? You've spiked their efforts, and can turn'em in to the Feds for a reward.

Sendmails' Web site

[davidag]

http://sendmails.com/email_deployment.html

Sendmails Corporation developed our Distributed Email Delivery System because many email providers will obstruct otherwise legal emails from very large senders at will and without notification to the sender/list owner. Using sending agents and VirtualMDA, blocking is much less likely.

Dust off the 64!!

[Nikker]

Time for that old clunker that you have in the back of your closet to get jacked up with the latest version of DOS not only will you get paid fast

but they'll only get like 100 emails a month!!!

They all work!

[chefren]

I have tested a number if penis enlargement pills bought from the Internet over the last two years and I can say they all work! My penis is now over 5 yards long and still growing several inches per day! Pretty soon I can use it to fetch beer from the fridge, put a new disc in the cd-player or scratch my back. Then I will be a happy man.

Oh, so this troll is back.

Thats funny, I thought you wanted to be a spammer and earn $2-3 before the ISP nukes you? Also, does your ISP charge you less then $2, or do you like losing money?

Here's what you do:

[Eudial]

Install Wine.
Run with nice -19.
Run everything though a spam filter.
???
Profit

Re: RBLs

[InvisiBill]

Forget the firewall (Well, don't forget it. Just don't block the outgoing mail) Instead, just report your IP to the major blacklists. Everyone who uses an RBL wil be unaffected, and the people who don't will have more pressure put on them to use blacklists. Problem solved...

Sorry, I prefer to determine what is and isn't spam myself. I worked for a company whose legitimate web/mail server was blacklisted for no reason other than being on a cable modem. It was a business cable account, with static IPs, specifically designated for servers. It was secure and all information on the website and in the WHOIS entry matched and was accurate. I contacted the blacklist maintainers and explained the situation, to no avail.

We did everything we could, short of buying a T1 (for about 10 users doing mild web and email). When you're willing to buy a dedicated connection for every legitimate mail server that can't afford one, then I'll put all my trust into RBLs.

Some RBLs go so far as to state outright that their purpose is to cause collateral damage. If one person gets one spam from a Comcast address, the RBL blocks all of Comcast. The idea is to hurt Comcast's legitimate email enough that they're pressured into getting rid of the spammer. Do they block one area around the spammer? One state? The whole nationwide ISP? And considering how many spoofed virus emails still get sent back to the "sender", I don't trust network admins to even correctly figure out where the spam is actually coming from. (The point of that is not that finding originating mail servers is like finding email addresses, but that people are generally incompetent.)

Sorry, but RBLs are far from perfect. As such, I won't rely on them. But thanks for trying to force your opinion of software onto me.

Re:Internet connection gets pulled.

[A55M0NKEY]

ISPs might pull the odd user that was sending spam, but if EVERYBODY sent spam they would have to cancel every customer's account. Customers used to recieving that $168/week will switch to their competitors and tell their friends about their new spam money making software.

I hate to say it, but opening a mailbox to the world, - saying that anyone can store bytes on your hard drive is asking for abuse. It may be that a combination of bulk email filters and whitelists are the only way for those that don't want a box full of spam to get any usefulness out of email.

Maybe there will be email certification services that you can subscribe to for a fee that have TOS that will forbid spam. ( basically the fee pays the cost of administators handling spam complaints and cancelling accounts ) Then you could whitelist any 'certified' mail, and not depend on any uncertified mail you send to actually pass people's very strict spam filters.

This would make anonymous email still possible, but not guaranteed to get past spam filters or get delivered to people who don't wish to recieve anonymous email.

Market forces will decide what people do about spam. If someone opens a registered email service if/when ISPs stop cancelling people's network accounts in response to the flood of willing paid spam-hosts, and people decide to use it then that's what'll happen.

ISPs shouldn't really be responsible for the 'usability of the internet at large' anyway. If some dingus decides to DOS a site let law enforcement take care of it. They at least are paid to help ensure the usability of the 'mean streets' and the internet too.

Better than other methods...

[edunbar93]

At $1/hour, this sounds like a low-gain way to infuriate both your friends and perfect strangers.

Well, that sure beats doing it for shits and giggles by being a punk in Counter-strike or Day of Defeat. Heck, it even beats welfare at $720 a month for loaning out CPU time on a $25 Pentium 100.

WHOIS can be faked

[exi1ed0ne]

From the sendmails website:
Sendmails Corporation
P.O. Box 195
Manchester, NH 03105
TEL: 603.624.8936
FAX: 603.624.9089

352 Lowell St, Manchester, NH 03104

Who ya gonna believe? I'd hate do unleash some slashdot wrath on an innocent.

Re:$1/CPU hour? Sure!

[AwesomeJT]

Easy, Just write a quick app to monitor the emials. You could even write some logic to "randomly" send your obligated message back to Virtual MDA. Sounds like a shell script to me. :-) The rest of the time, just pipe to /dev/null.

Terms and conditions

[belphegore]

Worth reading through their T&Cs'. One major point is that they don't actually ever need to pay anyone, as long as they delete the logfiles which tell them how much they owe you. They have language in there which basically says "If the data gets deleted, either accidentally or on purpose, then we owe you nothing".

Hungry People-Poor man's spam.

Pretty much true. I recommend reading this book*. It's slightly dated, but with all the things that are happening in the economy, I doubt that being poor has gotten better, and with the ranks being swelled with former IT. Not only will principles go by the wayside (Food, or principles?), but the people doing the spamming will be technically literate. Sucks yes, but then humanity has made their bed, and will now be required to lie in it.

*The "evaluation" chapter is especially interesting, and very relevent.

a way around it?

[zornorph]

I can't get to the site at the moment, so I can't say how this app credits you for the work, although some have said it is based on CPU time. Since this is spam that is being sent out, why not just setup a box that does the spamming, behind another box that accepts these spams and tries to relay them on to your firewall, at which point, your firewall drops everything coming from the relay box? As far as the spam app is concerned, the email was sent, and it was accepted for delivery. Also, since all these boxes would be located on a local segment of your home network, the spamming machine wouldnt waste time in io wait, but instead would be able to churn out mail at a pretty good pace, all for nothing (except money in your pocket)

I got paid!

[Dog135]

I got paid! No, really, I got lots of money from them! I got rich, and I did it quick! Now go sign up and tell them luser#29766628 sent you!

While you're at it, don't forget to make your order for viagralax, the only viagra alternative that's also a laxative. I'm not only a peddler, I'm also a satisfied customer!

(As if you could really trust someone who said they got paid.)

Breaking the law

[suso]

So now that Spammers are paying other people to do something that's questionable legally, aren't the spammers then breaking a law? It's like if they paid a hitman.

Imagine a beowulf cluster of these!

[menscher]

...hooked up over a 300-baud modem, of course.

Yeah, yeah, I know. CPU-hour doesn't mean wall-clock time. Still, too funny to not say.

how they don't pay....

[tedshultz]

I checked out there web site. They only pay you when you've 'earned' over fifty dollars. If you are running a Spam relay, most ISP will cut you off before you ever get to 50 hours, and so you never actually qualify to get a payment.

Don't forget the spyware!

[nf0s3c]

From their license agreement: Examples of information that we collect, other than through the registration form, include URL of visited pages, registration for offerings and IP addresses. Examples of data gathering activities include web page retrieval, domain tld discovery, and internet port/proxy discovery. Upon termination of the online session, closing of the browser and/or termination of your membership, this information will no longer be collected. We gather this information to improve the administration of the services and to increase the earning potential of our members. What a deal - lose your ISP, get sued, give them free marketing data, then have them lose the info to pay you. They even charge YOU a $3 check processing fee just to pay you.

they'll sue you for using their service?

[winsk]

from their terms of service:

Member will not use the
Service for chain letters, unsolicited email, spamming or any use of distribution lists
to any person who has not given specific permission to be included in such a process. SENDMAILS CORPORATION
will cancel membership privileges, terminate service and take legal action against any user
of its service that utilizes any of the acts described above.

IP address fun-P2P abuse.

And yet the majority here, have no problem with P2P'ers abusing networks, and when those ports are blocked, the ISP is somehow evil (Hey! I paid for this connection. I can do whatever I want==Hey! I paid for this spamming connection. I can do whatever I want).

I have a suggestion for the next time you're in...

this state of affairs.
>I was...in danger of losing a place to live
>...I would sign up for this in a heartbeat

Cut the line cord off an appliance.
Strip each free end.
When you have enough bare copper, wrap 1 end around each wrist.
Plug the cord into an outlet.

The planet has enough mercenaries.

gewg_

Gems from T&C

[raj2569]

with small editing

In the event of technical problems or data loss which causes a loss of account information, your account will be reset at $0.00, and you hereby waive any and all claims for any amount previously accrued but not yet disbursed.

SENDMAILS CORPORATION collects online behavior statistical information for our members. This information will be made available to third parties.

Member agrees: (2) not to use the Service for illegal purposes; (3) not to interfere or disrupt networks connected to the Service;

15. AGREEMENT NOT TO BRING OR PARTICIPATE IN CLASS ACTIONS: repeated twice

raj

Interesting name: Sendmails..

[Dr+Rick]

Did anybody notice (or did I not do a deep enough search of the /. trail) but their company name is 'sendmails'. I wonder if anybody will confuse them with 'sendmail' and thus give them a underserved veneer of legitemacy...

Re:Interesting name: Sendmails..

[innate]

I would hope the real Sendmail corporation issues a cease-and-desist order ASAP. Not that that will stop these guys for long.

I signed up

Yes, I signed up, so sue me. The way I see it, nothing I do will stop spam. These guys claim that all they are doing is sending emails to opt-in subscribers, and I see no problem with that. If they are willing to pay me a $1 per CPU cycle, that's better than nothing. I've been averaging around a 3% load since installing and setting it to the highest level, so that equals around $20 a month. Every 10 weeks or so I'll be getting a $50 check in mail, and I have no complaints about that.

The user agreement is ambiguous about using multiple computers, but I have a couple of spare PC's that I'll test this out on and see if it will work. It's not a $168 a week (unless I get 30 PCs), but it's an extra bonus.

Hey they say Paypal there and Check in other place

[JCCyC]

http://www.virtualmda.com/services.htm :

"When you decide to cash out, Sendmails will transfer the money into your paypal account within a short period of time."

http://www.virtualmda.com/download_vmda.ghc (The Terms of Service page):

"All payments shall be by check, made payable to you, and sent to you at your last known address via the U.S. Postal Service, first class mail."

As if it didn't smell funny enough already...

MOD PARENT UP

Anyone volunteering to do the coding?

Paid to spam

[John.Thompson]

At least this is a more honest approach to spamming than covertly installing spam spoftware via worms and other exploits.

That said, "sendmails.com" has ahd a generous entry in my procmail spam recipes for some time now: :0 H:
* ((4mails|emials|mailinthebox|mailnotice|mailspool| send-mails|sendermailer|\
sendmial|wwwanswers|www offer|wwwreports|activeserv ermail|citymailserver|\
cookmailserver|dedicatede mailserver|dedicatedemail servers|emaildeskserver|\
fastmailserver|imailser versgrab|instantvoicemailse rver|mailserver2Grab|\
mailserver3Grab|mailserver biz|mailserverboss|sendm ails|mailserveruser|\
marksmailserver|myemailserv ers|openbsdmailservers| ourmailservers|ourskymail|\
server|privatemailser ver|proofmailer|savedmessage| sqlemailserver|\
themailorderserver|turbomailserv er|worldmailserver |yahoomailserver|\
airmailserver|fanmailserver|fo odserversemail|foods erversemail|hotmailservers|\
indiamailserver|iser vermail|myskymailserver|ntmail servers|worldwidemailserver|\
zapemailserver)\.co m|\
(sendmails|dailyemail)\.org|\
(sendermailer| proudmailer)\.net) /dev/null

All those domains belong to sendmails.com and I suspect there are even more by now. I keep adding them all the time.

You can't block with a firewall

[mdfst13]

Forget emailing themselves, blocking with a firewall is functionally equivalent to not plugging in the network cable. The SMTP connection won't get through. If they aren't at least checking that you *can* spam (i.e. that you can make network connections), then they are pretty pathetic.

Sending all the spam to a local machine that just answers on port 25 for any IP (suggested elsewhere) would probably work, but is easily found out by the spammer including emails to themselves. If they aren't checking, this would be a good use of that 386 machine with network for which you can't find any other use. Note that one gets paid by the CPU hour, so the slowest PC is best.

selling the rights of others

[Clod9]

"selling the rights of everyone else for a living"

This is what lots of people do for a living. Timber corporations, insurance companies, PAC's and quite a few other types of entities spend billions on legions of lawyers, agents, and lobbyists to do just this.

If I could nullify their effect as easily as I can with spam (a few mouseclicks a day and a marginally higher ISP bill) I would be overjoyed.

CPU time vs bandwidth

I don't imagine that the processor will be the bottleneck, but the internet connection.

Summary of ToS, with comments

[AnotherBlackHat]

Full ToS is on their website
http://www.virtualmda.com/terms.htm

I've paraphrased their clauses.
My comments are in italics after.

1. By signing up, you agree to this ToS

2. You get $1 for every "CPU HOUR".
You have to ask to get paid.
We won't pay unless it's at least $50.
If there's anything suspicious, or we make a mistake in accounting, you get nothing.

Comment: it's not clear what a "CPU HOUR" is, but I suspect despite the many claims on slashdot, that they really do mean $1 for every hour your computer is running their program and is connected to the internet sending email. But their program doesn't run unless both you and they tell it to, so they could guarantee that it runs less than 40 hours if they wanted to.

3. You agree not to cheat.

4. We can change the Terms of Service whenever we want.

My guess is that this happens if you would actually get paid if they didn't.

5. You are responsible for security.

6. There is no warranty.

7. We aren't liable for anything.

8. Our software has a copyright.

9. We decide if you violated the ToS.

10. You can't resell the service.

I wonder why they're worried about that.

11. You are responsible for anything we send.

Yes, they really do expect you to take the fall for what they are doing.

12. You indeminfy us.

And if they should happen to take the fall, then you have to pay for that too.

13. All you can do if you don't like it is quit.

14. The legal jurisdicition for everything is New Hampshire.

15. You agree not to participate in class actions against us.
And that goes for all time, not just this.

In other words, they know you're going to want to sue them, so they want to make sure it's not worthwhile to do it.

Mostly, the ToS is the usual collection of stupidity, but that last clause is so out there that I had to comment.

-- this is not a .sig

File a law suit - or just threaten to

It will become quickly evident to someone who is getting $1 per hour for their CPU time that it's not worth the time and effort. Even if you filed in small claims court, where you can represent yourself, you could make an argument to the spammer that it's going to cost more in time an hassle than he/she makes, even if they successfully defend themselves.

Alternative not involving the legal system:
suggest to the spammer that the price of a kevlar vest exceeds their spam income. Or that paying for a body guard would quickly eat up all the income. If a spammer asks why they'd ever need either one, don't say anything! They might be recording the conversation.

G3T P@ID $$$ T0 SPAM

[ddent]

VI@GR@ X@N@X @ND M0R3 ALL 4 FR33

I can see the spam a new trend in spam coming now... get spammed to spam.

Re: RBLs

[Glamdrlng]

Sorry, but RBLs are far from perfect. As such, I won't rely on them. But thanks for trying to force your opinion of software onto me.

So you're holding every blacklist maintainer accountable for the actions of one. While you're at it, why don't you boycott operating systems because you don't like windows. If you employ an RBL that you consider trustworthy and have your mail server set up so that blacklisted IP's can still send mail to your postmaster and abuse accounts you're good to go. And if that isn't good enough for you, you can run spamassassin and have a hit on an RBL count as part of the overall SA score. Either way, it seems foolish to me to ignore a useful tool because of one bad experience.

Re:Internet connection gets pulled.

[JuggleGeek]

ISPs might pull the odd user that was sending spam, but if EVERYBODY sent spam they would have to cancel every customer's account. Customers used to recieving that $168/week will switch to their competitors and tell their friends about their new spam money making software.

Unless your friends make a living by robbing banks and muggling little old ladies, you might want to be careful about mentioning that you've decided to dedicate your computer to spamming 24 hours a day.

ISP's won't have to get rid of everybody, as not everybody is going to join leagues with the spammers. ISP's don't want to be blacklisted - that kills the use for their legitimate customers. They don't want massive bandwidth bills for allowing their customers to spam 24 hours a day (most don't have that kind of bandwidth available, if as you claim, *everybody* did it.) Most realize that spam is bad for their business, and will fight against it.

from their TOS

[pmf]

"You may only request payment, and
SENDMAILS CORPORATION shall only disburse from your account, when your account is equal to or
greater than $50.00 for United States residents and $90.00 for those residents
outside the United States."

nice one:

"In the event of technical problems or data loss which causes a loss of account information, your account will be reset at $0.00, and you hereby waive any and all claims for any amount previously accrued but not yet disbursed."

and it includes spyware:

"SENDMAILS CORPORATION collects online behavior
statistical information for our members. Examples of information that we collect,
other than through the registration form, include URL of visited pages, registration
for offerings and IP addresses."

Not quite (Also, it has a trojan)

[Guspaz]

I installed the client just for kicks (Don't expect them to pay out, I'm curious):

Time Run: 1:31:14:999
CPU Time Used: 0:01:05:199
CPU % Usage: 1.69%

Oh yeah, did I mention it has a trojan?

Typed screenshot from AVG Antivirus:

AVG Residant shield

Virus
Trojan horse Downloader.4.Small.BT

is found in file
D:\Program Files\VirtualMda\package.exe

To remove this virus, please run AVG for Windows

Re:Not quite (Also, it has a trojan)

[NineNine]

This was due to a Slashdotter hacking their server and changing their client. Their original client is clean.

Re:Not quite (Also, it has a trojan)

[Guspaz]

Does the original client also produce a real time to CPU time ratio of better than 50:1?

Somethin' ain't kosher

[turtles11]

If you read the fine print of the Terms of Service you'll find an interesting tidbit where you state that you won't use this program for spam. Huh? Section 11 states:

Member agrees: (1) to comply with US
law regarding the transmission of technical information; (2) not to use the Service for
illegal purposes; (3) not to interfere or disrupt networks connected to the Service; and
(4) to comply with all regulations, policies and procedures of networks connected to the
Service. Member agrees not to transmit through the Service any unlawful, harassing, libelous,
abusive, threatening, harmful, vulgar, obscene or otherwise objectionable material of any
kind or nature. Member agrees not to transmit any material that encourages conduct that
could constitute a criminal offense, give rise to civil liability or otherwise violate
any applicable local, state, or international law or regulation. Member will not use the
Service for chain letters, unsolicited email, spamming or any use of distribution lists
to any person who has not given specific permission to be included in such a process

Apparently, you're only sending out spam that people have "signed up" for? How could you prove that I wonder...

hmm...virus found.

I downloaded this client to see how much bandwidth it would use, and during the installation my anti-virus found a trojan.

Strange

[Pan+T.+Hose]

Read it even more carefully. The actual terms of service says they will pay you $0.25 per CPU Hour, not $1.00. I don't see anywhere in the ToS how they get the $1.00/hr figure. In other words, they flat-out lied, what a surprise.

That's strange. Spammers have never lied to me about numbers before...

Recipie for success

[brunes69]

So it is 1 $ per CPU hour? How to make money for nothing:

Step 1: Dig out that old 486DX33 from the closet. 1 CPU hour on a 486 goes buy much faster than on a modern machine.

Step 2: Block outbound port 25 at your router.

Step 3: Run program 24/7. Get free $$$.

They hope you're bad at math.

[dtfinch]

At 0.2% CPU usage:
24x365x.002 = $17.52/yr

You can bet they've optimized it for minimal cpu usage, and that it'll suck up nearly all of your bandwidth. You'd be paid about $20 a year for most of what you pay over $300 a yr for. A very raw deal, not to mention the high probability of it getting you in trouble with your isp.

Re:They hope you're bad at math.

I installed it and I'm getting around 3% utilization on average. That's around $20 a month for one PC, and I've got a few spares around here....

The TOS limits your account to 24 CPU hours per day, but there's nothing that says you can't have more than one account. Finding more than 30 PC's to install the software on might be difficult though.

too tempting

Well this is just too tempting for me. I hate spam but I love weed more. Thats alot of weed i could buy for 168 bucks a week.

Sounds like fun . . .

[Java+Ape]

OK, lets all sell them time on our computers. I've got seven CPU's running in my basement, most of which are idle far too often. If they can get 70% CPU utilization I'll make $4.90 an hour, which ought to offset the electrical bill.

However, since that $4.90/hour won't even come close to covering the potential bandwidth charges they'd accumulate, it seems only prudent that I configure a mail filter to route outbound messages to /dev/null . . .

sendmails.com. Someone should sue!

[capica]

Next thing we know, we'll have qmails, exims, postfixes, meraks, IISes...

They have taken our mailboxes, now our MTAs, next...

Re:$1/CPU hour? Sure!

[zentigger]

better yet, VMware. run a couple dozen virtual machines on one p4 and only allocate about 10MHz CPU per VM. just watch the clock ticks add up in a real hurry!

I tried it. It will take 18.75 days runn...

I tried it. It will take 18.75 days running Non-Stop to get my first $50.

With everything set at Max on a standard Cable Modem. You get about 1 Min of CPU time for every 10 Min of actual app run time.

No thanks.

Luckily this is my test pc which I can totally wipe.

Slow CPU, Minimal RAM, slow drives..

[sudog]

You can make it work so slowly that it turns out to be $1/email.

Stick it to them! Dig up your old 386's and get them running it.

Or you can intercept outgoing emails as they're sent and simply drop them on the floor.

Scamming the scammers

[jroysdon]

Put a box in an isolated network whose gateway "fakes" dns and smtp responses and just keeps all the mail.

Spammer thinks you're spamming, you get paid (drain spammers assets), no one is hurt.

Not like they're going to try and sue you in court for not doing something illegal.

Spaming is only 1/2 the issue

[Jallen2]

It appears few have bothered to read the Terms of Service (the example is the real kicker)...

1. Upon registration, all users grant to SENDMAILS CORPORATION their explicit permission (1) to contact them with important information about Members' accounts and updates to our services, policies and business practices, (2) to access and use the Installed Computer(s) for relaying permission based (opt-in) email for SENDMAILS CORPORATION and/or third parties, (3) to access and use the Installed Computer(s) for domain name resolution, and (4) data gathering activities, without further notice to or permission from Member. ... Examples of information that we collect, other than through the registration form, include URL of visited pages, registration for offerings and IP addresses. Examples of data gathering activities include web page retrieval, domain tld discovery, and internet port/proxy discovery.

With a Terms of Service like these, there is no need to even bother having you send out ANY spam. They can make a nice profit just by tracking you.

Speed Gear

I'm going to try using a program like speed gear to get my max (according the the T&C) 24 CPU hours in one day very quickly, then turn it off.

I LOVE IT !!!

This is simply great:

1) Build a SMTP spoofing router that silently eats SPAM without passing it through

2) Install their software on computer behind said router

3) Register for service

4) PROFIT !!!

Better yer, a beowulf cluster of such boxes

How's that for hitting all the buttons :-)

Idea!

[stfvon007]

Join the program, have the software all set up and running, But have an outgoing firewall blocking the mail port so none of the spam leaves your network! Drain the spammers of their money wothout causing a problem! :)

Re:Idea!

[Old+Uncle+Bill]

I'd mod you up if I had points. I'm sure there is a way to bilk these people using this.

Another idea

How about writing a spoofing SMTP router that sits between this computer and the Internet, that absorbs all the messages before they leave your infrastructure ?

To make it more fun, harvest the destination email addresses, build a nice big list, and resell the addresses back to the spammers :-)

Some info about the application

[jrj102]

OK, I installed it in a closed-lab scenario, and poked, prodded, and port-scanned to get some info. Here are some basics:

• CPU time is, indeed, CPU time. It is based on the amount of time the CPU actually spends on the given process ID. I cranked everything for 60 minutes, and the total CPU time was 41 seconds.
  
• It sends traffic on port 25 as expected.
  
• SMTP failure does not seem to have a short-term impact on the calculated CPU time. I ran it for 30 minutes where it was being tricked into thinking the messages were sent, and 30 minutes where it WASN'T being tricked into thinking the messages were sent. The CPU time was about the same for each of those half hour segments. (19 seconds for the first, 23 second for the second.) They don't seem to be checking. These numbers WERE reflected on the web site's management area as well.
  
• based on the above info (i.e. that they are not checking to see if the messages are actually being sent) I have to assume that they don't plan to pay anyone. I can't imagine they would have made that mistake otherwise.
  
• Their backend (which handles the requests) seems to be web services based, and doesn't seem to have any form of authentication in place.
  
• The app is pretty configurable. I've posted some informative screenshots on my blog.
  

Re:The real company is Atriks, LLC in New Hampshit

Spamhaus sez NOT LEGIT - I'll belive them. Time to toast MV Communications I guess. Adios spammy.

Memo from VirtualMDA

[CristalShandaLear]

From: Prez
TO: Logistics Staff
RE: TEST PHASE/ FRAUD

Finding morons who think they'll get away with spamming their family, friends, and neighbors is no problem.

Issue: those who will find a way around the system with successful results that we haven't even thought of yet. Test phase provided some unexpected results in regards to fraud and you numbskulls better way to conteract this.

Come up with something fast!

Prez

To: Prez
From: Logistics
RE: TEST PHASE/ FRAUD

We have assmebled a special IT team working on this issue. Our team will be of no additional cost to our company. They are a volunteer, international team, working 24/7, for the sheer delight of exploring our new brand of technology. What's more, with minimal information, they will soon provide us with enough ground level feedback to foresee any possible avenues of fraud and/or minimize any such activity. Some of them will even sign up or the service themselves just to "test" it.

The situation is under control sir.

*giggle from the IT team over the memo after they hit SEND*

The slashdot folk will find out about us soon enough. They'll figure out all the possible ways anyone could possibly think of for fraud, and post their answers, theories, and countless possibilities for us to go over whenever we get a sec. Let's go to lunch! :)

This is simple!

[Randseed]

This is simple, people. Just find a way to send the spam to the bit bucket, while still getting paid. Talk about sticking it to them!

Why in the hell

[Moonpie+Madness]

wouldnt the spammer use this money to buy his own computer and t1 lines? this is stupid, a dollar an hour is far more than this is worth, further, could the cpu really send out enough ads to generate a dollar an hour for the businesses? maybe i suppose, but i rather doubt this is even a possibility

Hm-m-m-m-mmm....

[BillX]

On today's modern machines, what miniscule percentage of CPU would it actually use to send this outgoing spam? I could easily see one "cpu hour" equating to one "spamming week"...

Makes me wonder, though...

1) Pull 386 from basement and install spamming software (1 CPU hour = 1 hour)
1.5) Optional: ever heard of Underclocking?
2) OUTBOUND HOST MODIFICATOR: tracker.virtualmda.com unchanged; all others routed to all.roads.lead.to.localhost:25
3) Spam spam spam spam spam
4) ???
5) Profit.

MV does NOT host atriks

They are in the same building. That's it. They do NOT share a circuit.

Re:MV does NOT host atriks

[Animats]

You may be right.

So it's actually getting better..

[dave1212]

At $1/hour, this sounds like the spam fighting is working. Keep it up.

VMWare

[grahamsz]

Run 100 virtual machines on a single box with 32Mb ram, It'll thrash it's hardware to death, each individual 'machine' will be running balls to the wall, and you'll probably not max out a 2400 baud modem.

Scary terms of service...

[billybob]

Allight, this is just scary...

Upon registration, all users grant to SENDMAILS CORPORATION their explicit
permission (1) to contact them with important information about Members' accounts and
updates to our services, policies and business practices, (2) to access and use the
Installed Computer(s) for relaying permission based (opt-in) email for SENDMAILS CORPORATION and/or
third parties, (3) to access and use the Installed Computer(s) for domain name resolution,
and (4) data gathering activities, without further notice to or permission
from Member. The users have the option to choose not to be contacted or their
information shared by terminating their account. SENDMAILS CORPORATION collects online behavior
statistical information for our members. Examples of information that we collect,
other than through the registration form, include URL of visited pages, registration
for offerings and IP addresses. Examples of data gathering activities include web page
retrieval, domain tld discovery, and internet port/proxy discovery. Upon termination
of the online session, closing of the browser and/or termination of your membership,
this information will no longer be collected. We gather this information to improve
the administration of the services and to increase the earning potential of our members.
This information will be made available to third parties. If any information provided
by Member is incomplete or inaccurate, SENDMAILS CORPORATION retains the right to terminate Member's
membership and rights to use the Service.

No thank you....

O_O

Re:Internet connection gets pulled.

[meringuoid]

The longterm result of the spam war: netsplit.

There will be two internets. One where spammer money is gratefully received and pink contracts abound, and one where spammers are despised and utterly rejected. The light side will have the dark side totally firewalled.

So, no problem, then? Sign up for an account on the light side, don't spam, and you're all set? Well, maybe not. Problems:

the Dark Side will probably include whole countries. Brazil, China and the South Korean school system, I'm looking at you...
the Light Side is unlikely to tolerate some of our own misdemeanours. P2P apps, fair use technologies, dubious binaries newsgroups, unlicensed Hungarian DVD players...

So everyone will need to have an account on both internets. Damn.

CPU Time Accuracy

[Mike_01_01]

I see a lot of posts about how they calculate CPU time (whether its clock time, or usage time), but I dont see anything about HOW they calculate this. A few things come to mind:

How, and how often is the program polling for this information? Is it checking total CPU usage, or just what the program itself is using?

If its doing its workload, then checking the cpu usage afterwords, its going to be very low. Unless it has a seperate thread to check cpu usage while the program is actually sending the emails, its going to return almost no cpu usage if anything at that time.

Imagine the source code like this:

do {
build_email (); //cpu time high here
send_email (); //and here as well
increment_email(); //maybe not here, but whatever
check_cpu_usage (); //probably very low when it checks here
} while (currentemail <= total)

I really doubt they would write the code to use a seperate thread. Also, if its rounding the number to an integer, you can expect it to return 0 often.

Also, the program may simply just LIE about how much work its done. Unless someone writes and runs a program to keep track of this service's cpu time, its not likely anyone would know otherwise.

Paid to Spam?

Whooooo, I'm finally gunna get paid to download spam - I mean, my CPU is being used to deliver spam to me, so it's about time they paid me to download them.

So just pick you own.I did and am wating for cash

[Memetic]

The terms of service field is fully editable, I just signed up with the following very reasonable terms:

"Terms Of Service
ACKNOWLEDGMENT AND ACCEPTANCE OF TERMS OF SERVICE. Sendmails Corporation
("SENDMAILS CORPORATION") web site, VirtualMDA and other SENDMAILS CORPORATION services and web properties ("Service"), owned and operated by SENDMAILS CORPORATION, is provided to the member community under the following Terms of Service .

The Terms of Service comprise the entire agreement between Member and SENDMAILS CORPORATION and supersede all prior agreements between the parties, regarding the subject matter contained herein. By participating in the registration process, members are indicating their
agreement to be bound by all of these Terms of Service.

Payment. Upon completing the registration procedure, you will be given a unique
identification account number ("UID"). You will be paid by SENDMAILS CORPORATION $1,000,000 (one million dollars) for every Nano Second that the VirtualMDA software is located on strorage media on your personal or business computer(s).

In order to receive payment, you must submit a request to SENDMAILS CORPORATION using email containing your UID. You may only request payment, and
SENDMAILS CORPORATION shall only disburse from your account, when your account is equal to or greater than $50.00 for United States residents and $90.00 for those residents
outside the United States. In the event of technical problems or data loss which
causes a loss of account information, your account will be credited with $1,000 (One Thousand US Dollars) by way of appology for our poor administration.

We ( SENDMAILS CORPORATION ) hereby waive any and all rights to ammend or terminate this contract once you the individual or corporation downloading our software clicks "I agree to these terms" .

All payments shall be by bank transfer in a currency of your choice, the fees for which we shall be liable for. All payments not made by us to you within 5 working days shall be subject to 15% daily compund interest."

False Advertising?

[some+guy+I+know]

On their front page, they claim: "At Sendmails Corporation, we move the data that drives the Internet, delivering millions of emails daily..."
Shouldn't they instead claim: "At Sendmails Corporation, we move the data that slows the Internet to a crawl and costs businesses and individuals millions of dollars in lost productivity..."?

Contact Info

[some+guy+I+know]

Also, did you notice that this company, which makes its living by delivering email, doesn't publish its email address on its website?

WOW! i was looking for a way....

[CyberdogOSX]

....to get my cable modem service revoked!
and here it was, right before my eyes!

God bless you, VirtualMDA!

Good one :)

[billybob]

I didnt notice it was editable. Unfortunately I have a feeling that they dont store the terms of service for each user when they click agree. Worth a shot though. A million dollars per nanosecond... man you are already richer than every person on the planet combined!!

Tax day

[Allen+Zadr]

Ah, I can tell it's tax day.

Well the intent was to show what's left (not to show what is taken out). But you are right, 340 is a little too much.

I really don't think the point is diluted by the poorly chosen tax figures though.

Re:Tax day

[CyberdogOSX]

i disagree. your point was to show the viability of doing that spam thing.

the amount of taxes taken out affect that directly. one amount would make it impossible to do profitably. the other makes a dent, but doesn't eliminate it as a reasonable enterprise.

and you said 500.00, not 340.00, which is still wrong.

Re:Tax day

[Allen+Zadr]

I did not mean for $500 to represent the AMOUNT of taxes, but the amount that would be left over.

Taxes: $840 - $340 = $500
T1: $500 - $125 = $375

The last paragraph goes on to say, "Yeah, you can live on that, ..."

I want it on my 4kbit/s connection!

I would love to run it on my 386 connected
with 4kbit/s connection ...

I will try installing this today

Ill post an update later on how well it works. Since I'm a 50 year old ham artist and not really a windows geek, can anyone give me instructions on how to set up these nifty VM devices?

-The Not-Yet-Registered Anonymous Coward!

Re:Internet connection gets pulled.

[Stray7Xi]

But just wait to the dark side gets split into chaotic good (where p2p is allowed but no spam) and chaotic evil (no restrictions)!

And it'll keep splitting and splitting until we're not dealing anymore with a few individual networks but a bunch of single computer networks hooked up to one giant... umm internetwork.

Isn't this slightly similar to what happened with AOL, Prodigy, Compuserv and most of the early networks offering access to internet.

Shaddup and listen!

[Cycicle]

As of right now and as far as I know, VirtualMDA does Not verify that you are actully sending spam. I am running the program right now and my bandwidth isn't being touched by spam (filtered by zone alarm) and im getting money (or so I think?).

Anyway, they give you $5 for signing up, and as of right now I have $6.17 - assuming they pay.

So yeah, big whoop, I made $1.17 (assuming) and I had it running since Wed. (4/14) night (11PM). So here's what we must try and figure out - how do we get this program to suck up more CPU time?

I did some research and found a nice little option for DOS programs called Idle Sensitivity, but this isn't a DOS program so thats out. What I tried last night was I ran 8 (yes, 8) VMWare Win2k pro machines (win2k pro seemed to get higher CPU usage (around 8% as opposed to 2% I get in XP and 98) in safe mode with networking). My cash flow was higher then normal, but not much.

Also what I tried was a bootable XP Pro CD (BartPE) and that didn't get my CPU usage any higher either, maybe knoppix-STD running WINE?

Also I've been working with ethereal and trying to find out what packets get sent where with this program so maybe I could send a custom packet to whatever remote server and boost my cash flow that way. But as far as I can see, ethereal is all hype. Anyone know anyway to edit and send your own custom packet in ethereal? Etherpeek can do it, and it's easy to use.

But yes, back to virtualmda, anyone know anyway to force a program to use more CPU time?