Confession For Two: A Spammer Spills it All
defender writes "Rejo Zenger, well known Dutch anti-spam activist, recently had a very frank talk with a (now retired) spammer. He got information as to how and why S. Pammer started, where and why he was kicked out, who helped him get his bulletproof hosting, his open proxy mailings etc. It gives a nice and concise view of what the costs for a small-time spammer are. About 200 Euros for the hosting and ability to spam at least half a million addresses (in a month's time). That's for a turnover of 6 times and a net profit of well over twice those initial spam-related costs. Complete with screenshots, of course."
How about paying those vigilant individuals? Maybe Yahoo or Hotmail could pay them?
He's earned 523 Euros which in America = close to 1000 dollars (no I don't have a currency converter).
Job Paying $8/hr * 40/hrs week = $1280 or about $1,000 after taxes, that's the average rate of your Starbucks Coffee guy in the United States, and the money is legit!
Mid level computer programmer (or someone like me) = $50k/year or $3,000/month after taxes.
In short it's getting pretty damn tough for the Spammers I see. The harder we make it, and pretty soon Spamming will just be unprofitable I hope. In the meantime my advice to this spammer = get a real job...even Starbucks Coffee guy is better than what you're doing.
...in bed
is a "pyramid scheme" of sorts. People who may or may not be the most adept at technology or business get the idea to spam. They pay the more "gifted" people at the top money for things like addresses and hosting etc. These are the people who are really cleaning up on spam and should probably be the ones that the authorities go after, cept that they usually hide in places (Russia, Hungary, China etc.) where it's hard to enforce international laws, esp. spam laws. Even if we go after the little guy, there will probably be more to take his place, the lure of such "easy money" is too great for some people.
On a side note, it is kind of interesting the comment about bounced mails. My university disabled my account (because they thought I was no longer a student, even though I was) for about 2 months. As soon as I got it re-activated, the spam started flowing in like water again. Amazing.
If no one behaves, it's useless.
But if most behave, a few have a huge incentive to misbehave.
The key is to increase the penalties for misbehaving so that there is no incentive.
The problem is what you're willing to give up. Some servers are probably used for nothing but spam, but what about the other servers. What about the servers that belong to small ISPs, hosting companies (which might be used for MANY businesses), etc? Are you willing to assume all that is spam too? You might lose a decent number of ham messages that way.
But you could definitely use it as another input to a SpamAssassin type filter.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Have a look at the bottom of the screenshot and pay a visit to the "Send Safe" home page.
Would somebody PLEASE just kill those fuckers?
To sell such a program should be considered a crime in itself!
And have a look at the testimonials... Gosh... we are doomed.
The profit is a product of the investment though; had he had a large investment, he would have seen large profits (in theory).
The problem with spam is it's much harder to catch spammers than illegally polluting factories where disgruntled workers, regular inspections and so on can be used for enforcement. Spammers are hard to catch since they operate through intermediaries in other countries and fly beneath the radar, and because the legal tools to fight spam have been very slow to catch up. And there need to be government organizations dedicated to tracking down and prosecuting spammers, like there are for polluters.
this guy is a "normal" non-tech user.
he used all 'download and run' services, he built nothing himself.
I think the real money being made here is providing these programs and websites for them to use and also the lists.
This is interesting stuff to consider and would make an interesting business model to create spamware for the spammers and then feed the data to places like spamhaus etc.
anime+manga together at last.. in real time.
Seriously, just off the top of my head I can think of one much-needed business in my (very small) local town that this spammer guy could set-up and he'd make 10x what he made from spamming. Oh and I've just thought of another one.
The world is full of money-making opportunities if you stop thinking about money and start thinking about what people *want* and what useful products and services you can provide. I'm pretty sure you'll find that those opportunities are more profitable than all but the most serious financial crimes.
Unfortunately it will always be profitable, at some level, to spam with the current email setup. The can is open and it will always remain as much of a problem as unwanted callers and junk faxes. Heck, at some point I'm peckered by street vendors trying to sell me something and I find them annoying too.
:). The .01/email type of setup simply won't catch on (hopefully :), but even with "Caller-ID" email somebody, somewhere will still try and spam you at the cost it needs to get the bandwidth. Clever spammers will continue to rape Windows boxes and instead of DIRECTLY sending out the messages properly send it through the subscriber's "registered" and "authentic" mail server -- and if they're smart send out a message every 3 minutes now and forever. Times 5,000 infected computers and I'd bet you could still get the message out and make a buck doing it.
:), harvesting messages to spam traps (their game is a double-edged sword :), and a little filtering I see maybe a couple of messages a month. Maybe. My logs show a very different story though...
;].
I'm no fan of Microsoft, but their efforts -- coupled with whatever other "standard(s)" are incorporated will go a long way to squelching the issue in short order. Yeah, like many of you I'm sitting here waiting for the "right" standard to catch and implement it into my Linux & BSD servers (and soon to be OS X running the same software
TODAY by simply blocking IPs (spam me once from any IP and that IP will never talk to me again, rule #1
Caller-ID email added into the mix and I could whack 'em and stack 'em even faster -- so it will be on par with the number of soliciting phone calls I get [one maybe every six months
Not in my case; I don't pay extra to receive telemarketing calls or junk mail. Nor does the telephone company or post office block my driveway so I cannot drive to work in the morning. However, spammers have hit my mail server so hard that it cut off my connection to the outside world, preventing me from working from home.
When a spammer takes advantage of a poorly secured system belonging to another person without permission and forges the e-mail addresses of other innocent people not involved in spamming, I will use the word "criminal". I know of no better way to summarize fraud, theft, and trespass.
When I write free software and distribute it for free (with my e-mail address in the documentation so people can contact me or know that I contributed to the project) and I receive spam, how does your argument make sense? There are hundreds of thousands of computers with my e-mail address stored in credits files somewhere; how does this keep the Internet free?
how to invest, a novice's guide
this is where the UN has started taking looks at 'managing the internet' and the general response from the tech community has been fear and horror.
either we WANT a system that is monitored and every packet is tracked (ala big brother, 1984, the current US DMCA-Patriot Act version of things) OR we must create a self-managing system that provides accountability and protection from fraud.
spamhaus seems to be a step in the right direction, but the direction that microsoft and the various big companies seem to be going is the 'registered sender' approach, which completely defeats the purpose of the internet altogether and creates instead any number of smaller private networks (ala AOL back in the day when normal email couldn't be sent to AOL users and vice versa).
have we improved the situation? unlikely. have we made things so convoluted as to being nearly useless? likely.
Gekido's Lair
So the 2000+ pieces of spam I get in my mailbox every week, that causes me to miss important messages occasionally because the filter gets them and they get lost in the noise, the several meg ads that tie up my connection for many minutes at a time as they download one after another, all of that is doing me no harm?
I never asked for spam, I never asked for my email to be used as a forged address (a recent development, so now I get complaints and counter spam too). Also I've never bought from a spammer.
These people ARE NOT direct marketers, they are CROOKS, using the bandwidth -I- pay for, to harass me with things I do not want. And I have no real legal recourse to stopping them because I can afford to sue these hundreds of people. (If I could even find out who most of them were).
And again, please do not tell me they are not doing me any harm while I'm receiving spam complaint messages because some BUTTWIPE is forging my email address on their messages. It's no fun looking at having to change an email address that you've used for almost a decade, and all the associated grief that causes.
s/spammer/IP thief/
s/spammer/hacker/
s/spammer/dmca violator/
s/spammer/wannabe-homicidal nerd/
do you see what i'm getting at?
Spam is fundamentally identical to telemarketing and direct postal mail.
With the minor exception that direct marketing postal mail generally doesn't come "postage due," and telemarketers usually don't call collect. With spam, significant cost is incurred by those receiving the spam--more so, in fact, than it costs to send it in the first place.
There is no real comparison between traditional forms of direct marketing and spam. A far better example is unsolicited advertisements sent to your fax machine (which, by the way, is illegal.)
What part of "shall not be infringed" is so hard to understand?
So the 20+ pieces of mail I get in my mailbox every week, that causes me to miss important letters occasionally because I toss them and they get lost in the noise, the several ounce ads that tie up hands for many minutes at a time as I carry one after another, all of that is doing me no harm?
I never asked for mail, I never asked for my address to be used as a forged address (a recent development, so now I get complaints and counter mail too). Also I've never bought from direct mail.
These people ARE NOT direct marketers, they are CROOKS, using the mailbox -I- pay for, to harass me with things I do not want. And I have no real legal recourse to stopping them because I can afford to sue these hundreds of people. (If I could even find out who most of them were).
And again, please do not tell me they are not doing me any harm while I'm receiving spam complaint messages because some BUTTWIPE is forging my email address on their messages. It's no fun looking at having to change an address that you've used for almost a decade, and all the associated grief that causes.
------------
The only thing that isn't true for direct mail is the bolded bit. In the US, that would be mail fraud.
I'm not saying spam isn't a pain, but your argument is specious. You want something better, then create it. It's called innovation. And no, SPF isn't any better.
--
lds
Visit their website. /dev/null
Look at all the pages.
Maybe do a wget websuck to
Look for Contact forms, and fill them out.
If it is a Mortgage scam, fill out the forms with random stuff, or put in the name and addresses of known spammers.
Same for the car lookup stuff (How in the world do they make money?)
Keep them busy and waste their time.
If everyone who received a spam visited the site just once I doubt they would be able to afford the bandwidth.
And, just an afterthought on a different note, do most spammers report their spamming income to the tax man? Has anyone ever tried to nail a spammer for tax evasion?
Just thinking about these asshats really burns my toast!
Howdy Doodly Doo!
Anybody want some Toast?
This story illustrates that the profitability of spamming is not that great. It would be even less profitable if spammers' e-mail address books were even more polluted by bad addresses. And spam would be even less profitable if spam-using sites were inundated with mail.
I wonder if we could kill two birds with one stone. Littering the web with dummy e-mail addresses that include the domains of spam-supported sites. That way, the sites become overwhelmed by inbound mail traffic. It would be a version of this or, better yet, this using real domains of spam-using sites (from a blacklist service). E-mail addys such as sdadhja@viagraspammer.com, eywheh@viagraspammer.com, wywhdi@viagraspammer.com would both cost the spammer and the site that is using spam.
Two wrongs don't make a right, but three lefts do.
Actually, I would argue that using an open mail relay without consent of the owner of the system it runs on is a criminal act. You have no right to use a system someone else owns without their consent, and if you do so, that is a criminal act. In fact, that defines a great number of criminal acts, appropriating someone else's property for your own use. Be it computational resource or physical one, it is still criminal.
Previously, spammers just used an insecure mail exchange that someone else used, abusing the system. Now, they have worms hack into unsuspecting systems and set up mail relays of their own. These two relays are fundamentally the same.
The only way this would be identical to direct mailing or telemarketing is if, god forbid, they ran their own servers and sent their massive spam blasts. If they did this, then it would not be a criminal act. They won't, however, because that would mean that it would be trivial for most people not wanting spam to blacklist their servers.
I don't believe that "Internet Direct Marketing" can work. Think about it. Many people don't like direct marketing tactics. It's crap in the mailbox that goes right in the garbage. Many many people do not like telemarketing, so much that the telemarketing industry fought tooth and nail to prevent the one tool that could punish and block their attempts to push random promotions onto the masses. Spamming is the same tactic in a new medium, except that unlike direct mail and telemarketing, it uses YOUR resources regardless if you read the email or not (pick up the phone, open the direct mailer) and you have the potential for much more control over rejecting all kinds of spam at once, and the spammers cannot handle that.
Putting executable code, even in an interpretive language like TCL, into DNS records is a terrible idea. That offers a whole new channel for attacks. A good one, too; the code would be executed without any user intervention, and sometimes it would be executed on servers.
First of all, the cost of spam has never fully been paid by the spammers. Back in the days of Open SMTP relays such the most of the actual cost of the bandwidth was paid by people giving out service for free, because it was cheap and made the internet easier to use by all. Thus spammers stole took free resources and squandered them.
And secondly, spammers never had to pay for the download bandwidth. Imagine if the post office made you pay half postage for every single letter you received, and someone sent you 10,000 messages. Your choices are either paying thousands of dollars, or forgetting about ever getting postal mail again.
But this is exactly what happened. A mailbox full of spam for a dialup user meant wasted modem time, which went for as much as $2.95 an hour.
know you don't want to believe that, but it's true. When you give your email to a website operator, and that website operator sells it, that money is what keeps your content cheap or free.
I've never given my email address to a website that sold it (with the exception being the LA Times. But by then I was smart enough to use unique addresses for everything, and all the mail from them gets deleted automatically).
Most websites make money by advertising, not by selling information. On my website, I advertise various pay services, and when the small percentage of people interested in that service buy something, I get a cut. Some services work pay per click, or by impressions.
That's the way the vast majority of websites make money. Anyone selling email addresses should be shot.
autopr0n is like, down and stuff.
Better yet, confiscate the profits from spamming activities and use that to pay them. We need to introduce disincentives. Having some big company pick up the tab just subsidizes the spammers.
US-bashing?
the US deserves to be bashed right now for their horrific record on just about every topic that you could possibly list.
i don't see that this is the problem - if anything the UN is not trusted simply because they MUST do what the US tells them, or the US simply vetoes any motion, or simply does not support them (ie kyoto, etc) which effectively kills whatever motion is being attempted.
If the US (and their current militaristic foreign policy approach) continues, and if the UN becomes the global watchdog of the internet, what would stop the US from 'providing' the UN with their patriot technology, because it would really 'make things simpler' to monitor and police spam and those damn 'terrorists'...
Gekido's Lair
Don't confuse "the US" with the current administration and president. Many of us are working very hard right now to make sure he doesn't get elected again. The rest of your claims ("horrific record on just about every topic that you could possibly list") just don't hold any water.
Yes, they do. For a while, I sent spam complaints from an address used for no other purposes - spamcomplaint@ (my domain). That address now receives spam. They harvested the address that I used to send complaints about spam, and they use it to send more spam.
What we really need is a registry of spam-unfriendly email addresses.
Spammers have been known to trade lists of known anti-spammers, known spam-trap addresses, and such. Some of my addresses have (correctly) been on those lists. It doesn't seem to lower the spam, though.
Your basic idea is to create a one-stop "do not spam" list. That's been tried by spammers, by anti-spammers, and even the FTC can see that it won't be effective. You, of course, believe this to be a new concept - but that doesn't change facts.
They're not evil.
Yes, they are. That's why I get bounces because they forge my addresses. Almost all spam is sent using forged addresses because these people are dishonest, unwilling to admit who they are, unwilling to deal with the bounces they cause, unwilling to pay their own bandwidth costs. They don't give a shit if they ruin email for everyone else. They'll do anything they can if they think it *might* get them what they want. Just like a rapist decides that he doesn't care if the woman doesn't want to have sex, he does it anyway to get what he wants. Just like a thief doesn't care that he's screwing some honest citizen when he robs them - as long as he gets what he wants. And just like the rapist and the thief, the spammers are evil, out to get what they want, regardless of the damage it does to others.
As current events go, I can quite easily and unreasonably extend this analogy to the actions of coalition forces in Iraq, with such things as prisoner abuse. But I suppose we shouldn't go there. I better not as I wouldn't want to be labelled as a troll.
All mail admins out there take note. Rejecting connections from blacklisted open relays saves spammers money! Whereas accepting mail from blacklisted relays means the spammer has to pay!
Don't block China, accept all the mail you get from there and stream it to
That's the thing about collateral damage. Those doing the damage have the arrogant assumption that it is acceptable because the greater good is served and do not think that they have to take responsibility for it.
So ISPs that allow criminal activities on their network shouldn't have to accept the consequences of their actions, that being that no legitimate networks want their traffic?
As current events go, I can quite easily and unreasonably extend this analogy to the actions of coalition forces in Iraq, with such things as prisoner abuse. But I suppose we shouldn't go there.
No, you shouldn't. No one is forcing anything upon the rogue ISPs. Blacklists are a way for a network to protect itself from the criminal actions perpetuated by ISPs that don't care about their criminal customers by voluntarily refusing traffic. There is absolutely no parallel to voluntarily rejecting packets from a known 'net sewer and torturing Iraqi prisoners. Only a moron would suggest that an effective analogy could be constructed from that.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
the current administration and president ARE what the rest of the world sees as far the general outlook of the US, after all it is the economic policies and foreign policy directions that they provide that affect the rest of the world the most.
;}
of course every american isn't the same, but every american isn't in control of the largest military force the planet has ever seen either
Gekido's Lair
but they aren't all evil.
You're right. Some of them are just too damn stupid to understand that what they are doing is stealing. They're mentally incompetent. I guess that they should be institutionalized rather than jailed.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
With all this talk about it being important to hit the big boys instead of just small fry spammers... I was just googling when I saw the AdSense link to this company that sells, essentially, spamming lists.
They've got a snappy site design, and obviously shelled out enough to be a top google hit, so they're obviously doing well for themselves. Call them at 1-800-395-7707 (number from the page) to let them know how you feel (*wink* *wink*).
Schmiddy
http://cltracker.net -- powerful craigslist multi-city search
I pay for traffic.
80% of my traffic is mail.
50% of my mail is spam.
Therefore, 40% of my bandwidth costs are spam.
Comprende?
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
My previous posts are in support of measures to stop SPAM but I argued that the methods should be reasonable to stop innocent parties from being hurt. I believe that no amount of harm done to innocent parties is acceptable.
Okay. Let's take a hypothetical ISP, we'll call it "Vertigo" or "Qworst" or "SpewYou Net", doesn't really matter. They allow their customers to engage in unethical, criminal activities. Not only do they let their customers spam, but they also allow their customers to use proxy hijacking to illegally hide the true location of their webservers by using hijacked machines as web proxies. They let their customers engage in DDoS attacks against anti-spam websites without action. They are openly abusive toward people who report the abusive activities of their customers, to the point of threatening lawsuits.
Now let's say that an organization -- an anonymous organization -- publishes a list of known crime-ridden ISPs run by corrupt management. They support the claims of the list with documentation of the criminal activities of the ISP's customers. This list is then used by responsible ISPs to block all traffic from the crime-ridden ISPs, since the ISPs who voluntarily use these lists have decided that they do not want to trade packets with known criminals.
Now let's say that you are a "legitimate" customer of SpewYou Net (now WorldCon). You're not actually doing anything unethical, you just happen to be giving money to a company that openly enables criminal activities in exchange for network space. Unfortunately, you discover that -- because your ISP has allowed their IP space to become a cesspit -- no one wants to trade packets with you.
Who is at fault here? The people who compiled the list of IP addresses owned by crime-friendly ISPs, the ISPs that voluntarily choose to reject your packets, or your ISP for allowing the netspace that they rent to you to become so undesirable to the outside world?
I agree that it's unethical to allow antispam activities that cause harm to third parties. I'm just a little better at assigning appropriate blame.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
If you start complaining on the protocol level you'd better understand it first!
SMTP is for the delivery of messages. There is nothing insecure about it.
I dare you to sketch how a protocol that doesn't deliver spam would work! Remember you are dealing with spyware-infested machines out there spewing out e-mail and you must somehow differentiate it from the normal e-mail they send. Plus there are the twin problems open proxy and open relay, but blackhole lists have taken care of them pretty well -- they were made around seven or eight years ago.
There IS a perfect technical solution, it's called PGP and was invented over ten years ago. Simply filter out non-trusted e-mail and you'll be all fine.
There you have it. Just as an example I've shown you TWO successful methods against spam. Exactly NONE has anything to do with SMTP.
I get my email bounced sometimes because AOL and some other ISPs have blacklisted mine; meanwhile I still get tons of spam. So I'm getting screwed by both the spammers and anti-spammers.
Or to put it another way: there's always going to be spam as long as there's a profit to be made out of it. No matter what measures are taken, technical or social, it will only be an escalating arms race of spammer vs anti-spammers (whoever they are). Look at all the wrong things for sale out there: arms dealings, drugs, people and so on. As long as there's someone buying, the incentive remains. The harder it is to sell those things, the bigger the risks, the bigger the profit. The fewer the sellers, the harder they try. The answer to stopping spam is simple: ordinary people must stop responding to spam, stop buying the things they advertise because of the aggressive manner in which they are advertised. The moment the profits are not there anymore because spam itself kills it, spam will go away.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
If you're worried about the trivial amounts of radiation found on scottish moors you also might want to consider abstaining from eating any animals grazing on plants growing on granite bedrock and any fish caught in the north sea. Also you should avoid going within a few miles of any unfiltered coal fired power station as the dust it generates can be highly radioactive depending on where the coal came from. But then paranoia isn't best friends with rationality is it?
"...and nothing ever could."
You can't even be vaguely serious with what you are saying.
As much as I hate spam, I can not agree with calling for cruelty and violence. Is that the spirit of our ages? Torture and abuse grown into a trend? Violence as an appropriate means? Shock and awe as social corrective measures? Is there no other way?
Somehow in my naive mind I had the impression that we had left this behind in the middle ages, but these days I am disillusioned more and more.
Even with the smiley I can not find funny what I read there.
-silence
Dyslectics of the world, untie!