Slashdot Mirror
A Day In The Life Of A Spammer
kaip writes "Internetnews.com has a story of a spammer. The individual sends 60 million spam emails for four days worth of work and claims that one in 19 of AOL users clicks the links in his mortgage spam (this number should however be taken with a grain of salt, see rules 1 and 2). Maybe not
everybody has heard of the Boulder
Pledge... The article also tells how the CAN-SPAM Act,
which legalises spamming, is turning the US into the spam haven of the world. Currently, 86 percent of the total spam volume is coming from the States."
SPAM will continue to exist until people stop making spam profitable. It's a bad side effect to greed. People will do anything for a buck.
Legislation won't help. Technology hasn't been able to help that much yet. Basically, advertising is here to stay, and you can do one of two things, make yourself invisible so you can't be advertised to, or accept it.
Companies want you to be a consumer, so that they can keep being producers. There's too many companies, so they are going to fight hand over foot to get their product into your mind in whatever method they can.
-Eric
hrrm.
Thank god for Instant Message applications, otherwise I'd be lost.
Actually, one of my accounts only gets one or two spams a day, but my main business address gets 1000 - 3000 a day now (after spamassassin, however I need to enable some blacklists, sod the customers that get accidentally blocked) - earlier this year it was 100 - 300, and last year 10 - 50. So in my experience, volumes of bandwidth wasting time wasting productivity wasting SPAM has gone up ONE HUNDRED TIMES in a year or so. Where will it be in 3 years time? It will be unmanageable, enough is sent from compromised machines these days and it will only get worse.
The USA needs to sort out its spam problems, and soon.
I just don't get it. I mean, Congress bending over backwards to legitimize obnoxious behaviour by big corporations I can understand; that's pretty much what it's for, these days.
But spammers? They're not particularly organized, as far as I know. It's not as if the Viagra-and-penis-extension lobby is a major campaign contributor. So what gives? Are Congresscritters really so consistently stupid right across the board, AND their staff, AND all the IT and telecoms industry lobbyists who must have had something to say?
Or were they worried about the effect of (useful) legislation on political direct-email campaigns? Maybe. But I can't see how that would benefit one party more than the other, so why care?
The article also tells how the CAN-SPAM Act, which legalises spamming, is turning the US into the spam haven of the world.
I think CANSPAM is an awful law. It overrides much better and stricter state laws, and it doesn't really do anything to reduce SPAM.
However, it seems like a stretch to say that CANSPAM is turing the U.S. into a SPAM haven. I think most spam recieved in the U.S. is tied to U.S. businesses, even if it's sent or bounced through servers abroad. Just because spam from US servers have increased doesn't mean CANSPAM is the cause - you can use logic like that to "prove" that pr0n is good for kids.
I wouldn't be surprised if part of the reason for the increase is that there are more virus-laden compromised computers in the U.S. to relay spam off of.
I have blog like everyone else
It is amazing to me that the ultimate benefactors of mortgage spams are generally banks, one of the stodgy, conversative types of organizations around. (And rightfully so). Now, they need several layers of spam-laundering in order to hide themselves with plausible deniabilty from the spammers. But, it seems to me that an organized campaign to lobby and educate banks and other financial institutions ought to be able to eliminate mortgage spam.
It is the same sort of rage that you feel at someone who cuts you off in traffic, or listens to their voice mail with the volume cranked up. Hatred is a common reaction to extreme rudeness and spam is rudeness taken to the nth degree.
The gut reaction of hatred caused by spam has very nothing to do with logic. When I think about spammers logically I think they should be fined to the point at which their business case is destroyed and in extreme cases (fraud, illegal merchandise) they should go to jail. When I waste 30 minutes filtering mail or miss an important mail because of spam then, just for a second, I'd like to bloody the nose of the assholes responsible for it.
[Set Cain on fire and steal his lute.]
Secondly, and this is the show-stopper at the moment, it relies on there being an effective micropayment system that can be easily integrated into SMTP, so far there isn't really a viable micropayment system, let alone one that works with SMTP. Hopefully the likes of iTunes etc. will change that, but Penny Black would need to handle several orders of magnitude more transactions than iTunes, which might pose problems. The vast majority of spammers also don't care much for the law, so the payment system would need to be proof against stolen credit card numbers, abuse of compromised PCs, faked domain names...
It's a nice idea, and I might even use it if it were to happen, but somehow I just can't see something like Penny Black ever getting off the ground.
UNIX? They're not even circumcised! Savages!
Oddly enough, many people on Slashdot tend to think laws and technology will never help the RIAA, MPAA, and the BSA stop online piracy. Guess what? It won't help stop spam either and while I agree with your premise, especially concerning print advertisements, I still think there is a way to fix uwanted e-mail.
I subscribe to a few sites newsletter, Apple and Amazon.comn being just two examples. Both occasionaly send me information about specials I might be interested in. In the case of Amazon.com, they recommend similar items I might like based on past purchases. Basically, an opt-in system would solve most unwanted advertisements. There will be a small percentage that will ignore ANY law put in place and these people should be prosecuted accordingly.
Now, I'm very careful to only give out my e-mail address to trusted sites. The only reason I seem to get even this spam is due to the fact that apsmmers datamined the whois database. I've since subscribed to an anonymizing service through my DNS provider so no more spammers can get my e-mail address. Luckily the e-mail address they do get is going to expire in December so my spam should drop to only 5-10 spams e-mails a week. Blocking this Whois hole would contribute to eliminating a lot of spam too. Why my private information needs to be made public just because I want to run a website with a personalized domain name is beyond me. I shouldn't have to pay to have this information made private, it shoudl be private by default.
However, there are many other types of spam that are not going to stop, phishing scams being one. These are by and large the largest kind I tend to get. Generally I don't get much spam at all, about 5-10 a day, 15-20 if you include my hotmail account I use specifically for spam catching. What I do get tends to be autogenerated and contain nonsense "words", such as sjwiersa or fxtjkxxzzqw. These are immediately deleted and I go on to read the rest of my e-mail. I believe these spam e-mails were sent to my e-mail address grabbed off the Whois database prior to my actions to anonymize the information.
No, seriously. If 80+% of spam originates in the USA, and the US congress is daft enough to pass laws like CAN-SPAM global ISPs should hold a "cut the link" week and block email traffic from the USA. Just imagine the chaos and media attention that would cause. And it would be media attention is something that makes politicians squirm. A question, though. Can anyone explain to me what would make US lawmakers vote in favour of this bill? It seems like the kind of thing that any semi-sentient 14 year-old would be able to critically dissect as narf idea in about 12 seconds.
...allow me to pimp two of my favorite projects. First up is the Unsolicited Commando project. It's a little java app that spends its day quietly and merrily filling out forms on spamvertised websites with completely bogus - and yet totally real looking - data. It's especially effective against - surprise! - mortgage/refinance spammers, which seems to be the specialty of the dirtbag mentioned in the article. Go check it out, and the source code is available just in case you think something fishy is going on.
The second page I'd like to point you to is here. It's a 'Lad Vampire' antispam page that also targets spamvertised websites, but in a different way. The page links to individual images on the sites and constantly reloads them without caching, thereby burning up the spammers' bandwidth and driving them out of business (or at least costing them some money and forcing them to sell their children on the black market). Be forewarned that the page has no help, no documentation, and *only* works in IE, so don't yell at me about that. The source code is available for that as well, so here's hoping someone can make it more usable in Moz, Opera, ThunderFireBunnyChicken, or whatever browser is your fave.
I'm currently working on a new filtering solution. The first step is SPF record checking. If the sender forged the address of a site that publishes an SPF record, I reject the mail. The second step is all mail now goes through postgrey. Postgrey is a greylist that tells the sender to try again in a while. That actually seems to work pretty well, though it does delay my mail by about an hour. The third step, which I'm still working on, performs two checks. It checks to see if the sender's on a whitelist and if he is, it lets him through. If he's not, it checks to see if the mail's encrypted to my personal GPG key. If it's not, the mail gets rejected (At the MTA, so I don't have to send a bounce message.) I can always eliminate the second step if the spammers ever figure out how to deal with that. I'll be changing the GPG key on a regular basis to keep the target moving.
It's a pretty extreme solution, but all of about 3 people in the world send me legitimate E-Mail and I was getting 200K+ of spam a day. With that S/N ratio, I may as well just turn my E-Mail server off. This is the next best thing.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
High-speed badnwidth is qidely availible and not too expensive in Sweden, yet I haven't received any spam from Sweden, as far as I can see. Of course, they can fake their identities but still... Most stuff is about American products for American citizens. Clearly something that doesn't concern me even if I was interested in the product itself.
but I was on hotmail then, on yahoo, my bulk folder does a good job, so I rarely see their junk and I am not annoyed as much. A good spam filter is like Tivo...
After having been a victim of the jacked up job market, How is a man to survive? I can see why some of em do what they gotta do.
The original idea of cable TV was to be commerical free. We pay for cable TV just like we do for our internet connection. I consider TV commericals SPAM. I did not ask for it, but likewise they advertisers always go, "We have to make profit." Why is it that people put with cable commericals but not spam? Then there is the movie theaters. It use to be that if you went there, the previews start a few minutes before the movie time, and the movie starts on time. But today? commericals come first at the time the movie is suppose to start, then the previews, then the movie.
Spam is here to stay. It is NEVER going away. The day SPAM can be completed eliminated from the net, well, I certainly wouldn't be on it, cuz it must not be a free net. One of the pain of freedom is that those you do not like are also free to do the things you do not like for them to do.
We should battle SPAM the right way, not by banning it or attempting to. Suing the company for wrong advertisment (if they did.) Ordering from the company then returning the product. Credit card charge backs are in the average range of $20 per charge back for internet companies. Imagine if 1,000 people ordered then cancelled their orders. $20,000 in extra fees for the company selling the junk.
------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
Let's get a collection have this man removed from the planet in a very slow and painful way.
It amazes me just how ineffective our government can really be at times.
- Zav - Imagine a Beowulf cluster of insensitive clods...
The most effective tool I have seen so far is greylisting. greylisting reduced the amount of spam from 3000 to 6000 a day to 5 to 10 spam a day. Include spamassassin and the spam that does get through greylisting gets nailed. spam problem solved.
Now if everyone greylisted the spammers would be out of business. But people here, which should be technologically knowledgable, seem to just complain about spam. Implement greylisting on your servers along with spamassassin! You will not regret it.
Since doing this I have actually been able to get back to real work instead of worrying about spam.
My ISP is helping me a bit with this one. They add a custom header to mark things that have been RBLed so I now have set one of the labels (purple in my case) as "known spammer". I then added a message rule that reads essentially if "X-Warning RBL" = "Listed" then label message "known spammer", mark as read, and move to "Junk" folder.
This way when spam comes in that Thunderbird does not detect on its own, but my ISP has flagged, I don't get notified that I have mail, it gets moved into the Junk folder, and turned purple to verify WHY it's there. This has simplified my life.
Hey!!! the parentheses are good for something
I have been running an experiment on spam reduction. I have been checking every spammers's whois and filing a report on false data at http://wdprs.internic.net/. If their email bounces or their US address are not in the http://zip4.usps.com/zip4/welcome.htm/ I rat them out. The results are not in yet but it has so far yielded about a 25% reduction. The 15 day waiting period is still pending on my largest sources of spam.
I at least have the pleasure of thinking that I have annoyed some spammer at least as much as they have annoyed me. When the new TV season starts I think I will loose interest in this but it is something to do for an hour when it is too hot outside.
It may annoy you that you have to have a valid whois but it is a useful tool to attack spammers with. No bucks comming in to a web site, not as much spam.
[Whois information is made public in order] to provide contact info for complaints. A domain name is governed by similar rules to a business. If you want to operate (the domain) in public, you need to make public your contact info.
That's just silly though. I would be MORE offended by someone calling me directly to complain about content on my web site than anyone could possibly be offended by what's on all of my web sites (and trust me, there is some very offensive material there, no, not porn). MAYBE a phone number, ok, but no one needs my personal address. If someone was offended enough, they could hunt me down and kill me. That's kinda scary
I'd probably rather have a person file a complain with whatever govt. entity would deal with such a thing. People get offended by the stupidest shit these days, I think the govt. would put the smack down and tell them to shut the fuck up, unless it was actualyl legitimately offensive, which you know 99% percent of the time it wouldn't be.
Luckily all my domains were registered several years ago when I lived in another city. You think I'm going to take the time to update the whois information? HA. Fuck that.
For that matter, phone numbers are the same way. By default, your number, name, and address are public info. One must pay extra to get an unlisted number.
By default, yes they are, that doesnt make the default a good thing though, does it? I used to have Qwest, who we've all heard wonderful things about, they charge 75 cents per month for an unlisted number. They say it "costs them extra money" to not include your name/number in the phone book. Yah right, bastards, it takes the click of a mouse to check that box that says "Dont include in phonebook" and it's done.
Joseph?
Because of the Boulder Pledge and my unwillingness to become a spammer myself to promote these two programs, I ask you all this question: Will you reward my efforts and purchase my shareware mailserver program after trying it out first? When properly installed and configured, see for yourself how it blocks spammers altogether or 'safes' hostile email content and clearly and symbolically identifies the message's 'spamlike' attributes on the email message 'Subject: 'line. Email containing content unwanted by the recipient is automatically 'deleted' and *NEVER* appears in their inbox! In doing so, you will help reduce email spam and malware and reward my efforts to provide you the tools to do so. If both programs were in wide use on the internet, spam and malware would be 'almost impossible' to distribute.
Bryan Taylor
iamcf13@hotpop.com
SpamByte code: 7
(see http://www.cf13.com/game-over-spammers.htm )
http://www.cf13.com/press-release.htm
All email containing unwanted content will be summarily deleted or reported as spam.
Your post advocates a
( ) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
(x) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
"You could possibly build this waiving into the sign-up process - "click here to confirm your subscription and waive all Penny Black costs"."
That's backwards. Build the sign-up into the waiver process instead, "Click here to waive all Penny Black costs and send a subscribe message to the new sender." Thus, the opt-in management server will manage the subscription as well. Security is much easier in that direction. Further, the server that bears the burden if security fails is the one responsible for security.
ObAOL: you're absolutely correct on the issues with integrating micropayments into SMTP. It's an elegant solution on paper, but not one that has a simple implementation.
I'm tired of the argument you make honestly. A little "collateral damage" does not cause a business to go "out-of-business".
I host a mail server for 2 (small) businesses, both rely on their web site to win customers. Both sell products which require communication with the customer (usually through email).
The mail server gets about 6000+ emails per day. As of now:
- Spamhaus SBL blocked 1084 (16%)
- Spamhaus XBL blocked 2014 (30%)
- Spamassassin caught 2067 (31%)
- The virus scanner caught 105 (2%)
only 1337 (how funny) or 20% were delivered today.
Are there falso positives? Maybe. Are they killing the businesses, which rely on customer communication - NO!
Going throught 1000+ spam emails a day would CERTAINLY have them go out of business. In fact, both business owners decided to have the Spamassassin spams discarded serverside. As in, they dont even want to go through them to check for false positives (anymore). Why? Because once again, if they had to check 1000 emails a day for false posisitves, they would never be able to read their legitimate emails.
Also, maybe there are some customers who try emailing them once and then give up, but I would suspect that most people are smart enough to pick up the phone or try a different form of communication.
Both businesses, are doing fine.
So it's a business tradeoff. Maybe you lose a few people through false positives, but you're gonna get your other customers served quicker and can build a reputation for good service.
YMMV
Cheers,
Andre
Isn't that handy! I already have enough messages in my inbox since yesterday that I can probably train it pretty damn well. Those ~3500 messages will do it wonders!
Wow... isn't that ironic. While classifying the messages, I found one from the 'Christian Ideals Foundation', offering to give me a loan. The domain of the return address sells herbal viagra, and the address they sent the message to has only been given out to a porn site (just one porn site... every place I give out my address (porn or not) gets a diffirent one). How's that for Christian Ideals?
ND
This statement is forty-five characters long.