Tech Reporter Pursues Spammer

girish writes "Technology reporter extrordinaire, Mike Wendland, is at it again tracking down spammers. Wendland conducted the infamous interview with Alan Ralsky, the alleged mega-spammer, a few years ago. That article spawned a lively discussion on Slashdot and eventually resulted in hundreds of pieces of junk postal mail flooding Ralsky's million-dollar home. Now Wendland is using a new tool from a service called Project Honey Pot to track email address harvesters. He posted on his technology blog this morning about catching a company that is holding itself out as a legitimate bulk mailer, but appears in fact to be sending to harvested addresses and conducting on the side some other seemingly seedy businesses. Interesting stuff."

The honey is everywhere

[bigberk]

Honeypots are lurking all over the net... spammers don't have a chance. They are so indiscriminate and stupid with their harvesting that they are just announcing their presence through a digital loudspeaker, "I AM A SPAMMER".

There might even be some on slashdot! Who knows?!

Re:The honey is everywhere

[commodoresloat]

There might even be some on slashdot! Who knows?!

That's crazy talk. This place is spam free. And your website can be spam free too! I'll show you how for just $19.95!!

Re:The honey is everywhere

[Phattypants]

What do you mean? Since I started reading my webmail, I've put all my company's mail-security needs into these miraculous services called hotmail and or yahoo! Why, it was but ten years ago that my penis was two inches shorter! Not only that, but now all of my debt has been consolidated! I can just pass on the tab to my next of kin! I decided contact you, Because I believe you are a reputable person and I feel You can help me and my mother over this confidential matter.

Re:The honey is everywhere

[s4m7]

That's crazy talk. This place is spam free.

I was spam free until I followed the lst three article links, where the pages promptly scanned my gmail and yahoo cookies and added me to their list.

Oh wait; I pressed "insightful" when I meant to press "funny" on my /. comment generator. here's what I was going for:

No, that's my brother, crazy talk.

Re:The honey is everywhere

[SagaLore]

Why does your signature say "I can see the ." That doesn't make any sense. See the dot? What?

darn!

[xhispage]

f*ck the spammers! They will ruin the best part of the internet or render it useless!

Re:darn!

[drg55]

There is one turkey who sends a picture of a guy spreading the cheeks of his ass to posters at a migraine forum (http://s-2000.com/bam/). This turkey continually creates new logins and sends the same picture over and over.

I guess he's just an a**hole!

Unfortunately the administrator seems to be on stress leave.

The spammers also send 100 junk mail per day to an email address of mine which has been rendered unusable.

Personally I think it is not regarded seriously enough as a criminal offence.

Re:darn!

[aussie_a]

I agree. It's people like them that gives porn a bad name.

Re:darn!

There is one turkey who sends a picture of a guy spreading the cheeks of his ass to posters at a migraine forum

Funny you say that, I'm told some turkey keeps on posting links on /. to a guy spreading his asshole so wide you could get your fist up there. I've never seen this pic but I'd be really interested to. Does anyone have a link?

Re:darn!

[Bri3D]

Sign up for the BAM Page Newsletter to receive notification when the new [privacy] statement is online.

Wow. That's one of the funniest things I've read in a long time.

That's nothing...

[cmowire]

One of my honeypot email addresses has received several trojan horse messages from our friends at the spamhausen.

Does it really take that much effort?

[Propagandhi]

Seems to me that this kind of thing should be fairly straight forward. I mean, sending millions of e-mails can't exactly be done "quietly" can it?

Re:Does it really take that much effort?

[Beryllium+Sphere(tm)]

>Seems to me that this kind of thing should be fairly straight forward. I mean, sending millions of e-mails can't exactly be done "quietly" can it?

Sure it can.

Creepy spammer approaches creepy trojan writer. Creepy trojan writer rents creepy spammer access to 10,000 compromised PC's on DSL and cable. Creepy spammer commands each compromised PC to send three emails per minute from 11PM to 7AM. Creepy spammer has now sent 1.44 million pieces of email without an obvious flood anywhere and without an obvious IP address to block.

Re:Does it really take that much effort?

But, with a honeypot address(es), you know it's been harvested, and who the mail was sent for. If you can keep track of all of the people that used the spammer, you may eventually find the spammer through his own ineptitude.

Re:Does it really take that much effort?

Creepy slashdot poster unwittingly reveals his creepy plan for spamming...

Re:Does it really take that much effort?

[jokumuu]

But repeat this across a few sites that check the sender, and ith crosscorrelation you can very fast get the addresses of those 10000.

Re:Does it really take that much effort?

[Secrity]

Creepy spammer approaches creepy trojan writer. Creepy trojan writer rents creepy spammer access to 10,000 compromised PC's on DSL and cable. Creepy spammer commands each compromised PC to send three emails per minute from 11PM to 7AM. Creepy spammer has now sent 1.44 million pieces of email without an obvious flood anywhere and without an obvious IP address to block.

After a while this activity develops a pattern that shows which broadband providers to block because they allow this to happen. This causes the IP addresses of the broadband providers who allow this to happen to be place in rbl's for blocking.

Re:Does it really take that much effort?

[imsabbel]

haha. "which broadband provider so block". LOL
How about ALL? Or do you think all people with vulnerable machines are grouped with one ISP, and the crackers only target one?

Re:Does it really take that much effort?

[AndroidCat]

Don't forget the creepy port scanner who looks for installed trojans and exploits them to install his own software. For months now, every morning at 7:42 & 8:42 EST a port scanner checks ports 5554, 9898, 1023 and 445 using several zombies per scan, mainly from Korean and Japanese IP addresses. (There are plenty of other scanners but none so damned punctual as :42 Zombie Charlie!)

Re:Does it really take that much effort?

Well, they certainly do put forth some effort due
to the $$$ lost from failed business ventures...

The fellow who owns Seattle Laptop tried to
recruit me to write some scripts and whatnot for
him when he overheard me in his store trying to
buy a laptop sans windows. I chatted him up and
he openly told me he was running a spam server or
three running Linux and he wanted to update and
expand his "business".

I can only guess he needed the money because of
his shite laptop shop...

Oh yeah: http://www.seattlelaptop.com/

Re:Does it really take that much effort?

[Secrity]

Responsible providers have their users remove or clean infected machines (or the users ar disconnected), which reduces the number of zombies available on a network. The biggest difference is what the provider does to prevent spam from leaving it's network. The single most effective measure is for broadband providers to block outgoing port 25 and require that all users who wish to send email via port 25 use the provider's mail relays. Responsible providers also take action to prevent it's relays from being used to relay spam from it's users. It is well known which broadband providers allow the most spam to be sent from their networks, and they are listed in several rbl's.

Re:Does it really take that much effort?

If only 640 emails were enough for any spammer...

Re:Does it really take that much effort?

[Cramer]

There are 2 obvious problems with port 25 redirects... 1) all it takes is one idiot to get the ISP's mail server(s) blacklisted, 2) any problem with the ISP's mail server(s) gives you no other option for sending email.

I've seen #1 so many times I've given up on the whole process. You cannot black list an ISP's mail server(s) because a handful of junk went through it -- that junk is less than 1% of what's moving through there. How many times have AOL's servers been blacklisted? I stopped counting years ago.

#2 is a serious pain in the ass. No ISP's mail farm can deal with my email faster or more reliablly than my own computers from my own connection. RR uses (used?) Microsloth's SMTP crap. I don't know what Earthlink uses, but it's much slower than handling it myself. Network Solutions (selling mail service for businesses!?) uses Mirapoint systems so mis-managed and overloaded, it can take most of a day for a single message to get through it (if at all.)

Most dynamic address ranges are already listed in various anti-spam blocklists. That works far, FAR better than port 25 redirection -- esp. when no one informs you of the trap (Cox, Rogers, The Hilton, ...)

Re:Does it really take that much effort?

[Secrity]

At the present time, port 25 filtering is being implemented by quite a few providers. Most providers who are not doing port 25 filtering at the present time have a major spam problem.

There are options for sending mail. One way that is gaining popularity is the use of port 587 to send mail to authenticated smart hosts. And then there is always the ever popular web mail.

ISP's mailservers do not normally get blocklisted for a handful of junk, it usually takes great gobs of junk to get then blocked. The only exception might be Spam Cop, which is a very dynamic list. Very little spam is reported coming from AOL's mailservers and I do not know of any widely used block list that is currently listing AOL's mail servers.

Much of the slowness caused by well managed ISP mail farms is due to the anti spam and anti virus checking that is being done. One problem that you didn't mention with ISP's mail servers is that some of them have started silently dropping outgoing mail if it trips the spam filters. Cox is doing this and it makes it impossible to report spam via email.

IF ALL providers would submit ALL of their dynamic IPs for inclusion in dynamic block lists, I would fully agree with you. Unfortunately many DSL providers don't segregate their dynamic IP customers from their static IP customers into identifiable blocks. Also, many providers do not voluntarily provide that information to list providers.

I also disagree with port 25 redirection. Port 25 should be filtered (port 25 access blocked to all IPs except for the ISP's mail farm), not redirected (all port 25 traffic is redirected to the ISP's mail farm).

I have no fear of spammers

[MichaelCrawford]

Harvest this, infidels:

• crawford@goingware.com

A long time ago I decided I wanted to make it as easy as possible for potential clients to email me, so I have never spam-protected my email. It's all over a lot of different websites. It's all over Usenet too.

On the other hand, I get a lot of spam. It's only just beginning to bother me. I have a friend, she gets maybe ten spams a day, and she gets so outraged that she reports them all to the abuse@ addresses and so on. Me, I get a few thousand spams a day. I read my email with elm because it's the only email client that can handle the huge mailboxes I get.

What's getting me down though are the viruses. At one point I was getting 400 MB a day of viruses. Now I've decided I'm going to set up a virus filter on my home linux box, and use fetchmail and spamassassin and clamav and what have you to filter it, and serve it with imap to my other computers.

My hosting service tried to filter all the viruses with clamav, but they got so many viruses that it was too much of a CPU load, so now they do only very simple virus filtering, to catch the most obvious viruses without much CPU consumption.

Re:I have no fear of spammers

[bigberk]

My hosting service tried to filter all the viruses with clamav, but they got so many viruses that it was too much of a CPU load

This is why renattach exists. You run that baby in kill mode, and you can handle millions of viruses a day without breaking a sweat (load average wise). This filter just drops mail when certain types of attachments (by file extension or file names inside a ZIP attachment) are found. Not as proper protection as a virus scanner, but coupled with spamassassin it will do the job.

Re:I have no fear of spammers

[jokumuu]

Well, my "public" email box gets about 5000 spam/virus messages a day having been active for 16 years. But ony a few get through the filters I was forced to setup three years ago. I think that address must be on every spammers list.

Re:I have no fear of spammers

[elgaard]

>What's getting me down though are the viruses

I can recommend running VirusSnag (http://www.spamless.us/vsnag) before spamassassin.

Re:I have no fear of spammers

[onepoint]

This is why I read slashdot every day. Someone always helps out with some common sense advice that helps the rest of us.

Onepoint

Getting off the spam list, a how-to video

A howto video on how to prent yourself so they will take you off their mailing list.

spamtraps...

[mmThe1]

An relevant note here would be to mention Spamikaze system (intro here).

In a nutshell, it sets up spamtrap e-mail addresses, and any IP that sends mail to that address is automatically added to the blacklist, and further mails from it are rejected at SMTP level. A false positive can be easily removed from the blacklist manually (example, PSBL).

Re:spamtraps...

In a nutshell, it sets up spamtrap e-mail addresses

We've got something similar here, if you get lots of spam on a UNIX account (with procmail and cron available), and if you have a very accurate filter, you can submit periodic (e.g. hourly) reports of spammers' IP addresses to our server. This doesn't eat up any additional bandwidth, but really helps out the Internet as a whole by locating new spammers. Contact us if you would like to turn your spammed address into a spamtrap/honeyput :)

Re:spamtraps...

[BP9]

One very minor problem with spamikaze is they do not (did not?) advertise SPF records for their honeypots. This leads to some bounces and 'ASK' style replies ("did you send this?" queries to get on a whitelist) getting ones mail server on the black list. Sure its easy to remove, but since T-Mobile and Danger use their blacklist it means everyone in my company loses email going to their wireless devices.

The guy running it is friendly, but I can't say I agree with the notion of these honeypots allowing spammers to send mail to my servers as them, then penalizing me for responding to the spam with a 'WTF' message (automated or not), esp since real money (our monthly services fees and wireless connectivity) is being flushed down the toilet when this happens.

Anyone with evil intent can pick a vitcim domain, send a buttload of 'spam' to it with a from address of one of these honeypots and get the victim domain blacklisted.

Yes, we asked Danger/T-Mobile to not do this to us. It would be pretty hilarious to imagine t-mobile even understanding the nature of the question much less doing something about it.

Re:spamtraps...

they would have to use the ipnumber of that certain host. Once mx owners are contacting us about it that mx will be whitelisted if possible.

Re:spamtraps...

[Rik+van+Riel]

Note that while Spamikaze is still pretty early in its development (we've got some fancy ideas on how to make it really fly), PSBL already seems reasonably popular.

I hope that means Spamikaze is going in the right direction... ;)

Re:spamtraps...

[Rik+van+Riel]

Most of the spamtrap domains (for PSBL, at least) do have SPF records. However, they get ignored by a lot of Challenge/Response Authentication Protocol (hey, that spells CRAP - coincidence?) software...

Whenever a false positive is pointed out to me, I add a regular expression to the software to make sure that challenge/response software, mailing list manager or MTA bounce type will not result in future listings. It doesn't help that many MTAs appear to be sending out bounces that aren't RFC compliant.

Note that I cannot control what other Spamikaze lists do - but they do tend to get most of my regular expressions whenever they update from CVS ;)

Re:spamtraps...

In a nutshell, it sets up spamtrap e-mail addresses, and any IP that sends mail to that address is automatically added to the blacklist, and further mails from it are rejected at SMTP level.

You mean if I don't like somebody, all I have to do is email them, and they perform a self-DOS by refusing to accept mail from anybody using my ISP?

The joys of large-scale filtering

the university where I work has some fairly effective spam-killing filters set up.

We frequently see the following interesting fun:
a) People emailing us from blacklisted domains asking what's up. We inform them to complain to their ISP or use a different one.

b) spammers wanting through our filters so they can spam the 20k folks on our network. These are the most fun. I got to watch as the senior network engineer composed a 4000 word message to totally demolish any sort of hope the spammer had, and actually locate the physical address of the spammer. We got an "oh, sorry" reply, and heard nothing since.

Re:The joys of large-scale filtering

[weijiao]

To some extent this is delusional thinking that suits the sysadmin - not business.

We, unfortunately, have this situation happen to us from time to time. In the worst cases the email is just dumped (not bounced) and we only find out about it when the client complains.

We are unable to change our ISP because they "own" the building but the real problem is further up line - again it cannot be changed by us or our ISP. Up-line they are presumably too busy running spam for US based spammers to care.

We just explain to our clients that their IT staff are probably not savvy enough to set up a system that detects spam but allows business email through. We refer them to people who are savvy. :-)

Once they realise that their IT person is actually preventing incoming business reaching them, things change.

Universities, of course, remain isolated from commercial pressures.

Re:The joys of large-scale filtering

[CritterNYC]

We are unable to change our ISP because they "own" the building but the real problem is further up line - again it cannot be changed by us or our ISP. Up-line they are presumably too busy running spam for US based spammers to care.

Perhaps it would be far more savvy of you to contract with a Good(TM) company on a clean network to run a mail server for you. It wouldn't matter who your ISP was.

Re:The joys of large-scale filtering

[sjava]

that's not necessarily possible in China where, unless I'm mistaken, he's from..

Hmmm

Then again Mail providers aren't do as much to stop the proliferation of trojans, let alone spammers. How about not-permitting the sending or receiving of .exe and .vbs attachments. I bet this would cut down nearly 50% of infected computers since many people I know get a virus/trojan through their hotmail or yahoo account because of their ignorance. And if people bitch...read the modified TOS, gotta love those :p

Re:Hmmm

.exe is scanned by yahoo, I am not sure about .vbs. However, vbs and exe's dont run on my system. They just get passed along.

Re:Hmmm

[nolife]

Hotmail uses Mcafee and Yahoo uses Norton to scan attachments for viruses. I know those scans are not 100% effective but orders of magnatude more effective then your claim of 50% infection from them. I think the people you know that are blaming Hotmail and Yahoo should be blaming themselves or the software on their own computers.

Postfix can help, even with no Spamassassin

[gtoomey]

I recently changed to Postfix as my Mail Tranfer Agent.

The Postfix Spam Controls have reduced my spam by 95% without using compex spam filters like Spamassassin.

Re:Postfix can help, even with no Spamassassin

Then you don't get much spam in the first place.

Re:Postfix can help, even with no Spamassassin

[Seraphim_72]

Uh...huh ....You let me know when postfix is easier to config than SpamAssassin ... I am betting that you will never call.

Sera

Re:Postfix can help, even with no Spamassassin

[gtoomey]

With Postfix, you just configure the spam controls once. It works straight away. Postfix is VERY easy to install/configure from sourfce.

With Spamassassin, you need to train/fiddle with rules after installation.

Re:Postfix can help, even with no Spamassassin

Comparing Postfix and Spamassassin is like apples and oranges. Postfix can stop lots of things spammers do but not everything. Those of us with any decent sized domains do use filters, simply because no type of basic checking the SMTP server does can cut it. This is coming from someone who does know what they are tlaking about, and I can assure you postfix alone isn't the end-all solution you make it out to be.

Re:Postfix can help, even with no Spamassassin

No actaully, you dont.

Just use a Whitelist

No spammer is going to authenticate individual messages to get them through a whitelist. Whitelists eliminate 99.9% of spam!

Re:Just use a Whitelist

[Eric+Giguere]

True, but if you're in a business (like book writing) where you want people you don't know to contact you, it's far from ideal. That's why whitelists don't appeal to me.

Eric
Palm Database Programming: The Free Electronic Edition

Re:Just use a Whitelist

[Tim+Ward]

Whitelists also eliminate 100% of approaches from potential new customers ... it's not entirely clear how I could earn a living if I did that.

Re:Just use a Whitelist

[bigberk]

Whitelists also eliminate 100% of approaches from potential new customers ... it's not entirely clear how I could earn a living if I did that.

I know what you mean. Free tip... SpamProbe (from procmail) with the PBL database option. I have three accounts with SpamProbe running on them, the database size is stable at 15 MB each, with accuracy rates on each account over the past week: 98.7%, 99.2%, and 99.5%. The filter is damn accurate, and very fast.

Spam from Media Dreamland, now from Big Time Fiber

[Serious+Simon]

During the past months I have been receiving on average 3 to 4 spams per day from the IP range of Media Dreamland. These spams are cleverly constructed so that they are difficult to filter out automatically, and as they use a whole range of IP adresses and varying domain names, these are not likely to wind up on a blacklist.

I added rules in my .procmailrc file to block all e-mails from the IP range of this company, this has worked very well for me (100%/0% positives/negatives)

Interestingly, since a few days I was again receiving quite similar spams, and this time they originate from the IP range of a company called Big Time Fiber. It turns out that the spams from Media Dreamland abruptly stopped after 10 november (spammer kicked out?) and after a few weeks the spammer apparently found a new hosting service.

I put the following lines in my .procmailrc:

:0 H
* ^Received:.*\[204\.9\.24[0-7]\.
{
LOG = "[!!!! Big Time Fiber] "
:0
/dev/null
}
and just this morning I found the following entries in my procmail log:

[!!!! Big Time Fiber] From rolffarris@newssign.net Sun Nov 21 00:16:08 2004
Subject: Would you like to stop smoking?
Folder: /dev/null 1550
[!!!! Big Time Fiber] From benniemilburn@minisaver.net Sun Nov 21 01:55:43 2004
Subject: Apple 17" iMac G5 Desktop!
Folder: /dev/null 1705
[!!!! Big Time Fiber] From rhettsmallwood@bigtopsavings.com Sun Nov 21 03:36:04 2004
Subject: Mortgage interest rates are at their lowest point ever.
Folder: /dev/null 1739
[!!!! Big Time Fiber] From bruce.tillery@e-goodstuff.com Sun Nov 21 05:20:55 2004
Subject: Women, something to rock your world
Folder: /dev/null 1565
[!!!! Big Time Fiber] From donovanragland@e-goodstuff.net Sun Nov 21 07:06:03 2004
Subject: Test & Keep an IBM Laptop - Product Testers Wanted
Folder: /dev/null 1623
[!!!! Big Time Fiber] From gilcolvin@bigfoodsavings.com Sun Nov 21 08:46:04 2004
Subject: You can be smart! Folder: /dev/null 1563

As you can see from the type of domain names these spams are probably from one spammer.

In the past I have received spams using the same trick from Webhostplus, Pharmakon and Aphrodite Marketing, but the spammer (now) operating from Big Time Fiber IP range appears by far the most active.

See also http://ws.arin.net/cgi-bin/whois.pl (fill in "204.9.240.164" in the search box)

What if...

[Christopher_Hansen]

we just ignore spammers, will they go away?

Re:What if...

[ForestGrump]

if "we" as in the slashdot crowd...no. We're peons when it comes to "the world".

If "we" as in the entire world...yes

Re:What if...

No. There's always some morons that buy crap and spoil it for everyone.

Re:What if...

[sjb21043]

There's more to it than that. You have to be ruthless in applying this rule to yourself. Have you ever spent money as a result of receiving an unsolicited email? Then you're part of the problem.

It's not good enough to say "Well, there was just that one time". That's what they want. If you respond to one in a million unsolicited ads, then the system works, for them, and won't stop.

Ignoring them won't make them go away - because "ignoring" them really means that a very large number of people have to be disciplined enough to refuse to buy something - no matter how much they want it - if they received spam on it.

Re:What if...

[HermanAB]

Yes, they will go away once Cisco makes spam rejecting routers and all ISPs use them to drop spam packets in /dev/null.

Spam and viruses only works because the majour ISPs are stupid and don't give a hoot.

Whois is useless in .AU

[MavEtJu]

Unlike the harvester, there's lots of information about the outfit behind the spam. The whois information points to an Illinois-based direct marketing company, Expedite Marketing Corporation.

Look at the output of "whois foo.com.au". It has absolutely no information at all. Yes, it gives two email addresses, but for the bulk of the domains the information of incorrect or outdated.

Ab-so-lu-te-ly useless if you're chasing problems.

what does work...

[bani]

...is forfeiture laws.

any property used in the commission of a crime (in this case, relay rape, botnets, spamming, etc) is seized and auctioned off to the public.

it's even better than destroying their property -- its taking their property away from them altogether. their home, their car, their computer, everything.

Re:what does work...

[ModernGeek]

Yeah, that idea sounds less illegial, and allows for us to benefit. Think: Cheap servers and cars for all!

Re:what does work...

[jokumuu]

But the problem is, a singl low end PC can send out quit many Spam messages. So the loss of such dos not hurt them a lot.

Re:what does work...

[bani]

im quite sure their house and car will make up for it.

ill gotten gains and all that. all forfeit.

Re:what does work...

[Dorsai65]

There's currently no penalty for being stupid/careless enough to let a machine be zombie-fied. Why not impound the zombie machines, too, for a while (say a couple months) for "investigation" before returning them. A few stories in the press about how umpteen hundred zombie machines were seized might accidentally motivate more folks into securing their systems.

Re:what does work...

[miskatonic+alumnus]

That is absurd. You have to be diligent to keep a machine secure. How many people have time for that? Who is going to train them? Do you jack up your car every week and check the bushings, differential grease, electrical connections, thickness of the tread on your tires, radiator fluid level, etc. Maybe the government should do that. If your car is out of spec it will be impounded.

Re:what does work...

[Dorsai65]

I'd expect that the majority of the zombie-fication could be stopped through the simple expedient of installing a firewall (or even firewall software). There's also the situation of the idiots that think antivirus software lasts forever, and don't keep it updated. Finally, there are the morons that click on any damn thing that shows up in their email.

Having a few machines seized for a couple of months would convince the rest that computers aren't as maintenance-free as they think. No, I don't jack up my car every week or any of the rest of that (other than checking the tires and fluid levels); but if the brakes start making noise, the car is pulling to one side or the other, and a fender is falling off, yes, I would get it tended to. Keeping a computer virus/trojan/zombie-free is no different than making sure the cars windows are clean, the brakes work, and that it isn't burning oil: basic maintenance that SHOULD be assumed when one assumes the liability of operating it "in public" (on the net for computers, on the highway for cars).

Re:what does work...

[WoBIX]

Forfeiture laws don't work. Look at the beginning of the "War on Drugs" when people actually lost their houses and cars for getting caught with POT, not just the hard drugs. People still kept buying and selling drugs. Deterrents don't work very well because people don't expect to get caught. It's always "the other guy" whose stupid enough.

Re:what does work...

"what does work ... is forfeiture laws"

What forfeiture laws do is provide an irresistable incentive to police to entrap other people, because they get to keep the money. It's the primary reason why 1 out of every 100 U.S. citizens is in prison right now, and why the majority of them are nonviolent small-time drug offenders.

Forfeiture laws are a really, really bad idea.

Idea for big honeypot

[bigberk]

What if you find some old domain that used to get substantial mail traffic, but hasn't been used in like 5 years or something (expired). Spammers don't stop sending spam when addresses disappear (contrary to intuition), so if you purchased that domain you would start getting a huge amount of spam, using a wildcard. Also, it would be virtually guaranteed pure spam! Would be neat... anybody know of any old domains like this?

Re:Idea for big honeypot

That's actually similar to what Brightmail does now (and has actually received a patent on).

While that works to get a lot of spam, what seems to be unique about Project Honeypot is that they are actually tracking down the IPs of the harvesters that are stealing addresses. What they could do at some point after they get enough data is create a new kind of RBL. Instead of blocking SMTP traffic they could block HTTP of known harvesters.

Imagine a day when you could safely put your email address back online. Maybe a pipedream, but seems like this service is the first step if it's possible.

Re:Idea for big honeypot

[iphinome]

sure just pay attention to myownemail.com the're bad about renewing, I bought one domain they didn't want because I wanted my email address back. Tons of spam. And tons of complains about spam from people who don't read headers and don't know there's ZERO outgoing mail from the domain

Re:Idea for big honeypot

[jms1]

That's what I'm doing with delete.net, one big honeypot. Anything sent to it is automatically forwarded to spamcop, and the sending IP is added to the "rbl.delete.net" blacklist, which I use for my own server, but do not recommend anybody else use because there is no automated removal process- it's all manual and it's all whenever I feel like getting around to it.

I'm also serving an SPF record for delete.net which tells any interested server that there are no valid IP addresses which are allowed to send mail claiming to be from that domain. Anybody whose server checks SPF for incoming mail will automatically know that any messages claiming to be "From: slashdot@delete.net " are forged. (And yes, I put what looks like a real email address just to bait any harvesters which may be reading this.)

I read the article.

[bs_02_06_02]

Curious, I punched up the IP address (69.6.66.17) in my web browser, and I get the default IIS page, telling me there is not a default web page... blah-blah-blah.

So this clown is either stupid and someone really has hacked his box and it's a zombie, or he's playing dead, and has set up the box to appear hacked, and is happily harvesting email addresses anyway. Either way, boxes like these should be shut down. Who leaves an unprotected IIS box exposed to the internet?

I'm curious if anyone is able to resolve that IP address to a street address. It has to be static. Get someone over to that address, see what's going on with this clown.

Re:I read the article.

[Christopher_Hansen]

The default page on my IIS server does not look like that, someone has made it. The line break is grey on mine (not blue) and the 'i' image is much smaller. Not to mention the content is different.

Re:I read the article.

They have a gateway page to keep prying eyes out. I've seen it quite a few times in recent spam. For example, the spammer can include links like:

spamsite.com/?code=A2LKJ34AOD012LNVLA9OO38

The codes can be generated in such a way that they are unique to each message sent (for example, they could be a hash of the TO address). Without a valid code, you get a page like that one you saw. Lets the spammers track who's visiting their sites, and block the prying eyes of anti-spam activists.

I bet there's a good chance that's what's happening here.

Re:I read the article.

[Technician]

Anybody run a trace route to the IP address 69.6.66.17? My pings are stopped at my ISP border. Routing information may give hints to the physical location.

Re:I read the article.

[hdparm]

21 papa.emcmailserve.net (69.6.66.17) 228.349 ms 227.518 ms 227.642 ms

21st hop from Auckland/NZ through AT&T

Re:I read the article.

[hdparm]

Forgot this:

Registrant:
Expedite Media Group
(DOM-1307088)
245 West Roosevelt Rd West Chicago
IL
60185 US
Domain Name: emcmailserve.net
Registrar Name: Alldomains.com
Registrar Whois: whois.alldomains.com
Registrar Homepage: http://www.alldomains.com

Administrative Contact:
Expedite Media Group
(NIC-1586933)
Expedite Media Group
245 West Roosevelt Rd West Chicago
IL
60185 US
abuse@expeditemg.com +1.6308768066 Fax- +1.6308768146
Technical Contact, Zone Contact:
Expedite Media Group
(NIC-1586933)
Expedite Media Group
245 West Roosevelt Rd West Chicago
IL
60185 US
abuse@expeditemg.com +1.6308768066 Fax- +1.6308768146

Created on..............: 2004-Sep-07.
Expires on..............: 2005-Sep-07.
Record last updated on..: 2004-Sep-07 10:20:30.
Domain servers in listed order:
NS.X-DNSSECURE.NET 69.6.66.8
NS.Z-DNSSECURE.NET 69.6.66.2

Re:I read the article.

[hackstraw]

Whats even worse are spam mails advertising URLs that dont even have a working forward DNS entry (or at least yet).

Fuckers.

Re:I read the article.

[eric1207]

the domains Dmkworld.net and E-mrktng.com are hosted off of 69.6.66.17 [according to whois.sc]

whois.sc also traces to like United States - Illinois - Bloomington - Expedite Marketing Corporation or something...

Re:I read the article.

[WoodstockJeff]

The 69.6.0.0/16 subnet has SO many spam sites in it that our policy is to "soft bounce" anything coming from within that subnet until we can determine if it is legitimate. If it isn't, we introduce a hard bounce on the /24 subnet in question. If it real, though, we add a bypass for the affected IP (sometimes subnet), so it can go through.

Checking our filters, there were 120 subnet listings within 69.6.0.0/16, and none are marked "OK"! I say "were", because I just took the time to consolidate a lot of the adjacent subnet listings. The 69.6.66.0/24 subnet was first added to our filters in June of 2004, because of proxy-like activities (faked HELO addresses, MAIL FROM the same as the TO address, etc.).

Re:I read the article.

[lemonjelo]

I do that with any website I setup as well. Actually, I deny any request that isn't to a valid domain (virtualhost) on the server.

It seems the order of Apache means that it still gets parsed though, so while the access_log isn't filled with worm requests, the error_log does show invalid URLs and such.

Ignorance of HTTP 1.1 vhosts

more than one website can be hosted on a single server with one IP address, so its not at all unreasonable to have a default page when you visit the IP address as the URL.

Distributed Harvesting

[tmk]

Why should a spammer harvester mail addresses by himself? There are so many viruses, trojans etc out there: The Army Of Lamers can do it for him.

Have a look at this.

Re:Spam from Media Dreamland, now from Big Time Fi

[Pathwalker]

As far as I can tell, bigtimefiber is media dreamland.
www.bigtimefiber.com resolves to 69.42.98.5 which resolves to host-98-5.approvednews.com.

A lookup on approvednews.com shows that it is owned by:

Media Dreamland Inc
5546 Camino Al Norte #2-278
N. Las Vegas, NV 89031

This can easily be defeated

[Ge10]

All the spammers have to do is to filter out the domains of known honey pots. Even with the donation of additional IP's by vounteers, this would be trivially easy to do.

Re:This can easily be defeated

In which case, if YOUR domain is one of them, you won't need to worry about spam anymore, will you?

Re:This can easily be defeated

yep - which is exactly why i just donated an mx entry on the site....

Re:This can easily be defeated

[jmv]

Except that:
1) How do they know the IPs of honeypots? Unlike harvesters, honeypots are passive.
2) All it would mean is that as long as you're hosting a honeypot too, the rest of your site is safe.

Re:This can easily be defeated

[WoodstockJeff]

What are they to do when the "honey pot" addresses are for the domains they're also targetting for spam? Our web pages serve up one trackable, but undeliverable, spam trap address per page view, which isn't visible to humans, but would be caught by any harvester. They're within the domain of the page being viewed, and would be obvious to a human as being fake.

One of these days, I'll automate the blacklisting of domains and IPs when these spam trap addresses are hit... Would save me a dozen manual postings per day.

The stakes are getting higher...

[Chordonblue]

You know, I think it's really cool that this guy is getting his jollies going after these scum but he may want to tone down his direct involvement with these people or at least do it more quietly. Why? Until recently, jail time wasn't even discussed as a possible punishment - now it's a harsh reality.

Faced with jail time I wouldn't be surprised to hear of some spammer tracker getting killed (or beat up) for his efforts to report them. We already know the kind of people that are mixed up in spam so it doesn't seem like to far a stretch...

Re:The stakes are getting higher...

[mOdQuArK!]

Frankly, I suspect it might be easier to find people who would do that to the spammer...

Re:The stakes are getting higher...

[scifiber_phil]

I had not considered these implications. I am so disgusted with the way things are going. So now fight back against the abuse, and YOU suffer the bad consequences, including physical harm? One thing though, if such a thing did happen, the public would probably really want the authorities to put the spammer's heads on pikes.

Re:The stakes are getting higher...

[bigberk]

I think it's really cool that this guy is getting his jollies going after these scum but he may want to tone down his direct involvement with these people or at least do it more quietly

The real risk is getting DDOS's by angry spammers. It is hurtful, costly, and yes it does happen a lot! Remember, spammers already have the zombie networks to conduct the attacks from. Victims to date include monkeys.com, osirusoft.com, SPEWS, Spamhaus, and even SpamCop. The first two services died as a result, but the rest are still running despite the attacks.

This should remind us as network admins why it's important to block access to known spamming/zombie IPs, as they are nothing but trouble. The compromised hosts are used to spam, conduct attacks, and steal information and resources. It's a major problem, do not expect this issue to go away as long as network security takes back seat to business and "convenience".

Re:The stakes are getting higher...

[saur2004]

Hmmm. Serious question. Has anyone setup or thought of running a blocking list based strickly on known zombies, kind of like the focus over at RFC ignorant?

I dont know if such a list could be made usefull though.

Re:The stakes are getting higher...

CBL is essentially that. It's also imported into spamhaus's XBL. Yes, we know where the zombies are.

Re:Spam from Media Dreamland, now from Big Time Fi

[MntlChaos]

::snip:: Folder: /dev/null ::snip::

::snip:: Folder: /dev/null ::snip::

::snip:: Folder: /dev/null ::snip::

::snip:: Folder: /dev/null ::snip::

::snip:: Folder: /dev/null ::snip::

::snip:: Folder: /dev/null ::snip::


Wow! I think that bit bucket might need to be emptied soon!

Education?

[miyako]

What I don't understand is, with all of the negative publicity that spam gets, why do people still buy stuff from spammers? Although everyone claims to hate spam, I recall reading an article on /. a while ago that said as many as 10% of people buy stuff from spam, this just seems ridiculous to me. If I were walking down the street and I saw what looked like a delapedated, possible condemned building, and as I walked by 50 guys with crudely made signs ran outside surrounded me screaming "buy our product" I sure as hell would do whatever I could to get out of the situation, spam is the digital equivilent of this, yet people still buy into it. I guess it's that too many people think GIGO means Garbage In Gosple Out. As long as there are people buying the products though, there will never be a technological solution to the problem of spam.
I guess stories like this could help by showing what creeps spammers are, but the only people who are going to read articles like this already know the evils of spam. Perhaps we need to get a bunch of donations and run a commerical during prime time reality tv equating spam to terrorism?
Anyway, sorry for the somewhat offtopic rant, just been rather upset with spam more than usual lately, an email address that i've had for almost 4 years that never got a single spam has finally been getting inundated with it because some fucktard had to go and put my address in a CC with 100 other people for some stupid chain letter, and then one of those machines got pwnd and now the address is out there (BCC PEOPLE, IF YOU HAVE TO SEND THOSE DAMNABLE CHAIN LETTERS TO SO MANY PEOPLE LEARN TO USE BCC FOR $diety SAKE).

Re:Education?

[adzoox]

The interesting thing is Slashdot seems to be the #1 place (that I have seen) that readers regularly bash SPAM, but that also participate in one of the the MOST MASSIVE email campaigns I have ever seen - the FREE iPOD DEALS.

Look in just about any thread here on slashdot - you'll see a dozen signatures with people linking to THEIR free iPod link so they can get their required 5 people to join.

What happen is your email is INSTANTLY sold to OptInRealBig when you sign up for this page. OptInRealBIg in turn - is also a harvester - but they can legitimately prove they buy email addresses. So, if quetioned by novice understanding authorities - they can prove they are legit.

Point is - the very people that complain about it [slashdotters] - as far as I can see - are the main contributors to it.

People also fall for these emails from websites like wotch.com that have little funny flash cartoons. People forward these sites to dozens of their friends - which in turn - each of those emails are harvested.

It kinda is like the election scenario - the people that complained the most either didn't vote or couldn't vote!

Re:Education?

[hugesmile]

There are some SPAM's that will continually entice people, regardless of the amount of education. And unfortunately, I think that there are reputable companies that are unwittingly behind them.

Spammer sends out millions of emails touting an unbelievably low "m or tga ge | r ate". Are you interested in a 30 year, no points fixed 1% interest rate? If you're shopping for a loan, then absolutely.

Suckers check it out. "Want information? Someone will be contacting you shortly. Just give us a little information.. name, phone number." The average person on the street - even SPAM haters - will think "This is probably too good to be true, but I'll check it out with a critical eye... I probably won't finance through this scum, but I better know what the going rate is, so I don't get screwed by my local bank...", and they submit their personal information

Now spammers have a huge list of people shopping for a mortgage. This list is transferred to a semi-legit shell company, who sells it to a completely legit Fortune 500-sized major banking institution. The major banking institution has no idea that these names are collected via SPAM. Under inquiry, the semi-legit company can claim that they "purchase lists of people shopping for mortgages and aggregate them".

Customer gets a call from some Fortune 500 size bank coincidentally asking if they are shopping for a loan, which they are. The Fortune 500 Bank has no clue that there was an offer of 1% 30 year loan, and the sucker has no idea how the major bank got their name. No one's pissed except the 99,999,999 people that were annoyed by the email. And the system continues.

You'll never rid yourself of that problem with education, unless we educate the major companies to consider their sources when buying lists! And even then, since the lists tend to work for the big companies, the problem won't go away anytime soon!

Re:Education?

[fdiskne1]

I was giving someone help with their email, saw a spam in their mailbox and commented that if they sent it to me, I'd adjust the filters so it doesn't get through in the future. This was most definitely from a spammer. They said, "No, I ordered something from them. I expect their email." When I told them the reasons they should never, ever buy anything from spam, they said, "But that's where I get the best deals." I re-iterated the reasons against it, but they didn't care. As long as they got a good deal, that's all that mattered to them. I suppose they won't learn until they get taken on one of their "good deals".

Re:Education?

[bergwitz]

Perhaps we need to get a bunch of donations and run a commerical during prime time reality tv equating spam to terrorism?

Though I wouldn't equate spam with terrorism (it doesn't kill people), a TV commercial campaign could actually have an effect. My guess is that it is the most uneducated internet-users who actually buy from spammers, so TV would be a better medium too reach them through.

Re:Education?

[pongo000]

What sigs? I don't ever see poster sigs...oh wait, that's probably because I chose not to...

Re:Education?

[lakeland]

There are a few flaws in your analysis.

1) You assume all slashdot readers are alike. While we are are all much more alike than a random cross-section of the population, we are far from being alike. Some of us could be seen to contribute to it while others are fighting against it.

2) You've say we're hypocrites for complaining about spam that we've caused, yet the two examples you give of us 'causing' spam have only the most tenuous causation link. Apparently by not reading the fine-print on the iPod deal we deserve to be spammed, and similarly for enjoying advantage of some flash gimmick.

The thing I see in both of these cases is that we wanted a free iPod and a free gimmick, and possibly didn't bother to read some fine print. Imagine going down to the hardware store and seeing a deal "Sign up for a free color consultation", then after the consultation you get dozens of phone calls selling products that match your color choices. You're going to be pissed, right? Essentially, you got suckered at the hardware store, and the slashdotters got suckered at the free iPod website. Yet because there was a contract of sorts in both cases, you believe it was legally ok, and therefore morally ok?

Around here, there is a provision in contract law that if the contract contains a clause which a reasonable amount of care would not have noticed, then that clause is automatically voided. Crudely put, buying a $20 phone you're not really expected to read the contract, but buying a $20,000 phone system you are, but if that contract refers to documents that weren't available at the time then you might not have been expected to read them. Now, I admit I sneered when I first heard about this -- if someone is stupid enough to sign away their rights, then I thought they deserved whatever they got -- maybe they'll learn next time. But, the older I get, the more I understand that people are busy with their own little corners of existence and are largely clueless outside those corners. So it is essential to have laws like this in order to protect people.

3) You say we contribute to the spam problem. Yet I fail to see how we have either spammed, or encouraged spammers through either financial or technical means. At worst, we have inadvertently providing them with a loophole. That doesn't count as encouraged in my book.

4) I have no idea how you're trying to draw parallels to the election.

Yuhu!

That particular spammer offers a newsletter on his homepage. Please wait, I will just sign in...

I also have no fear

[Pseudonym]

Spam this:

ajb@spamcop.net

I figure anyone who spams SpamCop deserves what they get.

Re:I also have no fear

By now, most of the address harvesters probably just add the address ajb@cop.net when they encounter that address.

Re:I also have no fear

[Pseudonym]

True. Apologies to the fine people at cop.net who have just had their bandwidth killed.

Contract in the email address

[subterranean]

Timestamped ip addresses will get you closer to the email address harvester, but I have another solution that targets the business claiming that you opted in to their spam. Make contracts in the email address enforceable by law. If you send a message to sender.agrees.to.pay.me.500.usd.for.processing@mys ite.com, I have the option to collect $500 from you.

"hundreds" ?

resulted in hundreds of pieces of junk postal mail flooding Ralsky's million-dollar home.

So what you're saying, is he gets just as much junk snail mail as the rest of us do? Doesn't sound like we made much impact, to me.

Address hiding

[Craig+Ringer]

I'm in a similar situation - a search for 'craig@postnewspapers.com.au' on Google returns a fairly hefty number of hits. Slightly more than your address, in fact :-P

I get massively less spam than you - around 300 a day, though most of it gets stopped dead at the mail gateway by ordb.org and dsbl.org checks. I get about 100 or so spam actually delivered, and SA (set to be pretty forgiving) filters out all but 10 or so per day. I don't envy being in your position.

Viruses, however, are another story. I haven't seen one in six months - it's fantastic. A combination of some postfix rules and ClamAV on the internal (sendmail) mail server did the trick. If you run postfix at your mail gateway, you can get it to check incoming mail for suspicious filenames before it even accepts the mail:

main.cf:
-----
mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks_pcre

mine_header_checks_pcre:
----
# Try to kill common Windows executables early, and give a useful message
/^Content-(Disposition|Type):.*name="?([^ >;]*)\.(exe|bat|com|pif|vb|lnk|scr|reg|chm|wsh|js| inf|shs|job|ini|shb|scp|scf|wsc|sct|dll)"?/ REJECT Microsoft Windows Executables (like suspect file "$2.$3") not accepted here. If you were sending a self extracting zip file, please send a non-self-extracting version instead.

(note: the regexp and message are all on one line, though I should move to an extended regex and split it up).

*blam*. There goes 99% of your incoming virus mail. ClamAV gets the rest, so I just don't get viruses anymore. Best of all, you're not generating bounces for virues, you're rejecting them instantly - so unless they're using some dumb bastard to relay, there won't be any mess of bounces to falsified addreses to worry about.

What about the new waves of self-zipping viruses, you ask? Yeah, that's an issue. I cheat and quarantine all zip files. I rarely have to retrieve one, and it's well worth the saved fuss.

As for mail programs, I'm happily using Evolution with IMAP over a 512k/256k effective link to work's Cyrus IMAPd server (all this stuff is set up for work). It works great, and I'm able to use 20,000 message mailboxes without noticable stress. Sieve (the cyrus IMAPd filter language) filters everything into the right mailboxes server-side, so if I'm in a hurry I just read my (always small and managable) INBOX without worrying about my lists.* folders, the (server-side filtered) Junk folder, or anything else.

It's great.

Re:Address hiding

[astrotek]

really? no virii? I get like 10-30 a day. They even even have "this has been cleaned by norton AV" or something similar.

Re:Spam from Media Dreamland, now from Big Time Fi

What? Why?

You work far to hard. Just use Spamhaus' sbl-xbl DNSBL zone and you'll never see this spam from Bill Waggoner.

Oh, if you were in Atlanta last week at the Inboxer show, you could have thanked Bill in person.

Not "Offtopic", but wrong anyway...

[Dogtanian]

Whilst I disagree with much of what you say, I disagree more with the mods who declared this "Offtopic". It's more on-topic than half the comments in your average Slashdot discussion. Anyway...

An individual imprisoning someone else without cause has done A Bad Thing, and should be punished.

Does this mean the state shouldn't imprison someone who has committed a serious crime (including the person just mentioned)?

In general, this means we can't punish anyone because it'd be unfair for anyone to have that happen to them without having done anything wrong.

No one should have to endure the pain and annoyance of spam: it's the scurge of the online world. Not even the spammer, who may be in his business because of factors outside his control like debt or bills for an illness in the family, etc.

Personally, I don't think spamming a spammer would be appropriate punishment, because it doesn't have the same effect as spamming a *large* number of *separate* people. But I disagree with the logic used in your argument against it (see above).

I also disagree with "poor spammer" argument; this could be used to justify all manner of crimes. If the spammer is poor and desparate, this should be taken into account by the courts when sentencing.

And if they're sitting on their lazy ass in a luxurious house with four expensive cars bought on the proceeds of their business, this should also be taken into account.

Spam == bad. Victimization == bad. Why do people conflate the two?

It's not victimisation. It's a punishment "appropriate" to something wrong being done. As mentioned above, I don't think it's as appropriate as it appears at first, but that's beside the point.

Re:I know if I had the physical address

[JaredOfEuropa]

That's what I miss on the Project Honeypot site statistics! It lists nr. of spams received, servers identified, etc, but I want statistics on the follow-through as well!
- Nr of scumbag spammers identified.
- Nr of bookclubs, cooky sects and mail order firms these spammers have been signed up with.
- Nr of spammers served/sued.
- Nr of spammers drawn & quartered by angry mob.
Come one... inquiring (and vengeful) mind wants to know.

It's a percentage

[Craig+Ringer]

Minor problem: A percentage stays the same if you multiply the base quantity it refers to.

5% is still 5%, whether over 100 messages or 100,000.

I can personally attest to good results with a wee bit of work on my Postfix config. I was unwilling to be as draconian in my policy as this poster must've been, so I was only able to block about 60%.

Tracking down a spammer in my home state

[adzoox]

I have been doing a little tracking down of a Spammer myself from my state.

A few months back, when the free iPod craze started - a company in my state started sending out emails from:

Product Test Panel
Consumer Research Corporation
Subscriberbase.com

Saying, "Product Testers Wanted". They would go from hot product to hot product. Sometimes, not even released products - like the Nintendo DS was advertised almost 2 months ago - claiming immediate shipment.

I found that they were in my state by reading the actual email and seeing a location in my state and then by confirming it with whois information.

I then sent off an email to the contact. I got an email from a guy named Brian Benehaley. In typical fashion, all of my accusations were denied.

Turns out, if you Google this guy's name - he has written a well respected piece [respected amongst bulk emailers] about how the Can Spam Act will bring a new renaissance in email marketing.

I have since written the Better Business Bureau about him, found the record for the company is now in the 1000's of complaints

I have contacted my state attorney general which is conducting thorough investigation

I contacted the host ISP - Exodus - they have over 12000 complaints lodged against Subscriberbase.com

I have written a piece that has gotten into Google searches - that receives a few emails and comments each week.

More info about Product Test Panel

It has been quite fun to research this guy and put various internet tools to my disposal.

This was a good story to see what techniques Mr. Wendland used.

Google, Whois, MY BLOG, The BBB online, My attorney general all helped me ...

Re:Tracking down a spammer in my home state

[hackstraw]

I used to get spams ALL THE TIME from SubscriberBase. Fortunately, they are located in the US, and after MANY calls to them I convinced them that it was in their best interest to stop sending me spam.

If you get spam from these guys give them a call at:

803-790-8381

Re:Tracking down a spammer in my home state

[AndroidCat]

Their history goes back 4 years. Currently on iWay Broadband at 64.119.200.36. Spamhaus has iWay listed, ROKSO for Dan and Rosalee Young / JDR MEDIA, and friend Scott Richter .

Bleh!

Harvesting?

bgates@microsoft.com bgates@microsoft.com bgates@microsoft.com
bgates@microsoft.com Don't harvest me! Bill Gates E-mail email

Doesn't make much sense

[Craig+Ringer]

It'd be nice if Postfix was as simple as SpamAssassin. Unfortunately, MTAs are complex - mostly because the Internet and eMail are complex, and because of all the ugly hacks and workarounds required to actually get mail to and from lots of the the utterly broken garbage that claim they're mailservers.

Postfix can, however, be a fantastic front line of defence for people who get so much spam that SpamAssassin alone can't cope, or who want to reduce the considerable system loads imposed by running SpamAssassin on a large volume of mail.

If SpamAssassin does the job well enough that learning advanced Postfix configuration isn't worth your time, that's fine. It _is_ worth it for some, though, and those people don't much care that it takes a wee while - they want to make sure they don't lose mail, and they want to save time in the long term by cutting down spam. Those goals are worth a bit of short-term time cost.

Few mail installations are the same, as few sites have the same requirements and make different choices on trade-offs like false positives vs block rates, and compatibility with broken mail servers. This means that Postfix needs to be configurable.

Given just how configurable it is, I think it does a good job of being fairly easy to configure.

How I stay spam free

[Examancer2]

This is how I keep spam from ruining my email while also catching spammers in the act:

I have a domain (examancer.com) and a cheap hosting company that allows unlimited email accounts. Every time I give out an email address I make up one that will remind me why I gave it out (like slashdot@examancer.com, nytimes@examancer.com, someotherservice@examancer.com, etc...). I don't actually have to set up each account because I have all undeliverable mail sent right to my main account. If I start receiving spam, I just look at which address its sent to and I know right away which company sold my address or which online forum my email was harvested from. If the spam gets too bad, I actually go and create a real mailbox for that address and route it to a black hole... viola, no more spam.

Re:How I stay spam free

But there is still spam flowing to someotherservice@examancer.com which is waiting your or your ISP's bandwidth.

Re:How I stay spam free

[colin_n]

I also do this. Sometimes it is tough when spammers spoof the recipient address. How do you know which address it is going to when the header is spoofed? Sorry if that sounds stupid, but I have never been able to figure it out.
By the way - here is a great quote from the spam website:

"I've got one thing to say about Expedite Internet Marketing, WEBTASTIC!"
-- Merry Black

Re:How I stay spam free

[Spazzz]

I do something similar: When I go to a site that requires a valid email address for "confirmation" or whatever, I append the site name to my email address with a + like this: username+slashdot.org@domain.com The email will go to usernam@domain.com and I can tell right away which site sold my email address to spammers. Doesn't keep me spam free, but certainly helps me track it. Alternately, if you run your own email server, you can just set up a one-time alias that's valid long enough to get your confirmation email. -J

Re:How I stay spam free

[WaterDamage]

I used to do what you do but I had to abandon that idea. That defensive tactic won't get rid of those who setup the spam server to autogenerate millions of addresses to your domain. I still get tons of spam to valid mail boxes where in the "TO" field I usually find 50+ different variations of addresses similar to the actual email address.

Re:How I stay spam free

[Examancer2]

bandwidth that would have been wasted anyways if I had just used one address. And, since I route the spam-laden addresses straight to the trash I'm saving my ISP server space and client bandwidth (since I'm not downloading the email).

Re:How I stay spam free

[Examancer2]

I don't get too much spoofed headers in my spam, and I just kinda hope that I don't start getting more, because tracking that down could be a real problem. If it becomes a problem then I would probably start setting up real mailboxes for the throw-away email accounts, and set up those mailboxes to forward to me, so that I still get the mail, but I can see which box it arrived in. Plus, there is always client side spam filtering (Thunderbird is what i've been using).

Re:How I stay spam free

[Examancer2]

yeah, that would cause me to abadon my plan too. Luckily my domain is under the radar at the moment, so this isn't an issue. If this happened I guess I'd have to start bouncing undeliverable mail instead of forwarding it to my inbox, and just manually set up a new mailbox or alias every time I need another throw away address.

Re:How I stay spam free

Please don't start bouncing that stuff. The addresses in the From: line that you bounce to are always some innocent 3d party, so you just spam for the spammer with your bounces.

Re:How I stay spam free

[gregmac]

I used to do what you do but I had to abandon that idea. That defensive tactic won't get rid of those who setup the spam server to autogenerate millions of addresses to your domain.

I use a subdomain, but otherwise do the same thing. It works well, because the sub-domain doesn't get directory harvest attacks, only the main domain (and I only have a couple valid addresses there). Certainly doesn't keep me spam free, but helps to filter out a lot of it.

Re:How I stay spam free

[Spoing]

If I start receiving spam, I just look at which address its sent to and I know right away which company sold my address or which online forum my email was harvested from. If the spam gets too bad, I actually go and create a real mailbox for that address and route it to a black hole... viola, no more spam.

I do almost the same thing. The mail to abandonded addresses is sent to a spam filter to help train it.

That way if the same spam gets sent to a good address, it gets filtered out.

Re:How I stay spam free

[Spoing]

I use a subdomain, but otherwise do the same thing.

Excellent idea. Thanks for the tip!

Unfortunately

[Bloke+in+a+box]

Unfortunately it's the computer-illiterate people who are are the target of spammers.

They are the ones that don't know how to set up proper spam filters, they are the ones who are stupid enough to give another website their banking details despite having been told by all their friends / family / news reports and other websites never to give their password out.

While there are stupid people with access to a computer out there, spammers will always make a fortune.

Re:I know if I had the physical address

[djdavetrouble]

I knew if I had the physical addresses of these spammers blah blah blah, links his moderngeek.com website, /me does a quick google or 2, hilarity ensues
Slashthugz. Listen, bad boy... I don't think that you, or your friends have the spammers quaking in their proverbial boots. I would be more scared of getting pwned, or molotov cocktailed from your types. Nice macquarium, though.

Alan Ralsky, the alleged mega-spammer

[AndroidCat]

What's with the alleged part? When Al Ralsky alleges it, and so does everyone else, and there's massive proof that he did, you can skip alleged.

Don't make the mistake that if it's not covered by the U.S. CAN-SPAM law, that it isn't spamming, or that someone has to be convicted in a court of law before they can be called a spammer. He hasn't been convicted of being a major asshole, but it's quite safe to call him that.

anti-spamming

[Dorsai65]

Personally, I use a combination of tarpits, poisoning their databases, and a website that is rumored to kill the little bastages.

On the same page where I do all this, I also include links to the House and Senate email address pages, figuring if I get spammed, Congress should, too :-)

Re:Spamgourmet for disposable addresses

[Anomalyst]

For those less technical, you can create unique and disposable addresses that forward to your real account with some other neat features to give you control of how each address is handled and the ability to send from the disposable. They even have open-source on how to setup the mechanisms for your own server. I have no affiliation with the site, just a satisfied user. http://www.spamgourmet.com/

... but its a DRY heave -- me

In my /etc/mail/access you will find

[mi]

[...] 550 EBuyer spams customers
[...] 550 Comp-U-Plus spam customers
[...] 550 Yahoo! turned to spamming

And more. So what if Yahoo! is not peddling "herbal viagra"? They are still spamming -- oh, yes, you can always unsubscribe -- but since I never subscribed in the first place, I don't see why I should be unsubscribing.

I keep a Yahoo! mailbox around -- just in case, and clean it up every once in a while. Yahoo!'s spamguard is a useful tool to keep the outside spam out, but Yahoo!'s partner Motley Fool always gets into my mailbox despite me classifying it as spam several times already.

If the "icons" like Yahoo! are spamming shamelessly, what's the point of going after the darker hats? Spam should be an outrageous incident, then there'd be hope.

As for honey-potting, the simple technique is to use a unique address each time you give your address out. Like mi+ebuyer@aldan.algebra.com (sendmail users don't even need to change anything on their servers for this). Once the address starts getting spam, you know, who squealed.

Want a cheap Rolex watch?

[hellRaven]

... I'm asked about 10 to 20 times a day.
Where has all the Viagra spam gone?

Re:Want a cheap Rolex watch?

You don't really want me to forward all my v14gR4 spam to you do you?

Re:Want a cheap Rolex watch?

[hellRaven]

No, thanks. I've got my own in the meantime (damn...)

-----------------
The L0west price of all med's is here.

V1a'gra - $199.95 (60 pil|s)
Va|ium - $259.95 (100 pil|s)
Cia|is - $189.95 (30 pi||s)
Xa'nax - $233.95 (100 pi|ls)
and many m0reeee.....
-----------------

Re:Want a cheap Rolex watch?

[Dorsai65]

I think I'm getting it on one of my public accounts. You want it back?

Legitimate bulk mailer?

Who the hell would outsource their mailing lists?

They ain't free!

[IO+ERROR]

OK, so I once got suckered in by one of those "free iPod" affiliate sites. And when my inbox went from one spam a week to 30 a day, I knew what happened.

Anyway, if you really want to get your free iPod, this is what you have to do:

• Sign up for AOL 9.0 for Broadband
• Buy $39.95 worth of miracle pills
• Subscribe to the New Yourk (sic) Times
• Opt in to about 412 "mailing lists"
• Enroll in about 32 other shady programs
• Wait 3 months

And if you've done all of that, you're a complete idiot who is going to get what you deserve, and if you think it's an iPod, ha yeah right. Enjoy your spam, sucka!

Save yourself the hassle and just go buy the damned iPod.

Re:They ain't free!

Dude, you forgot your affiliate code on that Amazon link!

Re:They ain't free!

[IO+ERROR]

Dude, you forgot your affiliate code on that Amazon link!

Oh, sorry, try this one instead: buy the damned iPod

:-)

Spammers in Toronto Area

Okay, I've decided to mete out some Vigilante Justice(tm). Does anyone know of a spam house in the Toronto area? Or does anyone know how I should go about researching to find one? As soon as I find one (and have verified it to be a spam source) I'll make my way over there and instill some serious fear in their hearts. Here's (some of) what I'll do:

1.) I'll destroy said spammer's car (or other mode of transport, unless publicly owned), through tire slashing, window smashing, paint scratching, and any other ideas you guys have.

2.) I'll spray paint said spammer's place of business, as well as his/her domicile (unless said spammer has a family present; it's not their fault, right?)

3.) I'll take photographs of said spammer, and follow him/her to his/her neighbourhood. I will subsequently post photographs around the neighbourhood identifying him/her as a spammer to friends and neighbours. I will request and enlist the aid of local merchants such as grocery stores in allowing me to post said spammer's likeness in public areas.

4.) I'll make a papier-mâché head in the likeness of said spammer, and place it on a pike outside said spammer's place of business, along w/ a note threatening that the life of said spammer will be forfeit should he/she send any further unsolicited mail or email.

5.) I'll do any other deeds this forum suggests that I think are viable and warranted.

6.) I'll post pictures of the entire process in an online forum somewhere and announce it for all to see.

So how about it? Anyone want to join my vigilante anti-spam army? I'd wager there's at least one slashdot reader within an hour's drive of any given spammer in north america, and indeed, perhaps even on Earth. Why don't we make a name for ourselves as the group who slayed spam where litigation and legislation couldn't.

Who's with me? Innocent owners of zombie machines can be educated (forcefully or otherwise) on proper operation of a computer, while the true spammers will be made to suffer.

And again... how do I find a spam-house in the Toronto area?

Re:Spammers in Toronto Area

I'll spray paint said spammer's place of business, as well as his/her domicile (unless said spammer has a family present; it's not their fault, right?)

The family of the spammer is living off of the avails of email prostitution. Spray paint them too.

That's what journalism is about

[Animats]

That's part of what journalism is about - taking that risk.

Beating up journalists is hazardous to your health. Some crooks have tried. What happens then is that hundreds of other journalists start investigating the story. TV trucks start showing up in front of the bad guy's house. Stories like "Why isn't this guy in jail yet" appear. Soon, there's heavy police attention focused on the crook.

Few crooks survive heavy press coverage. It's hard to stay in the shadows when there's a TV light in your face.

Dumbass

4000 words, huh? I'm sure he had nothing better to be doing. Let's hope this university isn't public... your tax dollars hard at work.

Re:Dumbass

original poster here:

Actually, there's a lot of downtime at the NOC, as you'd know if you worked anywhere near a network.

Tracking down and persecuting spammers, phishers, trojan distributors, and stalkers is about the best use of his time I could imagine. Would you prefer him to play flash games like most of his coworkers?

I have a slightly better version.

[Inoshiro]

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\ .(ad[ep]|asd|ba[st]|c[ho]m|cmd|cpl|crt|dbx|dll
|e xe|hlp|hta|in[fs]|isp|lnk|js|jse|lnk|ocx|md[etw]|m s[cipt]|nws|ocx|ops|pcd|pi|pif|prf|reg|scf
|scr|s ct|sh[bms]|swf|uue|vb|vb[esx]|vxd|wab|ws[cfh]))"?\ s*$/ REJECT Files attached to emails
that contain or end in "$3" are prohibited on this server as they may contain viruses. The fil
e named "$2" was rejected.

This covers more executable types and is a bit more permissive in the matches to the content line.

Re:I have a slightly better version.

[HermanAB]

Eventually MS will probably have compromized the whole 3 letter permutation and we'll have to block .???

Both you and the previous poster make a mistake

[SmallFurryCreature]

You think of humans/slashdot as a group who all think the same. We are not. Not all /. members are intelligent. Just read at -1 and you will see what I mean.

As for the wider public. In holland we got a tv program "ook dat nog" wich is a copy of a bbc program that highlights people problems with businesses and goverment with what some call humor.

It is/was a pretty popular program with very high viewer ratings. It also been on for years.

At least once per season it would show the hosts informing us about people who been suckered into pyramid schemes and such. Year in year people have been warned that these schemes are pure scams. Year in year out people fall for them.

For the emails that are scams the old saying goes, "you can't scam an honest man". Like those nigerian emails. No honest person would fall for them.

Same with those work from home scams. Honest people who know about things like taxes and being self employed know that it can't be true. If you could make 75 an hour sitting on your couch then why do they have to recruit? You would think they needed to beat the applicants of them with sticks.

Finally you got the viagra and other stuff. This is just aimed at the stupid. You will be amazed how many there are. It is not even stupid as in trailer trash. It is stupid as in not being able to reason enough to see the logic flaws.

Lets face it if there really was a way to increase the penis with natural herbs then it would be sold all over. Men being men even Long Slong Silver would be popping the pills day and night.

Stupid people are everywhere and scammers know this. /. hides them at -1 but sadly there is no moderation system in the real world.

I never seen the ipod links you refer to, try setting your post limit higher. It is less adventurous but saves your sanity.

Re:Both you and the previous poster make a mistake

[Lost+Race]

Lucky you. I read at 4 with sigs turned off and I still see about one free[whatever]scam link a day. (It's not just ipods any more.)

Easy solution

Just walk into a KNOWN (and profiled) spammer's house and put two rounds into his head. Eventually the news will spread that someone is killing spammers and then the fear will get out there. Spam and quite literally end up dead. Sometimes the old ways that worked hundreds of years ago can still work today. When the law is broken, only the lawless will survive.

Re:Easy solution

[HermanAB]

No, bullets are too humane - Vlad Dracul's method is better - 20,000 spammers with stakes up their ying-yangs and all spam will stop...

100% Effective Way to End SPAM

[jayloden]

Stop buying crap from them. Seriously. If it wasnt' profitable for them, they wouldn't do it.

-Jay

Re:100% Effective Way to End SPAM

[hey]

Sadly, no... what about the new guy who want to launch a new business selling some crap and advertisizing with spam.

Re:100% Effective Way to End SPAM

[jayloden]

If no one buys anything from spam, where's the incentive to advertize with it? :)

-Jay

Re:I know if I had the physical address

[ModernGeek]

here is a better picture of me: http://users.moderngeek.com/preston/preston.jpg That one is about 4 years old, the macquarium was cool though.

email harvesters can be a valuable weapon!

[NewtonsLaw]

When it comes to spammers and their email harvesting software, why not fight fire with fire?

Set up your own payback page then check your server logs and smile every time those on that page get added to another spammer's list :-)

Joe Jobbed

[quackPOT]

That works fine until some idiot spammer joe jobs your domain. :(

Addresses aren't too hard to discover

Unfortunately the online records for Oakland County seem to go back to only 2003, at freep and the actual county site sucks ass:

http://www.freep.com/realestate/oakland/

but if you live in the area and you'd like to exact karmic justice by leaving unnecessary parcels up to and including firebombs, I'm sure you could call up the local Oakland County government and ask for access to information on ~$740,000 closings which took place in October or November of 2002, I'm pretty sure they have to give it to you:

http://www.co.oakland.mi.us/clerkrod/contact/

Register of Deeds: (248)858-0605

anyone know of a good exploit...

[the-build-chicken]

...in the harvesting programs? I mean, how seriously cool would that be...instead of publishing the ip addresses for blocking, circulate them for buffer overflowing?

Anyone comment on the practicality of exploiting the harversters?

Anyone know the harverster programs that are most used??

Scott Richter

Actually yes, Expedite, Wholesale Bandwidth, and ALL of that block are owned by Scott Richter. optinrealbig.com. I have been tracking him for months bc of the harvested addresses from my sites.

List of Phone numbers:
OptinRealBig.com: (303) 464-8164
Richter's Extention is: 742
Scott Richter's Cell phone number: 1.303.550.9828

Expedite Testimonials

..from their website. I noticed that the "click here for some of our satisfied customers" link was missing from the FAQ page, but here is a helpful testimonial from Sandra Swohn, a satisfied Expedite customer.

"Expedite Internet Marketing Expedite Internet Marketing Expedite Internet Marketing Expedite Internet Marketing Expedite Internet Marketing Expedite Internet Marketing Expedite Internet Marketing Expedite Internet Marketing Expedite Internet Marketing Expedite Internet Marketing Expedite Internet MarketingExpedite Internet Marketing ." -- Sandra Swohn

Indeed.

use mailinator

[Rastan_B2]

I picked up this link from a thread ages ago mailinator.com - you just make up any word and put it at mailinator dot com and you can go and check your mail at the site. I think the mailbox stays active for 24hrs or similar. Very very useful for registrations and stuff.

Vigilanty justice...

[torrents]

I doubt there is much that an angry band of nerds couldn't accomplish... So hunting down spammers as a hobby/game could help put a dent in spam...

Re:Easy solution-Just filter 'em out!

[iamcf13]

So murdering spammers is your solution to spam? What good will that do? the dead spammer's computing/spamming assets will likely find their way to individuals who can act as suppliers for spammers. It's like the illegal drug trade, the 'mules' are patsies that get busted, procecuted, and jailed while the drug kingpins remain at large ready and willing to entice another 'mule-to-be' with a wad of quick cash for risking their life and their freedom.

Your homicidal approach will only make the smart spammers become spammer suppliers and the dumb spammers doing the actual spamming potential targets for murder.

Ok, how do you go about killing notorious megaspammers who do not live in the USA where most the megaspammers live? By your rationale they deserve to die as well.

Going after spammers is a whack-a-mole proposition.

The best thing to do is to ignore them with effective email filtering. Mounting counterattacks like DoSing the spamvertised sites or filling webforms with mountains of digital garbage is, in the end, a waste of time and resources.

Just filter 'em out!

And nobody mentioned...

[RM6f9]

zwallet? I welcome UCE - I get paid to open and delete it.