Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tech Reporter Pursues Spammer

Posted by ryuzaki0 on from the idle-hands-do-the-devil's-work dept.

girish writes "Technology reporter extrordinaire, Mike Wendland, is at it again tracking down spammers. Wendland conducted the infamous interview with Alan Ralsky, the alleged mega-spammer, a few years ago. That article spawned a lively discussion on Slashdot and eventually resulted in hundreds of pieces of junk postal mail flooding Ralsky's million-dollar home. Now Wendland is using a new tool from a service called Project Honey Pot to track email address harvesters. He posted on his technology blog this morning about catching a company that is holding itself out as a legitimate bulk mailer, but appears in fact to be sending to harvested addresses and conducting on the side some other seemingly seedy businesses. Interesting stuff."

12 of 183 comments (clear)

  1. I have no fear of spammers by MichaelCrawford · · Score: 4, Interesting
    Harvest this, infidels: A long time ago I decided I wanted to make it as easy as possible for potential clients to email me, so I have never spam-protected my email. It's all over a lot of different websites. It's all over Usenet too.

    On the other hand, I get a lot of spam. It's only just beginning to bother me. I have a friend, she gets maybe ten spams a day, and she gets so outraged that she reports them all to the abuse@ addresses and so on. Me, I get a few thousand spams a day. I read my email with elm because it's the only email client that can handle the huge mailboxes I get.

    What's getting me down though are the viruses. At one point I was getting 400 MB a day of viruses. Now I've decided I'm going to set up a virus filter on my home linux box, and use fetchmail and spamassassin and clamav and what have you to filter it, and serve it with imap to my other computers.

    My hosting service tried to filter all the viruses with clamav, but they got so many viruses that it was too much of a CPU load, so now they do only very simple virus filtering, to catch the most obvious viruses without much CPU consumption.

    --
    Request your free CD of my piano music.
  2. The joys of large-scale filtering by Anonymous Coward · · Score: 4, Interesting

    the university where I work has some fairly effective spam-killing filters set up.

    We frequently see the following interesting fun:
    a) People emailing us from blacklisted domains asking what's up. We inform them to complain to their ISP or use a different one.

    b) spammers wanting through our filters so they can spam the 20k folks on our network. These are the most fun. I got to watch as the senior network engineer composed a 4000 word message to totally demolish any sort of hope the spammer had, and actually locate the physical address of the spammer. We got an "oh, sorry" reply, and heard nothing since.

    1. Re:The joys of large-scale filtering by weijiao · · Score: 3, Interesting

      To some extent this is delusional thinking that suits the sysadmin - not business.

      We, unfortunately, have this situation happen to us from time to time. In the worst cases the email is just dumped (not bounced) and we only find out about it when the client complains.

      We are unable to change our ISP because they "own" the building but the real problem is further up line - again it cannot be changed by us or our ISP. Up-line they are presumably too busy running spam for US based spammers to care.

      We just explain to our clients that their IT staff are probably not savvy enough to set up a system that detects spam but allows business email through. We refer them to people who are savvy. :-)

      Once they realise that their IT person is actually preventing incoming business reaching them, things change.

      Universities, of course, remain isolated from commercial pressures.

  3. Distributed Harvesting by tmk · · Score: 2, Interesting

    Why should a spammer harvester mail addresses by himself? There are so many viruses, trojans etc out there: The Army Of Lamers can do it for him.

    Have a look at this.

  4. Education? by miyako · · Score: 3, Interesting

    What I don't understand is, with all of the negative publicity that spam gets, why do people still buy stuff from spammers? Although everyone claims to hate spam, I recall reading an article on /. a while ago that said as many as 10% of people buy stuff from spam, this just seems ridiculous to me. If I were walking down the street and I saw what looked like a delapedated, possible condemned building, and as I walked by 50 guys with crudely made signs ran outside surrounded me screaming "buy our product" I sure as hell would do whatever I could to get out of the situation, spam is the digital equivilent of this, yet people still buy into it. I guess it's that too many people think GIGO means Garbage In Gosple Out. As long as there are people buying the products though, there will never be a technological solution to the problem of spam.
    I guess stories like this could help by showing what creeps spammers are, but the only people who are going to read articles like this already know the evils of spam. Perhaps we need to get a bunch of donations and run a commerical during prime time reality tv equating spam to terrorism?
    Anyway, sorry for the somewhat offtopic rant, just been rather upset with spam more than usual lately, an email address that i've had for almost 4 years that never got a single spam has finally been getting inundated with it because some fucktard had to go and put my address in a CC with 100 other people for some stupid chain letter, and then one of those machines got pwnd and now the address is out there (BCC PEOPLE, IF YOU HAVE TO SEND THOSE DAMNABLE CHAIN LETTERS TO SO MANY PEOPLE LEARN TO USE BCC FOR $diety SAKE).

    --
    Famous Last Words: "hmm...wikipedia says it's edible"
  5. Re:The stakes are getting higher... by mOdQuArK! · · Score: 2, Interesting

    Frankly, I suspect it might be easier to find people who would do that to the spammer...

  6. Address hiding by Craig+Ringer · · Score: 3, Interesting
    I'm in a similar situation - a search for 'craig@postnewspapers.com.au' on Google returns a fairly hefty number of hits. Slightly more than your address, in fact :-P

    I get massively less spam than you - around 300 a day, though most of it gets stopped dead at the mail gateway by ordb.org and dsbl.org checks. I get about 100 or so spam actually delivered, and SA (set to be pretty forgiving) filters out all but 10 or so per day. I don't envy being in your position.

    Viruses, however, are another story. I haven't seen one in six months - it's fantastic. A combination of some postfix rules and ClamAV on the internal (sendmail) mail server did the trick. If you run postfix at your mail gateway, you can get it to check incoming mail for suspicious filenames before it even accepts the mail:
    main.cf:
    -----
    mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks_pcre

    mine_header_checks_pcre:
    ----
    # Try to kill common Windows executables early, and give a useful message
    /^Content-(Disposition|Type):.*name="?([^ >;]*)\.(exe|bat|com|pif|vb|lnk|scr|reg|chm|wsh|js| inf|shs|job|ini|shb|scp|scf|wsc|sct|dll)"?/ REJECT Microsoft Windows Executables (like suspect file "$2.$3") not accepted here. If you were sending a self extracting zip file, please send a non-self-extracting version instead.
    (note: the regexp and message are all on one line, though I should move to an extended regex and split it up).

    *blam*. There goes 99% of your incoming virus mail. ClamAV gets the rest, so I just don't get viruses anymore. Best of all, you're not generating bounces for virues, you're rejecting them instantly - so unless they're using some dumb bastard to relay, there won't be any mess of bounces to falsified addreses to worry about.

    What about the new waves of self-zipping viruses, you ask? Yeah, that's an issue. I cheat and quarantine all zip files. I rarely have to retrieve one, and it's well worth the saved fuss.

    As for mail programs, I'm happily using Evolution with IMAP over a 512k/256k effective link to work's Cyrus IMAPd server (all this stuff is set up for work). It works great, and I'm able to use 20,000 message mailboxes without noticable stress. Sieve (the cyrus IMAPd filter language) filters everything into the right mailboxes server-side, so if I'm in a hurry I just read my (always small and managable) INBOX without worrying about my lists.* folders, the (server-side filtered) Junk folder, or anything else.

    It's great.
  7. Re:Tracking down a spammer in my home state by AndroidCat · · Score: 2, Interesting
    Their history goes back 4 years. Currently on iWay Broadband at 64.119.200.36. Spamhaus has iWay listed, ROKSO for Dan and Rosalee Young / JDR MEDIA, and friend Scott Richter .

    Bleh!

    --
    One line blog. I hear that they're called Twitters now.
  8. anti-spamming by Dorsai65 · · Score: 2, Interesting

    Personally, I use a combination of tarpits, poisoning their databases, and a website that is rumored to kill the little bastages.

    On the same page where I do all this, I also include links to the House and Senate email address pages, figuring if I get spammed, Congress should, too :-)

    --
    --- Asking inconvenient questions for over 30 years...
  9. Re:spamtraps... by BP9 · · Score: 2, Interesting

    One very minor problem with spamikaze is they do not (did not?) advertise SPF records for their honeypots. This leads to some bounces and 'ASK' style replies ("did you send this?" queries to get on a whitelist) getting ones mail server on the black list. Sure its easy to remove, but since T-Mobile and Danger use their blacklist it means everyone in my company loses email going to their wireless devices.

    The guy running it is friendly, but I can't say I agree with the notion of these honeypots allowing spammers to send mail to my servers as them, then penalizing me for responding to the spam with a 'WTF' message (automated or not), esp since real money (our monthly services fees and wireless connectivity) is being flushed down the toilet when this happens.

    Anyone with evil intent can pick a vitcim domain, send a buttload of 'spam' to it with a from address of one of these honeypots and get the victim domain blacklisted.

    Yes, we asked Danger/T-Mobile to not do this to us. It would be pretty hilarious to imagine t-mobile even understanding the nature of the question much less doing something about it.

  10. Re:I read the article. by WoodstockJeff · · Score: 2, Interesting
    The 69.6.0.0/16 subnet has SO many spam sites in it that our policy is to "soft bounce" anything coming from within that subnet until we can determine if it is legitimate. If it isn't, we introduce a hard bounce on the /24 subnet in question. If it real, though, we add a bypass for the affected IP (sometimes subnet), so it can go through.

    Checking our filters, there were 120 subnet listings within 69.6.0.0/16, and none are marked "OK"! I say "were", because I just took the time to consolidate a lot of the adjacent subnet listings. The 69.6.66.0/24 subnet was first added to our filters in June of 2004, because of proxy-like activities (faked HELO addresses, MAIL FROM the same as the TO address, etc.).

  11. Re:This can easily be defeated by WoodstockJeff · · Score: 2, Interesting
    What are they to do when the "honey pot" addresses are for the domains they're also targetting for spam? Our web pages serve up one trackable, but undeliverable, spam trap address per page view, which isn't visible to humans, but would be caught by any harvester. They're within the domain of the page being viewed, and would be obvious to a human as being fake.

    One of these days, I'll automate the blacklisting of domains and IPs when these spam trap addresses are hit... Would save me a dozen manual postings per day.