Tech Reporter Pursues Spammer

girish writes "Technology reporter extrordinaire, Mike Wendland, is at it again tracking down spammers. Wendland conducted the infamous interview with Alan Ralsky, the alleged mega-spammer, a few years ago. That article spawned a lively discussion on Slashdot and eventually resulted in hundreds of pieces of junk postal mail flooding Ralsky's million-dollar home. Now Wendland is using a new tool from a service called Project Honey Pot to track email address harvesters. He posted on his technology blog this morning about catching a company that is holding itself out as a legitimate bulk mailer, but appears in fact to be sending to harvested addresses and conducting on the side some other seemingly seedy businesses. Interesting stuff."

Re:The honey is everywhere

[commodoresloat]

There might even be some on slashdot! Who knows?!

That's crazy talk. This place is spam free. And your website can be spam free too! I'll show you how for just $19.95!!

I have no fear of spammers

[MichaelCrawford]

Harvest this, infidels:

• crawford@goingware.com

A long time ago I decided I wanted to make it as easy as possible for potential clients to email me, so I have never spam-protected my email. It's all over a lot of different websites. It's all over Usenet too.

On the other hand, I get a lot of spam. It's only just beginning to bother me. I have a friend, she gets maybe ten spams a day, and she gets so outraged that she reports them all to the abuse@ addresses and so on. Me, I get a few thousand spams a day. I read my email with elm because it's the only email client that can handle the huge mailboxes I get.

What's getting me down though are the viruses. At one point I was getting 400 MB a day of viruses. Now I've decided I'm going to set up a virus filter on my home linux box, and use fetchmail and spamassassin and clamav and what have you to filter it, and serve it with imap to my other computers.

My hosting service tried to filter all the viruses with clamav, but they got so many viruses that it was too much of a CPU load, so now they do only very simple virus filtering, to catch the most obvious viruses without much CPU consumption.

Re:I have no fear of spammers

[bigberk]

My hosting service tried to filter all the viruses with clamav, but they got so many viruses that it was too much of a CPU load

This is why renattach exists. You run that baby in kill mode, and you can handle millions of viruses a day without breaking a sweat (load average wise). This filter just drops mail when certain types of attachments (by file extension or file names inside a ZIP attachment) are found. Not as proper protection as a virus scanner, but coupled with spamassassin it will do the job.

Getting off the spam list, a how-to video

A howto video on how to prent yourself so they will take you off their mailing list.

spamtraps...

[mmThe1]

An relevant note here would be to mention Spamikaze system (intro here).

In a nutshell, it sets up spamtrap e-mail addresses, and any IP that sends mail to that address is automatically added to the blacklist, and further mails from it are rejected at SMTP level. A false positive can be easily removed from the blacklist manually (example, PSBL).

Re:The honey is everywhere

[Phattypants]

What do you mean? Since I started reading my webmail, I've put all my company's mail-security needs into these miraculous services called hotmail and or yahoo! Why, it was but ten years ago that my penis was two inches shorter! Not only that, but now all of my debt has been consolidated! I can just pass on the tab to my next of kin! I decided contact you, Because I believe you are a reputable person and I feel You can help me and my mother over this confidential matter.

Re:Does it really take that much effort?

[Beryllium+Sphere(tm)]

>Seems to me that this kind of thing should be fairly straight forward. I mean, sending millions of e-mails can't exactly be done "quietly" can it?

Sure it can.

Creepy spammer approaches creepy trojan writer. Creepy trojan writer rents creepy spammer access to 10,000 compromised PC's on DSL and cable. Creepy spammer commands each compromised PC to send three emails per minute from 11PM to 7AM. Creepy spammer has now sent 1.44 million pieces of email without an obvious flood anywhere and without an obvious IP address to block.

The joys of large-scale filtering

the university where I work has some fairly effective spam-killing filters set up.

We frequently see the following interesting fun:
a) People emailing us from blacklisted domains asking what's up. We inform them to complain to their ISP or use a different one.

b) spammers wanting through our filters so they can spam the 20k folks on our network. These are the most fun. I got to watch as the senior network engineer composed a 4000 word message to totally demolish any sort of hope the spammer had, and actually locate the physical address of the spammer. We got an "oh, sorry" reply, and heard nothing since.

Re:The joys of large-scale filtering

[weijiao]

To some extent this is delusional thinking that suits the sysadmin - not business.

We, unfortunately, have this situation happen to us from time to time. In the worst cases the email is just dumped (not bounced) and we only find out about it when the client complains.

We are unable to change our ISP because they "own" the building but the real problem is further up line - again it cannot be changed by us or our ISP. Up-line they are presumably too busy running spam for US based spammers to care.

We just explain to our clients that their IT staff are probably not savvy enough to set up a system that detects spam but allows business email through. We refer them to people who are savvy. :-)

Once they realise that their IT person is actually preventing incoming business reaching them, things change.

Universities, of course, remain isolated from commercial pressures.

what does work...

[bani]

...is forfeiture laws.

any property used in the commission of a crime (in this case, relay rape, botnets, spamming, etc) is seized and auctioned off to the public.

it's even better than destroying their property -- its taking their property away from them altogether. their home, their car, their computer, everything.

Re:I read the article.

They have a gateway page to keep prying eyes out. I've seen it quite a few times in recent spam. For example, the spammer can include links like:

spamsite.com/?code=A2LKJ34AOD012LNVLA9OO38

The codes can be generated in such a way that they are unique to each message sent (for example, they could be a hash of the TO address). Without a valid code, you get a page like that one you saw. Lets the spammers track who's visiting their sites, and block the prying eyes of anti-spam activists.

I bet there's a good chance that's what's happening here.

Education?

[miyako]

What I don't understand is, with all of the negative publicity that spam gets, why do people still buy stuff from spammers? Although everyone claims to hate spam, I recall reading an article on /. a while ago that said as many as 10% of people buy stuff from spam, this just seems ridiculous to me. If I were walking down the street and I saw what looked like a delapedated, possible condemned building, and as I walked by 50 guys with crudely made signs ran outside surrounded me screaming "buy our product" I sure as hell would do whatever I could to get out of the situation, spam is the digital equivilent of this, yet people still buy into it. I guess it's that too many people think GIGO means Garbage In Gosple Out. As long as there are people buying the products though, there will never be a technological solution to the problem of spam.
I guess stories like this could help by showing what creeps spammers are, but the only people who are going to read articles like this already know the evils of spam. Perhaps we need to get a bunch of donations and run a commerical during prime time reality tv equating spam to terrorism?
Anyway, sorry for the somewhat offtopic rant, just been rather upset with spam more than usual lately, an email address that i've had for almost 4 years that never got a single spam has finally been getting inundated with it because some fucktard had to go and put my address in a CC with 100 other people for some stupid chain letter, and then one of those machines got pwnd and now the address is out there (BCC PEOPLE, IF YOU HAVE TO SEND THOSE DAMNABLE CHAIN LETTERS TO SO MANY PEOPLE LEARN TO USE BCC FOR $diety SAKE).

Re:Education?

[adzoox]

The interesting thing is Slashdot seems to be the #1 place (that I have seen) that readers regularly bash SPAM, but that also participate in one of the the MOST MASSIVE email campaigns I have ever seen - the FREE iPOD DEALS.

Look in just about any thread here on slashdot - you'll see a dozen signatures with people linking to THEIR free iPod link so they can get their required 5 people to join.

What happen is your email is INSTANTLY sold to OptInRealBig when you sign up for this page. OptInRealBIg in turn - is also a harvester - but they can legitimately prove they buy email addresses. So, if quetioned by novice understanding authorities - they can prove they are legit.

Point is - the very people that complain about it [slashdotters] - as far as I can see - are the main contributors to it.

People also fall for these emails from websites like wotch.com that have little funny flash cartoons. People forward these sites to dozens of their friends - which in turn - each of those emails are harvested.

It kinda is like the election scenario - the people that complained the most either didn't vote or couldn't vote!

I also have no fear

[Pseudonym]

Spam this:

ajb@spamcop.net

I figure anyone who spams SpamCop deserves what they get.

Address hiding

[Craig+Ringer]

I'm in a similar situation - a search for 'craig@postnewspapers.com.au' on Google returns a fairly hefty number of hits. Slightly more than your address, in fact :-P

I get massively less spam than you - around 300 a day, though most of it gets stopped dead at the mail gateway by ordb.org and dsbl.org checks. I get about 100 or so spam actually delivered, and SA (set to be pretty forgiving) filters out all but 10 or so per day. I don't envy being in your position.

Viruses, however, are another story. I haven't seen one in six months - it's fantastic. A combination of some postfix rules and ClamAV on the internal (sendmail) mail server did the trick. If you run postfix at your mail gateway, you can get it to check incoming mail for suspicious filenames before it even accepts the mail:

main.cf:
-----
mime_header_checks = pcre:/etc/postfix/maps/mime_header_checks_pcre

mine_header_checks_pcre:
----
# Try to kill common Windows executables early, and give a useful message
/^Content-(Disposition|Type):.*name="?([^ >;]*)\.(exe|bat|com|pif|vb|lnk|scr|reg|chm|wsh|js| inf|shs|job|ini|shb|scp|scf|wsc|sct|dll)"?/ REJECT Microsoft Windows Executables (like suspect file "$2.$3") not accepted here. If you were sending a self extracting zip file, please send a non-self-extracting version instead.

(note: the regexp and message are all on one line, though I should move to an extended regex and split it up).

*blam*. There goes 99% of your incoming virus mail. ClamAV gets the rest, so I just don't get viruses anymore. Best of all, you're not generating bounces for virues, you're rejecting them instantly - so unless they're using some dumb bastard to relay, there won't be any mess of bounces to falsified addreses to worry about.

What about the new waves of self-zipping viruses, you ask? Yeah, that's an issue. I cheat and quarantine all zip files. I rarely have to retrieve one, and it's well worth the saved fuss.

As for mail programs, I'm happily using Evolution with IMAP over a 512k/256k effective link to work's Cyrus IMAPd server (all this stuff is set up for work). It works great, and I'm able to use 20,000 message mailboxes without noticable stress. Sieve (the cyrus IMAPd filter language) filters everything into the right mailboxes server-side, so if I'm in a hurry I just read my (always small and managable) INBOX without worrying about my lists.* folders, the (server-side filtered) Junk folder, or anything else.

It's great.

Tracking down a spammer in my home state

[adzoox]

I have been doing a little tracking down of a Spammer myself from my state.

A few months back, when the free iPod craze started - a company in my state started sending out emails from:

Product Test Panel
Consumer Research Corporation
Subscriberbase.com

Saying, "Product Testers Wanted". They would go from hot product to hot product. Sometimes, not even released products - like the Nintendo DS was advertised almost 2 months ago - claiming immediate shipment.

I found that they were in my state by reading the actual email and seeing a location in my state and then by confirming it with whois information.

I then sent off an email to the contact. I got an email from a guy named Brian Benehaley. In typical fashion, all of my accusations were denied.

Turns out, if you Google this guy's name - he has written a well respected piece [respected amongst bulk emailers] about how the Can Spam Act will bring a new renaissance in email marketing.

I have since written the Better Business Bureau about him, found the record for the company is now in the 1000's of complaints

I have contacted my state attorney general which is conducting thorough investigation

I contacted the host ISP - Exodus - they have over 12000 complaints lodged against Subscriberbase.com

I have written a piece that has gotten into Google searches - that receives a few emails and comments each week.

More info about Product Test Panel

It has been quite fun to research this guy and put various internet tools to my disposal.

This was a good story to see what techniques Mr. Wendland used.

Google, Whois, MY BLOG, The BBB online, My attorney general all helped me ...

How I stay spam free

[Examancer2]

This is how I keep spam from ruining my email while also catching spammers in the act:

I have a domain (examancer.com) and a cheap hosting company that allows unlimited email accounts. Every time I give out an email address I make up one that will remind me why I gave it out (like slashdot@examancer.com, nytimes@examancer.com, someotherservice@examancer.com, etc...). I don't actually have to set up each account because I have all undeliverable mail sent right to my main account. If I start receiving spam, I just look at which address its sent to and I know right away which company sold my address or which online forum my email was harvested from. If the spam gets too bad, I actually go and create a real mailbox for that address and route it to a black hole... viola, no more spam.

I have a slightly better version.

[Inoshiro]

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\ .(ad[ep]|asd|ba[st]|c[ho]m|cmd|cpl|crt|dbx|dll
|e xe|hlp|hta|in[fs]|isp|lnk|js|jse|lnk|ocx|md[etw]|m s[cipt]|nws|ocx|ops|pcd|pi|pif|prf|reg|scf
|scr|s ct|sh[bms]|swf|uue|vb|vb[esx]|vxd|wab|ws[cfh]))"?\ s*$/ REJECT Files attached to emails
that contain or end in "$3" are prohibited on this server as they may contain viruses. The fil
e named "$2" was rejected.

This covers more executable types and is a bit more permissive in the matches to the content line.