Spamfighting Since the Death of MakeLoveNotSpam?

vacuum_tuber asks: "The now-defunct Lycos anti-spamsite screen saver, MakeLoveNotSpam, was extremely well received despite the whines and hand wringing from the no-one-should-ever-actively-defend-themselves crowd. There was speculation after its demise that Open Source spam-punishing tools would emerge. Other tools such as SpamVampire, LadVampire (punishes fake bank sites), Spam Research Tool and others were mentioned with increasing frequency, but there has been no coherent followup to gauge what people are doing since the death of the Lycos screen saver. What are you doing that you think is effective in punishing spammers or their spam-site sponsors?"

Don't join the mob

[IntenetStormCenter]

The vigilante mob created by Lycos was nothing more then a publicity stunt gone wrong.

Cooperation and user persistance has pushed spam already to the fringes of the Internet. Spammers have to just compromissed machines and other criminal methods to spread their messages.

Making them a victim will only make it harder to push them out, and it will take away resources from the actual problem: People buy the crap offered by spam! Spam is no longer free. If people would just stop buying based on spam, the problem would solve itself.

Spamvampire works

[DogDude]

I use Spamvampire almost constantly. It works great. It sucks up their bandwidth, and while it doesn't DOS them, it does make the business of spam a hell of a lot less financially viable. I regularly pound on spammer sites (the sites actually selling the garbage) for a few days, then the site dies. Now, there's no way to know if it's because these sites are only designed to be live for a week or so at a time, or if I really am hitting them in the pocketbook, but I'd like to think that it works. At the VERY least, it makes me feel better knowing that somebody is going to be very shocked when they see their bandwith bill at the end of the month. And, the info that the guy who wrote the SmapVampire scripts concerning the 97% billing is very true, so the results he describes are actually quite realistic.

Re:Spamvampire works

[Trepalium]

Seems that way, doesn't it. Why wait for the courts and laws to come into effect when we can be judge, jury, and executioner? Then again, the submitter of this story wrote to me, "There never seem to be any real cases cited, only hand-wringing by people who have not been joe-jobbed but who seem more concerned with hypothetical joe-jobbing of unnamed, unknown others that no one can point to". When I did name some specific joe jobs (such as the SpamCop and Spamhaus joe jobs), there was no reply, predictably.

But, I give up. I cannot convince someone who can't see beyond their own nose. Instead, I'll make this perfectly clear. I don't send spam, but if I ever get DDoSed by any of these holier-than-thou anti-spam vigilantes, I will do all I can to see the full force of the law fall upon them. You'd be no better than a script kiddie, and subject to the same punishment as far as I'm concerned.

Vigilante justice soils the good name of the anti-spam groups out there that are working hard to help the world control the spam problem. Attacking spammers with DDoS only changes them from being a criminal into being a victim, and we do not want that.

Two approaches.. ban buying, hit the websites

[speculatrix]

Why don't we consider the complete opposite: make it illegal to buy from spammers - kill the revenue stream, kill the spammer's business, stop the spam.

Another method is to hit the spammer's website... consider this perl fragment:
while (1)
{

• $sock = new IO::Socket::INET (
• 
  
  • Proto => 'tcp',
  • 
    PeerAddr => 'website',
    PeerPort => '80',
    Reuse => 1
    
  );
  $sock->autoflush(1);
  push @sockArray, $sock;
  

}

Naturally, the above code is for educational purposes only and is not intended to be used in anger :-)

What about -

[thewldisntenuff]

Forcing ISPs to turn off/temporarily disable the accounts of zombied, 0wned, computers? Isnt that where most of the spam comes from? How much spam could be stopped that way?

Doesnt have to be permanent, just cut it off and request the user run ad-aware/spybot/a decent virus scan and away they go......

-thewldisntenuff

Re:What about -

[maskedbishounen]

And then half of their users will, if I can use the term here, /. the telephone system trying to get through to their ISP, demanding to know how, what, and why. If you thought tech support jobs at ISPs were bad before, just you wait...

Still, if properly implemented, it's a great idea. Instead of cutting them off, drop any repeated, zombie-looking packets. Anything else, redirect it to a local site hosted by the ISP, for customers only.

It should read something along the line of..

"Our monitoring system has indicated that your computer has been infected with an internet virus, trojan, or worm. To prevent any harm to your privacy, computer, and personal information, we have temporarily disabled your account.

To clear this up as quickly as possible, below we have a wide ranging list of detection programs and simple instructions on how to clean up most problems. If you need further help, please use the form below of contact our support at ..."

Basically, forcing self-help to those that need it. Seems a whole lot better than "call us after you're secure" to me.

Respond to them

[Stephen+Samuel]

This is especially usefull for things like Mortage sites.

Give them info that at least looks real.
If you give them your real phone number, then you can keep them on the phone line for 1/2hour (if you've got a headset), while you play your favorite game.... then tell them you hate spammers.

Even if you don't give them your real time, it forces them to verify the data. People pay for info from those spams because it's mostly good data. from people who want mortages.

If you keep the S/N ratio from spams higher than random cold-calling, then the spam's useless.

For stuff like cheap viagra, it's mostly an attempt to get them to annoy their credit card company. or just wasting their time. If we (slashdot) can each get spammers to waste 10 seconds of their time, that's some number of spammer man-years. If we can each get them to waste 10 seconds a week, they're out of business.

It's using the statistics of spamming against them. They currently get about 1million-1 response ratio with a very high signal-noise ratio. If we can get that up to 1000-1 with a 1-1000 signal-noise ratio, then they'll drown in their own garpage.

Re:Respond to them

and i love it too. I comb their site and post virtual orders, contact info, customer surveys (its dangerous to ask my opinion about spamming ;) and grab all the customer support and sales email addresses and un-subscribe them to their own spammer, as well up to 50 other address collection sites (i keep a current list). That way they get their own spam (and much more) and get a taste of what their own dollars are doing to me. That way they can DoS themselves with spam.

Yea, it takes time to be a pain in the neck, but it feels so good. Am I an addict? Nah, compulsive, vengefull, and @n as$-h0l3 maybe...

8^>

Re:I don't punish spam.

[wwahammy]

I agree with nonviolence resistance and am a firm believer in it but I think using these people's bandwidth is the epitome of nonviolent resistance. You basically bother someone till they HAVE to change something (i.e.: SCLC's bus boycott, Gandhi's march to the sea, etc.) Of course I don't htink the term for this is nonviolent resistance because that really is for something much more serious but that concept fits.

wget+bash + SPAM = Fun

[cluge]

Or

LWP + PERL + SPAM = Fun

Take your pick, for something simple like a website that is hosted on compromised machines, simply loop the address through wget, use the output of ps -aux | grep wget | wc -l to keep the system load down to something reasonable - like 50.

Another fun game is when the spammer/phisher wants some personal information. Use LWP to walk through the order stages or web pages. Then give them the information that they asked for.

Name - Don't you know
Address - don't you wish you knew
City - not yet
State - that one
zip - 12345-678

Special order instructions:

Don't ever e-mail me again, ever, please. I'm begging you. In fact I'll be nice, i'll only send this very same message once for each attempted spam delivery. So far the machine that delivered this message has also made 150,000 connections, to try and deliver messages to users that don't exist.

Add random garbage to through off simply filters. Rinse and repeat until messages stop coming to you

Using the host command, with the name servers that show up in the whois. Walk the dns. It's trivial to repeat until server stops responding. Especially if the server is another zombie.

Tactics usually prove good at stopping sites hosted on compromised broadband connections. These machines generally have upload limits that run out quick. Sites hosted in China or Russia seem to have more bandwidth and can take more of a load. I only know this because I read around. I would never, ever advocate such a thing as returning the spam I receive to the spammer via his web sites order page. Doing what is suggested would probably get you in trouble.

My solution? Baseball bats, but my lawyer has told me that they may be illegal as well.

cluge

snail-mail spam right back at ya!

[Pretbek]

Posting the physical address of a spammer on /. and asking people to "please not sign him up for all the snailmail-spam you can find because that is so impolite" seems to have worked well in the past. Well, it worked at annoying the spammer, that is. I don't know if the amount of sent spam actually declined.

Forward the spam to the BSA

For the spam that sells software, I parse the html code (kmail shows the code, not the rendered page) for links to the spam sites selling the software. It's almost always Microsoft Office, Macromedia Dreamweaver (and/or Flash and I forget the other Macromedia software), Adobe suites, Intuit's Quicken or QB, Symantec's software, AutoCad (?) and a few other regulars I can't remember right now. Almost always, the software includes the big ones above, and sometimes a few others.

So I parse the links, removing the filler, isolate the links, then go to BSA's site, and fill out their piracy form. I provide the isolated links, along with the entire email itself including headers, so that they can investigate the spamvertisement themselves.

Then I add a few words of encouragement at the bottom. Three words are generally enough, you can figure out your own slogans as a substitute.

Keeps the BSA busy, their minds on other things, minimizes the amount of trojaned software that clueless users download via spam if BSA actually takes action to close the sites or go after site owners, and lets me kill some time.

I've been thinking of ratting out the criminals selling "pirated" software on Craig's List to the BSA piracy line as well. Maybe I'll make that the next step. It'll keep cheap "pirated" windows software off people's computers, and perhaps give the prospective buyers more incentive to use FOSS/Linux instead. Or at least OpenOffice on Windows, which makes it easier to get them on FOSS/Linux platform later.

The BSA is the greatest thing since sliced bread. Without them, why would most Windows users migrate to Linux? Because its a better platform? Bahhh! They don't even know they're running Windows, let alone why Linux is better or not.

Re:OpenBSD's spamd seems like a good idea

[kd3bj]

At jtan.com we have used spamd for about a year. We use it with an dynamic honeypot system to automatically identify and tarpit spammers.(We have publised this spamtrapd system as OSS).

All spamd/pf does, for those of you that don't know, is to stall the spam sender by sending replies v-e-r-y s-l-o-w-l-y using a daemon that runs alongside sendmail. The OpenBSD pf packet filter is used to redirect data away from the real SMTP daemon and to spamd. Some people call spamd a tarpit.

Typically we have about 200-300 spammers in our tarpit at a given time, with a mean time of stalling at a few minutes. At the end of the stalling, we send a 550 rather than a 450 -- a 450 temp fail IMHO is irresponsible and causes more problems than any spammer-punishing benefit it might have.

I'm not sure tarpits are punishing anyway. Rather tarpits reduce the effectiveness of the spamming by tying up the senders in the tarpit rather than sending more junk to people.

I assume that spammers are wise to tarpits. We see a large number of disconnects within a few seconds. Of course, lots of folks program a HELO or multi-recipient delay in their MTA. That is a complementary technique that helps tarpits be even more effective. The longer it takes for spammers to tell that they are tarpitted, the less spam they can send.

My payback? SPAMHAMMER 2.0

[SmurfButcher+Bob]

A long (long) time ago, I came home to find my wife pumping some online poll, somewhere. Vote, click, wait, back. Vote, click, wait, back. It seems that Marvel was running a "who's the coolest X-Man" poll, and the various fan-groups were doing their damndest to win. Since I wanted my computer back, SpamHammer was born. With a dynamic array of winsocks, it'd allocate as many as the target server could handle, and repeat the voting that you'd "taught" it xxx times. It did well, to the order of a thousand or so per minute if the target could handle it. I must say, the pained expressions on the faces of the various people who were NOT in my wife's fan-group was worth every minute spent coding it, if only I could have seen them. An army of them would spend an hour pumping in a few thousand votes... I'd throw in 10k votes in the time it'd take to make a cup of coffee. It was a few years ago, but it was the type of user-torture that lasts a lifetime.

Eventually, the phishing scams came out. And the mortgage quotes were flowing in. And I got tired of all of them. And I remembered SpamHammer.

So, a LOT of searching of the old file-tree to find it, a little tweaking, and V2.0 was born. This new version supports everything needed to pump tons of crap into any site, POST or GET, cookies or not. I spared no feature - from random emails, random name permutations from the USCB, junk mailing addresses that'll pass a city/state/zip xref, random credit card numbers with proper checkdigits, and even stuff picked from lists (think of med sites). Mortgage quoters want leads? Here, have a million. Just don't bitch when the lenders refuse to pay for those leads. Phishers want accounts and passwords? No problem - with the added benefit of DOSing the target host. Free viagra? Oooo... I get wood just thinking about it... here, have a hundred thousand orders for random crap on your site.

I'm not sure why, but there's something satisfying about getting a "write failure: access denied" after pumping a few million POSTs into a site, consisting of every major field being 32K each. The only thing more satisfying is knowing that certain med-sites simply email the order to an in-box... here, have a big pile of 1Meg emails.

No, a legal solution.

[www.sorehands.com]

I just returned from serving about 12 lawsuits on Avtech direct. With enough people suing spammers under their state's laws, it will tend to reduce much of the spam -- by making the spammers pay for spammers.

Even though spam may be international, the foreign companies can be sued. When you send spam into the USA (or the particular state) you are subject to the laws of the USA. After I sued Global Web promotions, the FTC sued them and siezed their funds. Even though they are in Australia, they are doing business here by sending spam.

Putting "cloaking service" operators in jail

[Animats]

RegisterFly, a service which "cloaks" domain registrations by using RegisterFly's contact information in place of the actual registrant, may be committing felonies by so doing.

From the CAN-SPAM act:

• Sec. 1037. Fraud and related activity in connection with electronic mail

  `(a) IN GENERAL- Whoever, in or affecting interstate or foreign commerce, knowingly-- ....

  (4) registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names, ....

  "or conspires to do so, shall be punished as provided in subsection (b)."

  (2) a fine under this title, imprisonment for not more than 3 years, or both, if-- ...

  (B) the offense is an offense under subsection (a)(4) and involved 20 or more falsified electronic mail or online user account registrations, or 10 or more falsified domain name registrations;

The CAN-SPAM act is soft on spamming, but tough on spam-related fraud. That can be useful.

Note the "or conspires to do so" clause. Knowingly assisting in a criminal offense satisfies the legal definition of conspiracy. "Cloaking services" are in deep trouble if they knowingly provide that service for a spammer. Unlike ISP's, there's no "safe harbor" for them.

As for the "knowingly" part, whenever you find a spam associated with a "cloaked" domain, send a note to the cloaking service, and post that you've done so to some public spam forum that's indexed by search engines. That will put them on record as knowingly cooperating in a criminal conspiracy. The next person who gets a spam from the same party will have that information as legal ammunition.

When you've got that info, report it as Internet fraud..

Spam Traps.

[qualico]

I get a lot of spam attempts on my kevin@qualico.ca email.

Using scripting, I've made myself a nice little spam trap.
If you test mail.qualico.ca, you'll see its an OPEN RELAY!

BUT, if you try to use it...your email will be dissected and automatic abuse notifications sent to the upstream ISP of the target site, the injecting IP's ISP and any other IP listed in the email.
Further, reports are sent to all the major blackhole listing sites.

Very effective at shutting down sites because the instant reporting reduces the time spammers rely on between site switching.

I've been responsible for taking down a lot of sites and will continue to fight spam with every tool at my disposal.

Now if I could only extend this functionality to Malware and Adware sites.

SandTrap is my tool

[tutwabee]

As a webmaster I decided my associates would not appreciate their email addressses being spammed because they were listed on a website but they still wanted their addresses listed on my website. I decided to develop SandTrap, which is now a SourceForge group. The way it works: 1. bots see an empty HTML link tag in the page source and follow it 2. The page they follow it to has meta tags instructing nice bots not to follow the links on the page (noindex,nofollow) 3. The bad bots of course ignore the warning and follow the links 4. The ip address of the bot is recorded and blocked from the server It's written in perl and I've only used it on one website so far but it seems to work in theory at least. Oh... I also replace at symbols in email addresses with an image of an at symbol. That is pretty fail proof.