New Attacks on Spam
AttackOfTheDictionaries writes "Project Honey Pot started operating back in November. The Project provides its participants with a script that generates fake webpages with unique honeypot email addresses. The end result is that Project Honey Pot can connect email harvesters' IP addresses with the spam received by those honeypot email addresses. Which is pretty nifty, but left some people asking how that would help legal attacks on spam. Well, it seems that some lawyer over at SecurityFocus has an answer."
Yay.
You now have an IP address, and a known port number.
;)
You're going to sit here and ask a crowd of slashdotters what to do with that list?
Publish it. Right here baby.
Karma: Chameleon (mostly due to the fact that you come and go).
I donated a few MXs (10 different domains), and set up a few honeypots. It's fairly easy to do assuming you have a basic understanding of DNS, and you don't mind enabling short PHP tags (if using their PHP script).
I do have some concerns though. Just from a few minutes with it, it seems like it'd be fairly easy for spammers to detect. They only have a limited number of MXs the spam can go to. You could just check where the spam was going, and stop it if it's hitting a honeypot. It'll probably work for a little while before the spammers have time to adapt.
Also, while you can start tracking spammers at this point, you don't really get much out of it, yet. They apparently may set up some sort of HTTP RBL so people can stop bad crawlers, but it doesn't exist at this point.
...this story passed through the lameness filter with something like 4:1 link:text ratio?
Seriously, the Mafia can solve all our spam problems. They have computer experts who could track spammers and they aren't afraid to whack anyone. I'm not talking about killing people here, just frightening them. All they have to do is track down spammers and give them an offer they can't refuse. Get out of the spam business or they get a couple of broken collarbones.
Problem solved.
That leaves me wondering, why did you leave 10% of the article text without links when you could have very easily had all the text in the article link to something?
Is it just me, or is half the story one big long link??
AttackOfTheDictionaries writes "Project Honey Pot started operating back in November. The Project provides its participants with a script that generates fake webpages with unique honeypot email addresses. The end result is that Project Honey Pot can connect email harvesters' IP addresses with the spam received by those honeypot email addresses. Which is pretty nifty, but left some people asking how that would help legal attacks on spam. Well, it seems that some lawyer over at SecurityFocus has an answer."
"WebTV: bringing the Internet into the shallow end of the gene pool since 1995" - Martin Bishop
Well, what if their program generates a real email?
I have a hard enough time setting up my website with decent security while allowing only Googlebot to come. Is it me or does this seem like a lot of work to fight spam? Seriously, shouldn't my ISP do that for me? Comcast does a mediocre job. The idea is to have me do nothing.
When they farm out the harvesting work to zombies, it'll make this rather useless, no?
500GB of disk, 5TB of transfer, $5.95/mo
It just seems to me that if you punish the money, there would be little to no incentive to spam. Any IANALs (or IAALs) like to comment on why this would/wouldn't work?
So wait, the spider/e-mail harvester's access of your web pages is illicit, YET the license on those pages is now binding? Including paying fees and agreeing to be sued?
If this isn't an abuse of our legal system, then honestly, I don't know what is!!
In the future, I would want to not be isolated from my friends in the Space Station.
Did someone forget to editorialize the article writeup? I'll do it for you:
It's clear that Bush and the Republicans are responsible for all spam. It's just a neoconservative plot to destroy the American economy so that the value of all the Republicans' foreign holdings will rise. What better way to destroy the economy than through spamming the Internet to oblivion. Then they'll take over the world!
(I'm just asking for it, aren't I)
Here's a hint: website indexing as we know it will be completely destroyed the instant site owners can claim complete discretion about how their website information is used even though the websites are publicly disclosed. Any automated webcrawling process could potentially subject the person running it to liability. Which means any future indexing will have to be vetted by hand.
I could be misinterpreting this, but I think it would be very bad news to allow websites to bind people to contracts they aren't able to read or understand (even if we have a similar horrendous system for end-users of software). It's one thing to write a law restricting such behavior on a general basis, or specifying some way for people to opt-out of information collecting with a robots file, but even that is subject to confusion.
Technical answers are needed for technical problems.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
It would be too easy to threaten a company to send "fake" spam on his behalf.
perception is reality
Tell the [RI/MP]AA that they are actually super-secret encoded BitTorrent file transfers...
Can you imagine if this guy were alive today, and surfing the internet (NRA website no doubt), and gets all kinds of spam in his Outlook? He would go nuts!
Seems like just the man we need now ;)
Anyone see the irony of the comment spam at the bottom of one of the linked articles?
Bleh!
The list is linked to right in it
http://www.projecthoneypot.org/bots_and_servers.php
This sounds like a great step, however I am wondering what happens if the collecting spider is running from a 'bot running on a hijacked machine. We are seeing more and more SPAM coming from SMTP engines installed through viruses and worms. It seems a natural next step to use these armies of zombies to run spiders. Then, the honeypot picks up the IP address of the harvester, but not of the real person behind the SPAM.
Your Servant, B. Baggins
Is it just me, or does "Project Honeypot" sound like a spring-break porn video?
Transistors and Beer!!
There are all kinds of issues when trying to deal with spammers themselves.
First, you have to find them. And prove that they sent the spam knowingly (and it wasn't a virus or worm or something). Then you have to hope and pray their local government and/or ISP (if outside the US) gives a damn about their activities.
That's a pretty big feat to accomplish in itself.
Then you have to be able to prove (probably in court) that it was their spam operation. That can be harder without judicial help.
You might get some satisfaction if their operation is shut down after all this, but they probably have others in on it, ready to take the business over. Start from scratch.
Spammer pays his court-ordered dues, and goes right back to spamming, being a little more careful.
This is too lengthy a process for spammers. I think that if the ISP doesn't do anything, and the local government doesn't care, it should be up to the users of the internet to stop the spammer. Now, this can be RBLing the spammer, or causing his hard drive to detonate inside of its case. Some society should be set up to reward people that take down spammers. Kind of like a mercnet, only with emphasis on not physically injuring the person, but rather on shutting down their operation.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Ethan Preston, the lawyer that is linked to in the article above, mentions that the harvesters are forced to 'click through' a license agreement that has legal ramifications if broken. While this is a neat trick to put the screws to spammers, isn't it a bad idea in the grand scheme of things, as it lends more credibility to the 'click through' agreements that are packaged with software? If this were taken to court and upheld as valid, it could be used as a precedent.
Now, admittedly, there is an important difference in that in one case you cannot read the agreement before buying the product, but the overall premise that such agreements can be legally binding would be the same. Also, since this is a tactic that has been developed to target harvesters, who the developers know will not be able to read or comprehend the agreement, wouldn't that invalidate the agreement? Simply: If I trick you into agreeing to a legal contract, is it any good in court?
Also, as a side note, it would fall victim to all the same problems as EULAs. For example, if I was an evil spammer, I could probably get out of the clause by hiring a 17 year old to run the harvester for me, since a minor cannot enter into a legal contract, it would be no good.
HA! I just wasted some of your bandwidth with a frivolous sig!
Google now returns crap web pages! As if it wasn't bad enough that google doesn't filter out the retail sites for non-retail searches.
Always going forward, 'cause we can't find reverse.
From RFC 2616,
Clicking a link, or fetching any page with GET by any means does not sign a contract. That is the rule set forth by the HTTP protocol.
I was generating tc-`date +%s`@mydomain.co.nz email addresses about 6 years ago.. Receive spam, convert address back to date, find spammer's IP in Apache logs. It's also interesting to see how much spam is from mailing-list CDs and how much is scrape-send-throw away. Lots of those scraped addresses resulted in spam hours or days later but never got used again.. which means that removing or obfuscating your email address on the web even if it's previously been in the clear CAN significantly reduce the amount of spam you get now.
455fe10422ca29c4933f95052b792ab2
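Added example, not part of the comment above: one way to carry out the correlation it describes, turning a `tc-<epoch>@...` recipient back into a time and pulling the matching page fetch out of an Apache access log. The page path `/contact.html`, the two-second skew, the address, and the log lines are all constructed assumptions.

```python
import re
from datetime import datetime

# Assumed address shape from the comment: tc-<unix epoch seconds>@<domain>
ADDR_RE = re.compile(r"^tc-(\d{9,10})@", re.IGNORECASE)

# Apache common/combined log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

def address_to_epoch(rcpt):
    """Return the epoch embedded in a tagged recipient address, or None."""
    m = ADDR_RE.match(rcpt.strip())
    return int(m.group(1)) if m else None

def parse_log_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # %z consumes the "+1300" offset, so the result is timezone-aware.
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "epoch": int(when.timestamp()),
        "req": m.group("req"),
        "status": int(m.group("status")),
        "ua": m.group("ua") or "",
    }

def find_harvesters(rcpt, log_lines, page="/contact.html", skew=2):
    """List (ip, user_agent) for successful GETs of `page` made within
    `skew` seconds of the time encoded in the spammed address."""
    epoch = address_to_epoch(rcpt)
    if epoch is None:
        return []
    hits = []
    for line in log_lines:
        entry = parse_log_line(line)
        if entry is None or entry["status"] != 200:
            continue
        parts = entry["req"].split()
        if len(parts) < 2 or parts[0] != "GET" or parts[1] != page:
            continue
        if abs(entry["epoch"] - epoch) <= skew:
            hits.append((entry["ip"], entry["ua"]))
    return hits

# Constructed sample data (documentation IP ranges, made-up user agents).
SAMPLE_RCPT = "tc-1105734600@example.org"   # 15 Jan 2005 09:30:00 +1300
SAMPLE_LOG = [
    '203.0.113.9 - - [15/Jan/2005:09:20:00 +1300] "GET /contact.html HTTP/1.0" '
    '200 2310 "-" "Mozilla/5.0 (constructed browser)"',
    '192.0.2.44 - - [15/Jan/2005:09:30:00 +1300] "GET /contact.html HTTP/1.0" '
    '200 2310 "-" "constructed-harvester/1.0"',
    '198.51.100.7 - - [15/Jan/2005:09:30:00 +1300] "GET /index.html HTTP/1.0" '
    '200 5120 "-" "Mozilla/5.0 (constructed browser)"',
]

if __name__ == "__main__":
    for ip, ua in find_harvesters(SAMPLE_RCPT, SAMPLE_LOG):
        print(ip, ua)
```

On a busy page several clients can fall inside the same window, so a match is a candidate list rather than proof; a per-request random suffix in the address removes that ambiguity.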
I smell BS in this article.
I mean, according to this, that means that someone could put a fancy legal document under a manhole cover saying "if you drive over this manhole, you agree to such and such".
It's about the same thing - you never saw the agreement, so how could you have ever agreed to it? Surely they can't argue that a software program can enter into a legally binding agreement on its own - that would open up a whole other can of worms.
And herein is the weak point. A stupid harvester grabs the e-mail addresses and runs. A smarter harvester sees the exact verbiage of the Model Agreement (which is likely copied verbatim) and says, "Hey, not this one." This article even has a helpful link to see just what a fake page looks like.
So much as even getting rid of the dumb harvesters can only be a Good Thing, this is not the magic bullet by itself.
An even smarter harvester revisits the page later and realizes that the e-mail address has changed on every visit. Red Flag here!
Of course, a smarter honeypot sees the same harvester make a return visit and gives it the same data each time.
And all this took me, oh, about 3 minutes to figure out. And this isn't even my field.
The arms race continues.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
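Added example, not part of the comment above and not Project Honey Pot's own code: a sketch of the "same data on a return visit" idea, deriving the honeypot address from a keyed hash of the visitor's IP so that revisits see an unchanged address and no per-visitor database is needed. The secret, domain, token length, and sample IPs are constructed assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"   # assumption: a site-private random key
DOMAIN = "example.org"             # assumption: the honeypot mail domain
TOKEN_LEN = 12                     # 12 base32 chars = 60 bits of the MAC

def _canonical(ip_text):
    """Normalise textual IP forms so one client always maps to one key."""
    ip = ipaddress.ip_address(ip_text.strip())
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the underlying IPv4 host.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def _token(ip):
    mac = hmac.new(SECRET, ip.packed, hashlib.sha256).digest()
    return base64.b32encode(mac)[:TOKEN_LEN].decode("ascii").lower()

def address_for(ip_text):
    """Address shown to this visitor; identical on every return visit."""
    return f"{_token(_canonical(ip_text))}@{DOMAIN}"

def attribute(rcpt, seen_ips):
    """Given a spammed recipient and the client IPs from the web logs,
    return the IP the address was issued to, or None if no IP matches
    (for example a guessed or forged local part)."""
    local, _, domain = rcpt.strip().lower().partition("@")
    if domain != DOMAIN or len(local) != TOKEN_LEN:
        return None
    for ip_text in seen_ips:
        try:
            ip = _canonical(ip_text)
        except ValueError:
            continue                      # skip malformed log fields
        if hmac.compare_digest(_token(ip), local):
            return str(ip)
    return None

if __name__ == "__main__":
    first = address_for("192.0.2.44")
    again = address_for("192.0.2.44")
    print(first, first == again)
    print(attribute(first, ["203.0.113.9", "192.0.2.44"]))
```

A harvester that returns from a different address, which is the zombie case raised elsewhere in this thread, still sees a different honeypot address, so this only answers the same-IP revisit check.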
I proposed arbitration of disputes between spammers and anti-spammers last year in a spam related Usenet group.
I'm setting up a new and faster server, and won't give the URL out till I see how it responds. Please give me about an hour or so. Thanks, Pete
Pete Carr Owner Chatmag.com
A couple points:
1: Pretty much any regular Comcast account shouldn't be running a web-server to start with.
2: You bring up a fascinating point of favoring one search engine over others. What would happen if people en masse started only allowing their sites to be indexed by search engine companies they favor? Could, for example, MSN Search be hobbled by people just deciding not to play along with them?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Address harvesting is illegal in some jurisdictions. If you're running a honeypot in that jurisdiction, and you can prove someone harvested an email address from you using the honeypot, it makes no difference whether they agreed to your license. They broke the law. If you go after them, you can nail them.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
How's censorware.org coming along?
I wish I could think of a way to make this work for me ...
I have my own domain name, I have had it for about ten years, and a uucp name before that. I am also on dialup. Up until about 6 months ago, the only spam I got was the usual, and since I can use whitelists, it was pretty easy to weed out.
Then some scumbag decided to send spam to all possible names he could think of at my domain. It started out slowly, but has been increasing all the time, and I now receive about 50,000 (yes, it will soon overflow a 16 bit counter) spams a day. These are pure unadulterated spams, to accounts that have never existed, which have never opted in or surfed the web or anything. I have a friend who wants it for his own spam analysis, so I have been bzip2ing it and saving it until I can get it to him.
But this is starting to be a real pain. If I bounce it, my ISP deals with it, since I am only online a few hours a day. It's not seeing it that bothers me, I never see it or do anything other than save it for my friend or delete it, it's the bandwidth hog on dialup. When I first connect after several hours offline, it becomes a flood which interferes with everything else, even with my qmail throttled back to just a few simultaneous connections. I can't configure PPP with on-demand because the constant spam resets the idle timer, so I have to explicitly bring ppp up and down.
I'd love to reject these connections, but most of it comes from my ISP having saved it up as secondary MX. I can't get broadband here, or I'd be happy as a clam at high tide in bogging the spammers down with slow tarpit connections or just plain rejecting the email or dropping the connections. I have thought of doing this to the few spams that come in while I am online, but that would only cut a small fraction of the volume, since most of it comes from my ISP as secondary MX.
I hate spammers. Burnt to death with matches, one at a time, is a just reward, and I'd be more than happy to do it myself, except for the time involved. Hang 'em by their toes with their heads in a bucket until they drown in their own vomit sounds more efficient. They are scum.
Infuriate left and right
Your post advocates a
( ) technical (x) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which vary from state to state.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
(x) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires cooperation from too many of your friends and is counterintuitive
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
( ) Ideas similar to yours are easy to come up with, yet none have ever worked
(x) Other: Extremely limited approach
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
( ) Other:
and the following philosophical objections may also apply:
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures cannot involve wire fraud or credit card fraud
( ) Countermeasures cannot involve sabotage of public networks
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
( ) Other:
Furthermore, this is what I think about you:
(x) Nice try, dude, but I don't think it will work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
I'm not a lawyer, but it seems outlandish to me that simply stating "By accessing this web page you have automatically agreed to the following conditions..." in the text of your web page constitutes any sort of legally binding agreement. Perhaps if there was some sort of click-through process like with software EULAs I could buy it, but simply saying "Welcome to my web page - hey, guess what you just agreed to!" sounds pretty far-fetched.
I'm pretty sure that if I tried to sue people who had accessed my web page that said "By accessing this web page you have agreed to send me $50" I would be laughed out of court. I don't really see what the difference is. Simply viewing a contract doesn't imply that you've accepted it.
... it will mean even more traffic for people getting joe-jobbed as they will have even more bounces (and double-bounces) hitting their mail server.
This post is the property of SlashDotMeNow. By moderating it (either up or down) or posting a reply to it you agree to pay me $50 for each mod point you use or reply you post.
You are hereby notified that by archiving the copyrighted text of this posting on any sort of digital storage device you agree to pay me $10. Also, Google is hereby informed that by archiving the text of this post in any form for internet search purposes they agree to pay me $100,000. Further, anyone who replies to this post hereby agrees to pay me $100. Just as long as we're clear on that...
put a cron job wget -r (put website that spam wants you to visit here) rm-rf (saved directory)
rinse and repeat.
Total Spam Received: 509
Spam Received (This Week): 98
I get about 140 on my main account daily. Fortunately my spam filter catches about 98% of that...
From my observation most spammers don't generate their own lists - they buy them from someone else. It can take years of having a public email address before you get on the real big ones.
My newer accounts generally don't get too much spam - even though they're very public.
My older, less public accounts get tons of crap. I've actually had a "spammers list" in my hands - and lo and behold it was on it.
IAAL...
If there was a standard that robots could read and be required to adhere to, i.e. robots.txt, then there shouldn't be a problem with a EULA on a website since the only spiders that would be violating the EULA would be ones that were ignoring the robots.txt file in the first place. Give the robots.txt files some legal standing as far as automated programs scraping a site goes then you wouldn't have to worry about the ramifications of a EULA on a website.
http://shit.slashdot.org/article.pl?sid=05/01/14/2030202
1. It's hard to catch spammers
Totally not true. The truth is very few entities are actively trying to catch spammers. If you think that spammers can't be caught, simply set up an un-patched PC on a broadband connection and within 24 hours, the PC will be zombied. Worried about jurisdiction? You will have so many sources compromising your PC, you can pick and choose which ones are easiest to pursue.
If there is a reason spammers are hard to catch this is because the authorities do not pursue the cases. Most Attorney Generals avoid these types of cyber crime... it's not that they can't find these people, they just prioritize this stuff much lower than, say, someone who sells bongs on a web page.
2. Civil action is effective against spammers
This is BS. If these people had money, they wouldn't be spamming. It's a myth that most spammers make a lot of money... maybe by their own standards they do, but that doesn't say much. If spammers were really making lots of money, they'd be a lot easier to target. They don't. Spamming is like network marketing: it's filled with lots of lowlifes who make quick bursts of money, mostly through hoodwinking others to pay them, and then move around rapidly before they get caught.
Show me a spammer and I'll show you: a) a guy that has no money, b) a guy that has declared bankruptcy several times and plans to again, c) a pathological criminal who moves from one get-rich-quick scheme to another. These guys laugh at civil lawsuits.
Every once in a while there may be a high-profile guy who seems to have some money, but they are the rare exception to the rule.
Almost all spammers break criminal laws in virtually every jurisdiction. The fact that groups are pursuing civil action is a testimonial to how totally apathetic the authorities are to pursue criminal charges. They can find these people; they can bring them up on criminal charges. What you need to do is contact your local Federal Attorney Generals and demand they start doing this. A zombie'd PC is a felonious crime, and these people CAN be tracked.. it's not difficult at all. Yes, some may route through Asia or other countries, but there are plenty that can be made example of before anyone has to begin to pull logs from foreign areas.
Effectively, what they are doing is forcing the spammers to do their harvesting through compromised boxes. So what they are really building is not a list of spammer IP addresses, but rather a list of IP addresses of people too stupid to firewall their machines. Sure, contacting these people might be useful, but how are you going to win a court case against anyone when everyone will just claim "sorry, but my machine was 'owned' at the time"?
I've abandoned my search for truth; now I'm just looking for some useful delusions.
This seems like an easy way to trick a web server to block Google requests. Google the site, then use the cached page to get the email. Bam, site looks at logs and blocks Google. I hope that this has been considered in making the honeypot so that legitimate searches are not hindered. The simple solution would be to determine whether the search is from Google's IP addresses and react accordingly. I guess the IPs are reverse looked up, but if these are not human audited, legitimate searches could be banned by crafty individuals.
2*31*37*263
An investor could buy stock in a company (a small one to get direct effect as possible) and having a friend spam for that company you would get the profit from the company's increased income hopefully (someone has to reply to make it worth their time) and there is no direct link between any party making profit and those spamming. And the blackmail issue too, like that story about the guy threatening to send child porn in name of some company unless they paid him.
"This is totally insecure, but very convenient."
That's what I read the first time through.
Honest.
Blame it on all that v1agra spam.
Part of the enforcement provision in 17529.5 starts:
IAAL in CA, and I am using this law to go after a few spammers. It is quite fun.
No Inflation Taxation without Representation
1. Buy an island. Tonga, for example, is a poor pacific country with 7000 islands, they can probably make you a deal.
2. Elect island council. Pass ordinance making spam punishable by death via organ harvesting.
3. Revise arbitration terms such that spammer agrees to jurisdiction on island, agrees to appear voluntarily or to be billed for costs of bounty-hunters and plane ticket.
4. Recruit bounty hunters from slashdot, publish updated lists of spammers.
5. Arrest spammers at arbitration hearings, sentence to death, harvest organs, can what's left, sell canned spammer over internet.
6. Profit!
This is a critical point, it's the Catch 22 that makes the contract binding.
A true idiot.