Slashdot Mirror


New Attacks on Spam

AttackOfTheDictionaries writes "Project Honey Pot started operating back in November. The Project provides its participants with a script that generates fake webpages with unique honeypot email addresses. The end result is that Project Honey Pot can connect email harvesters' IP addresses with the spam received by those honeypot email addresses. Which is pretty nifty, but left some people asking how that would help legal attacks on spam. Well, it seems that some lawyer over at SecurityFocus has an answer."

28 of 153 comments

  1. Simple. by numbski · · Score: 4, Funny

    You now have an IP address, and a known port number.

    You're going to sit here and ask a crowd of Slashdotters what to do with that list?

    Publish it. Right here baby. ;)

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

    1. Re:Simple. by RidiculousPie · · Score: 2, Interesting

      You now have an IP address, and a known port number.

      You're going to sit here and ask a crowd of Slashdotters what to do with that list?

      Publish it. Right here baby. ;)

      As they note on the site, some of the IP addresses may be hijacked, and that's hardly a nice use of the power of slashdot.

      Although I am sure that some people would say that people should be responsible for their own system, hijacked or not (indeed many/most ISPs would agree). Is DDOS ethical when used against spammers? Or were you suggesting an IP address blacklist? ;-) Somehow I suspect you weren't.

      Now where is that spam idea checklist to categorise it....

      --
      ah, mod points ... now where is my crack?
    2. Re:Simple. by mattyrobinson69 · · Score: 2, Interesting

      If somebody refuses to secure their PC, sod them. If they're being DDOS'ed, they can't send as much spam - it's their problem.

  2. Joined yesterday by Anonymous Coward · · Score: 4, Informative

    I donated a few MXs (10 different domains), and set up a few honeypots. It's fairly easy to do assuming you have a basic understanding of DNS, and you don't mind enabling short PHP tags (if using their PHP script).

    I do have some concerns though. Just from a few minutes with it, it seems like it'd be fairly easy for spammers to detect. They only have a limited number of MXs the spam can go to. You could just check where the spam was going, and stop it if it's hitting a honeypot. It'll probably work for a little while before the spammers have time to adapt.

    Also, while you can start tracking spammers at this point, you don't really get much out of it, yet. They apparently may set up some sort of HTTP RBL so people can stop bad crawlers, but it doesn't exist at this point.
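    A sketch of the correlation described in the summary and in the comment above, added here as an example and not Project Honey Pot's own script: each page view hands out a unique, HMAC-derived honeypot address and logs the visitor's IP, so spam arriving at that address can be attributed to the harvester, while mail to an address that was never issued is recognised as a dictionary guess. The secret, the donated MX domains and the visits are constructed placeholders.

```python
# Added example, not Project Honey Pot's own script: a minimal model of the
# honeypot-address correlation described above. The secret, domains and
# visits below are constructed placeholders.
import hashlib
import hmac
from datetime import datetime, timedelta

SECRET = b"operator-secret-placeholder"                    # assumed operator secret
HONEYPOT_DOMAINS = ("mx1.example.net", "mx2.example.org")  # assumed donated MXs


def make_honeypot_address(client_ip: str, seen_at: datetime,
                          secret: bytes = SECRET) -> str:
    """Derive a unique, unguessable address from the visit that produced it.

    The HMAC keeps the local part unpredictable, so a message to a matching
    address can only have come from someone who fetched that page.
    """
    msg = f"{client_ip}|{seen_at.isoformat()}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]
    domain = HONEYPOT_DOMAINS[int(tag, 16) % len(HONEYPOT_DOMAINS)]
    return f"{tag}@{domain}"


class HoneypotLog:
    """Records which client fetched which address; later attributes spam."""

    def __init__(self):
        self._issued = {}   # address -> (client_ip, seen_at)

    def serve_page(self, client_ip: str, seen_at: datetime) -> str:
        """Called on each page view; returns the address embedded in the page."""
        addr = make_honeypot_address(client_ip, seen_at)
        self._issued[addr] = (client_ip, seen_at)
        return addr

    def classify_mail(self, rcpt_to: str, received_at: datetime) -> dict:
        """Classify a message by its RCPT TO address.

        harvested  - address was issued to a logged visitor: that IP harvested it
        dictionary - one of our domains, but an address we never issued (a guess)
        foreign    - not a honeypot domain at all
        """
        rcpt = rcpt_to.strip().lower()
        if rcpt in self._issued:
            ip, seen_at = self._issued[rcpt]
            return {"kind": "harvested", "harvester_ip": ip,
                    "delay": received_at - seen_at}
        if rcpt.rsplit("@", 1)[-1] in HONEYPOT_DOMAINS:
            return {"kind": "dictionary"}
        return {"kind": "foreign"}


def demo() -> dict:
    """Constructed scenario: two crawlers visit; one address later gets spam."""
    log = HoneypotLog()
    t0 = datetime(2005, 1, 20, 12, 0, 0)
    a1 = log.serve_page("192.0.2.10", t0)          # RFC 5737 documentation IPs
    a2 = log.serve_page("198.51.100.7", t0 + timedelta(minutes=5))
    spam = log.classify_mail(a1.upper(), t0 + timedelta(days=3))
    guess = log.classify_mail("sales@" + HONEYPOT_DOMAINS[0], t0)
    other = log.classify_mail("bob@example.com", t0)
    return {"addr1": a1, "addr2": a2, "spam": spam, "guess": guess,
            "other": other}
```

    Because the local part is keyed by a secret, the harvest-to-spam delay and the harvester IP come straight from the log lookup; no per-address state beyond the issued table is needed.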

  3. Fighting Spam by superpulpsicle · · Score: 2, Insightful

    I have enough of a hard time setting up my website with decent security while allowing only Googlebot to come. Is it me or does this seem like a lot of work to fight spam? Seriously, shouldn't my ISP do that for me? Comcast does a mediocre job. The idea is to have me do nothing.

    1. Re:Fighting Spam by L.Bob.Rife · · Score: 3, Insightful

      Businesses are driven by business decisions. If you want an ISP that will fight spam, then you have to stop giving money to your ISP that doesn't fight spam.

      The reality is that while it would be nice if other people did everything for us, many times you have to take matters into your own hands.

    2. Re:Fighting Spam by SharpFang · · Score: 2, Insightful

      Is it me or does this seem like a lot of work to fight spam?

      Sure! The method doesn't offload the effort of fighting spam at all; just the opposite, it adds work. So why...? Because it's profitable. You could make quite a decent living off lawsuits against spammers who fell for this. The idea is the spammer 1) can be identified 2) agrees to pay damages for every email harvested (implicitly. The bot does.) That won't solve the problem of spam for your LAN. It will just make the fight against spammers give real financial profits (and do serious financial damage to the spammers), resulting in more people interested in fighting spam (just for profit) and as a result destroying spam as a whole.

      Wouldn't you welcome spam gladly if each spam you receive came with $50 paid to your account? Now you can.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  4. Until they farm harvesting out to zombies... by PornMaster · · Score: 4, Insightful

    When they farm out the harvesting work to zombies, it'll make this rather useless, no?

    1. Re:Until they farm harvesting out to zombies... by The+Ultimate+Fartkno · · Score: 2, Funny

      All I know about zombies I learned from Half-Life.

      Now give me a crowbar and Scott Richter's home address and I'll show you some damned harvesting work...

  5. Follow the Money by Lemurmania · · Score: 5, Interesting

    I've never understood why more attention isn't paid to punishing the businesses who advertise via spam. However well the spammers hide their tracks, there's a real company somewhere that wants to exchange services for cash. Why not attack this at the root? Why not make it a fineable offense to advertise via spam? Or would it be all-too-easy for a company to claim it never asked for the spam to be sent in the first place?

    It just seems to me that if you punish the money, there would be little to no incentive to spam. Any IANALs (or IAALs) like to comment on why this would/wouldn't work?

    1. Re:Follow the Money by Anonymous Coward · · Score: 3, Insightful

      I've often thought about this too. My main concern is it's too easy for any individual to successfully attack a company by simply spending just a few bucks to have a spammer send out some bogus spam ads.

  6. Friggin' No Good Lawyers! by mekkab · · Score: 4, Insightful

    So wait, the spider/e-mail harvester's access of your web pages is illicit, YET the license on those pages is now binding? Including paying fees and agreeing to be sued?

    If this isn't an abuse of our legal system, then honestly, I don't know what is!!

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  7. Something missing from the writeup? by Anonymous Coward · · Score: 2, Funny

    Did someone forget to editorialize the article writeup? I'll do it for you:

    It's clear that Bush and the Republicans are responsible for all spam. It's just a neoconservative plot to destroy the American economy so that the value of all the Republicans' foreign holdings will rise. What better way to destroy the economy than through spamming the Internet to oblivion. Then they'll take over the world!

    (I'm just asking for it, aren't I?)

  8. This would be a bad thing (I am not a lawyer). by Sheetrock · · Score: 4, Insightful

    Even ignoring any possible First Amendment issues (which can be done if we discuss this hypothetically occurring only in other countries) imagine what kinds of doors are opened when you permit automatic sight-unseen licensing to take effect on material on the WWW?

    Here's a hint: website indexing as we know it will be completely destroyed the instant site owners can claim complete discretion about how their website information is used even though the websites are publicly disclosed. Any automated webcrawling process could potentially subject the person running it to liability. Which means any future indexing will have to be vetted by hand.

    I could be misinterpreting this, but I think it would be very bad news to allow websites to bind people to contracts they aren't able to read or understand (even if we have a similar horrendous system for end-users of software). It's one thing to write a law restricting such behavior on a general basis, or specifying some way for people to opt-out of information collecting with a robots file, but even that is subject to confusion.

    Technical answers are needed for technical problems.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:This would be a bad thing (I am not a lawyer). by krbvroc1 · · Score: 2, Interesting

      Even ignoring any possible First Amendment issues (which can be done if we discuss this hypothetically occurring only in other countries) imagine what kinds of doors are opened when you permit automatic sight-unseen licensing to take effect on material on the WWW?

      Tell me about it. This morning I posted a link here in Slashdot. At that link was an agreement that each visitor must pay me $50. With the Slashdot effect in full swing, I think I will retire now.

      IANAL, but this 'binding' agreement thing sounds bogus. I think CAN-SPAM prohibited some harvesting, but I think the 'contract' nonsense is bullshit. For those who think they can get rich off of this, the only people who'll make money on *trying* this scheme will be the attorneys.

      But maybe I'm wrong, if EULA agreements can be posted on websites with the caveat that by opening a box you agree to it, perhaps this makes sense.

  9. Re:Where is the Mafia when you need them? by Zocalo · · Score: 4, Insightful

    And what makes you think the Mafia isn't involved in actually sending the spam in the first place? Take a step back and look at the kinds of technical and organisational infrastructures that are used in spamming. We have address harvesting, botnets and the worms and malware to generate them, scams, counterfeiting of goods, moving goods (pills) from one country to another, hosting of services in countries all over the world. Oh, and much of this is illegal too, and not just under legislation like CAN-SPAM. If that's not organized crime, then I don't know what is.

    --
    UNIX? They're not even circumcised! Savages!
  10. How do we deal with legal attacks? by 10101001011 · · Score: 2, Funny

    Tell the [RI/MP]AA that they are actually super-secret encoded BitTorrent file transfers...

  11. John Wesley Hardin ! by Spy+Handler · · Score: 2, Funny

    He once shot a man (to death) just for snoring too loud. He is reported to have killed 40 men during his career, making him one of the most feared gunfighters in the Old West.

    Can you imagine if this guy were alive today, and surfing the internet (NRA website no doubt), and gets all kinds of spam in his Outlook? He would go nuts!

    Seems like just the man we need now ;)

  12. RTFA by brunes69 · · Score: 2, Informative

    The list is linked to right in it.

    http://www.projecthoneypot.org/bots_and_servers.php

  13. Is it just me... by multiOSfreak · · Score: 3, Funny

    Is it just me, or does "Project Honeypot" sound like a spring-break porn video?

  14. Spam Hit List by Renraku · · Score: 2, Insightful

    There are all kinds of issues when trying to deal with spammers themselves.

    First, you have to find them. And prove that they sent the spam knowingly (and it wasn't a virus or worm or something). Then you have to hope and pray their local government and/or ISP (if outside the US) gives a damn about their activities.

    That's a pretty big feat to accomplish in itself.

    Then you have to be able to prove (probably in court) that it was their spam operation. That can be harder without judicial help.

    You might get some satisfaction if their operation is shut down after all this, but they probably have others in on it, ready to take the business over. Start from scratch.

    Spammer pays his court-ordered dues, and goes right back to spamming, being a little more careful.

    This is too lengthy a process for spammers. I think that if the ISP doesn't do anything, and the local government doesn't care, it should be up to the users of the internet to stop the spammer. Now, this can be RBLing the spammer, or causing his hard drive to detonate inside of its case. Some society should be set up to reward people that take down spammers. Kind of like a mercnet, only with emphasis on not physically injuring the person, but rather on shutting down their operation.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  15. License agreements by TiggertheMad · · Score: 4, Interesting

    Ethan Preston, the lawyer that is linked to in the article above, mentions that the harvesters are forced to 'click through' a license agreement that has legal ramifications if broken. While this is a neat trick to put the screws to spammers, isn't it a bad idea in the grand scheme of things, as it lends more credibility to the 'click through' agreements that are packaged with software? If this were taken to court and upheld as valid, it could be used as a precedent.

    Now, admittedly, there is an important difference in that in one case you cannot read the agreement before buying the product, but the overall premise that such agreements can be legally binding would be the same. Also, since this is a tactic that has been developed to target harvesters, who the developers know will not be able to read or comprehend the agreement, wouldn't that invalidate the agreement? Simply: If I trick you into agreeing to a legal contract, is it any good in court?

    Also, as a side note, it would fall victim to all the same problems as EULAs. For example, if I was an evil spammer, I could probably get out of the clause by hiring a 17 year old to run the harvester for me; since a minor cannot enter into a legal contract, it would be no good.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  16. Does anybody read RFCs? by Anonymous Coward · · Score: 2, Informative

    The rule is for non-transient effects, all web sites must use POST.

    From RFC 2616:

    Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others.

    In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

    Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

    Clicking a link, or fetching any page with GET by any means does not sign a contract. That is the rule set forth by the HTTP protocol.

  17. I dunno... by brunes69 · · Score: 3, Insightful

    I smell BS in this article.

    I mean, according to this, that means that someone could put a fancy legal document under a manhole cover saying "if you drive over this manhole, you agree to such and such".

    It's about the same thing - you never saw the agreement, so how could you have ever agreed to it? Surely they can't argue that a software program can enter into a legally binding agreement on its own - that would open up a whole other can of worms.

  18. Bottom Line by xant · · Score: 3, Insightful

    Address harvesting is illegal in some jurisdictions. If you're running a honeypot in that jurisdiction, and you can prove someone harvested an email address from you using the honeypot, it makes no difference whether they agreed to your license. They broke the law. If you go after them, you can nail them.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  19. another solution? by Anonymous Coward · · Score: 2, Funny

    Your post advocates a

    ( ) technical (x) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which vary from
    state to state.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    (x) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop spam for two weeks and then we'll be stuck with it
    ( ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( ) Requires cooperation from too many of your friends and is counterintuitive
    ( ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business
    ( ) Ideas similar to yours are easy to come up with, yet none have ever worked
    (x) Other: Extremely limited approach

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( ) Asshats
    (x) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    (x) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    (x) Extreme profitability of spam
    ( ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( ) Extreme stupidity on the part of people who do business with spammers
    ( ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook
    ( ) Other:

    and the following philosophical objections may also apply:

    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures cannot involve wire fraud or credit card fraud
    ( ) Countermeasures cannot involve sabotage of public networks
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough
    ( ) Other:

    Furthermore, this is what I think about you:

    (x) Nice try, dude, but I don't think it will work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

  20. Re:Arbitration proposed last year. by mabu · · Score: 2, Funny

    I proposed arbitration of disputes between spammers and anti-spammers last year in a spam related Usenet group.

    I propose a steel-cage-death-match style of arbitration.

  21. Re:Follow the Money ... California Spam Law does by triclipse · · Score: 2, Informative

    As looney as I think the California legislature is, they did a pretty good job on recognizing the economic incentives behind spam. California Business and Professions Code 17529 holds the advertisers equally accountable with the actual spammers:

    (j) There is a need to regulate the advertisers who use spam, as well as the actual spammers, because the actual spammers can be difficult to track down due to some return addresses that show up on the display as "unknown" and many others being obvious fakes and they are often located offshore.
    (k) The true beneficiaries of spam are the advertisers who benefit from the marketing derived from the advertisements.

    Part of the enforcement provision in 17529.5 starts:

    17529.5. It is unlawful for any person or entity to advertise using a commercial e-mail advertisement either sent from California or sent to a California electronic mail address under any of the following circumstances: ...

    IAAL in CA, and I am using this law to go after a few spammers. It is quite fun.

    --
    No Inflation Taxation without Representation