Slashdot Mirror


New Attacks on Spam

AttackOfTheDictionaries writes "Project Honey Pot started operating back in November. The Project provides its participants with a script that generates fake webpages with unique honeypot email addresses. The end result is that Project Honey Pot can connect email harvesters' IP addresses with the spam received by those honeypot email addresses. Which is pretty nifty, but left some people asking how that would help legal attacks on spam. Well, it seems that some lawyer over at SecurityFocus has an answer."

8 of 153 comments

  1. Simple. by numbski · · Score: 4, Funny

    You now have an IP address, and a known port number.

    You're going to sit here and ask a crowd of slashdotters what to do with that list?

    Publish it. Right here baby. ;)

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  2. Joined yesterday by Anonymous Coward · · Score: 4, Informative

    I donated a few MXs (10 different domains), and set up a few honeypots. It's fairly easy to do assuming you have a basic understanding of DNS, and you don't mind enabling short PHP tags (if using their PHP script).

    I do have some concerns though. Just from a few minutes with it, it seems like it'd be fairly easy for spammers to detect. They only have a limited number of MXs the spam can go to. You could just check where the spam was going, and stop it if it's hitting a honeypot. It'll probably work for a little while before the spammers have time to adapt.

    Also, while you can start tracking spammers at this point, you don't really get much out of it, yet. They apparently may set up some sort of HTTP RBL so people can stop bad crawlers, but it doesn't exist at this point.

  3. Until they farm harvesting out to zombies... by PornMaster · · Score: 4, Insightful

    When they farm out the harvesting work to zombies, it'll make this rather useless, no?

  4. Follow the Money by Lemurmania · · Score: 5, Interesting

    I've never understood why more attention isn't paid to punishing the businesses who advertise via spam. However well the spammers hide their tracks, there's a real company somewhere that wants to exchange services for cash. Why not attack this at the root? Why not make it a fineable offense to advertise via spam? Or would it be all-too-easy for a company to claim it never asked for the spam to be sent in the first place?

    It just seems to me that if you punish the money, there would be little to no incentive to spam. Any IANALs (or IAALs) like to comment on why this would/wouldn't work?

  5. Friggin' No Good Lawyers! by mekkab · · Score: 4, Insightful

    So wait, the spider/e-mail harvester's access of your web pages is illicit, YET the license on those pages is now binding? Including paying fees and agreeing to be sued?

    If this isn't an abuse of our legal system, then honestly, I don't know what is!!

    --
    In the future, I would want to not be isolated from my friends in the Space Station.

  6. This would be a bad thing (I am not a lawyer). by Sheetrock · · Score: 4, Insightful

    Even ignoring any possible First Amendment issues (which can be done if we discuss this hypothetically occurring only in other countries) imagine what kinds of doors are opened when you permit automatic sight-unseen licensing to take effect on material on the WWW?

    Here's a hint: website indexing as we know it will be completely destroyed the instant site owners can claim complete discretion about how their website information is used even though the websites are publicly disclosed. Any automated webcrawling process could potentially subject the person running it to liability. Which means any future indexing will have to be vetted by hand.

    I could be misinterpreting this, but I think it would be very bad news to allow websites to bind people to contracts they aren't able to read or understand (even if we have a similar horrendous system for end-users of software). It's one thing to write a law restricting such behavior on a general basis, or specifying some way for people to opt-out of information collecting with a robots file, but even that is subject to confusion.

    Technical answers are needed for technical problems.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




  7. Re:Where is the Mafia when you need them? by Zocalo · · Score: 4, Insightful

    And what makes you think the Mafia isn't involved in actually sending the spam in the first place? Take a step back and look at the kinds of technical and organisational infrastructures that are used in spamming. We have address harvesting, botnets and the worms and malware to generate them, scams, counterfeiting of goods, moving goods (pills) from one country to another, hosting of services in countries all over the world. Oh, and much of this is illegal too, and not just under legislation like CAN-SPAM. If that's not organized crime, then I don't know what is.

    --
    UNIX? They're not even circumcised! Savages!

  8. License agreements by TiggertheMad · · Score: 4, Interesting

    Ethan Preston, the lawyer that is linked to in the article above, mentions that the harvesters are forced to 'click through' a license agreement that has legal ramifications if broken. While this is a neat trick to put the screws to spammers, isn't it a bad idea in the grand scheme of things, as it lends more credibility to the 'click through' agreements that are packaged with software? If this were taken to court and upheld as valid, it could be used as a precedent.

    Now, admittedly, there is an important difference in that in one case you cannot read the agreement before buying the product, but the overall premise that such agreements can be legally binding would be the same. Also, since this is a tactic that has been developed to target harvesters, who the developers know will not be able to read or comprehend the agreement, wouldn't that invalidate the agreement? Simply: If I trick you into agreeing to a legal contract, is it any good in court?

    Also, as a side note, it would fall victim to all the same problems as EULAs. For example, if I was an evil spammer, I could probably get out of the clause by hiring a 17-year-old to run the harvester for me, since a minor cannot enter into a legal contract, it would be no good.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!