Cyber Crime Hits Big Time This Year
An anonymous reader writes to point out the Washington Post's analysis of this year's spike in junk email and online attacks, such as botnets and worms. Image-embedded spam emails made up an amazing percentage of all messages sent in the months of October and November, and something like four million bots are actively adding to that total. These botnets are also increasingly connected to organized crime, as are 'independent' hacker groups. The article goes on for three pages, and doesn't have a lot of hope that 2007 will look a whole lot better. From the article: "Experts worry that businesses will be slow to switch to the [Windows Vista]. And even if consumers rush to upgrade exiting machines or purchase new ones that include Vista, Microsoft will continue to battle security holes in legacy versions of Microsoft Office, which are expected to remain in widespread use for the next 5-10 years."
"Experts worry that businesses will be slow to switch to the [Windows Vista]. "
Maybe because Vista isn't written for security or for the businesses, or for anyone who buys it; it's written for DRM and for the RIAA and MPAA.
As the number of people online grows, the crime scene grows with it (at a slight delay).
A large enough number of people for crime to be viable online will stay gullible, no matter what we do.
This is another one of those "Wars" we simply cannot win. We can try to educate the masses, but in general it will not work.
A number of people within any social network will be defrauded somehow, and as they tell their stories (which most of them won't, afraid to seem a fool in the eyes of their peers), eventually these networks will become more resistant to attacks.
We can design tools to help this process. But there will never be a technical tool to stop all, or even a significant amount of the crime and fraud that goes on out there.
It's the American dream - everyone can make it rich, and some people will always think that it's the mail/phonecall/whatever they just received that'll make it happen for them.
I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
Not much on specifics in TFA, but apparently the major increase in spam (mainly those pump'n'dump stock scams) appears to be due to the Spamthru trojan which is being dropped by Warezov.
We've had a few stories on this before here and here.
henry -- the human evolution news relay
Yet, with a boot CD on Linux, I can inventory everything on the local hard drive and quarantine any suspect files. Yes, including loadable modules for the kernel.
Why aren't we seeing that for Windows? Running an anti-virus app on the system itself is useless if the system can be compromised at a more privileged level than the app is running at.
Not to mention that the users are notorious for NOT keeping their anti-virus apps updated.
And ISP's really should be looking at blocking or actively monitoring outbound connections to port 25. Come on! It's not that difficult.
Seriously. I have like 5 email accounts, and I doubt that's a lot compared to some people who use e-mail more than me. Three of which I will drop at a moment's notice. The other two I consider untouchable. They are whitelisted. You want to get to my good ones? You gotta go through the other three. Then, and only then, will you get to my inner e-mail sanctum.
So bots and spam and worms and identity phishers don't get to me. Part of the reason is that I simply don't pay attention to e-mails from unsolicited sources. That's half the reason cyber crime works at all: people are idiots when it comes to computers. Odds are you know someone who sees a pop-up disguised to look like an authentic Windows message box and clicks on the buttons thinking they are actually talking to Windows and not some porn-site-based phisher and thief. Odds are you know someone who thinks those e-mails are from someone with an actual product instead of a phishing scam, like a second chance offer from www.ebay.cra.cz or something similar.
These criminals are simply separating stupid people and their money. I know, I know, it's a harsh perspective. You know somebody who got nailed so you want to mod me down because I called your friend stupid. Well, hopefully they learned. The saying goes, fool me once, shame on you, fool me twice, shame on me. It's true.
TLF
I do not respond to cowards. Especially anonymous ones.
At a certain point internet users are going to have to get down with the fact that spam isn't like weather, it's not an environmental effect. They're going to have to learn to make sensible choices: like not using Outlook Express, IE, not exposing their email on their websites in clear text, mass CC'ing friends, and realising that by using operating systems like Windows they are supporting a broader economic machinery that provides a ready platform for the widest possible proliferation of spam, despite the empty pledge of our self-elected Bayesian martyr, Sir Gates.
Only then will we start to see a real reduction in spam in general. Spam is, in part, a supply and demand system. We're getting a lot of spam because statistically speaking, it's justifying the expense of its implementation and distribution. Windows especially is actively a part of the macro-economics of spam, the multi-billion dollar cat and mouse game that it is. Stop supporting the proliferation of spam. Companies, schools, organisations ought to take responsibility for educating the users of the computer terminals they provide and make sane choices come time for them to spend their technology budget.
Microsoft will continue to battle security holes in legacy versions of Microsoft Office
Right now, Microsoft has a number of known documented security holes in Office, and they don't seem to be doing very much about it.
Microsoft's suggestion, not opening office documents from other people, isn't realistic with most companies.
What we need is more effective law enforcement. There aren't that many spammers any more. Look how few different spams show up. The top three or four spams represent most of the volume. We need a law enforcement effort aimed at finding the top ten spammers and putting them in jail.
...so there is more article than ads.
http://www.washingtonpost.com/wp-dyn/content/article/2006/12/22/AR2006122200367_pf.html
Until some jackass forwards you an article, includes you on a mass email, sends you an e-card, etc.
Like you, I've got an array of email address (scores of them, actually), with one final true "use this if you must reach me" email address known only to a very few close, personal, and technologically savvy friends. Gradually I blacklist the ones that get too much spam, but sadly the primary general-acquaintances email address is in full spammer rotation now, and I may have to drop it soon. That will be painful. The filter I use keeps it to a tolerable level, but just barely.
Furthermore, don't wait around for fscking Vista to fix problems that Microsoft cannot afford to fix.
Protecting computers from vulnerabilities that need not be there in the first place is a multi-billion dollar business encompassing thousands of product and service vendors world-wide that ultimately trickle capital back up the vulnerability supply chain.
This bizarre altruistic myth of Microsoft working around the clock to solve these problems, to deliver the customer a trouble-free computing experience, is to be awash on the shoals of pure reason. It is idiocy. No monopoly in its right mind can afford to produce a flawless, self-obsolescing product. MS is all about creating a sickness and providing itself as the only cure. There's no reason that given time, Apple would do otherwise either - such is the legacy of these old proprietary software corporations and their rental operating systems.
If you want to step out of this self-flagellating pit, try a desktop quality BSD or find peace in the sanity of a certain brownish distribution of Linux.
And don't forget that one cracker can find one exploitable hole and make a lot of money off of it. Either in "identity theft" or by creating a zombie army and selling those services.
If s/he went legit and tried to sell anti-virus software, s/he would need to be as good or better than all the other virus/worm/trojan writers out there. The payoff vs effort quickly becomes worthless. A little effort for a big payoff is what crime is all about (and a number of other endeavors).
I think that 2007 is the year we'll see action from ISPs to proactively neuter zombies on their network. It's been several years of DDOS's now and the technology to compile which IPs have been hacked is available. All we need is some incentive to push ISPs to look after their own network. Maybe make a public list of the worst ISPs for sending SPAM?
The attached image is my own personage representing me as a reasonable and trusted person. My truthful intentions are above reproach and presented to you in a reasonable and trusted manner.
I get one of these about every other two or three months. I just build another filter and notify my ISP.
The only thing new in this world is the history that you don't know.[Harry Truman]
I know I've sent a lot more spam this year. So far on the order of 100,000 emails.
But most of you will be happy. Its all been on Myspace.
Read his post again for the solution to your problem - a whitelist. I have one "top level" email that is whitelisted, and of course doesn't get more than a message or two a day. Then I have 2 or 3 "main" emails with simple, decent, blacklist filters that see real use (and are rotated, very rarely) and then one "open" hotmail address that dies like weekly... when I have to register for something I know is bad I remake it, use it once, then leave it alone to die under space limits and inactivity in a week or two.
If they hadn't made such an insecure operating system, we wouldn't have any of these problems!!
I hate that argument, because it's completely incorrect. The vast majority of people who use computers have little idea how they work, or the difference between viruses and spyware and adware. If it's easy for them to do what they need to do, they'll be happy. Linux may be extremely secure, but the reason it is hardly used as a desktop OS is because the vast majority of people don't know how to easily do what they need to do using it. To meet all users' desires, you'll always have to sacrifice some security for ease-of-use. IMHO, Microsoft has done quite a decent job of making this balance in Windows. For all the people who do know how to use a computer and want security, there's Linux and OS X.
The fact is that you'll always have a lot people who use the easiest thing available, even if it is insecure. You'll always have the people who turn off the firewall because it makes their IM program not work, you'll always have the people who ignore the 'This file may harm your computer!' dialog. As a result, malware, worms, etc. will always be a problem.
An anonymous reader writes to point out the Washington News's analysis of this year's spike in telemarketers gulling lonely old people, such as lonely old men and lonely old women, out of their life's savings.
As long as there is prey, there will be predators. Stamping out the predators is a game of whack-a-mole, so the best solution is to try to educate the prey. And if you can't, well, what are you going to do? Legislate against it? Pfft!
--Rob
Towards the Singularity.
Spamhaus! http://www.spamhaus.org/statistics/networks.lasso/
A series of entries on my discovery of click fraud, how I detected it.
http://www.realmeme.com/roller/page/realmeme/Weblog?catname=%2FClickFraud
I'm planning to work it into a Defcon 15 submission.
A series of entries, logs & graphics about how I detected suspicious network traffic. I'm hoping to expand it into a Defcon 15 submission on click fraud.
http://www.realmeme.com/click
Ahem. I believe the correct quote is... "Fool me once, shame on you... uh, fool me... you won't get fooled again." With apologies to George Bush ;)
I wish that ISPs would clean up the bots, but they won't because it would be too expensive. How would an ISP neuter a zombie without disrupting the idiot customer's PC? And if they sever the net connection of bot-infested machines, then who pays for the customer service costs of telling customers that it's the customer's fault that their PC was knocked offline? I'm thinking that each cranky bot-infested customer will cost the ISP $10-$30 in customer service costs (= long calls to explain why they were knocked off the net, what they need to do about it, etc.) for each and every time the customer gets pwned (some customers will probably get infected several times a year or more). Not to mention, the first ISP that does this will get hammered by crime syndicates that don't want their botnets disrupted. Something tells me that the cost to an ISP for letting bots survive is much much lower than the cost of trying to kill them.
It may feel good to blame the idiot that let their machines get infested, but that doesn't pay the salaries of the customer service munchkins (even at low India call center prices).
Two wrongs don't make a right, but three lefts do.
ma sminu di'e
What is your point? There is a technical tool to stop the crime and fraud. Unplug the net. Write in Lojban to close friends, or just yourself. Oh, you weren't expecting that answer, were you?
Honestly, if you're eagerly waiting for Vista to accomplish anything for you other than make you $200 poorer, you're fooling yourself.
Schwab
Editor, A1-AAA AmeriCaptions
The vast majority of people don't need to run an SMTP server at home. Just block troublesome IP addresses from sending to random IP addresses and let them use only the ISP's SMTP servers. The few folks who run a full mail server at home, like me, can find an alternate solution, like SMTP Smart Hosting - aka forwarding to the ISP's mail server.
This wouldn't do anything to reduce DDOS's though.
One of the problems is that most home ISP's do not design their networks with security in mind.
If I were doing it, I'd set up multiple networks. Different clients have different characteristics, so why shouldn't they be on different networks that support those characteristics? And each with its own outbound email servers.
a. The cheapest monthly rate would go to customers who would accept a block on all outbound port 25 traffic. They only route to your email server and that is monitored. Anyone suddenly sending more than X amount of mail (or X times as much mail as their average) is flagged.
b. For $5 or so MORE a month, you can be on a network with metered outbound port 25 access. Metered by message count, not size. And monitor the email sent through your server the same as in "a".
c. Finally, we have the "other" network. This is where machines get placed when the network monitoring indicates a problem with that machine. Remember the 80/20 or 90/10 rule. Most of your "problems" will be caused/reported by a small sub-set of your users. So you move them to their own network. And the email server monitoring the same as in "a".
Example, you have three T-1's coming in. Each network gets its own T-1. The people on "a" see lots of bandwidth because none of them are spewing spam or worms or stuff.
The people on "c" see lots of congestion, even though there are fewer of them and they have the same total bandwidth as "a".
There, now anyone looking to block spam coming from your network should have an easy time. There will be no outbound connections from "a" except from your mail server and that is monitored. The worst that can happen from this would be the targeted phishing attempts. And that's not very likely because they tend towards the free accounts.
Yet anyone can (and should) block crap from your "c" network except from your mail server (which should be subject to increased scrutiny via SpamAssassin and such).
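One way to implement the monitoring in step "a", as an added example rather than anything from the post: a Python script that tallies messages per customer from a constructed relay log and flags anyone over an absolute daily limit or over a multiple of their own daily average. The limits, the log format and the customer ids are assumed.

```python
"""Flag customers whose outbound volume through the ISP mail relay jumps.

Rule from the post: flag anyone sending more than X messages, or more than
X times their own average.  Both thresholds below are assumed values, not
anything the post specifies.
"""
from collections import defaultdict
from statistics import mean

ABS_LIMIT = 500         # messages per day before the absolute rule fires (assumed)
RATIO_LIMIT = 5.0       # multiple of the customer's own daily average (assumed)
MIN_HISTORY_DAYS = 3    # days of baseline needed before the ratio rule fires


def parse_relay_log(lines):
    """Return {customer: {date: message_count}} from 'YYYY-MM-DD customer' lines.

    Assumed log format: one line per message accepted by the relay.
    Blank lines and '#' comments are ignored.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, customer = line.split()[:2]
        counts[customer][date] += 1
    return counts


def flag_senders(counts, today):
    """Return {customer: [reasons]} for customers that trip either rule on `today`.

    The baseline is the mean of earlier days on which the customer sent mail;
    days with no mail are not counted, which biases the baseline upward and so
    makes the ratio rule conservative.  ISO dates compare correctly as strings.
    """
    flagged = {}
    for customer, per_day in counts.items():
        sent_today = per_day.get(today, 0)
        history = [n for d, n in per_day.items() if d < today]
        reasons = []
        if sent_today > ABS_LIMIT:
            reasons.append(f"{sent_today} msgs > absolute limit {ABS_LIMIT}")
        if len(history) >= MIN_HISTORY_DAYS:
            baseline = mean(history)
            if sent_today > RATIO_LIMIT * baseline:
                reasons.append(
                    f"{sent_today} msgs > {RATIO_LIMIT:g}x daily average {baseline:.1f}")
        if reasons:
            flagged[customer] = reasons
    return flagged


def constructed_log():
    """Build a small constructed relay log (invented data, not real traffic)."""
    daily = {
        # steady sender that suddenly spews: trips both rules
        "cust-a": {"2006-12-18": 40, "2006-12-19": 38, "2006-12-20": 45,
                   "2006-12-21": 41, "2006-12-22": 1200},
        # light user whose volume jumps 15x but stays under the absolute limit
        "cust-b": {"2006-12-18": 2, "2006-12-19": 3, "2006-12-20": 1,
                   "2006-12-21": 2, "2006-12-22": 30},
        # busy but consistent mailing-list host: never flagged
        "cust-c": {"2006-12-18": 300, "2006-12-19": 300, "2006-12-20": 300,
                   "2006-12-21": 300, "2006-12-22": 320},
        # brand-new customer with no baseline yet: only the absolute rule applies
        "cust-d": {"2006-12-22": 60},
    }
    lines = ["# date customer  (constructed sample)"]
    for customer, days in daily.items():
        for date, n in days.items():
            lines.extend(f"{date} {customer}" for _ in range(n))
    return lines


if __name__ == "__main__":
    flagged = flag_senders(parse_relay_log(constructed_log()), "2006-12-22")
    for customer, reasons in sorted(flagged.items()):
        print(customer, "->", "; ".join(reasons))
```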
So, under the auspices of Economic Security, some random ideas to rebuild confidence in the email network:
The domain name is the primary reference point for a reputation base. If a domain can be spoofed, reputation fraud ("Identity theft") becomes more likely. So, harden DNS with some ubiquitous public key crypto. If you want a domain, you must provide a public key; the key authenticates you to modify the entry. If you lose the key, tough cookies; you'll have to wait for the registration to expire before you can regain control of it.
All clients presenting mail for delivery must present credentials. No credentials, no delivery. In an ideal universe, the client's credentials (public key?) would be presented as part of the SSL connection, so the SMTP server wouldn't have to do anything special.
If you're not on the local subnet, and your IP is not registered as a Mail Exchange, then no relaying for you without prior arrangement. Assuming a hardened DNS, we can reasonably rely on the authenticity of the MX record.
Blanket blocking of connections on port 25 is excessive -- some people have a legitimate need to drop mail on smarthosts outside the local subnet. However, if the routers observe an internal IP address spraying port 25 connections to, say, a dozen different IPs over the course of a minute, then that's probably something the network admins would want to look at more closely. This would do nothing to thwart a parallel "shadow" network of compromised hosts acting as spam relays for the subnets on which they're located. But for a while you'd get a pretty good map of machines to clean up.
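The router-side check described above, as an added example that is not from the post: a sliding-window detector over constructed flow records that alerts when one internal address opens port 25 connections to a dozen distinct hosts within a minute, while a host relaying through a single smarthost stays quiet. The record format, the addresses and the thresholds are assumed.

```python
"""Detect an internal host 'spraying' port 25 connections at many destinations.

Each flow record is assumed to look like 'epoch src dst dport', one per line,
as a router or flow collector might export it.  Threshold and window follow the
post's "a dozen different IPs over the course of a minute".
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 12   # distinct destination IPs on port 25 within the window


def parse_flows(lines):
    """Parse constructed flow records into (ts, src, dst, dport) tuples, time-ordered."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    flows.sort()
    return flows


def detect_smtp_fanout(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: (first_alert_ts, distinct_dsts)} for sources whose port-25
    connections reach `threshold` distinct destinations within any `window` seconds.

    Only fan-out is measured: a host opening many connections to the same
    smarthost never trips the rule, and non-SMTP traffic is ignored entirely.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, dport in flows:
        if dport != 25:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and src not in alerts:
            alerts[src] = (ts, distinct)      # record the first time the rule fires
    return alerts


def constructed_flows():
    """Constructed flow export (invented addresses from documentation ranges)."""
    lines = ["# epoch src dst dport"]
    base = 1166780000
    # 10.0.0.5: legitimate user relaying via one external smarthost, 20 connections/minute
    for i in range(20):
        lines.append(f"{base + i * 3} 10.0.0.5 198.51.100.10 25")
    # 10.0.0.9: infected host delivering direct-to-MX at 15 different hosts in 45 seconds
    for i in range(15):
        lines.append(f"{base + i * 3} 10.0.0.9 203.0.113.{i + 1} 25")
    # 10.0.0.12: web browsing, many destinations but on port 80, so ignored
    for i in range(30):
        lines.append(f"{base + i} 10.0.0.12 192.0.2.{i + 1} 80")
    # 10.0.0.20: 15 SMTP destinations spread over 30 minutes, below the per-minute rate
    for i in range(15):
        lines.append(f"{base + i * 120} 10.0.0.20 203.0.113.{100 + i} 25")
    return lines


if __name__ == "__main__":
    for src, (ts, n) in sorted(detect_smtp_fanout(parse_flows(constructed_flows())).items()):
        print(f"ALERT {src}: {n} distinct port-25 destinations within "
              f"{WINDOW_SECONDS}s (first seen at epoch {ts})")
```

Feeding the same detector real flow exports only requires adapting `parse_flows` to the collector's column layout.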
I'm really fucking tired of seeing this garbage on Slashdot every time MS release a new OS.
It doesn't matter how crappy Vista is, it will still become the new "standard"!
Just as all the previous MS OSs did (except WinME), so ditch the whole "Nobody will use Vista!" wishful-thinking shit already!
Yes, I can agree with that.
And it is not going to change. Which is why it is necessary for the OS vendors to ship their product so that the default configuration is as locked down as possible. In my opinion, Ubuntu achieves this in an admirable fashion.
Actually, that would be because of Microsoft's monopoly on the desktop. Breaking free of the monopoly takes a LOT of effort.
Nope. Look at a Mac. Talk to Mac users. They don't need to become experts on their systems to use them more securely than Windows. This is because Apple has implemented a more effective security model than Microsoft.
But it is Microsoft that is using the monopoly to restrict access to more secure systems. Don't blame the users if the monopoly is actively trying to limit the options.
Why do you have to turn off the firewall so you can run your IM program? Would you accept a car that you had to disable the air bag in order to play a CD? Ubuntu is effectively immune to worms because it, by default, does not have any open ports.
Microsoft is skipping the FIRST rule of security: do not run anything that is not absolutely necessary.
The reason that so many Windows machines are infected is NOT because they're running some IM client without a firewall. It's because the default configuration was insecure. Too many services that were not needed were running and vulnerable.
If 100% of the Windows boxes start vulnerable - you need a LOT of extra work to secure them.
If 100% of the boxes start without open ports - you'll need a LOT of extra work just to make them vulnerable.
In the end, it all comes down to how much effort is needed. Start secure and you'll always win that scenario.
What would you think if professionals in these various areas figured you were a moron because you did a stupid in their field of expertise? The stupid isn't the guy who got suckered - the stupid is the guys that were supposed to provide a solid system (EG: Microsoft) who failed utterly at their task.
Ask yourself - what if a doctor gave you a lightweight antibiotic to treat pneumonia? Well, it happened to my wife - and I don't blame my wife for not knowing the different kinds of antibiotics. Computer technology is, for most users, not much different. And the computer industry as a whole is generally lacking in professional competence in providing reasonable security measures, and the leader of the pack is Microsoft.
I don't think you realize how protected YOU are from fraud and the like by an active legal system and rather strict laws (that vary from state to state) on the subject of "merchantability". When a store takes back something you purchased in the last 30 days, it's partly because IT IS ILLEGAL TO SELL SOMETHING as "new" and refuse to take it back if the customer isn't happy within 30 days of the sale. (In California)
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I just set the remote users to use 587 or 465 (depending upon whether you're a Microsoft shop or not) instead of 25.
The only real limitation here is what the client software will accept as a configuration option. Various versions of Outlook (including many of the PDA's and phones) will only allow you to set "must use SSL" which gives you port 587. If you limit those connections to ones that require a username/password, that solves that problem.
So far I haven't found a single ISP that blocks either 465 or 587.
There really is a need for ideas for the next generation of e-mail.
If reports are to believed we're closing in on a point when nearly 100 percent of messages will be spam. The spam blockers that were effective a year ago are becoming increasingly leaky.
Whitelists may work for some people, but not for anyone running a business. Proposals that require tens of thousands of ISPs to significantly change how they handle mail probably aren't going to fly unless legislated. And legislation will only work within the boundaries of one country.
Besides, ultimately it is only the recipient of an e-mail message that can judge its legitimacy or usefulness.
So how do you create an e-mail replacement that's as easy as what exists now, immune to spam, and is an easy upgrade from what we have now?
Three Squirrels
... thinks Vista will change anything? The exploits are already being marketed and published. It reminds me of the "use XP SP2" chorus, when the only thing that did was break existing applications and push more obnoxious EULAs and DRM. We will soon see Vista added to the list of threats which currently list XP, 2000, XP, 98 etc back to the earliest version the watchers care to add. The reason those threats typically break every previous version of Windoze is because M$ rarely rewrites anything and the same old binaries are passed on from version to version. Vista was made the same way the other versions were and the same old process is going to yield the same old results. Vista is the same old same old.
Friends don't help friends install M$ junk.
So spam will diminish in 2007? Happy to hear that.
So, let me get this straight, even if customers rush to upgrade exiting machines.... wait, brainfry.
Let me try that again.... Exiting machines...
Nope, there goes my brain.
"Women are just like ninjas; They lie even when it is more convenient to tell the truth." ~ Unknown
"Are you a competent attorney? Tax accountant? Automotive Mechanic? Manufacturing supervisor? Medical doctor?
What would you think if professionals in these various areas figured you were a moron because you did a stupid in their field of expertise?"
These are not cases of being a moron because you don't know how to do something, it's because you ignore that you are not smart enough to do them. A lot of people get their cars fixed for them, hire lawyers, have people do their taxes, etc... How many people forward their emails to people to make sure they are legit? None. People who don't know how to drive but drive anyway and crash the car have only themselves to blame, this case is the same.
Emails are too easy to get, if it was harder; cases of this would drop by a LOT, because people who didn't know how to use emails wouldn't be using them. Not like that's going to happen, or if it would even be a good thing, but it does say people should avoid messing with things they can't comprehend.
Great Intellect...
And if they can fix security problems with One Care, why couldn't they fix them in the OS in the first place?
So first, we pay MS for the OS... then we have to pay them again to make it secure? Sounds like a scene from The Godfather.
Now, I know someone already tried to write an anti-botnet botnet for code red, but couldn't someone start hijacking computers that would monitor honeypot spam addresses for spam, then by reading the headers, see what exploited machines were spewing spam, then hack into them, patching the security holes and shutting off the spam trojans?
Of course, with as much money as there is in hacking type stuff, I'd be afraid of the enemies I'd be making.
-Bucky
...ah so desu... The bigger problem than the software may be the wetware. "Social engineering" is still the most reliable attack vector.
Shut down bots. Only option to get rid of the networks. Make people care. Pass a law that forces ISPs to shut down known bot-infected customers until they've cleaned up, on penalty of severe fines. I work for an ISP. We can do it, but won't for fear of customers becoming angry and moving elsewhere. That's why it has to be a law so there is no elsewhere to go and the rules are the same for every ISP.
Assorted stuff I do sometimes: Lemuria.org
Considering the cost of Windows upgrades in general I really cannot see Vista taking over on a consumer level any way other than new machine purchases.
What are you apologising for? We all know that George Bush can't read
Good point. But I think you can at least consider e-mail a social avenue. With that said, social engineering over e-mail is quite common. And learning how to adequately filter and deal with the harmful messages becomes the same as being able to deal with somebody who calls 'from the IT dept.' because they need to fix your account at work but they don't have your password. Neh?
They actually mention that the botnets and security flaws they are talking about are Microsoft problems, and not some flaw with the Internet or "PCs" in general. Seriously, every last single dire article about the state of internet security that appears in the Edmonton Journal (for eg) steadfastly refuses to lay the sorry state of home users security at the feet of the company almost entirely to blame. It's amazing how general they keep the articles in order not to admit the obvious.
Fiat Homos et Pereat Theos
Along these lines, last Wednesday the INquirer ran a piece of mine, an interview with Scott Chasin, CTO of MX Logic, talking about the techniques in use by the spammers (branching out into p2p architecture). Chasin, too, believes things will get worse. And, from the sounds of it, the measures taken by service providers and others will continue to make the Net a far more restrictive place than it was originally designed to be.
wg
No offense mate, but the argument you state is a specious one at best;
>"Are you a competent attorney? Tax accountant? Automotive Mechanic? Manufacturing supervisor? Medical doctor? What would you think if professionals in these various areas figured you were a moron because you did a stupid in their field of expertise?"
I'd think they were right.
-Not reviewing a contract you're signing is dumb (but common)
-Not keeping your receipts and 1040's and tax returns in order is dumb (but common)
-Not changing your oil on time and burning out your engine is dumb (but common)
-Not wearing your safety gear on the job is dumb (but common)
-Not going to see your doctor when something abnormal happens is dumb (but common)
It's called personal responsibility mate, and a lot of people don't have it, and cry woe is me when they get nailed. I wish they *could* learn from their (or better yet other people's) mistakes, but, sadly, they are dumb.
> ... the only program I ever had to install by hand was ies4lin.
:-(
Wow!, now how did you know you need to run "dfs3dse". Oops, sorry, it was "ies4lin". How did you know this?
I really wish I could use Linux. Well, I managed to use it a little bit, but not in a very useful way. After Mandrake 9 failed to install completely, leaving me with the task of providing a graphics driver for my very common ATI card from 1998 that it could not provide, and leaving me with a text-only interface but with no instructions on how to proceed from there (and no instructions on how to just make it use a standard VGA driver like win98 did on the same PC until the manufacturer's driver was installed from CD), I tried Knoppix 3.7 which worked slowly but provided some functionality. Then Knoppix 3.9 failed to work on the same PC. Then I tried Ubuntu that came nicely and showed a blank screen that reminded me of why I stopped using university UNIX in the late 20th century and instead brought my own private laptop with win98. It was because of the way UNIX provides info to users: everything is documented. In the most sensible way. Alphabetically. I can find anything I want. Like I could just type "man ies4lin" and I would get all the info on it. EVERYTHING! Every little option, all conveniently listed alphabetically. I just have to scroll down to the option I want to know about. Now how do I know what I want to know about? Well, I thought I could just install some standard distribution, start using it and learn along the way, but I tried several times and it didn't work out.
Not that I know nothing about computers. I can read email headers and I can read RFCs. I can write html and css and a little javascript. I know enough to use WinXP under a non-admin account and behind a hardware linux based firewall (that a student of mine installed for me). I did a lot of fortran programming in the past, and used Unix for many years (but someone else maintained it). I still wasn't able to install a single distro in spite of trying several times, and I don't believe someone without any computer experience can. And even when I could run a live CD distribution getting help on trivial things like keyboard shortcuts was very difficult. Usually you need to know the name of an app that does something to find out how to do it.
I still want to use Linux. I just don't seem to be able to get to the starting point where I can start learning while doing some real work.
No amount of education to users will stop spammers.
You may think that spammers send you their spam because they are trying to sell you something, and that you outsmart them by filtering their spam out, or by recognizing it and refusing on principle to buy from them (if perhaps they are selling something you wanted).
Spammers are not sending their spam to you. They are sending to someone else who will never learn and will buy whatever they are selling. The fact that you are getting spam is a side-effect. If they could avoid sending it to you at a reasonable cost to them they would not send it, because they never meant to send you email. However, since they happen not to know the email address of their customer (that someone else that is not you that is the intended spam recipient) it is more cost effective for them to issue instructions that deposit a copy of their message in every existing mailbox, and since they don't know what mailboxes exist, it is easier for them to issue routing instructions that route their message to every known string that contains an "@" sign. Some of those strings are working routing instructions, and some of those routing instructions are instructions that deposit email messages in mailboxes, and a few of those mailboxes happen to be the mailboxes of their customers, that could have been located by the old-fashioned way of market research, but the old-fashioned way was replaced by the modern more cost effective way of stealing computer and network resources and using them to issue routing instructions to every string that contains an "@" sign.
Now there are faults in this new method: there are lots of side effects (like you getting a copy of this message, like bounces produced from routing instructions that failed to work, etc.). Spammers cannot deal with the consequences of all these faults. Their resources can deal with the few customers they really did try to contact. Luckily for them they don't have to deal with the consequences, because you actually don't respond to their messages in the same way that a real customer would, and as their real customers are distinguishable from side effects they only have to locate the resources to serve their intended customers.
No matter how much people will be educated about not dealing with spammers, spam would remain effective, perhaps even more effective. There will always remain a small percentage that would still make money for the spammers, and these are the real recipients of spam. The mistake in believing that educating people would starve spammers is in actually believing that the millions of spam recipients play any role in the spammers' business model. They don't! They are side effects, and they are actually helping spammers by spending lots of money to filter spam so it only goes to the spammers' intended audience. If you want to really hurt the spammers' business model, you have to stop being a side effect, and join the spammers' audience. You have to respond to spam in a way that is indistinguishable from real responses from interested customers. You have to make them have to serve you the same way they do serve those real customers of theirs but without providing them with any real value. That would increase their costs to the point where their business fails. You have to fill their contact forms with info that is indistinguishable from real interested customers' info (until manual contact is made and fails). You have to fill their purchase forms with info that is indistinguishable from real purchase info (until the point when the credit card company says the cc number doesn't match the billing address/name). The only way to hurt spam is to cause spammers to have real extra costs. And the only way this can work is by real people who are not their intended audience posing as real customers and requiring service but creating no revenue.
That of course doesn't deal with all kinds of spam. That kind of image spam that recommends petty stocks has no contact info. And some people that "fall for it" actually make a profit (
Stas Bekman wrote a good article on the subject - http://www.onlamp.com/pub/a/onlamp/2006/10/12/asynchronous_events.html
... just charge 0.5 cents for sending an email. Once Joe Sixpack gets a bill for $5000 for emails sent by his Windows bot, a.k.a. PC, he will start to take security seriously. His first question is going to be, "What can I do to stop this?", and then maybe he'll listen to the advice we've been trying for years to get through to him. Secondly, even if spammers send out emails from their own accounts, charging for it would quickly raise the bar to the point that it's no longer profitable.