Could Fake Phishing Emails Help Fight Spam?

Glyn Moody writes "Apparently, the US Department of Justice has been sending out hoax emails to test the security awareness of its staff. How about applying a similar strategy to tackling spam among ordinary users? If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary. The system would be cheap to run — spam is very efficient — and could use the latest spam as templates."

Seriously?

[jeffasselin]

The spam problem will not be solved with laws or pretty tricks like this.

It is a technological problem, and as such will be solved by technological changes: the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.

Re:Seriously?

[caffeinemessiah]

Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.

Sigh...it's so tiring to hear people on /. say things like "it's a technological problem" about spam. Do you know how easy it is to get a personal digital certificate from Thawte? Fill out a few forms, download your PKCS certificate. What's to stop your sooper-dooper anti-spam system if you can authenticate a spammer? Remember, if you can legitimately receive an e-mail message from ME (a stranger to you, presumably), you haven't "solved" spam. If you can't legitimately receive an e-mail message from me, I can't tell you that I'm your long-lost twin brother (i.e. your email system is then useless).

Re:Seriously?

[IBBoard]

If the zombie box has username/password on a legit account (or whatever the authentication is) then no protocol will help. It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem). I don't think anything can solve the "spammer signs up for asdfghjkl.com and starts sending email through that server" spam.

I don't see how this'll help, though.

1) The people who fall for this won't actually learn until they're actually stung, not just an email that says it is from a government agency
2) Chances are they'll probably be more suspicious of the 'Government Agency' email than the "get stuff cheap" email because they're interested in getting stuff cheap, but why would they get an email from the Government
3) Spam is spam is spam
4) Spammers/phishers will piggyback the Government emails, clone them and send out similar emails saying they'd been caught by one of these traps, so go to [insert site]
5) Despite what I said in 1), some of these people will never learn (see the people who get conned out of thousands of £/$/etc)

Re:Seriously?

[Elledan]

How is this a technological problem? How is a user failing to properly read and/or comprehend that the email he or she just received is trying to scam him/her out of money or (personal) information or worse a technological problem? What if a user gets infected by a virus/trojan/worm/rootkit because he had to click on the executable attached to the email received from either a stranger, or from a person who would never send such an email (at least not unannounced)?

Spam is a matter of social engineering, of convincing someone to buy a product, give out information or click on a random executable, even though every rational fibre in that person's body should warn against doing so. Yes, using something more robust than SMTP would help, but it's no cure against stupidity and botnets.

I like this initiative, I just wish it would target those who are already at risk of 'stupid-clicking' instead of those with more than one braincell. It's disappointing that those who do respond to spam emails (twice or so...) don't get taken out of the gene pool either :(

Re:Seriously?

[IBBoard]

It's probably a good idea overall, but it would get a lot of criticism as either a) people with email sending addictions sent too many emails and got caught or b) people with infected machines probably wouldn't know/care about what to do and would just object to being blocked.

ISPs blocking ISPs is potentially asking for trouble, though. It's like IP blacklisting, but it leaves a lot of innocents getting hit just because the ISP hasn't dealt with some trouble makers to some arbitrary degree to make another ISP happy.

Re:Seriously?

[Chyeld]

And for that I refer you to this comment.

Why is it so many otherwise perfectly intelligent people act as if a solution which doesn't solve 100% of the problem must be completely worthless?

"You know, it's 20 below out, and you are standing in a swimming pool slowly freezing. You could get out and go inside.

"Nah, I'd still be wet and cold."

Yes, a 99% effective solution (i.e. something that reduced the actual volume of spam by 99%) would likely not result in any fewer people clicking on spam. But it would mean a 99% reduction in spam.

How, in the great wild wild world of the web, do you look at that as a bad thing. Do you know how much of the current traffic in the world is spam?

Re:Seriously?

[grumbel]

The point of authentication is to get accountability, not to get instant filtering. If a spammer is using a fake certificate, that certificate can be blacklisted. If some company isn't checking for fake date, certificates by that company can be blacklisted. If random joe is sending me good mail, I could white list him. If random-mail-provider.com is doing good at stopping fake accounts, I could whitelist them as well. And when you would send your twin mail via a good email provider it would arrive just fine.

Today you have the issue that you can't really do much, because you can't tell where a mail did come from. Most of the data in the headers is completly fakable and useless, and yet they get used a lot for mail filtering because its the only data we have.

Re:Seriously?

[1u3hr]

The problem with spam is that there is no accountability. If you can't find the guy who sends the mail, you can't punish him,

Most spam is motivated by profit: trying to sell something to the recipient. There is therefore a money trail. Law enforcement could simply respond to a small proportion of spam and track where the money goes, and then prosecute for fraud, selling unregistered drugs, tax evasion -- it;s a good bet they are breaking some existing laws, no new "cyber laws" are needed. But they don't because governments really don't care about it. Each spam is a fleabite, and below the threshold for which they take action (I've heard at least $5000 for the FBI). And various business lobby groups have made sure that there are plenty of loopholes so their marketing material can get through.

My point is that they CAN find the spammers. They don't even try. Slashdottes foam at the mouth and talk about lynching. We imagine the rest of the world shares our hatred for spammers. But really, most people don't care. Governemnt leaders don't care, if they use email at all it's filtered by their staff and they never see spam.

Re:Seriously?

Exactly,

Follow the MONEY.

To make it worth "the government" following up on it they (we, who ever) set up 10,000 "monitored" addresses on various domains, preferably already existing ones. (I would gladly give the project an email address or two on all 3 of my domains for free...)

All the spam from those addresses gets collected by central server and pattern matched to determine if they have the same reply to/web link/whatever.

You then follow the money back to the seller and fine them $1000 per email.

Even if only 10% of companies that use spam as a sales tool got fined $5,000,000 it would cause the others to seriously reevaluate their marketing strategy, and 5 mill should be more than enough to make some LEA decide that this is a worthwhile plan.
 

Re:Seriously?

[Ironica]

I'm not a kernel developer, but every mailing list to which I once subscribed moved to web based forums, which I find much, much more convenient to use. I think mailing lists are a relic which some are reluctant to give up, and I'm sure there may be good reasons for that. I just don't know what they are.

Here's some of the reasons I prefer my mailing lists to forums:

* I don't have to remember to go there; it comes to me.

* I KNOW what I've read already.

* I can set up filters to mark my own "posts" as read automatically, to delete posts from people I'd rather not hear from, to flag items with particular subject lines, etc.

* Thunderbird has a good search tool. Online forums often don't, and it's luck of the draw whether they do or not.

* If the internet is down, I can still find that post that tells me how to do what it is I want to do right now.

* I can (with the original poster's permission) forward all or part of a message to an individual or another list.

* I can (with discretion and an x-post note) post the same text to multiple lists at the same time.

I'm sure there are other reasons, but those are the reasons I've advocated against email lists I belong to switching to online forums. Since most of them are Yahoo groups, though, people *can* read them as web forums if they want to instead.

Re:Seriously?

[Chyeld]

First off, if the item is in the "what if" pool and isn't effective, then loosing it shouldn't matter.

Secondly, if the sole argument you are going to present is "It's hopeless! Just give up!", then frankly I wish you would.

Our current system for email is virtually 100% open and unsecured. No, I don't think we'll ever eliminate spam. And yes, we may take steps in the search for the 'optimal plan' that end up being a total waste of time.

But at the end of the day, the only thing you have presented so far is pessimism. That doesn't prove your case or make your point.

Even if we never get around to tearing down SMTP and replacing it with something designed to be secured from the start (and why the hell not given we could use that for MTA-MTA connections and still present an SMTP emulation for MUA's) there are plenty of aveneues for us to take in locking down what we do have to work with.

And regarding the "now people will trust spam more" malarky. Stupid people do stupid stuff. News at 11. The point of SPF isn't to ensure the email is trustworthy, it's to ensure the email was meant to come from example.com. The folk ignorant enough to trust spam aren't going to know enough to ever realize or care about SPF or any other measure put in place. They are going to click it regardless. But at least now, those of us who aren't vying for Darwin Awards will have another tool in the arsenal of cutting the volume of what we are receiving and have absolutely no intention of ever clicking.

Nah, dumb idea....

[King_TJ]

In my experience, many of the people clueless enough to respond to some spam email are also the ones who wouldn't understand the reply that came back to warn them of their behavior.

(Heck, you wouldn't believe how many people I've had to help out, because a free version of their Windows anti-virus software expired, and they couldn't figure out what to do with the windows popping up to tell them they needed to download the newer version. They thought that stuff meant their anti-virus "broke" because they got a virus!)

Dumbass idea, man

[Eggplant62]

Sending more spam in the name of eliminating spam is not eliminating spam. It's still creating a mess on people's email servers and personal computers, and storage for much of it adds up, especially at the server level. How about we simply improve our educational system and teach marketing majors a bit more about business ethics and ethical advertising?

Re:Dumbass idea, man

[gurps_npc]

This isn't spam. It LOOKS like spam. But just as spam looks like a legitiamte message, but isn't, this looks like spam but isn't. It is a message from your BOSS. What you want to do is to force everyone, even those of us smart enough to ignore spam to take meaningless, boring classes about things we already know. As others said, it is targetted training. It is carefully and SUPERBLY designed so that those that don't need the training are not bothered by it. But those idiots that need it, get the training.

Re:Dumbass idea, man

[vagabond_gr]

I'm really surprised that phishing and viruses are confused with spam, they are very different things:

- viruses/phising: really "dangerous" messages. Opening them might lead to a comprimised bank account, PC, etc. In this case fake viruses/phising emails might help, educating people not to open such emails.

- SPAM: useless but harmless messages that are merely an annoyance to 99.9% of people. The problem is not opening such emails but the mere fact that you receive them. If someone opens spam then he might be actually interested in the advertised products, which is not bad, the problem is only that the same email is sent to thousands of people who are not. Sending fake spam to educate people not to open spam is just stupid. I don't think spam has anything to do with this article, the word has been just incorrectly used.

Re:Dumbass idea, man

[Ajaxamander]

The point isn't to eliminate spam TODAY, the point is to eliminate spam TOMORROW. If people who don't understand that it's a scam are taught that it is a scam, then there will be fewer of them. What better way to improve spam/scam education than to target it to those who need it most? The fewer suckers^Wtargets there are, spam becomes a lot less viable of a business model.

I find your complaints (and, frankly, suggestions) myopic. You can teach ethics all you want, but the basics of human nature show time and time again that it's not guaranteed to stick.

Re:Dumbass idea, man

[PitaBred]

Spam is in the eye of the beholder... hell, look at how many marketing emails that people request are subsequently marked as "spam" because they no longer want them, not because they somehow magically turned from "good" to "spam".

Besides, we're talking about companies sending these fake messages to their own employees, a local, controlled list. If it's your own network, it's not spam. It's an approved, system-wide message. Get off your high horse.

Re:Dumbass idea, man

[Mr.+Underbridge]

Go back to my original response and read the first sentence again: Sending spam to eliminate spam is not eliminating spam. If that's too overly simple for you, I don't know of any other way to get the point across.

That's a great sound bite for an audience with an IQ of about 80, but it doesn't hold up to analytical rigor. If you decrease the spam response rate, you make spamming less lucrative, and you have fewer spammers.

That's still pretty simple, even for sound-bite based logic such as you seem to prefer.

Awful

[mtrachtenberg]

This idea is awful for the same reasons that I don't want the local police department entering my home to show me how easy it is to pick my locks.

The idea smells of John Ashcroft appointees.

Phishing side-effect

[paulthomas]

Let me get this straight -- we should suggest to people who are highly credulous that there is the possibility that they might receive legitimate email from "suitably important-looking government address"?

That will never cause bigger, more successful phishing scams.

not a tech problem - it's a PEOPLE problem

[petes_PoV]

> It is a technological problem,

No.

Spam persists because a tiny (absolutely, infinitesimally small) proportion of the recipients actually respond to it. Whether that's due to stupidity, greed (oooh - I might get something for nothing), boredom, accident or simply curiosity (hmm, I've never replied to SPAM before, I wonder what happens).

The costs of sending it are so low, that it is still worthwhile, providing there's one idiot in a million who takes the bait.

How do you cure this people problem? I don't know. Even if you spend you whole life telling children not to put dirt in their mouths, some still will. You'll never get rid of spam until all the dirt-eaters and spam-responders get a dose of common sense, and that'll never happen.

Re:not a tech problem - it's a PEOPLE problem

[Chyeld]

Disease is a biological problem. You can't eliminate disease from the world using a purely technological approach.

However, if you have an internet connection to post to /., then chances are good that you and I both have living conditions that are far far more livable and comfortable thanks to the fact that people did use technology when it was possible to prevent what could be prevented and aliveate what couldn't.

You and I get the flu, pneumonia, or even TB, we are likely to live through it. That wasn't the case in 1809 or even 1909.

Spam is not a purely technological problem, you are right about that. But it's also not completely divorced from technology, and there are plenty of things out there that could be done that would cut down on the volume and the 'sting' of spam. Someday, I hope we implement them.

Actually, ...

[hummassa]

to go right with your metaphor, the "condom police" picks up a girl/guy in a bar, takes s/he to a hotel room, asks if they can go bareback, s/he says yes, receives a fine and a slap on the wrist (possible mandatory safe sex lessons) and goes home. Seems sensible to me.

Re:actually, this works fairly well.

[philspear]

my school district did the same thing, and it works great.

Really? Sounds ridiculous to me.

Sounds to ME like there's a testable hypothesis here, which someone should think about testing rather than just saying it SOUNDS ridiculous.

A couple of corrections

[pikine]

Your post advocates a

( ) technical ( ) legislative ( ) market-based (X) vigilante

Sending out spam to counter spam is bringing justice by breaking a law.

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses

(X) Mailing lists and other legitimate email uses would be affected

These mailing lists as well as end users would have to deal with additional volume of spam.

( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

(X) Laws expressly prohibiting it

( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes

(X) Eternal arms race involved in all filtering approaches (you need to compete with spam filters)
(X) Extreme profitability of spam

( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians

(X) Extreme stupidity on the part of people who do business with spammers (they never learn)

( ) Dishonesty on the part of spammers themselves

(X) Bandwidth costs that are unaffected by client filtering (you're adding to the volume of spam bandwidth)

( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored

(X) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks

( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:actually, this works fairly well.

The person just told you it worked and you reject it anyway!? It's stubbornness like yours that prevents simple solutions like the one the article proposes from even being considered.

Its unfortunate how this problem has been labeled "impossible" and now slashdotters spend enormous energy to explain why "No spam solution will ever work.", but its all BS from the pseudo experts. The fact is that not much has even been tried. Its like the misguided fools who say you can't find every bug in a program. Of course you can, you silly fool. Don't project your failures on the problem itself!

The simple solution to spam is to require intelligent throttling of all email coming from downstream internet connections. Noncompliance results in blocking. And yes, you could resolve a number of other problems, like zombie DoS bots, with this simple and obvious solution.

Yes, this would require ISPs to actually show some responsibility and to actually communicate with their peers and customers, but it would work. Its not too hard to find the sources of spam and block it if everyone does their part. But ISPs aren't doing their share because they've built the $9.95 a month business model that does not budget for responsibility. Screw them. They can go bankrupt and maybe internet will cost $11.95 a month but at least somebody will answer the phone.

The top level ISPs can implement this solution by policy alone and that is all you need because the policy can be required to be applied downstream by contract.

Of course, stupid people will flail around trying to explain why this won't work. I might even get the "Why your Spam solution won't work" form filled out for me by some loser script kid, but you know, it really isn't funny anymore.