Could Fake Phishing Emails Help Fight Spam?

← Back to Stories (view on slashdot.org)

Could Fake Phishing Emails Help Fight Spam?

Posted by Soulskill on Monday February 2, 2009 @02:50AM from the hello-sir-madam dept.

Glyn Moody writes "Apparently, the US Department of Justice has been sending out hoax emails to test the security awareness of its staff. How about applying a similar strategy to tackling spam among ordinary users? If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary. The system would be cheap to run — spam is very efficient — and could use the latest spam as templates."

28 of 296 comments (clear)

Seriously? by jeffasselin · 2009-02-02 02:54 · Score: 4, Insightful

The spam problem will not be solved with laws or pretty tricks like this.
It is a technological problem, and as such will be solved by technological changes: the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.

--
If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
1. Re:Seriously? by characterZer0 · 2009-02-02 03:04 · Score: 4, Interesting
  
  Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?
  
  --
  Go green: turn off your refrigerator.
2. Re:Seriously? by oldspewey · 2009-02-02 03:09 · Score: 4, Interesting
  
  There are advantages to thinking of (and addressing) spam as a social problem rather than a technological problem. For starters, treating it as a technological problem leads to an arms race mentality in which spammers are continually driven to "outsmart" technological safeguards as they are developed.
  Personally, I have no problem with an approach in which "purchasers" (in other words, anybody who responds to spam in any way) are exposed and educated by any means necessary ... with education consisting of an escalating series of measures until the recipients finally comprehend just how fucking stupid their actions were.
  
  --
  If libertarians are so opposed to effective government, why don't they all move to Somalia?
3. Re:Seriously? by caffeinemessiah · 2009-02-02 03:12 · Score: 4, Insightful
  
  Let's replace it with something that authentifies sender and receiver properly, and that allows for efficient transmission of binary data.
  Sigh...it's so tiring to hear people on /. say things like "it's a technological problem" about spam. Do you know how easy it is to get a personal digital certificate from Thawte? Fill out a few forms, download your PKCS certificate. What's to stop your sooper-dooper anti-spam system if you can authenticate a spammer? Remember, if you can legitimately receive an e-mail message from ME (a stranger to you, presumably), you haven't "solved" spam. If you can't legitimately receive an e-mail message from me, I can't tell you that I'm your long-lost twin brother (i.e. your email system is then useless).
  
  --
  An old-timer with old-timey ideas.
4. Re:Seriously? by IBBoard · 2009-02-02 03:16 · Score: 4, Insightful
  
  If the zombie box has username/password on a legit account (or whatever the authentication is) then no protocol will help. It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem). I don't think anything can solve the "spammer signs up for asdfghjkl.com and starts sending email through that server" spam.
  I don't see how this'll help, though.
  1) The people who fall for this won't actually learn until they're actually stung, not just an email that says it is from a government agency
  2) Chances are they'll probably be more suspicious of the 'Government Agency' email than the "get stuff cheap" email because they're interested in getting stuff cheap, but why would they get an email from the Government
  3) Spam is spam is spam
  4) Spammers/phishers will piggyback the Government emails, clone them and send out similar emails saying they'd been caught by one of these traps, so go to [insert site]
  5) Despite what I said in 1), some of these people will never learn (see the people who get conned out of thousands of £/$/etc)
5. Re:Seriously? by Elledan · 2009-02-02 03:20 · Score: 4, Insightful
  
  How is this a technological problem? How is a user failing to properly read and/or comprehend that the email he or she just received is trying to scam him/her out of money or (personal) information or worse a technological problem? What if a user gets infected by a virus/trojan/worm/rootkit because he had to click on the executable attached to the email received from either a stranger, or from a person who would never send such an email (at least not unannounced)?
  
  Spam is a matter of social engineering, of convincing someone to buy a product, give out information or click on a random executable, even though every rational fibre in that person's body should warn against doing so. Yes, using something more robust than SMTP would help, but it's no cure against stupidity and botnets.
  
  I like this initiative, I just wish it would target those who are already at risk of 'stupid-clicking' instead of those with more than one braincell. It's disappointing that those who do respond to spam emails (twice or so...) don't get taken out of the gene pool either :(
  
  --
  Site & blog: http://www.mayaposch.com
6. Re:Seriously? by CompMD · 2009-02-02 03:28 · Score: 5, Funny
  
  The real solution is to simply tell all respondents that they have won an all expense paid vacation. Send them some fake e-ticket to print out and tell them where to go, and then just put them all on a rocket to the sun. Problem solved.
7. Re:Seriously? by B3ryllium · 2009-02-02 03:36 · Score: 5, Funny
  
  "Congratulations! By responding to this test email, you've received an IRS coupon for a FREE TAX AUDIT. Enjoy!"
  That's one way to teach them. Granted, it's a bit Pavlovian, but ... if it works, it works.
8. Re:Seriously? by IBBoard · 2009-02-02 03:42 · Score: 4, Funny
  
  You mean it'll make people salivate for food at the sound of a bell if they get a tax audit? Now that's some crazy conditioning!
9. Re:Seriously? by Hordeking · 2009-02-02 03:59 · Score: 4, Funny
  
  Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?
  RFC 3514 does propose a solution to this sort of thing...
  
  --
  Disclaimer: The opinions and actions of the US Gov't are in no way representative of those held by this author or its ci
10. Re:Seriously? by Cthefuture · 2009-02-02 04:04 · Score: 4, Informative
  
  It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem).
  Note there is already a system for doing this. It called the Sender Policy Framework (SPF) and uses DNS records to tell mail servers which machines are allowed to send mail for your domain.
  This is not a perfect system though because often there is a legitimate need to use a different e-mail domain address than where your mail came from (eg. forwarding, etc). For that reason it doesn't appear that many mail servers are configured to check SPF records.
  At the very least it seems like they would be good for pre-tagging SPAM (ie. still deliver it but add something to the header that says it could be spam).
  
  --
  The ratio of people to cake is too big
11. Re:Seriously? by 1u3hr · 2009-02-02 05:23 · Score: 4, Insightful
  
  The problem with spam is that there is no accountability. If you can't find the guy who sends the mail, you can't punish him,
  Most spam is motivated by profit: trying to sell something to the recipient. There is therefore a money trail. Law enforcement could simply respond to a small proportion of spam and track where the money goes, and then prosecute for fraud, selling unregistered drugs, tax evasion -- it;s a good bet they are breaking some existing laws, no new "cyber laws" are needed. But they don't because governments really don't care about it. Each spam is a fleabite, and below the threshold for which they take action (I've heard at least $5000 for the FBI). And various business lobby groups have made sure that there are plenty of loopholes so their marketing material can get through.
  My point is that they CAN find the spammers. They don't even try. Slashdottes foam at the mouth and talk about lynching. We imagine the rest of the world shares our hatred for spammers. But really, most people don't care. Governemnt leaders don't care, if they use email at all it's filtered by their staff and they never see spam.
12. Re:Seriously? by Ironica · 2009-02-02 06:20 · Score: 4, Insightful
  
  I'm not a kernel developer, but every mailing list to which I once subscribed moved to web based forums, which I find much, much more convenient to use. I think mailing lists are a relic which some are reluctant to give up, and I'm sure there may be good reasons for that. I just don't know what they are.
  Here's some of the reasons I prefer my mailing lists to forums:
  * I don't have to remember to go there; it comes to me.
  * I KNOW what I've read already.
  * I can set up filters to mark my own "posts" as read automatically, to delete posts from people I'd rather not hear from, to flag items with particular subject lines, etc.
  * Thunderbird has a good search tool. Online forums often don't, and it's luck of the draw whether they do or not.
  * If the internet is down, I can still find that post that tells me how to do what it is I want to do right now.
  * I can (with the original poster's permission) forward all or part of a message to an individual or another list.
  * I can (with discretion and an x-post note) post the same text to multiple lists at the same time.
  I'm sure there are other reasons, but those are the reasons I've advocated against email lists I belong to switching to online forums. Since most of them are Yahoo groups, though, people *can* read them as web forums if they want to instead.
  
  --
  Don't you wish your girlfriend was a geek like me?
Nah, dumb idea.... by King_TJ · 2009-02-02 02:54 · Score: 4, Insightful

In my experience, many of the people clueless enough to respond to some spam email are also the ones who wouldn't understand the reply that came back to warn them of their behavior.
(Heck, you wouldn't believe how many people I've had to help out, because a free version of their Windows anti-virus software expired, and they couldn't figure out what to do with the windows popping up to tell them they needed to download the newer version. They thought that stuff meant their anti-virus "broke" because they got a virus!)
actually, this works fairly well. by gandhi_2 · 2009-02-02 02:57 · Score: 5, Informative

my school district did the same thing, and it works great.
It's the best form of targeted training. Only those who fall for shit like this get a lesson, and follow-up fake scams had a MUCH lower success rate.

--
THL phish sticks
Dumbass idea, man by Eggplant62 · 2009-02-02 02:58 · Score: 5, Insightful

Sending more spam in the name of eliminating spam is not eliminating spam. It's still creating a mess on people's email servers and personal computers, and storage for much of it adds up, especially at the server level. How about we simply improve our educational system and teach marketing majors a bit more about business ethics and ethical advertising?
1. Re:Dumbass idea, man by Ajaxamander · 2009-02-02 03:30 · Score: 4, Insightful
  
  The point isn't to eliminate spam TODAY, the point is to eliminate spam TOMORROW. If people who don't understand that it's a scam are taught that it is a scam, then there will be fewer of them. What better way to improve spam/scam education than to target it to those who need it most? The fewer suckers^Wtargets there are, spam becomes a lot less viable of a business model.
  
  I find your complaints (and, frankly, suggestions) myopic. You can teach ethics all you want, but the basics of human nature show time and time again that it's not guaranteed to stick.
Been there done that. by Lumpy · 2009-02-02 03:03 · Score: 5, Interesting

I did that back in 2001 to the sales force at Comcast. we in the IT department formed and sent a email with a exe file payload. when ran it reported back to us who opened it and pooped up a message on their screen that said, "IF I WAS A REAL VIRUS ALL YOUR FILES WOULD BE DELETED"
we sent it from outside the company with a yahoo.com address
85% opened and ran the attachment. we used this as a part of our It education to our users. after the classes that month we repeated it 45 days later.
we had a 90% opening rate this time. you really can not teach the users. Most people who are not IT professionals dont care. If they hose their own computer they dont have to fix it, you do.
The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.

--
Do not look at laser with remaining good eye.
1. Re:Been there done that. by u38cg · 2009-02-02 03:08 · Score: 4, Interesting
  
  There was also that university that sent all their students an email to warn them about phishing. Included in the email was a typical phishing text, along with comments on style and grammer. I think the guy that sent it out got something like forty or fifty usernames and passwords back.
  
  --
  [FUCK BETA]
Your post advocates a.... by mindstorms · 2009-02-02 03:05 · Score: 5, Funny

Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

--
Fighting ignorance with ignorance.
Re:it's already in use... by ericspinder · 2009-02-02 03:08 · Score: 4, Informative

And it's called more exactly honey-pots.
Actually, honey pots are more about collecting spammer addresses, not identifying their targets.

--
The grass is only greener, if you don't take care of your own lawn.
Phishing side-effect by paulthomas · 2009-02-02 03:10 · Score: 5, Insightful

Let me get this straight -- we should suggest to people who are highly credulous that there is the possibility that they might receive legitimate email from "suitably important-looking government address"?
That will never cause bigger, more successful phishing scams.
Self identification might help zombies by goombah99 · 2009-02-02 03:33 · Score: 4, Interesting

The "good" spam is sort of like a public education campaign about STDs. It's part of a well rounded solution in raising public awareness. Your's may not need raising but you will benefit if the awareness of others' is raised so put up with it.
Now then there's the post infection detection problem. We could take a simmilar approach of turning a bad thing to our advantage. Presumably these Zombie bots try to hit a series of predefined URLS to announce their availability. Once some of those are known, when not sieze them and use them to get infected computers to self-identify then notify the owners or if unresponsive their ISPs?
That would not cure all infection. But there is a well known principal in medial virus infection called the R-factor and that is the minimum number of infections needed in a population before the disease becomes self sustaining or growing in infections. We don't have to eliminate all zombies before we reach a point where the infection rate is highly damped.

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re:Self identification might help zombies by oldspewey · 2009-02-02 03:55 · Score: 4, Funny
  
  Now that's what I call a stimulus package!
  
  --
  If libertarians are so opposed to effective government, why don't they all move to Somalia?
Infotainment by freedumb2000 · 2009-02-02 03:42 · Score: 4, Interesting

If anyone really, the media (TV, print ect.) should step in and educate. I bet if Regis did a bit on some common sense ways to spot and avoid spam and phishing, that I am sure would go a long way to educate the average joe/mom about the dangers. Or a 60 minutes on Spam. A bit on MSNBC. I column in a monthly rag. In my experience people are very curious and/or afraid of getting infected or spammed and enjoy any helpful information that they can put to use right away to protect themselfs.
Proposed Name for Fake Phishing by srussia · 2009-02-02 04:26 · Score: 4, Funny

Catch-and-Release

--
Set your phasers on "funky"!
Re:Actually, ... by hobbit · 2009-02-02 04:27 · Score: 4, Funny

No, because your metaphor doesn't take account of the fact that the proposed solution causes a lot of spam to be sent.
It's more like that the condom police just have sex with you bareback, and afterwards they say "okay well this time it was just genital warts... next time it might be AIDS".

--
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
A couple of corrections by pikine · 2009-02-02 06:07 · Score: 4, Insightful

Your post advocates a
( ) technical ( ) legislative ( ) market-based (X) vigilante
Sending out spam to counter spam is bringing justice by breaking a law.

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
These mailing lists as well as end users would have to deal with additional volume of spam.

( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(X) Laws expressly prohibiting it

( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches (you need to compete with spam filters)
(X) Extreme profitability of spam

( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers (they never learn)

( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering (you're adding to the volume of spam bandwidth)

( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
(X) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks

( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

--
I once had a signature.