Security Firm Creates Chatbot To Respond To Scam Emails On Your Behalf

An anonymous reader shares a report: Chatbots. They're usually a waste of your time, so why not have them waste someone else's instead? Better yet: why not have them waste an email scammer's time. That's the premise behind Re:scam , an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time.

An interesting tactic

[Baron_Yam]

Anything that increases the cost of spam scams relative to the returns is worth investigating to see if it's practical, because ultimately you have to attack the economics to kill the beast.

I'd actually like to see this run on my local system, though.

Re:An interesting tactic

Interesting yes, but is there a bingo night?

Re:An interesting tactic

[boudie2]

Unless of course they end up selling your email addresses to spammers. What guarantee do you have that they won't? Or someone hacks them. Or a "rogue employee". This is 2017, you can't take anything at face value. Even though plenty do.

Re:An interesting tactic

Plus, if the spammer actually gets a reply, how do you know they don't send you on to their friends or mark the address as a "known good" address or a "possible sucker" address. Or heck, lots of the early emails are probably computer generated, so what you really get is bots replying to bots.

Re:An interesting tactic

[gnick]

What guarantee do you have that they won't?

None, but it doesn't seem likely. Unless there are buyers looking specifically for the demographic of people that would forward spam to anti-scammers, there are much easier ways to harvest e-mail addresses. Any group that you share your email address with is subject to the risk of hacks or "rogue employees". We all set our own threshold for risk when we decide where to disclose our personal information. Developing a chat bot designed to frustrate scammers in an effort to collect data to sell to those scammers just seems like too bizarre a business model to worry about. Nothing to do with whether I trust them or not.

Re:An interesting tactic

[gnick]

The summary says that they'll reply using a "proxy e-mail address". TFA gives little details and I'm not going to explore their site at work. It's not clear whether there will be enough information in Rescam's reply for the scammer to identify where the original message was sent. Is it common to include your target's information in the body of your initial scam invitation?

TFA does acknowledge that their efforts will result in a lot of bots talking to other bots.

Re:An interesting tactic

[boudie2]

How many things happened in the last year that "didn't seem likely" or were "too bizarre"? They could be 100% honest, but when someone says "Here, I'll take care of that for you." beware.

Re:An interesting tactic

Unless of course they end up selling your email addresses to spammers.

Yes, because it would be an absolute travesty if your email address (you know, the one at which you are currently receiving spam) fell into the hands of a spammer.

Re:An interesting tactic

[gnick]

Of course, an event being unlikely to occur does not guarantee it won't. But I decide on my actions based on perceived likelihood. If I think there's a 99% chance that Rescam will sell my email address to scammers, I won't use them. If I think there's a 1% chance (I think it's lower), I'll be much more inclined to use them. You can't go into every situation you encounter planning on the worst possible outcome, however unlikely. Well, you can, but I don't; you do you.

Re:An interesting tactic

[boudie2]

Just saying be careful. Lots of pitfalls out there. Can't remember the last time I was 99% sure of anything.

Re:An interesting tactic

Anything that increases the cost of spam scams relative to the returns is worth investigating to see if it's practical, because ultimately you have to attack the economics to kill the beast.

I'd actually like to see this run on my local system, though.

Until it gets too effective, and then the scum band together to stamp it out.

Re:An interesting tactic

[gnick]

Can't remember the last time I was 99% sure of anything.

When I left for work this morning, I was 99%+ sure I'd make it to work alive. Not 100% sure, but sure enough to take the risk. I'm less sure that Rescam wouldn't sell my email address, but still beyond 99% because it makes that little sense to me.

Re:An interesting tactic

[boudie2]

Good luck and bon voyage on your drive home. Hope you didn't jinx yourself.

Re:An interesting tactic

[Aighearach]

how do you know they don't send you on to their friends or mark the address as a "known good" address or a "possible sucker" address.

That's a feature, it makes it like a virus!

Re:An interesting tactic

[Obfuscant]

Is it common to include your target's information in the body of your initial scam invitation?

Of course. With HTML-ized email, it is almost standard practice to include at a minimum a 1 pixel blank image with an encoded URL. You don't see it, but the website logs that you retrieved it. That not only tells them that the email address is valid, but that someone reads the email going there.

And when the question is asked about "selling your email address to spammers", it's not the Re.scam people you need to worry about. It's the spammer who sent you the probe to see if the email address was valid. Getting a response, any response, means the address is. That makes it more valuable to spammers, and they pay for that info.

TFA does acknowledge that their efforts will result in a lot of bots talking to other bots.

Yeah, and you'll be the middleman, forwarding all the spam you are getting to Re.scam so they can validate your email address to the spammer for you, which results in more spam to be forwarded. Aren't you pleased to become a pipeline for these people?

Now ask this: what is the Re.scam business model? Where are they making money? They can't sell ads because nobody thinks sending ads to "bots" is worth anything. Where does the money come from?

Re:An interesting tactic

[tlhIngan]

Anything that increases the cost of spam scams relative to the returns is worth investigating to see if it's practical, because ultimately you have to attack the economics to kill the beast.

I'd actually like to see this run on my local system, though.

There was an older tool that was basically an automated version of FormF*cker. Basically it went to the spam web pages and filled in the forms with crap. After all, back then spam sent you a link to get more information from you, so the tools would fill in the data with plausible looking but crap data.

It apparently worked so well the companies behind it got DDoS'd because it completely corrupted the marketing databases when they realized 90% or more of it was pure made up data. And since a human had to go through it all, it turned the spam campaigns completely useless since they ended up with databases full of useless data.

Re:An interesting tactic

[pr0fessor]

I would say the business model is you freely send them information about Spam you have received so that they can improve security services like a spam filter that they sale but they appear to be a non-profit that receives support from various local and state government departments that they work with so I guess not.

Re:An interesting tactic

How does that seem unlikely? Do you know these people?

Unless you are naive, you have to assume that anybody that you don't know (and a good number of people that you do know) will be willing to stab you in the back for a few bucks. Never forget that.

I tried to check the Re:scam site, but it just comes up with a blank page that says "Re:scam" in the centre. I wanted to see if they offered this email chatbox and source code for download or if they want it all going through them. If it's the latter, then they certainly do have an ulterior motive for monetizing your data.

Re:An interesting tactic

[gnick]

Unless you are naive, you have to assume that anybody that you don't know (and a good number of people that you do know) will be willing to stab you in the back for a few bucks. Never forget that.

I refuse to live like that. Consequences be damned.

Love the idea

[joshtops]

We need more of such ideas.

Re:Love the idea

A voice chat bot like this on the phone system? *666 and some bot can talk about all my detected viruses and overdue tax problems

Re:Love the idea

How about a bot that responds to credit card phishing with fake credit card info? Especially if the CC companies can recognise these as poisoned?

Similar for other kinds of phishing.

Re:Love the idea

[pr0nbot]

Sir,

I am having many!! such ideas. In fact I have been a succesfull businesman more than 23 years and am in possession of a substantial!! quantity of monies. But, unfortunately I, am most Sorrowfully in dispute with the Ghanaian tax authorities who have frozen my accounts. However my esteemed solicitor, Dr Goodlove Simons III has assured me that through the payment of a fine of no more than $250US I will be able able to transfer these monies with much expeditiousness to an overseas bank account. I am prepared to offer a reward of $2500 in exchange for your immediate trnafser of $250US to the following account: IBAN002300203 Acct holder Ghanaian Tax Authorities, Apt 3b Rhodes House N2389 Lagos, Nigeria

In anticipation of your excellent assistance, and with many!! thanks, Rev Alfons Dauphine

Re: Love the idea

That already exists, HI It's Lenny https://toao.net/595-lenny

I did something like this some time ago and...

[CustomSolvers2]

... got quite surprised with the persistence and poor-understanding skills of some spammers/scammers. I was doing it manually and just for fun (+ kind of contributing to reduce crap). I think that this was one of the first times when I realised about how deep stupidity can go. Although I prefer the current much-clearer-ideas myself, some times I kind of miss those moments when I was still expecting other outputs rather than stupidity always remaining stupidity.

Re:I did something like this some time ago and...

[hankwang]

Did you post your correspondence here? http://www.419eater.com/

Re:I did something like this some time ago and...

[CustomSolvers2]

No and I should definitively have done it. All this happened some years ago, but this site has been running since 2003!

Skeptic

The skeptic in me says that this is a great way to harvest legitimate e-mail addresses for a future purpose.

Re:Skeptic

[Baron_Yam]

True - that purpose being to feed it into a system that doesn't trigger the spam responder system.

It's an arms race.

Re:Skeptic

[Aighearach]

It may be that figuring out what the email addresses are is not the hard part of scamming.

Re:Skeptic

[BlacKSacrificE]

This was my first thought. A great way to demonstrate your email address is valid and being used, and that the person on the end of it is a "rube" who will engage, thus making your address even more of a target. Pass.

Automation ok?

[duke_cheetah2003]

Can I program my mail system to automatically forward spam?

Re:Automation ok?

Can I program my mail system to automatically forward spam?

Do you want SkyNet? Because that's how you get SkyNet.

Re:Automation ok?

[thewolfkin]

Can I program my mail system to automatically forward spam?

Um.. .yeah of course. It's trivially easy.

Re:Automation ok?

[Obfuscant]

Um.. .yeah of course. It's trivially easy.

If it were so trivially easy then I wouldn't still be getting spam and there wouldn't be valid emails showing up in my spam filters.

It is trivially easy to automate forwarding of email, that is true, at least for some email systems. What is hard is perfect detection of what is and is not spam. I doubt your friends would appreciate getting some chat-bot response to an email they send you that was improperly classified.

Re:Automation ok?

[apoc.famine]

Sometimes hard to believe that this used to be a tech site which had the tagline News for Nerds.

Re:Automation ok?

[HiThere]

The problem is false positives. Otherwise it's trivial on any decent email system. But the false positive problem can be significant.

Jolly Roger

See: http://www.jollyrogertelco.com/ . Keep telemarketers on the phone talking to a bot.

Re:Jolly Roger

[real_b0fh]

love it!

spam the spammers

[FudRucker]

just start replying using lots of fake email addresses and sending them what starts out as clear readable text that quickly degenerates in to nonsense like lorem ipsum or something like that

Brilliant idea

[ilsaloving]

The only reason these phishing scams work is because they are so low effort on the part of the scammer. You just vomit spam and then handle the responders.

This idea will turn the tables on them by making them do the same thing they're trying to do to others. Of course, it will turn into a cat and mouse game as the scammers figure out what's going on, and implement a cheap test to weed out the automation as quickly as possible.

Of course, then I wonder if the scammers will start automating their own responses... it'll be like watching cleverbot talk to itself.

Re:Brilliant idea

[goose-incarnated]

These Nigerians are barely computer literate and barely literate at all. They will struggle to pass a Turing test themselves. I think that even Eliza level chatbots will fool them. The idea is that they will have to manually sift through thousands of emails per day to find the real mark, and I think that this idea will work.

Re:Brilliant idea

[Obfuscant]

The idea is that they will have to manually sift through thousands of emails per day to find the real mark,

If Re.scam is to engage them in an ongoing conversation to waste their time, then Re.scam must use a valid, replyable email address. The "proxy address" that the summary refers to.

If you and I can filter email based on a domain, why don't you think that a spammer can do that, too? Especially spammers who don't care what your email reply is, they're looking for you to visit their website to order their scam products or log in or whatever?

Re:Brilliant idea

This "proxy address" worries me. NetSafe get MY valid email from the forward (concerns about data collection, NZ in 5-eyes, how long before they get Yahoo-hacked, etc), the spammer sees a reply not from the address they had originally sent to. Why would the spammer, even one with an IQ lower than a brick, engage with a different reply address? If re|:spam, re|;scam or whatever explain this part of the operation, maybe it can be a useful tool in the battle against spam.

Re:Brilliant idea

[Gussington]

These Nigerians are barely computer literate and barely literate at all.

So where do they get their list of email addresses from? And how do they send bulk email (since any mail relay known for spam would be blacklisted immediately).
There's clearly some smarts in the equation somewhere...

Re:Brilliant idea

[Obfuscant]

Why would the spammer, even one with an IQ lower than a brick, engage with a different reply address?

How do you know what email address will appear in a reply to something you send someone? If you think it will always be the address you sent the email to, then let me introduce you to the concept of "email forwarding service", such as those run by IEEE, ACM, ARRL, and thousands of other organizations and companies. I have an email address at all three of the ones I listed, plus a dozen more, and I am likely to reply using a completely different address if I do reply. It's more effort to change my outgoing email address than it is often worth.

Even without such a service, many email providers (like corporate ones) have multiple domain names that all route to the same mailboxes, with just one of them on outgoing email.

Since the goal of the spammer is often just to validate the recipient's address, having Re:scam reply on your behalf accomplishes that. Even if the main goal is not just validation, any reply can help the spammer. Given that a lot, if not most, spam these days is trying to get the victim to buy something at a website, the reply will not start an exchange and not waste anyone's time. The reply address is either completely invalid, or will be used only to scan for addresses to validate. After validation, the recipient's address can be sold as valid and the amount of spam goes up, not down.

Chatbot to Chatbot?

[ripvlan]

I thought that many of the chat scams are via chatbots already. So won't this be like Google Go AI playing Google Go AI ?

That'll be the future of the internet. A bunch of angry AI bots battling it out in a deadly embrace. That will be how the world ends !!

Re: Chatbot to Chatbot?

So replace humans with bots and nothing will have changed? Just a bunch of non sentient creatures yelling at each other

Cat Facts

[Hal_Porter]

Someone needs to do a Cat Facts bot to keep spammers busy

https://www.reddit.com/r/AskRe...

email DoS

[kiviQr]

Like that will lower the spam sent.... That sounds more like distributed email DoS.

Re:email DoS

[Aighearach]

Right, but it is the human scammer who is the point of failure being DoSed. When you say "email DoS" you make it sound like the email system is being DoSed, which would be bad. But that isn't the case.

Facebook needs this

Scamming is a huge "industry" on social media. The worst part is, there are various tactics that could be automated to detect and ban (or occupy) the people involved in it.

They all use the same stock images of celebrities, the same love-letter copypastas, and if facebook can snoop enough to link a privacy-aware hooker with her clients, it can sure as hell figure out who's logging in with 20 other people in a cafe in Nigeria.

They will continue to rake in tens of millions every year (low estimate) for one simple reason: facebook doesn't care. Neither does anyone else in the industry.

The bot is more coherent than the scammer...

[wardrich86]

Holy fuck - the bot is actually more coherent than the scammer.

Re:The bot is more coherent than the scammer...

[apoc.famine]

Way more coherent. I went and looked after seeing your comment, and I'm really surprised. I've had emails back and forth with customers who were less coherent than that.

Problem with this idea is,

Most often the sending and reply to addresses are spoofed, and you would be "entertaining" the wrong party.

I was one of the early internet vigilante Paul Vixie Spam Fighters. I spent hours researching each turd that landed in my inbox and complaining to all the site hosting and system operators connected with the tripe.

I discovered that besides getting my name on a spammers black list there was no gain, my hours spent were squandered as the vulnerable spammers quit sending me crap new spammers sprung up or older spammers got smarter, A zero gain the turdlets still found their way to my box.

In the end the laws and system policies that are supposed to protect me don't, just like my phone number on the "National do not call list" protects me from robo-callers.

The bitter end is the scammers/spammers have money to lobby legislation and I have none to spend on a problem I should not have.

So to preserve my mental health and prioritize my time my only option is to hit the delete button. The services I pay for have already been hijacked for someone else's profit, if I add any extra effort beyond using the delete button it only increases the cost to me without any satisfaction or gain on a solution.

Given the uncertainty of the sender or reply to address I cannot be a party to adding to the problem by sending garbage replies to an unconfirmed and possibly innocent address. Wasting my time and someone else's time, wasting my time complaining about someone else's waste of resources I pay for, is a waste. There is no win.

If I get a human on my phone I at least get the satisfaction of asking some sorry looser why they are calling a number that is posted on the national do not call list!
This I know is a real burden on the scammer and I can derive some measure of satisfaction from tying up their equipment and irritating a human and wasting their time (while they waste mine). Sending email replies is not the same and the cost to the asshole is much less than tying up a phone line and wasting an operators time.

Re:Problem with this idea is,

[Aighearach]

You seem to lack comprehension. If they don't provide a usable contact, it wasn't a real scam, it was just a mistake spam.

As regards your past activities, you were part of a distributed effort. You had no information as to the number of people attempting to be spammers, or how many messages they were sending. So you had no way of knowing if your efforts should be expected to decrease the number of spams in your box, or if it would decrease the overall number in a way you can't detect, or if it would slow the rate increase.

It is not really any surprise that when your own lessons learned are lessons based on ignorance you end up with a nihilistic result.

Pointless, just a way to harvest email addresses

This is just a way to harvest good email addresses so what are they going to do with the address once they have them?

This would be pointless.
The bulk of spam I receive has spoofed or obviously invalid sender addresses or my own address as the sender in the header.

They rely on web bugs, clicking on or opening malicious content.

For your consideration.
www.419eater.com/html/
I used to have an acquaintance a few years back who was basically an honest person but with the heart of a larcenist and confidence man.
He derived an enormous amount of sadistic pleasure messing with these people. He would spend hours replying to emails string them on for as long as he could.
Telemarketers were like crack or heroin to him. He had a solid gold tongue for bull shit. He would gleefully torment telemarketers trying to see how long he could keep them on the phone.
The best part was he could do several convincing vices like different old ladies, old men, little kid, teen age girls and cartoon characters voices.
Listening in on his calls were historical. We would sit in 1 room with the speaker phone on mute while he did his thing in another room some of the best entertainment ever.

Terrible Idea

Any response (from any address) confirms to the spammer that the email account they sent to exists and is being read. Using a service like this will result in you getting more spam, not less.

Similar: https://spa.mnesty.com/

[akeeneye]

Forward your spam to sp@mnesty.com . Hilarity ensues, once in a while (low response rate).

This is my new favorite thing

[roc97007]

Now if we could get our spam filters to automatically route spam to the spambot, we'd really have something. Either a significant number of spammers would go out of business, or the universe would enter a recursive sequence and pop like a balloon.

Not sure

[nospam007]

In the day, we got chewed up when we mailbombed the scammers, is it OK now?

Why are phiching emails not blocked

[Stan92057]

why is google delivering phishing emails?? they are sent to the LOL spam folder. well that's DELIVERING the email, why? I have reported 1000s of phishing emails to google email and ya know what they do? they put a stupid tag on it this MAY be phishing scam instead of just deleting it or allow us users to truly BLOCK an address or domain. i get tons of .jp phishing emails why cant we block them and by block i mean delete so it never getting into any folder ya ask me google in league with these phishing scammers by delivering them. when anyone blocks an email address with gmail its just moved to the spam folder that's not blocking.

Re:Why are phiching emails not blocked

[rot16]

You can set up filters according to tags or domains. Why are you even on /.?

Always thought this was the way to fight this stuf

[Solandri]

Lower the signal to noise ratio.

• For scams, as in TFA.
• For spam, don't just block it. Everyone's spam filter should reply to every spam email they get. If a spammer gets one reply per 10,000 spam emails they send, well now they have to dig through 10,000 fake replies to find each real one. If the spammers start wising up and blacklisting your email, well problem solved. They're not sending you spam anymore.
• For sites that harvest your browsing data, pollute their data. Don't just block their cookies. The cookie they leave on your computer should be duplicated on a bot built into your browser which visits hundreds or thousands of random sites in the background per hour. Good luck to the harvester trying to pick out which sites you visited vs which ones the bot visited.
• For malware that tries to copy your contact list, security software shouldn't just block it. It should hide your real contact list, and generate a fake one in its place populated with random names and email addresses. The malware should be allowed to copy the fake contact list.

etc.

So, James Veitch replaced by a robot?

[Walt+Sellers]

I guess James will have to shift to making videos about being replaced by robots....

Re:Always thought this was the way to fight this s

[SigmundFloyd]

Everyone's spam filter should reply to every spam email they get.

No, it shouldn't. The From: address is almost always taken at random from the same database where the To: address came from!

I bet they are using the APK ANN chat bot

I bet they are using the APK ANN chat bot that gets stuck in loops and repeats itself continuously.

Dimwit, when you provide an Intel ME/AMT fix?

See subject: As I have https://linux.slashdot.org/comments.pl?sid=11338175&cid=55522717/ (you'd be useful then vs. being an UNIDENTIFIABLE troll who spews shit about me all day long - you must really HATE yourself & I don't blame you - you're useless & YOU KNOW IT, proving it now again)

Get our /. PEERS to say they like & use your work as they do mine https://it.slashdot.org/comments.pl?sid=11338113&cid=55523291/

I provide a NATIVE low complexity (1 moving part w/ no errors in it proven since 1973 in hosts & my program being "bulletproof & bugfree" to populate hosts) low resource use way to more speed, security, reliability & anonymity online for free!

* What I put up above? A tiny very PARTIAL list only of what I could put out to MY CREDIT in full summation...

APK

P.S.=> ... & you have a 'hardon' for me? I tell it HOW IT IS with "your kind" (truth hurts & YOU don't like it - hence your UNIDENTIFIABLE ac troll bs)... apk

Scamalot ... comedian replies scam emails

[bongey]

https://www.youtube.com/watch?...

Not working

[kristofer.vesi]

I tried to email it, but it haven't responded