Slashdot Mirror


Security Firm Creates Chatbot To Respond To Scam Emails On Your Behalf (theverge.com)

An anonymous reader shares a report: Chatbots. They're usually a waste of your time, so why not have them waste someone else's instead? Better yet: why not have them waste an email scammer's time. That's the premise behind Re:scam, an email chatbot operated by New Zealand cybersecurity firm Netsafe. Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time.

14 of 70 comments

  1. An interesting tactic by Baron_Yam · · Score: 5, Insightful

    Anything that increases the cost of spam scams relative to the returns is worth investigating to see if it's practical, because ultimately you have to attack the economics to kill the beast.

    I'd actually like to see this run on my local system, though.

    1. Re:An interesting tactic by boudie2 · · Score: 2

      Unless of course they end up selling your email addresses to spammers. What guarantee do you have that they won't? Or someone hacks them. Or a "rogue employee". This is 2017, you can't take anything at face value. Even though plenty do.

    2. Re:An interesting tactic by gnick · · Score: 2

      What guarantee do you have that they won't?

      None, but it doesn't seem likely. Unless there are buyers looking specifically for the demographic of people that would forward spam to anti-scammers, there are much easier ways to harvest e-mail addresses. Any group that you share your email address with is subject to the risk of hacks or "rogue employees". We all set our own threshold for risk when we decide where to disclose our personal information. Developing a chat bot designed to frustrate scammers in an effort to collect data to sell to those scammers just seems like too bizarre a business model to worry about. Nothing to do with whether I trust them or not.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:An interesting tactic by gnick · · Score: 2

      The summary says that they'll reply using a "proxy e-mail address". TFA gives few details and I'm not going to explore their site at work. It's not clear whether there will be enough information in Rescam's reply for the scammer to identify where the original message was sent. Is it common to include your target's information in the body of your initial scam invitation?

      TFA does acknowledge that their efforts will result in a lot of bots talking to other bots.

      --
      He's getting rather old, but he's a good mouse.
    4. Re:An interesting tactic by Obfuscant · · Score: 2

      Is it common to include your target's information in the body of your initial scam invitation?

      Of course. With HTML-ized email, it is almost standard practice to include at a minimum a 1 pixel blank image with an encoded URL. You don't see it, but the website logs that you retrieved it. That not only tells them that the email address is valid, but that someone reads the email going there.

      And when the question is asked about "selling your email address to spammers", it's not the Re.scam people you need to worry about. It's the spammer who sent you the probe to see if the email address was valid. Getting a response, any response, means the address is. That makes it more valuable to spammers, and they pay for that info.

      TFA does acknowledge that their efforts will result in a lot of bots talking to other bots.

      Yeah, and you'll be the middleman, forwarding all the spam you are getting to Re.scam so they can validate your email address to the spammer for you, which results in more spam to be forwarded. Aren't you pleased to become a pipeline for these people?

      Now ask this: what is the Re.scam business model? Where are they making money? They can't sell ads because nobody thinks sending ads to "bots" is worth anything. Where does the money come from?
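The tracking-pixel mechanism described in the comment above can be checked for before a message is opened with remote images enabled or forwarded on. This is an added example, not part of the original thread; the sample message, the hostnames, and the names `ImgCollector` and `find_beacons` are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not from the page): HTML mail with one visible logo
# and one 1x1 image whose URL carries a per-recipient token.
SAMPLE = """\
From: "Prize Office" <claims@sender.example>
To: victim@recipient.example
Subject: You have won
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear winner, reply to claim your prize.</p>
<img src="https://cdn.sender.example/logo.png" width="200" height="60">
<img src="https://track.sender.example/o.gif?id=dmljdGltQHJlY2lwaWVudC5leGFtcGxl" width="1" height="1" alt="">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})

def find_beacons(raw_message):
    """Return remote image URLs that look like open-tracking beacons."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        html = payload.decode(part.get_content_charset() or "utf-8", "replace")
        parser = ImgCollector()
        parser.feed(html)
        for img in parser.images:
            url = urlsplit(img.get("src", ""))
            if url.scheme not in ("http", "https"):
                continue  # cid: and data: images cause no network fetch
            tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
            hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
            if tiny or hidden:
                hits.append(url.geturl())
    return hits
```

Size and visibility are heuristics only: any remote image fetch tells the sender's server that the message was rendered, so blocking remote content in the mail client is the actual control.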

    5. Re:An interesting tactic by tlhIngan · · Score: 2

      Anything that increases the cost of spam scams relative to the returns is worth investigating to see if it's practical, because ultimately you have to attack the economics to kill the beast.

      I'd actually like to see this run on my local system, though.

      There was an older tool that was basically an automated version of FormF*cker. Basically it went to the spam web pages and filled in the forms with crap. After all, back then spam sent you a link to get more information from you, so the tools would fill in the data with plausible looking but crap data.

      It apparently worked so well the companies behind it got DDoS'd because it completely corrupted the marketing databases when they realized 90% or more of it was pure made up data. And since a human had to go through it all, it turned the spam campaigns completely useless since they ended up with databases full of useless data.

  2. I did something like this some time ago and... by CustomSolvers2 · · Score: 2

    ... got quite surprised with the persistence and poor-understanding skills of some spammers/scammers. I was doing it manually and just for fun (+ kind of contributing to reduce crap). I think that this was one of the first times when I realised how deep stupidity can go. Although I prefer the current much-clearer-ideas myself, sometimes I kind of miss those moments when I was still expecting other outputs rather than stupidity always remaining stupidity.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  3. Jolly Roger by Anonymous Coward · · Score: 2, Interesting

    See: http://www.jollyrogertelco.com/. Keep telemarketers on the phone talking to a bot.

  4. Brilliant idea by ilsaloving · · Score: 2

    The only reason these phishing scams work is because they are so low effort on the part of the scammer. You just vomit spam and then handle the responders.

    This idea will turn the tables on them by making them do the same thing they're trying to do to others. Of course, it will turn into a cat and mouse game as the scammers figure out what's going on, and implement a cheap test to weed out the automation as quickly as possible.

    Of course, then I wonder if the scammers will start automating their own responses... it'll be like watching cleverbot talk to itself.

    1. Re:Brilliant idea by goose-incarnated · · Score: 3, Insightful

      These Nigerians are barely computer literate and barely literate at all. They will struggle to pass a Turing test themselves. I think that even Eliza level chatbots will fool them. The idea is that they will have to manually sift through thousands of emails per day to find the real mark, and I think that this idea will work.

      --
      I'm a minority race. Save your vitriol for white people.
  5. Chatbot to Chatbot? by ripvlan · · Score: 2

    I thought that many of the chat scams are via chatbots already. So won't this be like Google Go AI playing Google Go AI?

    That'll be the future of the internet. A bunch of angry AI bots battling it out in a deadly embrace. That will be how the world ends!!

  6. Re:Love the idea by pr0nbot · · Score: 4, Funny

    Sir,

    I am having many!! such ideas. In fact I have been a succesfull businesman more than 23 years and am in possession of a substantial!! quantity of monies. But, unfortunately I, am most Sorrowfully in dispute with the Ghanaian tax authorities who have frozen my accounts. However my esteemed solicitor, Dr Goodlove Simons III has assured me that through the payment of a fine of no more than $250US I will be able able to transfer these monies with much expeditiousness to an overseas bank account. I am prepared to offer a reward of $2500 in exchange for your immediate trnafser of $250US to the following account: IBAN002300203 Acct holder Ghanaian Tax Authorities, Apt 3b Rhodes House N2389 Lagos, Nigeria

    In anticipation of your excellent assistance, and with many!! thanks, Rev Alfons Dauphine

  7. Similar: https://spa.mnesty.com/ by akeeneye · · Score: 2

    Forward your spam to sp@mnesty.com. Hilarity ensues, once in a while (low response rate).

    --
    The man who dies rich dies disgraced. -- Andrew Carnegie
  8. Re:Skeptic by Aighearach · · Score: 3, Insightful

    It may be that figuring out what the email addresses are is not the hard part of scamming.