Review: Stopping Spam
I've put the proverbial pen to paper and taken a look at Alan Schwartz and Simson Garfinkel's book Stopping Spam, the (of course) pig book from our friends at O'Reilly. Short, and to the point, this is a good book for those who want to stop some of that spam that seems to flow through. At least I don't get anything from Bull's Eye anymore. (grin)
Stopping Spam
author: Alan Schwartz & Simson Garfinkel
pages:
publisher: O'Reilly & Associates
rating: 8.5
reviewer: hemos
ISBN:
summary: Quick & dirty ways to stop spam.
The Scenario
Schwartz and Garfinkel (of HotWired fame) have got together to write a book basically highlighting ways to stop spam, why spam needs to be stopped, implications of spam for the Internet, and what you can do. Well written, they also rely on some of their experiences with it, which adds a personal touch to things. The book also talks about some of the history of spam: Spam King, what people are doing, and how spam works. The book itself is relatively short, but packs good information into it.
What's Bad? I would have preferred something longer. The book itself does a good job of covering the basics of stopping spam, but something that's more definitive for the sysadmins in the crowd would have been appreciated. This is truly a nutshell review of things; it doesn't go into a huge amount of detail, but provides more of a general overview.
What's Good? The book does a good job of covering how spam works, and how to stop spam. Some of the advice is basic: things like avoiding putting your e-mail address on web pages. It also talks about spoofing in newsgroups, how cancel messages work, why they work. To people who like context, the history and comments they give are well received, and well written. I particularly enjoyed some of the history of UDPs. Filters are covered, in a variety of different e-mail programs, which is useful for many people.
So What's In It For Me? Basically, if you are looking to slow/stop spam this is good. It's a good introduction for moderators of newsgroups, small-time sysadmins and such. I wouldn't say that this book is the definitive source, but for 80% of us, this book will more than do the job. Things like filtering mail and Usenet, safeguarding addresses, and also spam stopping for administrators. That's good stuff.
Buy this over here.
Table of Contents
- Preface
- What's Spam and What's the Problem?
- Slapped in the Face
- What's Wrong with Spam
- A Taxonomy of Spam
- The History of Spam
- Prehistory
- Early Bulk Email
- Usenet and the Spam Cancelers
- In Their Own Words
- Spamming Today
- The Players
- The Technology
- Spamming in the Future
- Internet Basics
- Addresses
- Protocols
- Usenet News
- Instant Messages
- A User's Guide to Email Spam
- Safeguarding your email Address
- Filtering Junk Mail
- Responding to Junk Mail
- A User's Guide to Usenet Spam
- Filtering News
- Responding to Spam
- Spam Stopping for Administrators and ISPs
- Policy Choice
- Blocking Incoming Spam
- Stopping Outgoing Spam
- Community Action
- Sharing Information
- Group Action
- Legal and Legislative Action
- Informing the Public
- A: Tools and Information
- B: Cyber Promotions Timeline
- Index
Forge e-mail replies using the reply address of other spammers to spam received. Forge replies in the names of postmaster and abuse at the spammer's feed site (since abuse and postmaster at the spammer's site probably route to /dev/null).
Do the same with paper spam too. Remove anything with your name on it and stuff the junk mail into the postage-free "Business Reply" envelope and send their junk back to 'em! If enough people do this (this costs them postal fees), they'll start mailing out less spam.
Is he still whining about UNIX?
Bill Gates will be on Martha Stewart on Friday, January 22, 1999. All you Linuxers should lissen up and learn how to market.
You'll learn about things like user interfaces, business programming, how to scope out customer needs, database design, price points, affirmative advertising, word processors, scripting, and responding to negative feedback.
One thing that William Gates has NEVER done is publicly run down the competition (He's learned that much from Ronald Reagan).
So instead of bashing the greed of M$, why don't you offer up some of the benefits of Linux?
The world can't wait to find out how you respond to feedback that does something other than lick your boots. You've had too much Outcomes Based Education!
So when is O'Reilly going to release a book on "Stopping Trolls"?
I called the number. There is so much sarcasm in his voice that I find it hard to believe this guy is for real.
Jonathan
The problem with spam is that it is a one-way thing. They can write you but you can't write them back. Or they are not dealing with you as an individual but as an insignificant item in a massive list.
:)
Here's the solution: Have an email proxy program that intercepts email. If the email is "from:" a friend (a list you maintain, or a source you have sent mail to in the past). Now if it's not from someone you know, the email proxy program automatically replies to the letter with a message.
"You are attempting to send mail to Such and Such, but he does not have any record of knowing you. If this is a legitimate inquiry please, attach this message to your letter and resend it.
NO_SPAM_ID=0x940322
"
Then the proxy program records the id and the "from:" email address. If it later gets a letter from the same person with that id, it means a human operator actually wants to talk to you and it's probably not spam, or at least you know that they are reading your replies and you can curse them out if it is!
Jonathan
My friend hacked this spammer's PBX. Give it a listen, pretty amusing. 1 800 409-8302 x1288
You do realize, of course, that every time you dial a toll-free number, the party that owns the number is able to record the calling (i.e. your) phone number. Even if you dial the code to block caller ID.
Personally, there's no way I'm giving my home phone number to spammers this way. Caveat dialer.
Well, there are about 13+ messages on there now from fellow spam-haters. At 7-8 cents/minute, he probably is now regretting his bulk e-mail campaign.
Moral of the story: If you're going to propagate SPAM that refers to an 800 number with voicemail, it's a good idea to change your voicemail password from its default, 0000. Everyone knows you can just press * during the greeting, right?
Check the mutt manual (http://www.mutt.org). There's a toggle you can set to have headers show up when editing messages.
Stop trolling people with MS bullshit
too bad not accessible from Canada, or has it been /.ed?
mailing random debris is great fun.
I usually get SPAM that has a P.O. box
address (and a non-working reply to).
Would it be mail fraud to send a bill to
the P.O. address for my time with a note
and a copy of the email saying that the
email resulted in a request for "service"
and thus they are obligated to pay the bill?
Plus with perhaps a threat to report them
to the credit (can you get the P.O. box
listing from a post office?)
Perhaps send them some kiddie porn or drugs
or bombs to that P.O. and tip off the USPS?
how about putting ziplock bags full of sugar?
or little discordarn notes? for ex. "not legal tender"
maybe send those aol disks... [so that's spamming one spammer with another's spam. ]
but porn has to be the best!
I would never try to reach you again. Doesn't my time count?
Many people have email set up such that when they get it, it sounds a bell or shows a graphic and they immediately read it. If this email is spam you might think it just takes 15 seconds to read enough to delete it. But studies show it takes a programmer a full 10-15 minutes to recover intellectually from an interruption.. or get back into the groove of things.
:)
Now you subtract 15 minutes from your life/business for every spam you get and delete and you will get pretty pissed. It's worse than cigarettes!
How do I check a valid mail address?
You can't, at least, not in real time. Bummer, eh?
Without sending mail to the address and seeing whether there's a human on the other hand to answer you, you cannot determine whether a mail address is valid. Even if you apply the mail header standard, you can have problems, because there are deliverable addresses that aren't RFC-822 (the mail header standard) compliant, and addresses that aren't deliverable which are compliant.
Many are tempted to try to eliminate many frequently-invalid mail addresses with a simple regexp, such as /^[\w.-]+\@([\w.-]\.)+\w+$/. It's a very bad idea. However, this also throws out many valid ones, and says nothing about potential deliverability, so is not suggested. Instead, see http://www.perl.com/CPAN/authors/Tom_Christiansen/scripts/ckaddr.gz , which actually checks against the full RFC spec (except for nested comments), looks for addresses you may not wish to accept mail to (say, Bill Clinton or your postmaster), and then makes sure that the hostname given can be looked up in the DNS MX records. It's not fast, but it works for what it tries to do.
Our best advice for verifying a person's mail address is to have them enter their address twice, just as you normally do to change a password. This usually weeds out typos. If both versions match, send mail to that address with a personal message that looks somewhat like:
Dear someuser@host.com,
Please confirm the mail address you gave us Wed May 6 09:38:41
MDT 1998 by replying to this message. Include the string
"Rumpelstiltskin" in that reply, but spelled in reverse; that is,
start with "Nik...". Once this is done, your confirmed address will
be entered into our records.
If you get the message back and they've followed your directions, you can be reasonably assured that it's real.
A related strategy that's less open to forgery is to give them a PIN (personal ID number). Record the address and PIN (best that it be a random one) for later processing. In the mail you send, ask them to include the PIN in their reply. But if it bounces, or the message is included via a ``vacation'' script, it'll be there anyway. So it's best to ask them to mail back a slight alteration of the PIN, such as with the characters reversed, one added or subtracted to each digit, etc.
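An added example, not code from the FAQ text or from any poster in this thread: the altered-PIN confirmation described above, applied to the challenge-reply mail proxy proposed earlier in the thread, next to a check of what the quoted regexp actually accepts. The names `ChallengeGate`, `new_pin` and `naive_accepts`, the verdict strings and all addresses are assumptions made for the illustration.

```python
import re
import secrets

# Regexp quoted in the FAQ text above, copied unchanged so its behaviour can be checked.
NAIVE_RE = re.compile(r'^[\w.-]+\@([\w.-]\.)+\w+$')


def naive_accepts(address):
    """True if the quoted regexp would accept the address."""
    return NAIVE_RE.match(address) is not None


def new_pin(digits=8):
    """Random numeric PIN whose reversal differs from the PIN itself.

    A palindromic PIN would make the altered form identical to the original,
    so a bounce that merely echoes the challenge would pass the check.
    """
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(digits))
        if pin != pin[::-1]:
            return pin


class ChallengeGate:
    """Hypothetical mail gate: known senders pass, unknown senders are challenged."""

    def __init__(self, known=()):
        self.known = set(known)  # addresses already confirmed or written to before
        self.pending = {}        # address -> PIN sent in the challenge

    def challenge_text(self, sender):
        pin = new_pin()
        self.pending[sender] = pin
        return (f"No record of {sender}. To confirm, reply with this PIN "
                f"spelled in reverse: {pin}")

    def receive(self, sender, body):
        """Return (verdict, reply_text) for one incoming message."""
        if sender in self.known:
            return "deliver", None
        pin = self.pending.get(sender)
        if pin is None:
            # One challenge per sender at most: From lines on spam are often
            # forged, so every automatic reply may land on an uninvolved party.
            return "challenged", self.challenge_text(sender)
        tokens = set(re.findall(r"\d+", body))
        if pin[::-1] in tokens:
            # Only a reader who followed the instructions produces the altered PIN.
            del self.pending[sender]
            self.known.add(sender)
            return "deliver", None
        if pin in tokens:
            # Bounce or vacation auto-reply quoting the challenge back verbatim.
            return "echo-ignored", None
        return "held", None


if __name__ == "__main__":
    # Constructed sample addresses and messages.
    for addr in ("someuser@host.com", "user@..com"):
        print(addr, "accepted by quoted regexp:", naive_accepts(addr))
    gate = ChallengeGate(known={"friend@example.org"})
    verdict, challenge = gate.receive("stranger@example.net", "Hello there")
    print(verdict, "|", challenge)
    pin = gate.pending["stranger@example.net"]
    print(gate.receive("stranger@example.net", "On vacation.\n> " + challenge))
    print(gate.receive("stranger@example.net", "Here you go: " + pin[::-1]))
```

The quoted regexp rejects `someuser@host.com`, the very address used in the sample confirmation letter, while accepting `user@..com`, which is why the FAQ text falls back on a round trip by mail.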
Why does Slashdot want us to buy books to a higher price, through a link on their name?
:(
It has been brought up several times earlier in discussions about books, that Bookpool's prices are lower, so now when I once again saw a link to Amazon, I wondered if Slashdot has taken any of the criticism to heart, so I checked if Bookpool has got the book:
http://www.bookpool.com/.x/3jptfjpd56/ss/1?qs=S
List Price: $19.95
Our Price: $13.95
You Save: $6.00 (30% Off)
And this is where slashdot thinks we should buy the book:
http://www.amazon.com/exec/obidos/ISBN=15659238
List Price: $19.95
Our Price: $15.96
You Save: $3.99 (20%)
Who more are Slashdot giving publicity to, to make profit? How can I ever trust anything I read, without knowing if it is biased anymore? Maybe Slashdot gets a copy of the product for their own personal use, if they are giving it publicity, from one company, but not from another. Looking at the above, makes me think that the company who doesn't pay Slashdot in a way are less likely to get the publicity, than the one who does, even though it is a better product for us who are dedicated slashdot readers..
How can I ever trust their journalistic judgement and independency from things like this?
I really like slashdot, and I don't want it to go this way
Is there anyone else out there who recognize any of these feelings I have?
You'd think that just returning a bounce would get you off the list, wouldn't you?
Spammers break all the rules of sending mail - in particular, they invariably don't care whether the mail really arrives or not, as long as they can say to the sucker customer that "yeah, it went out to 10,000 addresses!"
The bounces, and there are many, usually only end up in the mailbox of some innocent postmaster (since, pre-spam, this was a problem that the postmaster could intervene to fix).
--
Dave Wilson www.angwels.com
Do you really believe that Slashdot is obligated to only link to the lowest cost suppliers? Maybe bookpool has no interest in Advertising on Slashdot, did that ever occur to you? You need to realize that in order for sites like this to exist they need to generate some income. This site cost you nothing to visit but it cost a hell of a lot to maintain. They have no responsibility to make sure that you get the best deal on anything. Perhaps you could donate some money to Slashdot so that they wouldn't need advertising. Quit whining and think next time.
Please don't forge postmaster mail. It'll only end in tears.
If you go for the dialup ISP that the mail came from, they usually do read postmaster and abuse, and sometimes even act on it.
Dammit, I know I do, and it only makes the whole job harder if people start abusing the abuse addresses.
--
Dave Wilson www.angwels.com (not my day job)
Most paper spam comes WITHOUT the postmark across the postage. If you drop it back in the mailbox, it runs through again. Each time it goes through, it gets charged against the advertisers account.
Anything that costs them money is fine with me.
All they sell around here are the ink kind.
... you could just fake a bounced message back to them.
I just need a scriptable mail client (or a mail client in which I can say "send this message to this script, and read the output into a new message"). I could probably do it in Mutt/vi & perl but I can't seem to get the headers to show up in the message when I edit it.
Anyone know any solutions to this?
It makes sense - they don't want bounced messages, you don't want spam.
I remember reading about an anti-spam technique called "Teergrubing", which is done in a non-biased manner... Is it mentioned in the book?
-----------
-----------
100% pure freak
I have a PO Box, and it peeves me no end that the post office accepts money from me for the privilege of owning it and then accepts money from advertisers for the privilege of stuffing unaddressed advertising in it. For goodness sake -- surely I'm saving them leg-work by having a PO box in the first place: how much so-called "cost recovery" do they want to gouge me for?
My policy with junk mail: snatch pen out of shirt pocket, inscribe "return to sender" somewhere on the offending item, and pop it straight back in the letter delivery box. Some folks prefer to just toss it back in through the PO box -- litter the mail room, not the street. I guess I'm just a bit more formal in my mode of protest.
> You'll learn about things like user interfaces,
> business programming, how to scope out customer
> needs, database design, price points,
Don't you mean "customer's available cash"? One of my greatest needs is stability, but Microsoft's plan (keep introducing new features (gotta sell everyone on the newest release) rather than fixing the existing ones) doesn't exactly tend toward the creation of reliable software.
> scripting, and responding to negative feedback.
Responding to negative feedback (of the bug report variety) is easy - "just upgrade to the newest version (whenever it comes out) and that bug will be fixed - ummm ... except for 'insufficient memory to update display' - that's a feature, not a bug"
Will we also learn about FUD, the Windows 2000 "deathmarch" (including the REAL release date), and Bill's plan to defeat OSS? I doubt it.
> One thing that William Gates has NEVER done is
> publicly run down the competition.
You're right. He leaves that job up to Ed Muth, "Steve Barkto" and other Microsoft employees.
Even Jesse Berst is starting to suggest Linux as an alternative to Microsoft. Doesn't THAT tell you something about Microsoft's reputation and prospects?
I wonder how much money this little slashdot plug is going to cost them...
2) Sendmail 8.9's anti-spam code
3) Killfiles
4) identd (most spam uses fake e-mail headers)
5) Forward the spam to the spammer's postmaster
6) Send Router announcements of a new zero-hop route to the spammer's site, via any dead route.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Spamtrack is by no means a finished product, and still needs some work before it's suitable for everyone. I encourage users to try test@spamtrack.978.org to make sure the results are appropriate for your situation before making heavy use of the service. As always, suggestions, comments, and bug-reports are welcome: you can email them to brianr-slashdot.org@osiris.978.org
In response to Mr. Anonymous Coward's Comments:
1.It will send the spam complaint to the contacts of every domain in every legitimate-looking Received: header.
Correct. This results in a contact to every site involved or fraudulently represented as involved with the transmission of the unsolicited commercial message. ISPs that were involved want to hear about it so they can avoid having their resources wasted by the spammer. ISPs that were fraudulently represented as being involved by forged headers want to know so they can stop the spammer from misusing their name again in the future.
This is a bad thing because it will also send the spam complaint to your ISP...
Sending a copy of the complaint to the spammed user's ISP could be either good or bad depending on the circumstances and the ISP's policy, and should probably be turned off by default.
This is not the case at all. Some ISPs like to know about abuse of their resources by spammers (even if they're not being used as a relay) and will actively pursue the matter.
2.It spams every internic contact for the domains it decides are involved. It's hard to tell from the tests I have tried, but it may send mail to every contact for each domain....
The Internic whois database is only used when the domain has not registered their preferred spam-complaint contact address with one of the major abuse contact lists. If no contact is on file and the whois lookup fails, then the message is sent to postmaster and abuse at the offending domain. Even if the same address appears as a contact more than one time, only a single complaint message will be sent.
3. It mangles the subject
Spamtrack merely prepends text to the subject. The subject is not mangled, and can still be matched by automated tracking systems.
Any sane spam-report handling program will match the first RFC822 object it finds in the body of the message or its attachments. Including a complaint or "speech" in the body of the message should not interfere with this process.
The same complaint message and "speech" is also BCC'd to the spammer, just in case they don't understand the implications of what they've done. The envelope sender address on that message is written in a manner that makes it easy to keep track of which spammers actually send more spam to people who ask them not to send any spam at all.
A lot of people used to tell me that they didn't like to report spammers. When I asked them why, there were two major reasons they always cited: 1. I don't know who to report it to, and 2. If I report them, my mailbox will only fill up with dozens of "Yes, we got your spam complaint" messages. Spamtrack, a free service powered by all Free Software is my answer to the problem.
Using spamtrack is easy. Simply forward the spam message with full headers (preferably as an attachment) to report@spamtrack.978.org. A list of all the contact addresses for the offending domains will be compiled. You will be sent a report, and the domain contacts will be sent complaint messages. All complaint messages will have the return addresses rewritten so that responses will end up in the database instead of filling up your inbox.
Spamtrack uses a modified Ricochet and the PostgreSQL database to track complaints and their responses. An online interface where you can view responses and statistics on worst offenders, response times, and number of resolutions is in the works.
Please use the report@spamtrack.978.org address only to report actual unsolicited commercial messages. You can forward test messages to test@spamtrack.978.org.
Danny.
I have written over 900 book reviews
I try to avoid the practice of obfuscating or protecting my e-mail address, on the grounds that there are better ways to protect yourself from spam. Hiding your e-mail address is just dodging the main issue. No matter how much you hide it, they will get your address. You'll have to put up sooner or later.
Here's what I do to avoid e-mail spam. I think these steps work rather well. My e-mail address is publicized on slashdot, my home page, Usenet archives, and various other places, and yet I get very little spam (once a month at most, never more than once from the same place).
- Subscribe to the Realtime Blackhole List to dodge known spam hosts.
- Use the Spam Bouncer to filter out all the spam that the author of the program knows about (which is quite a lot; 200 kb of filters at last count), and send simulated bounce messages back to the spammers.
- Run blackmail over sendmail to block relays and allow for additional manual filtering (e.g. if Netscape, Microsoft, or some loser sends me unwanted mail, they're not ever mailing me again
:)
Between all of these, I live a nearly spam-free life without having to worry about hiding my mail address. If this sounds like heaven to you, then, well, why don't you try these things too ^_^
Amazon $15.96
BarnesAndNoble $15.96
Bookpool $13.95
Shopping $12.96
Spree $14.97
Regards, Ralph.
My friend hacked this spammer's PBX.
Give it a listen, pretty amusing.
1 800 409-8302 x1288
"Reactionaries must be deprived of the right to voice their opinions; only the people have that right." - Mao
Very cool, worth calling for a laugh. And it's on the bad guy's bill. :)
One easy way to avoid spam is to not publish your address on websites? Geez, that's kinda lame. How do you make an easy mailto: for customers or potential contacts on a website? Sorry, I don't think so.
I also use my real address in newsgroups and everywhere else. I'd rather be easy for people to contact (good and bad) than be a pain to contact. I know other people who munge their addresses to newsgroups, and I always forget to change their addresses before mailing them. So I get bounce messages back. I hate that.
But I've been on the net 6 years now, so I remember the good old days pre Canter and Siegel.
Other odd things: I get a few pieces of spam now and then from a GTE mail account that I don't think I've ever publicized the address on. The spams all have a very similar format in the subject field.
Then of course, there was the time Mute (the record label) spammed some people with a 2 meg attachment or some such. I use Unix, so I just deleted it easily. I can't even imagine what it must have been like for PPP users.
(I managed to really piss off a few sysadmins with my crontab mailbombers before I learned to chill out and focus my complaints more... ;-)
Your Servant, B. Baggins
That was amusing.. as far as the worries about your number being recorded and saved for phone spam, just call from work, silly. :]
So who changed the message?
--
driph
I actually phoned them once and threatened their lives. Quite cathartic.
Avi Norowitz slashdot@ice.tj
- Open spam snail mail and look for Business Reply Envelope (BRE) and the Acceptance/Order Form (AOF).
- Stuff BRE with all of the spam (including the outer envelope that it arrived in) except the AOF.
- Use an indelible marker (preferably black) to scribble out the part that says "Yes! ..." and anything else except your name and address which should be preprinted on it (note that it will usually include some kind of account number).
- Write "please remove me from your mailing list" in plain block letters next to your address.
- Put AOF in BRE, seal the BRE and mail it.
Some snail spammers are wising up and only including postcards for Business Reply Mail. Doing the scribble & return thing on these usually works, tho.
I used to work at a mailbox rental site (not one of the big chain places, tho). The USPS will not return anything sent Bulk Rate (if the postmark says "BULKRT" or anything like that).
I seem to remember somewhere seeing that if you request such removal in writing, the sender is obligated by law to do so, but don't remember where I saw it...
Something I've always wanted to do, but never done, is to order "bill me later" Franklin Mint dishes and dolls and subscriptions to Hustler, etc. for spammers who only give their snail-mail addresses. Maybe I'll do it one day...
Switch the . and the @ to email me.
I don't know. I understand that Spam sets a bad precedent and uses up valuable bandwidth, but I found a simple solution a long time ago: I just delete it, unread. The subject lines are pretty obvious. And even when they aren't and I read one by mistake, I just delete it. No harm.
Thankfully, I've never gotten any really long spams which would require excessive time to download. Maybe that would change my mind.
In the end, I believe in the "goodness" of the net and like to make it easier for people to find me, by keeping my real e-mail address in newsgroup postings and my web site.
-Augie
Yup, that is an end-user POV.
Your points are good, though. I just wouldn't get the book for my own purposes. Maybe as a SysAdmin it would be helpful, but is that who the book is aimed for? I flipped through it at the store when I saw it once and it seemed aimed more towards the end-user.
-Augie
I'm not sure if bouncing will do a whole lot of good though, as lots of the spam out there is forged, so the spammers don't get the bounces. It's a lose-lose situation. :-(
I've been pretty gassy lately, so my message was a poem without words. HAHA :]
My program, SpamCop does a much better job of reporting spam. It has a web interface and an email interface, and by using the web interface, you can see what it's doing ahead of time. It doesn't have any of the problems listed above, and it is well loved by users and system admins alike. It's fast, accurate and it doesn't spam unrelated parties. It doesn't even complain to relay admins - although that might be added as an option later.
Good idea on the extra header fields. Anyone know if there is a defined namespace I should be careful of - like mime or whatever? I guess just start with an X and I should be OK.
The thing about the 'extraneous' information though, I think this is important.
First of all, I like to put the ID in the subject, because I automatically filter all incoming replies and sort them by complaint - and the subject line is sometimes the only thing left of the complaint when I get back a response - then you can tell if 'your' complaint has been answered without giving away your REAL address. I also CONCEAL your address in the outgoing complaint.
Secondly, although many complaints fall on the jaded ears of experienced complaint-desk jockeys, I find that many of my complaints are sent to clueless lusers. I don't want them to confuse my complaint for a stupid spam. I also give the tracking URL to these guys so they can see WHY I decided to complain to them.
Besides, my boilerplate gives 'em the info they need right up front - IP and datestamp. Eventually, I hope ISPs will come to trust spamcop more than reading headers themselves - at least for day-to-day stuff.
-=Julian=-
p.s. The url again! Bookmark it!