I (via my subscription fee) am subsidizing the cost of a spammer's business
And by blocking spam, you are making the spammers business more profitable by filtering yourself out of the group of people that use the bandwidth of the site through which he is selling products.
Re:I have said it before and I will say it again..
on
In Pursuit Of A Spammer
·
· Score: 3, Interesting
Filtering spam out of your inbox helps to make it more profitable for spammers. Anyone who is smart enough to filter spam is smart enough to ignore the products anway. Instead, route it into a holding bin, regex it for URLs and once or twice a day, download everything from those URLs to the bit bucket.
Get all your friends to do the same thing. Bandwidth costs spammers money, so make them pay for sending spam by using that bandwidth. They sent you are URL, so they can hardly complain if you take advantage of it.
Wanna make the spammer pay? Do what I do and install a program to parse all the URLs out of your incoming spam and download their entire website every day.
Not enough to be a nusiance all by your lonesome (eliminating any problems with false positives or abuse charges), just enough to wiggle the bandwidth meter on the spammers website. Tell all your friends to do the same.
Spamming works because its nearly free, its up to us to fix that. Spammers can falsify headers, ignore bounce messages and provide no return address, but they almost always include a web address. Use it. Extensively.
Ok, so we know that you and I are clueful enough to not buy spam products. We are so clueful that we install filters so we never even see spam. What about all the people who aren't that smart?
We can keep shooting at moving targets, taking out spammers where they show up, but there are alot more spammers than there are people willing to spend the time to track down and knock over the spammer again (and if he is good, he'll just move on to another ISP, and we'll have to knock him down again.
What is another solution, one that doesn't take as much effort?
I wrote a program for my windows box that parses the spam folder in my mozilla and Outlook Express mailboxes (I use Popfile to filter spam into other mailboxes, and mozilla mail does a pretty good job of identifying it itself). The program pulls out anything that looks like a URL, then downloads the page and any images and etc on the page. It does this twice a day, every day.
The object is not to single-handedly DOS the spammers website. It is to incur on the spammer a small cost for sending me email. Spam is only profitable because advertising to uninterested parties is nearly cost-free. Raise the cost of spamming, in this case by raising the bandwidth required, and fewer spammers will be interested.
The best part is that for most tech-savvy users its very simple to impliment. Since its not an attack, a few false positives are ok, and because its automatic, no effort is required. Rather than spending hours data-mining google and whois for personal details of a spammer, I can just be content that every message costs them money.
Ignoring spam will not make it go away. This is just another tool in the spam-fighters toolbox.
THe real attractiveness of this technology is that if it can be as efficient or almost as efficient as propellers and varients ( jets ) are this would present far fewer moving parts and hoepfully be more reliable
And for an air vehicle, it doesn't have to carry around a motor and fuel. As per the article, NASA is interested in possibilities such as airborn Mars explorers that fly by receiving power from an orbital platform.
I dunno how effective a lifter would be in Mars' thin atmosphere, but its an interesting idea. What also might be interesting is when photovoltaic cells reach very high efficency and can be produced in very thin, light coatings. Then instead of beaming power to a platform, it can generate its own electrical power.
Haven't you been thinking about this a little too precisely? I'm not saying that what you said is suspicious; just don't answer the door for the next few days.
I always wonder about that when I post something like this. The first time I posted it, some months ago, it took only a few moments to come up with the idea. I've avoided posting other more nefarious schemes, also easily invented, because posting them would serve no purpose but to possibly draw unwelcome attention to myself.
I figure if I can identify a vulnerablity and come up with a potential way to exploit it in under five minutes, so could anyone who has the mentality to actually complete planning for and carry out such an act.
The most important part is identifying targets that satisfy the goal, which the map in the original article could definately help with, but my point is that even without such a map, it is still nearly trivial to come up with targets that will have a large impact with relatively little effort.
I think that the teams would be highly exposed by visiting 500 sites. After one or two explosions the authorities might be on to them in almost no time
Thats why the bombs should be time bombs, all set to go off on the 3rd or 4th day, after the lunchboxes have been picked up and returned to the school's lost-and-found. The caps on the thermous should be epoxied shut of course, so only the most stubborn of people would figure out that there was a bomb inside.
It also might be more likely to just piss us off instead of terrorize us.
It would definately piss everyone off. It would also show every mother in america that their children are not safe at school (although this particular plan would likely hurt school employees more than children, that doesn't matter, when a bomb goes off at school, most parents don't consider the details).
The plan seems flawed
I hope so. As someone else replied, this is just one example of thousands that anyone who wants to can come up with on a few minutes notice. It would only take a little cash and a few people to carry out an attack like this.
What kind of idiot would use a memory system for a voting machine that can be written to more than once?
Election official installs the blank chip into the voting machine and locks it in. Voting machine inits the chip with its own GUID and the digital signature of the offical. Machine records votes onto the chip by buring out non-resettable fuse bits, and prints a human and machine readable paper ballot (verifed by voter) as backup. Election offical enters ID, machine finalized the chip with the ID and its GUID and burns out any unused bits. Chip now cannot be modifed in a way that will skew the vote.
What is wrong with recording votes onto write-once media (like fuse memory, burn out the bits you want unset, and use values that are mutually exculsive)? A physical chip that is inserted into each machine by election officals and sealed in with that holographic tamper-proof tape, then locked into the machines alarmed case, which cannot be opened until the election official tells the machine to finalize the media, which zeros out any remaining write space, so that it is physically impossible to change the media.
You still have software issues though, so you still have to print a human and machine readable paper backup ballot.
Maybe election officials should be required keep digitally signed copies of every set of ballot data that goes through their custody, so that there is a digitally signed chain of custody for every block of ballot data. So the weakest place would be during data recording, and that would be backed up with difficult-to-tamper-with paper ballots.
thats almost exactly the Mercuri system. User manipulates a control to cast their vote, system prints a ballot that is human and machine readable, user verifies that the ballot is correct, ballot is stored. Additionally, it is possible to give the user a receipt that can be used to verify that their vote was cast correctly, but without revealing what the vote was, which might be an important thing to put on the receipt.
In the short term I am not trying to receive less spam. I can do that with existing filters. I want spamers to put big, pretty, expensive-to-download graphics on their pages and send me the URLs.
Its extremely unlikely that I'll ever receive enough spam that it will impact my bandwidth to download their web pages, but they could certainly receive enough page views to kill all their profits and send them looking for new scams.
For the record, your information is false, most of the URL's in the spam I receive does not include any kind of unique ID. Extracting the URLs from about 10,000 messages that have been sent to my email address (spam from newsgroup harvesters and Hotmail spam), very few have anything that resembles a unique ID.
There are some obvious reasons for this. Spaming is all about doing as little work as possible to reach as many email addresses as possible. Including unique IDs in every URL would of course be insane. Blocks of addresses could identified, but thats not particularly useful. Spammers don't really care what individual addresses are live. They harvest fresh addresses constantly, and autogenerate common addresses. Offloading email to open relays saves even more time, with no penalties for bad addresses.
It should not be a surprise to anyone reading slashdot that given a social security number and...
Heck, just a social security number by itself will give a pretty good idea of where and when the person was born (issued the number actually, but thats frequely the same).
If 25 telcos happen to be sharing the same 'pipe' of fibre, it may not be a terrorist that breaks that connection... regardless of who severs that line, it ain't good for the telcos -- and the telcos should be using his data to reduce risks.
Whats sad is that the guys down in the bowels of the IT department already know this problem exists, probably along with dozens of other single points of failure, but middle managment won't spend or can't get the money to fix it, and won't tell upper management because it would make them look bad.
Its a little more serious than you make it out to be, but it would take a well organized attack to cause really life and economy threating problems.
Electrical power is an obvious one. One evening with a few cases of dynamite and a map like the one in the article could cause widespread power outages for several days in a medium sized city. Concurrent attacks against water supplies and shipping routes (take out highway bridges and their alternates coming into the city), and the inconvienance is compounded and makes for serious disruptions.
At this point you would have severly reduced capacity for power and water, and it would be difficult to truck supplies and repair equipment in. Do it during hot weather so its uncomfortable for people to be outside, and throw in a few bombings and sniper attacks, and you could really get people in a panic.
Of course you can't be completely immune to these sorts of attacks, but its important to know how to handle them. Nearly all emergency response is set up to deal with accidental or small scale emergencies, not deliberate infrastructure attacks. Strategy and training for larger failures would be a good thing.
This seems like a simple exercise in paranoia to me.
I agree. Particularly since it has already been shown that terrorists can choose and utterly destroy a high-profile target.
If a terrorist wanted to really upset things now, they'd next show that Anytown, USA was also vulnerable. Three days, three teams each with a van, 500 childrens lunchboxes with a timebomb inside the thermos and a road trip past small town schools in east, west and central USA should do it.
You are not safe at work, you are not safe at school, panic.
Exactly why I'm working on a tool that works with outlook express and mozillas email client that pulls web url's out of my incoming spam and spiders the pages once a day.
Not very high usage, so false positives in the spam are not a problem, and not an obvious DOS attack from an identifiable IP, so difficult to block at the web site. It just removes some of the asymetry that spammers enjoy and forces them to pay for what they do in the only way I can make them pay.
This is exactly why I have written my latest program. Its simple. My mail gruns through POPFile a filter system that adds a spam header to my email's subject lines. Using an Outlook Express filter I sort those messages into a 'spam' folder. Very simple.
Next I parse Outlooks DBX file and read the messages, decode them, and run the bodies through a regex to extract everything that looks like a web URL and save it to a data file (removing dups).
Every day the datafile is fed to a program that spiders each URL, downloading every file it can find on that site (up to a sane and reasonable limit). If false positives get in the list, no harm is done, because I'm not DOSing the site, just running through it once.
Thats it. My intent is not to attack the spammers server. It is not to consume more bandwidth than is reasonable for a single user. My intent is to force the spammer to pay a fair cost for advertising to me. This removes the only advantage spam has over other advertising, the asymetrical aspect.
Do not do the spammers work for him, filtering yourself out of the result set. Eat a little of his bandwidth for each message he sends you.
I intend to release this tool with processors for outlook's DBX files and hopefully something for mozillas mail (which I understand has its own spam filter built in). Hopefully someone will think its a good idea and build a similar system for linux. Should be easier for linux than for windows, given the tools available.
Ha! You are streaming it to him over a public distribution medium in analog format!
If you made your friend a copy of the CD and gave it to him, *then* you'd be guilty of infringement.
Actually, as I understand copyright laws in the US, thats legal. They hammered that stuff out back with cassette tapes. The problem is when you start giving copies to anyone that asks (and they don't get a cut of the sales from the distribution medium).
I wonder what exacly makes something a public performance? If I have a 72" HDTV outside on my deck, and I decide to watch a movie with the sound turned up to 11, is that a public performance?
Easily circumvented by distributing more files across more hosts. I regularly download the same file from over a dozen seperate hosts so I can use my ~3Mbit downstream bandwidth to get large files in a reasonable time.
It will require more storage space, but that hardly seems like a problem with the way HD's are going.
I suppose you could argue that they are initiating the actual copy by activating software running on your computer (be it p2p software, an ftp server or a publically accessable SMB/NFS share), but I think it would be hard to argue that you were not distributing the files. Either way, its a very fine distinction that I think would be lost on most people.
Hmm, I can see that being an interesting problem. Instead of worms installing IRC bots, they'll install p2p services that work like freenet. What kind of legal defense would that give you?
Slashdot Mirror
I (via my subscription fee) am subsidizing the cost of a spammer's business
And by blocking spam, you are making the spammers business more profitable by filtering yourself out of the group of people that use the bandwidth of the site through which he is selling products.
Filtering spam out of your inbox helps to make it more profitable for spammers. Anyone who is smart enough to filter spam is smart enough to ignore the products anway. Instead, route it into a holding bin, regex it for URLs and once or twice a day, download everything from those URLs to the bit bucket.
Get all your friends to do the same thing. Bandwidth costs spammers money, so make them pay for sending spam by using that bandwidth. They sent you are URL, so they can hardly complain if you take advantage of it.
Wanna make the spammer pay? Do what I do and install a program to parse all the URLs out of your incoming spam and download their entire website every day.
Not enough to be a nusiance all by your lonesome (eliminating any problems with false positives or abuse charges), just enough to wiggle the bandwidth meter on the spammers website. Tell all your friends to do the same.
Spamming works because its nearly free, its up to us to fix that. Spammers can falsify headers, ignore bounce messages and provide no return address, but they almost always include a web address. Use it. Extensively.
Solution: Don't buy anything you get a spam for.
Ok, so we know that you and I are clueful enough to not buy spam products. We are so clueful that we install filters so we never even see spam. What about all the people who aren't that smart?
We can keep shooting at moving targets, taking out spammers where they show up, but there are alot more spammers than there are people willing to spend the time to track down and knock over the spammer again (and if he is good, he'll just move on to another ISP, and we'll have to knock him down again.
What is another solution, one that doesn't take as much effort?
I wrote a program for my windows box that parses the spam folder in my mozilla and Outlook Express mailboxes (I use Popfile to filter spam into other mailboxes, and mozilla mail does a pretty good job of identifying it itself). The program pulls out anything that looks like a URL, then downloads the page and any images and etc on the page. It does this twice a day, every day.
The object is not to single-handedly DOS the spammers website. It is to incur on the spammer a small cost for sending me email. Spam is only profitable because advertising to uninterested parties is nearly cost-free. Raise the cost of spamming, in this case by raising the bandwidth required, and fewer spammers will be interested.
The best part is that for most tech-savvy users its very simple to impliment. Since its not an attack, a few false positives are ok, and because its automatic, no effort is required. Rather than spending hours data-mining google and whois for personal details of a spammer, I can just be content that every message costs them money.
Ignoring spam will not make it go away. This is just another tool in the spam-fighters toolbox.
THe real attractiveness of this technology is that if it can be as efficient or almost as efficient as propellers and varients ( jets ) are this would present far fewer moving parts and hoepfully be more reliable
And for an air vehicle, it doesn't have to carry around a motor and fuel. As per the article, NASA is interested in possibilities such as airborn Mars explorers that fly by receiving power from an orbital platform.
I dunno how effective a lifter would be in Mars' thin atmosphere, but its an interesting idea. What also might be interesting is when photovoltaic cells reach very high efficency and can be produced in very thin, light coatings. Then instead of beaming power to a platform, it can generate its own electrical power.
The tea has to be hot, and you have to put the dangly bit into it then flip the switch.
And wheres that thing your aunt gave you that you don't know what it is?
Haven't you been thinking about this a little too precisely? I'm not saying that what you said is suspicious; just don't answer the door for the next few days.
I always wonder about that when I post something like this. The first time I posted it, some months ago, it took only a few moments to come up with the idea. I've avoided posting other more nefarious schemes, also easily invented, because posting them would serve no purpose but to possibly draw unwelcome attention to myself.
I figure if I can identify a vulnerablity and come up with a potential way to exploit it in under five minutes, so could anyone who has the mentality to actually complete planning for and carry out such an act.
The most important part is identifying targets that satisfy the goal, which the map in the original article could definately help with, but my point is that even without such a map, it is still nearly trivial to come up with targets that will have a large impact with relatively little effort.
I think that the teams would be highly exposed by visiting 500 sites. After one or two explosions the authorities might be on to them in almost no time
Thats why the bombs should be time bombs, all set to go off on the 3rd or 4th day, after the lunchboxes have been picked up and returned to the school's lost-and-found. The caps on the thermous should be epoxied shut of course, so only the most stubborn of people would figure out that there was a bomb inside.
It also might be more likely to just piss us off instead of terrorize us.
It would definately piss everyone off. It would also show every mother in america that their children are not safe at school (although this particular plan would likely hurt school employees more than children, that doesn't matter, when a bomb goes off at school, most parents don't consider the details).
The plan seems flawed
I hope so. As someone else replied, this is just one example of thousands that anyone who wants to can come up with on a few minutes notice. It would only take a little cash and a few people to carry out an attack like this.
What kind of idiot would use a memory system for a voting machine that can be written to more than once?
Election official installs the blank chip into the voting machine and locks it in. Voting machine inits the chip with its own GUID and the digital signature of the offical. Machine records votes onto the chip by buring out non-resettable fuse bits, and prints a human and machine readable paper ballot (verifed by voter) as backup. Election offical enters ID, machine finalized the chip with the ID and its GUID and burns out any unused bits. Chip now cannot be modifed in a way that will skew the vote.
What is wrong with recording votes onto write-once media (like fuse memory, burn out the bits you want unset, and use values that are mutually exculsive)? A physical chip that is inserted into each machine by election officals and sealed in with that holographic tamper-proof tape, then locked into the machines alarmed case, which cannot be opened until the election official tells the machine to finalize the media, which zeros out any remaining write space, so that it is physically impossible to change the media.
You still have software issues though, so you still have to print a human and machine readable paper backup ballot.
Maybe election officials should be required keep digitally signed copies of every set of ballot data that goes through their custody, so that there is a digitally signed chain of custody for every block of ballot data. So the weakest place would be during data recording, and that would be backed up with difficult-to-tamper-with paper ballots.
thats almost exactly the Mercuri system. User manipulates a control to cast their vote, system prints a ballot that is human and machine readable, user verifies that the ballot is correct, ballot is stored. Additionally, it is possible to give the user a receipt that can be used to verify that their vote was cast correctly, but without revealing what the vote was, which might be an important thing to put on the receipt.
Great, they can send me more URLs to vist.
In the short term I am not trying to receive less spam. I can do that with existing filters. I want spamers to put big, pretty, expensive-to-download graphics on their pages and send me the URLs.
Its extremely unlikely that I'll ever receive enough spam that it will impact my bandwidth to download their web pages, but they could certainly receive enough page views to kill all their profits and send them looking for new scams.
For the record, your information is false, most of the URL's in the spam I receive does not include any kind of unique ID. Extracting the URLs from about 10,000 messages that have been sent to my email address (spam from newsgroup harvesters and Hotmail spam), very few have anything that resembles a unique ID.
There are some obvious reasons for this. Spaming is all about doing as little work as possible to reach as many email addresses as possible. Including unique IDs in every URL would of course be insane. Blocks of addresses could identified, but thats not particularly useful. Spammers don't really care what individual addresses are live. They harvest fresh addresses constantly, and autogenerate common addresses. Offloading email to open relays saves even more time, with no penalties for bad addresses.
It should not be a surprise to anyone reading slashdot that given a social security number and ...
Heck, just a social security number by itself will give a pretty good idea of where and when the person was born (issued the number actually, but thats frequely the same).
If 25 telcos happen to be sharing the same 'pipe' of fibre, it may not be a terrorist that breaks that connection... regardless of who severs that line, it ain't good for the telcos -- and the telcos should be using his data to reduce risks.
Whats sad is that the guys down in the bowels of the IT department already know this problem exists, probably along with dozens of other single points of failure, but middle managment won't spend or can't get the money to fix it, and won't tell upper management because it would make them look bad.
Its a little more serious than you make it out to be, but it would take a well organized attack to cause really life and economy threating problems.
Electrical power is an obvious one. One evening with a few cases of dynamite and a map like the one in the article could cause widespread power outages for several days in a medium sized city. Concurrent attacks against water supplies and shipping routes (take out highway bridges and their alternates coming into the city), and the inconvienance is compounded and makes for serious disruptions.
At this point you would have severly reduced capacity for power and water, and it would be difficult to truck supplies and repair equipment in. Do it during hot weather so its uncomfortable for people to be outside, and throw in a few bombings and sniper attacks, and you could really get people in a panic.
Of course you can't be completely immune to these sorts of attacks, but its important to know how to handle them. Nearly all emergency response is set up to deal with accidental or small scale emergencies, not deliberate infrastructure attacks. Strategy and training for larger failures would be a good thing.
This seems like a simple exercise in paranoia to me.
I agree. Particularly since it has already been shown that terrorists can choose and utterly destroy a high-profile target.
If a terrorist wanted to really upset things now, they'd next show that Anytown, USA was also vulnerable. Three days, three teams each with a van, 500 childrens lunchboxes with a timebomb inside the thermos and a road trip past small town schools in east, west and central USA should do it.
You are not safe at work, you are not safe at school, panic.
at a rather large bank, the vault was accessed by an elevator that had no security controls whatsoever
So how much did you make?
Exactly why I'm working on a tool that works with outlook express and mozillas email client that pulls web url's out of my incoming spam and spiders the pages once a day.
Not very high usage, so false positives in the spam are not a problem, and not an obvious DOS attack from an identifiable IP, so difficult to block at the web site. It just removes some of the asymetry that spammers enjoy and forces them to pay for what they do in the only way I can make them pay.
See my previous posts for more details.
This is exactly why I have written my latest program. Its simple. My mail gruns through POPFile a filter system that adds a spam header to my email's subject lines. Using an Outlook Express filter I sort those messages into a 'spam' folder. Very simple.
Next I parse Outlooks DBX file and read the messages, decode them, and run the bodies through a regex to extract everything that looks like a web URL and save it to a data file (removing dups).
Every day the datafile is fed to a program that spiders each URL, downloading every file it can find on that site (up to a sane and reasonable limit). If false positives get in the list, no harm is done, because I'm not DOSing the site, just running through it once.
Thats it. My intent is not to attack the spammers server. It is not to consume more bandwidth than is reasonable for a single user. My intent is to force the spammer to pay a fair cost for advertising to me. This removes the only advantage spam has over other advertising, the asymetrical aspect.
Do not do the spammers work for him, filtering yourself out of the result set. Eat a little of his bandwidth for each message he sends you.
I intend to release this tool with processors for outlook's DBX files and hopefully something for mozillas mail (which I understand has its own spam filter built in). Hopefully someone will think its a good idea and build a similar system for linux. Should be easier for linux than for windows, given the tools available.
because it's not being reproduced and distributed
Ha! You are streaming it to him over a public distribution medium in analog format!
If you made your friend a copy of the CD and gave it to him, *then* you'd be guilty of infringement.
Actually, as I understand copyright laws in the US, thats legal. They hammered that stuff out back with cassette tapes. The problem is when you start giving copies to anyone that asks (and they don't get a cut of the sales from the distribution medium).
I wonder what exacly makes something a public performance? If I have a 72" HDTV outside on my deck, and I decide to watch a movie with the sound turned up to 11, is that a public performance?
Easily circumvented by distributing more files across more hosts. I regularly download the same file from over a dozen seperate hosts so I can use my ~3Mbit downstream bandwidth to get large files in a reasonable time.
It will require more storage space, but that hardly seems like a problem with the way HD's are going.
I'm not copying it, they are
I suppose you could argue that they are initiating the actual copy by activating software running on your computer (be it p2p software, an ftp server or a publically accessable SMB/NFS share), but I think it would be hard to argue that you were not distributing the files. Either way, its a very fine distinction that I think would be lost on most people.
Hmm, I can see that being an interesting problem. Instead of worms installing IRC bots, they'll install p2p services that work like freenet. What kind of legal defense would that give you?
most bookstores and other merchants account for "shrink" from theft, so why doesn't the RIAA?
Seems like consumers are accounting for 'swell' from monopolistic behaviour by adjusting the amount of goods they get for a given price.