I'd have to say that while this scenario isn't out of the question, it's probably unlikely. How many spams do you get each day, and are the envelope sender addresses valid? In my case, I get 100 or more spams per day across my various boxes and typically all of them are from forged senders. If my ISP were mining the addresses of people who sent me mail, they'd have gigs of bogus email addresses by now.
The same goes for outbound email recipients, if there's any truth in numbers. I have the AOL screen name "File," and a lot of AOLers seem to believe that CC'ing their email to "File" is supposed to save a copy to their local drive. I presume this habit comes from some email client somewhere but after years of receiving such misdirected email I haven't been able to figure out which one. (If only these people knew what they were sending to a real person, instead of to their local "File!") Anyway, I skim almost all of the mail I receive on that box - thousands a month, 99% of which are accidental carbon copies - and you should see some of the email addresses that people are sending email to:
"www.jimbob@example.com" "JIM BOB @ EXAMPLE.COM" "jim bob example com @www.com" "mailto:jimbob@example.com"
It never ceases to amaze me; there really are a lot of clueless folks out there who truly don't know how the heck to format an email address. IMO, it would be a waste to attempt to mine the recipient addresses on outbound mails, since (from what I see) so many of those addresses are bogus.
I signed up for the site with a spamtrap address (just in case) and didn't check it recently. Totally forgot about the Meetup until I saw the story posted here, by then it was too late. D'oh! Reading over the comments, it sounds like 7 was a good turnout, I'll have to mark next month's on the calendar.
Funny thing is though, he's right! As anoying as it is, as much as I hate to admit it, spamming isn't really illegal anywhere yet.
There's a hole in this argument. In fact, there are twenty-five holes in the US alone, making it nearly impossible to send spam to a list of any size without violating the law somewhere. Half of our 50 states have laws which either prohibit spam outright or require some/all types of spam to conform to specific rules. In several states it's even illegal to create or distribute spamming software.
Spamming is illegal in quite a few places. The problem is that in most of those places, the remedy available to victims is too small for individuals to bother pursuing, and the laws are never used by state AGs to initiate criminal proceedings. In my state I'm entitled to collect $10 for every spam I receive which violates the law (no forged headers, must have valid contact information, must be properly labeled, etc). I get hundreds of such spams every week; if it were really possible to collect any money from the spammers, I'd be retired.
I wish the laws worked. They don't, and I'm not sure that they ever will; even if all 50 states had them, and even if a federal law were enacted. The pro spammers will move (as in physically expatriate) to China, Korea, or any number of other countries where their ill-gotten gains could buy them an extravagant lifestyle, and resume operations outside the reach of spam laws.
Shaun
Re:CIA sponsored software - prior to 9/11...
on
Triangle Boy Lives
·
· Score: 2
The CIA had their fingers into this software prior to 9/11 - I wonder what logs they are looking at nowdays...:(
I think you've got it backwards. To me that quote infers that the CIA is going to use anonymizing proxies, not monitor them, log them, or take them down... And indeed, the secondary headline for that article is: "Triangle Boy will let agents surf Web anonymously." The article goes on to mention that "the CIA will use the technology primarily to protect the anonymity of its own employees as they go about their jobs."
The only thing that bothers me is the idea that the CIA is just now learning about and considering open proxies:)
Clarke spoke to reporters as well as government and corporate officials to announce government-wide standards for securing Microsoft's Windows 2000, the most commonly used operating system for government and corporate computers.
The Pentagon, the National Security Agency and other private and government organizations devised the standards.
The NSA's security recommendations for Win2K have been available to the public for some time now. See here. They've also published security guides for NT and Cisco routers, as well as "best practice" suggestions for dealing with email and executables, see here. Yes, that's really an NSA site; I don't know why it's not hosted where you'd expect it to be.
The "announcement" of the Netsys list's creation was spammed to everyone who's posted to BugTraq lately. Let's see: unsolicited, bulk, advertising something, and sent to email addresses scraped from a webpage or mailing list. In my world, that's spam. What's worse, the list's owner - Len Rose from Netsys - said that people who were unhappy about the spam were "lunatic diehards". He then proceeded to tell one of them in particular to, quote, "FOAD."
I don't trust a spamming pompous ass to run a security list any more than I trust Symantec to do it. I'm sorry, but Netsys really dropped the ball on this one; I'm not about to hand my email address over to them.
What amazes me about the spam fight is how much it has led people to promote the idea of punishing the innocent in order to get at the guilty.
That's the rub, though; some of us don't see the "innocents" as innocent at all. Non-spamming customers of a spam-friendly ISP are paying money to that spam-friendly ISP, and thus supporting the spam-friendly ISP. That's not really innocent in my book.
People who would have fought with vigour against punishing the innocent in other fields seem willing to give it up, in of all places, the free speech question of who can email whom.
It isn't a free speech question. The internet is not owned by the government, my mail server is not owned by the government, blocklists are not operated by the government (at least not any that I'm aware). Thus the "free speech" argument doesn't apply. These are private servers owned by private companies and individuals who are free to make their own rules. Having your host or IP range placed onto a blocklist doesn't magically prevent you from sending email; someone on the other end has to willingly implement that blocklist, the intended recipient has already made the choice that they don't want to hear from you. So long as it's not the government doing the implementing, free speech is a red herring.
Yikes. We are willing to let murderers go to make sure we don't punish the innocent. Yet for some reason spam makes people think it's OK to trample on the free speech rights of the innocent to get not a murderer, but a spammer.
Murder is a crime. Murderers are often punished by being thrown in jail for life, or even executed in some places. There's absolutely zero room for false positives or collateral damage when it comes to these punishments. I think a comparison between murder and spam is a bit severe, especially at a point where spamming itself (ignoring common side effects like potentially criminal abuse of open relays, etc) is not a crime in many places. And again, it's not a free speech issue.
Since you mentioned murder, I'll add my own parallel to offline crime. When a strip club is caught offering "escorts" (wink) to customers who request them, what happens? Around here, the entire strip club is shut down. Law-abiding customers get caught up as "collateral damage" since they can't visit that club anymore. They wind up having to find a new shake joint, one that isn't a party to prostitution. While this analogy, too, is a bit tangential to the spam problem, I think it's a bit more in line with what blocklists accomplish. If you're using an ISP who proudly pimps for spammers, don't be surprised if the place is shut down (either in a literal sense, or an "I can't email anyone anymore" sense) and you have to find a new one.
The most common justification is the canard that it's not about speech it's about property. Problem is all use of the internet involves using somebody else's property. On the internet there is no speech without the use of other people's property, and thus no unsolicited communication without the unsolicited use of somebody else's property. This makes it very tough to solve by thinking of it as a property issue.
I don't find it tough at all. My server, my rules, I'll accept mail from whomever I want and I'll refuse mail from whomever I want. I don't receive legitimate communications from China or Korea so I don't see a need to accept mail from those places. I do get legitimate email from AOL, so (perhaps begrudgingly) I have to accept their traffic. You're free to do the exact same thing, suited to your own requirements. Where's the problem?
PacBell is going to be hit with a $27 million fine for "incorrectly billing" between 30,000 and 70,000 users
Suppose it was 30K users, the fine works out to $900 per user. Suppose it was 70K users, the fine works out to $386 per user. Suppose the median is a viable figure, at 50K users the fine works out to $540 per user. So who gets all this money? According to the article,
If approved, the $27 million would go to the state's general fund.
And I'm sure the state's general fund is going to reimburse everyone who was overbilled, or outright fraudulently billed for services they never received? Yeah, right:
Pacific Bell, part of SBC Communications in San Antonio, agreed to give customers a $25 credit or one-month of free DSL service
if it makes similar billing errors in the future.
Once again, the consumer takes it up the ass. PacBell has to pay $27 MILLION DOLLARS to the state, who will undoubtedly use the money for the war on drugs, purchasing unnecessary Oracle licenses, or some similar "laudable" cause; but PacBell doesn't have to pay the overbilled customers jack unless it happens again. The improperly billed customers get no legal recourse, aside from fighting PacBell for the charges on their own. Wonderful.
Color me unimpressed. Hey, California, how about standing up for your citizens instead of your own coffers?
The problem with current p2p networks is that the database is constantly churning. It's not like the web, where data is relatively stable. Two identical searches performed within minutes of each other will return different results. The problem, of course, is that polling the network with these huge searches inflicts a massive bandwidth cost.
And to add to this (excellent) point, even where the content may be fairly stable, the IP addresses aren't. Several times I've inherited the IP of someone who's been using P2P stuff, and each time I wind up getting hammered on Gnutella and Kazaa ports for hours - sometimes days - as a result of my predecessor's filesharing. (And even if I fire up a Gnutella servent so that inbound download requests get answered with "Not Found," the fscking servents don't care and will continue to hammer away as if the file might magically appear on my HD... But that's another rant altogether.)
So you might have a user who always shares the exact same files, and as such his "node" is static and the content is always available from him... Though if he gets a new IP address every time he reboots, any stored listing of his shared files will quickly become outdated.
I'm not sure a random crawler would be too effective for this application. It does work for network mapping, and I believe Limewire has been doing it for some time. In order to compile a reasonably accurate list of files, though, such a crawler would need to either a) purge any entries more than an hour or so old, or b) constantly verify the validity of each result. Choice a) would give us a listing that's no more accurate than what the network's own search functionality provides, and as you mentioned, choice b) would consume an enormous amount of bandwidth. Neither option seems too appealing.
Maybe if IPv6 ever kicks in, and IPs are reasonably static across the board, such a crawler might work; at least half of the problem would be solved.
>I'm not sure what you mean. Do you really think >P2P networks aren't just "plain old HTTP?"
I think he's referring to the propensity of the masses to use the term "website" to describe anything internet related. When Napster was in the news, you'd always hear the media calling it a "music-swapping website" when they should have been calling it a music-swapping program. Napster's website didn't swap anything, it was the program that did the swapping.
All that said, you're right; many P2P apps do use the HTTP protocol for file transfers (though that doesn't make "website" any less of a misnomer when referring to them). Gnutella file transfers, for example, are pure HTTP.
Unsettling signs of al Qaeda's aims and skills in cyberspace have led some government experts to conclude that terrorists are at the threshold of using the Internet as a direct instrument of bloodshed.
Fortunately, Sprint Nevada has absolutely no holes in their network! The claims that an attack would take place in Las Vegas on July 4th are clearly bogus;)
That's a ridiculous suggestion. I've purchased hundreds of products and services online over the past few years and I've only had a single instance of fraud (someone got my number and racked up over $600 in charges from Victoria's Secret of all places). Considering the number of times I've given out various credit card numbers online, versus a single incident of fraud, I'd say that avoiding online shopping is going seriously overboard.
There's a more fundamental problem with anonymous P2P networks, which is that there's no reward for good behavior, and no social penalty for bad behavior. Putting up a decoy song is just one example of antisocial behavior.
Personally, I think this is much more of an advantage than a problem, because no single group gets to decide what is or isn't "antisocial!"
Putting up a real song is antisocial behavior in the eyes of the RIAA. Putting up a copy of DeCSS is antisocial behavior in the eyes of the MPAA. Putting up a copy of satanic literature is antisocial behavior in the eyes of most Christians. Putting up a picture of a female statue with -::gasp:: breasts! - is antisocial behavior in the eyes of Herr Ashkroft. But on a P2P network, the "majority" doesn't rule; if you want to share material, you're free to do so and anyone is free to find and download it.
As an example, one of the things that normally stops child pornography from getting too popular is that people are embarrassed to look at it, and will express strong social disapproval of anyone who makes it or uses it.
Situations like this are the reason that I'm using the word "majority" in quotes. I suppose that people who enjoy child pornography don't go around admitting that in public, if questioned they would denounce it just as those who don't enjoy it; thus even the consumers of this material become a part of the "majority" that disapproves of it. Drug use is similar; time and time again we hear stories about anonymous doctors and lawyers who slip out onto the back porch for a joint every night, but would never speak out about it, so they fall into the so-called "majority" who oppose marijuana legalization. My point here is that the "majority" may not be so major at all, but merely a perceived majority; as a direct result of the social penalties you mention. Are you sure you want such stigmas extended to P2P networks?
P2P in its current state isn't perfect, and there will always be time wasted downloading something that isn't what you think. But I'd rather that, than trust some "majority" I don't know to determine what content should or shouldn't be available on the network. The idea of.*AA issuing payola to people who vote down real MP3s and vote up the fakes doesn't sound too far-fetched to me. I'd rather weed out the chaff on my own.
Sigh. This, I suppose, is what happens when Slashdot keeps stories in the queue too long:
2002-03-30 10:12:57 The Wayback Machine, friend or foe? (askslashdot,news) (accepted)
At the time, I was having severe problems getting in touch with anyone at The Wayback Machine. Yes, their site makes it quite clear how to have your site removed. Yes, I placed the appropriate entry in my robots.txt files. Yes, I submitted my sites for exclusion. Then nothing happened. After emailing them several times with a list of domains I'd prefer to have removed from the archive, I got a reply back saying they should disappear by the end of the following day. No go.
That's all changed. They've got the kinks worked out, as best I can tell, and have begun obeying robots.txt files. They weren't so diligent about it three months ago, or I wouldn't have gotten ticked at 'em.
BTW, my submission was edited in at least one place: I don't capitalize the word "SPAM," as the capitalized version is Hormel's trademark. (Maybe my submission was combined with someone else's; hard to remember what I wrote 3 months ago.)
Everything else I'd say has already been said, I wish I'd noticed the story sooner.
One of my favorite shortcuts in bash/csh is !$ which is expanded to the last argument you typed on the previous command line. If you often issue multiple commands on the same argument, e.g. to manipulate the same file several different ways, this can save you a ton of keystrokes.
I also find myself using this shortcut when I'm tracking down spam:
Beats typing the argument over and over - especially when it's long - and it's faster than hitting the up-arrow and editing the previous command. Hope someone finds this useful, I've already pulled a few great tips out of this thread myself.
Had you, or the editors of Slashdot, actually taken the time to read the bill you would have discovered that it only prohibits falsification of the information with the intent to defraud
I don't see how that narrows things down any. Intent to defraud who, and how so? That's not explained. Intent to get a domain for free by using someone else's credit card? It doesn't say that. Intent to hide who's behind 0daywarez.com by putting 31337 Cherry Lane in the WHOIS database? It doesn't say that. Intent to avoid getting junkmail postcards from competing registrars and webhosting companies? It doesn't make an exception for that.
The current language allows the courts to interpret "intent to defraud" any way they like. If this bill passes, I guarantee you that the first prosecutor to land a case in court will be claiming that entering false information is intent to defraud. And if I were the courts, I'd buy it. After all, when you type the fake information in, you know it's fake and you're doing it intentionally, presumably to prevent others from knowing who really owns the domain.
IANAL, nor am I the courts. Nor do I like this bill. I own a lot of domains and I don't want my full name and address available to the general public anywhere, much less in the WHOIS database.
>hasn't there been an IE variant to do this for quite a while?
No, but I believe Opera will do this; keeps your taskbar from getting so cluttered. Oh, and only Outbreak Express has variants, I think they still measure IE in revisions;)
While this law is cool, I wouldn't say MN has a clue. They are forcing everyone to pay for our new stadium by the imposition of a "sin tax".
I know this is roving off-topic, but it's worth the karma hit. For anyone who's concerned with their state politics, and especially for anyone living in a state that wants to raise sin taxes, please read this.
I don't know how Minnesota is faring financially, but my home state of Tennessee is broke, really broke. We have no state income tax, and several of the state legislators are trying to change that, but nobody wants it and the chances of a state income tax passing are about the same as the chances of Microsoft open-sourcing Windows. Zip, zero, nada.
So what's the alternate proposal? Sin taxes, of course. "Tax the people who buy cigarettes." "Tax the people who buy beer or liquor." I honestly don't understand why people like me (who smoke and drink) should have to bail the state out of debt. The fact that I smoke and drink does not mean that I have contributed to the state's debt any more than any other individual. Likewise, I should not be held any more responsible for our problems than anyone else. I don't support a state income tax, but if it's that or sin taxes, give me an income tax. At least that's spread equally among all residents.
I'm in Memphis, about 30 minutes from a ton of casinos in Tunica County, Mississippi. There are countless thousands of Tennessee dollars being spent (and lost) in Mississippi casinos every month. That money goes straight to MS. If TN would enact a state lottery, at least some of the casino money would stay in-state, and those who live further away from the casinos for a trip there to be convenient would buy lotto tickets instead, all of which would help to put us in the black... But it'll never happen, because we're in the middle of the bible belt. The Baptists won't let Tennessee have a lottery, because it's a "sin." And they seem to think the only way to bail the state out of debt is to tax "sinners" (aka smokers, drinkers). It bothers me to no end that the religious right feels they have no responsibility and that all the "sinners" should carry the state's financial weight.
Raising taxes for smokers/drinkers and nobody else is just as inappropriate as raising taxes for African-Americans and nobody else, or raising taxes for men only, or raising taxes only for people who own more than 1 acre of land. Just because I smoke Camels and drink Bud doesn't mean I should have to finance the state. Sin taxes are discriminatory.
Some of your state government representatives smoke, and some if not all of them enjoy a drink now and then. If you're living in a state that's considering raising "sin" taxes (since when is it the government's business to tax or regulate "sins" and believe me the government representatives call them "sin taxes" just like anyone else) please write your representatives - both your state legislature and your representatives to US Congress - and explain your distaste. Quote the previous paragraph in your letter.
I don't know much about DOCSIS and DHCP, so if that's where the issue lies, my comments are probably off-base. However, I have to wonder if perhaps the spike you're noticing is the result of some popular program's "auto-update" feature, or spyware phoning home en masse. Many programs set themselves to do updates at certain times of day, and assuming most of your customers' computers have their system clock set within a reasonable amount of variance, it might be something benign.
For example, all the Macs on my network are set to query Apple's network time server at midnight daily. And on my Windows machines, Windows Media Player is set to check for updates weekly. The amount of traffic involved in either example should be minimal, but you never know what's borked. There was a story here recently about some versions of Windows and MacOS causing too much DNS traffic, so it could even be something at the OS level.
Is this a recent phenomenon? Brilliant Digital said they were going to activate their leechware in May, and May is now more than half-over. Maybe they've flipped the switch and all your users with KaZaAaAaAaA are now sending uberpackets to BD at predetermined times.
Are there any specifics as to where the traffic is destined? Is the traffic burst from all of the nodes going to the same host, or to the same port on multiple hosts? Are ports 25 or 119 involved? There's been a fairly nasty Hipcrime attack (usenet sporgeries) over the past few days, and spam is always a problem; both of these abuse broadband relays as much as possible. Lots of possibilities, I guess - would help to get some more details, if they can be provided.
Shaun
How to Cancel AOL.. The 5-Minute Method
on
Disconnecting
·
· Score: 2
Here's how to cancel your AOL account in 5 minutes or less. Just follow these three easy steps:
1. Press Control-M to compose a new email. Address it to "TOSGeneral." In the subject and body of the message, type the first few four-letter words that come to mind.
2. Send the email message.
3. As soon as you get bumped, sign back on. Repeat steps 1-3 several times.
Your account will probably be terminated for "fraud" (i.e. they'll suspect that you had your password stolen) but it's easier than spending an hour on hold;)
Sounds to me, like you're defending or covering up for people who make sexual assaults on kids. Just by claiming that the assaults aren't valid. You sir are a pervert.
No, I'm not a pervert, I'm a Young Adult(tm). I'm 22 and I was a minor just 5 years ago. While 5 years might seem like ancient history to some, it isn't to me. I vividly remember the girls I dated and talked to when I was underage; and I remember the conversations I had with some of them. Let's just say that some of the chats were less than innocent. I'll admit to making sexual remarks without solicitation, but the girls made the same kind of comments to me. It's called flirting. And while I'm not exactly up on the high school scene today (vice principals are checking girls' panties now!?) I can't imagine that it's too much different.
You have to put this in perspective. Suppose you're a 16 year old girl. Suppose someone asks you, "have you ever received an unsolicited sexual comment while chatting online?" Suppose your parents raised you to answer truthfully. If you were IMing your [boyfriend|guy friend you like] yesterday and he told you that he wanted to lick you up and down, you'd answer "yes" to the survey question, even though his comment may have been perfectly OK by you. Even though you may have told him about a similar desire before he said that.
"Unwanted sexual solicitation" does not equal pervert, it does not equal adult, it does not equal predator, it does not equal pedophile. This is how surveys get skewed... By not asking the right kinds of questions. A more appropriate question would have been "have you ever been approached sexually by an adult online?"
I'm not defending anyone, and I'm certainly not defending adults who go after kids, either online or off. What I am tired of, and have been tired of for some 6 or 8 years, are the ideas that:
kids are stupid and must be sheltered
kids can't think for themselves or decide who to talk to (or not talk to)
underage == incompetent
anyone over 18 who talks to anyone under 18 about anything is a pervert, because nobody over 18 could possibly have friends who are under 18
the government has to protect kids from conversations with adults
A lot of my animosity in this regard dates back to the time when I was remote staff for AOL, and AOL issued an edict stating that remote staffers could not talk to anyone underage, period. As that rule was worded, remote staff weren't even allowed to have conversations with minors offline; not even their own kids. What if a child was approached by a pervert on AOL, and sought out a Host or Guide to help deal with the problem? If the remote staffer acted in accordance with AOL's policy, he'd close the message (since he's not allowed to talk to minors) and leave the child to fend for himself. Some protection. I was not AOL remote staff for long after.
I'm not a kid anymore, but I still remember being one. And I still remember being pissed that the government assumed I couldn't think for myself, that I couldn't ignore the random idiot who IM'd me asking if I wanted to get my dick sucked. A random sexual solicitation - even if it is from an adult - is not something that should invoke horror in the minds of parents, assuming the parents have done their job!
The occasional stories about Jane Q Minor accepting bus tickets from some pervert, those stories are as much the parents' fault as the pervert's fault. And yes, I seriously believe that. My parents raised me well enough to know when someone was trying to take advantage of me, they raised me well enough to know what is and isn't appropriate. Perhaps more parents should be as involved.
Laws are not the answer, especially when they're based upon bad survey questions and bad stats. It's a good thing IMO that the conclusion of this hearing was that no further legislation is needed.
19% had "received an unwanted sexual solicitation" (imprecisely defined) but only 3% had been solicited with "attempts or requests for offline contact" or actual offline contact. And precisely 0 of the 1,501 children said they had been sexually contacted or assaulted due to online solicitations.
These stats are both good and bad. While I'm happy to hear that none of the kids surveyed had been contacted sexually, I have to wonder about the 19% who received an "unwanted sexual solicitation." That phrase conjures up images of 50-year-old pedophiles, just like CNN and the local news hope for. It gets parents agitated and concerned, and it's good for the ratings. But let's get serious. How many of those "unwanted sexual solicitations" were more along the lines of:
Billy12345: Hey Jenny, do you have the answer to homework question #4?
Jenny12345: No I haven't done my homework yet.
Billy12345: Well what if I came over to your place and gave you the answer.. and maybe gave you a kiss too..
Parents - and the general public at large alike - please keep in mind that "unwanted sexual solicitation" is not representative of "sexual predators" much less "perverts" or "pedophiles." The unwanted sexual solicitations these kids are getting could very well be from classmates, not random perverted strangers.
Shaun
Re:That only answers half the question...
on
The Story of "Nadine"
·
· Score: 3, Informative
Is there an existing tool to automate the conversion of the collected spam-trap mail into denials of future mail deliveries (and perhaps also to purging of still-enqueued letters to real addresses earlier in their mailing list order)?
That I don't know. I do know that several blocklists, including the well-regarded SPEWS, use their own personal spamtraps to develop their lists of who's spamming. To the best of my knowledge, SPEWS translates their spamtrap mailboxes to their blocklist manually, not automatically; this assumption comes from several SPEWS errors, including one a few days ago which erroneously blocked a large portion of the internet (64.x.x.0/24 - 4.x.x.0/24).
I've never investigated the details, as I don't have the bandwidth to host my own publicly available blocklist. I would if I could. I contribute to the proxy.relays.osirusoft.com blocklist, but that's only because people don't hit me directly for the queries.
Better yet: It could also modify the behavior of the SMTP server so it spawns a (limited nubmer of) "sticky TCP connection" child process to hang the spammer's bulk-mailing tool. Deploy a bunch of these puppies around the net and spamming becomes impractical once the spammer's mailing list has acquired a few addresses on spam-trapping sites.
If I'm thinking what you're thinking, these are known as "teergrubes" which is the German word for "tarpits." A spammer connects, and his spamware becomes trapped in several hundred SMTP connections which don't close, but instead transfer something on the order of 1 byte per minute. The spamming program gets hopelessly hung up in sockets that won't close, preventing his machine from opening more connections. A lot of people who run SMTP relay honeypots also run them as "teergrubes."
But why doesn't someone do this deliberately? That is, create a domain for the sole purpose of receiving spam only, and automating a banned email list to other servers.
This is already a fairly widespread practice, though there's no need to use a special domain just for that purpose, or to keep that domain secret. In fact, you want the spamtrap to be quite public, otherwise spammers aren't going to find it. All you need is a dedicated mailbox - even a freebie Hotmail account - to create your own spamtrap. Seeding the spamtrap is simple, and can be done using any or all of the following methods:
Post "test" posts to a few newsgroups, I suggest alt.test and alt.business.multi-level, using your new spamtrap address as the From and Reply-To address. (Technically, test posts are not appropriate in alt.business.multi-level, but if you want a fast track to spam, that's the place to go.)
Visit the "remove" links in spam you already get at your existing mailboxes, and type your spamtrap address into the remove box. If you have the time or patience, you can do the same thing with spam which contains a remove address instead of a link; send remove requests from your spamtrap. Removal is spammerspeak for opting in, so this will grow your spam collection quickly.
Embed a mailto link to your spamtrap address on a couple of webpages you control. Make the mailto visible only to web-scraping robots by linking to a 1x1 pixel black image file in place of a period on your page; human viewers will see it as a period, harvesting programs will see it as fresh meat.
Whatever you do, don't give your spamtrap address to anyone for legitimate email, and don't sign up for anything using that address. If you follow those two guidelines, every single message that mailbox receives is guaranteed to be spam. This will give you the ability to archive, auto-report, etc. the incoming mail without fear of false positives.
Slashdot Mirror
I'd have to say that while this scenario isn't out of the question, it's probably unlikely. How many spams do you get each day, and are the envelope sender addresses valid? In my case, I get 100 or more spams per day across my various boxes and typically all of them are from forged senders. If my ISP were mining the addresses of people who sent me mail, they'd have gigs of bogus email addresses by now.
.COM"
The same goes for outbound email recipients, if there's any truth in numbers. I have the AOL screen name "File," and a lot of AOLers seem to believe that CC'ing their email to "File" is supposed to save a copy to their local drive. I presume this habit comes from some email client somewhere but after years of receiving such misdirected email I haven't been able to figure out which one. (If only these people knew what they were sending to a real person, instead of to their local "File!") Anyway, I skim almost all of the mail I receive on that box - thousands a month, 99% of which are accidental carbon copies - and you should see some of the email addresses that people are sending email to:
"www.jimbob@example.com"
"JIM BOB @ EXAMPLE
"jim bob example com @www.com"
"mailto:jimbob@example.com"
It never ceases to amaze me; there really are a lot of clueless folks out there who truly don't know how the heck to format an email address. IMO, it would be a waste to attempt to mine the recipient addresses on outbound mails, since (from what I see) so many of those addresses are bogus.
Shaun
I signed up for the site with a spamtrap address (just in case) and didn't check it recently. Totally forgot about the Meetup until I saw the story posted here, by then it was too late. D'oh! Reading over the comments, it sounds like 7 was a good turnout, I'll have to mark next month's on the calendar.
Shaun
Spamming is illegal in quite a few places. The problem is that in most of those places, the remedy available to victims is too small for individuals to bother pursuing, and the laws are never used by state AGs to initiate criminal proceedings. In my state I'm entitled to collect $10 for every spam I receive which violates the law (no forged headers, must have valid contact information, must be properly labeled, etc). I get hundreds of such spams every week; if it were really possible to collect any money from the spammers, I'd be retired.
I wish the laws worked. They don't, and I'm not sure that they ever will; even if all 50 states had them, and even if a federal law were enacted. The pro spammers will move (as in physically expatriate) to China, Korea, or any number of other countries where their ill-gotten gains could buy them an extravagant lifestyle, and resume operations outside the reach of spam laws.
Shaun
The only thing that bothers me is the idea that the CIA is just now learning about and considering open proxies
Shaun
Shaun
The "announcement" of the Netsys list's creation was spammed to everyone who's posted to BugTraq lately. Let's see: unsolicited, bulk, advertising something, and sent to email addresses scraped from a webpage or mailing list. In my world, that's spam. What's worse, the list's owner - Len Rose from Netsys - said that people who were unhappy about the spam were "lunatic diehards". He then proceeded to tell one of them in particular to, quote, "FOAD."
I don't trust a spamming pompous ass to run a security list any more than I trust Symantec to do it. I'm sorry, but Netsys really dropped the ball on this one; I'm not about to hand my email address over to them.
Shaun
Since you mentioned murder, I'll add my own parallel to offline crime. When a strip club is caught offering "escorts" (wink) to customers who request them, what happens? Around here, the entire strip club is shut down. Law-abiding customers get caught up as "collateral damage" since they can't visit that club anymore. They wind up having to find a new shake joint, one that isn't a party to prostitution. While this analogy, too, is a bit tangential to the spam problem, I think it's a bit more in line with what blocklists accomplish. If you're using an ISP who proudly pimps for spammers, don't be surprised if the place is shut down (either in a literal sense, or an "I can't email anyone anymore" sense) and you have to find a new one. I don't find it tough at all. My server, my rules, I'll accept mail from whomever I want and I'll refuse mail from whomever I want. I don't receive legitimate communications from China or Korea so I don't see a need to accept mail from those places. I do get legitimate email from AOL, so (perhaps begrudgingly) I have to accept their traffic. You're free to do the exact same thing, suited to your own requirements. Where's the problem?
Shaun
Heidi's there, alright; your browsing skills just aren't up to par. Does this, uh, ring a bell? :)
Shaun
Color me unimpressed. Hey, California, how about standing up for your citizens instead of your own coffers?
Shaun
So you might have a user who always shares the exact same files, and as such his "node" is static and the content is always available from him... Though if he gets a new IP address every time he reboots, any stored listing of his shared files will quickly become outdated.
I'm not sure a random crawler would be too effective for this application. It does work for network mapping, and I believe Limewire has been doing it for some time. In order to compile a reasonably accurate list of files, though, such a crawler would need to either a) purge any entries more than an hour or so old, or b) constantly verify the validity of each result. Choice a) would give us a listing that's no more accurate than what the network's own search functionality provides, and as you mentioned, choice b) would consume an enormous amount of bandwidth. Neither option seems too appealing.
Maybe if IPv6 ever kicks in, and IPs are reasonably static across the board, such a crawler might work; at least half of the problem would be solved.
Shaun
>I'm not sure what you mean. Do you really think
>P2P networks aren't just "plain old HTTP?"
I think he's referring to the propensity of the masses to use the term "website" to describe anything internet related. When Napster was in the news, you'd always hear the media calling it a "music-swapping website" when they should have been calling it a music-swapping program. Napster's website didn't swap anything, it was the program that did the swapping.
All that said, you're right; many P2P apps do use the HTTP protocol for file transfers (though that doesn't make "website" any less of a misnomer when referring to them). Gnutella file transfers, for example, are pure HTTP.
Shaun
Shaun
That's a ridiculous suggestion. I've purchased hundreds of products and services online over the past few years and I've only had a single instance of fraud (someone got my number and racked up over $600 in charges from Victoria's Secret of all places). Considering the number of times I've given out various credit card numbers online, versus a single incident of fraud, I'd say that avoiding online shopping is going seriously overboard.
Shaun
Putting up a real song is antisocial behavior in the eyes of the RIAA. Putting up a copy of DeCSS is antisocial behavior in the eyes of the MPAA. Putting up a copy of satanic literature is antisocial behavior in the eyes of most Christians. Putting up a picture of a female statue with -
Situations like this are the reason that I'm using the word "majority" in quotes. I suppose that people who enjoy child pornography don't go around admitting that in public, if questioned they would denounce it just as those who don't enjoy it; thus even the consumers of this material become a part of the "majority" that disapproves of it. Drug use is similar; time and time again we hear stories about anonymous doctors and lawyers who slip out onto the back porch for a joint every night, but would never speak out about it, so they fall into the so-called "majority" who oppose marijuana legalization. My point here is that the "majority" may not be so major at all, but merely a perceived majority; as a direct result of the social penalties you mention. Are you sure you want such stigmas extended to P2P networks?
P2P in its current state isn't perfect, and there will always be time wasted downloading something that isn't what you think. But I'd rather that, than trust some "majority" I don't know to determine what content should or shouldn't be available on the network. The idea of
Shaun
That's all changed. They've got the kinks worked out, as best I can tell, and have begun obeying robots.txt files. They weren't so diligent about it three months ago, or I wouldn't have gotten ticked at 'em.
BTW, my submission was edited in at least one place: I don't capitalize the word "SPAM," as the capitalized version is Hormel's trademark. (Maybe my submission was combined with someone else's; hard to remember what I wrote 3 months ago.)
Everything else I'd say has already been said, I wish I'd noticed the story sooner.
Shaun
I also find myself using this shortcut when I'm tracking down spam:Beats typing the argument over and over - especially when it's long - and it's faster than hitting the up-arrow and editing the previous command. Hope someone finds this useful, I've already pulled a few great tips out of this thread myself.
Shaun
The current language allows the courts to interpret "intent to defraud" any way they like. If this bill passes, I guarantee you that the first prosecutor to land a case in court will be claiming that entering false information is intent to defraud. And if I were the courts, I'd buy it. After all, when you type the fake information in, you know it's fake and you're doing it intentionally, presumably to prevent others from knowing who really owns the domain.
IANAL, nor am I the courts. Nor do I like this bill. I own a lot of domains and I don't want my full name and address available to the general public anywhere, much less in the WHOIS database.
Shaun
>hasn't there been an IE variant to do this for quite a while?
;)
No, but I believe Opera will do this; keeps your taskbar from getting so cluttered. Oh, and only Outbreak Express has variants, I think they still measure IE in revisions
Shaun
I don't know how Minnesota is faring financially, but my home state of Tennessee is broke, really broke. We have no state income tax, and several of the state legislators are trying to change that, but nobody wants it and the chances of a state income tax passing are about the same as the chances of Microsoft open-sourcing Windows. Zip, zero, nada.
So what's the alternate proposal? Sin taxes, of course. "Tax the people who buy cigarettes." "Tax the people who buy beer or liquor." I honestly don't understand why people like me (who smoke and drink) should have to bail the state out of debt. The fact that I smoke and drink does not mean that I have contributed to the state's debt any more than any other individual. Likewise, I should not be held any more responsible for our problems than anyone else. I don't support a state income tax, but if it's that or sin taxes, give me an income tax. At least that's spread equally among all residents.
I'm in Memphis, about 30 minutes from a ton of casinos in Tunica County, Mississippi. There are countless thousands of Tennessee dollars being spent (and lost) in Mississippi casinos every month. That money goes straight to MS. If TN would enact a state lottery, at least some of the casino money would stay in-state, and those who live further away from the casinos for a trip there to be convenient would buy lotto tickets instead, all of which would help to put us in the black... But it'll never happen, because we're in the middle of the bible belt. The Baptists won't let Tennessee have a lottery, because it's a "sin." And they seem to think the only way to bail the state out of debt is to tax "sinners" (aka smokers, drinkers). It bothers me to no end that the religious right feels they have no responsibility and that all the "sinners" should carry the state's financial weight.
Raising taxes for smokers/drinkers and nobody else is just as inappropriate as raising taxes for African-Americans and nobody else, or raising taxes for men only, or raising taxes only for people who own more than 1 acre of land. Just because I smoke Camels and drink Bud doesn't mean I should have to finance the state. Sin taxes are discriminatory.
Some of your state government representatives smoke, and some if not all of them enjoy a drink now and then. If you're living in a state that's considering raising "sin" taxes (since when is it the government's business to tax or regulate "sins" and believe me the government representatives call them "sin taxes" just like anyone else) please write your representatives - both your state legislature and your representatives to US Congress - and explain your distaste. Quote the previous paragraph in your letter.
Please.
Thanks,
Shaun
I don't know much about DOCSIS and DHCP, so if that's where the issue lies, my comments are probably off-base. However, I have to wonder if perhaps the spike you're noticing is the result of some popular program's "auto-update" feature, or spyware phoning home en masse. Many programs set themselves to do updates at certain times of day, and assuming most of your customers' computers have their system clock set within a reasonable amount of variance, it might be something benign.
For example, all the Macs on my network are set to query Apple's network time server at midnight daily. And on my Windows machines, Windows Media Player is set to check for updates weekly. The amount of traffic involved in either example should be minimal, but you never know what's borked. There was a story here recently about some versions of Windows and MacOS causing too much DNS traffic, so it could even be something at the OS level.
Is this a recent phenomenon? Brilliant Digital said they were going to activate their leechware in May, and May is now more than half-over. Maybe they've flipped the switch and all your users with KaZaAaAaAaA are now sending uberpackets to BD at predetermined times.
Are there any specifics as to where the traffic is destined? Is the traffic burst from all of the nodes going to the same host, or to the same port on multiple hosts? Are ports 25 or 119 involved? There's been a fairly nasty Hipcrime attack (usenet sporgeries) over the past few days, and spam is always a problem; both of these abuse broadband relays as much as possible. Lots of possibilities, I guess - would help to get some more details, if they can be provided.
Shaun
Shaun
You have to put this in perspective. Suppose you're a 16 year old girl. Suppose someone asks you, "have you ever received an unsolicited sexual comment while chatting online?" Suppose your parents raised you to answer truthfully. If you were IMing your [boyfriend|guy friend you like] yesterday and he told you that he wanted to lick you up and down, you'd answer "yes" to the survey question, even though his comment may have been perfectly OK by you. Even though you may have told him about a similar desire before he said that.
"Unwanted sexual solicitation" does not equal pervert, it does not equal adult, it does not equal predator, it does not equal pedophile. This is how surveys get skewed... By not asking the right kinds of questions. A more appropriate question would have been "have you ever been approached sexually by an adult online?"
I'm not defending anyone, and I'm certainly not defending adults who go after kids, either online or off. What I am tired of, and have been tired of for some 6 or 8 years, are the ideas that:
- kids are stupid and must be sheltered
- kids can't think for themselves or decide who to talk to (or not talk to)
- underage == incompetent
- anyone over 18 who talks to anyone under 18 about anything is a pervert, because nobody over 18 could possibly have friends who are under 18
- the government has to protect kids from conversations with adults
A lot of my animosity in this regard dates back to the time when I was remote staff for AOL, and AOL issued an edict stating that remote staffers could not talk to anyone underage, period. As that rule was worded, remote staff weren't even allowed to have conversations with minors offline; not even their own kids. What if a child was approached by a pervert on AOL, and sought out a Host or Guide to help deal with the problem? If the remote staffer acted in accordance with AOL's policy, he'd close the message (since he's not allowed to talk to minors) and leave the child to fend for himself. Some protection. I was not AOL remote staff for long after.I'm not a kid anymore, but I still remember being one. And I still remember being pissed that the government assumed I couldn't think for myself, that I couldn't ignore the random idiot who IM'd me asking if I wanted to get my dick sucked. A random sexual solicitation - even if it is from an adult - is not something that should invoke horror in the minds of parents, assuming the parents have done their job!
The occasional stories about Jane Q Minor accepting bus tickets from some pervert, those stories are as much the parents' fault as the pervert's fault. And yes, I seriously believe that. My parents raised me well enough to know when someone was trying to take advantage of me, they raised me well enough to know what is and isn't appropriate. Perhaps more parents should be as involved.
Laws are not the answer, especially when they're based upon bad survey questions and bad stats. It's a good thing IMO that the conclusion of this hearing was that no further legislation is needed.
Shaun
Billy12345: Hey Jenny, do you have the answer to homework question #4?
Jenny12345: No I haven't done my homework yet.
Billy12345: Well what if I came over to your place and gave you the answer.. and maybe gave you a kiss too..
Parents - and the general public at large alike - please keep in mind that "unwanted sexual solicitation" is not representative of "sexual predators" much less "perverts" or "pedophiles." The unwanted sexual solicitations these kids are getting could very well be from classmates, not random perverted strangers.
Shaun
I've never investigated the details, as I don't have the bandwidth to host my own publicly available blocklist. I would if I could. I contribute to the proxy.relays.osirusoft.com blocklist, but that's only because people don't hit me directly for the queries.
If I'm thinking what you're thinking, these are known as "teergrubes" which is the German word for "tarpits." A spammer connects, and his spamware becomes trapped in several hundred SMTP connections which don't close, but instead transfer something on the order of 1 byte per minute. The spamming program gets hopelessly hung up in sockets that won't close, preventing his machine from opening more connections. A lot of people who run SMTP relay honeypots also run them as "teergrubes."
Shaun
- Post "test" posts to a few newsgroups, I suggest alt.test and alt.business.multi-level, using your new spamtrap address as the From and Reply-To address. (Technically, test posts are not appropriate in alt.business.multi-level, but if you want a fast track to spam, that's the place to go.)
- Visit the "remove" links in spam you already get at your existing mailboxes, and type your spamtrap address into the remove box. If you have the time or patience, you can do the same thing with spam which contains a remove address instead of a link; send remove requests from your spamtrap. Removal is spammerspeak for opting in, so this will grow your spam collection quickly.
- Embed a mailto link to your spamtrap address on a couple of webpages you control. Make the mailto visible only to web-scraping robots by linking to a 1x1 pixel black image file in place of a period on your page; human viewers will see it as a period, harvesting programs will see it as fresh meat.
Whatever you do, don't give your spamtrap address to anyone for legitimate email, and don't sign up for anything using that address. If you follow those two guidelines, every single message that mailbox receives is guaranteed to be spam. This will give you the ability to archive, auto-report, etc. the incoming mail without fear of false positives.Shaun