Sure, baseball bats and nuclear weapons are fun, but there are probably more productive things to do the spammer groups, if perhaps less satisfying.
Can we take the lists of available machines and feed them to block lists?
Can we take the lists of available machines and shut them down, either by using their backdoors to grab the "off" switch or by notifying their ISPs?
Has anybody written a program that pretends to be an exploitable machine, but really traces the connection or silently eats the email it's asked to forward, runs a slow teergrube, etc., and can infiltrators start spreading those lists around to the real spammers?
What other poisoned data can you think to give spammers?
Can the infiltrators invite other infiltrators to join?
How many of these attacks would the spammers be bright enough to notice? Would they be organized enough to deploy detection attacks?
Once a couple of anti-spammers get into one of these clubs, can they go conspire to invite other anti-spammers, or "trusted" writers of "31337" spamware products which leak out useful information (e.g. it does send the spam but it also sends a message to Spamhaus with the IP address and to Vipul's Razor with the message signature?)
Some spammers do make their money retailing the junk they advertise to suckers. They typically make their money by marking up junk, though if the products don't work, they have to find new suckers every month.
Many spammers make their money by selling advertising service to retailers by promising to deliver eyeballs which can be turned into sales, but don't handle delivery of the product. Sometimes they're getting paid a commission, so they make money if and only if they're successful at attracting suckers to the retailer's products or websites - whether that's pills or pr0n.
But for many other spammers, the sucker is the retailer who's expecting to get high-quality sales leads, rather than the spammees. Retailers who've learned from the experience usually don't provide repeat business, or at least not without changing the price structure to only pay for actual sales.
And many spammers make money from fraud. Besides the currently popular Nigerian 419 and the pump&dump stock scammers, there's the old-fashioned pyramid game in its many guises. That used to be more popular than it is today, but it still seems to work. One variation on this is selling spamware to wannabee spammers.
Iotashan - Thanks for posting the GIF! I see they also have another number to call to remove yourself (or to Slashdot...)
I don't see Flamingo Travel's name in there anywhere, but I'm guessing they've got multiple versions of their spam ad. There's some stuff scrawled down the side which I can't read in the fax - I'm guessing that it's whatever fax machine headers they're doing? Is it legible?
It's still a bit annoying, because they've got to discard a bunch of 1-bits, but it's not the same as running their fax machine empty of toner overnight, leaving a stack of black paper, and running them out of toner. With typical paper fax machines, you can run them out of paper in ~100-200 pages, and at speeds of 10 pages/minute, that'll take you 10-20 minutes, rather than tying up the phone all weekend.
After all, unlike spam, where the big cost is wasting the time of the recipients, fax spam has direct costs to the recipient, such as paper and toner, as well as risking running the recipient's fax out of paper or toner overnight, preventing them from receiving real faxes. That was especially annoying back when most faxes used thermal paper (expensive) or other special paper, and it's annoying now if your fax machine uses inkjet printing (expensive ink.) And that's why junk fax laws got passed long before email spam laws - you can credit Spamford with both of them:-)
Without a copy of the original spam fax, it's hard to know exactly what to say to these spammers to get their attention. Do they want you to call them or fax them? What are they advertising? Did the fax have an ostensible originating fax number? (Faxing black pages to their voice line isn't all that useful:-)
OK, it's obvious how to implement this with paper faxes, but you _should_ be able to do more interesting things with fax-modems....
And they're almost certainly receiving the fax on a fax modem, so sending lots of black bits just uses up jpeg space, not human attention. You really want to send them lots of faxes that _look_ like they're real requests, so humans need to waste time reading them.
Phone calls from the UK to the US have gotten very cheap these days - the typical telephone card you buy from a convenience store was under 5 cents per minute for US to UK five years ago, so I assume that high-volume business minutes are close to 2-3 cents, not much different from calling within the US. So it could be cheap.
However, spammers always lie - if they're using an 800 number, there's a high probability that it really _is_ in the US, and they're just claiming to be in England to make you go away. Or the 800 number could be going to a VOIP box in the US which connects them to a call center in the UK. So trace the call - at least with callerid, if nothing else (though that's often inaccurate) and see if you can find out where it's from. If the call is coming in on a direct analog phone line, you can also use one of the phone company features like *69 or your local telco's call tracing versions to check further.
As long as the voter has an opportunity to verify that their printout was correct, it's ok if almost everybody is lazy and doesn't bother. The computer system will prevent most of the mistakes that happen when humans try to put ink on stuff (e.g. enforcing rules against choosing more than one candidate in a race, or N candidates in an N-seat race, or making black marks that don't quite line up with the blanks on the form), and can remind the voter if they left some offices blank.
If you want to use human readers to verify that the ballots were being read correctly by the machines, that probably has some occasional value, but it really _is_ helpful to have the computer print out the ballot.
Bad survey design is _so_ common. Sure, their survey showed whether people think smoking is good, but did they remember to ask _what_ people wanted to smoke?
Here in San Francisco, you can't smoke tobacco at the local music halls. But it's a health regulation, not a fire department regulation, so rock concerts still have plenty of smoking, and it smells a lot better than that nasty tobacco stuff.
An asbestos sandwich wouldn't be particularly dangerous, any more than a similar quantity of other indigestible fiber. Asbestos air freshener, on the other hand, would be a seriously bad idea, especially if you smoke.
However, the problem isn't just that the public maybe uninformed - they're usually misinformed as well, and industries like Diebold certainly want to keep them that way.
State and local election officials like this stuff because the Feds voted billions of dollars in FREE MONEY for them to buy the machines if they call before midnight tonight! And no, they didn't realize that they were going to be under extreme scrutiny; they were pretty much blind-sided by it, because all the election officials grabbed for the money real fast, before the computer security crowd noticed what an incompetent scam the stuff they were buying was, and much of the negative press has happened precisely because the stuff had serious problems after it was deployed. Apparently lots of politicians were surprised that computer people overwhelmingly distrust this stuff - after all, we're the folks who keep telling them that computers are cool and that they ought to buy more of them.
John82's point that elections officials don't want to be the next ridiculed Florida Elections Commission is appropriate also, but a big factor is that the Republicans in Congress and the Bush Administration wanted to be perceived as "Doing Something" to fix the big embarassment that they came into office with. (Oh, and also the Diebold folks were big Republican contributors, so they of course wanted to help out their friends.)
One big advantage of competently designed electronic voting machines is accessibility for blind people, which is a real problem with most voting systems. This lets the election officials help out blind people, and others with limited sight or hand-eye coordination (e.g. old people.)
Re:American opinion is no measure of truth
on
Evoting in the News
·
· Score: 3, Funny
No, no, Truth and Science in America are Republican! Just ask Rush Limbaugh....
..
BTW, one reason that Ireland rejected electronic voting machines is that the "Change the vote to Republican when nobody's looking" feature was only tested in America, and it doesn't accomplish the same thing in Ireland....
Don't worry. According to the article, "NASA says it won't hit for at least the next six centuries." So there's enough time to let Bruce's nanotech-built clones make "Die Hard 300" before they need to go asteroid-hunting again. Well, ok, at least for _this_ asteroid...
"Think of it as Evolution in action." The first couple of years of the DotCom boom were partly about exploring new technology, and partly about learning the value of different advertising models, since many of the companies were funded based on the unknown value of eyeballs, clickthroughs, banners, transient coolness-factor and brand loyalty creation, or on the ability to provide services to implement those. (The other main model, which had a much bigger impact on the world, was using the low cost of communications to disintermediate traditional distribution channels and reintermediate other channels.) The advertising models that were explored included counting banner impressions, counting clickthroughs, and counting actual sales - all of them have some value, and the lower-value services were easier to count and bill for, but harder to measure the effectiveness of and thus harder to price accurately, and they were also easier to fake if you were a rip-off artist. One reason clickthrough is a common price element is that it's a closer approximation to measuring real customer interest, and banner impressions are fuzzier as well as easier to fake.
Yes, it's usually unscrupulous, but if the ad banner companies get customers to pay them by the clickthrough, and don't provide adequate mechanisms for the customer to know whether they're cheating them, and the customer doesn't insist on contractual provisions and technical terms to know whether their ad service is cheating them, then it's pretty much guaranteed that there will be firms out there whose real business plan is based on suckers being born every minute. (And yes, I realize I just said that customers have to depend on their advertising services to provide many of the tools to detect whether or not they should trust them, and that that's pretty dodgy.)
Another occasional user of such services is evil third parties - companies that run their competition out of business by swamping their ads with clickthroughs and running up huge charges, though that's much more likely to use scripts and bots than to pay humans to do the work, since the benefits are only indirect, plus they want to hit their victims hard and fast, while greedy admongers want to inflate the hit rates slowly enough that they're believable. Similarly, evil third-party ad banner companies may want to drive their ad-banner competitors out of business, and creating large bogus bills that drive away customers is an obvious way to do that, since it trashes the ad company's reputation whether the end customer pays them or not. This was a more popular attack on banner-impression sales than clickthroughs, again because it was much easier to fake.
The methods used for clicking banners and the methods used for detecting fraud evolve together. If easy scripts can do the job, somebody will pound on them fast and hard and they'll die, and this used to happen a lot. So there's some complexity that needs to be built in, but a lot of it is economics - the cost of paying Americans and West Europeans and Japanese to click on banner ads is high enough that it's not a very cost-effective way to rip off your customers, compared to the amount of work it would take to simply do a better job of advertising. But if you can outsource it to parts of the world where the wage scale is much lower, and you can still avoid getting caught, maybe you can get away with it for a while - Darwin takes out overly virulent parasites, but parasites that aren't greedy enough to kill off their hosts can sometimes do pretty well.
How do you detect this sort of thing if you're a customer? Well, you need marketing people who can do a good evaluation of the effectiveness of their marketing campaigns (you need them anyway, sinc e you need to make sure your ad banners or annoying popups or search engine keywords or snail-mail CD-ROMs are attracting enough customers to pay for themselves), and you need engineers to help your marketing people measure and correlate the sources of clickthroughs and any sales that might result and optionally try to detect cheating, and you need some business managers (possibly the marketing folks) to check on the reputations of the advertising companies, and you need some lawyers to help you with the contracts.
Send one to Scott Richter, too
on
Robosaurus
·
· Score: 1
Your post advocates a ( ) technical ( ) legislative ( ) market-based (X) vigilante approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)... Specifically, your plan fails to account for... and the following philosophical objections may also apply:.... (X) Feel-good measures do nothing to solve the problem (X) Killing them that way is not slow and painful enough
You're missing another converse
on
Spammer Sues SpamCop
·
· Score: 4, Insightful
Pathetic wacko sues company while representing himself, or using one of those cheapo ambulance-chaser lawyers who advertise on late night cable TV channels, because he feels his hair dryer shouldn't have exploded when simply plugged into the wall 10 feet away from the shower, or because he feels that emitting toxic carcinogens from burning plastic is not usual behaviour for a minor appliance. And he loses, because he doesn't have adequate legal representation to go against the company's $5million legal staff.
In a loser-always-pays system, if he sues them and fails, he loses big, so he can't risk suing them even when he's right, because he doesn't have the resources to be 99% sure of beating them, and he knows that they can generate near-infinite legal costs that he'll have to cover. This seriously chills lawsuits by little guys against big companies.
In today's system in the US, he can risk suing them, because if he does at least a halfway-adequate job of making his case, the judge probably won't award legal costs to the winner. On the other hand, if he does try a case that's obviously pretty bogus and frivolous, he'll probably have to pay their legal costs, unless his case is _so_ bogus that it gets thrown out very early in the process, long before getting to trial.
whois moosq.com reveals that moosq.com belongs to OptInRealBig. I've gotten about 200 spams from them this week (if I'm not double-counting any in my logfiles.) Mostly you'll find it in the From: line of the spams, either as in a short address or else in a long name string that encodes your email address in it. You can ENHANCE YOUR (filter's) PERFORMANCE by including it. My logfile summaries don't show if that's part of the envelope header or not; you may just need to filter on it after the message arrives, but at least you don't need to read the mail yourself.
Using Discovery in lawsuits to nail plaintiff
on
Spammer Sues SpamCop
·
· Score: 1
So the alleged spammer sues you for alleging that the spam he sends was actually spam, because you must have opted in to one of his customers. That means that the names, web sites, and contact information of all his customers are obviously relevant to the lawsuit, so you subpoena them as part of discovery process, and similarly, since the spammer alleges that your tortistically interfering with his contracts, those contracts that were allegedly interfered with are obviously part of the case. And the names of all his businesses that you're allegedly interfering with are germane, so you can discover them too. And the mechanisms that the spammer uses for delivery, such as the IP addresses he sends mail from, and the ISPs he contracts with that your alleged libel might be interfering with, they're part of the relevant facts also. Get them all, and publish them all. And then there's the list of ISPs who've rejected his email, allegedly because of your allegedly libelous interference, with the specific IP addresses and dates that he attempted to send messages to, and the messages that he was attempting to send. The mere fact that he'd be giving ISPs the details they need to sue him for spamming them and their customers shouldn't stop that from being part of the discovery, because after all, he's claiming that these messages weren't spam, so he shouldn't mind if anybody knows he sent them.
Oh, and then there's his list of email addresses that really have opted in, which you're alleging that he's spamming - they're certainly part of an affected class of users who might want to sue him later. That's a little tougher to use, because how are you going to contact them all? Send them bulk email?:-) But you could do something like putting up a web page with a "Check if I'm on the list" query.
Getting your honeypot address published is ok
on
Spammer Sues SpamCop
·
· Score: 2, Informative
It's really ok to have an address like that get published. If more spammers start sending it spam, that's more entries for your spam filter tables, more IP addresses and sender domains you can blacklist, more hashes to feed Razor with, etc. If it gets flooded too heavily, you may have to kill it off and replace it with another address. On the other hand, if it becomes sufficiently well-known among spammers that this address is a honeypot that they actually stop selling it to each other, you can also get another address, and meanwhile, maybe your spam load will go down a bit.
I mean, wasn't the address 'canned-spiced-meat-products@example.com' a bit obvious anyway?:-)
Scanning for compromised nodes is an aggressive and dangerous activity. But the compromised nodes you care about are already scanning you (like Soviet Russians) so you're safer just scanning the machines that contact you with spam or viruses. It's still Not Recommended, and it's somewhat susceptible to Joe Jobs if not done carefully, but there are days that it's got some appeal. Mostly you ought to feed the results to blacklists.
Some of the viruses leave easy-to-locate proxies or back doors, which let anybody just take over the infected machine. But others, perhaps most, use some sort of password protection or polymorphism to hide their activities, so you can't just hand them a better payload to work with, like LILO or FORMAT C: or ROUTE -F. They may still leave the original Windows weakness unpatched, or they may close it, though appallingly many of the weaknesses are located between the keyboard and the chair - mail the user another picture of dancing penguins and you can install whatever you want. (Doobie doobie doo...)
How many of these attacks would the spammers be bright enough to notice? Would they be organized enough to deploy detection attacks?
Once a couple of anti-spammers get into one of these clubs, can they go conspire to invite other anti-spammers, or "trusted" writers of "31337" spamware products which leak out useful information (e.g. it does send the spam but it also sends a message to Spamhaus with the IP address and to Vipul's Razor with the message signature?)
Many spammers make their money by selling advertising service to retailers by promising to deliver eyeballs which can be turned into sales, but don't handle delivery of the product. Sometimes they're getting paid a commission, so they make money if and only if they're successful at attracting suckers to the retailer's products or websites - whether that's pills or pr0n.
But for many other spammers, the sucker is the retailer who's expecting to get high-quality sales leads, rather than the spammees. Retailers who've learned from the experience usually don't provide repeat business, or at least not without changing the price structure to only pay for actual sales.
And many spammers make money from fraud. Besides the currently popular Nigerian 419 and the pump&dump stock scammers, there's the old-fashioned pyramid game in its many guises. That used to be more popular than it is today, but it still seems to work. One variation on this is selling spamware to wannabee spammers.
I don't see Flamingo Travel's name in there anywhere, but I'm guessing they've got multiple versions of their spam ad. There's some stuff scrawled down the side which I can't read in the fax - I'm guessing that it's whatever fax machine headers they're doing? Is it legible?
After all, unlike spam, where the big cost is wasting the time of the recipients, fax spam has direct costs to the recipient, such as paper and toner, as well as risking running the recipient's fax out of paper or toner overnight, preventing them from receiving real faxes. That was especially annoying back when most faxes used thermal paper (expensive) or other special paper, and it's annoying now if your fax machine uses inkjet printing (expensive ink.) And that's why junk fax laws got passed long before email spam laws - you can credit Spamford with both of them :-)
Without a copy of the original spam fax, it's hard to know exactly what to say to these spammers to get their attention. Do they want you to call them or fax them? What are they advertising? Did the fax have an ostensible originating fax number? (Faxing black pages to their voice line isn't all that useful :-)
Well, of _course_ I called them from my modem line, not that I bother connecting it to a modem these days :-)
And they're almost certainly receiving the fax on a fax modem, so sending lots of black bits just uses up jpeg space, not human attention. You really want to send them lots of faxes that _look_ like they're real requests, so humans need to waste time reading them.
However, spammers always lie - if they're using an 800 number, there's a high probability that it really _is_ in the US, and they're just claiming to be in England to make you go away. Or the 800 number could be going to a VOIP box in the US which connects them to a call center in the UK. So trace the call - at least with callerid, if nothing else (though that's often inaccurate) and see if you can find out where it's from. If the call is coming in on a direct analog phone line, you can also use one of the phone company features like *69 or your local telco's call tracing versions to check further.
If you want to use human readers to verify that the ballots were being read correctly by the machines, that probably has some occasional value, but it really _is_ helpful to have the computer print out the ballot.
Here in San Francisco, you can't smoke tobacco at the local music halls. But it's a health regulation, not a fire department regulation, so rock concerts still have plenty of smoking, and it smells a lot better than that nasty tobacco stuff.
However, the problem isn't just that the public maybe uninformed - they're usually misinformed as well, and industries like Diebold certainly want to keep them that way.
Well, if you're not sure your vote's being counted, you'll just have to solve the problem in the traditional manner, by voting early and often....
John82's point that elections officials don't want to be the next ridiculed Florida Elections Commission is appropriate also, but a big factor is that the Republicans in Congress and the Bush Administration wanted to be perceived as "Doing Something" to fix the big embarassment that they came into office with. (Oh, and also the Diebold folks were big Republican contributors, so they of course wanted to help out their friends.)
One big advantage of competently designed electronic voting machines is accessibility for blind people, which is a real problem with most voting systems. This lets the election officials help out blind people, and others with limited sight or hand-eye coordination (e.g. old people.)
..
BTW, one reason that Ireland rejected electronic voting machines is that the "Change the vote to Republican when nobody's looking" feature was only tested in America, and it doesn't accomplish the same thing in Ireland....
Don't worry. According to the article, "NASA says it won't hit for at least the next six centuries." So there's enough time to let Bruce's nanotech-built clones make "Die Hard 300" before they need to go asteroid-hunting again. Well, ok, at least for _this_ asteroid...
Yes, it's usually unscrupulous, but if the ad banner companies get customers to pay them by the clickthrough, and don't provide adequate mechanisms for the customer to know whether they're cheating them, and the customer doesn't insist on contractual provisions and technical terms to know whether their ad service is cheating them, then it's pretty much guaranteed that there will be firms out there whose real business plan is based on suckers being born every minute. (And yes, I realize I just said that customers have to depend on their advertising services to provide many of the tools to detect whether or not they should trust them, and that that's pretty dodgy.)
Another occasional user of such services is evil third parties - companies that run their competition out of business by swamping their ads with clickthroughs and running up huge charges, though that's much more likely to use scripts and bots than to pay humans to do the work, since the benefits are only indirect, plus they want to hit their victims hard and fast, while greedy admongers want to inflate the hit rates slowly enough that they're believable. Similarly, evil third-party ad banner companies may want to drive their ad-banner competitors out of business, and creating large bogus bills that drive away customers is an obvious way to do that, since it trashes the ad company's reputation whether the end customer pays them or not. This was a more popular attack on banner-impression sales than clickthroughs, again because it was much easier to fake.
The methods used for clicking banners and the methods used for detecting fraud evolve together. If easy scripts can do the job, somebody will pound on them fast and hard and they'll die, and this used to happen a lot. So there's some complexity that needs to be built in, but a lot of it is economics - the cost of paying Americans and West Europeans and Japanese to click on banner ads is high enough that it's not a very cost-effective way to rip off your customers, compared to the amount of work it would take to simply do a better job of advertising. But if you can outsource it to parts of the world where the wage scale is much lower, and you can still avoid getting caught, maybe you can get away with it for a while - Darwin takes out overly virulent parasites, but parasites that aren't greedy enough to kill off their hosts can sometimes do pretty well.
How do you detect this sort of thing if you're a customer? Well, you need marketing people who can do a good evaluation of the effectiveness of their marketing campaigns (you need them anyway, sinc e you need to make sure your ad banners or annoying popups or search engine keywords or snail-mail CD-ROMs are attracting enough customers to pay for themselves), and you need engineers to help your marketing people measure and correlate the sources of clickthroughs and any sales that might result and optionally try to detect cheating, and you need some business managers (possibly the marketing folks) to check on the reputations of the advertising companies, and you need some lawyers to help you with the contracts.
Oh, wait, you meant the RIAA wanted to use them, not that the RIAA needs to be visited by a dozen of them? Naah, just not the same thing at all....
On the other hand, Cory Doctorow's Spam Solution Form Letter unfortunately applies to you.
In a loser-always-pays system, if he sues them and fails, he loses big, so he can't risk suing them even when he's right, because he doesn't have the resources to be 99% sure of beating them, and he knows that they can generate near-infinite legal costs that he'll have to cover. This seriously chills lawsuits by little guys against big companies.
In today's system in the US, he can risk suing them, because if he does at least a halfway-adequate job of making his case, the judge probably won't award legal costs to the winner. On the other hand, if he does try a case that's obviously pretty bogus and frivolous, he'll probably have to pay their legal costs, unless his case is _so_ bogus that it gets thrown out very early in the process, long before getting to trial.
whois moosq.com reveals that moosq.com belongs to OptInRealBig. I've gotten about 200 spams from them this week (if I'm not double-counting any in my logfiles.) Mostly you'll find it in the From: line of the spams, either as in a short address or else in a long name string that encodes your email address in it. You can ENHANCE YOUR (filter's) PERFORMANCE by including it. My logfile summaries don't show if that's part of the envelope header or not; you may just need to filter on it after the message arrives, but at least you don't need to read the mail yourself.
Oh, and then there's his list of email addresses that really have opted in, which you're alleging that he's spamming - they're certainly part of an affected class of users who might want to sue him later. That's a little tougher to use, because how are you going to contact them all? Send them bulk email?
I mean, wasn't the address 'canned-spiced-meat-products@example.com' a bit obvious anyway? :-)
The alternative reference is something about "Restaurant at the End of the Unibus"
Some of the viruses leave easy-to-locate proxies or back doors, which let anybody just take over the infected machine. But others, perhaps most, use some sort of password protection or polymorphism to hide their activities, so you can't just hand them a better payload to work with, like LILO or FORMAT C: or ROUTE -F. They may still leave the original Windows weakness unpatched, or they may close it, though appallingly many of the weaknesses are located between the keyboard and the chair - mail the user another picture of dancing penguins and you can install whatever you want. (Doobie doobie doo...)