I have a copy of my work email redirected to my fastmail.fm account. I only access it using webmail/firefox.
The usual way people do it is using Outlook that is of course running over a Windows admin account. So what's safer: using a webmail service that defangs html before displaying it or using a client that's happy to do anything requested by an email message in an environment that allows it to alter the OS (and set so by the IT staff)? Not to mention that the usual mode of work is to receive MS Office documents from outside and open them (in an admin account, of course).
About 100% of employees using networked computers at work use an old P2P protocol called TCP/IP...
However, in most cases doing so is not in violation of IT policy, except perhaps technically if the people who recorded the policy in documents did not realize that the company's network infrastructure is actually based on P2P protocols.
> ... IMAP doesn't map well to gmail's style of doing things already
> ... Do you know if Google has any plans to develop a newer protocol...
I was hoping that when Gmail offers IMAP access they would implement "labels" through IMAP flags, and was very disappointed to see how they implemented it as "folders" (called "mailboxes" in the IMAP4 specification, and for a good reason). Messages with more than one label applied are just broken into multiple copies, and any attempt to use multiple labels to create some structure in the online email store or subfolders to create structure on the local store is flattened on the other side. As I recall there were several discussions of implementation of label/keywords/something of the sort in FastMail.FM forums, and a major reason that was mentioned (I guess by Rob) is that those IMAP clients that do have such a mechanism don't implement it in a consistent way (with each other), so it's quite impossible to implement a "labels" feature that would work with more than one major client.
If Gmail had chosen to implement labels so it would work with just one or a few mail clients, it would have pushed the standardization of this forward. The way Gmail has done it would not work smoothly for people who regularly apply multiple labels.
IMAP4 is quite an old standard, and I think we are in need of an "IMAP5" that would be more appropriate for people that use IMAP mailboxes as subfolders of a folder they consider as their "mailbox", and also want to be able to apply multiple labels and to search mail in multiple folders, things the present IMAP specification just doesn't have.
I have never received any spam with copyright notice except for the spam I regularly receive mentioning L. Ron Hubbard as copyright holder and claiming they are not affiliated and only have permission to distribute from the copyright holder.
But then perhaps I'm lucky. Do others regularly receive spam promoting other religions?
> Their government will NEVER think to make their own proxies
> and anonymous spam to catch users...
Isn't this exactly PHISHING? Creating a fake service and tricking people into thinking they are using the real service? Would the Chinese government stoop so low as to break their own law...
On the other hand, the Chinese government would have no problem blocking the "proxy spam" by blocking the source, unless the source is disguised using exploits (botnet, open proxy etc.) So the question becomes not if the end justifies sending spam but if it justifies breaking laws all over the world and stealing and exploiting third parties' resources.
> ... and once some of those computers go to class (or to sleep, for example,)
> take over the MAC address and ask for a new DHCP lease...
Is it really necessary to ask for a new lease? I thought one can just take over both the MAC address and the IP address and use it. Shouldn't be a problem as long as the other computer is off. (or just take the IP address. Behind my NAT router at home I just assign static IP addresses and they of course work as long as they are in the same subnet. When in the distant past I asked to use my own laptop in the (university) department network the helpdesk guy just told me to make up an IP address in the network and there should be no problem.)
If all ISPs block port 25 then botnet operators would program their zombies to use whatever email settings are there on the PC and send through the ISP's relay. As long as a few ISPs block port 25, sending directly is a better strategy for spammers. When the percentage of networks blocking port 25 would get higher than some threshold, sending through the ISP servers with whatever filtering it has would become a better option for the spammer and the spammer would switch. This would be much more problematic for ISPs: dealing with a massive amount of spam trying to get out of their servers (instead of directly) might overload their outgoing email services, would require huge resources in filtering outgoing mail, would create false positives with customers' legitimate outgoing mail being blocked on the way out.
So as much as blocking outgoing port 25 sounds nice and effective, it doesn't scale. On the other hand port 25 "sniffing" might be good, especially if it can lead to connecting the hijacked PCs to whoever uses them. But for this to work abuse fighters first need to abandon the idea that the most important goal is to catch the people that actually control the botnets. If a botnet is used to send spam on behalf of someone that paid someone else that hired yet another guy that paid a botnet operator for the service of using stolen resources then the one that provided the money for the operation should go to jail. And it's quite easy to determine who the advertiser is. So what's needed is to collect the data on actual spam messages going out of zombie PCs, choose those that are easier to locate, and put them in jail because they hired a criminal to work for them. If they can make excuses that they "didn't know" a crime is committed and without providing enough info to get the criminal then they should end up in jail. With just a few such cases there would be much less money flowing into spammers' pockets, and they'd be looking for another job...
Sometimes the food doesn't make it all the way to the back. Last time I flew Iberia I was seated in the back and when they got to our seat there was no food left. They apologized, promised that perhaps we can get some leftovers from the first class but we have to wait till they finished their meal. Actually the first class leftovers were quite good (or whatever they were - some kind of special meals...)
But then, perhaps not getting the airline meal is good...
> the recipient bears the majority of the cost
> (actually, the ISP does, in terms of increased
> bandwidth and storage requirements,...
Actually I did the math, and the costs in terms of bandwidth and storage are much much lower than the cost of the recipient's time.
"Just hit delete" is very expensive if you just multiply the few seconds it takes to read a bit of the mail and think just a little bit to make sure you don't delete real email.
Snail mail spam is not a real time waster for me because the time used to junk it is wasted time anyway. Most of it goes straight to the garbage can we have near the mailboxes for that purpose, and the rest of it to the other garbage can we keep next to the elevator. The time it takes to walk from the mailboxes to the elevator is usually enough, and is wasted time anyway. In addition most snailmail junkmail I see is actually quite targeted. That is, someone put some thought and money into trying to locate relevant audiences. Email spam is not sent to people. It is sent to strings that contain a "@". There is no effort to limit the sending to recipients that might be interested as it is cheaper to send globally than to research the market. Spam lets the market "research itself", and that's what's wrong with it. What should have been outlawed is the sending of bulk communications to lists of addresses (or "routing instructions") that are not positively identified with individuals.
Telemarketing is very annoying, in that it is actually harassment. It makes you get up and go to answer a phone, and when there's too much of it it robs you of the functionality of a phone as a means to call you in an emergency (it cannot be used in this way if most of the times you pick up the phone you find out it's commercial harassment). Anyway, with telemarketing the cost to the recipient (time it takes to get up and answer the phone, and the indirect cost of interfering in one's routine and in harassment) is much higher than the cost to the caller, of a single phone call, probably with great discount for bulk usage.
The real solution is to make the advertisers' costs higher, and the way to do it is to respond: use their 1-800 numbers to tell them their advertising is unwanted. Use their inquiry forms to force them to contact you to hear you're not interested (or just provide false info they have to follow because they have to find the real customers out of all the inquiries they receive). Bulk mail/telemarketing is built on the assumption of a low percentage of responses that are "high quality", i.e. that they only have to allot expensive resources (handling by a human) to whoever is going to purchase the service. The way to make this nuisance go is to respond negatively much more often, so that the costs of handling responses do not justify the campaign.
Botnet herders are there for the money, and spam is "good money". So most spam is sent using botnets and sending spam is the major income for botnet herders. See the very recent two-article series called "Botconomics" on Cnet: Part 1 (http://reviews.cnet.com/4520-3513_7-6748100-1.html), Part 2 (http://reviews.cnet.com/4520-3513_7-6749973-1.html).
Now the botnet herders might be hard to reach, behind multiple layers of proxies or whatever, and the money trail perhaps would not lead all the way to them, but stopping much of the flow of money can suffocate them, or at least keep them from growing. You cannot easily stop them from sending spam advertising illegal things like porn, gambling etc. But you can keep the big money out, and the big money is in legitimate businesses. If they can get away from being accused of crimes they paid to commit (using trojaned machines to send their spam) by saying they got the service on the internet from someone unreachable and unidentifiable then it's very bad. It's like someone who bought a stolen TV set going away unpunished because he says he bought it "from this guy in this van and there's no way he can identify the seller because the seller was wearing a mask". So if a business gets spamming services from an unidentifiable provider and it turns out it was sent using trojaned machines, that business owner should pay a price (jail time) because it's not much different from buying a TV set from a masked man in a van. If they can lead to the service provider then they might be able to claim that they have been tricked into buying this service. The spammer I am following has sold his services to legitimate businesses: big businesses that require their service providers to work legally, provide paperwork such as receipts that show that tax was paid etc. The spammer works openly and looks like a legitimate business. So the only problem is to get the data that can be used to prove the use of trojaned machines in a way accepted by a court of law (and statistics showing hundreds of spam messages coming from any corner of planet Earth that has some kind of internet connection is not enough, it seems).
So if a "luser" got trojaned, the thing to do is exactly what that journalist did: not panic, and see what evidence about the people abusing the computer can be retrieved from the computer. If they wanted your personal info stored on the computer they already got it by the time you found out you've been trojaned. You shouldn't store it openly on your PC anyway. A burglar can take the PC and then get the info out of the stolen PC. On the other hand a trojan that's part of a botnet has no interest in harming your PC. The trojan's interests are keeping a low profile and not being discovered so they can do their work. Lately some trojans have been seen to install anti-virus software on the machines they infected to keep out other (competing) malware. So it seems you do not have to worry too much about the damage a trojan will do to your computer nowadays, at least if you don't store sensitive information and have backups. You can watch what the trojan does and since it's there to be hired out to real people eventually you'd find out who hired it, and hiring it is just as illegal as controlling it, or at least should be illegal.
The IP address doesn't lead to the spammer. The IP address leads to the victim whose computer was infected by malware that allows a criminal (spammer or worse) to use the computer. The fact that 29% of the IP addresses used by a spammer (that was not US-based) were in the USA reflects the fact that approximately 29% of the computers the botnet operator managed to take over are in the USA. So you cannot just come to the PC owner and jail her.
But it doesn't mean that the US law authorities don't have an "advantage" in having 29% of the botnet US-based. It means that they can probably get physical access to enough machines to have hard evidence that can be used to get to the spammer. The problem as I described it is of how to enable the law enforcement people to get this info: how to let them get to the compromised machines in time to be able to watch them being abused, how to let people know they can help law enforcement catch the criminals that take their PCs over and make the process as smooth as possible, and how to cooperate across jurisdictions.
So somehow people should be educated that if their PC is found sending out spam and they are not the ones doing it, then they should not run and hide so they are not caught sending spam. Instead they should know they can cooperate by having the info on their infected machine available to law enforcement and be content that at least they contributed something that can help stop the criminals, just as they would if a burglar entered their house.
"A Turing machine with a black box, called an oracle, which is able to decide certain decision problems in a single step" (http://en.wikipedia.org/wiki/Oracle_machine)
The solution to the problem of bypassing Captcha tests was known before they were introduced, and is taught in almost any reasonable undergraduate textbook on computational models. Spammers just did their homework...
I would suggest 1 second in jail, for each single piece of spam, non-overlapping.
And I would suggest that the spammer be allowed to appeal (each term individually; that is, they would be able to opt out of being punished using the provided "removal mechanism").
Or perhaps they can even be provided with a release order, that they would have to find in a mailbox full of millions of pieces of spam. They would need to "just hit delete" for everything except the release order.
I have been following only one Israeli spammer, so my statistics are perhaps not as good as Spamhaus statistics, but out of 270 pieces of spam received over more than a year, sent by the same spammer using 268 different IP addresses in 40 different countries, 79 unique pieces of spam (29%) came from IP addresses of US providers. Western Europe (Spain, France, Germany etc.) came in second with 27%, Eastern Europe with 14.5%, South America with 13%, Middle East with 7% (within it 4% from Israel) and the Far East came last with 6% (about half from China, which is 10 times less than the USA). Details (alas, in Hebrew) are here: http://israblog.nana10.co.il/blogread.asp?blog=383074&blogcode=6741471 and the IP addresses themselves (webpage in Hebrew, but IP addresses and links to dnsstuff still usable) are here: http://israblog.nana10.co.il/blogread.asp?blog=383074&blogcode=5950596.
Now all this shows quite definitely that this spam operation is botnet-based, so can law enforcement get this spammer and put him in jail? I didn't think so, so for several months I have been asking ISPs to check and confirm that the machines are actually infected machines that are sending out spam without the owner's permission. Only one ISP replied. First reply said:
> I can confirm that I have other reports from this system, including what
> appears to be german stock pump spam.
Reply to my further inquiry said:
> It will take a few days. There's no way for sure to verify outside of asking the
> customer. However, we've not had any issues with this customer sending spam in
> the past. They are also located in a small rural town in Oklahoma. I will try
> and get the customer to report to me which viruses and trojans are removed by
> A/V supposing they don't reformat.
>
> I guess I'm saying that the spam is sent without their permission. I'm just not
> completely sure how to prove it.
and then:
> I'm not sure if the customer will get me the proper virus/trojan information,
> but I can attest to them being infected. They were caught scanning 137 and 445.
> They also had 2 open ports which were handing out binary code, most likely the
> payload of the virus.
>
> 5468/tcp open unknown
> 50507/tcp open unknown
>
> This machine is definitely compromised, we just don't know by what.
Now with this I went to the computer crime division of the Israeli police (and with the spammer's contact info - cellphone number, list of some of the spammer's customers, including publicly traded companies and a government agency, samples of spam with forged headers etc.) and they said they are not sure there's a lot they can do with it, but they will investigate to see if perhaps they can do something. In particular having the information that an abuse team of an ISP from another country says that it looks like an unknown virus is an indication, but practically they need someone that they can call to testify in a court, so what they really need is a local infected machine that they can actually check and link to the spammer (that is: they need evidence that can be brought to the court that this particular person accessed and used another person's PC and the other person can actually say it was without permission). They did ask me and I provided all the particular pieces of spam that were sent from local (Israeli) IP addresses.
This is an example of the problem faced by law enforcement: they need to establish a direct link between the abused machine and the abuser, and actually prove it was without permission. They cannot just say that using so many IP addresses shows that it is illegal. And there are many other hurdles, including definitions in the laws defining computer based cri
You are lucky! You actually got to contact support! (or something named "support").
When I tried to contact my bank's "internet support" about the email they sent being marked as a phishing attempt (because a link specified one domain and pointed to another) I never got through. Something in their support system was not functioning.
The email itself was really sent by the bank, to a unique address I gave them only they know, and the domain their email linked to was their domain (figuring that out required some DNS+whois detective work. More than one query).
Anyway, they seem clueless, and I wouldn't trust them in anything related to internet (though I do trust them with all my savings...)
Does this mean understanding what DNS is and how it works, what a web server and web client are and how they interact? Or does it mean just being acquainted with the metaphor of a website as a bunch of pages shown in a web browser that appear to be related to each other?
Judges make decisions that affect more than just the case they are considering, and making those decisions based on a description by an attorney of what the attorney comprehends as "being a website" which most often would have little to do with what a website is or what a website might be five years from now might very well lead to decisions that would complicate the future in unwanted ways.
The internet and the web are not just another fact of life. The internet is a universal communications medium and the web is a universal repository of information. Communications is converging into the internet and information is converging into the web as universal platforms, and all aspects of life become related to these technologies, because of their universality.
So I see a need that people such as judges and decision makers be more thoroughly educated about what these mean. They don't need to get to know the bits. They do need to get to know the concepts and the infrastructure so when they make decisions they are not just based on the superficial knowledge of what things look like (a website, a message etc.) but also on what they really are and how a decision about them can affect other related concepts.
I think legal minded people should know a bit on how it works behind the scenes, such as how there's a network of computers that have numbers, and tables that map names to these computers, how computers ask each other to send information, and how this information is constructed to create a metaphor of a website or an email message. Show them a few RFCs (such as the one that defines MUST, SHOULD etc. that they can relate to) so they understand there are standards working in a way quite similar to the laws they are enforcing, only they work to make computers get along with each other while laws work to make people get along with each other. Then they can make better decisions, or at least they can grasp Lessig's "Code".
I regularly follow one particular local (Israeli) spammer whose operation seems to be botnet-based. I report every single message received from that spammer using SpamCop (spamcop.net). Recently I started adding text asking the ISP that receives the notification to confirm if the sending IP address can be confirmed to be a spam sending zombie. I still haven't received any kind of response (I have also asked several times domain owners whose addresses were forged to confirm the addresses were used without permission and no one has ever replied).
So what do I have: hundreds of email messages, coming from almost the same number of IP addresses spread all around the world, and with email addresses in numerous domains that seem to be irrelevant to the advertised service. And not one can be positively confirmed to really be a zombie (or forged identity). So it's obvious it's a criminal spammer, but I doubt anything legal can be done using just the evidence that each message is sent using a different IP address in a different country, and practically all of these are in dynamic consumer broadband ranges (there was one instance I know of that is recorded on the web of someone whose domain was forged on spam by this spammer that had actually filed a complaint with the police and blogged about it, but AFAIK nothing happened).
So I know about an Israeli spamming operation. I know the spammer's cellphone number that is included in their self promotion messages. I have a list of many clients that have hired their services, including financial services, academic colleges, some IT companies, many others, and even one government agency (i.e., my tax money paid to a botnet operator to steal computing and network resources!) but I doubt if I can do much with it. I informed all the Israeli ISPs about this spammer. I know others are getting this spam. The ISPs could probably collect hundreds of thousands of spam messages and map the botnet, and provide all the evidence needed to put the spammer in jail for many years. Yet they haven't. So it seems they're not that interested.
There's a list of all the spam messages I received from this spammer including sending IP addresses and their geographic locations plus info identifying the advertisers for each spam message that I posted (in Hebrew; only the IP addresses and dnsstuff.com links are usable to non-Hebrew speakers) here: http://israblog.nana.co.il/blogread.asp?blog=383074&blogcode=5950596
> we need to come up with a solution that ensures safety for the user who don't have a clue...
Certainly! I don't expect my parents to fool around with addresses in their "own domain". What I think can work is the type of thing Sneakemail does: email is coming to sneakemail to an address that looks randomized. Sneakemail rewrites some headers, specifically the "From" and "To" headers, and then the recipient sees what Sneakemail put there, and that serves as a "seal" that tells you who sent it.
Now Sneakemail is not suitable for the general public "as is". It is componentised and you need some understanding of the inner workings to build what you want. But the concept works. It just needs a "dumbed down" UI that limits the user to what the user needs. So this sort of functionality can form the basis of a rather simple system that an ISP can provide to users, and from the user's point of view it would be that instead of giving the email address used for work/fun, the user gets a "secret encoded email address" to give to the bank, and the user knows that email coming to the bank first goes through the ISP and gets a "seal of approval", that the user learns how to recognize.
I think that financial institutions should adopt this model. If there's cooperation between servers and recipients (i.e. banks and email providers can agree on some protocol) then the RCPT address of SMTP that is the only component that cannot be arbitrarily forged can be used to create secure "SMTP channels" without changing the protocol. Only cooperation between the recipient and sender is needed to do it within the existing protocol. The only thing needed is for the financial sector to show some interest. Once the concept is adopted they have plenty of resources to develop additional tools around it (such as ways for communicating the "keys" from ISP to bank or any other security gadget they want to communicate so that the user can safely rely on ISP telling "this is OK").
The simple way to avoid phishing is to use the authentication that is built into SMTP.
SMTP has only one form of built in authentication: the email is sent to the recipient specified, and to no one else (that is to the envelope-recipient, aka RCPT, not the address in the "To" or "Cc" header field).
So the way to authenticate email that claims to be from your bank is not to use the same email address with your bank as with anyone else. Then email that comes to the address you provided to your bank is from your bank, and any other email that claims to come from your bank and was not sent to the address you provided to your bank is not from your bank.
Personally I gave my bank a sneakemail.com address. I gave another financial institution a unique address in my own domain. Both are good ways to authenticate the sender as long as no one else knows about the address.
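A client-side version of the check the two posts above describe (the Sneakemail "seal" and the per-correspondent secret address), written here as an added example and not taken from Sneakemail or any other product: the envelope recipient (here read from the Delivered-To header the receiving MTA adds) decides whether a message claiming to be from the bank is genuine, and the From header is only checked for agreement. The secret addresses, domains and messages are constructed for the example.

```python
"""Sender authentication by envelope recipient.

Each trusted correspondent is given its own secret mailbox address. A message
claiming to come from that correspondent is trusted only if it was delivered
to that address; the Delivered-To header stands in for the SMTP RCPT TO value,
which (unlike From) the sender cannot choose freely.
All addresses and messages below are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry: secret address handed out -> domain of the party it was given to.
SECRET_ADDRESSES = {
    "x7q2m-bank@example.net": "bank.example",
    "k9p4t-broker@example.net": "broker.example",
}

TRUSTED = "trusted"       # delivered to the secret address registered for the claimed sender
PHISHING = "phishing"     # claims a registered sender but arrived at some other address
LEAKED = "leaked"         # arrived at a secret address but from someone else: rotate the address
UNTRUSTED = "untrusted"   # sender not registered at all; this check makes no claim about it


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(raw_message: str, registry: dict = SECRET_ADDRESSES) -> str:
    """Classify a raw RFC 5322 message using only the envelope recipient."""
    msg = message_from_string(raw_message)
    # An MTA may add several Delivered-To headers (aliases, forwarding); any of them counts.
    delivered_to = {parseaddr(h)[1].lower() for h in msg.get_all("Delivered-To", [])}
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])

    hits = delivered_to & set(registry)
    if hits:
        # The secret address is the authority; From only has to agree with who was given it.
        owners = {registry[a] for a in hits}
        return TRUSTED if from_domain in owners else LEAKED
    if from_domain in registry.values():
        return PHISHING   # claims the bank's domain but did not come through the bank's address
    return UNTRUSTED


# Constructed sample messages (headers only matter for the check).
GENUINE = (
    "Delivered-To: x7q2m-bank@example.net\n"
    "From: Statements <notices@bank.example>\n"
    "To: customer@example.net\n"
    "Subject: Your statement\n\nBody\n"
)
PHISH = (
    "Delivered-To: customer@example.net\n"
    "From: Security <security@bank.example>\n"
    "To: customer@example.net\n"
    "Subject: Verify your account\n\nBody\n"
)
LEAK = (
    "Delivered-To: x7q2m-bank@example.net\n"
    "From: Deals <promo@shop.example>\n"
    "Subject: Offer\n\nBody\n"
)
PLAIN = (
    "Delivered-To: customer@example.net\n"
    "From: Alice <alice@friend.example>\n"
    "Subject: Hi\n\nBody\n"
)

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("phish", PHISH), ("leak", LEAK), ("plain", PLAIN)]:
        print(f"{name}: {classify(raw)}")
```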
I was using UNIX all thru the 90's, and most of the time on a VT-220 text terminal. Then came X-terminals. I got a different GUI depending on which host I logged in to from my terminal, and the choice usually depended on finding one that's not overloaded. Customizing the commandline environment was easy (just define some aliases etc.) Customizing the GUI required more learning, but the worst part was that it broke whenever the GUI was changed. So I went to the helpdesk for help about using the default GUI I saw, but the usual answers were "that WM sucks. I use this one that's much better" and "RTFM" or actually check the man page. So I happily used "man" to look for different WMs and then used "man...wm|lpr" to get them all printed so I can take it home and see what the options are and see what I want. But what I had was hundreds of pages listing options alphabetically, with no idea about what's important and what should be skipped. Eventually I gave up, and instead of using the Xterminal on my desk that was just working I brought my own heavy laptop with win95 preinstalled and miles of ethernet cables, connected to the network, and didn't have to RTFM.
man pages were nice in the old days of not too many options, but you cannot call them "help" when they list thousands of options with descriptions that can only be comprehended by people who know the inner workings of the OS or the described software, that are prioritised based on alphabetical order of the option's code (which was often chosen based on what letters remained available at the time the option was added).
man pages are good for developers. For years I was trying to switch to using LINUX on the desktop, but I don't have infinite time, and to this time most trials I made were failures, though not completely useless. And it's not that I was born in the Windows environment. I was using Unix when it was just commandline and someone else did the system maintenance.
What Linux/FOSS needs is a standard way to cooperate on writing documentation and prioritising it, and to recruit people who are not developers into writing documentation without having to first learn how to do it. Something that non-technical people can easily use to contribute.
The main flaw with the Berne convention as I see it is that in almost all cases it does not respect the creator's wishes for their work. By default it makes every work uncopiable unless explicitly licensed by the author, and it doesn't provide any means of locating the author. Almost all content on the web was posted by authors who don't expect to make money by selling their content, who don't care about their content being copied (at least when proper attribution is made) and usually prefer that their ideas be disseminated this way. Most of those who post on the web are not reachable to give explicit permission, and if reachable now will not be reachable by the same means next year (say when they abandon their old email address in favor of a new spam-free one).
The first thing that needs to change is that there should be a requirement that legal protection for copyright holders should be restricted to those who claimed they want such protection in advance, before they can claim infringement, in a standard way that could be used by the accused infringer to check and know that there are restrictions on use. Such a standard way should also require that any protected work be made available in a way that allows fair use, or at least allows the passage of the work to the public domain when time comes (i.e., there should not be legal protection for works disseminated only in a way that prevents access after the work has legally entered the public domain).
In a world where most published work was not meant by the content creators to be restricted, the law should not restrict it by default. If anyone wishes to control their work, they should state so. It is not difficult.
-----
License: I am the copyright holder of this post. I wish to retain my rights to this post. As the copyright holder of this post I hereby explicitly grant the permission to anyone who so wishes to copy all or part of this post and to include it in their work. This notice would hold until 70 years after I cease to be alive, and after that time this post will pass into the public domain regardless of any changes in copyright laws. If in doubt consult my death certificate if you are able to find it. If you cannot find it assume I am alive and well.
> Credit cards? 30 seconds windows during which my money is accessible?
> We already have things that are better than this.
I think the only thing that's really needed is some kind of mechanism that ensures the merchant only gets info that's good for the particular transaction. So it should be a mechanism that replaces the credit card, that receives info that includes things like amount, merchant code, time+date, unique transaction id created by the merchant (can be a sequential number, random, doesn't matter), adds the customer's info (CC number + internal code not available to the merchant) and creates a hash that is then included with the transaction record.
No need for complete security. Just to eliminate the current situation where using a credit card for a purchase means the customer has to provide the merchant with info that can be used by whoever has that info to impersonate the customer and make other transactions. Anything that avoids this can then be insured against fraud at rates that are negligible compared to what is happening today.
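The per-transaction code sketched in the post above, worked through as an added example (not code from the original post): the merchant's details are bound together with a customer secret the merchant never sees, and the issuer checks the keyed hash and rejects tampered or replayed records. Field names, the key derivation and the card/secret values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed issuer-side table: card number -> customer's internal code.
# The internal code stays with the customer and the issuer; the merchant
# only ever sees the resulting authorization code.
ISSUER_SECRETS = {
    "4111111111111111": "internal-code-EXAMPLE-ONLY",
}


def canonical_record(card_number, merchant_code, amount_cents, timestamp, txn_id):
    """Deterministic byte encoding of the fields both sides must agree on."""
    fields = {
        "card": card_number,
        "merchant": merchant_code,
        "amount": amount_cents,
        "ts": timestamp,
        "txn": txn_id,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def derive_key(card_number, internal_code):
    """Per-card HMAC key from card number plus the private code (assumed scheme)."""
    return hashlib.sha256(f"{card_number}|{internal_code}".encode()).digest()


def customer_authorize(card_number, internal_code, merchant_code,
                       amount_cents, timestamp, txn_id):
    """Customer-side step: merchant's transaction details + secret -> signed record.

    The returned record is what the merchant stores and forwards; it is only
    valid for exactly these fields.
    """
    key = derive_key(card_number, internal_code)
    msg = canonical_record(card_number, merchant_code, amount_cents, timestamp, txn_id)
    code = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {
        "card": card_number,
        "merchant": merchant_code,
        "amount": amount_cents,
        "ts": timestamp,
        "txn": txn_id,
        "auth": code,
    }


def issuer_verify(record, seen):
    """Issuer-side step. Returns (accepted, reason).

    `seen` is the set of (merchant, txn) pairs already honoured, so a
    merchant (or anyone who copied the record) cannot submit it twice.
    """
    internal_code = ISSUER_SECRETS.get(record.get("card"))
    if internal_code is None:
        return False, "unknown card"
    key = derive_key(record["card"], internal_code)
    msg = canonical_record(record["card"], record["merchant"], record["amount"],
                           record["ts"], record["txn"])
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison: any changed field yields a different code.
    if not hmac.compare_digest(expected, record.get("auth", "")):
        return False, "authorization code does not match transaction details"
    replay_key = (record["merchant"], record["txn"])
    if replay_key in seen:
        return False, "replayed transaction id"
    seen.add(replay_key)
    return True, "ok"


def demo():
    """Honest purchase, then a tampered amount, then a replay of the original."""
    seen = set()
    rec = customer_authorize("4111111111111111", "internal-code-EXAMPLE-ONLY",
                             "MERCH-042", 4999, "2007-11-05T10:15:00Z", "INV-1001")
    first = issuer_verify(rec, seen)                        # (True, "ok")
    tampered = issuer_verify(dict(rec, amount=49999), seen)  # code no longer matches
    replay = issuer_verify(rec, seen)                       # same txn id again
    return first, tampered, replay


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```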
The most interesting facts are in the end of this post. Keep reading...
I am reporting some of the spam I get, but not most of it. Mainly spam sent by advertisers in my country. Some of it is sent by spammers that tend to use the same ISP and I don't see that the ISPs are doing anything against these spammers. I use SpamCop to report, both because it's easier for me, and because I believe it is a better service to the receiving abuse desk that gets a reliable report. This is one thing I would like to hear more about: how helpful are SpamCop reports, and do abuse desks use the tools SpamCop provides for them.
Then there are botnet spammers. I am following one such spammer. Reporting seems pointless but I was glad to see the parent post and several others that indicate that sometimes the info is used to help a customer clean their PC. However, I am interested in another aspect: I have a list of several hundred IP addresses this spammer has used to send email that are scattered all around the world. It seems to suggest the use of a botnet, but I have no positive evidence that any of these IP addresses represents an infected PC. There might be another explanation, such as they are using open relays/proxies, but it seems most of these IP addresses are not listed as open relays/proxies at the time of reporting, and they are almost all identifiable in consumer dynamic IP ranges. So I would really like to somehow get a positive reply from an ISP that can actually say "yes, we identified that this is a hijacked PC and we detected it spewing out tons of spam similar to the one you reported.". I have the spammer's cellphone number and list of clients, a collection of hundreds of spam messages sent from different IP addresses and all with forged sender credentials, but the missing part is actually being able to tell that one of these hundreds of IP addresses has been positively detected to be hijacked and controlled by the spammer. I also tried several times to contact owners of domains forged in headers to get an actual response saying they did not agree to their identity being used and never got a response, but at least I know one blogger that complained about his own identity being forged by this spammer (and he complained to the police but AFAIK nothing much happened).
Finally, I premised in the first sentence that the best part would come in the end, and that is why I would want to follow this one spammer. Well, it looks like a botnet operator, but the real story is the sort of clients that hire the botnet operator to use a botnet to send spam with forged identities on their behalf. Almost none of them were close to what you would associate with spam, such as illegal pharmacies, gambling, porn etc. The sort of clients they do serve are companies selling real products or services. They also got several colleges (the sort that gives a real bachelor's degree that is accepted by graduate schools). They got a stock broker and a financial investment company owned by a multi-billion-dollar corporation. They got a big telemarketer as a client, and interestingly at the same time they worked with this client they started offering "targeted mailings". And last week they finally got the biggest client: ME. Not that I ordered any job from them. My government hired them. I pay taxes. So it's my money they got paid to use their botnet to send me spam offering me loans from my government if I am a small business. It's an Israeli spammer, operating openly in Israel, with even the government as a client, and selling the services of a network of hijacked PCs all around the world (USA, China, Germany, France, Spain, Russia, Argentina, Brazil, and many more countries that I have on record). This kind of thing must be stopped!
IMAP4 is quite an old standard, and I think we are in need of an "IMAP5" that would be more appropriate for people that use IMAP mailboxes as subfolders of a folder they consider as their "mailbox", and also want to be able to apply multiple labels and to search mail in multiple folders, things the present IMAP specification just doesn't have.
I have never received any spam with copyright notice except for the spam I regularly receive mentioning L. Ron Hubbard as copyright holder and claiming they are not affiliated and only have permission to distribute from the copyright holder.
But then perhaps I'm lucky. Do others regularly receive spam promoting other religions?
> Their government will NEVER think to make their own proxies ...
...
> and anonymous spam to catch users
Isn't this exactly PHISHING? Creating a fake service and tricking people into thinking they are using the real service? Would the Chinese government stoop so low as to break their own law?
On the other hand, the Chinese government would have no problem blocking the "proxy spam" by blocking the source, unless the source is disguised using exploits (botnet, open proxy etc.) So the question becomes not if the end justifies sending spam but if it justifies breaking laws all over the world and stealing and exploiting third parties' resources.
> ... and once some of those computers go to class (or to sleep, for example,) ...
> take over the MAC address and ask for a new DHCP lease
Is it really necessary to ask for a new lease? I thought one can just take over both the MAC address and the IP address and use it. Shouldn't be a problem as long as the other computer is off. (or just take the IP address. Behind my NAT router at home I just assign static IP addresses and they of course work as long as they are in the same subnet. When in the distant past I asked to use my own laptop in the (university) department network the helpdesk guy just told me to make up an IP address in the network and there should be no problem.)
If all ISPs block port 25 then botnet operators would program their zombies to use whatever email settings are there on the PC and send through the ISP's relay. As long as a few ISPs block port 25, sending directly is a better strategy for spammers. When the percentage of networks blocking port 25 gets higher than some threshold, sending through the ISP servers with whatever filtering it has would become a better option for the spammer and the spammer would switch. This would be much more problematic for ISPs: dealing with a massive amount of spam trying to get out of their servers (instead of directly) might overload their outgoing email services, would require huge resources in filtering outgoing mail, would create false positives with customers' legitimate outgoing mail being blocked on the way out.
So as much as blocking outgoing port 25 sounds nice and effective, it doesn't scale. On the other hand port 25 "sniffing" might be good, especially if it can lead to connecting the hijacked PCs to whoever uses them. But for this to work abuse fighters first need to abandon the idea that the most important goal is to catch the people that actually control the botnets. If a botnet is used to send spam on behalf of someone that paid someone else that hired yet another guy that paid a botnet operator for the service of using stolen resources then the one that provided the money for the operation should go to jail. And it's quite easy to determine who the advertiser is. So what's needed is to collect the data on actual spam messages going out of zombie PCs, choose those that are easier to locate, and put them in jail because they hired a criminal to work for them. If they can make excuses that they "didn't know" a crime is committed and without providing enough info to get the criminal then they should end up in jail. With just a few such cases there would be much less money flowing into spammers' pockets, and they'd be looking for another job...
Sometimes the food doesn't make it all the way to the back. Last time I flew Iberia I was seated in the back and when they got to our seat there was no food left. They apologized, promised that perhaps we can get some leftovers from the first class but we have to wait till they finished their meal. Actually the first class leftovers were quite good (or whatever they were - some kind of special meals...)
...
But then, perhaps not getting the airline meal is good
A very accurate description of the worst kind of spamming.
If the "owner" you know were to be publicly executed, thousands will come to make sure the corpse doesn't remain in one piece...
> the recipient bears the majority of the cost ...
> (actually, the ISP does, in terms of increased
> bandwidth and storage requirements,
Actually I did the math, and the costs in terms of bandwidth and storage are much much lower than the cost of the recipient's time.
"Just hit delete" is very expensive if you just multiply the few seconds it takes to read a bit of the mail and think just a little bit to make sure you don't delete real email.
Snail mail spam is not a real time waster for me because the time used to junk it is wasted time anyway. Most of it goes straight to the garbage can we have near the mailboxes for that purpose, and the rest of it to the other garbage can we keep next to the elevator. The time it takes to walk from the mailboxes to the elevator is usually enough, and is wasted time anyway. In addition most snailmail junkmail I see is actually quite targeted. That is, someone put some thought and money into trying to locate relevant audiences. Email spam is not sent to people. It is sent to strings that contain a "@". There is no effort to limit the sending to recipients that might be interested as it is cheaper to send globally than to research the market. Spam lets the market "research itself", and that's what's wrong with it. What should have been outlawed is the sending of bulk communications to lists of addresses (or "routing instructions") that are not positively identified with individuals.
Telemarketing is very annoying, in that it is actually harassment. It makes you get up and go to answer a phone, and when there's too much of it it robs you of the functionality of a phone as a means to call you in an emergency (it cannot be used in this way if most of the times you pick up the phone you find out it's commercial harassment). Anyway, with telemarketing the cost to the recipient (time it takes to get up and answer the phone, and the indirect cost of interfering in one's routine and in harassment) is much higher than the cost to the caller, of a single phone call, probably with a great discount for bulk usage.
The real solution is to make the advertisers' costs higher, and the way to do it is to respond: use their 1-800 numbers to tell them their advertising is unwanted. Use their inquiry forms to force them to contact you to hear you're not interested (or just provide false info they have to follow because they have to find the real customers out of all the inquiries they receive). Bulk mail/telemarketing is built on the assumption of a low percentage of responses that are "high quality", i.e. that they only have to allot expensive resources (handling by a human) to whoever is going to purchase the service. The way to make this nuisance go away is to respond negatively much more often, so that the costs of handling responses do not justify the campaign.
Botnet herders are there for the money, and spam is "good money". So most spam is sent using botnets and sending spam is the major income for botnet herders. See the very recent two article series called "Botconomics" on Cnet: Part 1 (http://reviews.cnet.com/4520-3513_7-6748100-1.html), Part 2 (http://reviews.cnet.com/4520-3513_7-6749973-1.html).
Now the botnet herders might be hard to reach, behind multiple layers of proxies or whatever, and the money trail perhaps would not lead all the way to them, but stopping much of the flow of money can suffocate them, or at least keep them from growing. You cannot easily stop them from sending spam advertising illegal things like porn, gambling etc. But you can keep the big money out, and the big money is in legitimate businesses. If they can get away from being accused of crimes they paid to commit (using trojaned machines to send their spam) by saying they got the service on the internet from someone unreachable and unidentifiable then it's very bad. It's like someone who bought a stolen TV set going away unpunished because he says he bought it "from this guy in this van and there's no way he can identify the seller because the seller was wearing a mask". So if a business gets spamming services from an unidentifiable provider and it turns out it was sent using trojaned machines that business owner should pay a price (jail time) because it's not much different from buying a TV set from a masked man in a van. If they can lead to the service provider then they might be able to claim that they have been tricked into buying this service. The spammer I am following has sold his services to legitimate businesses: big businesses that require their service providers to work legally, provide paperwork such as receipts that show that tax was paid etc. The spammer works openly and looks like a legitimate business. So the only problem is to get the data that can be used to prove the use of trojaned machines in a way accepted by a court of law (and statistics showing hundreds of spam messages coming from any corner of planet Earth that has some kind of internet connection is not enough, it seems).
So if a "luser" got trojaned, the thing to do is exactly what that journalist did: not panic, and see what evidence about the people abusing the computer can be retrieved from the computer. If they wanted your personal info stored on the computer they already got it by the time you found out you've been trojaned. You shouldn't store it openly on your PC anyway. A burglar can take the PC and then get the info out of the stolen PC. On the other hand a trojan that's part of a botnet has no interest in harming your PC. The trojan's interests are keeping a low profile and not being discovered so they can do their work. Lately some trojans have been seen to install anti-virus software on the machines they infected to keep out other (competing) malware. So it seems you do not have to worry too much about the damage a trojan will do to your computer nowadays, at least if you don't store sensitive information and have backups. You can watch what the trojan does and since it's there to be hired out to real people eventually you'd find out who hired it, and hiring it is just as illegal as controlling it, or at least should be illegal.
It's not that simple!
The IP address doesn't lead to the spammer. The IP address leads to the victim whose computer was infected by malware that allows a criminal (spammer or worse) to use the computer. The fact that 29% of the IP addresses used by a spammer (that was not US-based) were in the USA reflects the fact that approximately 29% of the computers the botnet operator managed to take over are in the USA. So you cannot just come to the PC owner and jail her.
But it doesn't mean that the US law authorities don't have an "advantage" in having 29% of the botnet US-based. It means that they can probably get physical access to enough machines to have hard evidence that can be used to get to the spammer. The problem as I described it is of how to enable the law enforcement people to get this info: how to let them get to the compromised machines in time to be able to watch them being abused, how to let people know they can help law enforcement catch the criminals that take their PCs over and make the process as smooth as possible, and how to cooperate across jurisdictions.
So somehow people should be educated that if their PC is found sending out spam and they are not the ones doing it, then they should not run and hide so they are not caught sending spam. Instead they should know they can cooperate by having the info on their infected machine available to law enforcement and be content that at least they contributed something that can help stop the criminals, just as they would if a burglar entered their house.
"A Turing machine with a black box, called an oracle, which is able to decide certain decision problems in a single step" (http://en.wikipedia.org/wiki/Oracle_machine)
The solution to the problem of bypassing Captcha tests was known before they were introduced, and is taught in almost any reasonable undergraduate textbook on computational models. Spammers just did their homework...
I would suggest 1 second in jail, for each single piece of spam, non-overlapping.
And I would suggest that the spammer allowed to appeal (each term individually. That is, they would be able to opt-out of being punished using the provided "removal mechanism").
Or perhaps they can even be provided with a release order, that they would have to find in a mailbox full of millions of pieces of spam. They would need to "just hit delete" for everything except the release order.
I have been following only one Israeli spammer, so my statistics are perhaps not as good as Spamhaus statistics, but out of 270 pieces of spam received over more than a year, sent by the same spammer using 268 different IP addresses in 40 different countries, 79 unique pieces of spam (29%) came from IP addresses of US providers. Western Europe (Spain, France, Germany etc.) came in second with 27%, Eastern Europe with 14.5%, South America with 13%, Middle East with 7% (within it 4% from Israel) and the Far East came last with 6% (about half from China, which is 10 times less than the USA). Details (alas, in Hebrew) are here: http://israblog.nana10.co.il/blogread.asp?blog=383074&blogcode=6741471 and the IP addresses themselves (webpage in Hebrew, but IP addresses and links to dnsstuff still usable) are here: http://israblog.nana10.co.il/blogread.asp?blog=383074&blogcode=5950596 .
Now all this shows quite definitely that this spam operation is botnet-based, so can law enforcement get this spammer and put him in jail? I didn't think so, so for several months I have been asking ISPs to check and confirm that the machines are actually infected machines that are sending out spam without the owner's permission. Only one ISP replied. First reply said:
> I can confirm that I have other reports from this system, including what
> appears to be german stock pump spam.
Reply to my further inquiry said:
> It will take a few days. There's no way for sure to verify outside of asking the
> customer. However, we've not had any issues with this customer sending spam in
> the past. They are also located in a small rural town in Oklahoma. I will try
> and get the customer to report to me which viruses and trojans are removed by
> A/V supposing they don't reformat.
>
> I guess I'm saying that the spam is sent without their permission. I'm just not
> completely sure how to prove it.
and then:
> I'm not sure if the customer will get me the proper virus/trojan information,
> but I can attest to them being infected. They were caught scanning 137 and 445.
> They also had 2 open ports which were handing out binary code, most likely the
> payload of the virus.
>
> 5468/tcp open unknown
> 50507/tcp open unknown
>
> This machine is definitely compromised, we just don't know by what.
Now with this I went to the computer crime division of the Israeli police (and with the spammer's contact info - cellphone number, list of some of the spammer's customers, including publicly traded companies and a government agency, samples of spam with forged headers etc.) and they said they are not sure there's a lot they can do with it, but they will investigate to see if perhaps they can do something. In particular having the information that an abuse team of an ISP from another country says that it looks like an unknown virus is an indication, but practically they need someone that they can call to testify in a court, so what they really need is a local infected machine that they can actually check and link to the spammer (that is: they need evidence that can be brought to the court that this particular person accessed and used another person's PC and the other person can actually say it was without permission). They did ask me and I provided all the particular pieces of spam that were sent from local (Israeli) IP addresses.
This is an example of the problem faced by law enforcement: they need to establish a direct link between the abused machine and the abuser, and actually prove it was without permission. They cannot just say that using so many IP addresses shows that it is illegal. And there are many other hurdles, including definitions in the laws defining computer based cri
You are lucky! You actually got to contact support! (or something named "support").
When I tried to contact my bank's "internet support" about the email they sent being marked as a phishing attempt (because a link specified one domain and pointed to another) I never got through. Something in their support system was not functioning.
The email itself was really sent by the bank, to a unique address I gave them that only they know, and the domain their email linked to was their domain (figuring that out required some DNS+whois detective work, more than one query).
Anyway, they seem clueless, and I wouldn't trust them in anything related to internet (though I do trust them with all my savings...)
In this forum post Rob Mueller of Fastmail.fm explains why they stopped using the SpamAssassin plugin for DomainKeys.
"... knows exactly what a web site is ..."
Does this means understanding what DNS is and how it works, what a web server and web client are and how they interact? Or does it mean just being acquainted with the metaphor of a website as a bunch of pages shown in a web browser that appear to be related to each other?
Judges make decisions that affect more than just the case they are considering, and making those decisions based on a description by an attorney of what the attorney comprehends as "being a website" which most often would have little to do with what a website is or what a website might be five years from now might very well lead to decisions that would complicate the future in unwanted ways.
The internet and the web are not just another fact of life. The internet is a universal communications medium and the web is a universal repository of information. Communications is converging into the internet and information is converging into the web as universal platforms, and all aspects of life become related to these technologies, because of their universality.
So I see a need that people such as judges and decision makers be more thoroughly educated about what these mean. They don't need to get to know the bits. They do need to get to know the concepts and the infrastructure so when they make decisions they are not just based on the superficial knowledge of what things look like (a website, a message etc.) but also on what they really are and how a decision about them can affect other related concepts.
I think legal minded people should know a bit on how it works behind the scenes, such as how there's a network of computers that have numbers, and tables that map names to these computers, how computers ask each other to send information, and how this information is constructed to create a metaphor of a website or an email message. Show them a few RFCs (such as the one that defines MUST, SHOULD etc. that they can relate to) so they understand there are standards working in a way quite similar to the laws they are enforcing, only they work to make computers get along with each other while laws work to make people get along with each other. Then they can make better decisions, or at least they can grasp Lessig's "Code".
I regularly follow one particular local (Israeli) spammer whose operation seems to be botnet-based. I report every single message received from that spammer using SpamCop (spamcop.net). Recently I started adding text asking the ISP that receives the notification to confirm if the sending IP address can be confirmed to be a spam sending zombie. I still haven't received any kind of response (I have also asked several times domain owners whose addresses were forged to confirm the addresses were used without permission and no one has ever replied).
So what do I have: hundreds of email messages, coming from almost the same number of IP addresses spread all around the world, and with email addresses in numerous domains that seem to be irrelevant to the advertised service. And not one can be positively confirmed to really be a zombie (or forged identity). So it's obvious it's a criminal spammer, but I doubt anything legal can be done using just the evidence that each message is sent using a different IP address in a different country, and practically all of these are in dynamic consumer broadband ranges (there was one instance I know of that is recorded on the web of someone whose domain was forged on spam by this spammer that had actually filed a complaint with the police and blogged about it, but AFAIK nothing happened).
So I know about an Israeli spamming operation. I know the spammer's cellphone number that is included in their self promotion messages. I have a list of many clients that have hired their services, including financial services, academic colleges, some IT companies, many others, and even one government agency (i.e., my tax money paid to a botnet operator to steal computing and network resources!) but I doubt if I can do much with it. I informed all the Israeli ISPs about this spammer. I know others are getting this spam. The ISPs could probably collect hundreds of thousands of spam messages and map the botnet, and provide all the evidence needed to put the spammer in jail for many years. Yet they haven't. So it seems they're not that interested.
There's a list of all the spam messages I received from this spammer including sending IP addresses and their geographic locations plus info identifying the advertisers for each spam message that I posted (in Hebrew; only the IP addresses and dnsstuff.com links are usable to non-Hebrew speakers) here: http://israblog.nana.co.il/blogread.asp?blog=383074&blogcode=5950596
> we need to come up with a solution that ensures safety for the user who don't have a clue ...
Certainly! I don't expect my parents to fool around with addresses in their "own domain". What I think can work is the type of thing Sneakemail does: email is coming to sneakemail to an address that looks randomized. Sneakemail rewrites some headers, specifically the "From" and "To" headers, and then the recipient sees what Sneakemail put there, and that serves as a "seal" that tells you who sent it.
Now Sneakemail is not suitable for the general public "as is". It is componentised and you need some understanding of the inner workings to build what you want. But the concept works. It just needs a "dumbed down" UI that limits the user to what the user needs. So this sort of functionality can form the basis of a rather simple system that an ISP can provide to users, and from the user's point of view it would be that instead of giving the email address used for work/fun, the user gets a "secret encoded email address" to give to the bank, and the user knows that email coming to the bank first goes through the ISP and gets a "seal of approval", that the user learns how to recognize.
I think that financial institutions should adopt this model. If there's cooperation between servers and recipients (i.e. banks and email providers can agree on some protocol) then the RCPT address of SMTP that is the only component that cannot be arbitrarily forged can be used to create secure "SMTP channels" without changing the protocol. Only cooperation between the recipient and sender is needed to do it within the existing protocol. The only thing needed is for the financial sector to show some interest. Once the concept is adopted they have plenty of resources to develop additional tools around it (such as ways for communicating the "keys" from ISP to bank or any other security gadget they want to communicate so that the user can safely rely on ISP telling "this is OK").
The simple way to avoid phishing is to use the authentication that is built into SMTP.
SMTP has only one form of built in authentication: the email is sent to the recipient specified, and to no one else (that is to the envelope-recipient, aka RCPT, not the address in the "To" or "Cc" header field).
So the way to authenticate email that claims to be from your bank is not to use the same email address with your bank as with anyone else. Then email that comes to the address you provided to your bank is from your bank, and any other email that claims to come from your bank and was not sent to the address you provided to your bank is not from your bank.
Personally I gave my bank a sneakemail.com address. I gave another financial institution a unique address in my own domain. Both are good ways to authenticate the sender as long as no one else knows about the address.
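The per-institution address check described in the two posts above, as an added example that is not part of the original posts or of Sneakemail: a delivery-time filter that keys on the envelope recipient (read here from a `Delivered-To` header the receiving MTA is assumed to add) rather than on the forgeable `From`. The address book, domains and messages are constructed, and the filter goes one step beyond the post by also flagging a private address that is suddenly used by some other sender, which is the signal that the address has leaked.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: the unique address handed to each institution
# -> the sender domain that is expected to use it. Nobody else knows it.
ADDRESS_BOOK = {
    "bank.k7x2q@sneakemail.example": "bank.example",
    "broker-only@mydomain.example": "broker.example",
}


def sender_domain(msg):
    """Domain part of the (forgeable) From header, lower-cased."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def classify(raw_message):
    """Classify one message by where it was delivered, not by what it claims.

    authenticated : arrived at the private address and From matches its owner
    leaked        : arrived at a private address but From is someone else
    suspect       : From claims an institution but did not use its private address
    ordinary      : neither claims an institution nor uses a private address
    """
    msg = message_from_string(raw_message)
    delivered = parseaddr(msg.get("Delivered-To", ""))[1].lower()
    claimed = sender_domain(msg)
    expected = ADDRESS_BOOK.get(delivered)
    if expected is not None:
        return "authenticated" if claimed == expected else "leaked"
    if claimed in ADDRESS_BOOK.values():
        return "suspect"
    return "ordinary"


# Constructed sample messages (headers only; bodies are irrelevant here).
GENUINE = """Delivered-To: bank.k7x2q@sneakemail.example
From: Alerts <alerts@bank.example>
To: customer@mydomain.example
Subject: Your statement is ready

"""

PHISH = """Delivered-To: customer@mydomain.example
From: Security Dept <alerts@bank.example>
To: customer@mydomain.example
Subject: Please confirm your account

"""

LEAK = """Delivered-To: broker-only@mydomain.example
From: Great Offers <promo@spam.example>
To: broker-only@mydomain.example
Subject: Cheap stock tips

"""

NEWSLETTER = """Delivered-To: customer@mydomain.example
From: Weekly Digest <news@list.example>
To: customer@mydomain.example
Subject: This week

"""


def demo():
    """Return the verdict for each constructed sample."""
    return {name: classify(raw) for name, raw in
            (("genuine", GENUINE), ("phish", PHISH), ("leak", LEAK), ("newsletter", NEWSLETTER))}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```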
I was using UNIX all thru the 90's, and most of the time on a VT-220 text terminal. Then came X-terminals. I got a different GUI depending on host I loginnd to from my teminal, and the choice usually depended on finding one that's not overloaded. Customizing the commandline environment was easy (just define some aliases etc.) Customizing the GUI required more learning, but the worst part was that it broke whenever the GUI was changed. So I went to the helpdesk for help about using the default GUI I saw, but the usual answers were "that WM sucks. I use this one that's much better" and "RTFM" or actually check the man page. So I happily used "man" to look for different WMs and then used "man ...wm|lpr" to get them all printed so I can take it home and see what the options are and see what I want. But what I had was hundreds of pages listing options alphabetically, with no idea about what's important and what should be skipped. Eventually I gave up, and instead of using the Xterminal on my desk that was just working I brought my own heavy laptop with win95 preinstalled and miles of ethernet cables, conected to the network, and didn't have to RTFM.
man pages were nice in the old days of not too many options, but you cannot call them "help" when they list thousands of options with descriptions that can only be comprehended by people who know the inner workings of the OS or the described software, that are prioritised based on alphabetical order of the option's code (which was often chosen based on what letters remained available at the time the option was added).
man pages are good for developers. For years I was trying to switch to using LINUX on the desktop, but I don't have infinite time, and to this day most trials I made were failures, though not completely useless. And it's not that I was born in the Windows environment. I was using Unix when it was just commandline and someone else did the system maintenance.
What Linux/FOSS needs is a standard way to cooperate on writing documentation and prioritising it, and to recruit people who are not developers into writing documentation without having to first learn how to do it. Something that non-technical people can easily use to contribute.
The main flaw with the Berne convention as I see it is that in almost all cases it does not respect the creator's wishes for their work. By default it makes every work uncopiable unless explicitly licensed by the author, and it doesn't provide any means of locating the author. Almost all content on the web was posted by authors who don't expect to make money by selling their content, who don't care about their content being copied (at least when proper attribution is made) and usually prefer that their ideas be disseminated this way. Most of those who post on the web are not reachable to give explicit permission, and if reachable now will not be reachable by the same means next year (say when they abandon their old email address in favor of a new spam-free one).
The first thing that needs to change is that there should be a requirement that legal protection for copyright holders should be restricted to those who claimed they want such protection in advance, before they can claim infringement, in a standard way that could be used by the accused infringer to check and know that there are restrictions on use. Such a standard way should also require that any protected work be made available in a way that allows fair use, or at least allows the passage of the work to the public domain when the time comes (i.e., there should not be legal protection for works disseminated only in a way that prevents access after the work has legally entered the public domain).
In a world where most published work was not meant by the content creators to be restricted, the law should not restrict it by default. If anyone wishes to control their work, they should state so. It is not difficult.
-----
License:
I am the copyright holder of this post.
I wish to retain my rights to this post.
As the copyright holder of this post I hereby explicitly grant the permission to anyone who so wishes to copy all or part of this post and to include it in their work.
This notice would hold until 70 years after I cease to be alive, and after that time this post will pass into the public domain regardless of any changes in copyright laws.
If in doubt consult my death certificate if you are able to find it. If you cannot find it assume I am alive and well.
> Credit cards? 30 seconds windows during which my money is accessible?
> We already have things that are better than this.
I think the only thing that's really needed is some kind of mechanism that ensures the merchant only gets info that's good for the particular transaction. So it should be a mechanism that replaces the credit card that receives info that includes things like amount, merchant code, time+date, unique transaction id created by the merchant (can be a sequential number, random, doesn't matter), adds the customer's info (CC number + internal code not available to the merchant) and creates a hash that is then included with the transaction record.
No need for complete security. Just to eliminate the current situation where using a credit card for purchase means the customer has to provide the merchant with info that can be used by whoever has that info to impersonate the customer and make other transactions. Anything that avoids this can then be insured against fraud at rates that are negligible compared to what is happening today.
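A sketch of the scheme described in the two paragraphs above, as an added example that is not part of the original post: the customer's device binds the card number and a secret the merchant never sees to the details of one transaction, so the record a merchant holds is useless for any other amount or any later purchase. HMAC-SHA256 stands in for the poster's unspecified "hash"; the card number, secret, merchant code and transaction values are all constructed.

```python
"""Added example: transaction-bound authorization code (constructed values).
The merchant sees the record and the code, never device_secret."""
import hmac
import hashlib
import json


def authorize(record: dict, device_secret: bytes) -> str:
    """Device side: compute the code sent along with the transaction record.

    record carries what the merchant supplied (merchant, amount, time, txn)
    plus the card number; device_secret is the 'internal code' the merchant
    never receives, so the merchant cannot mint codes for other transactions."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_secret, canonical, hashlib.sha256).hexdigest()


def issuer_verify(record: dict, code: str, secrets_by_card: dict, seen_txns: set) -> bool:
    """Issuer side: recompute with the secret on file and refuse replays of the
    same (merchant, txn) pair, so a stored record cannot be charged twice."""
    secret = secrets_by_card.get(record.get("card"))
    if secret is None:
        return False
    if not hmac.compare_digest(authorize(record, secret), code):
        return False  # amount, merchant, time or txn differs from what was authorized
    key = (record["merchant"], record["txn"])
    if key in seen_txns:
        return False  # replay of an already-settled transaction
    seen_txns.add(key)
    return True


def demo() -> tuple:
    """Walk through one honest charge, a replay and a tampered reuse of the same code."""
    secrets = {"4111111111111111": b"constructed-device-secret"}  # issuer's copy of the secret
    seen = set()
    record = {"card": "4111111111111111", "merchant": "M-0042",
              "amount": 1999, "time": "2007-11-03T10:15:00Z", "txn": "000123"}
    code = authorize(record, secrets[record["card"]])   # what the merchant stores
    first = issuer_verify(record, code, secrets, seen)   # genuine purchase -> True
    replay = issuer_verify(record, code, secrets, seen)  # same record again -> False
    tampered = dict(record, amount=99999, txn="000124")  # new charge with the old code
    reuse = issuer_verify(tampered, code, secrets, seen)  # -> False
    return first, replay, reuse


if __name__ == "__main__":
    print(demo())
```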
The most interesting facts are in the end of this post. Keep reading...
I am reporting some of the spam I get, but not most of it. Mainly spam sent by advertisers in my country. Some of it is sent by spammers that tend to use the same ISP and I don't see that the ISPs are doing anything against these spammers. I use SpamCop to report, both because it's easier for me, and because I believe it is better service to the receiving abuse desk that gets a reliable report. This is one thing I would like to hear more about: how helpful are spamcop reports, and do abuse desks use the tools spamcop provides for them.
Then there are botnet spammers. I am following one such spammer. Reporting seems pointless but I was glad to see the parent post and several others that indicate that sometimes the info is used to help a customer clean their PC. However, I am interested in another aspect: I have a list of several hundred IP addresses this spammer has used to send email that are scattered all around the world. It seems to suggest use of a botnet, but I have no positive evidence that any of these IP addresses represents an infected PC. There might be another explanation, such as they are using open relays/proxies, but it seems most of these IP addresses are not listed as open relays/proxies at the time of reporting, and they are almost all identifiable in consumer dynamic IP ranges. So I would really like to somehow get a positive reply from an ISP that can actually say "yes, we identified that this is a hijacked PC and we detected it spewing out tons of spam similar to the one you reported.". I have the spammer's cellphone number and list of clients, a collection of hundreds of spam messages sent from different IP addresses and all with forged sender credentials, but the missing part is actually being able to tell that one of these hundreds of IP addresses has been positively detected to be hijacked and controlled by the spammer. I also tried several times to contact owners of domains forged in headers to get an actual response saying they did not agree to their identity being used and never got a response, but at least I know one blogger that complained about his own identity being forged by this spammer (and he complained to the police but AFAIK nothing much happened).
Finally, I promised in the first sentence that the best part would come at the end, and that is why I would want to follow this one spammer. Well, it looks like a botnet operator, but the real story is the sort of clients that hire the botnet operator to use a botnet to send spam with forged identities on their behalf. Almost none of them were close to what you would associate with spam, such as illegal pharmacies, gambling, porn etc. The sort of clients they do serve are companies selling real products or services. They also got several colleges (the sort that gives a real bachelor's degree that is accepted by graduate schools). They got a stock broker and a financial investment company owned by a multi-billion-dollar corporation. They got a big telemarketer as a client, and interestingly at the same time they worked with this client they started offering "targeted mailings". And last week they finally got the biggest client: ME. Not that I ordered any job by them. My government hired them. I pay taxes. So it's my money they got paid to use their botnet to send me spam offering me loans from my government if I am a small business. It's an Israeli spammer, operating openly in Israel, with even the government as a client, and selling the services of a network of hijacked PCs all around the world (USA, China, Germany, France, Spain, Russia, Argentina, Brazil, and many more countries that I have on record). This kind of thing must be stopped!