Kuro5hin.org: technology and culture, from the trenches
Responding to Spammers -- The Internet Strikes Back

By darkonc in Culture
Wed Nov 05, 2003 at 09:41:24 AM EST
Tags: Internet

One of the things that I live my life according to is the question: "What would happen if everybody did this?". This is one of the reasons why I would never spam. If everybody did that, we would end up with, well, the situation we've got with spam.

Today, I got so fed up with the spam I've been receiving (I'm up to about 300 spams a day now), that I picked two random spams, went to their web sites and typed in random data into their forms. One of those sites was even kind enough to respond with a toll free number that I could use if I was overly eager to talk to them (1-866-561-9216 -- inaccessible from Canada). Then I asked myself my recurring question: "What if everybody did this?". I liked the answer.
We've been going about it all wrong. We need to start responding to spam.


Spamming is based on statistics. At X positive responses per million, an income of $P per positive response and a reasonably low cost per million emails sent, their income is effectively based on the number of spams they can send out (we all know that). The current model of spam-fighting has been to increase the cost of sending spam. Unfortunately, that's mostly only increased the fixed costs for sending spam. Since most of the per-message costs of sending spam come from the cost of bandwidth, this simply forces spammers to increase their volume of spam until gross profits exceed fixed costs (i.e. contrary to our real intent).

What we need to do now (and what we should have been doing all along) is raising the cost per email to the spammers by raising the variable cost of processing the responses.
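The cost argument above, worked through as an added example (not part of the original article). X and $P are the article's symbols; every figure, and the names `Campaign`, `handling_cost` and `junk_per_million`, are constructed assumptions.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Campaign:
    """One spam operation, costed per million mails sent (assumed model)."""
    responses_per_million: float   # the article's X: genuine responses
    income_per_response: float     # the article's $P
    send_cost_per_million: float   # bandwidth and other per-message cost
    fixed_cost: float              # cost that does not grow with volume
    handling_cost: float           # cost to process ONE response, real or junk
    junk_per_million: float = 0.0  # red-herring responses per million mails

    def margin_per_million(self) -> float:
        """Income minus variable costs for each million mails sent."""
        income = self.responses_per_million * self.income_per_response
        handled = self.responses_per_million + self.junk_per_million
        return income - self.send_cost_per_million - handled * self.handling_cost

    def break_even_millions(self) -> float:
        """Millions of mails needed to cover the fixed cost.

        Returns infinity when the per-million margin is zero or negative,
        i.e. when no volume of mail can ever pay the fixed cost back.
        """
        margin = self.margin_per_million()
        return self.fixed_cost / margin if margin > 0 else math.inf

    def junk_rate_at_zero_margin(self) -> float:
        """Junk responses per million at which the variable margin hits zero."""
        if self.handling_cost <= 0:
            return math.inf  # free response handling: junk never hurts
        income = self.responses_per_million * self.income_per_response
        spare = income - self.send_cost_per_million
        return spare / self.handling_cost - self.responses_per_million


# Constructed figures, for illustration only: X = 10 responses per million,
# P = $20, $50 to send a million mails, $1300 fixed, $2 to handle a response.
BASE = Campaign(10, 20.0, 50.0, 1300.0, 2.0)


def compare() -> dict:
    """Contrast raising the fixed cost with raising the per-response cost."""
    doubled_fixed = replace(BASE, fixed_cost=2 * BASE.fixed_cost)
    threshold = BASE.junk_rate_at_zero_margin()
    poisoned = replace(BASE, junk_per_million=threshold)
    return {
        # Fixed cost only moves the break-even volume: more spam, not less.
        "base_break_even_millions": BASE.break_even_millions(),
        "doubled_fixed_break_even_millions": doubled_fixed.break_even_millions(),
        # Junk responses attack the margin itself, whatever the volume.
        "junk_per_million_at_zero_margin": threshold,
        "break_even_at_that_junk_rate": poisoned.break_even_millions(),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With these assumed figures, doubling the fixed cost doubles the volume needed to break even, while 65 junk responses per million remove the margin at any volume.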

In the last few years, the spamming industry has managed to raise the signal-to-noise ratio of my email from less than 1% to well over 90%. This ignores mailing list emails that are easily filterable and leaves spam competing against the ad-hoc emails that (for me) are generally among the most valued. This raises the very real risk of throwing out some of my most valued emails having mistaken them for one of the least-valued. (Yes, I use spamassassin and Mozilla's mail filters. The 300 spams are mostly filtered by them, but I still have to worry about false positives).

Spamming is based on statistics. Its workability is also based on the presumption that was, until recently, valid for email -- that communications have a good signal-to-noise ratio. More specifically, spamming is dependent on the presumption that 99.99% of spams that get tossed out are simply and silently tossed out. However: what would happen if instead of silently ignoring all of the spam we received, we simply chose a very small percentage to respond to with red-herring data?

Pretty simple -- they'd have the same problem that SPAM causes with E-Mail ... a bad signal-to-noise ratio. If the success rate on calls for people interested in mortgage renewals falls below 1%, mortgage companies currently buying from spam clearing houses might as well turn back to cold calling.

Note that I distinguish this from previous suggestions to DOS spam sources. A DOS (even a small one) is immoral, if not illegal. In most cases it's against your ISP's TOS. Posting random data is more like a registration of disgust. Innocent (or zombified) servers are not buried under bandwidth, and it's only an inconvenience to someone if thousands of people independently conclude that a piece of email constitutes SPAM.

Current intelligence indicates that most of the spam we receive comes from a small band of virulent spammers -- perhaps a few hundred of them. If every member of this community were to respond to one spam per day with red-herring data, then each spammer would be inundated with thousands of false responses which they would have to filter for the handful of true positives. My guess is that spammers would start to drop like flies, and this would result in a concentration of our daily response on the few remaining spammers. The number of false positives received by each spammer would quickly rise in an almost geometric progression. With them would rise the per-spammer costs.

The nice thing about this system is that it feeds off of the intrinsic power of the Internet. It is entirely distributed, and self-limiting. There is no AOL administrator randomly determining that your innocent query is a spam and cutting off your account. There is no spamhaus to DOS into oblivion. If somebody sends off a legitimate bulk email and accidentally includes me, there's currently less than a 1% chance that I'll respond with false data. If somebody sends off a 'legitimate' email to 10 million people without doing due diligence to ensure that their recipients really are going to want to hear from them ...... that's their problem.

There's not even the worry that we're becoming spammers ourselves... Nobody could seriously call following a single link in a received email harassment. On the other hand, there is suddenly a per-spam cost to email... The spammer with the most outgoing spam is now also going to get the most incoming garbage.

My last point here is that we must remain diligent. If this process works, then we must continue it even after SPAM has ceased to be the level of scourge that it is now. It must continue even when the level of spam is down to one per day, because -- on that day -- the one remaining spammer will doggedly send out 10 million emails and find himself filtering through 750,000 false positives.

After that, blessed silence.

Poll
I think this idea is
o Silly 24%
o Interesting 45%
o Brilliant 13%
o Stolen from me 10%
o Other 6%

Votes: 120

Responding to Spammers -- The Internet Strikes Back | 112 comments (101 topical, 11 editorial, 0 hidden)
nice idea (2.28 / 7) (#4)
by dimaq on Tue Nov 04, 2003 at 11:43:28 AM EST

instead of us filtering the emails, let them filter the orders. I like it :)

not all spam buyers will really care of course.

Your idea has its merits (2.87 / 8) (#5)
by hatshepsut on Tue Nov 04, 2003 at 12:01:49 PM EST

but this is still eating up my time (which is precious to me, at least) and my bandwidth (which I pay for).

Ultimately, any such "revenge of the spammed" would have the same problems: time and bandwidth. I know you could argue that sending one or two false responses per day doesn't eat up that much time or bandwidth, but think about how upset people get (and I include myself) when the twits out there suggest that we all "just hit <delete>".

So, while your idea has its appeal (I LOVE the idea that the idiot spammers would be trying to filter THEIR email as rigorously as I already filter my own), I can't see this actually correcting the problem. Still, a novel possibility to add to the general anti-spam arsenal.

spammers are specialized (2.75 / 4) (#27)
by martingale on Tue Nov 04, 2003 at 09:52:17 PM EST

(I LOVE the idea that the idiot spammers would be trying to filter THEIR email as rigorously as I already filter my own)
Why would they? Spammers don't care who or what responds. In fact, I'd be surprised if some enterprising spammer didn't already think of writing a script to fill out order forms with plausible sounding junk himself, to improve his success statistics to his clients.

Remember the heyday of banner ads? The operators got paid by ads served, not ads seen or clicked through or products bought. So you had web sites which actually paid their visitors simply to hit reload (or click through, in the later days, when you had to collect clicks to get paid).

Spamming is as much a racket on our mailboxes as it is a con job on clueless business people.

[ Parent ]

Garbage data isn't worth buying (2.75 / 4) (#34)
by darkonc on Wed Nov 05, 2003 at 02:26:25 AM EST

If their data is 99% garbage, then the companies will quickly realize that they're better off cold calling (which is free).

I'm thinking that it might even be worth giving them my real phone number... Depending on my mood, I'll either suck their time dry, or ream them out for using a spammer. In either case, they'll quickly learn.
Killing a person is hard. Killing a dream is murder. : : : ($3.75 hosting)
[ Parent ]

Cold calling isn't free. By far. (none / 1) (#81)
by error 404 on Thu Nov 06, 2003 at 01:57:14 PM EST

Cold calling is actually one of the most expensive (per contact, probably not per sale) forms of advertising.

Business phone lines are charged by call. There are plans out there that include some number of "free" calls, those cost extra.

But the big expense is labor. For each call, you have an employee making at least minimum wage (and a really good cold-caller can make quite a bit more than that) for as long as the call takes.


..................................
Electrical banana is bound to be the very next phase
- Donovan

[ Parent ]

They do this (none / 2) (#61)
by RevLoveJoy on Wed Nov 05, 2003 at 04:17:22 PM EST

I've been filling out forms w/ bogus info for a while now (see above).

Most of the time I'd be "Joe Spammer" or "Ima Spammer" - most web forms advertised by spam will not allow these types of responses any more.

Personally, I just see this as evidence that I'm not alone in poisoning the harvested well. Fuck em, I say, I can out wit a spammer script.

Cheers,
-- RLJ

Every political force in the U.S. that seeks to get past the Constitution by sophistry or technicality is little more than a wannabe king. -- pyro9
[ Parent ]

Look at it this way (3.00 / 6) (#58)
by RevLoveJoy on Wed Nov 05, 2003 at 03:58:51 PM EST

I see your point and I have to counter that I have been using this article's suggestion for the better part of two years now. I look at my responses to spam as leisure time (sick and wrong, yes, I am aware - hear me out for christ's sake). Every once in a while (sometimes if I get the same piece of spam, say 12 times) I respond with junk to the web survey. Yes, my monthly income is 12K. Yes, I have 3 mortgages and I want to refinance NOW at 7%! Please call me at 541.555.1212.

I will call the 800 number and tell the operator that millions of people the world over *hate* her because she works for a spammer. Then I hang up.

I will call the ISPs that host the spammer and ask them how I can open a spam account too (this one's fun, try it some day!).

Granted, my job puts me in close proximity to the spam gateways and the filtering mechanisms whose machinations we all must understand and tolerate these days lest our corporate bread winners become inundated beneath intolerable refuse. Regardless of this, I can say that after 2 years of now and again pissing away my 5 minutes on the phone with some fake & bake lender, I get a real kick out of ticking these people off.

Cheers,
-- RLJ

Every political force in the U.S. that seeks to get past the Constitution by sophistry or technicality is little more than a wannabe king. -- pyro9
[ Parent ]

Prior art. (2.87 / 8) (#6)
by megid on Tue Nov 04, 2003 at 12:11:51 PM EST

Sorry to say, but you are not the first.

http://www.wired.com/news/business/0,1367,61012,00.html?tw=newsletter_topstories_html

--
"think first, write second, speak third."

Thanks I was looking for that. (2.40 / 5) (#12)
by darkonc on Tue Nov 04, 2003 at 02:20:11 PM EST

My idea is different than Graham's. I'm not suggesting that anybody launch a one-person DOS. An effective counter-attack would require that thousands of people (rather than just one) agree that a mailout is spam.

It also responds direct to the spammers' servers rather than to the spam sources (which are now often just zombified customer boxes).
Killing a person is hard. Killing a dream is murder. : : : ($3.75 hosting)
[ Parent ]

what about.... (2.80 / 5) (#38)
by I8TheWorm on Wed Nov 05, 2003 at 09:55:02 AM EST

While reading the article, and after you posted that 866 number, I thought the idea was to call the advertisers.

Much like what /. readers did when Dave Berry published the numbers for the ATA and such, I thought that would be a novel idea. Spending the advertisers $$ on toll-free long distance, keeping them on the line as long as possible, etc... and reminding them the call was due to a pop-under or spam in your mailbox.

Maybe that would begin to deter advertisers from using those mediums for advertising.

[ Parent ]
Would it work? (2.33 / 6) (#10)
by Stephen Turner on Tue Nov 04, 2003 at 12:39:55 PM EST

Denial-of-service solutions to spam have been proposed before. The problem with automatic DOS solutions is that it's too easy to send out messages that look like spam if you want to DOS someone else's website. So you seem to be proposing a sort of "manual DOS" solution whereby well-meaning citizens go and fill in data on spammers' sites -- I really doubt you'd get enough people joining you for a long enough time to make it worthwhile.

Doesn't need to be many people. (2.50 / 4) (#18)
by Xeriar on Tue Nov 04, 2003 at 04:31:18 PM EST

There are, perhaps, a million or so 'clued in' internet users. If they decided to have some fun once in a while and averaged say, one false positive a month, they have already drowned out the true positives by a couple orders of magnitude.

Also, I think spam will eventually become self defeating. As it grows it will become less and less profitable, and this tactic will become more effective.

----
When I'm feeling blue, I start breathing again.
[ Parent ]

convincing people (2.80 / 5) (#25)
by martingale on Tue Nov 04, 2003 at 09:21:51 PM EST

That's a fair goal. A million people, you say? Luckily, the internet makes dissemination easy. If I'm around for voting, I'll +1FP your article, then you'll influence maybe 500 people. That's 999,500 people to go, but every little bit helps. I hear slashdot has maybe 1000 people who'll ponder your submission before it scrolls off the page. Where do you intend to advertise next?

[ Parent ]
email everyone (none / 3) (#92)
by MorePower on Fri Nov 07, 2003 at 11:41:26 PM EST

Dude, you missed the obvious way to advertise. We can send out a bunch of bulk, unsolicited emails to every email address we can find. I mean, there's like millions and millions of people on the internet, so if we can convince even 1% of them to join this plan....

Why do I have this weird deja-vu feeling?

[ Parent ]
-1 (1.04 / 22) (#14)
by Night In White Satin8 on Tue Nov 04, 2003 at 03:41:30 PM EST

~yawn~
Why did rusty take away my story writing/diary writing privilege for no legitimate reason?
one minor problem (2.86 / 15) (#15)
by eudas on Tue Nov 04, 2003 at 03:44:34 PM EST

there's one problem: it assumes that all spams are trying to get responses, which they then filter through for data mining.

more and more spam, though, is HTML bullshit with images, and its intent is not to get a response, but is in fact more like a Television commercial -- just trying to get its brand name out there, like Advertising. It's not trying to reel you in -- it's trying to program you.

eudas

"We're placing this wood in your ass for the good of the world" -- mrgoat

speaking of programming (2.57 / 7) (#29)
by Kasreyn on Tue Nov 04, 2003 at 11:01:36 PM EST

is it not plain creepy that I, a person who has had VERY limited exposure to TV in my life, and hasn't lived in the same house with one for ~5 years (with a 3 month visit in there), find myself watering slightly at the mouth like one of Pavlov's fucking dogs when I see a picture of a can of Coke covered in ice?

[shudders] Fucking sick, isn't it? =( Subliminals work, even if you're actively trying to resist or ignore them.


-Kasreyn

P.S. I drink coke and I actually do like the taste of it a lot (though whether I like it because I am programmed to is another issue altogether), so maybe I only drool because I'm reminded of what I like? Confusing shit. Still, it's the only common advertising image that has that sort of effect on me (that I can see).


"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
[ Parent ]
easy solution (none / 0) (#64)
by fishling on Wed Nov 05, 2003 at 07:28:20 PM EST

every time you see an image of a can of coke with ice on it, lick a 9 volt battery and stuff your mouth full of cotton.  that way, your mouth will learn that it should stay dry and until it does, it is going to get shocked.  YMMV.  :-)

[ Parent ]
ROFLMFAO ^_^ I may try that, thanks -nt (none / 2) (#71)
by Kasreyn on Thu Nov 06, 2003 at 01:07:58 AM EST

nt means NO TEXT
"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
[ Parent ]
glad to be of service. :-) (n/t) (none / 2) (#89)
by fishling on Fri Nov 07, 2003 at 05:21:25 PM EST



[ Parent ]
Same problem (2.57 / 7) (#19)
by bugmaster on Tue Nov 04, 2003 at 04:49:04 PM EST

This solution suffers from the same problems that other "spam the spammer" kinds of solutions do.

In order to fill in the bogus data, we'd have to write some sort of script. Yes, it's possible to fill in the data by hand -- but we'd have to actually read the spam for that, and this is what we're trying to avoid to begin with.

If there's a script that inputs the bogus data, then someone can just send a message disguised as spam, and trick the script into accessing the site linked to from the message. Boom, instant DDoS. I agree that something must be done to stem the tide of spam, but in this case the cost may be too high.
>|<*:=

You sir, are referring to ... (3.00 / 4) (#22)
by finite automaton on Tue Nov 04, 2003 at 06:46:36 PM EST

FormFucker.

And yes, it is just as nasty as it sounds. And, yes, it can be used for a DOS attack.

If you Google around the net-abuse newsgroups, you will see that there are two camps on this:

  1. "It's also abuse, don't do it"
  2. "Stick it to 'em"

I am in the "don't do it" camp, but secretly want to be in the "stick it to the spammers good" camp.



[ Parent ]
solution (2.66 / 6) (#35)
by martingale on Wed Nov 05, 2003 at 04:41:58 AM EST

If you wear a mask and a skin tight rubber suit and a cape, then you can also be in the "stick'em good" camp during the night, while keeping your quiet unassuming personality during the day. Win-Win. And you even get to say things like POW!, SPLAT!, BONG!

[ Parent ]
Nonsense! (none / 2) (#50)
by dragonfly_blue on Wed Nov 05, 2003 at 01:43:08 PM EST

FF seems like a nice tool. Would have come in handy on a project I worked on at one point - I ended up using the Perl Nonsense 0.6 module to create random entities for the forms I had to fill out.

What's nice about Nonsense is you can actually use it to generate complex form data - it even handles artificial resumes, school records, Slashdot headlines, absurd college courses - you name it. Very versatile.

I think crazy must be contagious.
[ Parent ]

Yes. Do it by hand. (3.00 / 4) (#33)
by darkonc on Wed Nov 05, 2003 at 02:08:14 AM EST

In order to fill in the bogus data, we'd have to write some sort of script. Yes, it's possible to fill in the data by hand -- but we'd have to actually read the spam

No. I'm expecting it to be done by hand. Precisely because a human is more likely to recognize a joe-job and deal with oddities of the web page. Dealing with joe jobs is part of the reason. The other reason is that it'd be easy enough to write a page to confuse a script, but something which would confuse a human user would make life harder on a real victim -- (and decrease the click-through of paying customers :-)

Yes, you'd have to actually read the spam, but just one or two spams a day... chances are you do that by accident already, but rather than just read it, you'd follow it and mess up their database.


Killing a person is hard. Killing a dream is murder. : : : ($3.75 hosting)
[ Parent ]
no need to read the spam (3.00 / 4) (#36)
by martingale on Wed Nov 05, 2003 at 04:51:03 AM EST

You can scan the HTML source for FORM elements and construct a CGI encoded URL with junk in the various fields. That's fairly easy to script. It would be easy to spot the garbage entries in the database though, if the script doesn't attempt to understand the form. But then again, that shouldn't matter. Obviously, whoever owns the database would only be scanning it periodically, and would have to deal with all the junk entries in one go.

Basically it's still a DOS attack. In fact, it's quite likely that you could easily bring down the server script by directly encoding forms with random data. Most scripts bomb out with unexpected input, since most programmers never do proper input checking.

[ Parent ]

Markov chains! (none / 1) (#95)
by meldroc on Mon Nov 10, 2003 at 03:14:19 AM EST

You could write a script that automatically fills out spam forms with Markov chain output. Since it's statistically similar to human-written text, it'll be hard for spammers to filter it, and it'll take a few minutes of the spammer's valuable time to parse it in order to figure out it's garbage.

[ Parent ]
Why go to all the trouble? (1.76 / 13) (#20)
by Fredrick Doulton on Tue Nov 04, 2003 at 05:24:55 PM EST

It would be easier just to hunt them down and kill them.

Bush/Cheney 2004! - "Because we've still got more people to kill"

Two words (2.91 / 12) (#23)
by roystgnr on Tue Nov 04, 2003 at 08:42:03 PM EST

Joe job.

A joe-job in the wild (none / 1) (#93)
by Maserati on Sat Nov 08, 2003 at 10:36:52 AM EST

http://www.snopes.com/inboxer/outrage/darkprofits.asp

--

For the wise a hint, for the fool a stick.
[ Parent ]

Doesn't matter if... (1.80 / 5) (#24)
by Gysh on Tue Nov 04, 2003 at 09:15:36 PM EST

...the address is spoofed or stolen.

The spammer's great weakness (none / 3) (#66)
by StephenGilbert on Wed Nov 05, 2003 at 08:01:41 PM EST

The point of spam is to sell you something. This means that the spammer eventually has to give you some kind of real contact information so that a transaction can be made.

[ Parent ]
Marketing? (3.00 / 7) (#26)
by Lincoln on Tue Nov 04, 2003 at 09:31:36 PM EST

So what happens if a Spam email's website is getting paid for banner hits? All of a sudden you are supporting the freakN Spammers!
-= Only dead fish go with the flow =-
Turn off images? (2.60 / 5) (#30)
by Tatarigami on Tue Nov 04, 2003 at 11:46:00 PM EST

If you visit a site with scripting and images turned off, and use a browser which allows you to block pop-ups, would that solve the problem?

[ Parent ]
Oh well, put 'em out of business too! (none / 1) (#88)
by derobert on Fri Nov 07, 2003 at 12:22:46 PM EST

Well, since you're not generating any sales for the advertiser, they'll have to give up soon, too. Either they will refuse to do business with spam sites or go out of business. I don't see the problem, really.

[ Parent ]
Excellent (2.20 / 5) (#28)
by ComradeFork on Tue Nov 04, 2003 at 10:08:03 PM EST

I love the idea of fighting nonsense with nonsense. It might not work, but it certainly captured my imagination.

Credit card numbers (3.00 / 7) (#31)
by Edward Carter on Tue Nov 04, 2003 at 11:53:26 PM EST

Most of the time, I think spammers' websites want some kind of credit card number for a valid response to the spam, because they're selling penis enlargement pills or vicodin or whatever.  Filtering out bogus credit card information is easy to do automatically.

Still causes problems (2.71 / 7) (#32)
by darkonc on Wed Nov 05, 2003 at 01:59:15 AM EST

Filtering out bogus credit card information is easy to do automatically.

A massive increase in credit card verification attempts would probably catch the attention (and ire) of the credit card reporting companies.
Killing a person is hard. Killing a dream is murder. : : : ($3.75 hosting)
[ Parent ]

Luhn check may stop it (2.83 / 6) (#42)
by thenerd on Wed Nov 05, 2003 at 10:36:46 AM EST

If the code was up to a reasonable level, a simple luhn check on the CC number would show whether it should be sent to the processor or not. This might unfortunately limit the mayhem caused. =(

[ Parent ]
Nah (none / 3) (#48)
by hardburn on Wed Nov 05, 2003 at 01:16:43 PM EST

It's pretty easy to generate a CC number which is formatted correctly but (probably) isn't on a real credit card. The first few digits identify the company that issued it (MasterCard, Visa, etc.), with each company having a different number of total digits in the complete number. The last number is a checksum digit, which is generated with an algorithm that is fairly easy to find.

Look at the source code to the Business::CreditCard Perl module if you're interested. The comments have the identifier digits and length for many companies, and the checksum algorithm is implemented in the generate_last_digit() subroutine.

Do note that plugging such a number into an order form probably constitutes credit card fraud. IANAL.


----
while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


[ Parent ]
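The Luhn pre-check discussed in the two comments above, seen from the side of a form that decides what to forward to a card processor. This is an added example, not part of the thread and not code from Business::CreditCard; the 13 to 19 digit length window and the function names are assumptions, and the card numbers are constructed test values, not real accounts.

```python
import random
import re

# Separators people commonly type into a card field.
_SEPARATORS = re.compile(r"[ -]")
# Assumed length window covering the major card brands.
_PAN = re.compile(r"[0-9]{13,19}")


def luhn_valid(digits: str) -> bool:
    """Return True if an all-digit string passes the Luhn checksum."""
    total = 0
    # Walk from the rightmost digit; double every second digit.
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9  # same as adding the two digits of the product
        total += value
    return total % 10 == 0


def precheck(field: str) -> str:
    """Classify a submitted card field before any call to the processor.

    'malformed'         -> reject locally, wrong characters or length
    'bad_checksum'      -> reject locally, typo or random digits
    'send_to_processor' -> plausible format only; says nothing about whether
                           the account exists or belongs to the submitter
    """
    cleaned = _SEPARATORS.sub("", field.strip())
    if not _PAN.fullmatch(cleaned):
        return "malformed"
    if not luhn_valid(cleaned):
        return "bad_checksum"
    return "send_to_processor"


def random_pass_rate(trials: int, seed: int = 1) -> float:
    """Fraction of uniformly random 16-digit strings that pass the pre-check.

    Measures how much junk the checksum alone lets through to the processor.
    """
    rng = random.Random(seed)
    passed = sum(
        precheck(f"{rng.randrange(10**16):016d}") == "send_to_processor"
        for _ in range(trials)
    )
    return passed / trials


# Constructed form submissions (test values, not real card numbers).
SAMPLES = [
    "4111 1111 1111 1111",  # widely published test number, checksum correct
    "4111-1111-1111-1112",  # last digit changed, checksum wrong
    "0000000000000000",     # all zeros still sums to a multiple of ten
    "Ima Spammer",          # free text in the card field
    "4111 1111",            # too short
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:24} -> {precheck(sample)}")
    print("random 16-digit strings passing:", random_pass_rate(20000))
```

About one random digit string in ten passes, and so does a row of zeros, so the check trims typos and crude junk but still leaves the processor, or a rate limit in front of it, to deal with the rest.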
One-time CC numbers? (none / 2) (#70)
by knator on Wed Nov 05, 2003 at 11:41:01 PM EST

One of my cards (Citibank) does one-time CC numbers against your account. You can authorize the number up to a certain amount of money over a certain time period (although this is "advanced" functionality).

Although that's probably more trouble than it's worth, it can solve the problem at hand: authorize a one-time number for $1 for a month. Then it gets invalidated and in the meantime you can use it where necessary.

[ Parent ]

It's magnificent. (2.83 / 12) (#37)
by Russell Dovey on Wed Nov 05, 2003 at 08:30:43 AM EST

Wow. Well done.

This is similar to the old trick that I use to deal with Mormons or Jehovah's Witnesses: invite them in and give them a cup of tea, then talk to them for hours and don't let them leave.

The result is that they spend the entire afternoon at your house, when they could be bothering more people. Eventually, of course, they probably just won't come to your house any more, but that's the idea, right?

"Blessed are the cracked, for they let in the light." - Spike Milligan

Jehovah's witnesses (3.00 / 8) (#51)
by gyhujikolp on Wed Nov 05, 2003 at 02:06:25 PM EST

This is similar to the old trick that I use to deal with Mormons or Jehovah's Witnesses: invite them in and give them a cup of tea, then talk to them for hours and don't let them leave.

My housemate did that once. He has a degree in theology from Oxford University. The poor Jehovah's witnesses didn't stand a chance -- his formidable weapons included "Ah, but I think you'll find if you look at the original Greek that this isn't what Christ was saying at all..." ;-).


[ Parent ]

Mormons (none / 2) (#54)
by thejeff on Wed Nov 05, 2003 at 02:41:41 PM EST

I was going to try this with a couple of Mormons who came to my door awhile back, but when I said I was a pagan, one of them whispered to the other, "What's that mean?". So, I figured there'd be no sport in it. Battle of wits with an unarmed opponent and all.

If I'm going to waste my time, I want some challenge at least.

[ Parent ]

"Satanist" works better, lol [nt] (none / 1) (#68)
by vyruss on Wed Nov 05, 2003 at 09:33:49 PM EST



  • PRINT CHR$(147)

[ Parent ]
Satanist (none / 3) (#85)
by thejeff on Thu Nov 06, 2003 at 09:44:28 PM EST

Say you're willing to trade literature and then offer them a copy of the Satanic Bible.

[ Parent ]
OMG Too funny (none / 2) (#75)
by Josh A on Thu Nov 06, 2003 at 04:08:19 AM EST

"What's that mean?"????

---
Thank God for Canada, if only because they annoy the Republicans so much. – Blarney


[ Parent ]
How one friend dealt with the JWs (none / 3) (#84)
by Quantumpanda on Thu Nov 06, 2003 at 08:29:29 PM EST

One of my college friends (he was a really strange guy to begin with--and coming from me, that's saying a lot) once found two JWs at his door. He told them he was a little busy at the moment, but if they were willing to come back in about an hour, he'd be glad to talk to them.

Well, I've never known a JW to turn down an invite like that. So an hour later they went back. My friend answered the door in a black robe. Several candles were burning in the room behind him. He said, "Oh, good. I'm glad you came back. You're just in time for the sacrifice. Cthulhu will be most pleased."

He's never had another visit from JWs at that house.

People are stupid. But we usually can't kill them, so we have to settle for the next best thing: we laugh at them.
[ Parent ]

I resorted to something more prosaic. (none / 1) (#91)
by static on Fri Nov 07, 2003 at 07:29:56 PM EST

Since they were inviting me to their church, I invited them to my church: a middle-class, mildly evangelical baptist church. It quite derailed them, actually.

Wade.

[ Parent ]

[OT - but funny!] A better solution. (3.00 / 4) (#59)
by RevLoveJoy on Wed Nov 05, 2003 at 04:06:16 PM EST

Get a dog.

I am not making this up - this was my dog (bless her) the first year in our new house.

As I mention, the new house. It did not have a paved driveway. In fact, I live in the country, gravel is all I want. However, the first year we had just mud (it was dirt, then winter hit Oregon and well, mud).

So the Mormons show up one fine, rainy, day in their war wagon (15-passenger van) and they get out to preach at me. The dog, we'll call her Buddah (as that's her name) jumps into the van.

Flailing arms and ducking heads as my wet muddy doggie gives "kisses" to all involved!

They have never been back.

I swear on the soul of my goat this is the truth.
-- RLJ

Every political force in the U.S. that seeks to get past the Constitution by sophistry or technicality is little more than a wannabe king. -- pyro9
[ Parent ]

nice, but not new. (2.71 / 7) (#39)
by pb on Wed Nov 05, 2003 at 10:18:35 AM EST

My personal favorite idea involves distributed publishing of all the e-mail addresses and phone numbers received in spam, preferably in such a way to ensure that it will be harvested and used. That way, the spammers and telemarketers and junk faxers could all spam each other to death. :)
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
Divide and conquer (3.00 / 6) (#41)
by shokk on Wed Nov 05, 2003 at 10:36:16 AM EST

Back when Eudora 3.0 first came out they had this nice Resend feature where it forwarded messages with the headers modified to appear as if from the original sender. This worked because everything was an open relay. Anything that I knew was not a mailing list was forwarded off to a list of spam addresses I collected. Back then all spammers had real addresses and replying to a spam got you on their list. So each of these spammers autoreplied and got onto the other spammer's lists, etc. I noticed that a few of these spammers would go down for a day or two after that and then I would get an angry reply telling me to cut it out. I advocate going to these spammer's web sites and entering addresses from other spam mailings in order to make them crossmail each other. If you've noticed, there are plenty of spam addresses out there waiting for reply from legitimate users so they will have the same problem blocking the same multitude of addresses that we are trying to block. Let them spam each other...divide and conquer.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
[ Parent ]
Let them spam themselves too (none / 1) (#74)
by Josh A on Thu Nov 06, 2003 at 04:06:51 AM EST

I just filled out a spammer's form, and put webmaster@spammersdomain.com in the email field ;-)

---
Thank God for Canada, if only because they annoy the Republicans so much. – Blarney


[ Parent ]
been there (2.33 / 6) (#40)
by the wanderer on Wed Nov 05, 2003 at 10:20:01 AM EST

I've been doing that for a while (I even took it further and sent bogus mail messages to all addresses I could find on the spammers' website), but it's only doable if you've got quite some time on your hands.
But still, you're right, if everybody would start doing this, spammers would probably be somewhat discouraged to do their thing.


david, the Lost Boy
the Written Pixel

Do the same for postal spam (2.75 / 8) (#43)
by rujith on Wed Nov 05, 2003 at 10:38:35 AM EST

I do the same thing for postal spam. It doesn't take long to do while going through my snail mail. I make it appear as if I intended to respond, but made some dumb mistake, like mailing back the user agreement rather than the signed credit card application. - Rujith.

I take a similar approach (2.71 / 7) (#44)
by thewookie on Wed Nov 05, 2003 at 10:56:21 AM EST

Wait until you have a handful of mailshots with complimentary return envelopes and put the junk from company X into company Y's return envelope and so on. The best bit about using those free reply envelopes is that it ends up costing the company that sent you the stuff to receive your junk mail reply.

Sweet.

(btw, maybe I'm paranoid but I cross out any ref's or barcodes on the envelope & junkmail so I can't be identified by a unique code of some kind.)

[ Parent ]

Using pre-paid envelopes (none / 2) (#46)
by stefrobb on Wed Nov 05, 2003 at 11:35:31 AM EST

I do this, but I've always wondered what would happen if I changed the return address. Would I get free postage? I will try this with the next envelope I get. Mwahahahaha, etc.

[ Parent ]
In the US, that's mail fraud (none / 2) (#53)
by glor on Wed Nov 05, 2003 at 02:38:32 PM EST

... since you're using the post office to steal from the business.  You claim to have a UK address but it's probably fraud there, too.

--
Disclaimer: I am not the most intelligent kuron.
[ Parent ]

Worked for me (none / 2) (#56)
by nardo on Wed Nov 05, 2003 at 03:04:34 PM EST

Netflix once used plastic envelopes with a sticker on it with my address that I would peel off to reveal their address for when I sent the DVD back to them. I forgot to peel the sticker off once and wound up dropping a pre-paid envelope with my address on it into the mailbox. It was delivered to me a day or two later.

[ Parent ]
Won't work ... (none / 2) (#78)
by palmersperry on Thu Nov 06, 2003 at 11:36:58 AM EST

stefrobb twisted the electrons to say:
> what would happen if I changed the return address.  Would I get free postage?

Well, it might not cost you anything but the recipient might well not appreciate getting surcharged #1 plus the actual cost of the stamp to receive your letter.

[ Parent ]

One step further (3.00 / 7) (#47)
by hal200 on Wed Nov 05, 2003 at 11:37:40 AM EST

My fiance takes it one step further...she uses packing tape to seal the envelopes. No mechanical mail opener will touch it. You can't even use a letter opener. You have to physically pry the tape off, ripping the envelope to shreds before you can get at the junk inside. It's brilliant!

She's evil, but I love her. ;)

[ Parent ]

handling postal spam.. (none / 2) (#72)
by thepunekar on Thu Nov 06, 2003 at 01:29:08 AM EST

right, I too do the same. I fill up the postage paid envelope with all sorts of junk and spam from other companies, make it as heavy as possible, and send it.

[ Parent ]
What I like to do (none / 3) (#73)
by Josh A on Thu Nov 06, 2003 at 04:04:05 AM EST

...is print funny flyers of my own, things like a woman praying to god, and the text is about praying for no more junk mail, etc.

These I put in postage-paid reply envelopes and send back :-)

---
Thank God for Canada, if only because they annoy the Republicans so much. – Blarney


[ Parent ]
Too much work and expense (none / 3) (#79)
by error 404 on Thu Nov 06, 2003 at 12:39:34 PM EST

The individual opening the envelopes is not your target. That individual has zero decision making authority. Your flyer might make that person's day a little better, which would be a good and charitable act on your part but not the goal of the exercise, or a little worse, which would be a useless act of cruelty. People working that kind of job are in it for basic survival and (I speak from experience) in that mode taunting may hurt but it won't change behavior.

Your target is the decision maker.

I just seal the envelope empty and toss it in the outgoing mail. This is quick, so I can do it often. Preparing a flyer would slow me down, and I'd be tempted to skip the whole process. Returning the envelope results in money going from the company to the Post Office. A transfer from an annoying institution that does no net good (I don't do this with anything worthwhile. Yes, I am qualified to judge, I am a member of this civilization and it is my privilege to make that decision so far as my resources - including resources given to me in the hope of getting at my other resource - allow.) to a fundamental component of civilization. The less the envelope weighs, the less it costs the Post Office to carry it, and short of ridiculous overweight, the company gets charged the same. Sealing the envelope means that it must be opened, which moves money from the company bottom line to the envelope-opener's survival fund.
..................................
Electrical banana is bound to be the very next phase
- Donovan

[ Parent ]

Ratios (2.71 / 7) (#45)
by adrizk on Wed Nov 05, 2003 at 11:24:23 AM EST

In the last few years, the spamming industry has managed to raise the signal-to-noise ratio of my email from less than 1% to well over 90%.

Shouldn't that be the other way around? I.e. you have a lower, rather than a higher signal to noise ratio now?

Jargon File: Signal-to-noise ratio

Just a little point though, in an otherwise great article. I'd be very interested to see how this would work..



Idea of how to beat spam (2.50 / 4) (#49)
by asaccin on Wed Nov 05, 2003 at 01:30:01 PM EST

Why not introduce a fake response for every spam caught by a spam filter? In effect, a message goes back to the spammer with all the correct details of, 'Email not know etc etc'. Eventually, the email will be taken off the spamlists - and no more spam. Would this work?

Won't work (2.75 / 4) (#57)
by wastl on Wed Nov 05, 2003 at 03:25:03 PM EST

Nowadays, spammers mostly use forged From-addresses and Return-Paths. One of my domains is regularly abused in this manner, and I get approximately 5 bounces per second.

Recently, I got a massive "spam attack" with from-addresses from "indiatimes.com" (approximately 1000 messages a minute) with random local parts at my domain (all of them non-existent). Of course, indiatimes was not the originator. The messages came from DSL accounts in Sweden, South Africa and Brazil, so I'd suspect they were using "captured" home PCs.

Spammers simply don't care whether their database contains large amounts of invalid addresses. It is cheap enough to send the messages anyway, they don't even have to pay for the bounces, since other people are getting them, and they don't have to pay for the majority of send-traffic, since they use captured computers from other people.

In my opinion, there is really only one way: legislative measures. Let some spammers be executed in China or Texas.

Sebastian

[ Parent ]

Won't work (none / 2) (#62)
by Alhazred on Wed Nov 05, 2003 at 05:00:40 PM EST

Oh Icky, I'm now breaking 12 laws instead of 11. If those darned politicians pass another it will be 13, BEFORE breakfast that is...

Legislation doesn't do crap. You think it's legislation that scares criminals? No, it's law enforcement that scares criminals.

How about if major ISPs set up a PKI with a root CA that charges $50.00 a pop for personal digital certificates, and then they deep 6 any email that isn't signed with one of them? If you get nailed for spamming your cert goes on a CRL.

End of story. If the response is quick enough then you'd have spammers forced to spend $50.00 x however many times a day they get revoked. Coupled with denying credit cards whose owners end up on these CRLs and it would get real hard to send out SPAM right quick.

And the fact is that using a signing proxy such an infrastructure could be deployed very rapidly with virtually no need for software updates, just a bit of added infrastructure at the ISPs. I'd venture to imagine that the reduced cost of SPAM processing would pay for it pretty quickly.
That is not dead which may eternal lie And with strange aeons death itself may die.
[ Parent ]

Problems with your root CA strategy (none / 1) (#65)
by pin0cchio on Wed Nov 05, 2003 at 07:31:33 PM EST

You aren't the first to suggest requiring that all e-mail messages be signed. How would the ISPs recover the $50 per customer per year cost of these certificates without increasing everybody's ISP bill by $4 per month? And what happens when the root CA becomes corrupt *cough*Verisign*cough*?


lj65
[ Parent ]
A better system is being developed (none / 2) (#67)
by Dwonis on Wed Nov 05, 2003 at 08:24:36 PM EST

You aren't the first to suggest requiring that all e-mail messages be signed.

I'm working on a proposal for a system like that, and it's decentralized, DoS-resistant, *simple*, and doesn't have a lot of the problems that current systems have.

I actually stumbled across it while I was playing with the idea of removing a lot of the cruft from existing protocols, and merging together a few of them. Another interesting thing about all this is that it seems to be solving a lot of other problems. Just a few days ago, I figured out a simple, decentralized single-sign-on system that uses components of the same system.

The Internet-Drafts will probably be out in a year or two (provided I don't run into any unrecoverable problems).

[ Parent ]

Interesting :-) (none / 1) (#80)
by l3nz on Thu Nov 06, 2003 at 12:54:40 PM EST

Let us know something about the existing part, c'mon! :-)

Popk ToDo lists - yet another web-based ToDo list manager. 100% AJAX free :-)
[ Parent ]

Yeah, me and some friends of mine (none / 1) (#96)
by Alhazred on Mon Nov 10, 2003 at 09:31:07 AM EST

developed such a system 5 years ago. It's really dirt simple to do, though there are a couple sticky parts. In any case we can actually have a web page do a CLIENT SIDE check on credentials, so basically you go to site A where you log in, and then go to a page on site B, which, using only JavaScript, can securely determine that you have legitimate credentials. Naturally if you feel less trusting you could forward that information to a server which could verify it with the original source of the credential.

Furthermore using distributed object store techniques there need be no centralized user database, you just have to have a web of trust between the various servers.

Exposing the authentication API via an RPC mechanism lets you authenticate pretty much any arbitrary thing you want, and from there you can tie into it via LDAP and/or SASL, etc.
That is not dead which may eternal lie And with strange aeons death itself may die.
[ Parent ]

SMTP (none / 2) (#63)
by katsklaw on Wed Nov 05, 2003 at 05:34:46 PM EST

It's easier to re-write SMTP so that SMTP authentication is required by all POP3 Servers and have the POP3 servers then run a verify script back to the originating SMTP to ensure the user is valid. An extra field in the headers can then be placed with the required info. A valid and responding SMTP server would then be allowed to send email. New POP3 servers can then check for that extra field and auto-bounce all mail that is missing it, this will help filter out spammers that use older servers that don't have the SMTP authentication requirement. This way bounced email would go to a valid user, even if that mail isn't read or simply deleted unchecked .. this will now tax the incoming and outgoing bandwidth along with the machine that the mail servers are on. Legitimate mail servers would have no problem with meeting that requirement.

It would also benefit if all ISP's would pay closer attention to spam that goes through their servers from known spammers and use blacklists more often.

[ Parent ]

If anyone's got a few minutes (2.81 / 11) (#52)
by djotto on Wed Nov 05, 2003 at 02:15:20 PM EST

I just got viagra spam advertising http://www.med32zd.com/

Inspired by this essay, I just took a look around their site. They have a "live support" chat script where you can talk to a real person. I've been amusing myself by pasting bits of other spams into the chat window at random. I encourage anyone with time on their hands to make a spammer's day a little more surreal.



Live support was obviously being spammed so... (none / 2) (#69)
by vyruss on Wed Nov 05, 2003 at 10:06:06 PM EST

...I used the mail form to send them various spams I received this week. The best one was (I laughed my ass off when I received it, even more so when I sent it to them):

From: "Valentin"<vm@ustas.ru>
Subject: Letter
Date: Mon, 3 Nov 2003 18:08:21 +0300

Dear Friend,

I send you this message from a library of our small city and I hope very much that this message has reached your address.

My name is Valentin, I'm a student and I live with my blind mother in Russia. I work very hard every day to be able to take care of my mother, but my salary is very small because my studies are not finished.

Due to the crisis our authorities stoped gas in our small city and now I cook food for my mother and me by making a fire near our home. Now we cannot heat our home because we don't have gas anymore and I don't know what to do, because the winter is coming and the temperature outside will be minus 30 degrees Celsius. I'm afraid that the temperature inside our home can be lower than 0 degrees and we will not be able to survive.

Therefore I send you this desperate message with a prayer in my heart and I hope you can help us. If you have any old warm blankets, sleeping bags, portable heater or any other things which can help us during the winter, as well as any high-calories food-stuffs, I will be very grateful to you if you could send it to our postal address which is:

Valentin Mihailin,
Ryleeva Street, 6-45,
Kaluga. 248030,
Russia.

If you think that it would be better or easier for you to help with some money, please write me back and I will give you the details for sending it safely if you agree. This way to help is very good because the necessities here are not very expensive.

I pray to hear from you soon. From all my heart I wish you Happiness, Love and Peace.

God Bless You,

Valentin and my Mother Elena.
Kaluga. Russia.


  • PRINT CHR$(147)

[ Parent ]
Here's my spammer timewaste (none / 0) (#104)
by BrianAldridge on Mon Nov 17, 2003 at 08:21:41 PM EST

I'll have another go tomorrow.

** You are now speaking with Jack, support. **
Ted Heath : is this stuff legal?
Jack : hi there
Jack : this is generic tadalafil
Jack : All orders are shipped from India
Ted Heath : what's that?
Jack : the active ingredient
Jack : The name brand product only recieved FDA Approval a few weeks ago and won't be available over the counter in the US for a few months.
Ted Heath : does it work for women too? My wife could do with a little help...
Jack : Results from an exploratory placebo-controlled trial show no conclusive treatment effect relative to placebo in women with Female Sexual Arousal Disorder
Jack :
Ted Heath : So that's a maybe?
Jack : kind of yes
Jack : some women do try it as with Viagra although research has been inconclusive
Ted Heath : Pardon me for asking but have you tried it? does it really work?
Jack : no I havent but I know many who have
Jack : it works really well for 80% of men with ED
Ted Heath : Do you ever get irritated by unwanted mail messages?
Jack : Yes, but really its just data
Ted Heath : How many do you typically receive per day?
Jack : I dont, I filter them out
Ted Heath : It's a hassle though. I think it's worse than paper mail because people pay to receive it
Jack : I really dont have an opinion....too many other things to have an opinion about
Ted Heath : Such as?
Jack : If you have no further question, I'll say good night...take it easy..
Ted Heath : See, you and spammers like you have wasted my time so I waste yours
Ted Heath : Thanks
Jack : thank you, I get paid by the call :)
Your party has left this session.**

[ Parent ]

excellent (none / 0) (#106)
by monsted on Tue Nov 18, 2003 at 09:28:19 AM EST

"Jack : thank you, I get paid by the call :)"

Now this is just brilliant. If we can create a large enough cost by having them pay these people, their business goes straight to hell :)

[ Parent ]

/. material here (2.60 / 5) (#55)
by Rahyl on Wed Nov 05, 2003 at 02:49:49 PM EST

This would be perfect /. material.  Remember what happened when the name and home address of a spammer was spread around there?  He got buried under junk.  The same principle would work here :)

The same process would also bring the IRS to its knees in little time.  As automated as their processes have become, a little work on the part of a lot of people would shut them down pronto.

"Civil Disobedience is Golden"

fax advertising... (2.66 / 6) (#60)
by xcham on Wed Nov 05, 2003 at 04:06:35 PM EST

I've always thought unsolicited fax advertising was the most virulent kind of advertising, since in addition to consuming your time and mental resources in filtering it, it's consuming a significant amount of ink and paper (both corporeal, physical resources). My father and I have taken to "invoicing" senders of unsolicited faxes, 0.38 per page, not bothering with their automated removal systems, but placing a footnote on the invoice asking personally for a removal. If they continue to send me these things, I'll just keep sending invoice, until I have an amount high enough for small claims court. Will it work, who knows? Who cares? Scaring them a little is worth it.



If you're in the US (none / 1) (#87)
by derobert on Fri Nov 07, 2003 at 12:13:42 PM EST

If you're in the US, the correct charge is $500+ per fax, by statute. See, for example, http://www.coldcure.com/html/faxlaw.html

[ Parent ]
what if... (1.33 / 6) (#76)
by the77x42 on Thu Nov 06, 2003 at 04:38:33 AM EST

... everybody wrote an article talking about how much they hate spam? WAIT... they already have!!


"We're not here to educate. We're here to point and laugh." - creature
"You have some pretty stupid ideas." - indubitable

You tit. [n/t] (none / 3) (#90)
by mr strange on Fri Nov 07, 2003 at 05:45:40 PM EST



intrigued by your idea that fascism is feminine - livus
[ Parent ]
Won't work that well. (2.25 / 4) (#77)
by Anonymous Hiro on Thu Nov 06, 2003 at 11:20:38 AM EST

Spammers use throwaway email accounts.

You probably don't.

So unless you take the trouble to forge and hide your tracks, be prepared to change your email address after you get joe-jobbed.

You may not be as willing to bear the costs as the spammer is (time, effort). This is his/her chosen area of interest. Your area of interest could be different.


You think I give them MY email address???? (none / 2) (#82)
by darkonc on Thu Nov 06, 2003 at 02:54:58 PM EST

So unless you take the trouble to forge and hide your tracks, be prepared to change your email address after you get joe-jobbed

I usually use the email address of the last Nigerian scam spam. If we're lucky they'll even start up a dialogue....

So let me get this straight -- If I get you a new mortgage on your house in Nigeria, you'll give me 5Million dollars???

Killing a person is hard. Killing a dream is murder. : : : ($3.75 hosting)
[ Parent ]
True (none / 1) (#86)
by Anonymous Hiro on Fri Nov 07, 2003 at 04:35:55 AM EST

But in some cases they may be able to identify you, depends on what email client you use and your security settings/config, or whether you actually clicked on the links in the email.

[ Parent ]
Only for toll-free numbers (3.00 / 7) (#83)
by JamesThiele on Thu Nov 06, 2003 at 06:56:14 PM EST

I have a rule for my email client that puts any email containing "800", "866", "877", or "888" into a folder called "Toll Free". I check it every morning and if there is a SPAM in there with a valid toll free number I call it and say, "I got your email with the subject 'You can make more money now' and I just wanted to call to let you know I'm not interested." in a calm voice and hang up.

Responses feed data miners (none / 2) (#94)
by Riba on Sat Nov 08, 2003 at 06:22:55 PM EST

NEVER respond to spam.  (I had to open an account to make this point everyone seems to have missed :-) )

Replying via email is the most direct way of shooting yourself in the leg.  You've just verified your email address to the spammer...

URLs in the emails are the same.  You might think that clicking a link can't be traced?  Yes, it can.  The spam emails I've bothered to analyse rarely contain plain links like "www.business.com" but rather they're links with numerical/unidentifiable parameters.  "It's for dynamic content," you might claim but I'd say it's for identifying the recipient.

The URL would carry enough information to link back to your email address and by clicking it, congratulations, you've again confirmed to the spammers that email address works and that the spam message was read and you've even visited the web page.  Now the spammer can collect the money offered by the buyer of the spam campaign, plus he can make more money by selling your "certified" email-address to other spammers and he can cash in on the various banner ads that you loaded whilst visiting the page.

If your mail client is smart enough you don't even need to click a link to do this, the mail client probably loaded the pictures the mail had IMG-tags to, like that transparent 1x1 GIF named www.spammemore.com/subscribe?id=youremail@dummy.net.gif.

The actual content of the web page, like "unsubscribe forms" can be all bogus.  The main function was to verify your email address, not to gather real un/subscriptions.

This whole thing can be automated to a very high degree.  The more you interact with the spam the more you play into the spammer's hands.  I recall some spammer bragging that most of their income comes from selling spam tools, antispam tools and email address lists.

In addition to spam filtering the only sort-of effective block I've read of is tarpitting.  See http://www.lyris.com/about/whitepapers/stop_spam_now.html for reference.

To make a real response to spam would be by tracing back the server that relayed the message and send email to abuse@ address of the domain.  In addition, whois-database provides a good basis to track down the people who have put the web sites up.  whois-database has (or should have) full contact infos.
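
The tracking described in the comment above (per-recipient link parameters and 1x1 images) can be checked for before a message is rendered. This is an added example, not part of the original thread: it parses a constructed HTML mail and flags remote references that look like recipient identifiers or web bugs. The sample message, its `.example` hostnames and the `OPAQUE` thresholds are assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample message; all hostnames use the reserved .example TLD.
SAMPLE = """\
From: offers@bulk.example
To: alice@mail.example
Subject: You can make more money now
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Great rates! <a href="http://shop.example/landing?c=77&amp;uid=4839201774">Click here</a></p>
<p><a href="http://shop.example/about">About us</a></p>
<img src="http://img.example/banner.jpg" width="468" height="60">
<img src="http://track.example/subscribe?id=alice%40mail.example.gif" width="1" height="1">
</body></html>
"""

# Assumed heuristic: a parameter value that is a long number, or a long
# token containing digits, is treated as a possible per-recipient identifier.
OPAQUE = re.compile(r"^(?:\d{6,}|(?=[A-Za-z0-9_-]*\d)[A-Za-z0-9_-]{16,})$")


class _RemoteRefs(HTMLParser):
    """Collect every <img src> and <a href> with its attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (kind, url, attrs)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.refs.append(("img", a["src"], a))
        elif tag == "a" and a.get("href"):
            self.refs.append(("link", a["href"], a))


def _is_tiny(attrs):
    """True when both declared dimensions are 0 or 1 pixel."""
    def px(value):
        m = re.match(r"\s*(\d+)", value or "")
        return int(m.group(1)) if m else None
    w, h = px(attrs.get("width")), px(attrs.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_trackers(raw_message):
    """Return [(kind, host, [reasons])] for suspicious remote references."""
    msg = message_from_string(raw_message, policy=default)
    to = msg["To"]
    recipients = {a.addr_spec.lower() for a in to.addresses} if to else set()
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _RemoteRefs()
    parser.feed(body.get_content())

    findings = []
    for kind, url, attrs in parser.refs:
        reasons = []
        parts = urlsplit(url)
        decoded = unquote(url).lower()
        if any(r in decoded for r in recipients):
            reasons.append("recipient address in URL")
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if OPAQUE.match(value):
                reasons.append(f"opaque identifier-like parameter '{name}'")
        if kind == "img" and _is_tiny(attrs):
            reasons.append("1x1 image (web bug)")
        if reasons:
            findings.append((kind, parts.hostname, reasons))
    return findings


if __name__ == "__main__":
    for kind, host, reasons in find_trackers(SAMPLE):
        print(f"{kind:4} {host}: {'; '.join(reasons)}")
```

A mail client that blocks remote images by default never fetches the flagged `img` URL, so the address confirmation the comment warns about does not happen.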


Tarpitting is useless (none / 1) (#100)
by dn on Thu Nov 13, 2003 at 04:35:03 AM EST

Spammers quickly adapt to simple defensive measures. Moreover these days they're using huge networks of cracked machines running spambot software, so even a destructive reactive approach (crack and destroy the sending machine) probably wouldn't keep ahead of the flood.

My solution is client-side filtering. Mozilla's simple Bayesian filtering takes care of 95%+ of the spam I get (half a dozen spams on Monday morning compared to several hundred), and there's a lot of room to make the filtering much more intelligent and better. In the end, spammers will always be forced to send out millions of messages that have strongly correlated content, and statistically speaking those stick out like a sore thumb. No amount of randomly fiddling the punctuation and so forth can fix the statistics.

I predict that more and more people will start using statistical filtering. In response, the spammers will send more and more spam to get "enough" sales. But the more they send, the more people will migrate to filtering, the more identifiable the statistics will become, and the more sophisticated the analyzers will become (look for contributions from the NSA). The arms race will rapidly run to completion and spammers will largely die out.

    I ♥
TOXIC
WASTE

[ Parent ]

Spammers are poisoning Bayesian filters (none / 1) (#105)
by plover on Mon Nov 17, 2003 at 09:43:08 PM EST

I've noticed that recent spams have incorporated "innocuous" text in addition to the HTML sales pitch. It looks like perhaps some snippets from an eText in project Gutenberg (that I wouldn't want to read,) clips from a news source, or perhaps just a nonsense "personal letter generator." Regardless, my "spam corpus" is building up a vocabulary I don't really want it to have. Spam will remain spam, but I fear it won't be long before the false positive rate rises to unacceptable levels, and that's the time the filters have to come off.

I think ordinary filtering is becoming more and more effective at the ISP layer of email delivery, and that the spammers are having a more difficult time spewing their crap without it getting caught in the drift nets. They're turning their attention to defeating the filters, and the arms race is simply heating up another notch. We're not winning.

[ Parent ]

I'm not entirely sure (none / 0) (#110)
by dn on Fri Nov 21, 2003 at 08:24:30 PM EST

Spam filtering is in its infancy—there are a lot of statistical techniques not yet being used. The existing systems are also rather opaque, so users can't easily whitelist important senders, tune the rejection threshold, and fix problems.

Also, AFAIK none of the filters use spam-trap email accounts. Doing cross-correlation on an account that gets nothing but spam would catch the lion's share of spam but have a near-zero false positive rate.

    I ♥
TOXIC
WASTE

[ Parent ]
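
The spam-trap cross-correlation suggested in the comment above, together with the same poster's earlier point that fiddling the punctuation does not hide correlated content, can be sketched with word shingles and Jaccard similarity. This is an added example, not part of the original thread and not the method of any filter named on this page; the class name, the 0.5 threshold and the sample messages are assumptions, and all messages are constructed.

```python
import re


def shingles(text, k=3):
    """Set of k-word windows over the text, ignoring case, digits and punctuation."""
    words = re.findall(r"[a-z]+", text.lower())
    if len(words) < k:
        return {tuple(words)} if words else set()
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets: |a & b| / |a | b|, 0.0 if either is empty."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


class TrapCorrelator:
    """Compare incoming mail against bodies received by a spam-trap address.

    The trap address is never used for real correspondence, so everything
    it receives is treated as spam without any manual labelling.
    """

    def __init__(self, threshold=0.5):
        self.threshold = threshold  # assumed cut-off, tune on real traffic
        self.trap = []              # one shingle set per trap message

    def learn_from_trap(self, body):
        self.trap.append(shingles(body))

    def score(self, body):
        """Highest similarity between this body and any trap message."""
        s = shingles(body)
        return max((jaccard(s, t) for t in self.trap), default=0.0)

    def is_spam(self, body):
        return self.score(body) >= self.threshold


# Constructed samples.
TRAP_MSG = ("Lowest mortgage rates in years. Refinance today and save "
            "thousands. Call our toll free number now to speak with an agent.")
# Same campaign with changed case and punctuation plus random trailing words.
VARIANT = ("LOWEST mortgage rates in years!!! Refinance today -- and save "
           "thousands... Call our toll-free number NOW, to speak with an "
           "agent. qzx vbn")
# Legitimate mail that happens to share a few individual words.
LEGIT = ("Hi Sam, the meeting moved to Thursday at ten. Can you call our "
         "office and bring the mortgage paperwork?")


def demo():
    c = TrapCorrelator()
    c.learn_from_trap(TRAP_MSG)
    return {
        "variant_score": c.score(VARIANT),
        "variant_spam": c.is_spam(VARIANT),
        "legit_score": c.score(LEGIT),
        "legit_spam": c.is_spam(LEGIT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the legitimate message shares single words but no three-word run with the trap message, it scores zero, which is the low false-positive behaviour the comment expects from a trap-fed comparison.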

Collaborative Spam-Fighting (none / 2) (#97)
by nstender on Mon Nov 10, 2003 at 11:42:41 PM EST

Have you heard about Cloudmark? They allow you to tap into a community of 700k+ users, instantly sharing "signatures" of spammails. Only a few people have to detect a spammail and the rest will know. It resembles the immune defense system.

Cloudmark, Vipul's Razor, etc. (none / 2) (#111)
by wiml on Thu Dec 04, 2003 at 12:51:42 AM EST

Cloudmark and Vipul's Razor are the same (that is, they use the same servers). Razor is an open-source perl-based client. :-)

There are other projects that work along similar lines (such as Pyzor, which has even more open-source-y goodness).

[ Parent ]

We need a new solution. (none / 1) (#98)
by spstanley on Tue Nov 11, 2003 at 02:30:31 PM EST

All the talk of deflecting spam, raising the cost of spam to spammers, etc. is just band-aiding the problem or ineffectual. What we need is to change the way e-mail works so spam is no longer even an issue. What if e-mail was constantly stored on mail servers, and all you received was the header data, including the subject line, and a "link" to purposefully retrieve the body of the e-mail? We would have these benefits: 1) Open relays would no longer exist -- you'd be going directly to the server to retrieve your e-mail. 2) The cost is automatically higher for would-be spammers. They have to continue storing the e-mail so you can retrieve it! 3) Now you know where they live. You can't retrieve e-mail without knowing where to get it, and if you don't like what you see when you "visit" their server, you'll never be back.

Re: We need a new solution. (none / 1) (#99)
by voblia on Wed Nov 12, 2003 at 07:20:38 AM EST

1) Open relays would no longer exist -- you'd be going directly to the server to retrieve your e-mail. Is getting 1000 of headers different from getting 1000 emails? 2) The cost is automatically higher for would-be spammers. They have to continue storing the e-mail so you can retrieve it! Ever heard of symlinks? Like lets have one copy and send the header to like 1 mil of spamees. And what about authenticating to every server you can receive email from? How can the server be sure that the email is designated for you?

[ Parent ]
How about a nice script that parses the SPAM mbox? (none / 1) (#101)
by sayamindu on Mon Nov 17, 2003 at 09:03:02 AM EST

How about a nice script that parses the SPAM mbox and sends out "Get out of my box - or I'll pee right through ya!" - or something like that to the spammers (using a fake email address of course) :-D For creating the SPAM mbox - procmail+spamassassin is your friend.

Give em' hell (none / 1) (#102)
by rockkid on Mon Nov 17, 2003 at 07:04:36 PM EST

I did this in response to a cracker trying to steal my Paypal data by sending me a link to a fake form.

(What a fool!)

Anyway, perhaps not so brightly, I did put in fake information, though the best course may just be to report such things, in this case to Paypal security, which I also did, but sometimes you have to get the scallywag at their own game.

****
I've always wondered how anyone profits off of spam, and why any fool would pay for "natural Viagra" or whatever shit they're pushing to convince them that continuation will be at all profitable.
<<<<I am the cure and the sickness.>>>>>

He he, got /.'ed (none / 0) (#103)
by basta on Mon Nov 17, 2003 at 07:36:52 PM EST

http://ask.slashdot.org/article.pl?sid=03/11/17/2247251

Are you nuts??? (none / 0) (#107)
by arcanum on Tue Nov 18, 2003 at 03:23:39 PM EST

RESPOND to these?? You actually think one has time to respond to a 150 ABSOLUTELY fucking good for nuthin, bandwidth wasting SPAM MAIL ????? I get a 150 a day, and I don't even use that account.
Its a Satanic Drug Thing...You would'nt Understand !
[ Parent ]
Plug-ins for Mail programs are needed (none / 0) (#108)
by SoopahMan on Tue Nov 18, 2003 at 11:42:09 PM EST

What would really make this effective is a randomized auto-response to junk mail.

In Plugin form you could make anything that's automatically marked as junk respond with a nonsense "Yes please sign me up!" response, each time jumbled in some way (reordering of words, varying phrases, varying message length, random misspellings/bad English).

This could sit on mail servers too - things that are  so obviously bulk mail spam that there can be no mistake about it could be turned around with a "response" immediately, using the same above algorithm.

The advantage is that, sure they can just turn on some kind of junk filtering themselves to try to prevent those autoresponses from coming in - but they'll look so much like real responses, they'll be loathe to turn it on. They'll be faced with losing 1 out of the 5 precious responses they get, if not more.

A campaign by each person to occasionally reply has some effect - but a campaign by each to install Spammer Jammer software - that's genuinely effective.

Someone write this software!

Yeah... (none / 0) (#109)
by SirDvorak on Thu Nov 20, 2003 at 09:57:20 PM EST

This is much like the idea of sending in "postage paid" junkmail items so that they actually have to pay the postage.  Good idea indeed.

The Cause of Spam (none / 0) (#112)
by Jumery on Sat Dec 27, 2003 at 02:09:51 PM EST

The cause of spam is people buying the products, just make it illegal to buy the shit spam sells :).

Responding to Spammers -- The Internet Strikes Back | 112 comments (101 topical, 11 editorial, 0 hidden)