Spammers are getting smarter

By static in Internet
Sat Mar 03, 2001 at 02:21:05 PM EST
Tags: Technology

I've noticed a new trick in Unsolicited Commercial Email (spam): they publish a "remove" address near the bottom along with a warning that attempting to block or close that account will prevent other people unsubscribing.


Having managed to be spam-free for a long time, due to a mismanaged web site I patronised some while ago, one of my email addresses has now made it onto spam lists. It seems to average 1 a day, but there's a few differences from when I first saw spam several years ago.

Firstly, the email headers are much less often forged. There are still open email relays out there, of course, and people still sometimes forge their return address as "@hotmail.com", but the obfuscation seems to have generally been dropped.

Many of them also list "remove" accounts. Being the cynic I am against spam, I always assume these are only being used to verify email addresses. I would, of course, never be so clueless as to respond to those. Instead, I forward the email to the relevant abuse@[whatever-service-they-are-using]. (When abuse@* doesn't work is another problem.)

And that's where a lot of people are probably going to be put off: most spam I get with a "remove" address includes a message saying that attempts to block or shutdown that account will prevent other people from unsubscribing. So as well as telling providers about a spammer using their service, I've been asking that they confiscate the spammer's database.

Is this a good tactic? What is everyone else doing with this new twist? Any ideas on the effectiveness of it? Or of my response to it?

Wade.

Spammers are getting smarter | 59 comments (59 topical, editorial, 0 hidden)
Smarter? (4.75 / 8) (#1)
by spaceghoti on Sat Mar 03, 2001 at 01:08:53 AM EST

If spammers were getting smarter, they wouldn't be spamming. But that's another issue.

I've been getting spam like this for quite some time. "If you have this account removed, we will be unable to respond to move requests." I also see far more insidious comments, such as "according to X article of Y law passed by Congress on Z date, this email is not illegal so long as a method for list removal is provided." I have no idea if the article or law is legitimate, and I don't care. If Congress was stupid enough to pass such a law, then I will respond with simple disobedience. I'm not hacking these spammers, I'm just reporting them to the site admins requesting they be removed.

Sending to abuse@<spamdomain.com> is a good thing, but not always reliable. root is sometimes a good address to send to, as is postmaster. But the most reliable way is to get someone else to do the work for you. If you check with Spamcop and Abuse.net, they'll provide you with all the information you need. From then on, all you need to do is forward your spam messages to their email addresses with as much of the header information as you can possibly include, and so long as you've provided the information they outline for you, they handle it from there.

Warning: many spammers set up accounts for "list removal" through arabia.com. One of the things about list removal is that there's no law preventing spammers from selling your email address to someone else before they remove it from their list, if they actually do so. As for arabia.com, I'm in the habit of sending to them to ask that they participate in discouraging spammers but they've apparently gotten so many complaints that they're treating these complaints as spam and threatening legal action. Personally, I'd like to see them do it. In the meanwhile, I hope they get black holed.



"Humor. It is a difficult concept. It is not logical." -Saavik, ST: Wrath of Khan

Wasn't aware of that about arabia.com (4.00 / 1) (#3)
by static on Sat Mar 03, 2001 at 01:31:56 AM EST

So far, I've sent one to postmaster@arabia.com.

And I don't email postmaster@spammersdomain.com. If they are using a yahoo account for removes (seen several of those...) I'll email abuse@yahoo.com. :-)

I will certainly check out spamcop and abuse.net. I was aware of these types of resources; I just need to find time to see how to use them!

Wade.

[ Parent ]

Spam legality (4.50 / 2) (#11)
by BehTong on Sat Mar 03, 2001 at 08:36:51 AM EST

Do you really believe them when they claim, by some rather suspicious reasoning, that what they're doing is legal? I once got a spam with a notice saying that it's legal according to Congress or some such nonsense, and they forged the headers. Sure gives me a lot of confidence that their dealings are legal! Duh.

I LART'ed them with Spamcop. And will continue to do so with every spam I get. I don't care how they care to explain or justify themselves. Heck, a bank robber can feign as a customer. That doesn't mean he's any less of a robber.

Beh Tong Kah Beh Si!
[ Parent ]

'legal' (5.00 / 2) (#19)
by Seumas on Sat Mar 03, 2001 at 01:04:53 PM EST

What you're probably speaking about is the reference to Bill 1614 (I think that was the number?) that they attempt to use to validate their right to spam "as long as we provide a way to remove yourself".

Of course, what they fail to mention is that the bill was only that -- a proposed bill. It hasn't become a law in the two or three plus years that they've been using it as a tag in their spam messages.
--
I just read K5 for the articles.
[ Parent ]

well, it kinda is. (none / 0) (#33)
by chuqui on Sun Mar 04, 2001 at 02:38:53 AM EST


>by some rather suspicious reasoning, that what they're doing is legal?

Hate to tell you this, but chances are the spamming IS legal. because there are no laws against it that have held up in court so far, and it's going to be fun to watch them try to build some that will. even if Congress creates an anti-spam law for the U.S., what jurisdiction do they have against someone in Brazil relaying through Thailand, anyway?

We all hate spam -- even if we can't come up with a consensus definition for it -- but the problem is, it's like farting in a theater: we hate it, but it's legal, and all the laws in the world aren't going to stop it, because it's damn impossible to enforce.


-- Chuq Von Rospach, Internet Gnome <http://www.chuqui.com> <kuro@chuqui.com> "The first rule of holes: If you are in one, stop digging"
[ Parent ]
spamcop (5.00 / 1) (#37)
by chuqui on Sun Mar 04, 2001 at 02:48:52 AM EST


> LART'ed them with Spamcop.

as someone who runs e-mail systems for a living, I find spamcop pretty useless. It sure doesn't serve the basic purpose, which is to get the email to stop. I guess it makes people feel like they're doing something, but as someone who is on the receiving end of Spamcop requests here and there, it basically makes it impossible for me to do what the person wants.

I don't use it, don't recommend it, and frankly, am not terribly impressed with the system.


-- Chuq Von Rospach, Internet Gnome <http://www.chuqui.com> <kuro@chuqui.com> "The first rule of holes: If you are in one, stop digging"
[ Parent ]
spammers... (none / 0) (#36)
by chuqui on Sun Mar 04, 2001 at 02:46:08 AM EST


>If spammers were getting smarter, they wouldn't be spamming. But that's another issue.

This isn't really correct.

first, some spammers make good money doing what they do. You may not like it, but a lot of people react to the spam, enough to make it profitable for them.

But don't forget, where a lot of these people make their money is selling spam kits to people who don't know any better. they aren't spamming themselves -- they're writing tools to allow people to spam, and selling them. So the tool writers make money, and the spammers are people who buy those kits....


-- Chuq Von Rospach, Internet Gnome <http://www.chuqui.com> <kuro@chuqui.com> "The first rule of holes: If you are in one, stop digging"
[ Parent ]
I'll concede this. (none / 0) (#42)
by spaceghoti on Sun Mar 04, 2001 at 04:26:39 AM EST

Spammers are getting rich by playing off the ignorance and greed of ignorant people wanting to get rich quick with minimal effort. In the South after the American Civil War, they called 'em "carpetbaggers." These people aren't stupid, they know exactly what they're doing, which is a large part of why I object to them.

No, spammers aren't stupid. Which makes it all the more a crime in my mind. They're providing tools and encouraging idiots to harass me with spam for their own benefit. Legal or not, the ethics are questionable and I approve of efforts like Spamcop and Abuse.net to shut them down.



"Humor. It is a difficult concept. It is not logical." -Saavik, ST: Wrath of Khan

[ Parent ]
Illegal (none / 0) (#43)
by Robert Gormley on Sun Mar 04, 2001 at 06:54:46 AM EST

It might not be illegal, but with 99.9% of the ISPs out there, it is a definite TOS violation. Not quite the same thing, but can be frustrating.

[ Parent ]
"We saw your resume in your webpage..." (3.33 / 3) (#2)
by Estanislao Martínez on Sat Mar 03, 2001 at 01:22:18 AM EST

The one I'm getting constantly is the one where some job board website (my guess, I never visit) sends me spam claiming to have read my resume on my webpage and that I fit in very well for one of their positions, and thus, I should visit such and such URL...

Which of course runs into the fact that I have no resume on my webpage...

There's also the spam that claims to be from "my old friend Joe from high school" (eh, there were no anglophones in my equivalent to high school).

--em

Resume SPAM! (4.00 / 1) (#6)
by www.sorehands.com on Sat Mar 03, 2001 at 04:27:31 AM EST

I put a copyright notice on my resume. I also put a SPAM warning at the top.

This was because I received offers to improve my resume, offers to be put your resume into a database, etc.

I had one company put my company into a database that they sell access to. When I complained, they said, "what do you expect, you put your resume on the internet."



------------------------------------------------------------------------------
http://www.barbieslapp.com
Mattel, SLAPP terrorists intent on destroying free speech.
-----------------------------------------------------------
[ Parent ]

Your .sig (none / 0) (#8)
by ti dave on Sat Mar 03, 2001 at 04:38:18 AM EST

"Lè ou fè sa ma pè ou, // Paske ou se makout ou konprann ou ka kraponen mwen. // Ou rale ouzi-ou-la, mwen rilax sou ou! // Ou rale baton gayak-la, mwen bi koul sou ou!"
--Manno Charlemagne, "Ayiti Pa Forè"

It's been 6 years since I last read Creole.
I'll assume you're a Haitian ex-pat living in Quebec.
What's it mean in English?
Any on-line Creole-English dictionaries?

ti_dave

"If you dial," Iran said, eyes open and watching, "for greater venom, then I'll dial the same."

[ Parent ]
[OT] .sig (none / 0) (#9)
by Estanislao Martínez on Sat Mar 03, 2001 at 05:48:24 AM EST

I'll assume you're a Haitian ex-pat living in Quebec.

I'm not.

What's it mean in English? Any on-line Creole-English dictionaries?

Hint: if you are looking for an online dictionary for any language, yourdictionary.com is the best place to start. There's this wordlist, and another one.

Anyway, I'll put up a rough translation in my user info...

--em
[ Parent ]

Stingy address keeping (4.00 / 4) (#4)
by jesterzog on Sat Mar 03, 2001 at 03:14:09 AM EST

When I get spam I usually don't delete it (yet, at least). Instead, I throw it into a dedicated folder for storage. I guess one day if I ever need evidence, I'll have it right there.

I'm lucky enough that in the last couple of years, this folder still only has twenty emails in it. I'm also a bit irritated though that it's gone up from about 5 spam emails in the last couple of months.

The good news is that I know roughly where it came from. Virtually all the recent ones have been directed at a unique address that I only ever gave to realaudio.com. There's a chance that it was picked up in transit somewhere, but considering that I only transmitted it once directly to their website (realplayer's never known it) about a year ago, I think it's more likely that they just leaked their database.

For the record with tricks to "discourage" people from signing off the list (which I wouldn't personally do anyway because it just confirms that the address exists), many of the recent ones I've received have had this on them (cut n' pasted):

Under Bill S1618 Title III passed by the 105th US Congress this letter cannot be considered spam as long as the sender includes contact information and a method of removal. This is a one time e-mail transmission. No request for removal is necessary.

At the moment, my strategy has been to forward everything I get for that address back to every realaudio administrational address that I can find (eg. root, abuse, postmaster, webmaster, etc). I point out that they might have a database leak and ask them to deal with it, let me know what happened, or at least apologise. (Ideally all three.)

So far I haven't heard anything, which doesn't inspire me with confidence. They haven't asked me to stop forwarding it to them, though.

In general, I think the only strategy is to be really stingy about where your email address goes. I almost never give an unfiltered address to anyone with an electronic database without reading some sort of privacy policy. I certainly don't give it to anyone who I'd prefer to contact me some other way anyway. If I really want something that requires an address, I have my throwaway hotmail account that I never read except maybe to pick up a password that was posted to me, or something similar.

The other thing is to make sure that friends and family know not to give it away. Every so often I have the problem where someone gives my address to a website so I'll get an electronic greeting or something. Whenever this happens I might thank them and be polite, but immediately ask them not to do it again and tell them why. As long as I'm polite it usually works. These days I also have an email sig asking people not to give my address to commercial entities without my permission. If anyone asks why, I tell them.


jesterzog Fight the light


S1618 (5.00 / 3) (#12)
by finial on Sat Mar 03, 2001 at 10:07:47 AM EST

I'm sure you know this, but for all those non-Americans out there:

An American "Congress" lasts for two years. Each one has a number starting with the 1st in 1787. The 2001-2002 session (which started in January of this year) is the 107th Congress.

A "Bill" must be passed by both Houses of Congress AND signed by the President (or vetoed by the President and overridden by a 2/3 vote of both Houses of Congress) before it becomes law. Any bill that does not become law before the Congress adjourns at the end of its term vanishes into thin air and must be refiled during the next session. (An outgoing Congress can not make the next Congress act on filings that the next Congress did not generate.)

Bills are filed separately in the two houses. A bill in the Senate has a number starting with "S" and in the House it has a number starting with "HR." The

The referenced BILL (not law) numbered S1618 (which means bill number 1618 that was filed in the Senate during that Congress). Since it was never passed into law, it died at the end of the 15th Congress, that is, in December 1998.

I'm not sure if this link will work (I just can not figure out their searching scheme.) Go here: http://thomas.loc.gov/cgi-bin/query/z?c105:S.1618.RFH:

If that doesn't work, go here: http://thomas.loc.gov/home/c105query.html and search for S1618

[ Parent ]

spam.pl (5.00 / 2) (#16)
by codepoet on Sat Mar 03, 2001 at 12:09:20 PM EST

The link worked, and that would have been a great law. It would require, for those who did not go, for spammers to include their name, physical address, and phone number in each message. If the sender was different from the content preparer, then both must be included. They would be prevented from forging the "Received:" lines or the "From:" lines, or the corresponding lines in whatever email transit method you use.

Really nice.

However, until then, I'm using a script called spam.pl I found on Freshmeat together with a script I wrote myself that does basically this:

  1. I save all spam I receive in a day (5-20) in a folder called spam. I'm in Linux on this machine, so it's just a mbox file.
  2. Then at midnight my script runs, breaks up the mbox into individual messages and sends them to spam.pl.
  3. spam.pl then breaks up the received lines, looks for the point of origin, and sends an email to postmaster and abuse at any involved domain other than your provider(s) (You give it a config file with a list of excluded domains).
  4. Since I have my own domain, I made a uce@blah address for the sender of this mail. People oddly took that more seriously than ahknight@blah. Go figure. Procmail organizes the results.
I average three killed spammers a day, and all I do is save it in a mailbox when I get it. =) Now, I'm about to make it smarter, so that it looks for Hotmail header lines if there's a Hotmail address or Yahoo lines for a Yahoo address (they have special headers sometimes) and won't complain to them if it's not theirs. Same with Road Runner, who doesn't give addresses like bob@rr.com but bob@mycity.rr.com. But when that's done, it will function like SpamCop, without the hassle. =)

-- The cynical can often see the sinister aspect of a cup of coffee if given enough time.
[ Parent ]
This is good to know! (none / 0) (#28)
by static on Sun Mar 04, 2001 at 12:04:50 AM EST



[ Parent ]
Spam blocking made easy (none / 0) (#47)
by squigly on Sun Mar 04, 2001 at 04:45:42 PM EST

So, how feasible would it be to produce a mail relay that detects that message and dumps it? Too much overhead? Whoever solves this problem will certainly be in line for a nobel prize.

--
People who sig other people have nothing intelligent to say for themselves - anonimouse
[ Parent ]
Re: Stingy address keeping (none / 0) (#53)
by elemental on Mon Mar 05, 2001 at 03:47:50 AM EST

At the moment, my strategy has been to forward everything I get for that address back to every realaudio administrational address that I can find (eg. root, abuse, postmaster, webmaster, etc). I point out that they might have a database leak and ask them to deal with it, let me know what happened, or at least apologise.

Now that just sounds like a great way to piss off a lot of people. OTOH, you were probably /dev/null'd long ago for this.

I work at an ISP and I can tell you from experience that there's nothing worse than people sending complaints (spam or otherwise) to every address they can think of. Nine times out of ten it's going to people who either aren't in a position to do anything about it or don't care because it's not even remotely their job. And those are legitimate complaints going to the wrong people. People who consistently send complaints that have nothing to do with us (like yours, if the spam did not originate on a RealNetworks controlled network) quickly get their own line in the procmail filters.


--
I love my country but I fear my government.
--> Contact info on my web site --


[ Parent ]
Don't email the spammer domain! (2.33 / 3) (#5)
by www.sorehands.com on Sat Mar 03, 2001 at 03:54:01 AM EST

Email the host of the SPAMMER domain. Use a traceroute to determine who provides the connectivity to the scum.

If they offer cable converter boxes, send a copy to your cable tv provider.

Never respond to the remove address! Can you trust them to be honest about the purpose of the remove address?



------------------------------------------------------------------------------
http://www.barbieslapp.com
Mattel, SLAPP terrorists intent on destroying free speech.
-----------------------------------------------------------

I don't. (none / 0) (#29)
by static on Sun Mar 04, 2001 at 12:06:04 AM EST

I email the provider of their "remove" address, and the owner of their email relay.

Wade.

[ Parent ]

New type of SPAM!!!! WARNING! (3.50 / 4) (#7)
by www.sorehands.com on Sat Mar 03, 2001 at 04:30:37 AM EST

I saw a new type of SPAM. It self verifies the email address. If you open the email in a browser, or an email client that processes html, it will tell the spammer that the email address is valid. Each email contains a call to a cgi script with a parameter, the "To:" address.



------------------------------------------------------------------------------
http://www.barbieslapp.com
Mattel, SLAPP terrorists intent on destroying free speech.
-----------------------------------------------------------

Web bugs. (2.00 / 2) (#10)
by Holloway on Sat Mar 03, 2001 at 06:49:46 AM EST

Is it the email bug type? Where a 1x1 transparent Gif is in the HTML mail and the src="...~/spam.gif?uid=youremail@host.com"


== Humans wear pants, if they don't wear pants they stand out in a crowd. But if a monkey didn't wear pants it would be anonymous

[ Parent ]
That's simple to solve? (4.00 / 2) (#13)
by theboz on Sat Mar 03, 2001 at 10:12:27 AM EST

Don't you know that you are supposed to disable javascript, opening attachments, html, etc. and just view your email in plain text? Allowing html in your email client is something purely set up for spam. Your friends don't send email to you with html usually, so it's best just to disable everything but text. Beware of most attachments, but if you know it's something valid, then save it to your hard drive before opening it. It's not that difficult to fight this type of spam, the hardest part is to prevent the spammers from getting your email address in the first place.

Stuff.
[ Parent ]

Re: That's simple to solve? (none / 0) (#15)
by AzTex on Sat Mar 03, 2001 at 11:35:02 AM EST

Don't you know that you are supposed to disable javascript, opening attachments, html, etc. and just view your email in plain text?
Yes, yet another reason I should stop using Mozilla for e-mail/news.  As far as I can tell, it does not offer this capability.

solipsism: I'm always here. But you sometimes go away.
** AzTex **

[ Parent ]
Not so simple: (none / 0) (#23)
by spcmanspiff on Sat Mar 03, 2001 at 04:41:06 PM EST

I haven't seen this (I'm pretty good at avoiding spam, so far.. *fingers crossed*), but if I wanted to verify email addresses & had HTML mail, it would be plenty easy without any javascript at all:

<img src="http://www.spammer.com/verify.cgi?addy=victim@sucker.com">

How does someone avoid that, except for using a text-only mail client and/or never even glancing at spam? Granted, you need to dynamically generate your spam and have a cgi that generates a simple image, but both are trivial problems.



[ Parent ]
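The beacon Holloway and spcmanspiff describe (a remote image whose URL carries the recipient's address) is easy to spot mechanically, which is what a mail client's "block remote images" setting relies on. The following is an added example, not code from this thread or from any poster: it pulls every <img> out of an HTML body, flags the ones that look like verification beacons, and shows the defensive rewrite that blanks remote image sources so nothing is fetched. The sample message and the .example host names are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse


class RemoteImageFinder(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def find_web_bugs(html_body, recipient):
    """Return the remote images that look like address-verification beacons.

    An http(s) image is flagged when its URL carries the recipient's address
    (in the path or a query parameter) or when it is a 1x1 pixel, the classic
    tracking-GIF shape. Inline (cid:, data:) images never phone home.
    """
    finder = RemoteImageFinder()
    finder.feed(html_body)
    recipient = recipient.lower()
    findings = []
    for img in finder.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        reasons = []
        if recipient in unquote(src).lower():
            reasons.append("recipient address embedded in URL")
        for key, values in parse_qs(url.query).items():
            if any(v.lower() == recipient for v in values):
                reasons.append(f"query parameter {key!r} equals recipient")
        if img.get("width") == "1" and img.get("height") == "1":
            reasons.append("1x1 remote image")
        if reasons:
            findings.append({"host": url.hostname, "src": src, "reasons": reasons})
    return findings


def strip_remote_images(html_body):
    """Defensive rewrite: blank the src of every http(s) <img> so the client
    fetches nothing and the beacon never fires (what 'block remote images' does)."""
    return re.sub(
        r'(<img\b[^>]*?\bsrc\s*=\s*["\'])https?://[^"\']*(["\'])',
        r"\1\2",
        html_body,
        flags=re.IGNORECASE,
    )


# Constructed sample message, not a real spam: hosts use reserved .example names.
SAMPLE_HTML = """<html><body>
<p>You have been selected for a special offer.</p>
<img src="http://www.spammer.example/verify.cgi?addy=victim%40sucker.example" width="1" height="1">
<img src="cid:logo@local">
<img src="http://cdn.example/banner.png" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_HTML, "victim@sucker.example"):
        print(finding["host"], finding["reasons"])
    print(find_web_bugs(strip_remote_images(SAMPLE_HTML), "victim@sucker.example"))
```

The banner image is left alone because it neither names the recipient nor has beacon dimensions; the point is that the verification trick needs a per-recipient URL, and that is exactly the thing a client can refuse to fetch.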
not new at all. (none / 0) (#39)
by chuqui on Sun Mar 04, 2001 at 02:54:18 AM EST


> <img src="http://www.spammer.com/verify.cgi?addy=victim@sucker.com">

Not new at all. Also very common in e-marketing systems.

> How does someone avoid that, except for using a text-only mail client and/or never even glancing at spam?

you just answered your own question.
-- Chuq Von Rospach, Internet Gnome <http://www.chuqui.com> <kuro@chuqui.com> "The first rule of holes: If you are in one, stop digging"
[ Parent ]
*nod* (none / 0) (#44)
by spcmanspiff on Sun Mar 04, 2001 at 11:51:38 AM EST

Wasn't saying otherwise... however, I was so damn tired that for some reason I missed the html in the parent and thought they were just talking about javascript, and felt the need to point out that html alone was perfectly capable of nasty stuff.

Of course, that was horribly redundant. Silly me :)

[ Parent ]
HTML email (none / 0) (#38)
by chuqui on Sun Mar 04, 2001 at 02:52:07 AM EST

> Your friends don't send email to you with html usually,

maybe true among old-timers, not true, not remotely true among the general internet population any more.


-- Chuq Von Rospach, Internet Gnome <http://www.chuqui.com> <kuro@chuqui.com> "The first rule of holes: If you are in one, stop digging"
[ Parent ]
Postmaster (4.00 / 1) (#14)
by J'raxis on Sat Mar 03, 2001 at 11:32:02 AM EST

Instead, I forward the email to the relevant abuse@[whatever-service-they-are-using]. (When abuse@* doesn't work is another problem.)
Always try postmaster@[isp]. The postmaster account is part of the RFC822 mail specification; so most every domain will have it. Whether or not they read the mail is another question...

You can also try the Abuse.net whois, which will return the address that an ISP has registered as their complaint address, or postmaster@ by default:

Website:
http://whois.abuse.net/lookup.phtml?DOMAIN= [ isp ]

Whois:
% whois -h whois.abuse.net [ isp ]   or
% whois [ isp ]@whois.abuse.net
depending on how your system's whois command works.

-- The Antispamming Raxis

[ J’raxis·Com | Liberty in your lifetime ]

Abuse@* usually works. (4.00 / 1) (#30)
by static on Sun Mar 04, 2001 at 12:09:16 AM EST

I try abuse first because that's what it's for. Besides, the big providers get upset if you email them stuff to postmaster when they want it in abuse. The few times that abuse@ doesn't work, I forward the reject to postmaster with an additional note that they should have an abuse@*

Wade.

[ Parent ]

Missing information (none / 0) (#17)
by MicroBerto on Sat Mar 03, 2001 at 12:32:18 PM EST

MANY times, spam is relayed through some sort of server. a lot of times, all I get in the header is an IP address, and an nslookup on it then fails.

So then I have to look at the whois records on the IP, such as whois -h whois.arin.net [ip-address]

then it turns out to be an IP from japan, so I try to get as much info as i can, and e-mail them, but it never works.

the mail is just forged, relayed through some stupid open-relayed server, and this is what makes it hard to complain about.

Berto
- GAIM: MicroBerto
Bertoline - My comic strip
Traceroute? (none / 0) (#24)
by fvw on Sat Mar 03, 2001 at 04:48:44 PM EST

I prefer using traceroute personally. That way, I get their most direct upstream that has reverse dns, which is usually the one you want. If abuse@ bounces and postmaster@ doesn't do any good, I go one further upstream. Because I don't obfuscate my email address, I still get my fair share of spam, but I do have the feeling this abuse-reporting strategy works...

[ Parent ]
The best SPAM prevention system (5.00 / 1) (#18)
by DeadBaby on Sat Mar 03, 2001 at 12:34:12 PM EST

About 3 years ago I thought up a fairly simple system to prevent spam. I've since heard similar systems have been implemented but I've never actually seen one in use.

The basic idea is to build support in to mail clients to send any messages marked as SPAM to a central database that would catalog the addresses. This way everyone using the service would tag messages. It wouldn't stop spam all together but it'd cut down on the sheer volume of it.

I also suggest you have a private account you only give to close friends and family. I currently have:

1) A spam bucket
2) Personal account
3) A business account
4) A fake address, normally something very rude.
5) A semi-personal account that I don't mind giving out to strangers.

The amount of spam I get in my main personal inbox is really very low. (maybe 2 items per week at the most)

"Our planet is a lonely speck in the great enveloping cosmic dark. In our obscurity -- in all this vastness -- there is no hint that help will come from elsewhere to save us from ourselves. It is up to us." - Carl Sagan
Statistical trends (none / 0) (#20)
by Andrew Dvorak on Sat Mar 03, 2001 at 01:17:34 PM EST

The only problem would be sorting through this junk mail, but what solutions don't have problems?

I think this would also serve as a suitable means for identifying statistical trends in spamming. The only problem: What we might be using to help us will also help the spammers develop more marketable methods for reaching the intended target. I think this could be a great research project.



[ Parent ]
it's being done. (4.00 / 1) (#35)
by chuqui on Sun Mar 04, 2001 at 02:43:50 AM EST


>I think this would also serve as a suitable means for identifying statistical trends in spamming.

It's being done.

www.brightmail.com is a service that can catch a wave of spam coming in and stop it. I've seen it in action, and it seems useful and promising.


-- Chuq Von Rospach, Internet Gnome <http://www.chuqui.com> <kuro@chuqui.com> "The first rule of holes: If you are in one, stop digging"
[ Parent ]
not so easy (none / 0) (#22)
by winthrop on Sat Mar 03, 2001 at 04:38:19 PM EST

The basic idea is to build support in to mail clients to send any messages marked as SPAM to a central database that would catalog the addresses.

But do you trust the owner of the mail client? What if I got really mad at you and submitted your email address to the centralized database? Would you have some way of retrieving your good name? How many people would have to submit before you were listed as a spammer? Can there ever be a way of verifying that all the people that submitted your name weren't one committed person out to get you? Or a cabal? What if as a joke ten people used all their email addresses to verify that scase@aol.com was a spammer?

[ Parent ]

Use spamcop (4.50 / 2) (#21)
by rebelcool on Sat Mar 03, 2001 at 01:31:52 PM EST

SpamCop

Just copy and paste your headers and message into their form, it auto-analyzes it and sends a message to the respective ISP abuse addresses complete with everything they need to know.

COG. Build your own community. Free, easy, powerful. Demo site

Hmm. (none / 0) (#31)
by static on Sun Mar 04, 2001 at 12:15:21 AM EST

The only catch is that I'm not sure they send the message I want to say.

Basically, I want the spammers who have my email address to lose it. Since they seem to be using major providers with anti-spam AUPs, if they are so dumb to do that, then they deserve to have their database confiscated. I haven't unfortunately, checked (say) Yahoo's AUP - but I think it would be A Good Thing if they had such a clause. It would certainly up the ante somewhat: try to use us for your spamming and when we catch you, you must forfeit your email database. By force, if necessary.

I'm not sure SpamCop does this...

Wade.

[ Parent ]

SpamCop is good (4.00 / 1) (#50)
by Delirium on Sun Mar 04, 2001 at 09:44:42 PM EST

Well, you can add in your own comments to the auto-generated email SpamCop sends. I do think SpamCop is a good resource, because a lot of even the adept spam-hunters often send mail to the wrong ISPs due to forged headers - SpamCop's scripts verify where the mail actually came from. For example, if you have a Received: line from some.ip.address.aol.com ([xxx.xxx.xxx.xxx]) you should only trust the IP address and look up the owner of that - many times the hostname given will not be the actual hostname it originated from, so emailing abuse@aol.com (in this case) would be a waste of effort (not to mention annoying to the abuse department there).

[ Parent ]
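Both codepoet's spam.pl description (walk the Received: lines to the point of origin, skipping your own provider's relays) and Delirium's warning above (trust only the bracketed IP, never the hostname the sender claimed) come down to the same parsing job. Here is an added example of that job, not spam.pl's code and not SpamCop's: it unfolds each Received: header, finds the first hop written by a relay you trust but received from one you don't, and returns that hop's IP as the thing to look up (with whois, as MicroBerto describes), while marking the claimed hostname and every header below the handoff as sender-supplied. The sample message, the TRUSTED_RELAYS set (the analogue of spam.pl's excluded-domains file) and all hosts and IPs in it are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample, not a real message: every host, IP and id here is invented.
SAMPLE_SPAM = """\
Received: from mail.myisp.example (mail.myisp.example [192.0.2.10])
\tby mx.myisp.example with ESMTP id abc123; Sat, 3 Mar 2001 10:00:00 -0500
Received: from some.ip.address.aol.com ([203.0.113.45])
\tby mail.myisp.example with SMTP; Sat, 3 Mar 2001 09:59:00 -0500
Received: from friend.example ([10.0.0.5]) by relay.spammer.example; Sat, 3 Mar 2001 09:58:00 -0500
From: "Special Offers" <offers@hotmail.com>
To: victim@myisp.example
Subject: You have been selected

Under Bill S1618 Title III this letter cannot be considered spam...
"""

# Analogue of spam.pl's excluded-domains config: relays we operate or trust.
TRUSTED_RELAYS = {"mx.myisp.example", "mail.myisp.example"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
CLAIMED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def is_internal(ip):
    """True for RFC 1918 / loopback addresses, which identify nobody outside."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_received(value):
    """Split one Received: header into the name the sender claimed, the relay
    that wrote the header, and the IP that relay actually saw (in brackets)."""
    value = " ".join(value.split())  # unfold continuation lines
    claimed = CLAIMED_FROM.search(value)
    by = BY_HOST.search(value)
    ip = IP_IN_BRACKETS.search(value)
    return {
        "claimed_from": claimed.group(1) if claimed else None,
        "by": by.group(1).rstrip(";") if by else None,
        "ip": ip.group(1) if ip else None,
    }


def find_origin(raw_message, trusted_relays):
    """Walk the Received: chain from the top (the hop nearest to us).

    The first header written by a relay we trust, but received from a host we
    do not, is the point where the message entered our infrastructure. The
    bracketed IP there was observed by our own software; the hostname next to
    it and every header below it were supplied by the sender and may be forged.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    for index, hop in enumerate(hops):
        if hop["by"] in trusted_relays and hop["claimed_from"] not in trusted_relays:
            return {
                "ip": hop["ip"],  # the value to look up, e.g. whois -h whois.arin.net <ip>
                "claimed_hostname": hop["claimed_from"],  # unverified; do not complain by this name
                "internal": is_internal(hop["ip"]) if hop["ip"] else None,
                "unverifiable_hops": hops[index + 1:],  # written by the sender, not evidence
            }
    return None


if __name__ == "__main__":
    origin = find_origin(SAMPLE_SPAM, TRUSTED_RELAYS)
    print("report the owner of IP", origin["ip"],
          "- not", origin["claimed_hostname"], "which was only claimed")
    for hop in origin["unverifiable_hops"]:
        print("sender-supplied hop, ignore:", hop)
```

On the sample this returns 203.0.113.45 and tells you that "some.ip.address.aol.com" was merely claimed, which is Delirium's case: a complaint to abuse@aol.com based on that name would go to the wrong place. The hop below it, naming a 10.0.0.5 address and relay.spammer.example, sits under the handoff and is ignored for the same reason.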
web harvesting techniques (4.33 / 3) (#25)
by jcs on Sat Mar 03, 2001 at 04:50:13 PM EST

I've been thinking about the following techniques and wondered if spammers/harvesters are using them:

  • A url like http://www.domain.com/~username is almost guaranteed to give you the address username@domain.com as a valid email account. It'd be easy to spider the web and pick up addresses like this, even if the user is careful never to display his or her email address on the page (let alone link to it)
  • Most MTA's have the VRFY command disabled, disabling the ability to quickly check for valid accounts on the system. However, since nobody pays much attention to HTTP logs, a spammer could easily try http://www.domain.com/~joe, http://www.domain.com/~fred, etc. and discard the URL's that give 404's. With HTTP being such a quick protocol, a harvester could easily build an entire ISP's user list with brute force in not much time (or using much bandwidth)

    Anyone know if these methods are being used?
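
The second technique above leaves a trace in exactly the HTTP logs the comment says nobody reads: one client collecting 404s on many different /~name paths. As an added example (not code from the thread), this scans Apache common-log lines for that pattern; the log lines, addresses and threshold are constructed.

```python
"""Spot brute-force /~username probing in Apache common-log lines: one client
collecting many 404s on home-directory URLs.  Added example, not from the thread;
log lines and addresses below are constructed."""
import re
from collections import defaultdict

# ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
USERDIR_RE = re.compile(r"^/~[^/?]+")   # /~name, /~name/, /~name/index.html

def userdir_probes(lines, threshold=5):
    """Return {ip: (hits, misses)} for clients whose 404s on /~name paths reach
    the threshold.  A real visitor mostly hits; a harvester guessing names
    mostly misses, and the ratio is what gives it away."""
    counts = defaultdict(lambda: [0, 0])        # [200-ish hits, 404 misses]
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not USERDIR_RE.match(m["path"]):
            continue
        counts[m["ip"]][1 if m["status"] == "404" else 0] += 1
    return {ip: (hit, miss) for ip, (hit, miss) in counts.items() if miss >= threshold}

def _line(ip, path, status):
    """Build one constructed common-log line (fixed timestamp, size 512)."""
    return f'{ip} - - [03/Mar/2001:16:50:13 -0500] "GET {path} HTTP/1.0" {status} 512'

# Constructed sample: 192.0.2.9 guesses common names and finds one real user;
# 198.51.100.4 is an ordinary visitor to that user's page.
SAMPLE_LOG = (
    [_line("192.0.2.9", f"/~{u}/", 404) for u in ("bob", "joe", "fred", "asmith", "bsmith")]
    + [_line("192.0.2.9", "/~wade/", 200)]
    + [_line("198.51.100.4", "/~wade/index.html", 200),
       _line("198.51.100.4", "/images/logo.gif", 200)]
)
```

Run the function over a real access log with a threshold tuned to your site; the output is the list of client addresses worth a look, nothing more.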

  • How about address verification? (none / 0) (#27)
    by vasi on Sat Mar 03, 2001 at 11:39:05 PM EST

    Most of us have seen the "visit a web address which gives a cgi your address" type emails...but I just got an anonymous Blue Mountain card, which made me think:

    What if a spammer sent out a bunch of cards to random addresses? The bluemountain.com address seems innocuous enough that most of us wouldn't be scared to visit it; and when we do, the sender will be notified. One more address verified....

    vasi

    [ Parent ]
    they do this. (none / 0) (#34)
    by chuqui on Sun Mar 04, 2001 at 02:40:26 AM EST


    >What if a spammer sent out a bunch of cards to random addresses?

    They do this. Some of them simply set up their own card delivery systems, since they're open source. No need to even bother with a commercial one that might notice and shut you down.


    -- Chuq Von Rospach, Internet Gnome <http://www.chuqui.com> <kuro@chuqui.com> "The first rule of holes: If you are in one, stop digging"
    [ Parent ]
    Re: web harvesting techniques (none / 0) (#52)
    by elemental on Mon Mar 05, 2001 at 03:39:34 AM EST

    That's an awful lot of work. Remember, most spammers aren't the brightest people around. They're usually happy to just stick with the lists they can buy.

    Another favorite method is to simply generate a huge list of common names (bob, joe, etc) and other possible usernames (asmith, bsmith, etc), pick an ISP, and let fly. They'll use a fake return address so they don't need to worry about bounces and most of it will probably be delivered. Or take your favorite list of say, hotmail.com addresses and change the domain to aol.com or earthlink.net and you've got a big list ready to go. If you hit a big ISP/mail provider there's a good chance most of them will be deliverable.

    Bah, I deal with this every day at work, I shouldn't be thinking about it on my day off...


    --
    I love my country but I fear my government.
    --> Contact info on my web site --


    [ Parent ]
    Track them and squash them (5.00 / 2) (#26)
    by bruce on Sat Mar 03, 2001 at 06:28:03 PM EST

    Don't worry about the threats and self-justifications the spammers put in their spam. Don't bother with "remove" lists; as you said, most of them seem to be ignored, and some of the rest are used to confirm "live" addresses so they can spam you all the more.

    However, it is impractical to confiscate or "get off" whatever database the spammers use. Most actual spammers buy the "millions of emails" CDs advertised by spam, and those with some minimal degree of competency can scan the net for themselves, anyway. Unless you want to devote a disproportionate amount of effort to each spammer, the most you can expect is to get them kicked off the net, much less track them down physically to confiscate anything.

    That said, the responsible thing is to track down their access points, and have them booted off. Learn to read the "Received:" headers, and complain to the responsible parties; if those parties are not responsive, use traceroute and complain to their upstream. Be polite and professional, but make it clear that net-abuse is not acceptable.

    Tracking and squashing spammers will probably reduce your spam load, but not to the degree that would make it worthwhile by itself. I look at it as a civic duty; and the occasional instance when the ISPs thank me, or enforcement@sec.gov convicts a stock spammer you notified them of, makes it all worthwhile 8^)

    Practicalities. (4.00 / 1) (#32)
    by static on Sun Mar 04, 2001 at 12:18:50 AM EST

    1. If they buy those CDs, then they could be confiscatable. Yes, it's some effort.

    2. If the big providers threatened confiscation in their anti-spam AUP, I wonder how many potential spammers would re-think their strategy?

    Thanks for the feedback; I wonder if there's not some other new way to work the system against them.

    Wade.

    [ Parent ]

    Sell fake email cds (none / 0) (#58)
    by pallex on Tue Mar 06, 2001 at 11:32:19 AM EST

    Would it be worth selling fake lists of email addresses? If enough lists of non-existent users were around (or with lists of politicians who haven't made up their mind whether spam is bad or not yet), wouldn't it degrade the image of email lists so that it's a less attractive proposition?

    [ Parent ]
    stopping spam (5.00 / 2) (#41)
    by chuqui on Sun Mar 04, 2001 at 02:59:58 AM EST


    Want to really squash spam? The huge majority of spam flows through open relays. Want to stop spam? Get those relays closed.

    How? It's going to take some drastic medicine. Since most open relays are on boxes running really bloody old copies of sendmail, it's clear the admin won't upgrade them voluntarily, or they already would have.

    So I suggest people lobby the sendmail developers to add a patch to sendmail that will keep it from talking to any version of sendmail old enough to be an open relay -- if it detects a version older than 8.9.3, it should reject the mail.

    When you stop accepting mail from those open relays, huge amounts of the spam will disappear. And it'll force the people with ancient, buggy versions of mail systems to fix them or risk being disconnected.

    You can fix it piecemeal, and for every relay or spammer you whack, a dozen will pop up to replace it, or you can find a way to fix the system. And the only way to do that is to decide to stop talking to the systems that are responsible for allowing spammers to abuse their systems. Doing that one at a time isn't practical, so convince the people who maintain the mailer systems to do it net-wide.

    Everything else is spinning your wheels. Might make you feel better, won't stop the spam.



    -- Chuq Von Rospach, Internet Gnome <http://www.chuqui.com> <kuro@chuqui.com> "The first rule of holes: If you are in one, stop digging"
    [ Parent ]
    SMTP-2? (5.00 / 1) (#45)
    by zephiros on Sun Mar 04, 2001 at 04:19:42 PM EST

    IME, less than half the spam I get involves relay raping an older version of sendmail. Most involve other MTAs, like Exchange and EMWACS IMS, being poorly configured by novice admins. I suppose one could implement your idea by banning mail from any host running an MTA that doesn't come anti-relay configured out-of-box. But that would block mail from sites which are properly configured but not "version compliant." And it still won't block spam relayed through sites where the admin has removed relay protection in order to avoid having to properly configure the server.

    Now, OTOH, if you were to start fresh, this might work. That is to say, if you created an entirely unique email channel outside of standard SMTP. In order to participate on this new mail network, you would need to sign an AUP and certify that you're running a compliant MTA that's properly configured. Break the AUP, get booted off the network. Get relay raped, get booted off the network. If you're off the network, you can still send mail to regular email addresses, just not SMTP-2 (or whatever) addresses. That way, ISPs who are bad netizens aren't totally blackholed, but good netizens still have a semi-anonymous method of exchanging mail (e.g. I can send you mail without you having to pre-approve me).
     
    Kuro5hin is full of mostly freaks and hostile lunatics - KTB
    [ Parent ]

    This may have some merit. (4.00 / 1) (#48)
    by static on Sun Mar 04, 2001 at 05:37:30 PM EST

    But it may be a bit tough to implement in practice. I think a mid-way approach may be better: upgrade SMTP enough over a few versions that older versions start failing - like chuqui recommended. Only, use this trick to migrate to actually update the underlying SMTP standard, as well.

    Wade.

    [ Parent ]

    Blacklists (3.50 / 2) (#40)
    by zephiros on Sun Mar 04, 2001 at 02:55:04 AM EST

    Many spammers are learning that sending spam to the wrong people can be an expensive proposition. Cancelled accounts and clean-up costs eventually outweigh the income derived from whatever they're hawking. Recently, I've seen ads for bulk address lists which indicate that the lists have been purged of "known disruptive users." This suggests, to me, that spammers are building blacklists of people who report UBE.

    Which means, even if you're not reporting spam for ethical reasons, you should be reporting it with the intention of warranting your own blacklist entry.
     
    Kuro5hin is full of mostly freaks and hostile lunatics - KTB

    Hey! Neat! (none / 0) (#49)
    by static on Sun Mar 04, 2001 at 05:39:18 PM EST

    I like that! I wonder how much effort it takes to get so "blacklisted"?

    Wade.

    [ Parent ]

    Re: Blacklists (none / 0) (#51)
    by elemental on Mon Mar 05, 2001 at 03:33:13 AM EST

    > Many spammers are learning that sending spam to the wrong people can be an expensive proposition. Cancelled accounts and clean-up costs eventually outweigh the income derived from whatever they're hawking.

    Most professional spammers use fraudulent accounts set up with stolen credit cards, so they really don't give a shit about clean-up fees. Cancellations are to be expected. They'll set up 5 - 20+ accounts per day and spam until they're forcibly disconnected, then dial up with the next account. It's not a pretty sight.

    > Recently, I've seen ads for bulk address lists which indicate that the lists have been purged of "known disruptive users." This suggests, to me, that spammers are building blacklists of people who report UBE.

    It's extremely unlikely that this is the truth. They're just trying to lend an air of legitimacy to their spam kits/lists. This is why they also tend to use that "Senate bill 1614" (or whatever it is) bit at the bottom of their e-mails.

    Most people selling spam kits don't care about pissing people off. The 2% that respond make it worthwhile. Accounts are disposable (see above) and if they use a fake return address (very common) they don't even have to deal with the complaints. This also means they don't have to deal with bounces when they attempt to spam nonexistent mailboxes. They really have no way of getting the addresses of "known disruptive users" anyway, since most spamfighters are bright enough to not respond directly to the spammer (assuming the return addy is even real).


    --
    I love my country but I fear my government.
    --> Contact info on my web site --


    [ Parent ]
    Legal problem? (none / 0) (#57)
    by pallex on Tue Mar 06, 2001 at 11:29:39 AM EST

    Seems the prob with spam is a legal one. If the email addresses are fake, then the phone number they give must work - otherwise how are they going to get any business? Is the problem just that it's hard to close down the phone number? Why?

    [ Parent ]
    Risky (none / 0) (#54)
    by FyreFiend on Mon Mar 05, 2001 at 04:36:08 AM EST

    Some spammers go after "known disruptive users" by joe-jobbing them. That's where they use your e-mail address in the forged headers/remove address or link to your web site.


    --
    Only kings, presidents, editors, and people with tapeworms have the right to use the editorial "we".
    -- Mark Twain


    [ Parent ]
    Real Spam Solution... (5.00 / 1) (#46)
    by mk2337 on Sun Mar 04, 2001 at 04:39:01 PM EST

    The _only_ real solution I have found to spam is www.sneakemail.com. It works great. The service is free. It works by letting you create a unique email address for each contact you want to communicate with. Then if you get spam through that email address, you can bitch at the person who gave it up to the spammers. Also, you can disable that email address so you won't get any more spam. And, changing that one email address won't disrupt all your email contacts as it would if you only had one email you used.

    If you don't like spam, try sneakemail. If you kinda don't like spam try a normal spam filter :-)

    trouble with sneakemail is... (4.00 / 1) (#56)
    by pallex on Tue Mar 06, 2001 at 11:27:13 AM EST

    ...you end up with an email address like p034_3%^33@sneakemail.com - would be nicer if you could choose them yourself.

    [ Parent ]
    Classic Spam (none / 0) (#55)
    by leviathan on Mon Mar 05, 2001 at 12:16:00 PM EST

    Ranking somewhere alongside your 'don't close the remove account' type spam in terms of sheer boneheadedness is a personal favourite of mine I've seen a few times now:

    > This is a one-time mailing. You will not be contacted again. However, if you wish to remove yourself from our mailing list, email remove@...

    I'm sorry. You'd like me to do what??

    --
    I wish everyone was peaceful. Then I could take over the planet with a butter knife.
    - Dogbert
    Return addresses are often forged (none / 0) (#59)
    by hensema on Thu Mar 15, 2001 at 07:40:20 AM EST

    A few weeks ago I was plagued by bounces of spam on my domain. The spam bounced to a non-existing address (tlasoftware@hensema.xs4all.nl, FYI).

    Because the original spam including all headers was contained in most bounces I was able to track down the source of the spam. The source used a forged HELO greeting (it said HELO hensema.xs4all.nl while the mailserver recorded the HELO as being from a totally different IP) and some more tricks to disguise the actual source of the spam.

    I have sent numerous abuse emails to the spammer's domain (jps.net, which seems to be part of uu.net) but never received any reply other than the standard automated abuse-reply.

    Luckily the spam bounces eventually stopped and no complaints were filed against me (either that or my provider has enough clue to realise I wasn't the source of the spam).
    - erik
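
Three comments in this thread describe the same header-reading discipline: trust the bracketed IP a receiving server recorded rather than the hostname the sender claimed (Delirium, #50), follow the Received: chain only as far as servers you control (bruce, #26), and treat a HELO name that does not match what the receiver saw as a forged greeting (hensema, #59). The Python below is an added example, not code from the thread or from SpamCop; the message, hostnames and IP addresses in it are constructed.

```python
"""Pick the IP to report out of Received: headers, trusting the bracketed
address the receiver saw over the name the sender gave.  Added example."""
import re
from email import message_from_string

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"                    # name given in HELO
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?"             # reverse DNS seen by receiver
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)\s+"   # IP the receiver actually saw
    r"by\s+(?P<by>\S+)",                          # server that wrote this line
    re.IGNORECASE)

# Constructed message: a sender on 192.0.2.77 greets as hensema.xs4all.nl and
# prepends a fake hop blaming aol.com.  Newest Received: line is on top.
SAMPLE = """\
Received: from mx2.example.org (mx2.example.org [198.51.100.10])
  by mail.example.org with ESMTP id abc123; Sun, 04 Mar 2001 21:00:00 -0500
Received: from hensema.xs4all.nl (dialup-77.example.net [192.0.2.77])
  by mx2.example.org with SMTP id def456; Sun, 04 Mar 2001 20:59:50 -0500
Received: from some.ip.address.aol.com (some.ip.address.aol.com [203.0.113.5])
  by hensema.xs4all.nl with SMTP id ghi789; Sun, 04 Mar 2001 20:59:40 -0500
"""
TRUSTED = {"mail.example.org", "mx2.example.org"}   # servers we run ourselves

def parse_received(value):
    """Fields of one Received: header, or None if not 'from helo (rdns [ip]) by host'."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold continuation lines
    return m.groupdict() if m else None

def originating_ip(raw, trusted):
    """Walk hops newest-first while each was stamped by a server we trust; the IP
    in the last such hop is the one to look up.  Older hops may be forged."""
    origin = None
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["by"].lower() not in trusted:
            break
        origin = hop["ip"]
    return origin

def helo_mismatches(raw):
    """Hops where the HELO name differs from the reverse DNS the receiver
    recorded, the forged-greeting pattern described in the last comment."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        hop = parse_received(value)
        if hop and hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            out.append((hop["helo"], hop["rdns"], hop["ip"]))
    return out
```

On the constructed message the address to look up is 192.0.2.77, not the aol.com host named in the bottom hop, which was never recorded by a server in TRUSTED.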
    Spammers are getting smarter | 59 comments (59 topical, 0 editorial, 0 hidden)