The Economics of Spam

higgins writes "The Wall Street Journal has the best story I've ever seen on the economics of spam. A self-described "spam queen" (Clean link; should work for non-subscribers) talks about not just the millions of emails she spews, but what it costs per mailing ($250 for 500k emails), what the response rates are (1-2 one-thousandths percent) and what she actually makes. (40% of each sale of one product: anti-spam software)."

New spam...

Here's a new one for you:

The other day, I got spam via my 'windows messaging service' - someone on my cable modem subnet is sending me pop-up spam with the 'net send' command (Windows only). Obviously this is easy to disable (for someone who knows how to) but...

WTF?

I took a screen shot which indicated time/date AND IP but the cableco tech morons said that they couldn't do anything about it? Right... How about revoking access? Perhaps it was the cableco themselves selling this service?

Re:New spam...

I started getting that across my T1.

WTF? You have that T1 just plugged into the back of your Windows box or what? I'm sorry but anyone who has a Windows box on a T1 with nothing filtering NetBIOS is a goddam public menace. You'll get little sympathy from me.

Ironic..not really..here is how it works

I got the exact same thing yesterday in my school lab. It is not ironic since the act is intentional. It is called targeted advertising.

The message is being listed as being sent from 'WEBPOPUP' since that is the name someone used for their system. Most of these diploma traces so far go to ev1.net, though after a lot of complaints they refuse to do anything. Check out a little information concerning this issue here:

http://www.mynetwatchman.com/kb/security/article s/ popupspam/index.htm

The program being used is called "Direct Advertiser". If you have NetBIOS bound to your interface, someone using net send will, by default, pipe the message over SMB to TCP 139. But if NetBIOS is not bound to the interface, net send will use UDP 135 instead. It takes the "net" command a bit longer to figure this out, but it does work.

The Direct Advertiser product just skips the preliminaries, knowing that smart system administrators close TCP 139, and goes right for the undocumented back door.

The 'Direct Advertiser' web site even tells you how to not receive these kind of things any more.

How to set up your system not to receive netbios messages

To deliver the message our program uses a NetBios call built into the Windows API.

Click Start->Setings -> Control Panel->Administrative Tools->Services
Scroll down and highlight "Messenger"
Right-click the highlighted line and choose Properties.
Click the STOP button.
Select Disable or Manual in the Startup Type scroll bar
Click OK

Windows XP

Click Start->Control Panel
Click Performance and Maintenance
Click Administrative Tools
Double click Services
Scroll down and highlight "Messenger"
Right-click the highlighted line and choose Properties.
Click the STOP button.
Select Disable or Manual in the Startup Type scroll bar
Click OK

Windows 98/ME

Remove or disable the file and printer sharing from your network configuration.

Re:New spam...

I took a screen shot which indicated time/date AND IP but the cableco tech morons said that they couldn't do anything about it? Right... How about revoking access? Perhaps it was the cableco themselves selling this service?

Spam via SMB is quite the new thing, I gather. This has the potential to _really_ piss people off.

But it could turn out to be a good thing. The reason we can't stop spam by blocking port 25 is that we need to accept email from people who have legitimate reasons to send it. But who has a legitimate reason to connect to SMB on a desktop machine via the Internet? Nobody. Ever.

If this leads ISPs to block the ports involved, the world will be a better place, with no more script kiddies owning Win98 machines via smbclient.

Re:New spam...

No, ISPs should NOT be blocking ANY ports. I pay them for a connection. Perhaps email, news, etc. Securing my machine is my responsibility. If there is a machine on their net causing a problem, then yes, they should kill THAT machine's connection. Filtering anything is not the right thing for them to be doing.

ISPs have rights too

No, ISPs should NOT be blocking ANY ports. I pay them for a connection. Perhaps email, news, etc. Securing my machine is my responsibility. If there is a machine on their net causing a problem, then yes, they should kill THAT machine's connection. Filtering anything is not the right thing for them to be doing.

You pay for a connection, but the ISP owns the infrastructure, and it's their network you are connecting to. While it would be nice if they did not block any ports, they have every right to do so on their own network. If you don't like that, you are always free to take your business elsewhere.

Re:ISPs have rights too

I'm getting criticism like this from folks who don't read closely enough.

The poster said should not and not can not. In other words, this is the way the poster wants things to be, or thinks they ought to be, or hopes they will be, for the reasons given, but not the way they must be. That filtering is "not the right thing" is a policy assertion, and it is implicit the poster will switch ISP's if the current one downgrades its service. However, the supply of ISP's, esp. broadband, is not infinite, and if ISP's react in a kneejerk fashion the availability of alternative service could dry up quickly -- and unnecessarily.

Re:New spam...

"No, ISPs should NOT be blocking ANY ports."

Why not have the ISP block the ports by default and give you an option to enable them via web interface?

Let the ISP be the firewall...

Re:New spam...

Argh, I get people at work complaining about this. "I called Comcast, and they're not doing anything about it, those jerks!"

Your ISPs job is to provide you an internet connection that you pay for - it is NOT their job to secure your computer for you.

If you're getting Messenger spam, then you probably don't know how to protect your computer, which means if I were you, I'd be worrying about what else on your box is 0wned.

Re:New spam...

It's not a matter of repairing the vehicle.. it's a matter of putting on your seatbelt.

Re:New spam...

No, but I would expect someone who doesn't lock their car door, leaves the keys in with the engine running everytime they park somewhere should complain when the car gets stolen.

Re:New spam...

A more apt analogy would be you, parking your car, locking it like you think you should, going inside, coming out the next day and finding it stolen. The thief broke in, hotwired it, and drove it away.

Would you tell the victim, "You should have secured the ignition wiring better!"?

While those savvy in cars might recognize the vulnerability and do something about it to make the thief's job harder (maybe even be l33t enough to install a hidden kill switch), your average user is going to go simply by what the vendor recommends, and what globally recognized best practices are (locking your car).

I do not recall any Microsoft announcements involving the default state of the Messenger service and its ability to receive unsolicited traffic from the Internet.

Let's think about this in a little more realistic light, yah?

Re:New spam...

Nothing is being stolen in the case of spam (processing power aside, yada yada, we're not all being paid by SETI@home).

It's analogous to locking you car, going inside, coming back out and finding a flyer on your windshield. Some places allow this, others don't, but we've ALL gotten these flyers before.

In my case, I don't figure it's a big deal, I'll throw it in the backseat with the rest of my trash.

--trb

Re:New spam...

Actually, with netBIOS, there IS such a sign - an unsercured windows machine actively advertises itself on the network. Blame Microsoft for a stupid default configuration, blame Compaq and Gateway and all the other OEMs for shipping Windows in that configuration, or blame users who don't know and don't want to know (that last is important) anything about computer security or the need for it, but the fact is: If your unsecured (default) windows machine is hooked directly to the internet without a firewall of some kind (hardware or software) you not only of leaving the doors unlocked, you are literally opening them and inviting everyone in. There's alot of blame to be partioned out for the sad state of home computer security, but users have to take thier share. A computer is NOT an appliance, and you ARE responsible for a minimum level of knowlege and precaution.

Incidently, my job is totally independent of fuckwit users.

Re:New spam...

Your ISPs job is to provide you an internet connection that you pay for - it is NOT their job to secure your computer for you.

It is their job to enforce their TOS--which most likely perclude spamming.

And if the IP is off-network, simply contacting whomever owns it would work.

Re:New spam...

Actually, you're wrong. It's also their job to enforce their policies. Something like SPAM'ing other users (decreasing customer satisfaction) is covered under most ISP abuse policies.

It's also their responsibility to enforce abuse policies that they agree to with THEIR network provider (not necessarily being violated in this situation tho).

So, what I recommend is that people go read the abuse policy of their ISP, and see if it has anything that covers this kind of abuse. If the person sending you this SPAM over SMB (first turn off SMB messaging and get a Firewall), confirm that they are breaking their agreement, and then bitch to all high heaven. If the idiot on the phone says there's nothing they can do, ask for their manager. If they refuse, get their employee number and report them (then report the company to the appropriate agency [ie. BBB]). If that manager doesn't help, ask for his/her manager. It may not immediately solve the problem, but it will leave a big fat record of this being a problem.

If fewer people just sit on their ass, and say "It's my problem", nothing will get done on a more global level. And THAT is the only way crap like this really gets addressed. Be loud, be clear, be heard! Don't let a stupid company bully you.

And finally, even if they help you... if you feel they are a good company to you as the customer drop them. You pay them. If you are under contract, and they don't help you, accuse them of being in breach of their policies (if they are).

Not everyone knows how to protect their computer. And they shouldn't have to know how to. That's the point of computers, to make your lived easier not more of a headache.

So... in summary... I couldn't disagree more with reaper20. Don't just take it and get walked all over. Stand up, and fight for your right as a consumer and customer!

Just my $0.02!

-Alex

Re:New spam...

Actually, you're wrong. It's also their job to enforce their policies. [....] If you are under contract, and they don't help you, accuse them of being in breach of their policies.

Refusing to terminate someone else's account on your say-so is not a "breach of their policies." An abuse policy places limits on how the customer is allowed to use the service. It does not in any way imply that the ISP is somehow obligated to punish every infraction. They are well within their rights to terminate the offender's access, or suspend it, or give a warning -- or do absolutely nothing.

Here is the method to disable windows messenger:

Right here [caltech.edu]
This is really useful, just do it once and no more problems with messenger spam.

Re:New spam...

A large number of ISPs are already filtering those ports. Comcast has been filtering those ports (incoming and outgoing) in the Baltimore area for at least 4 years. Even a lot of dialup ISPs filter NetBIOS traffic now.

While I'm opposed to backbone-level filtering on a philosophical level, my practical side says there's no valid reason to run SMB over a public network. If you legitimately need to connect to a remote SMB network, you should be doing it over a VPN or some other encrypted tunnel.

$5 to anyone who proves this statement wrong-

"I'm just trying to make a living like everyone else," says Ms. Betterly. Her e-mail marketing operation, she says, allows her to raise her children, Chris, 10, and Craig, 11, and to spend quality time with them. "You can call me spam queen, I don't really care. As long as I'm not breaking any laws, you don't have to love me or like what I do for a living."

Not breaking any laws. Riiiiiiiight. Nice values to instill in those kids, too.

Yes she would

1. People come in, see her naked.
2. People pay her to put her clothes on.

Money made.

But, being a spammer, she may have someone strip their cars while the door is bolted to keep them inside.

Now, Now...

The Colombian drug lords just want to provide for their kids too.

Colombian drug lords make a living by selling a real product to a customer. It is very unfair of you to insult them by equating them with parasites like Ms Betterly.

Re:$5 to anyone who proves this statement wrong-

It's different than snail-mailing because

• she doesn't pay for the open relays or open proxies that she abuses (if you don't use such tricks, you're terminated by pretty much every ISP faster than you can say SPEWS), while snail-mailers do pay for the postage. She also doesn't pay for the consumed bandwidth of your ISP nor for the storage of her junk in your inbox, which means that in the end it's you that pays part of her six-bedroom house with pool on her 5000 square-foot property.
• Commercial speech has absolutely no freedom of speech protection
• Since she makes a lot of money from selling anti-spam software, this is no better than mob gangs that demand protection money: she's asking you to pay for a "solution" to a problem she causes herself!

If such things are "the basics of business" for you, I feel sorry for all people that have to do business with you.

Re:$5 to anyone who proves this statement wrong-

And in the "breaking a law you didn't expect her to be breaking" category, I'll bet that the 6 bedroom house she operates her business from is not zoned for this kind of commercial activity.

We all knew that spammers weren't the brightest bulbs on the planet, but giving an interview with your real name and location to a national newspaper does seem a bit foolish, doesn't it?

Re:$5 to anyone who proves this statement wrong-

"I'm just trying to make a living like everyone else," says Tony Soprano. His waste manangement operation, he says, allows hime to raise his children, and to spend quality time with them. "You can call a mob boss, I don't really care. As long as I don't get caught, you don't have to love me or like what I do for a living."

Substitute crack

For a more entertaining read, just change the word "spam" to "crack" in the story.

Hrmm

Perhaps we should punish the people who are feeding these spam monsters. Do you think that the spammers would even bother if they didnt get a sale?

I'm just amazed at people's stupidity. Oh well I guess there's always going to be a market for penis enlargers and those PhD's from non-accredited universities.

Re:Hrmm

Finally someone on the point. If someone spams me they no longer get any business from my household. Ever.

Just a few names off the list:

AmEx: Anytime you write to their security and privacy people you are automatically included into a SPAM mailing list and not removed ever after. I tried to get them to stop and ended cancelling the account. As a result they wrote me back telling me that they authorise themselves to use my phone to call me with new offers. If you have an AmEx card and use it you are supporting a spammer outfit.

Play.com: Similar story. Canceled the account and blacklisted them on every server I maintain a blacklist for. Does not help. They are still trying to send.

To ve continued ad naseum...

Re:Hrmm

Both the Democratic and Republican candidates for governor in the last election spammed me. Am I supposed to boycott both political parties now?

Yes, but not just for that reason.

Worldcom = Spamhaus

But the other message was a complaint from WorldCom. A WorldCom customer had reported an "alleged violation" of the company's policy that prohibits spamming. "We request you take whatever measures you deem appropriate which will ensure no further violation will occur," the e-mail from WorldCom said.

WorldCom lets spammers get away with 'first offence'.

Mr. Connell typed a response: "Problem solved. This guy won't receive anything from us again." He flagged the name of the offended e-mail recipient on Ms. Betterly's list so that person wouldn't be contacted again.

WorldCom helps spammers listwash.

WorldCom says that if problems with a spammer persist, the company will send increasingly stern notices and eventually cut off service.

WorldCom will let spammers get away with spamming several times before actually doing anything about it.

Paging SPEWS. SPEWS to the white courtesy phone, please...

Mod that shit down

• WorldCom lets spammers get away with 'first offence'.
• WorldCom helps spammers listwash.
• WorldCom will let spammers get away with spamming several times before actually doing anything about it.

Are you people never satisifed? Do you want the FBI raiding at the FIRST sign of trouble, or do you want to follow proper channels?

Such an informative post. Where did that customers email address come from? How is Mr. Connell to REALLY know if that person merely clicked-through an agreement (Without reading it) that their email would be shared? Did that person then attempt to use anything posted within the email to remove his/herself from that list?

"And she only sends bulk e-mails to people who have indicated at some time that they want to hear more about certain products or offers. People do that, some unwittingly, when they sign up for free e-mail accounts or create chat-room identities or buy products online. Many Web sites ask users whether they are interested in receiving marketing offers and ask them to check -- or, more likely, uncheck -- an obscure little box if they don't want to receive that kind of e-mail."

So people, in this case, are not paying attention. Strangely, that's also why there's such hubub about cars and cell-phone use.

"He flagged the name of the offended e-mail recipient on Ms. Betterly's list so that person wouldn't be contacted again."

So wait a second, because some places don't abide by their privacy agreements, or don't remove people when requested, then EVEYRONE is bad?

I suppose, then, I should be in prison, because I've circumvented copy protection using a No-CD crack so my kids don't have to touch CD's.

Obviously, you belive that if SOMEONE is doing something illegal in a certain area (hacking government systems), then EVERYONE must be doing that. I guess we shouldn't have access to source code either. Who KNOWS what we could do with that!

Please. Tell us. Some of us want to know which side of the double standard you really stand at.

Re:Mod that shit down - NOT

As for your illegal use of CDs, that's your lookout - you have chosen to put your family at legal risk just to save a couple of bucks on CDs. Or maybe you are taking a moral stand, but you are still choosing to take a risk. Mayhap that's an OK risk for you, but it's still there, don't pretend you aren't breaking a law for your own convenience.

As for the spammers, I have NEVER EVER EVER given "opt-in" permission on my tech contact Email to any business. It was stolen from the Internic "whois" database over ten years ago, and now receives thousands of spams (ironically, I maintain that address as a spam trap now to help me keep a strong access.db) from hundreds of spammers, all of whom make exactly the same claims as Betterly.

It should be obvious that with individuals rapidly and constantly trading lists of as many as 60 million addresses, it is effectively impossible to get "opted out" permanently once one is on such a list. It is equally obvious that there is tremendous financial incentive to create lists without any regard for the wishes of those on the lists, and to represent those lists as "opt-in" when trading with other spammers.

At least you are consistent; you, an admitted scofflaw, are defending other scofflaws. Kudos to you for that, I respect a consistent code of ethics.

still too many

With 605.6 millions of internet users, worldwide (according to kadius [www.nua.ie]) 1-2 one-thousandths of a percent that's still 6056 replies to spam. With that many replies and close to zero cost one could make a decent business... sadly