A Day In The Life Of A Spammer

kaip writes "Internetnews.com has a story of a spammer. The individual sends 60 million spam emails for four days worth of work and claims that one in 19 of AOL users clicks the links in his mortgage spam (this number should however be taken with a grain of salt, see rules 1 and 2). Maybe not everybody has heard of the Boulder Pledge... The article also tells how the CAN-SPAM Act, which legalises spamming, is turning the US into the spam haven of the world. Currently, 86 percent of the total spam volume is coming from the States."

Our love-hate relationship with business-scum

I thought everyone on Slashdot hated the RIAA, the MPAA, and Microsoft. Why do you keep hyping CDs, movies, and Windows games?
Big corporations are what they are. They sell us cool stuff with one hand and tighten the screws on our freedoms with the other. We hate them every morning and love them every afternoon, and vice versa. This is part of living in the modern world: you take your yin with your yang and try to figure out how to do what's right the best you can. If you think it has to be all one way or the other, that's cool, share your opinions, but don't expect everyone else to think the same.

In short, there are some advertiser communications that we don't welcome into our lives and call "spam", while there are other advertiser communications that we invite into our lives when we go through the Sunday Newspaper looking for the ad circular from our favorite store so we can see what's on sale without having to go there.

Wording a rule set so that spam gets shut down but ads we want to see still get through is quite a tough task to do on a one-viewer basis. It becomes even more difficult to do that on a comminity basis. Some of us want to know what's on sale this week at Best Buy, others couldn't care less.

I just don't see a solution that pleases everybody being possible in this area. It'll always be a game of new regulations constantly going up, but only being effective until somebody finds a way to work around them. We can hate spammers as scum, but that seems like the worst we can do to them at times.

Re:Our love-hate relationship with business-scum

we go through the Sunday Newspaper looking for the ad circular from our favorite store so we can see what's on sale without having to go there.

That 'looking for' is the key. If I don't want to, I don't have to read the ad section.

Plus, everybody knows how fradulent these spam schemes are. Atleast, with the newspaper, if the frauds start creeping up, the newspaper company has to step up and tighten the noose.

Re:Our love-hate relationship with business-scum

Equally important, the companies advertising in the newspaper at least put in enough effort to write copy, do the graphics art, the layouts, and get the ad into the media.

Spammers can't spell, have no business history, have no reputation, and just keep intruding on my life, my business, and my bills (increased costs to my ISPs.)

Sorry, but "If I nag 5,000,000 people, someone will buy" is not a marketing plan or strategy, it's begging. It's disingenuous fraud, hoping that someone will be stupid enough to waste their money on a con. It's hoping users don't notice that "cheap software" is pirated, or that the "herbal viagra" is available for $10.95 at their local health food store instead of $49.95 through some spammer.

Spammers are not legitimite businesses, no matter how they bleat and plead about their "rights". You have no right to harass people on the street pushing your wares -- you'd be arrested for being a public nuisance at best. You have no right to barge into my home to tell me about your products without invitation -- that will have you arrested on trespassing or B&E.

Spam is not about "business", it is not about "rights", it is about a bunch of scum sucking vermin who twist the courts and ISP contracts to swindle and scam the public, hoping to make their cash and escape quickly.

In the past 7-10 years, I have not seen one legitimite or viable product advertised by spam. Not one.

Shut them down and arrest them as the frauds they are, and to hell with yet another US government sellout to "corporate" interests via CAN-SPAM. I don't know anyone who calls the info broadcasts from respected corps "spam" because they ask if you want it, not shove it down the throats of strangers.

Opt in lists

"the simple situation is that I don't need _any_ advertising through email"

That's a bit draconian. I would like to be notified when Blizzard is releasing a new game or the new Glen Cook book is being released. To get this info from the web sites, I would have to poll (check regularly) the web sites. I would rather receive a notification.

The key to this is opt in only lists. One way to do this is to make a server with your email provider that allows you to register an email as requested (bulk mail whitelist). Those can go through. Other bulk mail is prevented. There are other methods as well; that is just one example to handle both.

The real key is no *unsolicited* email advertising. If I request it, I want to be able to see it. Frankly, if a newspaper (to get back to that example) drops off their product unrequested, I would like to be able to prosecute them for littering. Further, a newspaper includes other things besides advertising. Spam does not.

Re:Our love-hate relationship with business-scum

Here's the thing. I don't like paying to receive adverts, which is the current situation. Sending cost is a fraction of the delivery cost, which is mostly handled by the receiver.

Secondly, the scale of this is a massive problem. I get approximately 400 e-mails/day to my work account. About 250 of those are from two high-volume mailing lists, which get auto-sorted into folders, and I scan-read the subjects before deleting most of them.

About 5-10 of those are from people who are contacting me directly, and have a valid reason to do so...

The remaining 140 or so are spam. No, I'm not exageratting the numbers, I've got 6 more while I typed this, mostly trying to sell me Viagra, but with a couple for OEM software.

Marking what my spam filter (Thunderbird's built in one) misses is a significant effort. Then having to go through the spam folder and make sure all of these e-mails isn't actually from work is even more effort. Especially the ones that say "Meeting at 14:00 on thursday" or something.

Probably what gets to me most of that almost none of these apply to me. I don't want (or need) Viagra, I can't afford a house here, and the mortgage offers are for the USA only, I already have a university degree, I have reputable sources for OEM software, etc. etc. etc.

What's even worse is what doesn't get to me. I've had to two e-mail sacrifice accounts because they were getting too much spam (at around 200/day extra, each, for rarely used accounts). Of course, spammers will keep e-mailing those accounts - it's not like the bounces will ever get to them.

Another spam just arrived. Something about being 19 again.

One of those accounts was only ever given out to people on a face to face basis - but it was of the form @. The only way spammers could have found it would be by pouring thousands of e-mails into my work's domain, hoping that one of them would find a matching e-mail address. While I may not receive that e-mail, it's still pouring into work's servers. clogging them up and occupying our bandwidth.

Many other forms of advertising mean I get something for free (several TV channels here) or cheaper (magagzines/newspapers), and never cost me more, anyway (billboards, etc.).

In comparison, spam costs me money, and time, and adds a significant risk of e-mail loss. That is why I don't like spam.

Re:Our love-hate relationship with business-scum

6 months!!! If I had to train a filter for 6 months before it becase effective I would go insane.

You need K9.

http://keir.net/k9.html

RM

Re:Our love-hate relationship with business-scum

It's not love/hate at all.

Most reputable businesses choose advertising channels where the advertiser bears the majority of the cost of the advertisement. These advertisements tend to have at least SOME downward pressure on the total number of advertisements a person will be forced to see. These advertisers are on the whole a little more truthful, because the money trail back to them is larger and clearer.

Less reputable businesses may choose advertising channels where the advertiser bears a very low percentage of the cost of their advertisement. Because they pay very little, and the overhead costs are small, it's easier to employ random and changing small-time "advertisers" and it's easier to generally obscure the money trail, allowing for less truthful advertisements. Because the cost of each ad impression is very very low, there's virtually no downward pressure on the number of ads a person may be forced to see. Because these "advertisers" are in the game for a quick buck, and their reputations won't suffer from any ill will, they don't care if they decrease the value of the targetted communications channel to nearly zero, to the point where people start considering abandoning it.

Finnaly

Finnaly, now i can track down this person and kill him as revange for all the porn mail I'm receivning. Wait, that i want... hmz pr0n&spam or no pr0n&no spam... Difficult decison

Re:Kill them?

Someone sends you porn... you have a serious desire to kill them.

It is the same sort of rage that you feel at someone who cuts you off in traffic, or listens to their voice mail with the volume cranked up. Hatred is a common reaction to extreme rudeness and spam is rudeness taken to the nth degree.

The gut reaction of hatred caused by spam has very nothing to do with logic. When I think about spammers logically I think they should be fined to the point at which their business case is destroyed and in extreme cases (fraud, illegal merchandise) they should go to jail. When I waste 30 minutes filtering mail or miss an important mail because of spam then, just for a second, I'd like to bloody the nose of the assholes responsible for it.

*sigh*

SPAM will continue to exist until people stop making spam profitable. It's a bad side effect to greed. People will do anything for a buck.

Legislation won't help. Technology hasn't been able to help that much yet. Basically, advertising is here to stay, and you can do one of two things, make yourself invisible so you can't be advertised to, or accept it.

Companies want you to be a consumer, so that they can keep being producers. There's too many companies, so they are going to fight hand over foot to get their product into your mind in whatever method they can.

-Eric

Re:*sigh*

Ugh, will people give that up?
Spam will *always* be profitable as long as email is free. It's essentially free advertising, and therefore it will always be profitable to someone.

Re:*sigh*

SPAM will continue to exist until people stop making spam profitable.

SPAM will continue as long as spammers percieve that spam is profitable.

I have never read an article where a spammer actually gave solid documentation of how much money he or she made. I've always read that "for a successful campaign, I get between this much and that much on a sales rate of this much or that much on a click through rate of about this on a distribution of about that."

Sending spam is a get-rich-quick scheme, and the people participating lie about how much money they make, just like every other stooge in every other get-rich-quick scheme. Spam will continue to exist as long as shitheads who live in trailers with high-interest credit cards will agree to "spend money to make money" by buying scam email proxy servers and scam bulk email software.

Re:*sigh*

Blockquoth the poster:

Legislation won't help. Technology hasn't been able to help that much yet. Basically, advertising is here to stay, and you can do one of two things, make yourself invisible so you can't be advertised to, or accept it.

That's unnecessarily defeatist. Spam will always exist as long as it's profitable, as you say. Laws and tech can both raise the cost of spam or, equivalently, decrease its effectiveness. Imagine if all email programs came with a default-on advanced spam filter, and you had to go through hoops and hurdles to turn it off. How many people would choose to receive spam, even among those who (in my opinion, assininely) click through on the spam they receive?

I'll let Hanover Fiste speak to this:

He's nothin' but a low-down, double-dealin', back-stabbin', larcenous, perverted worm!! Hangin's too good for him!! Burnin's too good for him!! He should be torn into little bitsy pieces and buried alive!!!

Con means anti-Pro, Congress is the anti-Progress

There are some things the US Government is just plain contradictory on because, well, We the People are contradictory on the topic.

We shout out that we have the First Amendment rights anytime somebody tries to tell us not to speak, but then we strugle to find a way to make other people we don't want to hear shut up. The fact is, anywhere you create an unregulated communication medium, the smut, scum, and scam people will definitely show up to play. It's just the way things work.

Re:Con means anti-Pro, Congress is the anti-Progre

Not american, but still... Yes, free speech. Everyone's entitled to free speech. Everyone's also entitled to not listening if they don't want to - and for me, this is where spam crosses the line. The mere fact that you have to go through so much pain to keep your e-mail box spam free is indicator of how annoying these people can get in order to FORCE you to read their advertisements.

Re:Con means anti-Pro, Congress is the anti-Progre

I think many people aren't quite clear on the first amendment. It says roughly that we have the right to say what we want. However, it does not say that we can force people to listen or that we have any right to be heardd.

It should be noted, before I say anything else, that corperate speech does not fall under free speech. General unsolicited email might be covered under the first amendment, but spam advertizing something business related isn't.

Additionally, sometimes what people consider free speech crosses over into things which are illegal. You can tell something, but if you follow them around and continue telling them, that could be considered harassment. You can put up a protest, but if you threaten people or indimidate others or keep people from getting to work or cause a large disturbance or many other things, you're protest has crossed the line of what is legal.

The point is that you can say whatever you want when it doesn't affect anybody else, but we don't live in a vacum and your right to swing your fist ends where my nose begins.

The actions of spammers are destructive and cost people time and money, even if you ignore fraudulent spam. To say that it should be legal by first amendment is to ignore much of the issue.

Make unsolicited e-mail cost...

I think MS might have been onto something with Penny Black... if sending unsolicited e-mail (sending to an address that didn't have you on their contact sheet) cost a small micro-payment, it would quickly offset any profits to be made from spamming on the scale described in the article, and wouldn't be prohibitive to those who needed to send the occasional unsolicited e-mail.

It's either that or get into the murky waters of concrete identity, and of the two the former is the least opressive regime.

CAN-SPAM

This is more proof of why Spamhaus called CAN-SPAM the "National Right to Spam Act."

Blech. Shoot 'em all.

I don't get CAN-SPAM

I just don't get it. I mean, Congress bending over backwards to legitimize obnoxious behaviour by big corporations I can understand; that's pretty much what it's for, these days.

But spammers? They're not particularly organized, as far as I know. It's not as if the Viagra-and-penis-extension lobby is a major campaign contributor. So what gives? Are Congresscritters really so consistently stupid right across the board, AND their staff, AND all the IT and telecoms industry lobbyists who must have had something to say?

Or were they worried about the effect of (useful) legislation on political direct-email campaigns? Maybe. But I can't see how that would benefit one party more than the other, so why care?

Double standards?

On page one of the article:

"Richard Cunningham" more than likely isn't his real name; he won't say one way or another

And on page two:

"They are nothing more than kooky Net trolls out to profit and glorify themselves off a so-called problem more so than actually attempting to fix the so-called problem," he said. "They do not scare me, and the likes of them are cowards hiding behind a computer screen."

If he ain't scared, why hide behind a false name?

My spamproofing

I use postfix, but sendmail can do the same:

1. reject_unknown_client is on. This means that a connecting client MUST have a reverse-dns lookup for its IP, and the resulting name MUST resolve back into that IP. This alone blocks most spammers before their client can even begin to send a message.
2. I use xbl.spamhaus.org. This is a wonderful thing. This blocks not only any box known to spam, but also any box found to be infested by some virus, ie zombies. Once again, this stops them dead before the message even starts.
3. In the unlikely event that they get past those hurdles, I have a homebrewed filter that watches for bogus HTML tags, since they like to intersperse bogus empty tags in the middle of words in order to foil content-based filters. This simple filter actually blocks 90% of anything that made it that far.
4. Spamassassin. The few brave soldiers of spam that got this far rarely pass this. I leave this filter near the end because it's rather CPU intensive...
5. Finally, a simple procmail rule: If my name isn't in the "To:" or "Cc:" line, file it as spam.

I haven't seen a spam message in, uh, maybe a year or two?

Re:My spamproofing

That's all well and good, but do you have any idea how many false positives that system has generated over the last year or two? I'm curious, because it sounds like it would reject a lot of list mail and "cold" contacts from people asking for help with stuff (which is something I'm happy to answer when I have the time).

p

It's the mail you don't get that matters

While your techniques will all stop spam, they will also stop a great deal of legitimate mail (ham). Stopping spam is not the hard problem Stopping spam while letting ham through is the hard problem.

If businesses did what you did, most of them would go out-of-business.

Saying CAN-SPAM causes spam seems like a stretch..

The article also tells how the CAN-SPAM Act, which legalises spamming, is turning the US into the spam haven of the world.

I think CANSPAM is an awful law. It overrides much better and stricter state laws, and it doesn't really do anything to reduce SPAM.

However, it seems like a stretch to say that CANSPAM is turing the U.S. into a SPAM haven. I think most spam recieved in the U.S. is tied to U.S. businesses, even if it's sent or bounced through servers abroad. Just because spam from US servers have increased doesn't mean CANSPAM is the cause - you can use logic like that to "prove" that pr0n is good for kids [techcentralstation.com].

I wouldn't be surprised if part of the reason for the increase is that there are more virus-laden compromised computers in the U.S. to relay spam off of.

Banks are the benefactors of mortage spams

It is amazing to me that the ultimate benefactors of mortgage spams are generally banks, one of the stodgy, conversative types of organizations around. (And rightfully so). Now, they need several layers of spam-laundering in order to hide themselves with plausible deniabilty from the spammers. But, it seems to me that an organized campaign to lobby and educate banks and other financial institutions ought to be able to eliminate mortgage spam.

1.2.3. Profit

From the article

"As long as it makes me money, I'll continue to do it."

That's the key issue here. As long as spam is profitable people will continue doing it no matter how illegal it is. When 1 in 19 AOL users stop clicking on spam, Mr Cunningham and his friends will go away for good. Personally I haven't received any spam whatsoever since I moved away from Hotmail a few years ago. My university email is as clean as a baby's but and my yahoo.se is very clean (1-2 a week). Most likely because my univeristy has a very competent IT staff.

The further development of filters and smarter users are, imo, the things that will make spam go away... in a few hundred years or so...

A day in the life of a spammer

8:30 AM: Wake up.

8:35 AM: Morning stretches and exercise.

8:55 AM: Pray for forgiveness for being a subhuman piece of filth, hoping to save already-rotten soul from the deepest pits of Hell.

9:00 AM: Shower.

...etc.

Holy crap...

Take a look at http://www.specialham.com/ [specialham.com]. I had no idea spammers were being this open. For example, check this message [specialham.com]:

Anyone interested in an undetected socks 4 bot for computers that you have access to? Completely undetected and self-spreads via unique methods.

-Executable for sale only (no source)
-Updates
-CGI/PHP notification
-Random Ports or user defined port.
-EXE only

aim: ofno

"self-spreads via unique methods": Hello, I am selling MSDoom.VQY. Jesus Christ.

And they're sponsored by [specialham.com] our old friends, The Bulk Club [slashdot.org]. Can't we spread a rumour that Osama is actively funding spammers or something?

What really gets me...

... about spam, is it just doesn't apply to me. You see, I have a degree in computer science. This means:

1. I don't want a degree from a prestigious non-accredited university.
2. My sex life is well beyond being helped by Viagra, or anything else in pill form.
3. Outsourcing means I can't afford a mortgage (okay, actually I'm employed, but work with my joke).

Just quarantine the US.

No, seriously. If 80+% of spam originates in the USA, and the US congress is daft enough to pass laws like CAN-SPAM global ISPs should hold a "cut the link" week and block email traffic from the USA. Just imagine the chaos and media attention that would cause. And it would be media attention is something that makes politicians squirm. A question, though. Can anyone explain to me what would make US lawmakers vote in favour of this bill? It seems like the kind of thing that any semi-sentient 14 year-old would be able to critically dissect as narf idea in about 12 seconds.

As I always do when a spam story pops up...

...allow me to pimp two of my favorite projects. First up is the Unsolicited Commando [astrobastards.net] project. It's a little java app that spends its day quietly and merrily filling out forms on spamvertised websites with completely bogus - and yet totally real looking - data. It's especially effective against - surprise! - mortgage/refinance spammers, which seems to be the specialty of the dirtbag mentioned in the article. Go check it out, and the source code is available just in case you think something fishy is going on.
The second page I'd like to point you to is here [hillscapital.com]. It's a 'Lad Vampire' antispam page that also targets spamvertised websites, but in a different way. The page links to individual images on the sites and constantly reloads them without caching, thereby burning up the spammers' bandwidth and driving them out of business (or at least costing them some money and forcing them to sell their children on the black market). Be forewarned that the page has no help, no documentation, and *only* works in IE, so don't yell at me about that. The source code is available for that as well, so here's hoping someone can make it more usable in Moz, Opera, ThunderFireBunnyChicken, or whatever browser is your fave.

Spam: born in the USA. Why?

Because spammers go where the bandwith is.

From an interesting article with some insights about the reason why most spam is US based:

http://www.compliancepipeline.com/28700163

"The United States is the origin of choice for spammers, said Alperovitch, because of the plentiful supply of cheap high-speed bandwidth. "Spammers need big pipes, and they don't want to pay much for it," he said.

That explains the low percentage of spam messages originating from overseas' IP addresses. The lack of cheap bandwidth outside the United States is stymieing spammers' attempts to scale up the volume of their mailings to U.S. sizes."

I'm working on some hostile spam filtering

I've been getting a deluge of spam since I rebuilt my main server and lost my TMDA filtering. Looking at the volume, I realized that I was spending a significant amount of space storing spam and a significant amount of bandwidth sending bounce messages.

I'm currently working on a new filtering solution. The first step is SPF record checking. If the sender forged the address of a site that publishes an SPF record, I reject the mail. The second step is all mail now goes through postgrey. Postgrey is a greylist that tells the sender to try again in a while. That actually seems to work pretty well, though it does delay my mail by about an hour. The third step, which I'm still working on, performs two checks. It checks to see if the sender's on a whitelist and if he is, it lets him through. If he's not, it checks to see if the mail's encrypted to my personal GPG key. If it's not, the mail gets rejected (At the MTA, so I don't have to send a bounce message.) I can always eliminate the second step if the spammers ever figure out how to deal with that. I'll be changing the GPG key on a regular basis to keep the target moving.

It's a pretty extreme solution, but all of about 3 people in the world send me legitimate E-Mail and I was getting 200K+ of spam a day. With that S/N ratio, I may as well just turn my E-Mail server off. This is the next best thing.

I use to hate spammers but not as much anymore

but I was on hotmail then, on yahoo, my bulk folder does a good job, so I rarely see their junk and I am not annoyed as much. A good spam filter is like Tivo...

After having been a victim of the jacked up job market, How is a man to survive? I can see why some of em do what they gotta do.

The original idea of cable TV was to be commerical free. We pay for cable TV just like we do for our internet connection. I consider TV commericals SPAM. I did not ask for it, but likewise they advertisers always go, "We have to make profit." Why is it that people put with cable commericals but not spam? Then there is the movie theaters. It use to be that if you went there, the previews start a few minutes before the movie time, and the movie starts on time. But today? commericals come first at the time the movie is suppose to start, then the previews, then the movie.

Spam is here to stay. It is NEVER going away. The day SPAM can be completed eliminated from the net, well, I certainly wouldn't be on it, cuz it must not be a free net. One of the pain of freedom is that those you do not like are also free to do the things you do not like for them to do.

We should battle SPAM the right way, not by banning it or attempting to. Suing the company for wrong advertisment (if they did.) Ordering from the company then returning the product. Credit card charge backs are in the average range of $20 per charge back for internet companies. Imagine if 1,000 people ordered then cancelled their orders. $20,000 in extra fees for the company selling the junk.

How to deal with this man.

Let's get a collection have this man removed from the planet in a very slow and painful way.

It amazes me just how ineffective our government can really be at times.

If everyone greylisted spam would die

The most effective tool I have seen so far is greylisting. greylisting reduced the amount of spam from 3000 to 6000 a day to 5 to 10 spam a day. Include spamassassin and the spam that does get through greylisting gets nailed. spam problem solved.

Now if everyone greylisted the spammers would be out of business. But people here, which should be technologically knowledgable, seem to just complain about spam. Implement greylisting on your servers along with spamassassin! You will not regret it.

Since doing this I have actually been able to get back to real work instead of worrying about spam.

a mortgage is serious

A mortgage is a serious transaction ... so why in the hell would anyone in their right mind trust somebody who can't even spell mortgage in an honest way? It baffles my mind!

No thanks, I'll pass on that m0Rt~ga'gE offer, you shithead.