Requiring stronger passwords works because there are an amazing number of websites that have registration algorithms that prohibit a password of MORE than 8 characters (or one containing special characters). The spambots that use the same password everywhere have to choose one or the other, and the 8-character-and-under-password websites are the low hanging fruit.

It would be nice if ignoring them made them stop. For instance, I will never reply to anything advertised in spam. I report quite a lot of spam, and spammers know it. (I've seen my email address posted in spammer forums on a list of "antis.")

Yet the spammers keep mailing to that same address, and my spam volume keeps growing. I used to think 50 spams a day was a lot. Now I get more than that in an hour, as the spammers try to compete for the attention of the few people who will respond to their messages. Making it hard for them to get noticed only makes them increase the volume.

I believe the article said he spent four years contacting the owners of the forums to try to educate them that they are displaying advertising for stolen credit card data, and that he then tried notifying the hosting services, also with no response. Sounds like he agrees with your stipulation and followed it.

Actually, it wouldn't help to email him to unsubscribe. He's not the one sending you email. He just sets up a vacation message on a spambot's email account. In effect, you're sending yourself email when you autorespond to a spambot with an autoresponder. The best suggestion is the one above, to set up a filter to autodelete any random digilante emails if you don't want them. It's not like he's changing or obfuscating them to outwit your spam filters. What I'd like to know is whether he can confirm his assertion that once a forum has instituted a strong password requirement -- so even the initial attempt at registration fails -- that forum is removed from Xrumer's preloaded list of forum URLs. If so, the reduction in bandwidth ought to make that a much better strategy than permitting registrations and subsequently deleting/sandboxing the bots.

I think every country in the world has an agency that would be an appropriate choice to take over for Bobbear's role in catologing and publicizing scams. It's called "law enforcement." Bobbear has done an invaluable service cataloging and publicizing these scams. But these are crimes that take advantage of the interconnectedness of modern banks, and the only way to effectively fight them is through cooperation of banks and law enforcement agencies around the world. They should be baiting these guys -- not to get embarrassing pictures of the scammers, but to gain intelligence on their upcoming thefts. A banking-law enforcement liaison team could set up dummy bank accounts which would sound an early warning as soon as money was transferred in. By alerting a victim's bank immediately, the scam can be aborted and the money returned before the mules' banks opened in the morning. The scammers recruit mules through spam sent to millions of recipients. It would be an easy thing to flood them with responses, so there are so many responses from undercover investigators that the scammers are unlikely to indentify real mules.

Actually, ThePlanet and SoftLayer are probably pretty good at responding to complaints about pirated content, because the people filing the complaints are doing so on law firm stationery and are prepared to get punitive damages against any firm which fails to take action... The people suffering harm from C&C servers are the people whose computers are infected and the people whose inboxes are full of spam. It's not a single wealthy copyright holder who can justify an expensive legal fight. In general, the victims of botnets are not rich, not powerful, and often not clueful about the internet. And when larger entities -- like ISPs whose servers are clogged with spam sent to their customers -- have tried to use the legal system, they have run into problems with judges who didn't understand the issues.

If you report something to Google, they take action very quickly. It's just a pain to report to them, via web form, one URL at a time. When they are getting abused by criminals, it takes them a while to fix the ineffective captchas or to scan their docs/blogs for clones of ones that have already been reported a few hundred times. They do eventually get their act together. They really need a better system for accepting bulk submissions. Currently, they're on top of the Blogspot and Google Docs abuse. But when Microsoft finally gets its act together and boots the spammers off Live Spaces, they'll be giving Google another try. Then we'll be starting all over trying to get the attention of someone with authority to shut down more than one user registration at a time based on the pattern of abuse, without waiting until the spam has already been sent.