
Spambot Poisoner 187

halfelven writes: "Sugarplum, the anti-spambot fighting machine, is out! Quoting from their website: Sugarplum is an automated spam-poisoner. Its purpose is to feed realistic and enticing, but totally useless data to wandering spam-bots such as EmailSiphon, Cherry Picker, etc. The idea is to so contaminate spammers' databases as to require that they be discarded, or at least that all data retrieved from your site (including actual email addresses) be removed." I've seen this sort of thing before, but I just figured it's a fun thing to chat about on a holiday. It would be cool to put this on Slashdot some time: I bet I'm not the only Slashdot reader whose email address has been slurped.
  • The fraction of invalid data that this is going to put in the databases is unlikely to warrant the spam trawlers bothering to do anything about it.

    Do they even bother checking anyway? Don't they just trawl millions of things-that-look-like-email addresses, and sell them on CDs to the ****s that send the spams?

    There's still bound to be far more valid email addresses than false ones trawled, anyway.
  • I've been doing it with junk snail mail for years. I save up the junk mail that contains postage paid envelopes, go thru it to make sure my name/address/bar code info, etc is not in it. Then swap the info among several different senders and pitch it in the mail. Surely the folks trying to sell me vacation condos need info on panty hose that don't run. And I know the credit card companies are thrilled to get info on how to avoid bankruptcy. It even helps the postal service earn more bucks.

  • Even from the minor details allowed here, this system will clearly not work. Spammers will quickly evolve past this. When Hotmail and a host of other web-email-providers instituted the "Bulk Mail" option, the press gave kudos and hailed it as a solid wall against spammers.

    Um....maybe it's just me, but I haven't noticed any slow down from this type of refiling system, meant to filter unwanted spam. All I've noticed is an adaptation wherein the spam is more personal and harder to detect, thus making it more likely that I'll read one of these ridiculous suckers. Enough with the anti-spam....let's just spread the word that spamming causes impotence - that oughtta work.

    1. P 2 P___H U M O R [mikegallay.com]
  • Hotmail has finally limited its number of blocked addresses and Yahoo will likely do the same thing soon. You got Wine [winehq.com] to work with Outlook? oh right, Win9X/2K/etc. :{)
  • 2's not surprising -- the site's very new, and most of the big block were from testing (friendly spammers?)
  • If you do this.. not only will you fool spambots, but you will fool *humans* as well!!

    Personally, I always remove nospam from emails I'm trying to send... how would I know yours is genuine?

    Andre060
  • You're obviously not paying attention. It was just explained how spammers may compile a list of valid addresses and you reply saying your address was sold? No it wasn't.

    I highly doubt any reputable ISP, especially one the size of SW Bell, would ever sell the addresses of their user base.


    --
    Turn on, log in, burn out...
  • by aqua ( 3874 ) on Thursday November 23, 2000 @12:36PM (#604929)
    http://www.svn.net/~aqua/atlantic/sugarplum/ [svn.net]

    Thanks for the attention, all. The freshmeat posting was quite manageable, but slashdot's is more than the 128kbit outbound can handle. Asymmetric DSL sucks in a substantial number of ways.

    aqua
    (sugarplum's slashdotted author)

  • I guess that the next thing would be to put invisible (to human readers) links to poison pages on my main web pages.


    Fascinating idea. Tell me though, what does invisible text sound like?

    Is it also invisible in lynx?

  • So the spambot can be programmed not to be trapped forever. BUT, if you have Wpoison generate links to Wpoison'ed pages on other domains, that could make life harder for the spammers. Given a large enough network of participating websites, said spambot might never figure out it has been fooled once it first took the bait.

    It just might work.
  • by Anonymous Coward
    Hey! They sent him their phone number in an email message addressed specifically to him. Is he supposed to keep them waiting by the phone? That would be cruel.
  • FWIW, there are patches available for qmail such that after a configurable number of RCPTs, the smtpd turns into a tarpit (starts deliberately slowing down the connection unto unusability). It wouldn't be difficult to adapt that to count only bad RCPTs, or similar. That, or issue transient failures after a smallish number of RCPTs, so legitimate MTAs will try again in a bit. Stateful comparisons would help quite a bit too (if >75% of usernames requested are in /usr/dict/words, you're probably the target of a dict attack).
  • From the Teergrubing FAQ:
    E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources.
    If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts.


    Only likely to work if you can force massive RFC 974 compliance. Otherwise it's just another reason for spammers to prefer to use a third party (including ISP provided) relay.
  • The idea sounds good, but I do not see a $60-per-year [networksolutions.com] option as a valid option...
    It still is cheaper to click BlockAddres in your Yahoo! account or make a rule in your Outlook


  • Maybe when the hapless admin is paged at 2 am she can stop their server from acting as an open relay.
    Doubt it would stop ISPs providing their own third party relays. With some ISP business models there is little difference between the ISP machine and an open relay anyway.
  • by Anonymous Coward
    This used to work when there were auto reply spam email. I had made a list of auto reply spam emails, it was about 40 addresses. When I received spam mail with an autoreply, I would send an email with the list of auto reply spam as the address and the return address of the original spammer. Spammer would auto reply to auto reply spammer. I took down many servers before they got wise. Received many angry emails also.
  • The spammers try to filter out invalid addresses, so all you need is a real address that seems to be invalid.

    Only if they are delivering their own mail. If they are using a relay they probably aren't going to care, since someone else will be getting the error messages.
  • When submitting a form, I usually give my email as theirs. For example, I've signed up RealPlayer to send as many 'product updates' as possible to support@real.com. I hope they like it. Or, I use the one mailhost guaranteed never to point to a real machine, example.com.

    Then there's anything@spamcheck.bizland.com, where I can change 'anything' to the name of the site I'm giving it to (see my slashdot email), and later filter all mail coming to that address if it starts getting spammed.

    --
  • by bero-rh ( 98815 ) <bero AT redhat DOT com> on Thursday November 23, 2000 @08:35AM (#604940) Homepage
    The speed of poisoning depends on what poison you use...
    I tend to think a spammer with an address database containing root@localhost [mailto], postmaster@localhost [mailto], abuse@localhost [mailto], root@localhost.localdomain [mailto], abuse@localhost.localdomain [mailto], root@[127.0.0.1] [mailto], postmaster@[127.0.0.1] [mailto], abuse@[127.0.0.1] [mailto], and uce@ftc.gov [mailto] wouldn't have too much fun before being kicked by his ISP.

    Unfortunately, many spambots are probably intelligent enough to filter out the common variants of these...
  • try variations of that name at various domains

    uh. this is true, i've seen myself having multiple new e-mail addresses - of course they were only relayed through these odd servers but still... i'd like to nuke all spammers, as everybody else, but there's very little we can do right now. anyway, i didn't read the Sugarplum website but i'm heading there next..

  • http://www.spamgourmet.com -- while surfing, you can invent limited-use email addresses whenever you want them. Any mail sent to such an address after its limit has been reached becomes nothing more than a statistic...
  • by geirt ( 55254 ) on Thursday November 23, 2000 @08:40AM (#604943)

    Blow the spammers away by stopping their tools:

    From the Teergrubing FAQ: [iks-jena.de]

    E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources.

    If it is possible to hold a mail connection open (i.e. several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts.

    A teergrube is a modified MTA (mail transport agent) able to do this to specified senders.

    Read the full story in the Teergrubing FAQ: [iks-jena.de]
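The two ideas from the comments above (count bad RCPTs and watch the dictionary-word ratio, then hold the connection open with SMTP continuation lines and finish with a transient failure) can be combined in one per-session policy. This is an added example, not part of any comment and not code from qmail or the Teergrubing FAQ; the word list, mailbox table, thresholds and reply texts are all assumptions.

```python
import time
from dataclasses import dataclass

# Constructed stand-ins: a tiny word list in place of /usr/dict/words and a
# two-entry local mailbox table. Every threshold below is an assumption.
DICTIONARY = {"john", "mary", "admin", "sales", "info", "alice", "test"}
VALID_USERS = {"alice", "k7qz"}

BAD_RCPT_LIMIT = 3      # bad recipients tolerated before the tarpit starts
DICT_RATIO = 0.75       # ">75% of usernames requested are dictionary words"
MIN_SAMPLE = 4          # do not judge the ratio on fewer RCPTs than this
DELAY_STEP = 5.0        # seconds of delay added per bad RCPT over the limit
MAX_DELAY = 60.0        # cap per reply; also used once a dictionary run is seen
CONTINUATION_LINES = 4  # lines per tarpitted reply, each sent after a pause


@dataclass
class Session:
    """Counters kept for one SMTP connection."""
    rcpts: int = 0
    bad: int = 0
    dict_hits: int = 0

    def dictionary_attack(self) -> bool:
        return self.rcpts >= MIN_SAMPLE and self.dict_hits / self.rcpts > DICT_RATIO

    def delay(self) -> float:
        """Seconds to spend on the next reply; 0.0 means answer normally."""
        if self.dictionary_attack():
            return MAX_DELAY
        over = self.bad - BAD_RCPT_LIMIT
        return min(MAX_DELAY, DELAY_STEP * over) if over > 0 else 0.0


def on_rcpt(session: Session, address: str) -> list:
    """Return the reply to one RCPT TO as [(seconds_to_wait, line), ...]."""
    user = address.strip("<>").split("@", 1)[0].lower()
    known = user in VALID_USERS
    session.rcpts += 1
    session.bad += not known
    session.dict_hits += user in DICTIONARY
    delay = session.delay()
    if delay == 0.0:
        return [(0.0, "250 OK" if known else "550 User unknown")]
    # Tarpitted: "451-" continuation lines keep the reply unfinished, and the
    # final "451 " line is a transient failure, so a legitimate MTA retries
    # later while the bulk sender has spent `delay` seconds on one recipient.
    step = delay / CONTINUATION_LINES
    reply = [(step, "451-Please hold")] * (CONTINUATION_LINES - 1)
    return reply + [(step, "451 Try again later")]


def send_reply(write, reply, sleep=time.sleep) -> float:
    """Emit a scheduled reply through write(bytes); return seconds waited."""
    waited = 0.0
    for wait, line in reply:
        sleep(wait)
        waited += wait
        write((line + "\r\n").encode("ascii"))
    return waited


def run_session(addresses):
    """Replay RCPT TO addresses without sleeping; return (lines, total delay)."""
    session, sent, total = Session(), [], 0.0
    for addr in addresses:
        total += send_reply(sent.append, on_rcpt(session, addr), sleep=lambda s: None)
    return sent, total


if __name__ == "__main__":
    guesses = [f"{name}@example.com" for name in ("john", "mary", "admin", "sales", "info")]
    lines, seconds = run_session(guesses)
    print(f"{len(lines)} reply lines, {seconds:.0f}s of sender time consumed")
```

In a real MTA `send_reply` would be called with the socket's send function and the default `time.sleep`, so the pauses are actually spent on the wire.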

  • I may be paranoid, but how do we know that you're not an evil spammer trawling for our email addresses? Invite us to your site and the next thing we know we have half a ton of the rubbish in our inboxes.
  • I do not like the idea of using fake addresses to poison a spammers database, because of the obvious reason of perhaps (likely?) harassing someone completely innocent, namely the admins of your faked domain and the faked domain the spammer used in his sender address. If you use faked addresses, you reduce the usefulness of mail by an amount that's not appropriate in regard to the gain you get from the use of faked addresses.

    I think except the approach mentioned in another posting to use several of my own subdomains to delay a spammer (30 MX x 30 A x 70 sec), there are the following legitimate targets to use as spam targets in your web pages:
    • real addresses of known spammers (not the faked From: addresses!)
    • addresses taken from the web sites advertised in spam
    • Administrative contacts of well-known spammer domains
    • Addresses from politicians or economic leaders promoting spam and pro-spam laws
  • I habitually call them up late at night and play my stereo onto their answering machines... For an hour or so. It's not a harassing call, because they asked you to call them... OTOH, very few of them use 800 numbers any more :-))
  • The problem is, spammers will sign up about 50 accounts, many times using fake credit info, names and phone numbers. They do this on online signup pages for ISPs, usually the little mom and pop ones that don't do the immediate credit checks. They do this on Fri nights mostly. This way they have around till mon or tues before the accounts start getting whacked, problem is, in those few days, they can send millions of messages.

    Problem here is the business model of allowing access before verification. But if this is what the "big boys" do then the mom & pops have to do the same to stay in business at all.
  • I usually use a@b.c, guaranteed to go nowhere. But if the website requesting the address is a little paranoid, he can check the live validity of the server during the process, obliging to give a valid mail host.
  • I'm in a similar situation; one of my two Hotmail addresses is completely unpublished, unknown etc., yet still gets plenty of spam. (The other is three letters and two numbers @hotmail.com, and gets spammed into the ground...)

    That reminds me... I recently set up a Hotmail account for the sole purpose of getting spam: I have never used it for anything except to send mail to a few places that have spammed me, replacing getrich@spammer.com (or whatever it was) with delete@spammer.com.

    Interesting experiment, although I have to admit to being a bit disappointed -- I haven't received any spam yet!

    Sadly, I get plenty of it sent to my real email address thanks to a misconfigured mailing list I'm on.

  • Ya know, you'd think that, regardless of the mental fog that everyone's in when it comes to legislating the internet, it would be illegal to assume someone else's identity.

    Using your domain as a return address for spam strikes me as terribly unfair. It's a shame there are no existing laws to put folks who do that in jail.

    I used to own "boy.com" many years ago and gave up the domain for similar reasons. There would be a ton of email forged with that as the return address. The last straw was possibly illegal porno being posted to USENET with "boy.com" as the hosting site (forged, of course.) Back then--in 1995-1996--I decided to get rid of it because I thought it may be impossible to convince authorities that we had nothing to do with those postings.

  • Sugarplum is an interesting idea but a better one is to use the spammers techniques against them. Turn their strengths into weaknesses.

    A spammer looks for email addresses, and sugarplum goes some way to taking advantage of that fact by giving them crap addresses. Unfortunately it's fairly simple to check the validity of the domains and accounts.

    A better solution is to give spammers valid email addresses which are aliased to a spamtrap account; this is a system account whose sole job is to receive spam. You then know that anyone who sends mail to this account is a spammer.

    You now have information about who the spammers are and can use this information to block spam from real accounts.

    This is all described on the Spamido web page [freeserve.co.uk] along with some procmail recipes which can be used to implement it.

  • I'd love to mirror interesting sites like this, but my ISP is a small consumer-owned coop with a single T1 serving ~100 customers. which leads me to the following question:

    How hard would it be for slashdot.org to provide a load-balancing mirror service? I'm thinking of a simple round-robin url-redirection to mirrors of potentially slashdotted sites.

    So if I want to volunteer a mirror of a site referenced in an interesting slashdot thread I could submit it to slashdot.org with a maximum HPM ceiling so that my ISP wouldn't get bombed with excessive traffic.

    This is nothing fancier than the typical web-farm distributed processing. I would be happy to offer *limited* bandwidth to mirror a site with relevant content. I just don't want to slashdot my own coop.
    ==============
    (this post was spell-checked by OmniWeb - all grammatical errors are mine)

  • Well 0.24 gbp [uk2.net] a year isn't really that bad.
  • I use Bizland.com [bizland.com] mail forwarding. It works the same way as the first poster's idea, but with a free subdomain. If I remember correctly, with Sneakemail you have to log onto their site every time an address gets spammed and delete/change the account. This way, all you have to do is add it to your filters, which seems to be more convenient to me.

    --
  • I often browse the httpd access logs for sites I run, and regularly notice spidering behavior from hosts with a Mozilla user-agent string.
    These hosts generally don't read robots.txt, instead they start at www.yourdomain.com and follow all the links from there. Some of them are even stupid enough to visit the same page multiple times if that page is referenced from multiple pages on your site.

    Probably the worst thing about these rogue web robots is that there is no way to identify and block them without having a daemon monitor the access logs in real time looking for this activity and adding the appropriate Deny rule to the config once a host is identified.
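The log check described in the comment above can be run as a batch pass over the access log: find hosts that pull many pages in a short burst without ever requesting robots.txt, count repeat fetches, and print Apache `Deny from` lines for them. This is an added example, not part of the comment; the thresholds, the page-suffix list and the sample log lines (documentation-range addresses) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# host ident user [timestamp] "METHOD path ..." (Common/Combined Log Format prefix)
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')
PAGE_SUFFIXES = ("/", ".html", ".htm")  # count pages, not images or stylesheets
MIN_PAGES = 5                           # assumption: pages per burst that count as spidering
WINDOW = 60                             # assumption: burst window in seconds


def _hit(host, clock, path, agent):
    """Build one constructed log line for the sample below."""
    return (f'{host} - - [23/Nov/2000:{clock} +0000] "GET {path} HTTP/1.0" '
            f'200 512 "-" "{agent}"')


# Constructed sample: a spider posing as Mozilla, a crawler that reads
# robots.txt first, and a human visitor.
SAMPLE_LOG = (
    [_hit("192.0.2.10", f"08:00:0{i}", p, "Mozilla/4.0 (compatible)")
     for i, p in enumerate(["/", "/a.html", "/b.html", "/c.html", "/a.html", "/d.html"])]
    + [_hit("198.51.100.7", f"08:10:0{i}", p, "ExampleCrawler/1.0")
       for i, p in enumerate(["/robots.txt", "/", "/a.html", "/b.html", "/c.html", "/d.html"])]
    + [_hit("203.0.113.5", c, p, "Mozilla/4.0 (compatible)")
       for c, p in [("09:00:00", "/"), ("09:00:01", "/logo.gif"), ("09:02:10", "/a.html")]]
)


def analyse(lines):
    """Return {host: {"robots": bool, "pages": [(datetime, path), ...]}}."""
    hosts = defaultdict(lambda: {"robots": False, "pages": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, stamp, path = m.groups()
        path = path.split("?", 1)[0]
        if path == "/robots.txt":
            hosts[host]["robots"] = True
        elif path.endswith(PAGE_SUFFIXES):
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            hosts[host]["pages"].append((when, path))
    return hosts


def max_burst(times, window=WINDOW):
    """Largest number of requests that fall inside any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def suspects(lines):
    """Hosts that spidered without reading robots.txt: [(host, burst, repeats)]."""
    found = []
    for host, info in sorted(analyse(lines).items()):
        paths = [p for _, p in info["pages"]]
        burst = max_burst([t for t, _ in info["pages"]])
        if not info["robots"] and burst >= MIN_PAGES:
            found.append((host, burst, len(paths) - len(set(paths))))
    return found


def deny_rules(lines):
    """One Apache `Deny from` line per suspect host."""
    return [f"Deny from {host}" for host, _, _ in suspects(lines)]


if __name__ == "__main__":
    for host, burst, repeats in suspects(SAMPLE_LOG):
        print(f"{host}: {burst} pages in {WINDOW}s, {repeats} repeat fetches")
    print("\n".join(deny_rules(SAMPLE_LOG)))
```

The User-Agent field is deliberately ignored: the spider and the human in the sample send the same Mozilla string, so only behaviour separates them.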

  • I pity dev@null.org, my personal choice of 'fake' e-mail address... :)
  • I do the exact same thing with a free subdomain from Bizland.com [bizland.com].

    --
  • by darylp ( 41915 ) on Thursday November 23, 2000 @08:06AM (#604960)
    I notice one of the fake email addresses they have in the sample output is one @yahoo.com. Surely, this isn't really a _fake_ email address, as it's pointing to a valid mailserver? (Thus causing yahoo.com to be clogged up when the next round of spam discharge is fired.)

    And you've got to feel sorry for sweetp@dash.com!


  • So the solution is: Get yourself a valid email address with "nospam" or the like in it - The spammers will do the work for you and exclude you from their lists.


    That's something like reverse psychology for the spambots, isn't it? :)

    Of course, if I were a spambot author, I'd include all sorts of regex's to de-mangle the most common forms of address mangling. With that in mind, I reason that the best course of action is to just mangle your address to the point that it doesn't look like one.

    As an example, you may note that *my* slashdot email address has the @ and . enclosed in both braces and spaces. Any human would be able to demangle it to a valid address, but spambots don't even see it. As an added bonus, the humans who email me don't have to decide which words of the address to delete, lessening the margin of error.
  • by bleh-of-the-huns ( 17740 ) on Thursday November 23, 2000 @08:45AM (#604967)
    You have no idea how it works do you....

    With the exception of psi.net, the rest actually do enforce their AUP.

    The problem is, spammers will sign up about 50 accounts, many times using fake credit info, names and phone numbers. They do this on online signup pages for ISPs, usually the little mom and pop ones that don't do the immediate credit checks. They do this on Fri nights mostly. This way they have around till mon or tues before the accounts start getting whacked, problem is, in those few days, they can send millions of messages.

    I have played whack a mole with hundreds of spammers at my previous job as an Abuse person at a very large ISP (will not name the backbone provider who is based in louden VA :). Anyways, until there is a law that can be effectively used (not proposed bills), and enforced, spammers will use every which way they can. And every spammer that my dep managed to get rid of permanently, moved to psi.net, and as far as I can tell, they are still with psi.net after me changing jobs over a year ago.
  • by KevinMS ( 209602 ) on Thursday November 23, 2000 @08:45AM (#604968)

    Well, this also has been posted many times...

    Sneakemail.com [sneakemail.com] does all that for you without all that hassle.

  • by redhog ( 15207 ) on Thursday November 23, 2000 @08:58AM (#604971) Homepage
    Gave me an idea: Why not set up a whole load of domains that resolves to 127.0.0.1 (Or, if that can be done in the DNS protocol, I don't know the details of it (Sorry, I'm a luser): resolving to the requester)? They may be subdomains of "real" domains, and with just random names, so that they are hard to distinguish from real ones, and then poisoning the spambot with randomstring@random.spam.poison.domain?
  • by TekPolitik ( 147802 ) on Thursday November 23, 2000 @02:11PM (#604973) Journal
    The granddaddy of these was by Ron Guilmette (aka RFG). He probably still has it downloadable from www.monkeys.com.

    His one actually generates addresses at subdomains of cooperating domains. These subdomains have special qualities - they typically have 30 MXs, and each MX host has 30 As. Every single one of the As will go to a host that doesn't exist, but is on a routable network. Given the timeout for opening TCP connections of 70 seconds, you can keep a spammer (or their third party relay) busy for 30 * 30 * 70 seconds, for a total of 63,000 seconds, or 17.5 hours.

    I think Ron even has instructions on how to set one of these up.

    Don't just pollute their database - make them (and the queues at 3rd party relays who won't close up) spin their wheels for a day or so per address they scrape.

  • Thanks for the link! My skepticism has been mostly abated.

    One thing that answers my first concern (the ability to make a screenshot) seems to be answered by the spammer's like of PC Anywhere. I thought of BO... but thought that installing the server would be unlikely at sudden notice. A misconfigured PC Anywhere session, though, would be useful and fortunate for the attacker indeed!

  • while upgrading sendmail, I had somehow allowed the world to relay :-(
    A spammer hit my box and out of 23 messages only 6 were valid.
  • From what I've seen, they love sales@ and webmaster@. I get email for those and I've never used them with my domain.
  • I know there are spam reporting systems. Do any of those alert ISPs of the contact addresses contained in spam? So when a spammer uses mail or Web addresses as contact points for victims, that information will quickly be pointed out to the affected ISPs?
  • Yes, yahoo.com gets tons of invalid emails from the spammer because of this. Then, Yahoo sues the spammer for attempting to DOS their mail server. This is a good thing.
  • by SEWilco ( 27983 ) on Thursday November 23, 2000 @09:08AM (#604986) Journal
    The Wpoison web generator creates web pages with fake email addresses, and links to itself so a spam web crawler will be trapped within generated pages. Obviously a spam web crawler can be programmed to not be forever trapped, but Wpoison at least provides a trap for the unwary crawler.
  • Spammers are now running dictionary attacks against SMTP servers. A spammer will connect to mail.example.com and try a large (if not exhaustive) list of possible usernames. If the mail server gives an 'OK' message the address is added to the spammer's list; if it gets a 'user unknown' it discards it and goes on to the next. There was a piece of spamware that had the ISP that I admined hardcoded into its searches.
  • Second, I use the address as an identifier in my addresses. At mp3.com it's mp3@world-domination.net, at yahoo it's yahoo@world-domination.net.
    You just poisoned your own method by posting those email addresses on slashdot. If a spambot finds them here, you'll think mp3.com or yahoo sold your e-mail address.
    And yes spambots visit slashdot!! (so this program might be something they should use.)
  • So you're suggesting something like a Wpoison [monkeys.com] Web Ring. Or some other Wpoison central registry. It's tempting, but then spammers will crawl the list and use it to filter out Wpoison sites.
  • Calm down. I never stated that. The spammer will start an interactive SMTP session and run thru a series of RCPT's and keep the OK's. Thus if a spammer got an OK on joe_blow while on 'mail.example.com', he would know that 'joe_blow@example.com' was a valid address.

    Not all MTA's will give a "user unknown" error. If the machine is not the final destination of the email it can't possibly know anyway.
  • I have been using it for a few years now and have never upgraded it (or even looked to see if it was upgraded!) The thing is running here [middlewest.com].

    It does catch the spammers! I have seen spam harvesters sit there for days just going through page after page after page. And of course I just let it.

    However, make sure you have your robots.txt set up properly. I made a goof in the original one I had set up and ended up doing quite a number on Web Crawler. With some help from their tech support staff I got that fixed pretty fast.

  • There is a third party module for the Roxen webserver that's called the Email Address Cloaking Device [riverweb.com].. I use it, and it works very well..

    Before any content is served, it checks the User Agent; if it's a bot, it translates any MAILTO: links in the HTML into gibberish.. it eliminates the need to "spam-proof" your MAILTO: links.. (The only thing I'm worried about is spammers altering their bots to ID themselves as Mozilla, or something similar..)

  • personally, I'd be inclined to use something like lightgreen on palegreen1 [bcgreen.com] :-). I definitely like the idea. I guess that the next thing would be to put invisible (to human readers) links to poison pages on my main web pages. That and generating aliases to localhost.bcgreen.com, to point email addresses at.
    `ø,,ø`ø,,ø!
  • by pjrc ( 134994 ) <paul@pjrc.com> on Thursday November 23, 2000 @09:27AM (#605010) Homepage Journal
    Thus wrote "bleh-of-the-huns":
    ...so whether he has a db of 1000000 real addresses, or 1000000 addresses that are crap without 20 real addresses by luck, he does not care.

    Nowadays, there are an awful lot of people who are working to fight spam, which makes it quite a bit harder for a spammer. With cool services like Spam Cop [spamcop.net] (you copy-n-paste the spam w/ headers, and they track the spammer and stop that account, often within minutes), anyone can easily contribute to getting whatever account a spammer is abusing shut down as rapidly as possible.

    It works. I've tried spamcop several times, and every time the result was that someone had already beat me to it and the ISP had already shut down the account that was being abused. The spammer wasn't caught, but they were delayed and their job was made harder.

    This forces spammers to work harder, so the cost of sending a message is not zero. As an example, take a look at the material a hacker stole from spammer Premier Marketing, Inc [freewebsites.com]. It's clear that they had to use multiple people and a never-ending supply of stolen dialup accounts. They went to a lot of trouble to compile a giant list of known anti-spam activists who used services like Spam Cop (or read the headers themselves and called ISPs), so that their stolen dialups would hold out a little longer.

    It's easy to just throw your hands up in the air and accept spam as a fact of life. It's easy to feel like spammers are unstoppable. The truth is that these anti-spam countermeasures do make things harder for spammers. They increase the cost, from virtually nothing, to something. Admittedly, not much, but it doesn't take much to make some of the really lame-ass scams these folks spew unprofitable.

    There's also hope for the world in the kick-ass efforts of Paul F. Pete Wellborn III [federalcourts.com], the lawyer who's taken down a couple big-time spammers, most recently that annoying printer supplies guy!

    So don't give up. Even if you just press delete without a second thought, don't discourage others. There is hope. A lot of people are working against spam, and as more things like this come on-line, the cost and risk of sending spam will continue to slowly rise. A very Good Thing!

  • So, what you're implying is that the best way to really hinder spammers is to severely tighten up security on all computers? (makes sense to me) I get very little spam myself (maybe 5 a week), but a world without spam would be very nice.

    Bill - aka taniwha
    --

  • by www.sorehands.com ( 142825 ) on Thursday November 23, 2000 @09:34AM (#605014) Homepage
    I know people who have gotten spam on the address used on EBAY and NSI's whois.

    According to the terms of agreements, they cannot use the information from the board for spam.

    There is a statutory amount for copyright violation, why not use that against the list providers?

  • Either spammers spam random addresses, or hotmail is selling addresses to sex spammers.

    I'm in a similar situation; one of my two Hotmail addresses is completely unpublished, unknown etc., yet still gets plenty of spam. (The other is three letters and two numbers @hotmail.com, and gets spammed into the ground...)

    A friend of mine set up two Hotmail accounts, with very different user profiles: one honest (late twenties male geek, a couple of interests), one not so (maximum age, no interests...). Both have attracted some spam, but the first one gets far more - and he hasn't used either address publicly.

    So, no hard evidence here, but it looks to me like Hotmail have been leaking user profiles...


  • It is too bad there is no way to poison the sender of the spam. Spammers will evolve beyond this, they always do.

    On my Christmas Wish List, I want Santa to bring me something that doesn't exist. Something that's a great idea, but not actually possible. Ya know, like world peace, honest politicians or stable Microsoft products.

    I want an e-mail client that will automatically detect spam and e-mail virus hoaxes - with 100% accuracy, so I don't lose real messages - and without any intervention on my part, smurf the sender.

    Because, Dear Santa, I wish to be able to post my e-mail address with impunity, for all to see.


  • Spammers are now running dictionary attacks against SMTP servers. A spammer will connect to mail.example.com and try a large (if not exhaustive) list of possible usernames. If the mail server gives an 'OK' message the address is added to the spammer's list; if it gets a 'user unknown' it discards it and goes on to the next.

    Oh jeez, that's spooky.

    I'm administering several small domains running Linux. Now, I gotta admit, I still haven't read the many great thick tomes on Sendmail. I do have relaying from outside my LANs turned off, of course, but that's the only overt anti-spam measure I've taken.

    Running Sendmail 8.9.3, can anything be done to stop this?

    I assume modifying Sendmail to give an OK reply to every attempted username would simply result in a deluge of messages being bounced which would eat my bandwidth and still wouldn't protect my users. Turning off the OK to username queries would probably effectively block all incoming e-mail.

    So, what's a small-time sysadmin supposed to do?

  • But I don't think the active spammers using a relay are necessarily the ones harvesting the addresses. The harvesters probably automatically remove "nospam" in an attempt to boost the number of likely good addresses in the lists they are peddling to spammers.

    Burris

  • So why not limit new accounts to 50 pieces of email per day until the account is a few months old?

    And run a few simple filters on the mail to check if it's all got the same body text, or similar addresses, or something, flag it for a human to look at.

    Or, just keep all accounts from sending more than 50 pieces per day unless the user has specifically requested a higher limit - then watch the people who do for a while to make sure it's not spam.

    This doesn't even entail reading the email, unless it all comes up as identical... just looking at addresses and sending patterns.

    Blocking access to external mail servers would be a good idea too, at least until people ask for that to be changed on their account.

    That way, anonymous spammers wouldn't be able to create and abuse tons of accounts but regular users would, at worst, have to email the support staff to get the email limit and such removed.
  • It's not actually a copyright violation. It might be a contract violation if they agreed to something when they made an account, but it still wouldn't be a copyright violation.

    Copyright *can* cover pulling addresses from lists and all, but only when the organization shows creative intent. An alphabetical list of phone numbers, no. A street-by-street listing of number, maybe. But in any case, to use that information isn't a copyright violation, only reproducing it would be.

  • Lucky for your commie ass that I won't be using that email address much longer.
  • Don't forget, your average spammer is desperate for the low margin of sales he can hope to achieve. Thus, many of the spams I have received often contain 1-800-xxx-xxxx numbers for contacting them. Remember, with an 800 number, the receiver of the call is charged money for each incoming call to it.

    A friend of mine runs a script which intermittently dials the numbers in the evening when he's asleep and not otherwise using his line. Vindictive, evil, yet somehow it seems just.


    ---
    man sig
  • > SPAM does not work as a marketing tool. You can't sell things to people you piss off.

    It's about numbers. If a spammer sends out 10 million spams asking for $10, and 0.01% of the recipients are sufficiently naive to reply, he has made $1,000. If the spammer is just looking for credit card numbers to defraud, all it takes is one bone-dumb idiot out of millions of recipients to send theirs in. The odds look pretty good for the spammer.

  • Unless you can get politicians' email addresses that don't end in .gov, there is no point. Even a spammer isn't dumb enough to spam .gov addresses. After all, that's what got junk fax in deep shit. And if the politicos have other addresses, they are a closely guarded secret.

    However, it might be worthwhile to set up a bunch of forwarding addresses that don't end in .gov that you could supply to the spammers that would forward all the spam to everyone in congress.

    Another thought -- is it possible to get an email address that ends in .gov if you aren't in gov't? If ordinary people used .gov addresses, the spammers would have a harder time figuring out who they can shit on with impunity.

  • There are several spambot poisoning programs out there, but spam continues. The reason is simple; spamming doesn't cost anything. The only ways to make any dent in the spamming will have to involve ways of making it cost something.

    There is at least one fellow who may have found a way to do something effective.

    Check out the email address on this post. It is a real, non-munged email address. After you have admired it a few seconds, then go to http://www.suespammers.org, and get your very own free Washington-state based email account from a guy who is hoping to make a living suing the bastards.

  • by Anonymous Coward

    The trouble I have with all these schemes is that it causes lots of extra work for the root servers of the DNS. By forging bogus addresses in invalid domains and offering those addresses to harvesters, you're guaranteeing that people using these lists will cause tons of root server queries. If the addresses are at valid domains like hotmail, you're burdening hotmail with the effort of looking up these (maybe) bogus users.

    I just munge my address, adopting the form: mailto:foo%2bdomain%2etld , which all the browsers I tested understood just fine. So far, so good. A nice bit of poison that I like: postmaster@[127.0.0.1] and postmaster@localhost.

  • I received about 6 emails from this idiot here:

    1-800-206-3934 ex. 5858

    ...and no less than eighteen from here:

    ***1-800-224-5988****

    On checking the headers, I saw that my email address was contained in every message (in other words, no aliases or other things that merely resolved to my address). These guys deliberately spammed me multiple times.

    That's fine, though, because I collect 1-800 spam numbers. It would be a real tragedy if they were called repeatedly from a worldwide audience who hates spam, wouldn't it?

    Don't use your home phone. ANI will bite you on the ass if you do.

    -Legion

  • by 13013dobbs ( 113910 ) on Thursday November 23, 2000 @09:59AM (#605039) Homepage
    > What? Are you trying to claim that all SMTP servers know all valid email addresses the world over?

    Calm down. I never stated that. The spammer will start an interactive SMTP session and run thru a series of RCPT's and keep the OK's. Thus if a spammer got an OK on joe_blow while on 'mail.example.com', he would know that 'joe_blow@example.com' was a valid address.

    > What you have described is only going to work over a single domain, and even then only with an incredibly badly adminned mail server.

    Even well adminned servers are abusable. The attack does not use EXPN or VRFY; it acts like it is a normal mail transaction. Most pro-spammers have multiple phonelines (I know one who has 8 lines), so they can run against multiple servers at the same time and can easily snag 1/4 million addresses a night.

    > What ISP was this?

    indy.net (RIP)
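Added example, not part of the comment above: how a mail administrator could spot the RCPT probing described there in SMTP session logs, by looking for sessions that issue many RCPT TO commands and then never send DATA, or that collect a large share of rejections. The log format, the sample lines, the thresholds and the function names are all constructed for this sketch and do not come from any particular mail server.

```python
import re
from collections import defaultdict

# Constructed log format for this example; not the format of any particular MTA.
LINE = re.compile(
    r'sess=(?P<sess>\S+) ip=(?P<ip>\S+) cmd="(?P<cmd>[^"]*)" reply=(?P<code>\d{3})'
)
MIN_RCPTS = 10          # assumption: ignore sessions with fewer recipients
MAX_REJECT_SHARE = 0.3  # assumption: tolerated share of 5xx replies to RCPT


def summarize(lines):
    """Fold log lines into one record per SMTP session."""
    sessions = defaultdict(lambda: {"ip": "", "rcpt": 0, "rejected": 0, "data": False})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        s = sessions[m["sess"]]
        s["ip"] = m["ip"]
        verb = m["cmd"].split(":")[0].strip().upper()
        if verb == "RCPT TO":
            s["rcpt"] += 1
            s["rejected"] += m["code"].startswith("5")
        elif verb == "DATA" and m["code"] == "354":
            s["data"] = True
    return dict(sessions)


def find_probes(sessions):
    """Return {session id: reason} for sessions that look like address probing."""
    flagged = {}
    for sid, s in sessions.items():
        if s["rcpt"] < MIN_RCPTS:
            continue
        share = s["rejected"] / s["rcpt"]
        if not s["data"]:
            # Recipients were tested but no message was ever transferred.
            flagged[sid] = f"{s['ip']}: {s['rcpt']} RCPT, no DATA"
        elif share > MAX_REJECT_SHARE:
            # A message was sent, but most recipients were guesses.
            flagged[sid] = f"{s['ip']}: {share:.0%} of {s['rcpt']} RCPT rejected"
    return flagged


def _session(sid, ip, replies, data):
    """Build constructed log lines for one session."""
    pre = f"2000-11-23T02:14:07 sess={sid} ip={ip}"
    out = [f'{pre} cmd="MAIL FROM:<sender@example.net>" reply=250']
    for i, code in enumerate(replies):
        out.append(f'{pre} cmd="RCPT TO:<user{i:02d}@example.com>" reply={code}')
    if data:
        out.append(f'{pre} cmd="DATA" reply=354')
    out.append(f'{pre} cmd="QUIT" reply=221')
    return out


# Constructed sample: two ordinary sessions and two that should be flagged.
SAMPLE_LOG = (
    _session("normal", "198.51.100.7", [250, 250], data=True)
    + _session("list", "198.51.100.8", [250] * 15, data=True)
    + _session("probe", "192.0.2.10", [250, 550, 550] * 4, data=False)
    + _session("noisy", "192.0.2.11", [250, 550] * 6, data=True)
)

if __name__ == "__main__":
    for sid, why in find_probes(summarize(SAMPLE_LOG)).items():
        print(sid, why)
```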

  • SO it's okay for them to email you multiple times, but it's not ok to call their 800 # multiple times from your place? I don't get it. Both take up resources.

    Don't use your home phone. ANI will bite you on the ass if you do.
  • That sample output page uses the worst colour-scheme I've ever seen!

    Still, it's great to see a means of getting the spammers to spam each other. If only the same thing could be done for junk snail-mail.

  • > Because, Dear Santa, I wish to be able to post my e-mail address with impunity, for all to see.

    Subject: Unsolicited e-messages
    From: postmaster@northpole.org
    To: BogBlockMopar

    Dear Mr. Mopar,

    My client, Mr. Claus, respectfully requests that you and all the other k1dd135 on the planet quit sending him unsolicited e-messages requesting toys. If you continue this practice, I will be forced to notify your ISP and ask them to terminate your account.
  • I've searched Wired News' archive for "spam" and "spammer" and did not find any article referencing this site during 2000. I'd be interested in an article title or link.

    The site looks interesting. But as the AC pointed out, the ability to get a screen capture via a sudden-notice attack on a Windows box (Win9x? WinNT?) seems very unlikely. There's reason to be skeptical.

  • I have been running a cgi called nameorama since at least 1997 on my webserver. If it detects certain user agents it starts spewing out juicy looking links and e-mail addresses. I had hits on it as recently as October. I can't believe the e-mail suckers don't report themselves as generic Netscape or something.

    To try it, run lynx -useragent=EmailSiphon http://ibgwww.colorado.edu/

    It is really funny to see some poor spambot spend an hour or two thinking it has hit some really rich website.

  • by Nodatadj ( 28279 ) on Thursday November 23, 2000 @10:15AM (#605059) Journal
    I'm certain that spammers automatically spam random addresses at yahoo/hotmail anyway.

    I have an address, no-one else knows it, and it wasn't published anywhere. It gets 3 spams a day from sexamp.com. It's also not an easy to guess one.

    Either spammers spam random addresses, or hotmail is selling addresses to sex spammers.

    Maybe one day I'll set up a uuidgen'd address like
    29f03ca7-8f26-4675-b1a7-b61ebb13bb8f@hotmail.com and see if it gets any spam.
  • Indeed, like the number of people that assume that thingy@thingy.com doesn't go somewhere when entering 'fake' details for registration - I get all those, thanks.

    (there are a few amusing upsides - I've received other people's (paid for) passwords for, uh, 'premium content', before now)

    A neat spamtrap I saw somewhere was a sentence halfway down someone's page that just said: "Whatever you do don't mail me at pink-and-wobbly@asdkjlwelkj.com, because then I'll know you're just an address-harvester, and blacklist your IP until the end of time", just before their normal contact details.
  • Wow, this sounds like what /. is doing to the poor guy's site right now, only with HTTP :)

  • by ee23 ( 257528 ) on Thursday November 23, 2000 @10:29AM (#605068)

    The spammers try to filter out invalid addresses, so all you need is a real address that seems to be invalid.

    I discovered this by accident: I wanted to track which companies give my email address out, so I created a subdomain with throw-away addresses: "nospam.sig11.net", and gave out unique identifiers for the username. (See my email in the header - it is a valid address - do not remove "nospam".)

    But the funny thing is: I never received any spam to these addresses. (And for the other addresses I see about 5-10 spam mails a day rejected by my spam filters...) It seems the address gets sorted out because of the "nospam" part.

    So the solution is: Get yourself a valid email address with "nospam" or the like in it - The spammers will do the work for you and exclude you from their lists.

  • This thing should work due to the combination of multiple spam-evasion techniques. Spamming is like recycling cans or telemarketing in that the profit margin is very narrow, and the tiniest variables can upset that margin.

    Spammers designed ways of gleaning email addresses from websurfers in order to avoid having to pay for verified email addresses; without a way of verifying the addresses they collect, spammers will have to switch back to paid lists gained from registrations, etc.

    In this case, the need for verification will create that extra step for spammers, making it cheaper not to use the lists at all. Is anyone aware of a cheap and easy way, other than just emailing the person, to verify a valid yet false address?

    The only way I can think of for spammers to evade Sugarplum would be the establishment of intermediate businesses to vet email lists gathered by spammers.

  • I created a Hotmail email address several months ago and never used it for ANYTHING. Within a month, the inbox was full of spam. Try it yourself. I guarantee that MS is selling email addresses; no reason why they shouldn't.
  • Yikes, holy bizarre analogy Batman ;P

    Spammers are a type of thief. It's that simple really. It's the online equivalent of if people could steal your car while you weren't using it, and return it when they are done with it but without paying for gas. They can make a big fuss about how they aren't stealing your car but they're using it and wearing it out without paying for any of it, and whether or not you also can use it is not relevant.

    The law doesn't let people steal your car just in case they plan to return it before you need it again. It forbids people from stealing your car in general terms because the stealing is taking place without your permission or consent. By the same token, spamming is use of your internet resources (from ISP right down to use of your inbox and 'mail visual scan' for important stuff) without your permission or consent- the resources being used are all YOURS, not the spammers. They have no right to use 'em, any more than they have a right to steal your car temporarily and use the gas up.

    There is also no legitimate argument that their use of your resources is doing you some kind of informational favor. You would be just as able to access that information if you went to their website on your own- you don't owe them the attention, just for existing. I guess that's the bottom line really- spammers behave like attention is a right, calling it free speech and basically insisting they must be allowed to _seize_ the attention of anybody in the world. Attention is a privilege, not a right. Free speech laws never considered the situation of a person with a megaphone loud enough to yell at every single person that exists- free speech is based on an assumption that the speech is going to be somewhat localised, and that if you are somewhere else or not paying attention you won't hear it.

    In a weird way stalking laws seem oddly applicable. If you continually follow a person berating them you may well be legally forced to stop as your demanding of their attention is considered a sort of assault. Spammers are, effectively, 'stalking' millions of people at a time. No-contact laws might be a good idea- if no-contact to specific individuals is too much like 'opt out' or too unrealistic, perhaps what's needed is 'no bulkmail/email at all' laws for a digital version of no-contact. The former would be a legal acceptance that spamming is a form of harassment, and a block against that person doing it again for any reason through any means- and the latter would be a recourse if the spammer refused to stop harassing.

    If Kevin Mitnick can be forbidden to work in the computer industry just for being a troublemaker, why can't unrepentant spammers be forbidden to use email for any reason? There's always postal mail, the phone, and face to face contact- ALL of which already are covered legally against harassment situations.

  • Junk snail mail is stupid and wasteful but _they_ pay for it and pay the Post Office bulk rates to have it delivered. _I_ pay for my email.

    If I had to pay by the pound for snailmail the junkmail would bug me a lot more. The fact that the bulkmailer has to pay postage is a governing factor that keeps them from going too nuts with it. I have yet to see a Taiwanese sex toy emporium find it economical to flood me with unsolicited catalogs. Those cost _them_ actual money :)

  • by Seumas ( 6865 ) on Thursday November 23, 2000 @08:21AM (#605077)
    Aw, man. How cruel. Post a link to this (apparently) small-time site on a day when everyone in the country has the day off and is surfing Slashdot, while his ISP is probably minimally (if at all) staffed to respond to problems -- and get him slashdotted.

    That's the holiday spirit alright... ;)
    ---
    seumas.com

  • by Peter Koren ( 2433 ) on Thursday November 23, 2000 @08:22AM (#605078)
    Would it be possible to seed the spambots with the email addresses of politicians who support pro-spam policies/laws? It would be wonderful to subject them to the same crap they shove at us.
  • Reminds me of that TNG episode where they found a way to make the Borg examine a picture that continued forever.

    Hmm.. wouldn't that be interesting, have the feeder continuously feed it email addresses and never stop. It's a better way to fight, don't resist, just give them exactly what they want, and lots of it, until they stop it by themselves.

  • by truelight ( 173440 ) on Thursday November 23, 2000 @08:24AM (#605081) Homepage
    Well, even though this has been posted many times, I can't see any hurt in posting it again, to remind everyone.

    1. First - get a domain

    2. Second, get a hosting company that offers a default-mail-redirect. (i.e. If someone mails a message to jsahjfhjdkdsueue@yourdomain.com the server automatically forwards it to you@yourdomain.com)

    3. Now, when you enter your email-addy in a signup form somewhere, enter the name of the company as your address (i.e. amazon@yourdomain.com, yahoo@yourdomain.com)

    4. Now, every time someone sends you spam, you can simply block them in your E-mail filter PLUS you see what company has been filthy enough to sell your address!

    It might not be perfect, but it's damn good.
  • Indeed it is a tall tale (this site [freewebsites.com])... it was covered right here on slashdot [slashdot.org] several months ago. This article is old enough that slashdot seems to have only a static page with comments with mod >= 1.

    But as the AC pointed out:
    the ability to get a screen capture via a sudden-notice attack on a Windows box (Win9x? WinNT?) seems very unlikely. There's reason to be skeptical.

    You can certainly read through the comments from the time it was discussed here on slashdot, but I'll boil it down a bit. There seems to be three schools of thought (more or less).

    • It's gotta be a fake, windoze doesn't have remote login and nobody could have done that hacking. (as our AC above pointed out)
    • It's real... it'd be very hard and a lot of work to fake so much data. The spammers were running windows file sharing wide-open, and they used PC Anywhere, so their systems were very easy to attack (many people provided details of how to do it). The (very long) ICQ chat logs show them asking script kiddies for help setting up their networking, and there's conversations about how they liked PC Anywhere so they could lay in bed while "working".
    • The data is real, but the "hacker" is someone who had physical access and stole the disks or otherwise made a copy with physical access.
    You'll also notice, if you read the slashdot discussion from June 7th, that several slashdot readers who spent their days chasing after spammers found their older email addresses on the list of anti-spam activists (that they avoided). Others verified some misc facts, but whether it's real or a fake is still not conclusive.

    Maybe it's all a hoax, but as many folks posted, the remote windows screen capture is apparently a simple trick if the target has unsecure windows file sharing. The Back Orifice [bo2k.com] tool is certainly not a hoax.

    So if it really was a hoax, I'd like to see some real evidence that it's a hoax... remembering that remote windoze screen capture being a relatively easy thing if file sharing is unsecure, and not even all that hard if you can trick the user into running some code in one of many ways pointed out in the June 7th discussion. A thing like this is much easier to prove to be a hoax than to confirm.

    It may indeed be a hoax, so AC, if you're reading this, take a moment to post anything you can find to discredit the story, other than you don't believe the hack was possible because it's beyond your knowledge/paradigm. The hack is easy and many people have explained how to do it.

  • Better yet, when you write your HTML, spell out your address like "user&#64;domain&#46;com". A browser will display it looking like a normal address, but the spambots won't see it. I've been doing that for a couple years now and my address hasn't been harvested yet (knock on wood). Just make sure you don't use mailto: tags.


    --
    Turn on, log in, burn out...

  • Is your email address: slant6mopar@yahxx.com ? It seems a spambot just scarfed it up!

    Bastard! I hope you get a melanoma on your glans.


  • > To: BogBlockMopar

    Hey! I've got a 625 CFM Carter AFB carburetor on a Chrysler 400 CID (6.6L) V8. She doesn't bog, I assure you.

    Actually, it's in a pickup truck without a Sure-Grip differential. Pulling away from a light without smoking off a 235-75R15 is tough. Let alone killing my manifold vacuum.

    [redneck carspeak] No sir, she don't bog.

    > My client, Mr. Claus, respectfully requests that you and all the other k1dd135 on the planet quit sending him unsolicited e-messages requesting toys. If you continue this practice, I will be forced to notify your ISP and ask them to terminate your account.

    Wouldn't even Santa find such a tool useful? :)

  • A nice idea -- maybe Apache2.0's filters will lend themselves to something similar. However, of the spambots whose behavior I've observed, they are entirely free to provide a bogus User-Agent, or a U-A that changes on every HTTP request. The latter is easy to detect if URLs are serviced in the same spot (as with sugarplum grafted into a document tree with mod_rewrite), but an agent that merely lies about itself is harder to detect. Remote OS fingerprinting, comparing a stated platform with the perceived one, might help, but the reliability factor would be low. AFAIK, all spammers use windoze machines, and one M$ tcp stack looks much the same as another from the outside.

    A marginally better approach is to have pages with email addresses generated by php3/perl/etc, with mailto: links encoded for all requests -- s/(.)/'&#'.ord($1)/ge in document content, the same for URI-encoding in mailto: links. Still not impossible to decode, but the more spammers try to decode the content they harvest, the more bad data they get on their own. Moreover, most spammers aren't by reputation all that bright, and no self-respecting ethical programmer will work for a spammer, so their ability to adapt technologically isn't as good as ours.

    aqua
    (sugarplum's slashdotted author)
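Added example, not part of the comment above and not Sugarplum's code: a Python version of the entity and URI encoding it describes, with a small audit that checks what a plain-text address scan sees on a page before and after decoding. The function names and the address pattern are assumptions made for this sketch, and the character references here carry the terminating `;` that the one-line Perl substitution leaves off.

```python
import html
import re
from urllib.parse import unquote

# Assumption: a deliberately simple address pattern, enough for an audit.
ADDRESS = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def entity_encode(text: str) -> str:
    """Every character as a numeric character reference, e.g. '@' -> '&#64;'."""
    return "".join(f"&#{ord(c)};" for c in text)


def mailto_link(address: str) -> str:
    """Anchor whose href is percent-encoded and whose text is entity-encoded."""
    href = "mailto:" + "".join(f"%{b:02X}" for b in address.encode("utf-8"))
    return f'<a href="{href}">{entity_encode(address)}</a>'


def visible_to_plain_scan(page: str) -> set:
    """Addresses a scanner finds when it matches the raw HTML source."""
    return set(ADDRESS.findall(page))


def visible_after_decoding(page: str) -> set:
    """Addresses found once entities and percent-escapes are decoded first.

    This is the limit the comment concedes: encoding raises the cost of
    harvesting but does not hide the address from a scanner that decodes.
    """
    return set(ADDRESS.findall(unquote(html.unescape(page))))


def audit(page: str) -> dict:
    """Summarise a page's exposure for its owner."""
    return {
        "plain": sorted(visible_to_plain_scan(page)),
        "decoded": sorted(visible_after_decoding(page)),
    }


if __name__ == "__main__":
    # Constructed sample pages using a reserved example domain.
    plain_page = '<p>Contact: <a href="mailto:user@example.com">user@example.com</a></p>'
    encoded_page = "<p>Contact: " + mailto_link("user@example.com") + "</p>"
    print(audit(plain_page))
    print(audit(encoded_page))
```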

  • One more thing, that I should have mentioned in the post I just submitted a moment ago...

    If the relative ease of breaking into unsecure Windows computers and remotely controlling them as well as you could a linux box is news to you, maybe this is a good time to check if your box is wide-open to attack. The days of "they can't get me because my OS doesn't network" ended in DOS (maybe Win 3.1).

    There are many many ways to do this, but a small company where I know someone has a very easy-to-use free port scan [sdesign.com], that will check if you've got any of the really obvious problems. There are some others available on the net, but this one will check a lot of other services besides just the usual Windoze problems.

    Unfortunately, Secure Design [sdesign.com] has seen increasing costs in running this service, mainly to respond to threats from network admins who detect the scans (due to a request from one of their users), and their free port scan, which is probably the best of the simple free web-based scans, may be coming to an end. Oh well.

  • There has been a CGI script called wpoison that has been around since 1997 which feeds spambots artificial e-mail addresses.

    From what it seems, the only two things this does that wpoison doesn't, is spams spammers and crashes the spammer's machine with denial of service attacks.

    Having spammers spam other spammers seems okay, but attacking spammers with denial of service attacks? Sorry, but in my opinion, performing denial of service attacks on people you don't like makes you almost as bad as a spammer.

    Aside from all that, if CmdrTaco hasn't noticed, this is Slashdot, not Freshmeat.
  • by bleh-of-the-huns ( 17740 ) on Thursday November 23, 2000 @08:27AM (#605102)
    When a spammer makes his spam run, he uses stolen resources. He hijacks a mail server, and forges the from address, and the reply to address, so whether he has a db of 1000000 real addresses, or 1000000 addresses that are crap without 20 real addresses by luck, he does not care. Because the address he forged will be the recipient of the bounce back messages.

    Spammers don't follow the rules, all the crap they spout in emails about this bill and that bill making this legal are complete bullshit.

    Spammers are the murderers and rapists of the techno world, they steal resources of other peoples networks, and the traffic they generate is enough to drop small networks and mail servers.

  • > Is this a bad thing?

    I'd think so, if it was my email address they managed to hit...

    Cheers,

    Tim
  • The problem with this approach is that a smart spambot coder can simply have the bot ignore your site and move on to an easier target. It's like hanging up on a telemarketer. Sure, they're not bothering you anymore, but they move on to someone else.

    If you can make the telemarketer think that you MIGHT actually buy something, he'll waste his time trying to sell it to you. If the spambot thinks it's getting valid addresses, it'll keep on harvesting them. The longer you can keep feeding it garbage, the less time it will spend gathering useful information.

    LK
  • by SupremeOverlord ( 76353 ) <kyle97330@gmail.com> on Thursday November 23, 2000 @08:30AM (#605108) Journal
    I have two methods that I personally use. Since I own my domain and receive all e-mail sent there, I can be anything@world-domination.net. So the first technique is to choose mail addresses that get rejected by spambots, webmaster@world-domination.net, support@world-domination.net, etc., or in the case of slashdot, root, for the l33tness factor.

    Second, I use the address as an identifier in my addresses. At mp3.com it's mp3@world-domination.net, at yahoo it's yahoo@world-domination.net. Then if I start getting spammed at one of those addresses, I know which site's fault it is, and I can change my address at that site and block all future mail to that address.

    I admit this solution isn't for everyone, but it works great for me.
