My Short Life As An Unintentional Porn Spammer 570
Freerange writes "Mike Masnick wrote up his experience getting slammed by a somewhat new kind of spam attack that doesn't get much hype (yet?). A spammer spoofed his personal email address as the 'reply-to' for a batch of spam, with interesting results for Mike: "I can
now answer the questions 'who replies to spam?' and (should anyone ever
wonder) 'what are the hundreds of variations on bounced messages?'" From Politech."
It's nothing new (Score:5, Informative)
an article about it [techtv.com]
incase of slashdotting (Score:3, Informative)
My Short Life As An Unintentional Spammer
by Mike Masnick
Ever wonder what sorts of emails end up in a spammer's email database? Want to know who actually responds to spam and what they say? Want to know the myriads of formats (and languages) a bounced email message can take? I can now tell you all of this. Without my knowledge, I recently became an accidental porn spammer.
When I got home one evening a few weeks ago, I noticed that I had more than the expected amount of email waiting for me. A quick glance through the inbox showed about fifty "bounced" emails - saying that email addresses of people I had emailed did not exist. The problem with this, of course, was that I hadn't actually emailed anyone.
It did not take long to figure out what happened. While some bounces simply told me that the recipient didn't exist, others included the original text of the email I had supposedly sent. It claimed to be from someone named "Chris" or "Ali" and was a reply to an alleged message from an online dating site. Chris and Ali apologized for taking so long to reply, and nervously suggested that the recipient find out more information about them by going to a website. Clearly, this was porn spam. Out of principal I won't visit the websites that were in the spam messages.
The problem was, I hadn't sent these messages at all. I'm not Chris or Ali. I don't use dating sites. I don't have a porn website. I don't send spam.
One of the popular "tricks" among spammers nowadays is to set the "reply-to" address as the same as the recipient's email address. That cuts out on the problems of bounce mails, and also has a psychological effect on recipients who are curious what email they've sent themselves. Most spam filters have figured out ways to still capture these spam messages (though, I'm now hearing stories of legitimate emails that people send to themselves being classified as spam). I've received plenty of these types of spam, and most are filtered away, never to be bothered with.
It seems that this particular spammer took things one step further, and made the "reply-to" address for all of his spam message set to my personal email address. If anyone looked at the headers, it was clear that I had nothing to do with the email whatsoever. However, most mail servers aren't so smart.
With any spam list, there's a certain percentage of "bad" or outdated email addresses. Generally speaking, a server that receives an email for someone they don't have an account for will "bounce" the message. Those bounces go to the person who sent the message - normally found in the "reply-to" line. Since my email address was in the reply-to line, all those bounces started coming my way, regrettably informing me that my pornographic spam emails had not found their intended recipient.
After dealing with the rapidly growing desire to reach through the internet and strangle whatever lower-than-life scum did this to my email address, I resigned myself to looking at this from an anthropological perspective. Suddenly, I was in a position to offer information on things that few others would (hopefully) ever willingly have access to.
Should anyone want it for research purposes, I now have a fairly large collection of bounce messages. It appears there is no standard format for a bounce message (which, by the way, makes them painfully difficult to filter). They have infinitely different subject lines. They say different things in the body of the message, sometimes nicely, sometimes rudely. They show up in different languages with different explanations. Some admit that the account has been closed due to too much spam. Others simply don't exist any more (if they ever did at all). Some bounces quote the original message; some don't. Some include full headers; some don't. Who knew there was such variety in how mail servers bounce their email?
Beyond the bounce messages were all sorts of auto-responders. It seems that some of the email addresses in the spammer's database were emails people used to send responses to those who "request more info". Suddenly I was receiving huge files of information that I really had no use for whatsoever. I also found out about a number of people who were on vacation that week, or who had recently switched jobs. One even had an auto-responder saying "this is closed...I am tired of the internet... all internet access for me is closing". Some of the addresses were to subscribe to various mailing lists. Many bounced back confirmation emails, asking to prove that I really wanted to subscribe, while others just subscribed me automatically (which will now force me to manually unsubscribe).
While most of the "information" was fairly useless, I suddenly had the opportunity to peek into the lives of people I had no association with whatsoever - connected only by spammer. I felt like reaching out and commiserating with those who were sick of the spam and wondered if I should congratulate those with new jobs. However, there was no time for that, I had more erroneous spam fallout to deal with.
Next, came the responses. I, like many people, often wonder what sorts of people actually respond to spam emails. For years, it has been beaten into my head that you never, under any circumstance, respond to a spam email. It just shows that you're a live human being, making your email address more valuable. I'm still shocked when I come across people who haven't heard this. However, they are out there, and they come in all different shapes and sizes. I have their emails to prove it.
There are the confused, but polite people. One woman wrote me a nice message saying that a "horrible" mistake had been made, and that she had not replied to my online dating ad. She did warn me, however, that there are "plenty of strange people out there" and that I should be careful. How nice. Another woman couldn't remember what she had said in her reply to my non-existent online dating profile and wanted to be reminded. A few others just asked who I was.
Then there are the unsubscribers, who are under the unfortunate delusion that asking spammers to take them off their list will help. They send simple messages saying simply "unsubscribe" or "unsubscribe, please", as if that will ever get to the actual spammer, or that they would actually pay any attention to it.
Lastly, are the angry, but clueless. I feel their pain, but they need to find a better outlet. I received emails telling me things I never knew (and find unlikely) about my lineage and suggesting I go places I have no interest in going, using all sorts of language you wouldn't use in polite company. I also received a threatening letter saying that I would be hearing from some company's corporate lawyer.
None of these people stopped to think that it was odd that my email address includes, pretty clearly, my name - which is neither Chris nor Ali. With the number of spam messages that go out every day, I wonder if these people reply to them all. I guess, for some people with anger management problems, this is a kind of outlet. All day, every day, respond angrily to spam messages, and maybe it will have a calming effect on your life.
What's scary is that, for the most, part, I only saw the bounced messages. They continued for approximately 36 hours, and then stopped abruptly. In the end, about 500 email messages bounced back to me, so I can only guess at how many thousands of poor, unsuspecting email boxes are currently dealing with spam sent with my email address as the reply-to. I apologize to all of you, even if I had nothing to do with it. I don't want to date you, and please, feel no compulsion to look at the web page in the email.
Most people agree that spam is evil. It's a waste of time and a general nuisance. I can argue against spam from a variety of levels. It's bad for the internet. It's bad for users. It's bad for business. It's just bad. Luckily, there's a rapidly growing industry of companies (and simply concerned individuals) creating software solutions to help stop the spam menace. While there are debates over how well any of these systems work, it is possible to at least reduce your spam intake. Personally, I use a spam filter that is pretty effective in reducing my spam load to a mostly manageable level.
However, with something like this, there simply is no effective preventative measure in place. The spammers spoof the reply-to, making it whatever they want - so it never even touches my mail server at all. My inbox gets bombarded because there's no simple way to filter out the bounced messages since they are all so different. It's difficult to track down a spammer normally - and more so when the spam isn't even sent to you. Despite the fact that my address was the reply-to, it seems the spammer never sent me the message directly. I found a bounce message that showed the full headers and tracked it back. The email came from a mail server in the Philippines, and pointed to a website hosted in China, owned by a company in London. Tracking down the actual spammer would likely be close to impossible. Assuming they could be found, suing them would be nearly impossible as well, not to mention costly.
One potential solution to this would be to require every outgoing email to have a verified identifier of some sort, so that any email can automatically be traced back to the original sender. This (as does every solution) brings up other problems. There are benefits to anonymous email, and we wouldn't want to take that away (though, perhaps you could limit the number of emails that could be sent anonymously to prevent bulkmailers from abusing the system).
In the end, though, this sort of stunt has killed off the tiniest amount of support I had for spammers. These spammers stand behind their First Amendment rights to speak their minds (which is an argument that can be shot full of holes in a second). In this case, though, the spammer made no use of any First Amendment rights. What they did was just mean and nasty and a complete waste of my time.
Re:Why? (Score:4, Informative)
Perhaps some, but it's also a way to get past some spam filtering app, or to make you think its a legit e-mail. I remember there was a big whoopty-doo a year or so ago about spammers using someone@linux.org as the reply to.
Which goes into the trashbin first, hotsex69@sexparty.ru or ltrovalds@linux.org?
Re:No way to contact spammer (Score:5, Informative)
Re:Why? (Score:5, Informative)
Re:Am I missing something? (Score:4, Informative)
DNS is not a terribly useful authentication mechanism for this kind of thing. Much more useful is origin-authenticated SMTP: the originator (either user or mail server) calculates a signed hash of the message, and attaches that when sending it. The receiver can verify that the signature is valid for the person (or mail server) that claimed to originate the message.
Obviously things lose in the transition period before every sender does that. You also get a huge fight over which algorithms to use, how to distribute and verify the public keys, and so forth. Welcome to Internet politics.
Bounces (Score:2, Informative)
The specifications for bounce messages are extremely loose, and while many mailservers adhere to the definitions, many do not. Most bounces are sent to the 'envelope from' address listed in the header as the 'Return Path:' address, but some go to the header 'To:' or the 'Reply-To:'.
Re:Why? (Score:5, Informative)
MAIL FROM:
section of the SMTP exchange doesn't include a domain that exists. Some will go further and do some checks to see if the localpart exists, too. If the spammers want to get to as many addresses as possible, they have to use a real address rather than a made up one. In some cases, they'll pick the address of someone who's irritated them (anti-spammers, for instance).
Re:Reverse spam really isn't that new... (Score:2, Informative)
I used to do it all the time - general reminders / memos to self.
Re:Fix it with PGP. (Score:5, Informative)
PGP/GPG only ensures that you did send it, not that you did not. Since you can send e-mails without being signed, unsigned e-mails don't prove a thing.
Those that know you (or have your key) would know
enough about you that any non-PGP e-mails would be
suspect, but that's what,
3 little words (Score:4, Informative)
BEFORE
SEND
Seriously, if your mail server has that, turn it on. It means no one can relay mail through your server, unless their IP has made a successful mail-check. Some mail servers let you "authenticate" by checking to see that the reply-to address is valid on the local server, that, as you can see, does nothing and can be spoofed easily. Pop-before-send is quite a bit stronger and doesnt really require the clients to do anything. No, its not perfect, Im not saying it is, but it will help 99% of the time.
Re:and in other news (Score:2, Informative)
SMTP and email format are both essentially 20 year old protocols. There are two reasons they are still used. First, it is expensive to replace that much software (and sometimes hardware). Second, it basically works. Can you imagine how much less productive the world would be without email being so ubiquitous?
If you want a level playing field, apply the common rules of postal service to email: The sender must accurately identify themselves. The origin must be labelled (you know, the postmark). Sending huge volumes of mail to harass someone is against the law. Sending huge volumes of mail costs the sender considerably more than the receivers.
Do not claim that email is exempt from being legislated in ways specific to its new capabilities. It is different than what came before, and deserves to be treated as such.
What the Internet REALLY DOESN'T needs (Score:2, Informative)
Yeah right. The last thing I want is to need a Microsoft client to read my email just because "somehow" their new proprietary protocol isn't compatible with their own specifications...
I'd rather keep on deleting that useless spam for now (if ONLY spam was targeted... Give me MP3 players offers, web hosting offers, etc... I can find my pr0n myself, thank you).
Re:No way to contact spammer (Score:4, Informative)
And since everyone loves to see spammers get theirs, go visit Behind Enemy Lines [freewebsites.com]. Be sure to visit the Lets Get Brutal [freewebsites.com] section to see what spammers look like in various states of undress!
Re:I hear ya! (Score:1, Informative)
One result: more SPAM. (Can you say "DOS"?) (Score:3, Informative)
For those who cannt access the site (Score:5, Informative)
Re:No way to contact spammer (Score:5, Informative)
er, get a better email client (Score:4, Informative)
/.'ed again (Score:1, Informative)
My Short Life As An Unintentional Spammer
by Mike Masnick
Ever wonder what sorts of emails end up in a spammer's email database? Want to know who actually responds to spam and what they say? Want to know the myriads of formats (and languages) a bounced email message can take? I can now tell you all of this. Without my knowledge, I recently became an accidental porn spammer.
When I got home one evening a few weeks ago, I noticed that I had more than the expected amount of email waiting for me. A quick glance through the inbox showed about fifty "bounced" emails - saying that email addresses of people I had emailed did not exist. The problem with this, of course, was that I hadn't actually emailed anyone.
It did not take long to figure out what happened. While some bounces simply told me that the recipient didn't exist, others included the original text of the email I had supposedly sent. It claimed to be from someone named "Chris" or "Ali" and was a reply to an alleged message from an online dating site. Chris and Ali apologized for taking so long to reply, and nervously suggested that the recipient find out more information about them by going to a website. Clearly, this was porn spam. Out of principal I won't visit the websites that were in the spam messages.
The problem was, I hadn't sent these messages at all. I'm not Chris or Ali. I don't use dating sites. I don't have a porn website. I don't send spam.
One of the popular "tricks" among spammers nowadays is to set the "reply-to" address as the same as the recipient's email address. That cuts out on the problems of bounce mails, and also has a psychological effect on recipients who are curious what email they've sent themselves. Most spam filters have figured out ways to still capture these spam messages (though, I'm now hearing stories of legitimate emails that people send to themselves being classified as spam). I've received plenty of these types of spam, and most are filtered away, never to be bothered with.
It seems that this particular spammer took things one step further, and made the "reply-to" address for all of his spam message set to my personal email address. If anyone looked at the headers, it was clear that I had nothing to do with the email whatsoever. However, most mail servers aren't so smart.
With any spam list, there's a certain percentage of "bad" or outdated email addresses. Generally speaking, a server that receives an email for someone they don't have an account for will "bounce" the message. Those bounces go to the person who sent the message - normally found in the "reply-to" line. Since my email address was in the reply-to line, all those bounces started coming my way, regrettably informing me that my pornographic spam emails had not found their intended recipient.
After dealing with the rapidly growing desire to reach through the internet and strangle whatever lower-than-life scum did this to my email address, I resigned myself to looking at this from an anthropological perspective. Suddenly, I was in a position to offer information on things that few others would (hopefully) ever willingly have access to.
Should anyone want it for research purposes, I now have a fairly large collection of bounce messages. It appears there is no standard format for a bounce message (which, by the way, makes them painfully difficult to filter). They have infinitely different subject lines. They say different things in the body of the message, sometimes nicely, sometimes rudely. They show up in different languages with different explanations. Some admit that the account has been closed due to too much spam. Others simply don't exist any more (if they ever did at all). Some bounces quote the original message; some don't. Some include full headers; some don't. Who knew there was such variety in how mail servers bounce their email?
Beyond the bounce messages were all sorts of auto-responders. It seems that some of the email addresses in the spammer's database were emails people used to send responses to those who "request more info". Suddenly I was receiving huge files of information that I really had no use for whatsoever. I also found out about a number of people who were on vacation that week, or who had recently switched jobs. One even had an auto-responder saying "this is closed...I am tired of the internet... all internet access for me is closing". Some of the addresses were to subscribe to various mailing lists. Many bounced back confirmation emails, asking to prove that I really wanted to subscribe, while others just subscribed me automatically (which will now force me to manually unsubscribe).
While most of the "information" was fairly useless, I suddenly had the opportunity to peek into the lives of people I had no association with whatsoever - connected only by spammer. I felt like reaching out and commiserating with those who were sick of the spam and wondered if I should congratulate those with new jobs. However, there was no time for that, I had more erroneous spam fallout to deal with.
Next, came the responses. I, like many people, often wonder what sorts of people actually respond to spam emails. For years, it has been beaten into my head that you never, under any circumstance, respond to a spam email. It just shows that you're a live human being, making your email address more valuable. I'm still shocked when I come across people who haven't heard this. However, they are out there, and they come in all different shapes and sizes. I have their emails to prove it.
There are the confused, but polite people. One woman wrote me a nice message saying that a "horrible" mistake had been made, and that she had not replied to my online dating ad. She did warn me, however, that there are "plenty of strange people out there" and that I should be careful. How nice. Another woman couldn't remember what she had said in her reply to my non-existent online dating profile and wanted to be reminded. A few others just asked who I was.
Then there are the unsubscribers, who are under the unfortunate delusion that asking spammers to take them off their list will help. They send simple messages saying simply "unsubscribe" or "unsubscribe, please", as if that will ever get to the actual spammer, or that they would actually pay any attention to it.
Lastly, are the angry, but clueless. I feel their pain, but they need to find a better outlet. I received emails telling me things I never knew (and find unlikely) about my lineage and suggesting I go places I have no interest in going, using all sorts of language you wouldn't use in polite company. I also received a threatening letter saying that I would be hearing from some company's corporate lawyer.
None of these people stopped to think that it was odd that my email address includes, pretty clearly, my name - which is neither Chris nor Ali. With the number of spam messages that go out every day, I wonder if these people reply to them all. I guess, for some people with anger management problems, this is a kind of outlet. All day, every day, respond angrily to spam messages, and maybe it will have a calming effect on your life.
What's scary is that, for the most, part, I only saw the bounced messages. They continued for approximately 36 hours, and then stopped abruptly. In the end, about 500 email messages bounced back to me, so I can only guess at how many thousands of poor, unsuspecting email boxes are currently dealing with spam sent with my email address as the reply-to. I apologize to all of you, even if I had nothing to do with it. I don't want to date you, and please, feel no compulsion to look at the web page in the email.
Most people agree that spam is evil. It's a waste of time and a general nuisance. I can argue against spam from a variety of levels. It's bad for the internet. It's bad for users. It's bad for business. It's just bad. Luckily, there's a rapidly growing industry of companies (and simply concerned individuals) creating software solutions to help stop the spam menace. While there are debates over how well any of these systems work, it is possible to at least reduce your spam intake. Personally, I use a spam filter that is pretty effective in reducing my spam load to a mostly manageable level.
However, with something like this, there simply is no effective preventative measure in place. The spammers spoof the reply-to, making it whatever they want - so it never even touches my mail server at all. My inbox gets bombarded because there's no simple way to filter out the bounced messages since they are all so different. It's difficult to track down a spammer normally - and more so when the spam isn't even sent to you. Despite the fact that my address was the reply-to, it seems the spammer never sent me the message directly. I found a bounce message that showed the full headers and tracked it back. The email came from a mail server in the Philippines, and pointed to a website hosted in China, owned by a company in London. Tracking down the actual spammer would likely be close to impossible. Assuming they could be found, suing them would be nearly impossible as well, not to mention costly.
One potential solution to this would be to require every outgoing email to have a verified identifier of some sort, so that any email can automatically be traced back to the original sender. This (as does every solution) brings up other problems. There are benefits to anonymous email, and we wouldn't want to take that away (though, perhaps you could limit the number of emails that could be sent anonymously to prevent bulkmailers from abusing the system).
In the end, though, this sort of stunt has killed off the tiniest amount of support I had for spammers. These spammers stand behind their First Amendment rights to speak their minds (which is an argument that can be shot full of holes in a second). In this case, though, the spammer made no use of any First Amendment rights. What they did was just mean and nasty and a complete waste of my time.
This is a result of broken mail servers (Score:3, Informative)
Have you read Peter Watts book Starfish? (Score:2, Informative)
In Starfish by Peter Watts, some of the book is centered around genetically programmed pseudo-AIs used to patrol the net for spam, virii, worms, etc. I won't say more as it might spoil the book for you but read it and I'm sure you'll enjoy it! What you said in your message has something to do with it ;-)
More and more of this stuff: (Score:3, Informative)
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <dclark@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <paladin@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <mbrown@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <viper@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <kelley@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <rbrown@mydomain.com>... User unknown
Feb 12 13:39:28 warthog sendmail[21909]: h1CIdQK21909: from=<joe@nowhere.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[200.162.240.168]
I tried to post all 65 attempts in this batch but the damn lameness filter said:
"Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted"
Nonetheless you get the picture.
New Mail System (Score:3, Informative)
Re:No way to contact spammer (Score:4, Informative)
As far as I know, there is no way built into Outlook to do this.
I spent some time searching on how to do this a while ago, and the only way I know of is to use a COM add in. It doesn't work through the rules wizard, you have to go into your advanced email settings and register the DLL before it will work. Search Google, and you'll find the answer. A word of warning though... The one I found a while ago made Outlook painfully slow, so I ended up uninstalling it.
It is a huge pain the way Outlook has it set up. You can't set up a rule that strips the HTML, you can't set your email to automatically convert HTML mail to plain text, and you can't even use the VBA scripting language built in to automatically strip the HTML. What a pain...
Re:It happened to my wife! (Score:3, Informative)
In your case, a bestiality enthusiast would reply to your email. Instead of ending up in your email box, the sender would get an email from you confirming that they intended to send you an email (this blocks most unsolicited email since this email would end up at the forged email address), and you could put in an additional warning along the lines that any person replying to a forged post to bestiality.whatever will be turned over to the proper authorities.
You should then be unencumbered by any other such annoyance.
TMDA can be found at http://tmda.net/
Re:and in other news (Score:3, Informative)
I think you misunderstood. I just stated how the law currently is, at least in the USA. People have the right to privacy. As stated in the recent NYT article, "Tangled Up in Spam" by James Gleick:
"Many people who hate spam believe, honorably enough, that it's protected as free speech. It is not. The Supreme Court has made clear that individuals may preserve a threshold of privacy. ''Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit,'' wrote Chief Justice Warren Burger in a 1970 decision. ''We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another.''"
Re:No way to contact spammer (Score:3, Informative)
You don't need to turn off HTML e-mail to protect yourself. Though it is a good idea if you can stand it.
All you need to do is tell your mailer not to automatically download images. This will result in readable text with no images, and no indication that you read the mail. You should also turn off auto return reciept (less widely, but more correctly known as DSN notification,) and javascript in e-mail as those can be used against you as well.
I don't know how to do these things in Outlook, since I use evolution where the default setting is not to download automatically.
Depends on Which Version of Outlook (Score:5, Informative)
Re:3 little words (Score:5, Informative)
Re:Doing this in procmail (Score:3, Informative)
You're going to have trouble with any mail that passes through non-routable hosts inside a firewall. All my mail will have something like "Received: ... by gateway.localdomain (10.0.0.1)".
It will be even worse for mail that travels though something other than SMTP for a bit.
New Mail RFC (Score:5, Informative)
RFC 2487 [nyc.ny.us]: SMTP Service Extension for Secure SMTP over TLS.
SMTP [RFC-821] servers and clients normally communicate in the clear over the Internet.... Further, there is often a desire for two SMTP agents to be able to authenticate each others' identities. For example, a secure SMTP server might only allow communications from other SMTP agents it knows, or it might act differently for messages received from an agent it knows than from one it doesn't know.
How to easily avoid this kind of problems (Score:3, Informative)
The only effective countermeasure I found was to use SpamGourmet [spamgourmet.com]. It's a web site that allows you to define disposable addresses forwarded to your real (secret) address. The disposable addresses can be disabled. They automatically shutdown after 20 messages from unknown senders (not in your whitelist). So, a Joe Job would generate, at most, 20 replies into your forwarded mailbox. After that, you'd have to re-enable the disposable email, although you'd rather leave it disabled because it WILL be spammed again.
This happens too frequently (Score:2, Informative)
My solution has always been to renamed the account and cancel the forwarding from the old name to the new one. Seems to do the trick. I wonder what happens to the bounced emails then..