My Short Life As An Unintentional Porn Spammer 570
Freerange writes "Mike Masnick wrote up his experience getting slammed by a somewhat new kind of spam attack that doesn't get much hype (yet?). A spammer spoofed his personal email address as the 'reply-to' for a batch of spam, with interesting results for Mike: "I can
now answer the questions 'who replies to spam?' and (should anyone ever
wonder) 'what are the hundreds of variations on bounced messages?'" From Politech."
Reverse spam really isn't that new... (Score:5, Insightful)
Spam needs a technical solution. (Score:5, Insightful)
Obviously, legislation isn't catching up and as evidenced by the junk fax law is useless when it does. Technical minds built the Internet, and I have little doubt that a solution could be found once we quit looking for the quick fix.
Doesn't protect the ISP or end user (Score:3, Insightful)
Everyone call your State Rep! (Score:5, Insightful)
It's easy to get things in motion, everyone is too lazy to try though.
and in other news (Score:4, Insightful)
spam spam spam. if spam should be illegal, so should any form of unsolicited communication. that includes conversing to persons without their permission at the local pub.
i'm personally in favor of a more liberated
government system, but if we want our legislatures to make rules, let's make it a level playing field , not just fix the annoying problem we have of spam (that is created because of a technical deficiency in the overall system of itself).
Do Spammers use bounces to prune their databases? (Score:3, Insightful)
Flowers.com (Score:3, Insightful)
Most ISPs do though... (Score:3, Insightful)
So just to put things into perspective... Every piece of spam comes through:
1. Eats a little bandwidth
2. Eats up a little CPU doing filtering.
3. Eats up a little bit of CPU doing virus filtering.
4. Eats up a little bit of disk space.
Now you say most americans don't pay by the bandwidth, this is true, but they do pay FOR the bandwidth. For instance, all of my customers pay for the shared resources on my server. If one customer gets 50 million pieces of spam in an hour my server has come to a crawl and all of the customers who paid for hosting service are interrupted.
Re:Reverse spam really isn't that new... (Score:4, Insightful)
This sounds to me sort of like referring to someone who discovers an unpublished URL by trial and error as a "hacker". Of course, I didn't RTFA, but I will once it is un-slashdotted.
Re:Am I missing something? (Score:3, Insightful)
Do you mean that the server should ensure the source IP isn't masqueraded, or that the originating domain in the From: header should match the domain of the IP address? In the latter case, refusing mail from mismatched domains would prevent me from using my email address at school when I send mail from home via my ISP. That's an important convenience I wouldn't want to give up, and I suspect that many more people use this feature.
I do agree with the rev DNS lookups and I think most well-configured SMTP servers already do that.
Re:No way to contact spammer (Score:4, Insightful)
Re:and in other news (Score:5, Insightful)
Spam is grossly different to most other forms of unsolicited communication in one simple respect - the total cost to the recipiants is hugely larger than the total cost to the sender. This isn't true of (say) unsolicited email from an individual directly to you, unsolicted junk mail, unsolicited telephone calls or unsolicited personal conversation.
Re:and in other news (Score:3, Insightful)
if spam should be illegal, so should any form of unsolicited communication
This is not insightful. In the US, you have the right to freedom of speech. You do not have the right to force anyone to listen. Spammers try to force people to listen to them by faking headers, ect.
To use your pub analogy, you have the right to strike up conversation with anyone you choose. However, persisting when the conversation is clearly not desired by the other party, and going as far as masquerading as someone else to get their attention would be harassment, and possibly stalking.
No, not Skynet; Nomad (Score:3, Insightful)
Re:3 little words (Score:5, Insightful)
HELO
and
MAIL FROM:
Many SMTP servers will do some sort of verification on the HELO line, but very little can be done about the FROM line. You can't easily kill addresses that don't match the HELO domain because legitimate mail relays would be unable to forward your mail on then.
I can send you a piece of mail that will display bob.hope@whitehouse.gov as the from address. If Bob had that address, and people replied to the forged address, he'd be getting the blame for my spam.
It sucks.
State laws? (Score:3, Insightful)
Did you look at state law remedies, call the attorney general, that sort of thing? I'm not faulting you if you didn't, I'm just ignornant of whether there a meaningful alternatives.
You could have sued the guy personally in small claims, although the dollar value was low. But there's nothing wrong with a little spite.
Re:You have no right to complain /. (Score:2, Insightful)
My personal experience with the "joe job" tactic (Score:3, Insightful)
The vast majority of the mails you get back are administrative emails saying that "the user does not exist." There is also a small amount that you get that are ill-informed, ignorant, and often very inflamed responses from people who respond.
At the peak of the attack, I got over 14,000 emails in a single day. It almost caused me to have to give up my email address, which I had held for almost seven years at the time. I didn't want to give it up so easily.
My solution was to install and use the Tagged Message Delivery Agent (http://www.tmda.net), which is a whitelisting service. It has my admiration for rejecting 100% of the unwanted emails for two reasons. First administrative accounts don't reply to their whitelisting requests, and second, ignorant angry users don't bother to reply to get whitelisted anyways.
As for the question of why someone would do this, I have thought of three reasons:
- To make their spam look more legitimate.
- Just to cause general havoc
- Because I have, in the past, not hesitated to complain to service providers about spam. This was probably retribution.
I did attempt to bring some form of legal action into the fray. I talked informally to Scott Frewing, a US attorney (one of the prime players in the Skylarov case), about the attack. He referred me to the FBI's online fraud folks, but couldn't really give me much encouragement on the chance of the success, since the spammer's website was located in the China Telecom domain, although the company it claimed to represent was in New Jersey. In fact, he told me I would probably be better off pursuing the case strictly on the basis of fraud and possible identity theft (the use of my email address) rather than as a spam case.
I stopped pursuing it after talking to Frewing.
In any event, I have won the battle in the sense that I will never see the unwanted mails. But I have lost the war in the sense that I can't really make the F*CKER stop doing it, and it does consume resources on my linux box.
Re:Everyone call your State Rep! (Score:3, Insightful)
It can be done....
From my post of last Friday Evening...
"I'm from Missouri "And this version of the proposed law sucks big-time. How about they put a million bucks in a pool, open up 50 or 60 tracking bank accounts, and buy whatever it is the spam is selling.... Thus creating a $$$ trail that can be followed, and a judge can just take and put back into the state coffers. Him em where it hurts... in the pocket!
Think about this now....
1) Recieve Spam
2) Report Spam (forward to spam-abuse somewhere official)
3) More than X number received complaints, State goes into action.
4) State dude/dudette actually buys whatever the spam is selling...
5) state office then traces the $$$, get's a judge to freeze the $$$, apply an ADMINISTRATIVE FINE and keep the spammers frozen $$$ til the fine is paid.
6) spammer learns to not screw with Missouri if they can help it (tough, but doable).
Is this easy? No.. Can it be done? Yes, absolutly... If they're gonna write a law, write one that works...
And yes, I'm chatting with several MO Reps and State Senators about it too.
Spam or DDOS? (Score:2, Insightful)
The sender address was a similar auto-generated hotmail address. When I found out what was going on (on a sunday night) because the sysload went up, my mailqueue contained over 50000 undeliverable messages.
I blocked the sending address with an ip table rule and mailed the Irish ISP. The next morning the connection attempts were still bouncing of my firewall and the ISP never replied.
These guys are beginning to do more and more damage...
Xenna
Re:IQ Test (Score:5, Insightful)
I've never understood why people don't put "Press a key" instead. The intelligence-challenged can search out the `a' key, which will work, and the rest of us will know that all the others'll work too. Plus it's two characters shorter -- benefits all round!
Re:IQ Test (Score:3, Insightful)
Anyone can use a computer.
Some people shouldn't.
Re:Reverse spam really isn't that new... (Score:2, Insightful)
Including the Received lines? Learning how to read those, backstepping from the last (trusted) one takes a bit of practice, but will get you to the spammer or the open proxy that he's hijacking.
The main thing to track is the web site that most spammers have as the "payload" of their spam. Disposable accounts to send the spam are easy to replace, but getting the web site killed hurts the spammer. (Alas, too many ISPs are wearing the Enormous Foam Helm of Stupidity [userfriendly.org] about spam-support web sites.)