Could Fake Phishing Emails Help Fight Spam? 296
Glyn Moody writes "Apparently, the US Department of Justice has been sending out hoax emails to test the security awareness of its staff. How about applying a similar strategy to tackling spam among ordinary users? If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary. The system would be cheap to run — spam is very efficient — and could use the latest spam as templates."
stupidity tax (Score:2, Funny)
Your post advocates a.... (Score:5, Funny)
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Perhaps (Score:3, Funny)
Perhaps they could hire some kind of outside contractor - with an extensive botnet and lots of spam-sending experience - at some ridiculous fee! I'm sure with significant compensation, these professionals could be convinced to spam the DoJ.
In all seriousness, all this will do is make a certain few people very very sad inside when they see just how easy it is to fool the common deskmonkey, and just how much info you can get. At best, some of those certain few people will become motivated to make it their profession...
Re:Been there done that. (Score:3, Funny)
The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.
Fire them all after the 2nd time. The survivors would warn the new hires.
Re:Seriously? (Score:5, Funny)
The real solution is to simply tell all respondents that they have won an all expense paid vacation. Send them some fake e-ticket to print out and tell them where to go, and then just put them all on a rocket to the sun. Problem solved.
To take this even further OT (Score:4, Funny)
Re:Seriously? (Score:5, Funny)
"Congratulations! By responding to this test email, you've received an IRS coupon for a FREE TAX AUDIT. Enjoy!"
That's one way to teach them. Granted, it's a bit Pavlovian, but ... if it works, it works.
Re:Seriously? (Score:5, Funny)
You mean it'll make people salivate for food at the sound of a bell if they get a tax audit? Now that's some crazy conditioning!
Comment removed (Score:3, Funny)
oblig (Score:2, Funny)
Spam is like XML, if it doesn't solve the problem, use more.
Re:Self identification might help zombies (Score:4, Funny)
The "good" spam is sort of like a public education campaign about STDs.
Ooh, terrible metaphor. By that logic, this "good" spam would be like the government having unprotected sex with people to identify who needs to be educated about proper condom use.
Re:Self identification might help zombies (Score:5, Funny)
Re:Seriously? (Score:5, Funny)
Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?
RFC 3514 [wikipedia.org] does propose a solution to this sort of thing...
Proposed Name for Fake Phishing (Score:5, Funny)
Re:Actually, ... (Score:4, Funny)
No, because your metaphor doesn't take account of the fact that the proposed solution causes a lot of spam to be sent.
It's more like that the condom police just have sex with you bareback, and afterwards they say "okay well this time it was just genital warts... next time it might be AIDS".
As goes the old metaphor... (Score:2, Funny)
"Give a man a phish, and he'll eat for a day. TEACH a man to phish and he'll eat for a lifetime."
Sorry, terrible pun I know, but it is true; the only way to fight this sort of thing is to make people more aware of it in the first place, knowledge is power. Personally, I think they're at least trying the right thing. My concern is the automatic filtering of "spam" messages done by some ISP's and mail services (especially gMail), and how it will interfere with the success of something like this.
Re:not a tech problem - it's a PEOPLE problem (Score:2, Funny)
Two birds, one stone: force all the spam-responders to eat dirt!
It might not solve the spam problem, but at least we could get a laugh out of it. Hell, you could make a TV show out of it.
Oh wait, a metaphor? Never mind...
Re:Seriously? (Score:1, Funny)
Rockets to the sun are expensive.
Just send them an e-ticket to print that has "I'm a terrorist" written on it somewhere. They are probably too dumb to check the ticket carefully, but when the try to get through security at the airport with that bogus e-ticket I'm sure they will learn a valuable lesson.
To paraphrase on old saying (Score:3, Funny)