Could Fake Phishing Emails Help Fight Spam?
Glyn Moody writes "Apparently, the US Department of Justice has been sending out hoax emails to test the security awareness of its staff. How about applying a similar strategy to tackling spam among ordinary users? If fake spam messages offering all the usual benefits, and employing all the usual tricks, were sent out by national security agencies around the world, it would select precisely the people who tend to respond to spam. The agencies could then contact them from a suitably important-looking government address, warning about what could have happened. Some might become more cautious as a result, others will not. But again, it is precisely the latter who are more likely to respond to further fake spam messages in the future, allowing the process to be repeated as often as necessary. The system would be cheap to run — spam is very efficient — and could use the latest spam as templates."
Seriously? (Score:4, Insightful)
The spam problem will not be solved with laws or pretty tricks like this.
It is a technological problem, and as such will be solved by technological changes: the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authenticates sender and receiver properly, and that allows for efficient transmission of binary data.
Re:Seriously? (Score:5, Interesting)
Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?
Re:Seriously? (Score:5, Insightful)
If the zombie box has username/password on a legit account (or whatever the authentication is) then no protocol will help. It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem). I don't think anything can solve the "spammer signs up for asdfghjkl.com and starts sending email through that server" spam.
I don't see how this'll help, though.
1) The people who fall for this won't actually learn until they're actually stung, not just an email that says it is from a government agency
2) Chances are they'll probably be more suspicious of the 'Government Agency' email than the "get stuff cheap" email because they're interested in getting stuff cheap, but why would they get an email from the Government
3) Spam is spam is spam
4) Spammers/phishers will piggyback the Government emails, clone them and send out similar emails saying they'd been caught by one of these traps, so go to [insert site]
5) Despite what I said in 1), some of these people will never learn (see the people who get conned out of thousands of £/$/etc)
Re: (Score:3)
The only solutions to spam that will actually work are ones that negatively affect the person whose computer is being used to send it. This leads to massive problems in trying to balance a workable service with the penalties.
Personally I would like to see ISPs begin to implement a system where they block service to anyone sending over a certain number of emails in a given time frame (this solution can be as t
Re: (Score:3, Funny)
Re:Seriously? (Score:5, Insightful)
I'm not a kernel developer, but every mailing list to which I once subscribed moved to web based forums, which I find much, much more convenient to use. I think mailing lists are a relic which some are reluctant to give up, and I'm sure there may be good reasons for that. I just don't know what they are.
Here's some of the reasons I prefer my mailing lists to forums:
* I don't have to remember to go there; it comes to me.
* I KNOW what I've read already.
* I can set up filters to mark my own "posts" as read automatically, to delete posts from people I'd rather not hear from, to flag items with particular subject lines, etc.
* Thunderbird has a good search tool. Online forums often don't, and it's luck of the draw whether they do or not.
* If the internet is down, I can still find that post that tells me how to do what it is I want to do right now.
* I can (with the original poster's permission) forward all or part of a message to an individual or another list.
* I can (with discretion and an x-post note) post the same text to multiple lists at the same time.
I'm sure there are other reasons, but those are the reasons I've advocated against email lists I belong to switching to online forums. Since most of them are Yahoo groups, though, people *can* read them as web forums if they want to instead.
Re:Seriously? (Score:4, Informative)
I was going to make this comment in computer-ish terms. It's called "push content" versus "pull content". Mailing lists PUSH the content to the user. Web fora require the user to PULL the content.
PUSH is much better for important information. PULL is better for information that is not critical.
My cell provider has an email to SMS gateway (and did the same thing prior to such gateways being common.) They also have "internet access" I could pay for that allows me to access POP/IMAP mail servers and web sites. The former is PUSH, the latter is PULL. When my server is dying, I want PUSH data telling me that. If my house goes below freezing, I want PUSH data telling me that. When I want to discuss hobbies, I mostly want PULL so I control when I read the information. If I want to know the temps in my house (other than extremes) I want PULL so I can control how often I am told.
One reason you didn't mention is that, for Unix users, at least, it is absolutely trivial to set up an email alias ("mailing list") using nothing other than standard email tools, where a web forum requires running a web server and the forum tools. I do both -- I have aliases for meeting notices and I have a Drupal wiki for online discussions. The aliases were so much easier and take so much fewer resources.
Re: (Score:3, Insightful)
It's probably a good idea overall, but it would get a lot of criticism as either a) people with email sending addictions sent too many emails and got caught or b) people with infected machines probably wouldn't know/care about what to do and would just object to being blocked.
ISPs blocking ISPs is potentially asking for trouble, though. It's like IP blacklisting, but it leaves a lot of innocents getting hit just because the ISP hasn't dealt with some trouble makers to some arbitrary degree to make another I
Re:Seriously? (Score:5, Funny)
"Congratulations! By responding to this test email, you've received an IRS coupon for a FREE TAX AUDIT. Enjoy!"
That's one way to teach them. Granted, it's a bit Pavlovian, but ... if it works, it works.
Re:Seriously? (Score:5, Funny)
You mean it'll make people salivate for food at the sound of a bell if they get a tax audit? Now that's some crazy conditioning!
Re:Seriously? (Score:5, Informative)
It might, however, stop email faking and sending from the zombie box itself, which would give a better point of control (because at the moment anyone can send emails that purport to be from Yahoo.com from their own box, if it is set up right, but a protocol that could fail connections claiming to be Yahoo.com emails that don't come from an approved Yahoo.com server would reduce the problem).
Note there is already a system for doing this. It is called the Sender Policy Framework [wikipedia.org] (SPF) and uses DNS records to tell mail servers which machines are allowed to send mail for your domain.
This is not a perfect system though because often there is a legitimate need to use a different e-mail domain address than where your mail came from (eg. forwarding, etc). For that reason it doesn't appear that many mail servers are configured to check SPF records.
At the very least it seems like they would be good for pre-tagging SPAM (ie. still deliver it but add something to the header that says it could be spam).
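The SPF check this comment describes, as an added example (not code from the comment author or from any SPF library): a simplified evaluator over a constructed, in-memory stand-in for DNS TXT records that handles ip4/ip6/include/all, shows the forwarding case failing, and emits the kind of pre-tagging header the comment suggests. Domains and addresses are constructed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups, so the example runs offline.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for domain, or None if it publishes none."""
    record = SPF_RECORDS.get(domain.lower())
    if record and record.startswith("v=spf1"):
        return record
    return None


def evaluate_spf(domain, sender_ip, depth=0):
    """Evaluate sender_ip against domain's policy (simplified: only ip4, ip6,
    include and all are supported; any other mechanism is a permerror)."""
    if depth > 10:                      # guard against include: loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced policy passes.
            if evaluate_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                    # no mechanism matched, no "all" term


def received_spf_header(domain, sender_ip):
    """Tag rather than reject: the header a receiving MTA could add so a
    later filter can weigh the result (the comment's pre-tagging idea)."""
    result = evaluate_spf(domain, sender_ip)
    return f"Received-SPF: {result} (sender IP {sender_ip}; domain {domain})"


if __name__ == "__main__":
    # Direct delivery from an authorised host passes.
    print(received_spf_header("example.com", "192.0.2.10"))
    # Mail from example.com relayed by a forwarder at 203.0.113.9 fails,
    # which is exactly the legitimate-forwarding problem the comment raises.
    print(received_spf_header("example.com", "203.0.113.9"))
```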
Self identification might help zombies (Score:5, Interesting)
The "good" spam is sort of like a public education campaign about STDs. It's part of a well rounded solution in raising public awareness. Yours may not need raising but you will benefit if the awareness of others is raised so put up with it.
Now then there's the post infection detection problem. We could take a similar approach of turning a bad thing to our advantage. Presumably these Zombie bots try to hit a series of predefined URLs to announce their availability. Once some of those are known, why not seize them and use them to get infected computers to self-identify, then notify the owners or if unresponsive their ISPs?
That would not cure all infection. But there is a well known principle in medical virus infection called the R-factor and that is the minimum number of infections needed in a population before the disease becomes self sustaining or growing in infections. We don't have to eliminate all zombies before we reach a point where the infection rate is highly damped.
Re:Self identification might help zombies (Score:4, Funny)
The "good" spam is sort of like a public education campaign about STDs.
Ooh, terrible metaphor. By that logic, this "good" spam would be like the government having unprotected sex with people to identify who needs to be educated about proper condom use.
Re:Self identification might help zombies (Score:5, Funny)
Actually, ... (Score:2, Insightful)
to go right with your metaphor, the "condom police" picks up a girl/guy in a bar, takes s/he to a hotel room, asks if they can go bareback, s/he says yes, receives a fine and a slap on the wrist (possible mandatory safe sex lessons) and goes home. Seems sensible to me.
Re:Actually, ... (Score:4, Funny)
No, because your metaphor doesn't take account of the fact that the proposed solution causes a lot of spam to be sent.
It's more like that the condom police just have sex with you bareback, and afterwards they say "okay well this time it was just genital warts... next time it might be AIDS".
Re: (Score:3, Interesting)
Relatively simple bots access a few URLs or an IRC channel, but many are more sophisticated than that these days, unfortunately. One strategy is to have a complex URL generator that deterministically spews out a couple of hundred http://fri4eie943kejkz.com/ garbage addresses per day; the botnet herder need only register one of them to deliver updates etc. Of course the algorithm can be reversed by sufficiently good analysts, so the next level up is for the botnet to form its own p2p network. Some of these are advanced, fully distributed systems employing encryption, automatic command and control failover (no central point of failure), "fast flux" DNS to present a constantly moving target etc. They are basically impossible to shut down, even if the legal will to do so across borders existed.
Exactly. So if you have a bot in captivity you see what addresses of the day it is going to.
Any computer that visits one of these gets flagged as infected.
No uninfected computer would visit any of them let alone all of them.
You could even push this up a level and simply look for large numbers of DNS requests by different computers for the same invalid addresses. One could imagine that a mispublished URL could get a lot of legitimate computers making a bogus DNS request but if unrelated computers make the
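The two detection ideas in this comment (flag hosts that query a captured bot's addresses of the day; flag names that many unrelated hosts fail to resolve), as an added example that is not the commenter's code. It runs over a constructed resolver log and goes one step beyond the text: requiring a host to hit more than one shared NXDOMAIN name before it is flagged, which filters out the single mispublished-URL case the comment worries about. The log format, client addresses and names are all constructed.

```python
from collections import defaultdict

# Constructed resolver log: timestamp, client IP, query name, response code.
# 10.0.0.5/7/9 query two garbage names; 10.0.0.12/13/14 hit one typo'd intranet name.
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-03-01T10:00:02 10.0.0.5 fri4eie943kejkz.com NXDOMAIN
2024-03-01T10:00:02 10.0.0.5 q8dkz1mvpe3a.net NXDOMAIN
2024-03-01T10:00:03 10.0.0.7 fri4eie943kejkz.com NXDOMAIN
2024-03-01T10:00:03 10.0.0.7 q8dkz1mvpe3a.net NXDOMAIN
2024-03-01T10:00:04 10.0.0.9 fri4eie943kejkz.com NXDOMAIN
2024-03-01T10:00:04 10.0.0.9 q8dkz1mvpe3a.net NXDOMAIN
2024-03-01T10:00:05 10.0.0.12 intranet-portl.example.com NXDOMAIN
2024-03-01T10:00:06 10.0.0.13 intranet-portl.example.com NXDOMAIN
2024-03-01T10:00:07 10.0.0.14 intranet-portl.example.com NXDOMAIN
2024-03-01T10:00:08 10.0.0.14 www.example.com NOERROR
"""


def parse_dns_log(text):
    """Return (client, name, rcode) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        records.append((client, qname.lower().rstrip("."), rcode))
    return records


def clients_contacting_known_names(records, known_names):
    """Captive-bot approach: any client that queries one of the names the
    sandboxed sample generated for today is flagged."""
    known = {n.lower() for n in known_names}
    return sorted({client for client, qname, _ in records if qname in known})


def shared_nxdomain_names(records, min_clients=3):
    """Names that came back NXDOMAIN for at least min_clients distinct clients."""
    clients_by_name = defaultdict(set)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            clients_by_name[qname].add(client)
    return {n: c for n, c in clients_by_name.items() if len(c) >= min_clients}


def likely_infected_clients(records, min_clients=3, min_names=2):
    """Clients that queried at least min_names of the shared NXDOMAIN names.
    A lone mispublished URL produces one shared name, so it does not trip
    a min_names=2 threshold; a generator spitting out many names does."""
    shared = shared_nxdomain_names(records, min_clients)
    names_by_client = defaultdict(set)
    for client, qname, _ in records:
        if qname in shared:
            names_by_client[client].add(qname)
    return {c: n for c, n in names_by_client.items() if len(n) >= min_names}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    print("known-name hits:", clients_contacting_known_names(recs, ["fri4eie943kejkz.com"]))
    print("shared NXDOMAIN names:", sorted(shared_nxdomain_names(recs)))
    print("likely infected:", sorted(likely_infected_clients(recs)))
```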
Re: (Score:2)
It's not possible to spot a zombie box with a protocol (at least not one that is going to be used for simply sending email) but if the machine has to authenticate with the server before sending then immediately you have an accounting trail. Zombie boxes could be dealt with very quickly and probably in a fairly automated manner. The current black listing system works fairly well but it's rather clumsy and causes a lot of friendly fire (I've been hit several times). While I like the ability to run my own mai
Re: (Score:2)
1) You get a spam from box X that authenticated as sending mail for domain Y.
2) You determine that the message is spam.
3) ?
4) Box X gets shut down.
What is ??
A spammer would also be willing to cough up (one time) for a certificate.
Re:Seriously? (Score:5, Funny)
Can you come up with a protocol that will not allow a zombie box to, as you say, authenticate properly?
RFC 3514 [wikipedia.org] does propose a solution to this sort of thing...
Re:Seriously? (Score:5, Interesting)
There are advantages to thinking of (and addressing) spam as a social problem rather than a technological problem. For starters, treating it as a technological problem leads to an arms race mentality in which spammers are continually driven to "outsmart" technological safeguards as they are developed.
Personally, I have no problem with an approach in which "purchasers" (in other words, anybody who responds to spam in any way) are exposed and educated by any means necessary ... with education consisting of an escalating series of measures until the recipients finally comprehend just how fucking stupid their actions were.
Re:Seriously? (Score:5, Insightful)
Most spam is motivated by profit: trying to sell something to the recipient. There is therefore a money trail. Law enforcement could simply respond to a small proportion of spam and track where the money goes, and then prosecute for fraud, selling unregistered drugs, tax evasion -- it's a good bet they are breaking some existing laws, no new "cyber laws" are needed. But they don't because governments really don't care about it. Each spam is a fleabite, and below the threshold for which they take action (I've heard at least $5000 for the FBI). And various business lobby groups have made sure that there are plenty of loopholes so their marketing material can get through.
My point is that they CAN find the spammers. They don't even try. Slashdotters foam at the mouth and talk about lynching. We imagine the rest of the world shares our hatred for spammers. But really, most people don't care. Government leaders don't care; if they use email at all it's filtered by their staff and they never see spam.
Re:Seriously? (Score:5, Insightful)
Let's replace it with something that authenticates sender and receiver properly, and that allows for efficient transmission of binary data.
Sigh...it's so tiring to hear people on /. say things like "it's a technological problem" about spam. Do you know how easy it is to get a personal digital certificate from Thawte? Fill out a few forms, download your PKCS certificate. What's to stop your sooper-dooper anti-spam system if you can authenticate a spammer? Remember, if you can legitimately receive an e-mail message from ME (a stranger to you, presumably), you haven't "solved" spam. If you can't legitimately receive an e-mail message from me, I can't tell you that I'm your long-lost twin brother (i.e. your email system is then useless).
Re: (Score:3, Interesting)
So your argument is basically "The current system sucks, therefore no system will work!"?
Re: (Score:3, Insightful)
And for that I refer you to this comment. [slashdot.org]
Why is it so many otherwise perfectly intelligent people act as if a solution which doesn't solve 100% of the problem must be completely worthless?
Yes, a 99% effective solution (i.e. something that reduced the actual volume of spam by 99%) would likely not result in any fewer people clicking on spam. But it would mean
Re: (Score:3, Insightful)
First off, if the item is in the "what if" pool and isn't effective, then losing it shouldn't matter.
Secondly, if the sole argument you are going to present is "It's hopeless! Just give up!", then frankly I wish you would.
Our current system for email is virtually 100% open and unsecured. No, I don't think we'll ever eliminate spam. And yes, we may take steps in the search for the 'optimal plan' that end up being a total waste of time.
But at the end of the day, the only thing you have presented so far is pe
Re:Seriously? (Score:4, Insightful)
The point of authentication is to get accountability, not to get instant filtering. If a spammer is using a fake certificate, that certificate can be blacklisted. If some company isn't checking for fake date, certificates by that company can be blacklisted. If random joe is sending me good mail, I could white list him. If random-mail-provider.com is doing good at stopping fake accounts, I could whitelist them as well. And when you would send your twin mail via a good email provider it would arrive just fine.
Today you have the issue that you can't really do much, because you can't tell where a mail did come from. Most of the data in the headers is completely fakable and useless, and yet they get used a lot for mail filtering because it's the only data we have.
Re: (Score:2)
the SMTP protocol is outdated and totally unadapted to the modern uses to which we put it. Let's replace it with something that authenticates sender and receiver properly.
That would be nice. All messages could be identified by IP. No wait, it can be spoofed.
Then they can be identified by MAC. Hmm, but which mac to use?
Better by full name and Social security number. Yes, that's it! Let's include all data in each mail so the receiver can identify us.
Or better yet, with a credit card number and its pin.
Humm, no, that seems dangerous.
Let's sign the mails with an asymmetric encryption scheme. Wait, what? What do you mean it already exists and people have been using it for a decade
Re:Seriously? (Score:4, Interesting)
Private customers are even worse, their computer skill level is so low that it is impossible to communicate the fact that they __personally__ must do something and there is no widget solution.
As far as the government doing this, it just makes matters worse. Soon the spammers will mimic the official documents and as a final step will tell the consumer to install pwn_my_Machine.exe to solve all their problems.
Re: (Score:2, Interesting)
Well either sign/encrypt the message with the receiver's key or just make the SMTP protocol fetch the mail from the MX server that it says it comes from; this will make sure that approx. 90% of all spam will never reach your inbox since they need to have a valid MX record for the mail to originate from.
Today the SMTP protocol goes like this:
userA@sub1.example.com sends a mail from a spoofing SMTP server at some arbitrary IP address to someuser@sub2.example.com, the sub2 SMTP server receives everything from
Re:Seriously? (Score:5, Insightful)
Spam is a matter of social engineering, of convincing someone to buy a product, give out information or click on a random executable, even though every rational fibre in that person's body should warn against doing so. Yes, using something more robust than SMTP would help, but it's no cure against stupidity and botnets.
I like this initiative, I just wish it would target those who are already at risk of 'stupid-clicking' instead of those with more than one braincell. It's disappointing that those who do respond to spam emails (twice or so...) don't get taken out of the gene pool either
Re: (Score:2)
It's disappointing that those who do respond to spam emails (twice or so...) don't get taken out of the gene pool either :(
I'm surprised this has never happened to people buying from pill spammers. Think about it: there are thousands and thousands of people ingesting pills purchased from anonymous untraceable strangers with probable ties to organized crime. I'm amazed Al Qaeda or some similar group hasn't clued in to this one yet.
not a tech problem - it's a PEOPLE problem (Score:4, Insightful)
No.
Spam persists because a tiny (absolutely, infinitesimally small) proportion of the recipients actually respond to it. Whether that's due to stupidity, greed (oooh - I might get something for nothing), boredom, accident or simply curiosity (hmm, I've never replied to SPAM before, I wonder what happens).
The costs of sending it are so low, that it is still worthwhile, providing there's one idiot in a million who takes the bait.
How do you cure this people problem? I don't know. Even if you spend your whole life telling children not to put dirt in their mouths, some still will. You'll never get rid of spam until all the dirt-eaters and spam-responders get a dose of common sense, and that'll never happen.
Re: (Score:2)
Send a hit-squad round to the house of everyone found responding to spam? Nuke the earth from orbit, thereby removing both the spam emails (fry the drives) and the recipients/clickers (fry the people)? I'm sure there are ways ;)
Re: (Score:3, Insightful)
Disease is a biological problem. You can't eliminate disease from the world using a purely technological approach.
However, if you have an internet connection to post to /., then chances are good that you and I both have living conditions that are far far more livable and comfortable thanks to the fact that people did use technology when it was possible to prevent what could be prevented and alleviate what couldn't.
You and I get the flu, pneumonia, or even TB, we are likely to live through it. That wasn't the
To take this even further OT (Score:4, Funny)
I'm with ya brother (Score:2)
The last damn thing I want is to click a link out of curiosity and within five minutes be standing there having to listen to the IT guy say "here's your sign" or end up in the HR office explaining my seeming poor hand-eye coordination because I accidentally clicked on a link in an email from the fscking HR department. Don't these people have enough work to do?
Re:Seriously? (Score:5, Funny)
The real solution is to simply tell all respondents that they have won an all expense paid vacation. Send them some fake e-ticket to print out and tell them where to go, and then just put them all on a rocket to the sun. Problem solved.
Re: (Score:3)
The "B Ark" solution, I like it.
Re: (Score:2)
Not Seriously?!? (Score:2)
Ick. What a stupid idea.
The reply rate to spam, if I remember recent numbers recently, is something like one reply in ten million messages sent. To have even a marginal effect on the spam, you'd have to reach at least a million users. So, that means they're proposing that the government send out ten billion spam messages.
Dumb.
Much better is to follow the money trail-- the spammers have to have a way to make money. Follow that trail.
Re: (Score:2)
Much better is to follow the money trail-- the spammers have to have a way to make money. Follow that trail.
Okay, I followed it to Russia. Now what?
Re: (Score:2)
You seem to think that the 'spam problem' is technological. It's not. You remember getting junk mail in your snail-mail box, right? Same concept. There is a medium through which many potential customers can be reached, and is cheaper than the alternative (for paper mail, it's cheaper than going door-to-door, for e-mail, it's cheaper than paper mail).
Even if sender and receiver are authenticated properly, so what? A spammer will still be able to 1) forge his own authentication or 2) compromise an authentic box
Re: (Score:2)
I disagree.
Yes, there are issues with the technology - that's not what I disagree with.
However, I know at least a few individuals who were fooled by an e-mail that looked legit (banking site), and didn't bother to check the e-mail address, etc.
The problem is, ultimately, people.
Nah, dumb idea.... (Score:5, Insightful)
In my experience, many of the people clueless enough to respond to some spam email are also the ones who wouldn't understand the reply that came back to warn them of their behavior.
(Heck, you wouldn't believe how many people I've had to help out, because a free version of their Windows anti-virus software expired, and they couldn't figure out what to do with the windows popping up to tell them they needed to download the newer version. They thought that stuff meant their anti-virus "broke" because they got a virus!)
Re: (Score:2)
I wonder how long it would take for fake government-anti-spam-warning emails to start showing up?
... the dumb ones are usually the bosses (Score:2)
My guess is that it'll be pulled faster than the pay-rise of the person who made him/her look an idiot by instigating it, in the first place.
it's already in use... (Score:3)
And it's called more exactly honey-pots.
Re:it's already in use... (Score:5, Informative)
And it's called more exactly honey-pots.
Actually, honey pots are more about collecting spammer addresses, not identifying their targets.
stupidity tax (Score:2, Funny)
Re: (Score:2)
They could lower regular taxes by creating this stupidity tax.
Where do I sign the petition?
actually, this works fairly well. (Score:5, Informative)
my school district did the same thing, and it works great.
It's the best form of targeted training. Only those who fall for shit like this get a lesson, and follow-up fake scams had a MUCH lower success rate.
Re: (Score:3, Interesting)
Re: (Score:2)
Pretty sure a local university does that here.. but what they do is if you click through to the site, the SITE itself tells you "Hey Dumbass.. you just got phished.. here's some info and the whys-and-wherefors". (The Site in question would actually be under the admins control and on the LAN)
I agree with most people here that the follow up email idea is bad because I'm probably MORE likely to ignore an email that says it's from the government
Re: (Score:2)
The first step in solving ANY problem is identifying it. So, let me ask you this:
What percentage of your staff is susceptible to a phishing email?
You don't know, right? How can you find out? A voluntary questionnaire?
Unfortunately, a phake phishing scam is the only tool you have to gauge the problem. And, coincidentally, it can help IT get the point across to the staff.
Re: (Score:3, Insightful)
my school district did the same thing, and it works great.
Really? Sounds ridiculous to me.
Sounds to ME like there's a testable hypothesis here, which someone should think about testing rather than just saying it SOUNDS ridiculous.
Re: (Score:2)
oblig (Score:2, Funny)
Spam is like XML, if it doesn't solve the problem, use more.
Dumbass idea, man (Score:5, Insightful)
Sending more spam in the name of eliminating spam is not eliminating spam. It's still creating a mess on people's email servers and personal computers, and storage for much of it adds up, especially at the server level. How about we simply improve our educational system and teach marketing majors a bit more about business ethics and ethical advertising?
Re: (Score:2)
That's a good argument, but I think you oversimplify.
The intention behind it is to stop spam, and the results of responding to these emails will lead to the responders answering less in the future (at least in theory).
While I agree with the principle that "the same energy that creates a problem cannot be used to solve it", this is not the case here.
For a similar example, there are vaccines that use a dead/weakened virus to trigger an antiviral response from the body (and you could say that sending more viruses
Re: (Score:2)
Go back to my original response and read the first sentence again: Sending spam to eliminate spam is not eliminating spam.
If that's too overly simple for you, I don't know of any other way to get the point across.
Re:Dumbass idea, man (Score:4, Insightful)
I find your complaints (and, frankly, suggestions) myopic. You can teach ethics all you want, but the basics of human nature show time and time again that it's not guaranteed to stick.
Re: (Score:3, Insightful)
Go back to my original response and read the first sentence again: Sending spam to eliminate spam is not eliminating spam. If that's too overly simple for you, I don't know of any other way to get the point across.
That's a great sound bite for an audience with an IQ of about 80, but it doesn't hold up to analytical rigor. If you decrease the spam response rate, you make spamming less lucrative, and you have fewer spammers.
That's still pretty simple, even for sound-bite based logic such as you seem to p
Re: (Score:2)
Increasing the amount of spam received on anyone's servers is something that I think most admins will tell you is unacceptable. Even a child of 5 could tell you that 2 + 2 does not equal 0.
Re: (Score:3, Insightful)
Re: (Score:2)
I should amend this: If that's what you want to do with your own email servers at your own business, have at you. But if your fakeass offers end up in my inbox, the server I receive them from will be treated like every other one that sends spam -- reported to major blocklisting facilities and added to local blocklists.
Re: (Score:3, Insightful)
Besides, we're talking about companies sending these fake messages to their own employees, a local, controlled list. If it's your own network, it's not spam. It's an approved, system-wide message. Get off your high horse.
Re: (Score:2)
Re:Dumbass idea, man (Score:4, Insightful)
I'm really surprised that phishing and viruses are confused with spam, they are very different things:
- viruses/phishing: really "dangerous" messages. Opening them might lead to a compromised bank account, PC, etc. In this case fake viruses/phishing emails might help, educating people not to open such emails.
- SPAM: useless but harmless messages that are merely an annoyance to 99.9% of people. The problem is not opening such emails but the mere fact that you receive them. If someone opens spam then he might be actually interested in the advertised products, which is not bad, the problem is only that the same email is sent to thousands of people who are not. Sending fake spam to educate people not to open spam is just stupid. I don't think spam has anything to do with this article, the word has been just incorrectly used.
phishing vs. spam (Score:2)
Re: (Score:2)
I think the "solution" is so simple that it might just actually help. Even if it only educates 1% of the click throughs it has still made an impact. What's the best way to stop phishing? Make it not worth the while.
Awful (Score:3, Insightful)
This idea is awful for the same reasons that I don't want the local police department entering my home to show me how easy it is to pick my locks.
The idea smells of John Ashcroft appointees.
Been there done that. (Score:5, Interesting)
I did that back in 2001 to the sales force at Comcast. We in the IT department formed and sent an email with an exe file payload. When run it reported back to us who opened it and popped up a message on their screen that said, "IF I WAS A REAL VIRUS ALL YOUR FILES WOULD BE DELETED"
We sent it from outside the company with a yahoo.com address.
85% opened and ran the attachment. We used this as a part of our IT education to our users. After the classes that month we repeated it 45 days later.
We had a 90% opening rate this time. You really can not teach the users. Most people who are not IT professionals don't care. If they hose their own computer they don't have to fix it, you do.
The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.
Re:Been there done that. (Score:5, Interesting)
Re: (Score:3, Funny)
The only effective thing would be to actually delete all the users files and never give them back. Humans only really learn from cause and effect. Simulations rarely teach them.
Fire them all after the 2nd time. The survivors would warn the new hires.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Yes you can. You taught one third of the remaining 15% that these messages are harmless service bulletins from the IT department - not the dangerous mails they originally thought.
Re: (Score:2)
Or, since docking pay sounds hard to arrange, try public shaming. "The following morons got pwned this week." Put it in the break room at first, threaten to post it in the lobby next time.
Re: (Score:3, Interesting)
Actually that DOES work. We had a problem with users surfing to inappropriate sites.
I wrote a few linux scripts that displayed on the big 42" plasma in the office the images that were being surfed and the user-name attached to it I sniffed out of the IP traffic. Correlating the user-name to the IP of the machine requesting the image was actually easy.
It was only up for 1 week. Office websurfing went down 95%.
Your post advocates a.... (Score:5, Funny)
Your post advocates a
(x) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Re: (Score:2)
Exactly.
Which is why we blocked ALL attachments on emails except for zip files. And as far as I know that limit is still in place.
The users whined for 3 months. Then they got over it.
Worked great. The only way to get a user to stop doing things is to slap their hands. They refused to be smart opening attachments, so we took away attachments.
Last I knew they were sending out a group policy that disabled script execution in Office as well, I no longer have anyone on the inside since the last 2 rounds of l
Re: (Score:2)
And then spammers started putting their viruses and malware in zip files.
And then you had to start over again.
Re: (Score:2)
Re: (Score:2)
I like your checklist. Lots of really good points there.
I'm just not quite sure that I agree with this one, however:
( ) Sending email should be free
First, philosophically, I'm not sure I agree with any statement that anything "should" be free. What does "should" mean here? I can list ten thousand things that "should" be free, and if I had my choice, food, shelter, medical care, and beer (free, as in beer) all "should" be free. I'd call all of these higher priority than listing which internet services "should" be free.
Second, why sh
Re: (Score:2)
You do realize that's not written by mindstorms, and is just a standard form to be used in all discussions of how to solve spam, right? You can find it at http://craphound.com/spamsolutions.txt.
It came about because there are so many "this is how to solve spam" posts with the same set of flaws, so this simply radically sped up the process of demonstrating why the plan wouldn't work.
A couple of corrections (Score:5, Insightful)
Your post advocates a
( ) technical ( ) legislative ( ) market-based (X) vigilante
Sending out spam to counter spam is bringing justice by breaking a law.
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
These mailing lists as well as end users would have to deal with additional volume of spam.
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
(X) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
(x) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches (you need to compete with spam filters)
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
(x) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers (they never learn)
( ) Dishonesty on the part of spammers themselves
(X) Bandwidth costs that are unaffected by client filtering (you're adding to the volume of spam bandwidth)
( ) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
(X) Countermeasures should not involve wire fraud or credit card fraud
(X) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatibility with open source or open source licenses
(x) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Perhaps (Score:3, Funny)
Perhaps they could hire some kind of outside contractor - with an extensive botnet and lots of spam-sending experience - at some ridiculous fee! I'm sure with significant compensation, these professionals could be convinced to spam the DoJ.
In all seriousness, all this will do is make a certain few people very very sad inside when they see just how easy it is to fool the common deskmonkey, and just how much info you can get. At best, some of those certain few people will become motivated to make it their profession...
I do respond to some (Score:2)
Phishing side-effect (Score:5, Insightful)
Let me get this straight -- we should suggest to people who are highly credulous that there is the possibility that they might receive legitimate email from "suitably important-looking government address"?
That will never cause bigger, more successful phishing scams.
Fake spam is so much different than real spam (Score:2)
Infotainment (Score:5, Interesting)
Kill kill kill (Score:2)
How about we use the government resources directly against the spammers?
1. Set up false fronts to buy the products.
2. Trace the transactions.
3. Establish a swift death penalty for whoever receives the funds.
Yes, this would need safeguards - for instance when spammers start threatening to send out spam for products from businesses other than their own, to blackmail those businesses with threat of government response. But for instance when the payment can be traced directly to a Canadian "pharmacy," simply ex
Re: (Score:2)
Be sure to make some special playing cards with "Ace of spam" printed on them to leave at the scene.
Anonymous killings don't achieve anything.
Is the right moment? (Score:2)
Taking control of domains/URLs that are heavily referred to by spam could be considered, and instead of taking them down (by the hosting ISPs or what
Forbidden in Austria (Score:4, Interesting)
I once wanted to do such a thing for my employer: sending out fake "Enter your login credentials here to win xxx" emails to our staff and inviting those who responded by submitting their true credentials to security awareness training. However, it turned out that this would have been a violation of privacy rights here in Austria, Europe.
The employer would have been able to discriminate against people for falling for the scam, and thus it is illegal for my company to do such a thing.
Re: (Score:3, Interesting)
Yup, idiots are kind of protected here. We have comparably strong laws protecting privacy in the workplace, especially when it could be used against a worker. For example, video surveillance is not allowed to be used for evaluating things like when a worker takes a break or similar. Therefore, if the employer wants to access their own video surveillance tapes, he has to specify the exact reason, exact camera and a narrow timeframe, and the "Betriebsrat" (workers' council) has to be involved in order to protect
A better solution to spam! (Score:2)
This is really easy, and it even works in Darwinism.
What if instead of continually repeating the exercise, the recipients of the fake spam get gently berated if they take the bait the first time. Then, if they fall for it again, a couple of guys in black suits and sunglasses show up at midnight to offer the option of "the pill" or a "bullet".
I think that would cut down on a lot of spam response.
Alternately, if someone falls for the v14gra spam more than once, send cyanide pills instead of viagra.
Proposed Name for Fake Phishing (Score:5, Funny)
To paraphrase an old saying (Score:3, Funny)