My Short Life As An Unintentional Porn Spammer

Freerange writes "Mike Masnick wrote up his experience getting slammed by a somewhat new kind of spam attack that doesn't get much hype (yet?). A spammer spoofed his personal email address as the 'reply-to' for a batch of spam, with interesting results for Mike: "I can now answer the questions 'who replies to spam?' and (should anyone ever wonder) 'what are the hundreds of variations on bounced messages?'" From Politech."

Reverse spam really isn't that new...

Spammers have been spoofing legit addresses for a while. I know a lot of times they'll simply use webmaster@somelegitdomain.com and basically cause that person a bunch of grief and headaches. Most users are too clueless to realize it's really not coming from that address.

Re:Reverse spam really isn't that new...

The new one i've run into recently is they use some kinda script so that the reply-to address in my address....which makes fintering really easy becuase how often do I send mail from my account TO the same account. However I could see some stuipd user getting very confused. :)

Re: Reverse spam really isn't that new...

> The new one i've run into recently is they use some kinda script so that the reply-to address in my address....which makes fintering really easy becuase how often do I send mail from my account TO the same account. However I could see some stuipd user getting very confused.

...and replying to himself in outrage.

Re: Reverse spam really isn't that new...

...And replying to himself in outrage.
...And replying to himself in outrage.
...And replying to himself in outrage.
...And replying to himself in outrage.
...And replying to himself in outrage.

It's "How do you keep an idiot busy for hours?" for the new millenium!

Re:Reverse spam really isn't that new...

That reminds me of when it was cool to tell lusers that there was this huge ftp site at 127.0.0.1, just log in with your existing account...

IQ Test

Press CTRL-ALT-DEL now for an IQ test.

Re:IQ Test

Which button is it???~!?//!?11

LOCK WORKSTATION, logout, shutDown, _Change Password, TaSK L1st, or Cncel?

I MUST KNWO! Give me answer! Pleez! NOW! Right NOW! PLEAEEHZ! PLEEZ!

Re:IQ Test

Duh. It's a trick question.

The *real* IQ test button is hidden on the back of your computer near the power cord.

Re:IQ Test

Press CTRL-ALT-DEL now for an IQ test.

Reminds me of my days as a BBS sysop..

My board forced registration before you could post anything - in the registration sign-up (before it asked for any information) I had it say "Press any key to begin. If you don't know which key is the 'any key, it's the large one on the front of your computer labeled 'reset'

Over the course of the 3 years I had it running, the logs showed two people drop carrier immediately after reading that.

Re:IQ Test

LOL!

I've never understood why people don't put "Press a key" instead. The intelligence-challenged can search out the `a' key, which will work, and the rest of us will know that all the others'll work too. Plus it's two characters shorter -- benefits all round!

Re:Reverse spam really isn't that new...

many years ago, at this site, i believe, it was reported that someone registered warez.blackdown.net as 127.0.0.1 Could have been SA too.

The chat logs as people came in fuming and it slowly dawned on people that they had been had were priceless

Re:Reverse spam really isn't that new...

That reminds me of when it was cool to tell lusers that there was this huge ftp site at 127.0.0.1, just log in with your existing account...

No, it's "Dude, I hate to be the bearer of bad news, but I'm afraid you've been hacked -- the FTP server at 127.0.0.1 has all your personal files. See for yourself; just log in with your normal id..."

Thing is, it only worked when a sufficiently naive person would still be likely to be using a Unix system and be familiar with FTP, whereas now, even having heard of those things is something like a guarantee of knowing too much to fall for it.

Speaking of falling for it, though -- didn't I read here a while back that this particular troll had been used on the Scientologists, with spectacular success? Like, they were in court taking a deposition and their lawyer was shouting at the guy "Tell us who runs the FTP server at 127.0.0.1!"

Re:Reverse spam really isn't that new...

Keith Henson, during a deposition. It's all over the place, but definitely here [keithlynch.net]

Re:Reverse spam really isn't that new...

Ditto.

The easiest way of me getting data (Word docs, code, etc) to and from a place of business where I'm freelancing and my home is by emailing the files from one web-based email address to that same email address.

Because the data is being sent from and to the same server, there's no chance that the email won't be delivered. So, you know that (barring a major server or internet breakdown) your data will be there waiting for you at the other end - no need to carry around any media at all.

It can even be made practically secure - just zip up your files and attach a password to the transmitted zip file.

Also, should you get side-tracked and not make it home (eg, if you get lucky and score, despite being a geek) then you don't have to worry about carting around a floppy disk or CD-R all day, or worry about losing it (leaving it at her place).

Temporary online storage like this works wonders.

Re:Reverse spam really isn't that new...

just zip up your files and attach a password to the transmitted zip file.

should you get side-tracked and not make it home (eg, if you get lucky and score

What kind of a geek ARE you??? Not only do you talk about zip rather than gzip/bzip, then call zip passwording "secure", but you also talk about getting sidetracked by scoring, rather than some more sci-fi reason, like being shot at by storm troopers, attacked by some creature from LOTR, etc. Come on, get it together man! This IS slashdot afterall.

Re:Reverse spam really isn't that new...

The new one i've run into recently is they use some kinda script so that the reply-to address in my address....which makes fintering really easy becuase how often do I send mail from my account TO the same account

More often than you might think. This is how a lot of mail systems support people like me who like to keep a copy of everything they have sent.

I do wish that more of the spam filtering people would take notice of these tactics however. Quite a few of the more clueless ones have all sorts of hack-back features that can end up slamming innocent people.

The only unusual thing in this case is that it was porn. The porn senders tend to be rather more discrete than most since they know that if there is an FBI type investigation they are sure to make examples of porno senders first. This tactic tends to be more common amongst the con-artists that the FBI are completely uninterested in prosecuting.

One of the big problems is that there is no agency that has an analogous operation to the mail-inspectors role in the post office. In theory this is wire fraud but the wire fraud investigators tend to be busy dealing with cases with a few really big transactions. They are much less interested in a case where the amounts are $30 or so, even though the totals might be millions.

Re:Reverse spam really isn't that new...

What is even less interesting about this is that the Reply-To header can be set to anything you want by most e-mail clients and processors. There are plenty of legitimate reasons for doing this, such as wanting all incoming mail to go to one account, or making people have to think about whether they want to reply to a mailing list or just the default of the original poster. The From header is the one that requires a tiny bit of knowledge to "forge".

This sounds to me sort of like referring to someone who discovers an unpublished URL by trial and error as a "hacker". Of course, I didn't RTFA, but I will once it is un-slashdotted.

er, get a better email client

Even Outlook Express sets any From: you want

Re:Most users too clueless...

Fun reply to your last bit, I've got an Earthlink DSL account, which comes with an email address that I've had for about 2.5 years now. I've never used the thing to send mail ever. I had to log in to it to get something from Earthlink a while back, to find about 8 MB of spam on an account that has never been posted anywhere, never been used to send email, never known by anybody but Earthlink and myself, and my username isn't so common that people should be just guessing to send email there, at least not 8 MB of spam much.

I figure it isn't my space so I'll let Earthlink deal with it. They're probably the ones who sold me out in the first place.

Re:Reverse spam really isn't that new...

I've actually had spam being forged from my yahoo account a couple times. They didn't do just the reply-to trick either, but instead forged the whole thing so the send from is my email address. Though it's only happened a couple times and I've only ever gotten one irate reply, I know it's happened several times by the mail server bounce back that I get with the original message, along with the huge alphabetical list of addresses it couldn't be delivered to.

But that isn't the most disgusting part about it. All the bounced addresses were coming from one particular domain, which happens to be the domain my parents are on so I really don't want my email address blacklisted from their servers. Nor do I want my account closed by Yahoo, as I've had the account for a long time. Since I don't want this, and I hate spam as much as the next guy, I decided that I should send that domain owner's operators, which happen to be an ISP, an email message explaining what was going on and that if they could retrieve the headers from my message they'd have another relay they should add to their list to block.

On to the disgusting part. I get a message back telling me that I have a virus. A virus of all things, sending spam, to alphabetical lists of people on a single domain. Right. I try again, explaining the situation in detail so they can see what's going on. I include the bounce message, etc. They tell me they'll take care of it in that sort of message you know means they'll delete any correspondence we've had to this point and ignore it. Luckily enough I haven't gotten any more such signs that my email address is being forged, but I'm still put out that the people who should care, because it's their bandwidth and customers, first insulted me and then told me in so many words to bugger off.

What the Internet needs:

A proprietary mail protocol by a major power (MS?) to eliminate IP address/e-mail address spoofing.

Re:What the Internet needs:

It's funny people are modding you down cuz you mentioned MS.

I agree with you, and these morons are missing the point. The email protocol is fucked, millions could be saved if we moved to something new. And it is no secret that MS and a few other major companies could have the power to do it.

Anyways, I gave you a few extra points. The question should be how. And, how on earth can we enforce the destruction of today's email protocol while introducing another? How can we even stop spam with a new one?

New Mail RFC

You mean like this?

RFC 2487 [nyc.ny.us]: SMTP Service Extension for Secure SMTP over TLS.

SMTP [RFC-821] servers and clients normally communicate in the clear over the Internet.... Further, there is often a desire for two SMTP agents to be able to authenticate each others' identities. For example, a secure SMTP server might only allow communications from other SMTP agents it knows, or it might act differently for messages received from an agent it knows than from one it doesn't know.

Not New @ All

I experienced this five years ago and a group of sysadmins helped me track the guy back to his ISP and we turned the info over to the FBI as identity theft. We were told that my experience did not meet the threshold for them to investigate further ($5000 in damages). Worse, the ISP didn't have a code of conduct prohibiting this type of thing...

Sucks when it happens, but isn't new.

Probably the same idiot in Minnesota:(

Re:Not New @ All

That's what baseball bats are for.

If the FBI won't take it further, you could always beat seven shades of shit out of him, then when the police arrest you, assume his identity.

since they have a threshold

only break $5000 worth of his bones. then you won't be worth investigating either.

Skynet

its not going to be military computers that come alive and kill us all, its going to be the spam filters! I mean, its going to take some serious adaptive AI to filter out spam at this rate...

and the conformforting thought:

when spamfilters come alive... their prime directive will be "eliminate anything that is worthless"

Yeah, us too

The place I work (Productive Data Corporation) gets tons of bounced spams and replies to spams every day. Our domain is productive.com so any email to whatever (at) productive.com comes back to the admin email accounts. As you can probably guess there's quite a few spammers that use productive.com as reply-to. We have to constantly update our spam blockers to weed out all the real emails from the spam =/

You Don't Like The Mail Admin, Do You?

Our domain is productive.com so any email to whatever (at) productive.com comes back to the admin email accounts. As you can probably guess there's quite a few spammers that use productive.com as reply-to.

Given that you just entered the domain name not once, but twice, and your post is likely to be seen my thousands, spidered, and google-cached, I take it that you don't like your mail admin very much, do you?

Why?

Why intentionally spoof someone's legitimate email address in the reply-to field?

Why not just put some bogus made-up address there?

Are the spammers just trying to cause as much chaos and unpleasantness for as many peoples as is humanly possible?

Re:Why?

>> Are the spammers just trying to cause as much chaos and unpleasantness for as many peoples as is humanly possible?

Perhaps some, but it's also a way to get past some spam filtering app, or to make you think its a legit e-mail. I remember there was a big whoopty-doo a year or so ago about spammers using someone@linux.org as the reply to.

Which goes into the trashbin first, hotsex69@sexparty.ru or ltrovalds@linux.org?

Re:Why?

Hanging out on some anti-spam news groups I've seen this happen to people who go after spammers. In this case the spammer quite intentionally selects the FROM: address to make the bounces and irrate replies cause trouble for someone who has been causing trouble for the spammer. This is called a "Joe-job".

Re:Why?

In general, it's not a good idea to accept mail unless you think you can correctly generate a bounce message if you fail to deliver it. As a result, many mail servers will refuse to accept mail if the

MAIL FROM:

section of the SMTP exchange doesn't include a domain that exists. Some will go further and do some checks to see if the localpart exists, too. If the spammers want to get to as many addresses as possible, they have to use a real address rather than a made up one. In some cases, they'll pick the address of someone who's irritated them (anti-spammers, for instance).

Re:Why?

Why intentionally spoof someone's legitimate email address in the reply-to field?

Revenge.

I've had several spammers disconnected by reporting them to their ISP. One of the ISPs I reported to was stupid enough to send the report (along with my email address) to the spammer (before they disconnected them.)

Next thing I know, I'm getting tons of bounce messages for spam I didn't send.

It stopped after a week or so.

It's nothing new

It's referred to as a "Joe Job" or that you've been "joe jobbed"

an article about it [techtv.com]

Everyone call your State Rep!

I gave Testimony [pingalingadingdong.com] to the Missouri House of Reps on Jan. 29th.

It's easy to get things in motion, everyone is too lazy to try though.

No way to contact spammer

I am repeatedly surprised by the amount of spam out there that does not contain any way to contact the spammer. How do they expect to make money if there is no way to contact them?

--sex [slashdot.org]

Re:No way to contact spammer

Volume!

Re:No way to contact spammer

A lot of that in my case is simply 'stock advice' that amounts to setting up a pump-and-dump [wordspy.com] scheme for the stockholder sending or contracting someone to send the spam. Obviously in such a situation all the stockholder has to do is wait for the price of the stock to be artificially inflated by all the buyers then sell off everything he's got.

I don't know if this actually works for anybody trying the spam technique, as I'd hope most people getting these messages would either be too smart to fall for it or too afraid of the stock market to set up and manage their own account.

Re:No way to contact spammer

Just ask Rodona Garst [sec.gov] or her "customer" who paid for the pump and dump, Mark Rice [sec.gov] for what their take on this scheme is. Details of their pump and dump can be found here [freewebsites.com].

And since everyone loves to see spammers get theirs, go visit Behind Enemy Lines [freewebsites.com]. Be sure to visit the Lets Get Brutal [freewebsites.com] section to see what spammers look like in various states of undress!

Re:No way to contact spammer

Some spams are purely for confirmation that your email address works. I repeatedly see spams which have 1x1 pixel gif's that link to a script to call the image and pass your email address off to that script. Biggest reason not to use HTML mail.

Re:No way to contact spammer

Can I turn off HTML email in Outlook? Sorry for the stupid question that Google would probably answer for me.

Re:No way to contact spammer

Try this [ostrosoft.com].

Re:No way to contact spammer

Can I turn off HTML email in Outlook?

As far as I know, there is no way built into Outlook to do this.

I spent some time searching on how to do this a while ago, and the only way I know of is to use a COM add in. It doesn't work through the rules wizard, you have to go into your advanced email settings and register the DLL before it will work. Search Google, and you'll find the answer. A word of warning though... The one I found a while ago made Outlook painfully slow, so I ended up uninstalling it.

It is a huge pain the way Outlook has it set up. You can't set up a rule that strips the HTML, you can't set your email to automatically convert HTML mail to plain text, and you can't even use the VBA scripting language built in to automatically strip the HTML. What a pain...

Depends on Which Version of Outlook

Service Pack 1 of Office XP (which contains Outlook 2002) adds a feature for disabling HTML mail which is described in Microsoft KB Article # 307594 [microsoft.com]. Users of previous versions of Outlook can use the macros provided here [slipstick.com]

Re:No way to contact spammer

I am repeatedly surprised by the amount of spam out there that does not contain any way to contact the spammer. How do they expect to make money if there is no way to contact them?

Are you really gonna leave that hanging up there like a big, juicy grapefruit?

1. Sling a kajillion spam messages with no contact information whatsoever.
2. ???
3. Profit!

"We apologize for the previously displayed shenanigans. Those responsible for that ordered list have been sacked."

Not happy...

...with all the spam replies and such he got, he now decides to take it a step further and slashdot his server!

Way to go!

Happened to Me, Too

I'm in the Northwest US. The spam sent with my name came from Bermuda, according to the headers. I got complaints and a reply that seemed to be a death threat. The death threat came from Russia. Email to its return address came back as undeliverable. Talking to my ISP, they said that there is really not much that can be done about this unless I wanted to change my email address. I do business there, so I can't.

Fix it with PGP.

Really, the only way to combat this kind of identiy fraud is with PGP. It would be ideal if every mail-program out there supported PGP.

Re:Fix it with PGP.

There was a discussion on my local lug.

PGP/GPG only ensures that you did send it, not that you did not. Since you can send e-mails without being signed, unsigned e-mails don't prove a thing.

Those that know you (or have your key) would know
enough about you that any non-PGP e-mails would be
suspect, but that's what, .000001% of the internet?

Spam needs a technical solution.

This adds more weight to my assessment of spam as being a technical problem with a need for a technical solution. Why are address spoofing and open mail relays still a problem after over a decade of spam-related problems?

Obviously, legislation isn't catching up and as evidenced by the junk fax law is useless when it does. Technical minds built the Internet, and I have little doubt that a solution could be found once we quit looking for the quick fix.

Re:Spam needs a technical solution.

About a year ago I designed a new email system. It was pretty kickass.

It was kind of a cross between usenet and standard email. When you "sent" an email, it was in reality uploaded to your message store (the idea of the inbox was removed). Then notifications were sent to each person that a message was in the To field. That meant that for instance you could edit messages after they were sent, you could bring people in on threaded conversations half way through preserving the threading and so on. It also meant the attachment limit was decided by the senders account, not the receivers. Want to send a 200mb video to your hotmail using friend? No problem.

One of the features of this system was that key signing was built in from the start. That meant, you could opt to trust certain "roots", probably international ISPs. If you wanted to setup a newMail server, you'd have to get your hosting ISP to sign it for you, probably requiring a contract to be signed saying you'd shut down any abusive accounts etc.

Mailing lists were dealt with specially, I've never been happy with the way they currently work.

Combined with send limits (how often do you email >100 people?), that meant that spam could be cut down quite significantly. In particular, because it could be shut off at the source, if a spammer did somehow manage to spam lots of people at once, all it'd take is one report and the email would magically disappear from peoples message stores, before they'd even seen it in some cases. If the spammers were running their own servers, revoking their certs would do a similar trick.

It wouldn't eliminate spam of course, that's not possible. Smart enough people will figure out ways around it. However, having accountability built in from the start would help curb the situation a lot.

Originally I was going to write the client as a commercial app, but make the protocols open (with a non-commercial free license available). However, I ended up working on autopackage instead, so I never got around to it. If somebody thinks it'd be cool, contact me and I'll fill you in.

incase of slashdotting

the site seemed to be going pretty slow for me.. so Ill put the info here if it gets slashdotted

My Short Life As An Unintentional Spammer
by Mike Masnick

Ever wonder what sorts of emails end up in a spammer's email database? Want to know who actually responds to spam and what they say? Want to know the myriads of formats (and languages) a bounced email message can take? I can now tell you all of this. Without my knowledge, I recently became an accidental porn spammer.

When I got home one evening a few weeks ago, I noticed that I had more than the expected amount of email waiting for me. A quick glance through the inbox showed about fifty "bounced" emails - saying that email addresses of people I had emailed did not exist. The problem with this, of course, was that I hadn't actually emailed anyone.

It did not take long to figure out what happened. While some bounces simply told me that the recipient didn't exist, others included the original text of the email I had supposedly sent. It claimed to be from someone named "Chris" or "Ali" and was a reply to an alleged message from an online dating site. Chris and Ali apologized for taking so long to reply, and nervously suggested that the recipient find out more information about them by going to a website. Clearly, this was porn spam. Out of principal I won't visit the websites that were in the spam messages.

The problem was, I hadn't sent these messages at all. I'm not Chris or Ali. I don't use dating sites. I don't have a porn website. I don't send spam.

One of the popular "tricks" among spammers nowadays is to set the "reply-to" address as the same as the recipient's email address. That cuts out on the problems of bounce mails, and also has a psychological effect on recipients who are curious what email they've sent themselves. Most spam filters have figured out ways to still capture these spam messages (though, I'm now hearing stories of legitimate emails that people send to themselves being classified as spam). I've received plenty of these types of spam, and most are filtered away, never to be bothered with.

It seems that this particular spammer took things one step further, and made the "reply-to" address for all of his spam message set to my personal email address. If anyone looked at the headers, it was clear that I had nothing to do with the email whatsoever. However, most mail servers aren't so smart.

With any spam list, there's a certain percentage of "bad" or outdated email addresses. Generally speaking, a server that receives an email for someone they don't have an account for will "bounce" the message. Those bounces go to the person who sent the message - normally found in the "reply-to" line. Since my email address was in the reply-to line, all those bounces started coming my way, regrettably informing me that my pornographic spam emails had not found their intended recipient.

After dealing with the rapidly growing desire to reach through the internet and strangle whatever lower-than-life scum did this to my email address, I resigned myself to looking at this from an anthropological perspective. Suddenly, I was in a position to offer information on things that few others would (hopefully) ever willingly have access to.

Should anyone want it for research purposes, I now have a fairly large collection of bounce messages. It appears there is no standard format for a bounce message (which, by the way, makes them painfully difficult to filter). They have infinitely different subject lines. They say different things in the body of the message, sometimes nicely, sometimes rudely. They show up in different languages with different explanations. Some admit that the account has been closed due to too much spam. Others simply don't exist any more (if they ever did at all). Some bounces quote the original message; some don't. Some include full headers; some don't. Who knew there was such variety in how mail servers bounce their email?

Beyond the bounce messages were all sorts of auto-responders. It seems that some of the email addresses in the spammer's database were emails people used to send responses to those who "request more info". Suddenly I was receiving huge files of information that I really had no use for whatsoever. I also found out about a number of people who were on vacation that week, or who had recently switched jobs. One even had an auto-responder saying "this is closed...I am tired of the internet... all internet access for me is closing". Some of the addresses were to subscribe to various mailing lists. Many bounced back confirmation emails, asking to prove that I really wanted to subscribe, while others just subscribed me automatically (which will now force me to manually unsubscribe).

While most of the "information" was fairly useless, I suddenly had the opportunity to peek into the lives of people I had no association with whatsoever - connected only by spammer. I felt like reaching out and commiserating with those who were sick of the spam and wondered if I should congratulate those with new jobs. However, there was no time for that, I had more erroneous spam fallout to deal with.

Next, came the responses. I, like many people, often wonder what sorts of people actually respond to spam emails. For years, it has been beaten into my head that you never, under any circumstance, respond to a spam email. It just shows that you're a live human being, making your email address more valuable. I'm still shocked when I come across people who haven't heard this. However, they are out there, and they come in all different shapes and sizes. I have their emails to prove it.

There are the confused, but polite people. One woman wrote me a nice message saying that a "horrible" mistake had been made, and that she had not replied to my online dating ad. She did warn me, however, that there are "plenty of strange people out there" and that I should be careful. How nice. Another woman couldn't remember what she had said in her reply to my non-existent online dating profile and wanted to be reminded. A few others just asked who I was.

Then there are the unsubscribers, who are under the unfortunate delusion that asking spammers to take them off their list will help. They send simple messages saying simply "unsubscribe" or "unsubscribe, please", as if that will ever get to the actual spammer, or that they would actually pay any attention to it.

Lastly, are the angry, but clueless. I feel their pain, but they need to find a better outlet. I received emails telling me things I never knew (and find unlikely) about my lineage and suggesting I go places I have no interest in going, using all sorts of language you wouldn't use in polite company. I also received a threatening letter saying that I would be hearing from some company's corporate lawyer.

None of these people stopped to think that it was odd that my email address includes, pretty clearly, my name - which is neither Chris nor Ali. With the number of spam messages that go out every day, I wonder if these people reply to them all. I guess, for some people with anger management problems, this is a kind of outlet. All day, every day, respond angrily to spam messages, and maybe it will have a calming effect on your life.

What's scary is that, for the most, part, I only saw the bounced messages. They continued for approximately 36 hours, and then stopped abruptly. In the end, about 500 email messages bounced back to me, so I can only guess at how many thousands of poor, unsuspecting email boxes are currently dealing with spam sent with my email address as the reply-to. I apologize to all of you, even if I had nothing to do with it. I don't want to date you, and please, feel no compulsion to look at the web page in the email.

Most people agree that spam is evil. It's a waste of time and a general nuisance. I can argue against spam from a variety of levels. It's bad for the internet. It's bad for users. It's bad for business. It's just bad. Luckily, there's a rapidly growing industry of companies (and simply concerned individuals) creating software solutions to help stop the spam menace. While there are debates over how well any of these systems work, it is possible to at least reduce your spam intake. Personally, I use a spam filter that is pretty effective in reducing my spam load to a mostly manageable level.

However, with something like this, there simply is no effective preventative measure in place. The spammers spoof the reply-to, making it whatever they want - so it never even touches my mail server at all. My inbox gets bombarded because there's no simple way to filter out the bounced messages since they are all so different. It's difficult to track down a spammer normally - and more so when the spam isn't even sent to you. Despite the fact that my address was the reply-to, it seems the spammer never sent me the message directly. I found a bounce message that showed the full headers and tracked it back. The email came from a mail server in the Philippines, and pointed to a website hosted in China, owned by a company in London. Tracking down the actual spammer would likely be close to impossible. Assuming they could be found, suing them would be nearly impossible as well, not to mention costly.

One potential solution to this would be to require every outgoing email to have a verified identifier of some sort, so that any email can automatically be traced back to the original sender. This (as does every solution) brings up other problems. There are benefits to anonymous email, and we wouldn't want to take that away (though, perhaps you could limit the number of emails that could be sent anonymously to prevent bulkmailers from abusing the system).

In the end, though, this sort of stunt has killed off the tiniest amount of support I had for spammers. These spammers stand behind their First Amendment rights to speak their minds (which is an argument that can be shot full of holes in a second). In this case, though, the spammer made no use of any First Amendment rights. What they did was just mean and nasty and a complete waste of my time.

Who replies to spam

I can think of a few. People looking for:

• Penis emlargements;
• Viagra;
• Boob jobs;
• Sex;
• Porn;
• Rebuilt credit;
• Credit cards;
• Cheap mortgages;
• Cheap health insurance;
• Cheap dental insurance;
• An easy way to make millions from home with little effort!;
• University Diplomas;
• Free anything; and, of course
• Spam lists.

Spammers try to sell (gullible) people what they might buy, never what they won't. I've yet to see a spammer selling flights to Mars - although I do predict it will be a growth area for spammers in 20 years time.

Am I missing something?

Why do we just not modify the mailer daemons to do a forward and reverse DNS lookup whenever another host attempts to send it mail. If the domain the mail originates from does not resolve, or the source IP address of the sender is not registered to the same domain that the mail originates from, the message is considered SPAM and the connection dropped.

Why wouldn't that work to vastly reduce the amount of SPAM?

Re:Am I missing something?

That would vastly reduce the amount of USEFUL EMAIL as well. You would not believe what a large fraction of the Internet is configured to fail that kind of test -- or else you would not seriously contemplate that solution. Sometimes there are good reasons to configure a mail server that way.

DNS is not a terribly useful authentication mechanism for this kind of thing. Much more useful is origin-authenticated SMTP: the originator (either user or mail server) calculates a signed hash of the message, and attaches that when sending it. The receiver can verify that the signature is valid for the person (or mail server) that claimed to originate the message.

Obviously things lose in the transition period before every sender does that. You also get a huge fight over which algorithms to use, how to distribute and verify the public keys, and so forth. Welcome to Internet politics.

This is old news for me

It's been about two years since I started receiving spam from "myself", or rather some spammer spoofing me. I still get several a day, but mostly they get hung up in my postini filters. I also get several bounce messages a day. For some reason the spammers often use an ancient address in one of my domains that is no longer used.

Curiously, I almost never get anyone writing to me complaining about the spam. That used to happen, but I think most folks have figured out not to reply. I also don't seem to have been blacklisted anywhere (faughnan.com); the blacklist maintainers are apparently smart enough not to be fooled by spoofed fields.

Why did they pick me? I think they like to take addresses that are present in the registrar databases. Or maybe they picked me because I complained about spam and write about ways to stop it (not that hard really, we just need to authenticate the sending service [faughnan.com] rather than the harder task of authenticating the sender).

In any event, sadly this is old news. Good to know it's starting to make its way into the public consciousness though.

Internet growth halted protocol refinement?

Has the rapid growth of the Internet of the last few years caused it to reach the status of an immovable object?

IPv6, which includes security, ummm, mechanisms that could be utilized to curtail spoofing, some forms of DDOS and net abuses in general, but rolling it out seems too be gracial.

New RFC's could be authored that extend, modify or replace those upon which our present mail server's are based, but would... could anyone get them pushed through? Or is the Internet infrastructure so massive that any major advances in concept run smack into the issue of interoperability?

and in other news

it's now illegal to provide any false information while using oral communication. specifically related to, but not limited to, false information regarding the name of the communicator.

spam spam spam. if spam should be illegal, so should any form of unsolicited communication. that includes conversing to persons without their permission at the local pub.

i'm personally in favor of a more liberated
government system, but if we want our legislatures to make rules, let's make it a level playing field , not just fix the annoying problem we have of spam (that is created because of a technical deficiency in the overall system of itself).

Re:and in other news

spam spam spam. if spam should be illegal, so should any form of unsolicited communication. that includes conversing to persons without their permission at the local pub.

Spam is grossly different to most other forms of unsolicited communication in one simple respect - the total cost to the recipiants is hugely larger than the total cost to the sender. This isn't true of (say) unsolicited email from an individual directly to you, unsolicted junk mail, unsolicited telephone calls or unsolicited personal conversation.

Mirror.

Mirror! [vidarholen.net]

Coming next...

My Short Life as A Slashdotted Person

"So I got this story posted on slashdot after that time gigabytes of bandwidth got used up by that fake porn spam address, and so the site got slashdotted and that used up even more bandwidth until my ISP decided to limit my access, so I got another story posted under 'YRO' on slashdot about that and...."

It happened to my wife!

This exact same thing happened to my wife. At the time, she had an email address "@iname.com". Someone posted something to alt.bestiality.something or another with the From and reply-to set to her email address. The actual email was talking about what Julia and her little sister liked to do, and encouraged suitors to respond in email.

Holy crap the email she got! Emails came from people all over the world. An incredibly rare number of them included clothing and were simply introductions. Most of them included an attached nude picture of (I assume) themself (either that or there is a cast of nude pictures of incredibly ugly people floating around somewhere). Some of them demonstrated their sexual experiences with animals. But every single one of them seriously pursuing some sort of sexual relationship with someone that

1. they had never met
2. wasn't actually my wife

This whole experience turned my wife off of the internet for a long time.

I was able to track down the original post to alt.bestiality.whatever it was, and tracked it to a posting through deja news. (This was about 5 years ago). But ironically, there was nothing in that post that included "go to this website" or anything like that. The only contact information in it was my wife's email address. At the time, I assumed that the person who did this wanted us to change email addresses so he/she could have the one that we had (which was simply my wife's first name@iname.com).

After tracking it down I sent deja the information and asked them to pursue it. And I changed my wife's email address. We have our own domain now. BUT I still, occasionally login to the iname.com account and empty it. I want that account to stay active forever so that whoever tried this doesn't win.

What would you do if this happened to you? What are the defenses for this kind of thing? The email that came in wasn't spam. It was real email from real people who had real mailboxes. How do you prevent this kind of thing? So most of the antispam techniques that I know of wouldn't have worked. Additionally, we occasionally get emails w/attachments from friends who want to show us pictures of their kids. So blocking all attachments won't work. What should be done?

Do Spammers use bounces to prune their databases?

If so, perhaps spamware like SpamAssassin could be modified to intentionally bounce mail?

Replying can help stop spam...

...if it's a legit company who has someone who has a person actually reading the replies.

This is a letter I sent off to a company who offered me ways to enlarge my breasts. Being male and having no desire for hooters I felt obliged to reply.

----------

Do you people simply not bother to see to whom this message is going to? Do you not bother to do market research to see if I'm even going to be able to use the product? I am a man. I have a penis and not breasts. I am a guy, a bloke packing a "willie", a "johnson", "meat and two veg", a "one-eyed trouser snake", a "little fellow", a thingie, the "outy" parts to match up with the "inny" bits of the people to whom you should be sending this spam to and not me and my "Collection of dangly bits".

To put it simply people..."A DICK"

I have no interest in your product for the enlargement of breasts and request that you remove me from your list.

Thank You,
[name removed]
BTW: I'm also happy with the size of my naughty bits and request that you not send me information on that product should you offer that as well.

----------

To which I actually got this as a response:

----------
ROFL

Sir we are deeply sorry that you have recieved this advertisment and we are taking you off our contact list. We thank you for your polite and amusing letter.

Again sorry for the inconvience
----------

That was in August and to this day I have not seen any messages offering to give me "Huge...tracts of Land" since that date.

Sometimes it pays to answer a spam

Phoenix

Re:Replying can help stop spam...

Do you people simply not bother to see to whom this message is going to? Do you not bother to do market research to see if I'm even going to be able to use the product? I am a man. I have a penis and not breasts. I am a guy, a bloke packing a "willie", a "johnson", "meat and two veg", a "one-eyed trouser snake", a "little fellow", a thingie, the "outy" parts to match up with the "inny" bits of the people to whom you should be sending this spam to and not me and my "Collection of dangly bits".

To put it simply people..."A DICK"


You've got balls man...

Happened to my wife

This happened to my wife recently - She was suprised (to say the least) to be getting hundreds of bounces back from a spam.

If it had been porn I would have looked into the possiblity of filing a defamation of character lawsuit. It was in your case and if it was written in the first person singular ( "come see me nekkid...") and had *you* as the reply-to I'd imagine you'd have an excellent chance of winning such a case - it would certainly be worth talking to a lawyer about.

Swift and effective retribution...

A spammer forges the wrong domain into a batch of spam, and the victim strikes back. [freewebsites.com]

Spam Addresses

Someone needs to register a domain name and make anything@foo.bar automatically forward to UCE@FTC.GOV . That way, when we sign up for sites and such that filter out users who use UCE@FTC.GOV as their email, there will still be a way to prevent junk mail. Also, sites that list randomly generated fake emails to slow down spambots could be made more effective.

It's called a "Joe Job"

Sometimes spammers do this just by putting whatever domain in. Other times this is done deliberately as a means of attacking someone.

The term Joe-Job got it's name originally from Joes.com when a spammer decided to get revenge in this fashion. Information can be found here:

Spam Attack! [joes.com]

I can say from having had this done to me, it absolutely sucks. It creates a huge mess that takes weeks to clean up, plus the joy of dealing with people who decide to attack you for something you didn't/would never do. If I were to ever get my hands on those responsible....

Unfortunately, the problem with tracking down those responsible for this dispicable act is the same one with tracking spammers down in general. It is time consuming, costly and may not yield a desireable result.

If you want to see more on this, just Google Search for "Joe-Job" [google.com]

It is good to bust/report spammers, but when you do, look at the spam and the site being spamvertized. You might have received a joe-job email and by reporting them, you're playing into the spammer's hands.

If you ever get joe-jobbed, I would say one defense on the web is to change your page to one similar to the "Spam Attack" page I reference above.

Better than Disneyland?

Q: You've had your email address forged on spam, subjecting your mail server to many many many bounce messages and complaints. What are you going to do now?

A: I'm going to slashdot my web server!

Killed or Hurt Spammers

Have there ever been any cases of an e-mail equivalent of "road rage", where someone (or a group) has actually went out and either physically harmed a spammer or killed him?

3 little words

POP
BEFORE
SEND

Seriously, if your mail server has that, turn it on. It means no one can relay mail through your server, unless their IP has made a successful mail-check. Some mail servers let you "authenticate" by checking to see that the reply-to address is valid on the local server, that, as you can see, does nothing and can be spoofed easily. Pop-before-send is quite a bit stronger and doesnt really require the clients to do anything. No, its not perfect, Im not saying it is, but it will help 99% of the time.

Re:3 little words

Um.. those are three very pretty all caps words... but they don't have a lot to do with this article. They aren't talking about open-relay abuse here.. During the course of an SMTP transaction, there are two important identifying lines:
HELO
and
MAIL FROM:

Many SMTP servers will do some sort of verification on the HELO line, but very little can be done about the FROM line. You can't easily kill addresses that don't match the HELO domain because legitimate mail relays would be unable to forward your mail on then.

I can send you a piece of mail that will display bob.hope@whitehouse.gov as the from address. If Bob had that address, and people replied to the forged address, he'd be getting the blame for my spam.

It sucks.

Re:3 little words

POP before send is a hack to get around the poor level of authenticated SMTP support in most clients. A correctly configured SMTP sever will only relay for clients with IP addresses in the local network - authenticated SMTP or POP before send allow people who aren't on the local network to relay mail through the SMTP server. This has very little to do with spam - POP before send just allows you to do something that wouldn't otherwise be possible without running an open relay. How on earth would it prevent someone from forging somebody else's email address? There's no way to pass that authentication information to remote machines, and POP before send generally allows you to use arbitrary email addresses once you've authenticated.

This happened to me... Here's what I did...

This doesn't sound so bad to someone, until it really happens... I began receiving a couple hundred bounced messages an hour, and a few "please don't spam me any more" messages... Just what I wanted - to be known as a porn spammer...

I tried to find where they were coming from, some of the bounces were more informative than others... The originating IP ended up being someone(intentionally or unintentionally) running an SMTP proxy server... And the IP was out in the middle of nowhere... (Came back to a B-class set of addresses... Not much help in tracking down a network admin...)

Some of the bounces had the actual message... Which were linking people to a site which in turn asked them to buy something (saying that their order page was secure when it wasn't)... I tracked down who had registered the domain (the admin and billing contacts...) addresses ended up being in China (domain was cnmailads.com)... Sent email, no response... I set up procmail to redirect the hundreds of bounces to them, plus I had some simple spam filters, and redirected all of my spam to them as well...

The order page contained a form that had an email address for where the orders were really going... I made my own personal copy of the form, and began sending megs of data through... Entering bogus info to corrupt any real entries (who would order this crap over the Net from a website in China??? Who knows...) Email address was a yahoo account, which it didn't take long for me to fill it up... All added the yahoo address to my procmail redirector as well...

I went to a couple of spammy sites (cooldeals.com or something like that)... Signed them up to receive all sorts of valuable emails... Signed them up for some mailing lists too... Easy to sign up, and pain to get off of...

It had been going on for about a week before I started this, and stopped after about 2 days... Checked back to the link that was sent and the site was gone... Probably moving on to the next sucker email address and site...

One result: more SPAM. (Can you say "DOS"?)

I had this happen to me. It was "www securedrugs net" I thought for a while of using some recent attack as revenge, such as the anonymous UDP Gamespy DOS attack, to take down the perp's website for a few weeks. However, I don't really have the time or experience for this sort of thing. If anyone else feels like it, Go right ahead! Now that this has happened, my inbox has seen a doubling of spam. From a Yahoo account, it is not so easy to filter this stuff. Soon I may very well have to pay for Yahoo mail, to get better filtering. Perhaps some of these recipients have signed me up for more? J

For those who cannt access the site

I mirrored it. [myby.co.uk] Read away.

This is a result of broken mail servers

If an email bounces, the bounce is supposed to go back to the sender, not to the Reply-to: address. (I believe this is in RFC 2821) It's amazing how many commercial mail servers out there use Reply-to: to send postmaster notifications.

More and more of this stuff:

Spammers have been resorting to guessing email addys now. This isnt new but I've just started seeing more and more of this shit lately:

Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <dclark@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <paladin@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <mbrown@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <viper@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <kelley@mydomain.com>... User unknown
Feb 12 13:39:27 warthog sendmail[21909]: h1CIdQK21909: <rbrown@mydomain.com>... User unknown
Feb 12 13:39:28 warthog sendmail[21909]: h1CIdQK21909: from=<joe@nowhere.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[200.162.240.168]

I tried to post all 65 attempts in this batch but the damn lameness filter said:
"Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted"

Nonetheless you get the picture.

New Mail System

It seems to me that as long as we have no authentication method for sending e-mail and verifying where it is coming from we will continue to have problems with SPAM. Most mail servers will believe whatever you tell them; this has got to stop. The Reply-To and From fields need to be set on the mail server. Users should also log in to send mail from their smtp server and you should be able to use the same smtp server from anywhere instead of just within its domain. There are other details involved in verifying the smtp server when receiving mail to prevent people from using their own sendmail in an inapropriate manner. This can be solved techinically; especially if there was one global e-mail database but we all know how much everyone wants a global database of anything; let alone e-mail to ID.

There are 2 cases where I have replied to spam

1) Prior to installing Spamassassin so that it gets rid of all of my spam now, I would visually check to see if it looked like something that was actually from someone instead of just an automated deal.
The ones that tended to be exactly what I wanted were the Nigerian scam ones. I tried to always reply to them, and if I noticed that they were in the same area as another, I would try to set them up with eachother or recommend that they talk to each other (sometimes one wanted to "give" me money, other times they wanted to "borrow" money - I had a laugh in recommending them to each other).

I think I only once had a conversation with them where they replied once.

2) I am now cocky about spam with spamassassin doing so well - so occassionally if I'm feeling up to it, I just go through my spam and reply to a bunch of it or try to unsubscribe by the method that they suggest.
I do it purposely in hopes of getting more spam to see how spamassassin holds up to it.

Yet Another Forged Email (not SPAM!) Solution

SPAM and email with forged email addresses are two different problems, though the latter tends to be one of the biggest banes of the former. I think that from a technical side of things, there's a way to handle forged headers by some sort of Web of Trust with email servers. Sorta mirrors how PGP/GPG is supposed to work, but applied to the email system as to do basic filtering without incuring too much new CPU time or traffic loads I suspect the idea's been given before, but my solution is as follows:

First, inplement some SSL or other public/private key crypto into the server software.

When sending server A contacts server B, authenication is attempted. If B as yet does not trust server A (no public key yet on file), then the message is simply marked as questionable (or, say on the SpamAssassin point scale , give it 5 points). A failed authenication attempt should be marked a bit more. A successful authenication would not be marked. Otherwise, the message continues through with the usual routing.

Then you need to set up a way to give public keys between mail servers. I'd start with having the major ISPs talk to either such that MSN has AOL's key, AOL has MSN's key, etc. Basically anyone that acts as a major pipeline provider with mail servers needs to be involved in this step.

Then you get those ISPs and net providers to work at their customers; second tier network providers need to let their ISPs know of their server public keys, and same with business and residental customers with their ISPs. At this point there would need to be some careful authenication checks by the ISPs to watch for spoofers, as this is part of the Web of Trust.

Now, the idea is that if you want to make sure that your message from your email server reaches the reciever without being flagged, you just have to make sure the email goes along the path that you know is Trusted. So your email goes from your server to your ISP, where your ISP should now trust your server; from your ISP to the receiver's ISP, again with Trust, then from reciever ISP's server to the reciever's personal server, again with Trust. Everything authenticated, so the reciever should be able to trust everything in the headers.

Now say you haven't yet gotten the Trust of your ISP's server; then when you send, there's a mark on it from the lack of trust of your email server to the ISP server. The rest of the transport changes nothing, but the reciever will be able to notice the mark and can assume that there's some question to it. Or say that you send from your email server directly to the reciever ISP's server (removing your ISP's server); again there's no trust between you and the reciever ISP's server, so your message gets another mark. (That's how one can deal with 'rogue' email clients).

Another possiblity is that mail servers can apply different scores if the sending server is already on a blacklist, is otherwise unknown, or on the whitelist of public keys. This would make mail from blacklisted servers get huge marks against it.

Over time, an ISP or other organization can tally the Trust levels from various ISPs and see if a lot of untrustful message fall through. If that happens, they can simply remove/disable the public key of the ISP that is sending them. This won't stop the mail from going through, but it will start flagging everything as being untrustful. Presumably there would be some way to the ISP at fault to know that this happened, and can take steps; maybe they can look at their logs and see that a mail server upstream of them is sending too many untrusted messages, and then they can disable that public key, and letting the original ISP know that they've dealt with the issue such that the original disabling is removed. This is how one can deal with ISPs that are "spam havens".

At some point with the Web of Trust fully in place, email servers can then start blocking messages that lack sufficient trust, or basically scored too high already. While this point can be a problematic step in the question of free speech and false negatives (blocked legit messages), if the Web of Trust is given fully enough time to develop before this blocking begins, I'm pretty sure that you'd find no false negatives from this method.

Since someone with forged headers are most likely going to be either using their own email server, and/or using open relays on the net, it would be expected that these servers would never be trusted by the ISP that hosts them (much less other ISPs), the server operator would never try to establish any trust with an ISP, or that no ISP would ever want to trust these email servers, thus leading to effectly 'ignoring' of these servers.

Key here is that besides putting such software in place, it's a system that can be used to gracefully implement the Web of Trust instead of a cold-turkey approach (that is, maybe initially untrusted messages get only low points against them, but once the web's in place, that point value goes up). It's adaptable when new "spam havens" are found, or ex-"spam havens" take steps to reduce their problems. And it would seem to me (though I do not consider myself a guru on network problems or the email protocol) a simple thing to modify the existing email clients to handle this new function cleanly. Most importantly, it would be necessary to get word of these Web of Trust servers into the sysadmin world such that it can be implemented in a rather short period of time as to get the fully functioning Web in place.

My Long Life: 500 bounces? try 200,000 and growing

I've been a joe-job victim at my yahoo.com address (for which I'm paying $30/yr) since Dec 15, 2002. Since that time, I've received 205,282 (as of 10:00 am PST Feb 12 2003), presently receiving additional bounces at a rate fluctuating between 9000-12000 per day (since Feb 1 2003), having increased from the original 2000 per day in mid-December (with a 1 week break). If you'd like a copy of all 205,000, respond, and I'll send you a tarr'd gzipped directory.

The website being advertised is the same (penis enlargment), and the IP remains the same (always www.fundamentalbusiness.net, served from China). At present, they're using http://www.fundamentalbusiness.net/x2/index.html [fundamentalbusiness.net] (/. away).

I have a done the following:

1) The company is a fraud (says I), geared to collect credit cards for fraudulent purposes. The name registration was done with a US company, and the contact information on the reg. is all fraudulent (bizarrely, it is only a few miles from my home). I emailed the registration company, pointing out that they probably were paid with a fraudulent credit card number, and so should "shut off" the name registration. No response. 2) The original website (since changed) had an actual address with phone numbers. Reverse lookup showed that the phone number is a land-line, and so likely leads to a real person (it could have been a cell-phone, which could be a person anywhere in the world, or to a non-existent phone). Phone calls gave a non-committal vmail service, and messages left were unanswered. 3) The website and emails are being served from a Chinese IP. Didn't even bother trying to contact.

Legal approaches: A) The original phone number/address on the website (no longer there) lead to Florida, which has no anti-spam laws. B) I live in California, which claims a $50/spam law. However, see below. C) I contacted two attorneys -- one (it turned out) who I knew personally, and found that to pursue a claim would require $15K-$20K retainer, which is substantially greater than real damages (and more cash than I have to sink into a speculative legal wrangle). The second attorney said the same, AND that even though I live in CA, the $50/spam law would only pay to an ISP (yahoo). N.B. the above was not told to me as a client, and did not constitute legal advice (i.e. could be wrong). C) Several email contacts to yahoo.com went unanswered. D) Complaint has been filed with the California Attorney General, with no response.

Solutions: A) My (apple) mail tool now has about 8 rules which sort out nearly all the bounces. Exceptions include bounces which have chinese subjects (can't translate, and the From keeps changing). B) Wait. Hope. Pray.

Why not just abandon my email address? Because it is my last name, registered at yahoo.com like 2 weeks after yahoo started in 1992 (or so). It's a damn cool address and I want to keep it!

My personal experience with the "joe job" tactic

I was the target of a joe-job since last April. A spammer advertising a Human Growth Hormone website based in China was sending out tens of thousands of spams over a long period, with my long-held email addy in the From: address.

The vast majority of the mails you get back are administrative emails saying that "the user does not exist." There is also a small amount that you get that are ill-informed, ignorant, and often very inflamed responses from people who respond.

At the peak of the attack, I got over 14,000 emails in a single day. It almost caused me to have to give up my email address, which I had held for almost seven years at the time. I didn't want to give it up so easily.

My solution was to install and use the Tagged Message Delivery Agent (http://www.tmda.net), which is a whitelisting service. It has my admiration for rejecting 100% of the unwanted emails for two reasons. First administrative accounts don't reply to their whitelisting requests, and second, ignorant angry users don't bother to reply to get whitelisted anyways.

As for the question of why someone would do this, I have thought of three reasons:

- To make their spam look more legitimate.
- Just to cause general havoc
- Because I have, in the past, not hesitated to complain to service providers about spam. This was probably retribution.

I did attempt to bring some form of legal action into the fray. I talked informally to Scott Frewing, a US attorney (one of the prime players in the Skylarov case), about the attack. He referred me to the FBI's online fraud folks, but couldn't really give me much encouragement on the chance of the success, since the spammer's website was located in the China Telecom domain, although the company it claimed to represent was in New Jersey. In fact, he told me I would probably be better off pursuing the case strictly on the basis of fraud and possible identity theft (the use of my email address) rather than as a spam case.

I stopped pursuing it after talking to Frewing.

In any event, I have won the battle in the sense that I will never see the unwanted mails. But I have lost the war in the sense that I can't really make the F*CKER stop doing it, and it does consume resources on my linux box.

Happened to my Sweetie Two Weeks Ago

My sweetie got Joe-Jobbed a couple of weeks ago. 20K bounces over the course of the day. Thankfully, the payload of the spam was only two lines of text, containing a URL to a (non-existent) pr0n site. So the bounce messages were comparatively short. A cursory look at the headers in the bounces suggested that the attacker -- 'spammer' is too genteel a term for this -- was using a constellation of open relays to spread the stuff.

She came into my office, saying, "Make it stop!" Sadly, there turns out to be little one can do to stop it. The emails were coming from thousands of different legitimate sites, all serving a legitimate bounce to an illegitimate spam. It was very distressing for her. Fortunately, the attack stopped, and things settled down after about 24 hours.

I wrote up the experience [kuro5hin.org] on Kuro5hin. Feel free to have a look.

Schwab

Happened to me

I had the UK national radio station Classic FM [classicfm.com] hijack my domain and use it to send a Valentines day spam message (this was last year). Again, the only way I found out was when all the spam came bouncing back to me. I wrote to the MD of the station, and did get a personal reply, apologising and claiming their web developer had made a "mistake". I asked for compensation and didn't get it though. I also got plenty of out of office auto replies, plenty with name, addresses and telephone numbers. The biggest number of bouncing emails came from Hotmail, Yahoo and Lycos. The thing I found most upsetting was the possibility of having my email blocked by companies or people that got this spam or having my net connection closed because of spam reports.

Unfortunately, posting to /. can generate spam....

Two stories, one related to /.

I submitted an article to /. last weekend about the Simpsons cast on Bravo. To my utter shock, it was accepted and posted. I stupidly put my very private email (the one that didn't ever get spam) in the Email field. I know, I know...

Less than two hours later, I started getting weird email, complete with .zip.pir attachments, and a few with blatant Trojans. Luckily, I'm OSX so they had no effect, but I was amazed how quickly the email hoovering app grabbed that email addy. They seemed more malicious than sales oriented.

I haven't received any today at that address but I'm still kicking myself. Moral: spammers hoover slashdot, so don't post your email here, ever.

Story two: For almost five years I had the email bruce@altavista.net. In November, I got mail from Mail.com stating that the Altavista.net domain was being closed down and they were replacing my long-used address to something like bruce@way-cool-dude.com. Um, no thanks I said, I use this account for business and that doesn't work for me.

Ok, they said, how about we reactivate bruce@mail.com and you can have that? "Hmm, neat addy, easy to remember," so I agreed. They activated it on a Monday night.

Tuesday morning I woke up to more than 400 mails. Maybe 20% were typical Hotmail "make your penis so big you need a hose reel" spams but a full 80% were Joe jobs: spammers who had used that address as a reply-to. I knew I was going to shut it down but I watched it for three days just to see.

Total Joe job spams, almost four thousand (in three days) before I had them cut the damn thing off. Said fuck it, and bought a domain for business mail, and ended that adventure.

Someone oughta make a law.....

It's about ADVERTISING

The author of the article appears to have missed the point. His address was used as a return address because the spammer did not care about any e-mailed responses. The spammer never expected (and probably didn't want) to receive any response in the normal "reply" sense.

The message almost certainly contained some sort of serial-numbered link to the spammer's web site. That way if your serial number shows up in their web server's log, they know that you've opened their message.

Doesn't sound like a big win for them... until you know that advertising is big business. By proving that you opened the message, they can claim that their spam will make one more "impression". Initially, they'll want to do a little profiling because audiences "targeted" by interest areas can be sold for higher rates, something like [US]$10 per 1000 impressions in general and up around [US]$20 or more for 1000 targeted impressions.

Once you've opened one of those dumb spams with a mail client that will load images from HTML IMG tags, you become part of the "audience" which that spammer can sell to advertising clients.

And by the way... five hundred e-mails is nothing compared to the number of hits the spammer probably got back.

It happened to me too, but I got a little revenge.

in the last 4 days my yahoo account (which i've had for years and don't want to have to change) has used its' 6mb quota up 17 times because of all of the undeliverables i'm getting back from this spam I didn't send. I volunteer for a Forensics K9 Search group and I get emergency call-outs sent to this address, so my mailbox filling up and bouncing messages is a very very very bad thing. (side note: this week NASA contacted us saying that if they needed to call in groups from outside CA and TX we were next on the list to be brought in!) This morning was the last straw..i got over 1000 bounces again and I decided to take a closer look at the SPAMMERs site. It turns out they have a crappy verisign shopping cart that does not, in fact, verify credit card numbers beforehand. So i submitted the form about 1000 times before i got sick of it. If you'd like to have a laugh, or to help me get revenge, then click the link below to see a screenshot of their website with the info i filled in the form, as well as the URL to the SPAMMER's page...

This is NOT the spammer's page, just a link to a screenshot of their page with the URL included [greenwebdesign.com]

next attack

Mike Masnick wrote up his experience getting slammed by a somewhat new kind of spam attack that doesn't get much hype

Now he gets to write about a somewhat old type of DOS attack known as "getting slashdotted". Actually, his site seems to be holding up well.

MDC

How to easily avoid this kind of problems

Sending a spam with a fake return address is called a Joe Job in anti-spam circles (see the posts above). This is why you should never, ever reply to a spam. A reply will either enrich the database of the spammer (if the Reply-To address is genuine) or will annoy an innocent user. Spammers don't read replies.

The only effective countermeasure I found was to use SpamGourmet [spamgourmet.com]. It's a web site that allows you to define disposable addresses forwarded to your real (secret) address. The disposable addresses can be disabled. They automatically shutdown after 20 messages from unknown senders (not in your whitelist). So, a Joe Job would generate, at most, 20 replies into your forwarded mailbox. After that, you'd have to re-enable the disposable email, although you'd rather leave it disabled because it WILL be spammed again.

-- SysKoll

This happened to my girlfriend too

My girlfriend started getting a ton of bounced emails and not being a techie type person, asked me what the hell was going on...turns out the same thing happened to her as happened to the writer of that article: A spammer was mass mailing, in this case, penis enlargement pills, and setting her address as the reply-to.

Instead of writing a witty retort on a website though, I took care of it the way everyone else should from now on: (READ THIS) I looked up the registration info on the website that was being advertised in the spam....luckily it was a US registrant.

I then immediately called the technical contact listed for that company. After a few tries, I managed to get him to answer the phone. I told him politely but firmly that whomever he had hired to advertise his website/product was using questionably legal and certainly unethical tactics to do so and was making a lot more enemies than customers. He seemed genuinely upset that this was going on and gladly gave up the name, address, email address, and telephone number of the spam-mercenary he had hired. I called the spammer and left a voice mail telling him I hope he didn't really enjoy his email address or phone number a whole lot and proceeded to sign up for any and every mass marketing, porn, magazine subscription, and telemarketing form I could find.

Sometimes the operator of the website is the one doing the spamming, and if this were the case I would have chewed him a new one when I talked to him. Either way, you'll get a pretty good idea of where the spam is coming from if you just call the webmaster for the advertised site. I've been saying for years that this is how they need to enforce spam legislation....bring charges against the website operator rather than trying to track down the spammer. No customers to spam for, the spammers will dry up and blow away. Legally, it makes sense...if you hire someone to kill a person for you, you're legally culpable...so hiring someone to spam for you should get you into trouble as well. Make the first offense a "warning" in case they hired a marketing company and didn't know they were spammers. A slap on the wrist and warnings of heavy fines for future infractions will most certainly make them choose more wisely when picking a marketing company.

Doesn't protect the ISP or end user

Sure you can filter it, but you haven't stopped the bandwidth that you paid for from being sucked up.