Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Spam Your Rights Online

Fighting Spam on the Home Front 306

Saint Aardvark writes: "Something interesting from the SecurityFocus Honeypot mailing list: a couple of honeypots for spammers. This message has a link to a how-to page for setting up a Sendmail honeypot to trap spammers, and the status page for a honeypot in Moscow that's trapped spam meant for >1.7 million recipients. The author mentions using a honeypot in conjunction with the Distributed Checksum Clearinghouse -- this seems like a great way identify both spammers and their messages."

And C-Moan writes: "Wireless spam volume is likely to increase in the coming years. But smart use of spam-fighting measures can go a long way toward eliminating the problem. This article provides info about the latest crop of e-mail filters and enhanced mail client options, as well as two roll-your-own programming platforms that could help keep your in-boxes spam free."

This discussion has been archived. No new comments can be posted.

Fighting Spam on the Home Front

Comments Filter:
  • by Anonymous Coward on Monday February 25, 2002 @12:26PM (#3065303)
    I run a fourth level .ca domain. It gets so much spam that the only solution for me was to put in firewall rules. TCP port 25 is open for my 5 friends, and a few mailing lists. For everyone else, it's closed.

    I've got a longer rant on my web page, but I won't post it here, as the machine will die.

    Suffix it to say that I can't afford 500k+ spams a day. The SMTP 'HELO', 'MAIL FROM', and 'RCPT TO' traffic for spam was getting to a gigabyte of
    traffic every few days.

    rbl doesn't work. The spammers that hit me aren't listed on it. 'teergrube' doesn't work. I can't afford the bandwidth or the CPU time to maintain millions of open connections.

    When you get spam, if you do ANYTHING other than
    drop the TCP SYN packet, you've lost.
    • by Anonymous Coward
      Well, a comment from your "Operator in Moscow" who is actually runs this system (h0n5yp0t url above). No, my system is well-running. It's i486DX4/100 machine (go to www.corpit.ru). I can control it to the level I need. But what I want this machine to be protected from is -- from being /.'ed... ;) I noticied that machine load average increased to about 8..9 and noticied huge amount of hits in my apache logs. I was unaware of this /. posting. Well, machine handled (and handles) this load pretty good.
    • You should run teergrube, here's an answer as to why from the Teergrube FAQ [iks-jena.de]:

      How many connections will be tied up by a teergrube on my host?

      A regular teergrube will hold up to ten connections open at a time. On the spammer's side there will be up to ten connections open for every teergrube he runs into. So decentral resources fight against centralised spammer ressources. The more teergrubes are installed, the better.
  • spider traps (Score:4, Interesting)

    by Alien54 ( 180860 ) on Monday February 25, 2002 @12:29PM (#3065317) Journal
    I recall a number of scripts meant to trap spidering harvesters by generating endless pages of bogus content, with bogus addresses.

    I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.

    • Re:spider traps (Score:4, Informative)

      by Raphael ( 18701 ) on Monday February 25, 2002 @12:58PM (#3065491) Homepage Journal
      I recall a number of scripts meant to trap spidering harvesters by generating endless pages of bogus content, with bogus addresses.

      You are probably refering to Sugarplum [devin.com] or Wpoison [monkeys.com].

      I wonder how useful they would be in a honey pot setup, if you had the bandwidth to spare.

      They perform two very different purposes: the poisoning scripts mentioned above are designed to fool the robots that harvest e-mail addresses. They slow down the spammers and introduce many invalid addresses in their list, but they cannot completely prevent the spammers from collecting e-mail addresses.

      The fake open relays mentioned in the article are designed to stop the spammers from sending their spam. The spammers think that they have found a nice open SMTP relay and they dump all their spam to it, but in the end nothing is sent to the intended recipients.

      You could of course run both on the same machine, but this is probably not a good idea because the goals of these spam traps is to convince the spammers that they have found a "live one". If there is anything that looks strange on the target site (such as a warning generated by their harvesting robot), it is likely that they would consider this to be a suspicious site and they would not try to use it to relay their spam.

    • if we can set up a trap and let the email-harvesting bots come in, and the trap sends back a virus to blow the machine up, or something less dramatic like deleting the contents of the hard drive.

      Is this legal? Is this feasible? I'm no expert is email system and scripting.

    • Re:spider traps (Score:3, Interesting)

      by po_boy ( 69692 )
      I just wrote a mod_perl apache module [mooresystems.com] to implement a similar honeypot idea. The primary difference is, though, that if a spider requests a page from the honeypot, the webserver realize that it's a maliicious spider. After that the webserver refuses to serve any pages at all to that client for some time.


      It's supposed to cut down on email harvesting bots and others that ignore the /robots.txt file

    • Hmmm. Some of you may be interested to know that our favorite "cause celebre" company, Elcomsoft, sells spamming software.

      Their spam-software site is here [massmail.ru]. Scroll down to the bottom to see the (c) Elcomsoft.

      Of course, the Slashdot editors rejected this story :-)

      • That's been common knowledge on /. almost since Dmitry got arrested. Most of the comments were along the lines of: yeah, spammers suck, but getting arrested for talking about Adobe's poor encryption is criminal.
      • Dmitry didn't write the spam software. He simply worked for the company part-time, doing something entirely unrelated.

        It isn't really fair to blame interns who happen to work for [insert name of evil corporation] for the company's possibly unethical behaviour. I doubt that many people here agree with everything their employer's does. (I know I disagree with my employer's decision not to promote me and give me a big fat pay rise...)

  • by greyguppy ( 413383 ) on Monday February 25, 2002 @12:30PM (#3065319) Homepage
    I like the idea with sendmail -bd, not delivering any mail, but surely spammers will simply assume that an "open" relay that takes 2 days to deliver their test message is being moderated as such by somebody running a honeypot. Unless you can identify, and forward spam tests as quickly as if the mailserver was running properly, then the spammers will soon catch on.
    • I do not think that many spammers pay attention to the delivery time for their test messages, because they usually send dozens or hundreds of probes at the same time. As long as the message is delivered (by hand) within a couple of hours, that should be sufficient.

      But they will probably pay attention to this trick sooner or later. So we need a more sophisticated script than this simple "sendmail -bd". Maybe some kind of "limited open relay": a program that always delivers the first message received from any IP address, but delays (or drops) all the other ones coming from the same address. There could be a configurable threshold allowing more than one message per IP, in order to fool the spammers who would try to send two test messages.

      Such a machine could be used as an open relay, but with limited consequences. As long as the administrator of the machine keeps the logs of all incoming IP addresses (with timestamps and as many details as possible), the messages that go through it will not do much damage.

      • there was a school of thought on this that would increasingly delay the time between each message sent. first message goes right out. next takes 2 seconds, 4 seconds, 8, etc we all know how doubling works. simple but effective if I am sending a message to 4 or 5 people there is no noticeable delay. if I am sending to 50 people it will take a couple hours. any more than that you are probably spamming. in a real implementation you would probably come up w/ a more elegant scheme than doubling. B)

        as w/ any spam ruleset there are exceptions. there should be a conf file for allowed mail senders such as if you are running a mailing list or the such.

        it should be trivial to write something like this into a milter or to just put a wrapper in front of your port 25.

  • What am I missing? (Score:3, Insightful)

    by Carmody ( 128723 ) <slashdotNO@SPAMdougshaw.com> on Monday February 25, 2002 @12:33PM (#3065343) Homepage Journal
    I read the article, and it seems to be based on this.

    (1) Spammer sends bunch of stuff to someone who is throwing it away, unread

    (2) ? ? ?

    (3) Spammer is discouraged from sending spam

    In other words, I understand that that spammer THINKS his spam is reaching endusers, when, in actuality, it is not. But I don't understand how that discourages or harms the spammer in any way.

    • by GeorgeH ( 5469 ) on Monday February 25, 2002 @12:55PM (#3065468) Homepage Journal
      (2) Spammer sees .01% response rate drop to .0000001% response rate (finding open relays, spidering email addresses, etc). Looks at books and sees that he spent 10 hours getting everything together to spam. Additionally, he spends 30 hours dealing with people who call pretending to be interested, keep him on the line, and then say that their credit card number is "spammers suck." So he spent 40 hours and only sold one widget, that he gets a $5 profit on. Realizes that he could have made more money working 40 hours at Mcdonalds, and there are nicer customers to boot.

      The reason people spam is the cost is low. Increase the cost of doing business and they will reevaluate.
      • by Carmody ( 128723 )
        (2) Spammer sees .01% response rate drop to .0000001% response rate (finding open relays, spidering email addresses, etc)

        This is an interesting answer. If the spammer is looking at response RATES, that answers my question, because the honeypot will decrease the apparent response rate. But wouldn't a spammer be looking at the response TOTALS? In other words, "I spend $1,000 to send a spam, and I got $10,000 in orders, so I made 10x my investment." The response total will not change if there are honeypots or not, because the spam would be blocked by the ISP who set up the honeypot in either case.

        Your argument works if the time investment (the 40 hours you detailed) goes up as the response rate goes down. I don't believe it does that - whether or not a honeypot is set up, the spammer still sends out the same quantity of spam.

        Do you agree with me, or am I still being thick?

  • vipul's razor!!!1` (Score:5, Interesting)

    by notsoanonymouscoward ( 102492 ) on Monday February 25, 2002 @12:37PM (#3065363) Journal
    This sounds alot like vipul's razor [sourceforge.net] a fellow checksum'ing spam catcher. In addition to being free and open source, I think vipul's has been around longer than these other guys. They also use honeypots to catch lots of spam, but I believe not so much in the relay dept.
    • Makes quite a difference. I've pointed my trollbox at the report script. My own spamido scripts were OK, but lacked the distributed functionality of Razor.

    • It looks like it's designed to integrate quite well with sendmail while Vipuls Razor is easier to plug and play with Procmail.

      Vipuls Razor looks easier to install and get running, but DCC might be more effective for high capacity sites.

      Two slightly different approaches, Vipuls Razor is Perl based and DCC is written in C. How's about a common data format, common databases and servers?

    • Checksumming strikes me as very easy to defeat. Just have the mailer append a random string to each message body. I've noticed most spam already does this with subject headers. Am I missing something?
      • by zsmooth ( 12005 ) on Monday February 25, 2002 @02:09PM (#3065902)

        Am I missing something?

        Yes. The DCC page states that they use a 'fuzzy' checksumming algorithm that doesn't just checksum the whole message, and that the algorithm is evolving as spam evolves.

        • Yes. The DCC page states that they use a 'fuzzy' checksumming algorithm that doesn't just checksum the whole message, and that the algorithm is evolving as spam evolves.

          I cannot speak to what approach DCC uses, but razor [sourceforge.net] only picks pieces of a message it believes to be static when computing its SHA1 hash. In the very near future, razor is going to implement Nilsimsa hashes [shinn.net] which are 'fuzzy' and should be able to detect everything from spam with minor differentials to mutating e-mail viruses.

          Combined with the new razor trust system, razor is going to be quite the tool; and when used in conjunction with SpamAssassin [taint.org] we'll have quite the arsenal to battle unwanted spam.

      • Who says you have to checksum the entire body of the message?

        You can pick bits of the messages to checksum, say the 5th to the 10th from last line. Exactly the bits the spammer wants you to read.
      • Checksumming strikes me as very easy to defeat.


        It is.
        A rock will let you enter a locked car, but you still lock your car.
        A filter doesn't need to be 100% effective to be useful,
        and it's not likely that spammers will care until this kind of thing is guarding more than 50% of mailboxes.

        The random string is more likely a tag to find out who responded than an attempt to bypass filtering.

        -- Is a "no soliciting" sign spam?
  • by GSloop ( 165220 ) <networkguru.sloop@net> on Monday February 25, 2002 @12:38PM (#3065367) Homepage
    I've come to the realization that the solution to spam is political/legislative.

    I use SpamAssassin and it blocks virtually all spam, but that doesn't really solve the problem. Most users can't use spam assassin, or other good spam blocking system. Spamcop is good too, but that's now $3/month. Why should I be forced to pay to haul the spam, and $3/month not to see it?

    The solution as I see it is this. We need legislation that allows for damages from the beneficiary of the spam. Almost all of the spam I get comes from SMTP servers in China and Eastern Europe. Good luck getting these people shutdown. Or, it comes from an open relay. Again, it's useless to attack the unwitting/stupid party, although it might have some effect here. But the spam beneficiary almost certainly has a bank account in your country, or some bank funds transfer mechanism. If they want to do lots of business with the US or other countries, there's going to be somefinancial presence there. So, we now have money...just tap into that money, by making the beneficiary of spam a civil tort, and spam just gets more expensive to promote.

    When the demand for spam drops, because it's too expensive, then the demand for the out of country spam services drops, and eventually, most spam stops.

    There would need to be some way to keep companies from being "set-up" as spam beneficiaries, but I think that shouldn't be too hard of a problem to solve. (Who's going to pay a spammer to "set-up" someone else, when the risk could be quite high if you get caught?)

    Anyway, I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators. I don't know that they care, but I can pretty much guarantee they're going to get sick of getting such sicko stuff in the mail. Perhaps they'll actually do something. I've even pondered sending it all to every congressman and every senator, but that's a bit costly!

    Well, do your damage...

    Cheers!
    • Agreed. You can cite U.S. state-specific violations from this page [spamlaws.com]. Remember, it's just as easy for them to ignore e-mail as it is for you to ignore spam, so send a postal letter [about.com] to your representative [about.com] or senator [about.com].
    • by jazman_777 ( 44742 ) on Monday February 25, 2002 @01:15PM (#3065588) Homepage
      I've come to the realization that the solution to spam is political/legislative.


      I've come to the realization that the solution to spam is vigilante justice. That's how my emotions are, anyway.

    • Not Quite So Easy. (Score:3, Interesting)

      by BadlandZ ( 1725 )
      I'm starting to print out the most scummy spams, Porn etc (Esp pictures) and I'm going to mail them to my Congressmen and Senators.

      How's that going to help if the porn sites are in China? Passing a law won't change it, your Congressman and Senator would have to be willing to support some kind of "punishment" in the form of economic sanctions or something on the country as a whole.... If that... It's not going to happen, not by just passing a law.

      If it were to be stopped by law, it would have to be an INTERNATIONAL law (funny how electrons in cables don't know to carry a passport and stop to check in with the Customs Officer when they cross a border).

      And, EVERY country would have to support the law. Or else the spaming operations would just move to a country that allows it. Good luck getting every country in the world to agree to an international policy just to keep spam out of your inbox.

      Sorry to rant, but it gets on my nerves when ANYONE thinks the USA has some right to make any Internet regulation at all.... because, they are trying to control something that extends way beyond the countrys borders.

    • You should be careful before sending pages of porn to your congress-critters. I don't know the details, but I know there are laws in the U.S. re. snail-mailing porn. Your spammers would probably really enjoy having you in court, possibly even in jail, while they continue to spam porn to the world.

      Just a thought.

      Does anyone know the requlations regarding sending pornographic materials via the US Postal Service?

      • Does anyone know the requlations regarding sending pornographic materials via the US Postal Service?

        Yes, I'd like to know...

        But, I think it would be very NEWSWORTHY for me to get "prosecuted" for sending porn in the mail to my representatives, when government refuses to do anything against the spammer and the beneficiary of the spam for sending it to me in th first place.

        Plus, I think they would have a difficult time making it stick, as it would be the most protected speech. Speech to a representative for political discourse... (Or am I full of it?)

        I would really hate the time spent fighting it, and the expense, but I could really raise the roof if I was able to get it in the press.

        This is rather a cool idea. I might just "push the envelope" to see what a stink I can raise!

        Any suggestions?

        Cheers!
    • "The solution as I see it is this. We need legislation that allows for damages from the beneficiary of the spam"

      And watch as all Slashdotters start spamming each other with advertisements for Windows XP.

      "I've even pondered sending it all to every congressman and every senator, but that's a bit costly!"

      Email, man! :)

    • And when the eco-terrorists, or the Republican party starts sending you "position papers" who do you sue then?

      -- Is a "no soliciting" sign spam?
  • Teergrube (Score:5, Informative)

    by quigonn ( 80360 ) on Monday February 25, 2002 @12:40PM (#3065380) Homepage
    What can be generally interesting when fighting spam is
    1. razor [sf.net] (I recently posted a message about it on /.)
    2. A "teergrube". This is german for "tar pit". In the ice age, animals like mammoths trapped into them, today the spammers shall trap into them. Lutz Donnerhacke wrote an interesing FAQ about it, you can get it from here (english, of course) [iks-jena.de]. IMHO every ISP should run such a teergrube on his SMTP host.
  • more documentation (Score:3, Interesting)

    by Anonymous Coward on Monday February 25, 2002 @12:41PM (#3065389)
    I've just rented a dedicated server running freebsd, and I get messages of relay denied daily, now I need to accept relay for my users... so i've been reading about pop before smpt, thats a good solution, since I am not used to sendmail, it has been very difficult to configure it for me...I think we need a document to configure sendmail "for dummies"...all the documentation ive found is not so easy to understand.
    • O'Reilly. The one word you need. The "Bat Book", which is their sendmail tome, helped me daily when I ran sendmail.

      I now run postfix (or qmail, when I need EZMLM for mailing lists), and am eagerly awaiting their Postfix book.
    • by ncc74656 ( 45571 )
      I've just rented a dedicated server running freebsd, and I get messages of relay denied daily, now I need to accept relay for my users... so i've been reading about pop before smpt, thats a good solution, since I am not used to sendmail, it has been very difficult to configure it for me...

      I've handled local relaying by just adding IP addresses and/or address blocks to the server config. It works as long as nobody has a dynamic IP address...since the addresses that are let through are all private-subnet addresses (people behind the firewall), this isn't a problem. Their mail gets out, but spammers in search of an open relay are cut off.

      You might also want to look into qmail...it's much simpler to get going than sendmail, and IIRC no security holes have been found yet.

      Somebody linked to this article [evolt.org] on using Apache to find the bots that swipe email addresses from websites. While you're waiting for the bots to respond to their suggested changes, you might also consider searching your logs for other attempts at sending mail through your system. Searching all the logged 404s on my server turned up 91 attempts at exploiting webmail systems. Some were the result of Nessus [nessus.org] scans I had aimed at my server, but filtering those out left 36 confirmed attempts.

      Here are the user-agents that turned up:

      • EmailSiphon
      • Microsoft URL Control - 6.00.8862
      • Gozilla/4.0 (compatible; MSIE 5.5; windows 2000)
      ...and here are the addresses of the spammers (get a load of the last one on the list):
      • 07-127.057.popsite.net
      • 209.85.24.157
      • 24-161-169-176.san.rr.com
      • 24.27.210.44.pinecastle-ubr-a.cfl.rr.com
      • 251.cleveland-05-10rs.oh.dial-access.att.net
      • 2cust165.tnt2.ladue.mo.da.uu.net
      • 63.116.175.28
      • 64-214-40-67.brv.frontiernet.net
      • ac85c77d.ipt.aol.com
      • ac894f07.ipt.aol.com
      • ac8b6f74.ipt.aol.com
      • acb5c2f6.ipt.aol.com
      • adsl-64-169-101-147.dsl.lsan03.pacbell.net
      • adsl-64-172-45-126.dsl.snfc21.pacbell.net
      • cm092.8.234.24.lvcm.com
      • ip68-0-166-201.tc.ph.cox.net
      • lsanca1-ar2-143-206.lsanca1.dsl.gtei.net
      • pool-151-201-153-163.phil.east.verizon.net
      • roc-204-210-146-77.rochester.rr.com
      • tide86.microsoft.com
  • by Anonymous Coward on Monday February 25, 2002 @12:42PM (#3065390)
    Short-messaging (SMS) is enormously popular in Europe. Here in Finland, the porn spammers begun to capitalise on the popularity by sending "call this number to get your cock sucked by beautiful ladies" kind of SMS spam to arbitrary listed numbers including underage kids' cellphones.

    This kind of spam exists no more. How? It was made illegal practically overnight and that shut the bastards down.

    The spam problem is a political problem. Until there is enough political will in your governments to crack down on the spammers HARD, the spam problem will be getting worse and worse.

    • Political will in the US Government? Surely you're mistaken. Oh, sure they all jumped up and said their piece after Sept, 11, and a bunch of them actually are behind campaign finance reform, but they only do this AFTER it's a problem. Well, spam's a problem, but they've let phone solicitors drive us to screen messages on answering machines (which I swore I never would do, but do now) and all this BS is some twisting of "Freedom of Speech".

      I'd like to see the House, Senate and Administration actually come up with some relief legislation on this and crack down hard. Pity, they won't do it, but they saddle us with DMCA.

    • The cell phone that my company provided us has the service from AT&T (that would not be my first choice if I could choose). And I received all kinds of spam pages on the phone every week (it's not as crazy as email spam, but still...)

      Some of them are from AT&T itself (I really can't understand why they spam their own already-service-subscribing customers!). Otheres are from who-knows-whom. Some with messages like "Call this number to make more money", or "Call this number for a free home loan consulting", or some idiotic messages like that.
    • As many posters wrote, many UCBE emails come from servers outside US and EU, so I don't see how a legislation could help for those cases.

      That doesn't mean nothing can be done, but no solution will make spam disappear instantly.
  • by weefle ( 22109 ) on Monday February 25, 2002 @12:47PM (#3065417)
    It would be really cool to take the relay blackhole list to an extreme, and enhance it with something like LaBrea [hackbusters.net]. That way, instead of just immediately refusing to accept spam, freeing the spammer to move on to the next host on the list, a "tarpit" relay would bog the spammer down, maybe slowing their spamstream down to the point that they're sending only one message per hour. If we could get just a small percent of the SMTP servers on the 'net running such a tarpit, that would reduce the amount of spam that we all get. That is, until the spammers rewrite their software to give up on slow relays.
    • One of the system administrators that I have worked with for a client has actually done this. He owns an ISP. Basically what he does is he setup the SMTP server to sleep for .001 milliseconds (or something small like that) for every email that you send. So if a person sends one email, there is no slow down. But if a person sends 100,000, after the 1000th or so, you'd have to wait close to a minute after each message sent. So at that point, the spammer figures his autospam program is bugging out and cancels to try again.
  • by Dimensio ( 311070 ) <darkstar@noSpam.iglou.com> on Monday February 25, 2002 @12:47PM (#3065420)
    The only real solution to the spam problem is to kill spammers brutally, horribly and publically -- placing their heads on pikes as a warning to others. The US should encourage foreign governments to do the same under threat of airstrikes (though said airstrikes should only be centered on the locations of known spammers).

    Yes, I'm serious about this. I despise spam and wish all spammers DEAD.
  • by linuxrunner ( 225041 ) on Monday February 25, 2002 @12:54PM (#3065459) Homepage
    I decided that one day I would reply to all the spam that I received in my non-personal mailbox.

    I did
    I then received all the mail back as undeliverable.
    I replied the same day it was received so what good are these spammers doing? I mean, how do they expect to make any money if they were not there to take mine?

    • I blame it on viruses.

      My guess is that these spams come from infected computers that are infested with a virus designed to send out spam and infect more computers at random. It might have been months or years since the first round hit and the email address of the satan who sent it is long gone (hopefully dead.)
    • Most spams do not use valid return addresses. They either have you click on a URL to go to a website or have you call a number or mail something to an address. The reason that this happens is that if they were to use valid emails, they could be tracked down easily. Their accounts would close once they are detected to be spammers. So they use dummy accounts at one of the free email services online. Or they setup dummy return address fields. This hides their tracks to an extent.

      Another thing that they do is they send you spam just to check if you have a valid email address. There is probably greater profits in the sale of email addresses than what they seem to be selling in the emails. Even if you don't respond to it, 1) they don't get a auto-response bounce back (therefore it's valid) 2) at times HTML emails contain images located on a server. This allows them to track if a message has been read and which message.
      • by Binestar ( 28861 ) on Monday February 25, 2002 @01:29PM (#3065671) Homepage
        2) at times HTML emails contain images located on a server. This allows them to track if a message has been read and which message.

        This is exactly that, most HTML e-mail messages you get contain an image. Alot of those images are formatted in such a way like:

        img src="http://www.spammersite.com/spampic.jpg?you@yo urisp.com"

        So the image display's, and they now have a list of e-mail addresses of people who looked at the message.

        So now you don't even have to click anything, they know you are looking at the message just by your mail client opening the picture.
        • That's why I never open spam. Instead, in Outlook Express, I use Properties/Message Source.

          I got one spam that had code to cause a banner advertising hit for the spammer. I notified the banner ad company. I suspect the spammer was unhappy about the result.

    • The same thing happened to me, sort of. I had an email address that I was using through Mail.com and besides the fact that it's a horrible service, the amount of spam I was receiving was nuts - I just used it too much on the web during the 90s not realizing what I was doing.

      So I changed email addresses and I set up the Mail.com email system to auto-respond with a message that said that it was an old email account and to check my website for the new one (thus not sending my email to Spammers ... Yes I know about web-scrapers... what can I do). Anyways, now I have to go into the mailbox every week or so to check for bozos who still email me at the old address and to clean out all the SPAM I receive AND all the Bounced Mail messages. It seems that every single instance of Spam uses a fake email address or an address at Yahoo or Hotmail which fills up in 10 minutes.

      So trying to figure out why the hell would anyone send me a message from a fake address, I determined it was obvious if you read the email. They always include a link to some random website (.ru anyone?) and when you arrive, there's absolutely no contact info, but always a pitch for some product or service and a form to put your credit card info in. Fuckers. I HATE SPAMMERS.

      From this experience I thought I'd really like to implement a sort of "thank you note validation" system on my mail server where every message that comes in would be responded to automatically with a "thank you note". Any response email that bounced would automatically mark the original message as spam. This of course would bring the Internet to it's knees if everyone did this (here's a thank you note for your thank you note) and temporary mail server or router outages would also cause false-readings, but still...

      My COMPLETELY INEXPERT opinion is this: We're all using SMTP - SIMPLE message transport protocol. It's now time for a NON-SIMPLE solution. The CMTP if you like (c for complex). If you want to send mail, you have to register your email address with an officially sanctioned registrar (yes, I know, it'd be like ICANN except worse) and then those messages would be digitally signed and your mail server could be set up with levels and filters. You could still receive unsolicited mail, but if it was from a known corporate entity, you could acurately filter it out.

      I remember when I set up my first SMTP server and email system and found out that you can basically lie in all the to and from fields and IT DOESN'T MATTER, I thought, that's sort of weird. Now I realize it's completely broken, not weird.

      My thoughts...

      -Russ
  • most effective (Score:5, Insightful)

    by TheSHAD0W ( 258774 ) on Monday February 25, 2002 @12:55PM (#3065465) Homepage
    The most effective solution for fighting spam is NOT legal; it is also not honeypots, or open server bans. It's community action.

    Did you receive a spam directing you to a website? Good. Surf there. Reload. Reload a few hundred times. 800 number? Call it and complain. When they hang up on you, call back.

    Multiply this by even a small fraction of the people the company sent spam to and swamp their lines and slashdot their servers. They won't be making any sales, and any earnings they do make won't come close to paying their bandwidth or phone bills.

    • www.overture.com [overture.com] (formerly GoTo.com) is a search engine where advertisers pay for clickthroughs, and each search result shows you how much your click costs that advertiser (more $ == higher search ranking).

      Search for "bulk email".

      Click through the first 10 or so.

      Multiply by the Slashdot Effect.

      Smile.

      (I am not associated with overture.com, nor is this an endorsement of their services. But anything that bleeds money from spammers is good IMHO).
    • Yep, make them pay (Score:2, Informative)

      by bleeeeck ( 190906 )
      and any earnings they do make won't come close to paying their bandwidth or phone bills.

      You can usually make the top 10 spammers on this list [overture.com] pay between $1 and $10 by clicking their link.

  • by Anonymous Coward
    I remember a while back, someone did a story about a day in the life of a script kiddie type person. I think a day in the life of a spammer would be much more educational!
  • by cecil36 ( 104730 ) on Monday February 25, 2002 @12:55PM (#3065472) Homepage
    We first got a way that can punish spammers that dates back to the 1600's, and now a way that we can trap them. Just think, instead of locking up Bernard Shifman in a damp dungeon in England, we could honeypot his resume, then smear real honey all over Bernie and leave him near an anthill with a bunch of red ants.
  • shameless plug

    I posted an article that deals with stopping spambots [slashdot.org] with common apache tools last week in the apache section [slashdot.org] of slashdot. hopefully some can find use of it here as well :)

    here's the link directly to the article as well:
    Stopping Spambots II - The Admin Strikes Back [evolt.org]

  • On a Related Note... (Score:3, Informative)

    by thesolo ( 131008 ) <slap@fighttheriaa.org> on Monday February 25, 2002 @12:59PM (#3065495) Homepage
    There is an excellent article [evolt.org] on Evolt.org [evolt.org] about how to configure Apache to set up a honeypot for email-harvesting spam robots. It has some outstanding details on configuration & implementation, too.

    Definitely worth a read.
    • It's also fairly simple to set up a CGI trap which puts harvesters into an infinite loop.

      I have a script (source at http://squirrel.mine.nu/Infinospam_cgi.txt) which generated an infinite sequence of pages full of what look like email addresses.

      I put a link to it in most pages, with the link the same colour as the background.

      I'd post a link to the author's site, if I remembered where I got it from... :)
  • by CyberQ ( 304799 ) on Monday February 25, 2002 @01:00PM (#3065500)
    While I agree that we should use any technical measures there are to fight spam I think the only thing that will stop spammers is the fear of having to pay large amounts of money.

    I don't even dare to say it: Maybe more lawyers should be retained by ppl getting unwanted spam. [There, I actually said it: MORE lawyers might be the solution of a problem shared by the /. community. That will probably get me a lifelong ban ;) ]

    German courts have ruled that sending UCE to a private e-mail address is a violation of that person's sphere of privacy. Theoretically the recipient can collect any damages - even immaterial ones. Some decisions are reported here [cauce.org].

  • Perhaps this has been discussed before, but why not have ISPs levy a per-email-charge so that the real cost of sending these messages is reflected? It's not like it would take a quantum leap in billing technology.

    Let's make it $0.01 per email, which will cost near nothing to the average email user, but for the lousy spammer who sends out 10,000 emails, this will set him back $100.

    People will only change their behavior if it hits them right in the pocket, as soon as they carry out that unwanted behavior. Why should email be free for people to abuse?
    • That wouldn't help at all. The reason is that almost all spammers send all their mail through open relays which are located in Asia most of the time. Nowadays, they also often tunnel their smtp connections through open http and socks proxies, so even port 25 blocking/intercepting wouldn't help.

      The only thing your suggestion would do, is increase the cost of complaining to the originating ISP's about spam sent by their customers.

    • If you told the public that a $0.01 charge per email would reduce spam and lower the costs of ISPs doing business, I think they would accept it.

      I think it would pretty simply eliminate the open relay servers flooding the world with unwanted email -- if they don't pay for what they send, then their emails are rejected.

      Email is surprisingly similar to real mail. We want to receive something, but not get flooded with useless junk. It's a security risk. It's a nuisance. Let's apply models that have worked -- pay for email. Why not?
  • Move it up a level? (Score:3, Interesting)

    by martyb ( 196687 ) on Monday February 25, 2002 @01:03PM (#3065523)

    Question: If this idea is viable, why don't ISPs implement it, too? For example, if AOL used this technique on a few of its dial-up (or cable) IP addresses, they could potentially make quite an impact. Futher, they could apply this technique across each of their address blocks. They could also rotate through the address block the particular addresses which act as the honeypot.

    Now imagine that AT&T, Earthlink, MSN, and other ISPs implemented this, too, that should put a HUGE DENT in spamming.

    Granted, this would chew up bandwidth on their network, but delivering spam chews it up, too.

    Please, if there are mistakes in this, don't mod me down but instead point out what ISPs COULD DO to make this work. Thanks!

  • But any spammer worth his TOSsing will simply salt the list with a known address or two he set up himself to check his spam run.
  • Want to stop span? (Score:5, Interesting)

    by Anonymous Coward on Monday February 25, 2002 @01:09PM (#3065559)
    Get 1000 /.ers to setup a web page on a simple box they already have or on a free web server... in fact, setup hundreds of pages. Embed in the page every political email address you can find as well as a honeypot one you setup. Set the honeypot one up to forward to the political addresses as well (all of them).

    After senator what's his face gets spammed by 10000+ p04n addresses a day for weeks on end he might take notice.
    • by TeddyR ( 4176 )
      Years ago a friend of mine used to do something similar: He had a web page that celarly stated the terms which he would accept mail.

      The page had a clearly stated no-spam accepted policy, and that the spam would be reported to the authorities; and in the wording of the policy, he had the email addresses (both semi-private work and public function) for legislators and gov. offices that deal with spam. [with of course abuse@[localhost] ]

      This way if someone was using a harvester to get email addresses, they would end up possibly sending to the legistlators that did not think spam was a problem.. [ in 1997]

      So it was not JUST a honeypot. It did have a function of informing.
    • by /tmp ( 84345 )
      I might be wrong but I am pretty sure that the spammers know enough not to send their crap to any address that ends in .gov The email spiders they use probably screen it out so that the addresses never get put onto their lists.

      Of course if some unscrupulous person were to set up some fake email addresses in hotmail,yahoo etc etc.. and set them up to forward anything sent to the addresses to the senators email the results might be interesting. especially after using the fake email addresses in a few select newsgroups.
  • Anyone ever... (Score:5, Interesting)

    by digitalsushi ( 137809 ) <slashdot@digitalsushi.com> on Monday February 25, 2002 @01:16PM (#3065592) Journal
    anyone ever responded to a spam pretending to be interested in the product? I get about a 20% turnaround on "serious inquiries". If I am using a real email address and look like a real customer, and they arent even writing back to me... they must be spamming several times what they could "legitimately" handle.
    • I've occasionally replied to spam posing as a potential customer, usually when I want to know who's really behind a particular spam. I don't hear back from humans very often, either. I doubt it's that the spammer (or his client) doesn't want our "business." In most cases I think it can probably be explained by one of the following,

      a) Spammer sent spam, checked for replies for awhile, then abandoned that dropbox for a fresh one. By the time I replied to his spam, he was no longer checking on that box.

      b) Spammer sent spam, and because everything under the sun was in tune, someone with a clue was reading abuse@ and nuked his dropbox.

      c) Spammer sent spam, got mailbombed with thousands of junk letters and didn't bother to clean the dropbox out. Both Hotmail and Yahoo - from my experience, anyway - will spool new messages for you even when you exceed your storage quota. Those messages won't show in your inbox until you delete some of the existing drek, but they don't bounce either; we could be sending order inquiries to a "full" dropbox that's never cleared.

      Of course, we can always dream about

      d) Spammer sent spam, was visited by a few guys with baseball bats, and was rendered physically unable to reply to our solicitations!

      Shaun
  • by eth1 ( 94901 ) on Monday February 25, 2002 @01:28PM (#3065663)
    Maybe we can capitalize on the It's For The Children idiocy that seems so prevalant in government:

    1) Have your 14-year-old kid set up and email account somewhere.

    2) Help him/her write an innocent letter to your representative complaining about the inappropriate spam s/he is recieving.

    3) Watch them trip over themselves to Save The Children =P
    • by Ldir ( 411548 )
      I actually had this happen to my 11-year-old. When I first tried to set up an @home account for him, his name (first.last) was already in use so I used another variant. With the disintegration of @home, their customers are moving to new ISPs. In the process, we discovered that my son's name had become available, both at @home and at our new ISP.

      We switched his account to the first.last format, and he immediately started receiving lots of spam - including porn - meant for the previous user. My wife was horrified, and wouldn't let him check e-mail until she screened it first. Once we moved entirely off of @home, the problem went away ... for now.

  • replying to this article as an isp with about 12k email accounts, I'd like to point out that the biggest thing holding an ISP back from implementing large global spam blocking routines is the fear of dropping more than zero legitimate emails. It's like that old legal thought, "better to let 10 guilty men go free than to jail 1 innocent man". If I blocked an email inviting someone's grampa to the family reunion and killed 500 pr0n spams, and found out about it, I'd feel miserable for days. (Not that such a ruleset would be that likely to trigger for both- if it did I'd prolly end up with a giant R branded to my forehead for "regex")
    • Look, you don't have to make this decision. Install a solution, default it to "off" for all customers, put up a web-form for them to turn it on FOR THEIR INDIVIDUAL ACCOUNT if desired, and send all customers instructions including a full and accurate description of the consequences.

      If they don't want to live with the possibility of not getting their invitation to the family reunion, well, fine, they can live with the spam. If they're willing to risk losing that invitation in order to kill the corresponding 50 spams that they would receive with it, great, they can turn on the solition for themselves and then they have no right to complain if some legitimate email gets lost because, well, YOU WARNED THEM.
    • What an ISP should do is not necessary block spam, but to simply add a header (something that should be agreed on) like "X-Possible-Spam: Yes", then instruct the end users that they can choose to ignore the header together, use the header to filter the mail into the right places, or simply refuse to accept the header altogether. Of course, in such instructions, a big blazing notificiation that "You may lose legitimate email by setting this option" for the last choice would be necessary else face a lawsuit. Or, even more detailed, use something like "X-Spam-Level: (number)" where a level of 0 is nothing that looks like spam, while some higher number, say 5, are perfect matches for known spam messages. Intermediate levels may or may not be spam. Of course, I don't believe that the GUI mail clients can do 'math' on the headers for filters, but the idea is there.

      Basically, this doesn't block the delivery of any message to the end-user but gives the end user of filtering out spam if they desire. However, this puts the burden on the ISP to actually do such filtering, and unless one has a mail client with CPU cycles to spare, that might be hard to do. However, given what the averge person knows on email filtering, this might not seem unreasonable for an ISP to impliment to keep & gain customers. Of course, a key part of this is that there needs to be agreements on what format to take such that users that swap ISPs don't have to reconfigure their clients to use a different filtering system.

    • What about the bounce message? When you use a good open relay blocking list (like ordb, my favorite), your mail server refuses to let the offending server send the message. The offending server reports back to the sender that the message did not go through. So, if Aunt Alice is sending out the message to Grandpa about the family reunion and receives a message back that the message couldn't be delivered... she'd just call him. The only really bad anti-spam technique is filtering that just discards messages. The sender doesn't know it wasn't delievered. With blacklists, the sender knows.
      • So, if Aunt Alice is sending out the message to Grandpa about the family reunion and receives a message back that the message couldn't be delivered... she'd just call him.
        Problem is, most endusers are far too daft for this. They get the bounce message, and because they're deathly afraid of these crazy machines, they read the message which very clearly says "We thought this was spam so we bounced it, call our customer service line at 800 555 1234 if we made a mistake"; then they turn around and ask their local guru "why did this bounce and what should I do"? And the local guru says, "Well, it looks like they thought this was spam so they bounced it, you should probably call their customer service line at 800 555 1234 and tell them they made a mistake". The problem here is that the boneheads with no guru will stumble off to the living room for a refreshing episode of "Everybody Loves Raymond" and gramps won't get to the reunion.
  • Hmmm (Score:4, Insightful)

    by NiftyNews ( 537829 ) on Monday February 25, 2002 @01:36PM (#3065712) Homepage
    This isn't flamebait, but what is the point of doing all of this?

    So now the spammers have a lot of worthless addresses. Well let's think about that for a minute. Spam is built around a theory that next-to-no-one will reply anyway, so that doesn't matter much. Spammers also rarely pay for their own bandwidth, choosing instead to spoof unsecure machines to do their dirtywork. So in the long run, you only end up giving them more worthless addresses that creates more wasted bandwidth, neither of which really harms the people you are attempting to target.
    • This isn't flamebait, but what is the point of doing all of this?

      So now the spammers have a lot of worthless addresses. I believe the point is/was to trick the spammers into wasting their time sending out emails to a server that they believed would relay them, but in fact was not.

      This concept is a separate tactic from hosting pages filled with bogus addresses intended to "poison" the spammers lists.

    • Seriously, I don't particularly care about the bandwidth as long as the mails don't get to my mailbox.

  • by warpSpeed ( 67927 ) <slashdot@fredcom.com> on Monday February 25, 2002 @01:41PM (#3065736) Homepage Journal
    We do not need more laws "protecting" us! What we really need is a easy to use universal email crypto standard where everyone will sign thier email. Any mail not signed is immediatly suspect. Any keys you do not recognize are suspect.

    Standard crypto would serve us much better then any new law (set of laws) and the possible abusive applications of said law(s). We would surly end up with all sorts of lawful and awful unintended consequences as a result af anything that is generated by any government.

    ~Sean
  • SpamAssassin! (Score:5, Informative)

    by mr.nicholas ( 219881 ) on Monday February 25, 2002 @01:44PM (#3065760)
    I guess I have to throw in my $0.02 here. Instead of relying on a single services or technique for stopping SPAM, try something heuristic that combines the best of multiple worlds: SpamAssassin [spamassassin.org], for example.

    It uses a weighted score that derives it's values from a variety of sources including Razor and various Black Hole Lists.

    The type of heuristics are along the lines of:

    SPAM: -------------------- Start SpamAssassin results ----------------------
    SPAM: This mail is probably spam. The original message has been altered
    SPAM: so you can recognise or block similar unwanted mail in future.
    SPAM: See http://spamassassin.org/tag/ for more details.
    SPAM:
    SPAM: Content analysis details: (12.24 hits, 5 required)
    SPAM: Hit! (1 point) From: contains numbers mixed in with letters
    SPAM: Hit! (1.2 points) From: does not include a real name
    SPAM: Hit! (1 point) 'Message-Id' was added by a relay (2)
    SPAM: Hit! (1 point) Subject contains lots of white space
    SPAM: Hit! (1 point) BODY: List removal information
    SPAM: Hit! (1.56 points) Contains phrases frequently found in spam
    SPAM: [score: 26, hits: accept credit, credit cards,]
    SPAM: [fill out, for your, more information, our]
    SPAM: [company, phone number, receive further, remove]
    SPAM: [the, reply this, subject line, thank you, the]
    SPAM: [subject, this email, wish receive, word remove,]
    SPAM: [you for, you like, you wish, your]
    SPAM: [email]
    SPAM: Hit! (1 point) spam-phrase score is over 20
    SPAM: Hit! (1 point) Received via a relay in inputs.orbz.org
    SPAM: [RBL check: found 14.54.162.63.inputs.orbz.org.]
    SPAM: Hit! (2 points) Received via a relay in relays.osirusoft.com
    SPAM: [RBL check: found 6.223.155.212.relays.osirusoft.com., type: 127.0.0.9]
    SPAM: Hit! (1.48 points) Subject contains a unique ID number
    SPAM:
    SPAM: -------------------- End of SpamAssassin results ---------------------

    • I guess I have to throw in my $0.02 here. Instead of relying on a single services or technique for stopping SPAM, try something heuristic that combines the best of multiple worlds: SpamAssassin [spamassassin.org], for example.

      Just for laughes, here's the record SpamAssassin [taint.org] score in one of my spam's:

      SPAM: --- Start SpamAssassin results ---
      SPAM: This mail is probably spam. The original message has been altered
      SPAM: so you can recognise or block similar unwanted mail in future.
      SPAM: See http://spamassassin.org/tag/ for more details.
      SPAM:
      SPAM: Content analysis details: (31.38 hits, 5 required)
      SPAM: Hit! (1 point) From: contains numbers mixed in with letters
      SPAM: Hit! (1.2 points) From: does not include a real name
      SPAM: Hit! (2.37 points) Message-Id generated by a spam tool
      SPAM: Hit! (1.94 points) From: ends in numbers
      SPAM: Hit! (0.9 points) Message-Id is not valid, according to RFC-2822
      SPAM: Hit! (0.01 points) BODY: Asks you to click below
      SPAM: Hit! (1.32 points) BODY: Contains word 'guarantee' in all-caps
      SPAM: Hit! (1.93 points) BODY: Contains a 1-800- number
      SPAM: Hit! (1.2 points) BODY: HTML mail with non-white background
      SPAM: Hit! (4 points) BODY: Uses control sequences inside a URL's hostname
      SPAM: Hit! (1 point) BODY: Link to a URL containing "opt-in" or "opt-out"
      SPAM: Hit! (1.82 points) BODY: Link to a URL containing "remove"
      SPAM: Hit! (1 point) BODY: Image tag with an ID code to identify you
      SPAM: Hit! (1.56 points) Contains phrases frequently found in spam
      SPAM: [score: 20, hits: click here, email address,]
      SPAM: [from future, future mailings, here for,]
      SPAM: [including shipping, offer order, this email,]
      SPAM: [with our, with this, you not, your]
      SPAM: [email]
      SPAM: Hit! (3 points) Listed in Razor, see http://razor.sourceforge.net/
      SPAM: Hit! (1 point) spam-phrase score is over 20
      SPAM: Hit! (3.33 points) HTML-only mail, with no text version
      SPAM: Hit! (1.8 points) No MX records for the From: domain
      SPAM: Hit! (1 point) Received via a relay in orbs.dorkslayers.com
      SPAM: [RBL check: found 11.124.183.200.orbs.dorkslayers.com.]
      SPAM:
      SPAM: --- End of SpamAssassin results ---

      Now I've turned spam into something of a game. I have procmail rules tell me when a new record has come in so I can laugh at how cliché the message is. It's fun. Really.

      The sad thing is that spammers are most likely already using these rules to try and author messages that will sneak in "under the radar" so to speak. I wouldn't be suprised if I start getting messages in pig-latin one day.

      -AP

  • Follow my sig into the spam death chamber....
  • While I was doing my CS degree I spent my placement year at a small data mining software company. Once we got a request from marketing company based in Estonia asking if we could clean some 'addresses', as their cutomers had a tendancy to deliberately mis-spell their addresses. We found their attempts to hide the company background and extent of their business odd especially the ordinary ISP email address (not their own domain), but never thought any more about it. We asked them for a sample data set of these 'addresses' so we knew what we were dealing with, initially they did not want to hand them over after a while we said if you don't show us the data we are unable to tender for the work. What arrived was a text files containing email addresses along the lines of:
    someone@REMOVETHISdomain.com
    me@SPAMOFFhost. com
    NOSPAMme@isp.net etc.

    Suffice to say we did not tender for the work. What worried me was the fact that they were willing to pay good money (arounf 5,000 sterling) to extract maybe 250,000 email addresses, this goes to show there must be a good incentive to do all this spamming.

  • by swb ( 14022 ) on Monday February 25, 2002 @03:08PM (#3066258)
    I'm far from a sophisticated programmer, but I can bang out the odd script in Perl and I use procmail.

    I've been actually collecting Spam for an idea that I have -- Spam can be identified by the subject matter based upon the vocabulary. This weekend I hacked out a script that goes through a spam mbox and builds an index of words and two-word phrases.

    I ran it against my main inbox and it generated an entirely different vocabulary than the one generated by my spam mailbox. This leads me to believe that a new mail message could be judged by subject alone to see if contained a lot of spam vocabulary, and if it did its words could get added to the dictionary.

    The virtue of this is that its self-learning -- the more you get, the better it gets at finding them since the spam vocabularly gets even better defined.

    Of course, I haven't worked out the scheme for matching new mail against the dictionary yet (either in a logical sense or an implementation sense), so it may prove much harder than it seems -- but the fact that Spam is spottable in the subject by me just reading it vs normal mail shows me that the vocabulary is significant.
  • by helloRockview ( 205000 ) <chris@nospam.cju.com> on Monday February 25, 2002 @04:23PM (#3066653) Homepage
    A group of colleagues and I have had an email server of our own for almost 7 years now and have always had the same email addresses. Between years of USENET post and webpages with our email addresses on the, our SPAM intake got out of control. In a sampling taken in October of last year, we were getting about 350 pieces of SPAM per day between only *4* people with account on the box.

    We had previously tried a number of anti-spam solutions, including combinations of RBL, ORBS, locally-maintained blacklists and lots of Sendmail hacks.

    We had very little luck until November, when we implemented Spam Assassin [spamassassin.org] on all of our mailboxes. After turning on Spam Assassin, the SPAM seemed to just go away. In the first day alone, we caught over 300 pieces of SPAM with ZERO false-positives with less than 10 pieces of junk making it through to the end user's mailbox. The program is, simply put, amazing.

    It's multi-faceted approach works very well. It uses a combination of simple logical string checking, in addition to things like distributed databases like RBL and Razor.

    The program can also place SPAM's in a dedicated mailbox file so you can see what got rejected. Each piece of rejected mail contains a report that includes the reasons that contributed to the rejection. Each reason has a weighted value that contributes to the final "good" or "bad" disposition. All of this is highly customizeable, but it does work very well out of the box without any tinkering.

    I highly recommend this program. Take the time to sit down and install it on your mail server.

Civilization, as we know it, will end sometime this evening. See SYSNOTE tomorrow for more information.

Working...