My Short Life As An Unintentional Spammer

from the leave-me-be dept

Regular readers of Techdirt will remember that two months ago I got hit with a “spam attack” of sorts where a spammer put my personal email address as the “reply-to” in a series of porn spam emails – meaning that approximately 500 bounce messages, autoresponders, and angry replies all came directly to my inbox in approximately 36 hours. It was not a fun experience, and I wouldn’t wish it on anyone – but it does appear to be happening with increasing frequency to plenty of people. Two weeks ago, a friend of mine contacted me, afraid that someone had hijacked her email when she was a victim of such an attack. All the major news articles talking about spam seem to ignore this sort of attack. I’ve decided that since this does appear to be a growing issue, I would simply publish the article I wrote about it here. Click “Read More” below to read the entire story about my short life as an unintentional spammer – where I explain just what sorts of people actually do reply to spam, and what they say.


My Short Life As An Unintentional Spammer
by Mike Masnick

Ever wonder what sorts of emails end up in a spammer's email database? Want to know who actually responds to spam and what they say? Want to know the myriads of formats (and languages) a bounced email message can take? I can now tell you all of this. Without my knowledge, I recently became an accidental porn spammer.

When I got home one evening a few weeks ago, I noticed that I had more than the expected amount of email waiting for me. A quick glance through the inbox showed about fifty "bounced" emails - saying that email addresses of people I had emailed did not exist. The problem with this, of course, was that I hadn't actually emailed anyone.

It did not take long to figure out what happened. While some bounces simply told me that the recipient didn't exist, others included the original text of the email I had supposedly sent. It claimed to be from someone named "Chris" or "Ali" and was a reply to an alleged message from an online dating site. Chris and Ali apologized for taking so long to reply, and nervously suggested that the recipient find out more information about them by going to a website. Clearly, this was porn spam. Out of principle, I won't visit the websites that were in the spam messages.

The problem was, I hadn't sent these messages at all. I'm not Chris or Ali. I don't use dating sites. I don't have a porn website. I don't send spam.

One of the popular "tricks" among spammers nowadays is to set the "reply-to" address to be the same as the recipient's email address. That cuts down on the problem of bounce mails, and also has a psychological effect on recipients who are curious what email they've sent themselves. Most spam filters have figured out ways to still capture these spam messages (though I'm now hearing stories of legitimate emails that people send to themselves being classified as spam). I've received plenty of these types of spam, and most are filtered away, never to be bothered with.

It seems that this particular spammer took things one step further, and set the "reply-to" address on all of his spam messages to my personal email address. If anyone looked at the headers, it was clear that I had nothing to do with the email whatsoever. However, most mail servers aren't so smart.

With any spam list, there's a certain percentage of "bad" or outdated email addresses. Generally speaking, a server that receives an email for someone they don't have an account for will "bounce" the message. Those bounces go to the person who sent the message - normally found in the "reply-to" line. Since my email address was in the reply-to line, all those bounces started coming my way, regrettably informing me that my pornographic spam emails had not found their intended recipient.

After dealing with the rapidly growing desire to reach through the internet and strangle whatever lower-than-life scum did this to my email address, I resigned myself to looking at this from an anthropological perspective. Suddenly, I was in a position to offer information on things that few others would (hopefully) ever willingly have access to.

Should anyone want it for research purposes, I now have a fairly large collection of bounce messages. It appears there is no standard format for a bounce message (which, by the way, makes them painfully difficult to filter). They have infinitely different subject lines. They say different things in the body of the message, sometimes nicely, sometimes rudely. They show up in different languages with different explanations. Some admit that the account has been closed due to too much spam. Others simply don't exist any more (if they ever did at all). Some bounces quote the original message; some don't. Some include full headers; some don't. Who knew there was such variety in how mail servers bounce their email?

Beyond the bounce messages were all sorts of auto-responders. It seems that some of the email addresses in the spammer's database were emails people used to send responses to those who "request more info". Suddenly I was receiving huge files of information that I really had no use for whatsoever. I also found out about a number of people who were on vacation that week, or who had recently switched jobs. One even had an auto-responder saying "this is closed...I am tired of the internet... all internet access for me is closing". Some of the addresses were to subscribe to various mailing lists. Many bounced back confirmation emails, asking to prove that I really wanted to subscribe, while others just subscribed me automatically (which will now force me to manually unsubscribe).

While most of the "information" was fairly useless, I suddenly had the opportunity to peek into the lives of people I had no association with whatsoever - connected only by a spammer. I felt like reaching out and commiserating with those who were sick of the spam and wondered if I should congratulate those with new jobs. However, there was no time for that; I had more erroneous spam fallout to deal with.

Next came the responses. I, like many people, often wonder what sorts of people actually respond to spam emails. For years, it has been beaten into my head that you never, under any circumstance, respond to a spam email. It just shows that you're a live human being, making your email address more valuable. I'm still shocked when I come across people who haven't heard this. However, they are out there, and they come in all different shapes and sizes. I have their emails to prove it.

There are the confused, but polite people. One woman wrote me a nice message saying that a "horrible" mistake had been made, and that she had not replied to my online dating ad. She did warn me, however, that there are "plenty of strange people out there" and that I should be careful. How nice. Another woman couldn't remember what she had said in her reply to my non-existent online dating profile and wanted to be reminded. A few others just asked who I was.

Then there are the unsubscribers, who are under the unfortunate delusion that asking spammers to take them off their list will help. They send simple messages saying simply "unsubscribe" or "unsubscribe, please", as if that will ever get to the actual spammer, or that they would actually pay any attention to it.

Lastly, there are the angry, but clueless. I feel their pain, but they need to find a better outlet. I received emails telling me things I never knew (and find unlikely) about my lineage and suggesting I go places I have no interest in going, using all sorts of language you wouldn't use in polite company. I also received a threatening letter saying that I would be hearing from some company's corporate lawyer.

None of these people stopped to think that it was odd that my email address includes, pretty clearly, my name - which is neither Chris nor Ali. With the number of spam messages that go out every day, I wonder if these people reply to them all. I guess, for some people with anger management problems, this is a kind of outlet. All day, every day, respond angrily to spam messages, and maybe it will have a calming effect on your life.

What's scary is that, for the most part, I only saw the bounced messages. They continued for approximately 36 hours, and then stopped abruptly. In the end, about 500 email messages bounced back to me, so I can only guess at how many thousands of poor, unsuspecting email boxes are currently dealing with spam sent with my email address as the reply-to. I apologize to all of you, even if I had nothing to do with it. I don't want to date you, and please, feel no compulsion to look at the web page in the email.

Most people agree that spam is evil. It's a waste of time and a general nuisance. I can argue against spam from a variety of levels. It's bad for the internet. It's bad for users. It's bad for business. It's just bad. Luckily, there's a rapidly growing industry of companies (and simply concerned individuals) creating software solutions to help stop the spam menace. While there are debates over how well any of these systems work, it is possible to at least reduce your spam intake. Personally, I use a spam filter that is pretty effective in reducing my spam load to a mostly manageable level.

However, with something like this, there simply is no effective preventative measure in place. The spammers spoof the reply-to, making it whatever they want - so it never even touches my mail server at all. My inbox gets bombarded because there's no simple way to filter out the bounced messages since they are all so different. It's difficult to track down a spammer normally - and more so when the spam isn't even sent to you. Despite the fact that my address was the reply-to, it seems the spammer never sent me the message directly. I found a bounce message that showed the full headers and tracked it back. The email came from a mail server in the Philippines, and pointed to a website hosted in China, owned by a company in London. Tracking down the actual spammer would likely be close to impossible. Assuming they could be found, suing them would be nearly impossible as well, not to mention costly.
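The header check described above, sketched as an added example that is not part of the original article: it opens a bounce, pulls out the quoted original message when there is one, and checks whether any Received hop names a server the address owner actually sends through. The address, host names and sample bounces are constructed for illustration; bounces that quote nothing, which the article notes exist, come back as "unknown".

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: my address and the server my real mail leaves through.
MY_ADDRESS = "me@example.org"
MY_OUTBOUND_HOSTS = {"mail.example.org"}

# Constructed bounce (multipart/report layout) that quotes the original message.
REPORT_TEMPLATE = """\
From: MAILER-DAEMON@mx.recipient.example
To: me@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain

The address nobody@recipient.example does not exist.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
Status: 5.1.1

--BOUND
Content-Type: message/rfc822

Received: from {client} by {server}; Mon, 1 Jan 2001 00:00:00 +0000
From: {sender}
Reply-To: me@example.org
To: nobody@recipient.example
Subject: Re: your profile

Sorry it took so long to reply.

--BOUND--
"""
FORGED_BOUNCE = REPORT_TEMPLATE.format(
    client="relay.bulk.example", server="mx.recipient.example",
    sender='"Chris" <chris@dating.example>')
GENUINE_BOUNCE = REPORT_TEMPLATE.format(
    client="laptop.home.example", server="mail.example.org", sender="me@example.org")
# Constructed bounce that quotes nothing, like some of those the article describes.
BARE_BOUNCE = """\
From: postmaster@mx.other.example
To: me@example.org
Subject: Delivery failure

User unknown.
"""


def embedded_original(bounce):
    """Return the original message (or just its headers) quoted in a bounce, else None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def relay_hosts(msg):
    """Host names from the 'from' and 'by' clauses of every Received header."""
    hosts = set()
    for value in msg.get_all("Received", []):
        found = re.findall(r"\b(?:from|by)\s+([\w.-]+)", str(value), re.I)
        hosts.update(h.lower() for h in found)
    return hosts


def names_me(msg):
    """True if my address appears as a sender-side address of the quoted message."""
    for field in ("Reply-To", "From", "Return-Path"):
        for value in msg.get_all(field, []):
            if parseaddr(str(value))[1].lower() == MY_ADDRESS:
                return True
    return False


def classify_bounce(raw):
    """Sort one bounce into: unknown, unrelated, sent-via-my-server, forged-sender."""
    original = embedded_original(email.message_from_string(raw, policy=policy.default))
    if original is None:
        return "unknown"            # nothing quoted, so nothing to verify
    if not names_me(original):
        return "unrelated"
    # Received lines not added by a server I trust are written by the sender,
    # so a match here is a hint to look closer, not proof the mail was mine.
    if relay_hosts(original) & MY_OUTBOUND_HOSTS:
        return "sent-via-my-server"
    return "forged-sender"


if __name__ == "__main__":
    for name in ("FORGED_BOUNCE", "GENUINE_BOUNCE", "BARE_BOUNCE"):
        print(name, "->", classify_bounce(globals()[name]))
```
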

One potential solution to this would be to require every outgoing email to have a verified identifier of some sort, so that any email can automatically be traced back to the original sender. This (as does every solution) brings up other problems. There are benefits to anonymous email, and we wouldn't want to take that away (though, perhaps you could limit the number of emails that could be sent anonymously to prevent bulkmailers from abusing the system).

In the end, though, this sort of stunt has killed off the tiniest amount of support I had for spammers. These spammers stand behind their First Amendment rights to speak their minds (which is an argument that can be shot full of holes in a second). In this case, though, the spammer made no use of any First Amendment rights. What they did was just mean and nasty and a complete waste of my time.



Comments on “My Short Life As An Unintentional Spammer”

154 Comments
Brian S says:

Re: Happened to me as well....here is what I did...

Happened about 6 months ago to me. I did a lookup on the website that the spam was pointing people to, in the logic that ultimately, they could be held responsible, because either they personally, or through a marketing contract to someone else, was using my email address as the reply for sending out spam.

They were nice enough to have had full information in the website DNS registration. I contacted both their ISP as well as the website owners/operators, with the gist of the message being, I know who you are, I will sue you for defamation of character as sending these messages with “MY” identity, makes many people believe that I am sending the message. If you immediately stop using my address and remove me from any and all lists, I may consider not bringing the lawsuit to court.

In all seriousness, a defamation of character suit could very well hold up in court in a case like this. Because of their actions, people believe that you are a) a spammer, b) a porn monger, c) disgusting person whom they will never do business with. Could be easily seen to meet the requirements of a defamation of character suit.

Received a VERY quick response saying that they would take care of everything. And I have not had a problem since.

P.S. Sorry about the spelling, I am a programmer, not an English major or teacher 🙂

mja says:

Re: No Subject Given

This happened to me. I was so angry. I did a little more than figuratively reach into the internet and wring their mangy necks.

I went to their grubby little site (which turned out to be little more than a scam to get credit card numbers) and shut them down.

They made the mistake of not properly trapping responses on their form, meaning you could get rubbish into their database.

Boy did I get them some rubbish. Their site was almost inaccessible on a bandwidth basis with me filling their database with hundreds of thousands of crappy entries, the script changing format every hundred or so, so there would be no easy way to filter it out.

They tried blocking the address range I was on, I simply moved the attack through another ISP. 4 ISPs later they went down and stayed down.

Not proud. And think I should have shown more self control. No one has used my email address as a return to again though.

John D says:

Re: Re: No Subject Given

One really cool trick we did to “get their attention”… is that if you go to a website advertized by the spammer, and if they are stupid enough to have a forms page, you can spam the spammer.

But in order to do this, you have to have access to a server that can run CGI programs.

First, copy the HTML forms page to your server. Replace the ACTION tag with one of your own, but save the “real one” in a variable in the CGI code.

Add a button “SPAM” to the forms page, and also a text field so you can enter in how many times you want to submit the form.

Then build up a file of various fictitious accesses and forms field values you want inserted in the forms page.

Access the page through your browser, and put in some very large numerical value in the new text field you added, and press the “SPAM” button.

Your CGI would then make multiple submissions to their forms page (as many as you want), and it would then either get the field data from a file somewhere on the server, or you can just put in things like:

Name: Mr No Spam
Address: 1234 No Spam Ave
City: NoSpamsVille, USA
Phone:
Email:
(So they can contact you)

Believe me, they WILL contact you… but be careful when you write the CGI script, to put in a 2 – 3 sec delay between each “submission” so’s not to DDOS their server (we wouldn’t want to do that, legal reasons).

Remember, you would be doing them a favor – by showing them how interested you are in wanting to enlarge the anatomy between your legs, and providing them with an infinite supply of honeypot addresses.

Of course they may get pissed off, but then you can make it clear that YOU are pissed off at them for not providing a way to opt out.

It DOES get their attention….

DON’T ask me to write the script, I’ll leave that up to you.

JD

Phibian says:

1st Amendment Rights

The best rebuttal I ever read is as follows (NY Times, “Tangled Up in Spam” by James Gleick):

“Many people who hate spam believe, honorably enough, that it’s protected as free speech. It is not. The Supreme Court has made clear that individuals may preserve a threshold of privacy. ”Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit,” wrote Chief Justice Warren Burger in a 1970 decision. ”We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another.””

Matthew Stein says:

Re: 1st Amendment Rights

My last job was the webmaster for a campaign and our organization got both the positive and negative side of spam. As the webmaster, I received hundreds of viruses and spam at the webmaster account daily, and when we made a mistake re-configuring our SMTP server for access from a second office, our SMTP server was inundated by spam and therefore got it blacklisted.

However, we also opted to send out non-commercial spam right before the election. While our ISPs insisted that we violated their Acceptable Use Policies (which was debatable), we certainly did not brake the law. Political speech is protected by the Constitution, and the Courts have consistently ruled that it is immune from any such restrictions – in other words, campaigns and other political organizations can legally ignore don’t call lists and (if it ever happens) don’t e-mail lists. However, it’s worth noting that campaigns are harmed by bad press in a way that firms (or fly-by-night organizations) aren’t.

Of the messages I received back from our political spam, the majority were positive interest in receiving more information and liked our initiative. A few wanted to know how we got their e-mail address, and a few (for no good reason, really) sent us back death threats and obscene writing.

(However, for a campaign to use the political exemption from don’t call lists, etc., it must identify itself truthfully. Otherwise it’s in violation of FEC and state-based committee regulations, which result in heavy fines and perhaps even jail time.)

Anymouse Custard says:

Re: Re: 1st Amendment Rights

Well, it may or may not be within your first amendment rights, but an ISP’s TOS is a contract you sign – not the constitution. I don’t know or care which party you support, but the political climate these days is that a contract has more power than the constitution.

That aside, if you spam me with your “non-commercial” spam, you will have an effect. That of making me much more likely to vote for the opposition, as I have no respect for someone who feels the only way to get their opinion out is to shove it down everyone’s throat.

fluffy says:

Re: Re: 1st Amendment Rights

Spam is not illegal in most states, and sure, probably political campaigns will always be legally able to spam for 1st amendment reasons, but I would certainly never vote for that candidate again. In fact, I would be likely to vote against that candidate no matter what his qualifications, simply because he and/or his campaign showed such poor judgement. What kind of judgement would the candidate show while in office?

On the other hand, prohibiting spam is a time-and-place restriction on free speech that just might withstand 1st amendment scrutiny. You can’t drive your campaign station wagon down my street at 3AM blasting out “Vote for me!” on a loudspeaker. Not only would my neighbors come after you with shotguns, but the police would arrest you for violating noise ordinances and probably for disorderly conduct. Prohibiting spam is basically the same thing, IMHO. It’s not the content of the message that trips the restriction, but the manner of delivery, and manner of speech *can* be restricted.

Anonymous Coward says:

Re: Re: 1st Amendment Rights

Spam is not about non-commercial! Spam is about consent. If you don’t have my consent I don’t care if you are the President, you don’t have the right to spam me. I also don’t care if it’s legal or not – we all know that the reason spam pisses people off is not that it’s illegal – it’s that it’s really annoying.

It’s simple, if a politician spams me I will vote against them and I will tell all my friends to vote against them.

John Draper says:

Re: Re: Re: 1st Amendment Rights

I have no beef with spammers, as long as they follow the rules…. which are:

1) Honor all opt out requests… and don’t give my Email to other spammers

2) Provide valid contact information in the event I MAY be interested in what they have to sell, and can contact them if I want more info.

3) And use ONLY opt in addresses.

And when I find something I’m interested in, and want to receive occasional Emailings of events, announcements, and such, to deploy a DOUBLE OPT-IN mechanism (one which asks for confirmation).

If people would follow these simple rules, then spam would never be a problem in the first place.

But they don’t – and their greed will be their downfall.

JD

Anonymous Coward says:

Re: Re: BF Clue Stick

Spam is theft. You steal my computing resources and personal time. I don’t give a rat’s ass what your cause is, or what criminal (politician) you are representing. Unless I have a prior personal relationship with you, I don’t want to hear from you.

Political spam still comes postage due. This is NOT PROTECTED. YOUR right to speech ENDS when I HAVE TO PAY FOR IT. GET IT?????

When YOU pay my ISP bill, THEN you have the right to send me crap. Until then, bugger off!

You cannot justify spam for ANY reason. None. There is no defense. All spammers must die (figuratively speaking.)

David Horrar says:

Re: Re: 1st Amendment Rights

Mr. Stein:

Although your comment that political speech is immune to the rules applied to commercial messages is correct (thanks to a self serving set of the government), you and whomever you were representing seem to be missing the point.

If I have registered that I would rather not receive spam, telemarketing, etc. types of communications, what would make you or anyone else think I would appreciate getting political propaganda? Pushing the cost of receiving your messages off onto me is not likely to make me think much of the person being so presented. In fact, I deal with politicians that do such things the same way I do spammers. You don’t get my money, you don’t get my vote and I will take every opportunity to spread that message to everyone I know, (without sending undesired email).

There is a difference between what is legal and what is ethical. As an Information Analyst at a university, I take every opportunity to point this out to the uninformed. I’m surprised that you, posting from such a well regarded institution, don’t do the same.

Anonymous Coward says:

Re: Re: 1st Amendment Rights

>However, we also opted to send out
>non-commercial spam right before the election.
>While our ISPs insisted that we violated their
>Acceptable Use Policies (which was debatable),
>we certainly did not brake the law.

You even spell like a spammer.

You may or may not have broken the law. If the ISP’s AUP says “No spam”, as most do, then you did violate the AUP.

And no matter how you look at it, you admit that you were spamming. That means you’re a slimeball.

Levi says:

Re: Re: 1st Amendment Rights

I’d be the one who sent no reply.
But started a stealth portscan on your
domain in a search for exploitable holes.
I hate all spam regardless of its content.
Since most of it comes from jurisdictions
where it’d be a pain to prosecute (ie China).
Note I’m smart enough to trace headers, and will
do the smart thing and target the webserver
advertized in the spam. 99.99% of spam has
as its main content, a link to a website.
The website is where I’ll attack first.
Most abuse addresses point to competent
admins that’ll shut down accounts and
even thank you, except chinanet. Most spam
I get is routed through china net, and I’ve
never had any success reporting abuse to
Chinese admins. Maybe they don’t speak English,
but I don’t speak Chinese, so it can’t be helped.
Woe-to-the-spammer-whos-bot-snarfs-my-edress-ly yours,
-Levi

Edward Scissorhands says:

Re: 1st Amendment Rights

Remember, that the first amendment applies only to the constitution of the United States of America.
Other countries (Philippines, China, and England) have their own constitutions that grant other constitutional rights for their citizens. Whether these rights include the right to send spam is a matter for constitutional lawyers who know about those countries.

Bill Stewart says:

Re: Better than spam laws

Spam laws can be useful, because they’ve usually got a relatively low threshold of proof required, as long as you can really identify the spammer. But in your case, assuming you can really demonstrate that it’s the spammer, why not use an approach with more teeth – criminal forgery charges don’t get you any money, but there’s probably some tort like defamation of character or even conversion (if MD lets you do that for intangibles) that you could use to collect (ideally in addition to the spam charges…)

Stephen Samuel says:

Re: Re: Better than spam laws


>why not use an approach with more teeth – criminal forgery charges don’t get you any money, but there’s probably some tort like defamation of character or even conversion

Defamation of Character is a definite one there — making people believe that you’re a spammer, and porn-muffin.

Also: I’m pretty sure that criminal action that directly affects you is usually an acceptable basis of a tort for recovery from the results of the criminality.. Add an extra $400K in punitive damages, and …..

Pete says:

Re: There is a way (sort of)

I think it would be safe to assume that each batch of emails would originate from the same IP, or same subnet at least.
So just use mailwasher and put in a filter rule to delete (probably not worth bouncing) any email with the ip in the header once they start coming in. You said some bounces didn’t contain the full header info so I guess it wouldn’t work for them but for the rest it would. Reduce the amount anyway.
I filter out 64.70.53. 64.70.44. 64.70.20. and 12.158.240. as I very frequently got spam from hi-speed-mail which use a ton of different domain names. I see pretty much none from them now. It seems to go through cable and wireless but since I live in Australia not the US I feel I can pretty safely block these.

Sharon says:

yeah, but on AOL........

If you use AOL and this happens to you this is what you get, first, kicked off. Your password is no longer valid. Puzzled, you call AOL. AOL informs you that your password has been scrambled because you were reported for sending out pornographic mass mailings to other AOL members. You say, “say what?” They then tell you that someone using one of your screen names was logged on at such and such time, and you say, “ha?, no one was even here at that time.” “Oh well”, says AOL, “you must have a virus.” At this time AOL doesn’t acknowledge the fact that spammers use “bots” to get passwords. I have Nortons System Works, Firewall, and Trojan Hunter. There is NO WAY I have a virus. “Ok,” says AOL, we will change your password to blah blah blah, then you go back in and change it, this is your first offense, two more times this happens and you will be kicked off for violation of TOS.” (That’s Terms of Service although it means absolutely nothing as far as action) And you say “say what? I just told you I didn’t do this.” So angrily you tell AOL, “do you realize how much porn I delete everyday from my mailbox? Ok, if this is how you want to play the game, from this moment on, I will forward EVERY piece of mail that OFFENDS me, to TOSmail at AOL. I think I’ll clog YOUR mailbox with the crap I get everyday and see how many other INNOCENT people get reported for spamming they had nothing to do with, then terminate YOU!”

Yes, this is a personal story, I know how it feels.

Jim says:

Re: yeah, but on AOL........

This happened to me too. I got my account restored after getting someone on the phone, but they said the same thing — “must have been a virus.” I know there was no virus for the same reason as you: Norton scans, sw firewall, and a router that’s the only thing visible to the Internet.

Scanning bots are certainly one possibility, but there is another: “trojan” sites. A few days after my spam experience, I remembered getting an e-mail with an Instant-kiss or other such greeting. Clicking on the link without looking carefully at the URL, I was given a sign-on screen that looked like AOL. I entered my name and password and got an innocuous message that I soon forgot. Unfortunately, whoever ran the site now had my AOL name & password.

Since my screenname was hijacked, I’ve been more careful. I have gotten more notices of Instant-kisses and such (at least five this week), but have taken the time to read the URLs — each was hosted somewhere other than AOL. I now forward any such message to AOL’s Community Action Team in the hopes that they can get the sites shut down (one of my neighbors is an AOL lawyer, and she has plenty of colleagues.)

Just a word of caution. Even one careless moment can open your account to SPAM senders.

Anonymous Coward says:

Re: Re: yeah, but on AOL........

It gets even better than that. Imagine this url:
http://www.aol.com/%73%6e%6f%77%70%6c%6f%77%2e%6f%72%67/martin/
Now, this url certainly looks like it’s on aol. In fact, the url above is on aol, but the link is pointing you somewhere different. (in internet explorer; mozilla throws up an error, even though it clearly decodes things properly) Unless you see that the linked url is different from the one that the link claims to be pointing at (and different only in that subtle “@” character), you’ll think that the page is on aol.
In fact, it’s just my personal page, but I could easily replace that with something that looked just like an aol signon page.
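The URL reading described in the two comments above, done mechanically, as an added example that is not part of either comment: it walks the links in an HTML message and reports any whose real host is hidden behind an "@", written in percent-encoded form, or different from the host shown in the link text. The sample HTML and the `.example` host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: one link built like the one in the comment (text shows "/",
# href uses "@"), one plain text/href mismatch, one harmless link.
SAMPLE_HTML = """
<p><a href="http://www.aol.com@%6c%6f%67%69%6e%2e%65%78%61%6d%70%6c%65/signon/">
http://www.aol.com/%6c%6f%67%69%6e%2e%65%78%61%6d%70%6c%65/signon/</a></p>
<p><a href="http://signon.example/aol/">http://www.aol.com/</a></p>
<p><a href="https://www.example.org/help">Help page</a></p>
"""


def real_host(url):
    """Host a client would contact: the part after any '@', percent-decoded."""
    try:
        host = urlsplit(url.strip()).hostname or ""
    except ValueError:          # malformed authority, e.g. unbalanced brackets
        return ""
    return unquote(host).lower()


def link_findings(href, shown_text=""):
    """List the reasons a link is misleading; an empty list means none found."""
    findings = []
    parts = urlsplit(href.strip())
    host = real_host(href)
    if parts.username is not None:
        findings.append(f"'{unquote(parts.username)}' before '@' is not the host; "
                        f"the host is {host}")
    if "%" in (parts.hostname or ""):
        findings.append(f"host is percent-encoded; it decodes to {host}")
    # Only compare when the visible text itself looks like a URL.
    shown = real_host(shown_text) if "://" in shown_text else ""
    if shown and shown != host:
        findings.append(f"link text shows {shown} but the href goes to {host}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_html(html):
    """Return [(href, findings)] for every link with at least one finding."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        findings = link_findings(href, text)
        if findings:
            flagged.append((href, findings))
    return flagged


if __name__ == "__main__":
    for href, findings in scan_html(SAMPLE_HTML):
        print(href)
        for finding in findings:
            print("  -", finding)
```
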

I_Hate_AOL says:

Re: Re: yeah, but on AOL........

I had AOL when I got my first PC. I used the then 100 free hours to access the net until I could get a real ISP.
My son liked AOL (IM I guess) so I kept it for a while. After he moved out I tried to terminate the service.
Each time instead of terminating the service AOL would give me two free months.
This went on for several months, each time on the third month when I received a charge on my American Express card I would call AOL again to end the service.
After dealing with AOL 3 or 4 times and not getting the service ended as I wanted I called AMEX and explained the situation and did a charge back.
I thought the ordeal would be over at that point after AMEX removed the charges but that wasn’t the case.
AOL sent me several letters showing usage times and dates. True the account was being used but not by me or anyone in my household.
The master account was in my name and being charged to my CC. If I wanted the account terminated for what ever reason it should have been done at the time of my request.
A couple of months later I received an AMEX statement with ALL the AOL charges back on my account again.
I called AMEX and asked about the charges and was told that AOL did not respond to their requests so the charges were reinstated on my account.
I told AMEX that was absurd, to do nothing and they are rewarded for it when I took the time to make copies of all the emails I sent to AOL requesting to end the service and faxed them to AMEX as per their instructions showing the dates and times I requested the AOL service to be ended.
AMEX told me the charges would remain, they had made their decision and it was final, I would have to pay the charges.
At that time I had an A1, 100% spotless credit rating for more than 20 years.
I decided that I wasn’t going to make another payment on my AMEX account and didn’t.
I will never have anything to do with AOL or AMEX again, not even if they paid me.
Most credit card Companies will side with the customer, AMEX will side with the merchant in almost every instance.

That’s how I ended my AOL service.

a system administrator says:

Re: The importance of good passwords...

“spammers use “bots” to get passwords”

Crackers and script kiddies use password crackers to find the most vulnerable and easy to guess passwords.

My accounts (being a system administrator, I have access to lots of different servers with lots of different passwords) have never been cracked by password crackers, and I’m fairly confident they never will.

Be careful with your passwords and follow these rules:

  • never give your passwords to others, including system administrators. sysadmins don’t need your password to do their work; people who claim they need your password to do their job are lying — if they are sysadmins, they have full access to your account anyways. Sometimes tech support people ask for your password (they’re usually no sysadmins themselves); never tell them, especially if you use the same password for other accounts (not recommended, but with a lot of accounts, it can be hard to keep track of all the different passwords).
  • never write your password down, send it in an e-mail or store it unencrypted in a computer.
  • Don’t use your name, a friend’s name, your pet’s name, or any other name as a password. Don’t use any ordinary word or brand name. Crackers try to crack your account using huge dictionaries of words and names which they process automatically in a short time. Like thousands of tries per second.

In spite of what you might think after reading the strict rules above, a password that is hard to guess doesn’t have to be hard to remember. A trick I use sometimes is thinking of a sentence (of at least 8 words) and taking the first characters of every word as my password. It also helps if you can sneak in a number or a punctuation symbol. The last part of the previous sentence would get you ‘Sianoaps’ with this trick — a password that won’t be found with dictionary crackers.

Don’t think I’m being overly paranoid about this. There are a lot of password cracking tools available, and a lot of script kiddies worldwide want to play with them.

regards,
a system administrator

Evil says:

Re: Re: Re: The importance of good passwords...

>> If you don’t want to give your password to tech support, fine. But don’t be surprised if they can’t help you with your account after that. <

That is, for lack of a better word, stupid. NEVER… EVER… give your password to ANYone. The tech support guys at your ISP/Company can simply *change* your password if its use is really required. They shouldn’t even need it in the first place – THEY’RE the one with administrator rights. If you tell anyone your password, the conversation is open to interception. Also, it means you plan to be slothful and not change the password afterward: Do you want some part-time ISP Admin going home, having a few drinks, and then deciding it might be fun to read through your personal correspondence (since he still remembers your password)? Always make them reset it, then change it back when they’re done.

David (user link) says:

Me too!

Yup, had the same thing happen to me, twice. I get any email with my domain on the end of it. Some spammer made up a name like “adelstre”, tagged it onto my domain email, and sent the spam off. Got a few hundred bounces. What really amazed me was that *not one person* wrote back to complain that I’d sent them spam. All I got were the bounces… I tracked the stuff down to a server somewhere in China. Sent a few abuse reports to the ISP, but heard nothing back.

Lawrence (user link) says:

Re: Re: Chinese and Spam

Not totally true.

More and more providers here in China have no spam as part of their terms of service. Some of the smarter ones are starting to realise that spam degrades their service and are putting in enforced server authentication for sending messages. This stops the majority of spam through open servers in China ISPs (which is sent by you US users mostly).

The main problem is the people who have clue are not usually the people who run things.
It can be difficult getting to the right people in the states too (as experience tells).

Lawrence.

Tim (user link) says:

Nice article

I remember when it started happening to you. As I recall, it took you a while to “resigned [your]self to looking at this from an anthropological perspective”. Nice article. I’m sorry that you weren’t able to sell it, but I am glad you wrote it and posted it.

How many people actually wrote you?

What do you use for a spam filter?

Thanks,
Tim

Mike (profile) says:

Re: Nice article

I remember when it started happening to you. As I recall, it took you a while to “resigned [your]self to looking at this from an anthropological perspective”. Nice article. I’m sorry that you weren’t able to sell it, but I am glad you wrote it and posted it.

Thanks. It did take some adjustment period… I’ll admit the article was a tough sell because it’s not clear what sort of news organization it fits with. However, the responses I did get from a couple were kind of amusing. I was told that since there’s no way to prevent it from happening “why should we bother publishing this?” and another news organization told me that the spam story has been done and “this doesn’t further the story in any meaningful way”… I disagree, since clearly this is different than the thousands of spam stories that still get published and this particular thing is happening more often (sometimes confusing the hell out of its victims)… but, it’s not my call.

How many people actually wrote you?

How many wrote me to say the same thing happened, or who responded to the spam?

What do you use for a spam filter?

SpamCop. It has its problems, but it does the job.

Brian says:

Can you make the bounce messages available?

I’m trying to integrate some bouncing features into POPFile (a great open source spam filter btw, popfile.sourceforge.net, which uses bayesian word counting, so catches things that “hardcoded” filters can’t) and could use some examples of the automatic bounce messages. Is there any chance you could make them available? Perhaps via ftp, or in a zip file that you could email?
I have no interest in any of the addresses in them, just the formatting, so if you have any concerns, feel free to mangle the mentioned addresses (it’s a shame that search and replace can’t do random substitutions).
And I can sympathize with you. I own a domain as well (mooman.com) and someone did the same thing a while back, using one of my email addresses as the “reply-to”. Thankfully it must have been a small mailing (or a relatively clean address list) because I only got a few bounces from it. But I’d like some more samples to improve my own spamfilter…
Thanks!
(the above “ZZN” address is a throwaway one I just signed up for given how often my preferred ones seem to get harvested..)

Tim Stone says:

Re: Can you make the bounce messages available?

Popfile and Spambayes are both sourceforge.net projects designed to deal with spam in a “machine learning” style of filtering. Simple filtering technology is becoming less effective in dealing with wily spammers. Bayesian filtering technology, which is trained as you go, is very effective. I would encourage anyone to check out these projects at sourceforge, and find out what a joy spam-free living can be 🙂 Look at spambayes.sourceforge.net and popfile.sourceforge.net for more information.

John Draper (user link) says:

Re: Can you make the bounce messages available?

There are so many cool features you can add to a “pop3proxy” to do all of what you want to do.

You might want to go to spambayes.sourceforge.com and check it out. It’s written in Python (my favorite language – no flames please), and it has a really nice web based GUI, and interfaces with the SpamBayes Classifier and Tokenizer.

As part of our proposed SMS (Spam Management System) we intend to also develop an SMTP proxy that’s going to be really awesome.

Also, if you are running OpenBSD servers, you might be interested to know that Theo (author of OpenBSD) has added some really cool anti-spam features down at the really low Packet Filter level that can cause spammers huge headaches if they target OpenBSD systems.

Details on the OpenBSD.org web site.

Jesse (user link) says:

Only two things to do...

There’s really only two things to try in this situation, neither of which seem to do much good:

1) Trace the headers back. Send e-mails to the admins of that (probably open) mail server as well as the upstream ISP.

2) Find out to whom the domain of the ‘advertised’ web site is registered. They might be less likely to let spammers do their mailings (or do it themselves) again if they have real live people calling with threats of litigation.

John Draper (user link) says:

Re: Only two things to do...

Tracking down through the domain registration is a really good way to get to the Site owners.

However, in my endeavors, I find that a large percentage of the site owners are not even aware that spammers are hawking their site.

However, you can put a lot of pressure on them to assist you in tracking them down, but don’t be surprised to find that MOST domain owners are totally unaware and powerless to do anything about it, assuming they would even be willing to cooperate.

In some cases, we discovered a rather elaborate “stock pump up scam” where spammers would target a company through their web site, spam the heck out of them, with the company totally unaware this is taking place, and only leaving them to wonder why they are getting a lot of interest.

Prior to the massive spamming binge, they buy out a lot of stock at their low opening price, and when the stock increases they sell it. How do they sell it? By spamming of course.

They would target companies just going IPO.

But most of the “fly by night” companies will hire spammers living outside the country, stealing open gateway service.

It’s perfectly legal of course, and most of the spammers live in the USA, are filthy rich, and need to be “exposed”.

I’m in process of developing the tools to make that easier to do.

JD

Anonymous Coward says:

Re: Those volumes were pretty low

I was getting hit at a rate of about 1500 emails per 6 hours…and that’s pretty much when it filled up my 10mb mailbox. This happened for several weeks in a row. And since these are only the bounced emails, I can’t imagine how many spams were sent and actually got through as well.
Since this was a web mail interface, I was able to delete only 100 at a time, the limit of the web mail interface. After a while, I just let the inbox stay full because it was taking too much time to delete.

500 in 36 hours is almost nothing.

🙂

Antonio says:

Hypothetically speaking..

Imagine that maybe spammers don’t spam you directly but spoof your email so you get bounces off of their servers. The actual spam would be bounces off their servers. Why you ask? Well, for one thing, it is difficult to filter spam that has your reply-to address. Most filters just let email with your reply-to address through. Devious and very very annoying. 🙁

Anonymous Coward says:

Re: One word... ASK (Active Spam Killer)

It requires a one time confirmation from all new email addresses that email you. EMail from yourself to yourself requires an identifier in the email you send. All emails that do not get a reply from the sender stay in a queue on the server and you never have to see them (you can if you want by sending a special command to the server).

You need a *nix mail server though :).

Harald says:

Re: Spam filters should look at the content!

Attempt to use “spam filters” that don’t look at the actual content of the mail is futile. Microsoft, for one, just doesn’t get it, as don’t most webmail services. If you can afford it use something like Spamassassin, utilizing Bayesian filtering and sending reported spam to Razor and other fingerprinting services. I was on the Spamcop route for a while but with 30-50 spams per day it took me more time than just deleting all the crap. Spamassassin gives me > 99% success and no false positives so far.

Unfortunately, Spamassassin requires Perl, and I don’t know if it runs on non-Unix systems. But if you use M$ stuff you’re doomed anyway.

John Draper (user link) says:

Re: Re: Spam filters should look at the content!

With such an amazing amount of interest in stopping spam, and even more people wanting to contact spammers, I’m almost compelled to offer a service to the anti-spam community. Some of the things I’m considering are:

1) POP Proxy spam filtering – Of the Bayesian type, for those who want web based mail like “hotmail” who just cannot run Perl scripts or have access to their own UNIX box.

2) WEB based access to their Email like “hotmail”.

3) Spam management and reporting services

4) Spammer tracking services – where we track them down for you.

Obviously, I cannot offer these services for free, but I’m open for suggestions on what is a reasonable amount to charge.

Any comments?

John

aNonMooseCowherd says:

envelope information vs.

You’re wrong about servers using the “reply-to:” field for bouncing email. They normally use the envelope information (see RFC 2821), which does not have to match anything in the header or the body of the email. The “reply-to:” field is intended for the mail user agent (the recipient’s email program), not the mail transfer agent (the email server).

C Medler says:

Re: envelope information vs.

If the writer was “wrong” about servers’ use of the reply to field, then why am I getting about 10 “failed delivery” messages per day from servers?
Like other people, when I have tried to trace the origin of the original spam, I find servers in China or, in one case, in South America. Up to now, the careful letters containing complete headers I’ve sent to the tech response people for those ISPs have not resulted in the spam being halted.

Richard Remer says:

I'd like to get a copy

Mike,

If you’ve still got the spam could you send it to me at nospam@wwnet.net?

(Yes, that is a real e-mail address). I work at an internet service provider and while you said yourself there were no discernible patterns on bounced messages, I’d still like to peck through them and see if I find anything useful for spam filtering.

BTW, I use spamassassin for my spam filtering and all I have to say is this: 6 months, one spam has got through, and I haven’t missed an e-mail (that I know of; if I missed it then I missed it).

Lee T (user link) says:

spam spoofing

One of my email accounts is currently suffering the same plight. I get 20-50 undeliverables a day from all over the world and there is nothing I can do about it. I think very detailed information should be included in e-mail headers, screw anonymous. I would be willing to give up that right in order to make people accountable for their actions. Spammers seek out poorly secured systems and exploit them for personal gain, is that not “cyber terrorism?” What makes them any different than Kevin Mitnick or any other “hacker” who has ever been prosecuted? The difference is most of the “hackers” never did any harm, whereas the spammers cost businesses money for bandwidth, disk usage and time. America has a really twisted idea of right and wrong, that’s my 2 cents.

John Draper (user link) says:

Re: spam spoofing

One of the really cool things we’re going to be able to do with the SMS, is to “generate” honeypot addresses. Then infiltrate their spam lists with them. We can generate an infinite amount of “honeypot” addresses, all are perfectly valid (No bounces), but go into a single folder.

So each spam coming in, is entered into a database, and “assigned” a honeypot address. So as mail starts coming in, a single click on the address looks up the specific spammer, and we can instantly tell if the spammer sells our Email address.

This is great for using in Opt out attempts, and instantly points the finger to the spammer.

All this is automatic, as the spam being processed is added to the database. Each record in the database allows for notes to be added, so when time permits, the spam hater can add other bits to the database record like the “Domain name” contact information (which is also automatically added to the database record).

It can also go in and attempt to Opt out, and failed attempts would then classify the spam into a special section that automatically sends it to “uce@ftc.gov”, and others can be “classified” to be sent to SpamCop automatically. But you still would have to individually give each one your attention for the final spamcop submission.

All of this is handled automatically of course, and as it’s processed, it logs everything, identifies any errors and when I have time, I can go in and see how it’s doing.

Ahhhh! the wonderful things you can do with ‘real expressions’….

John

Sean Reifschneider says:

Only 500?

It sounds to me like they are clearly sending out their message using a huge group of Reply-To addresses, of which yours is one… 500 bounces is nothing…

I’ve had this sort of thing happen to me several times in the past, though not for a few years currently. One Saturday morning I woke up to find my mail server chugging along trying to deliver me over 10,000 messages, and still going strong. I set up a filter to prevent those messages from coming in but it took a while for the currently queued messages to finally get delivered to me.

Another time I got nearly 30,000 messages when someone in Texas sent out an advertisement for a cookie recipe…

Unfortunately, we’re probably going to have to do something like confirming every message, signing messages, or smarter filters that understand not only the sender address but also the path that was taken to get to you.

Sean

John Draper (user link) says:

Re: Only 500?

I know how the spam programs work. I collect them to analyse them so I can develop pattern recognition to combat them.

One such program is “mail-safe.com” – and each of these spammer programs allow for anyone to put anything they want in the “reply-to” field, and forge any of the headers in any way they see fit. Some can get this information from large files of other Email addresses they “harvest” from the web.

I’ve developed a good collection of “spam rules” that can catch these programs, and not only identify where they are used, but also positively identify anything they send out as spam.

Most of these programs come from “Spam Packages” sent to people who reply to yet more spam like “Make money at home”… there are literally MILLIONS of these spam packages out there, complete with lists of open gateways, specific spam to send, and how to find more.

If anyone wants to go after spammers, then these would be the first ones I would want to go after.

Of course what can you do….. NOTHING… except flood the uce@ftc.gov with your spam, and continue the time consuming process of spamcop submissions.

Adam says:

Partial solution..

This has happened to me twice now, although I received only 5-8 bounces each time (no telling how many actually were sent, of course).
A partial solution I’m thinking about trying is simply to have my SMTP server keep track of the message-ids of the mail that I send out, store the ids for some number of days, verify against received bounce messages’ ids, and flag mismatches as being spam (more likely, anyway).
Of course, determining if something is a bounce message isn’t perfect, and this assumes that the message ids aren’t mangled on the way back, but it _should_ help somewhat for this sort of spam spoof problem.
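The check proposed in the comment above can be sketched as follows. This is an added example, not code from the commenter or from any mail server: the `SentLog` store, the four result labels and the sample bounce are assumptions constructed for illustration, and it only handles bounces that quote the original headers in a `message/rfc822` or `text/rfc822-headers` part.

```python
"""Added example: match incoming bounces against Message-IDs we really sent."""
import email
from email import policy
from email.utils import parseaddr
from datetime import datetime, timedelta, timezone


def normalize(message_id):
    """Strip whitespace and angle brackets so stored and quoted ids compare equal."""
    return message_id.strip().strip("<>").strip()


class SentLog:
    """Hypothetical store of outbound Message-IDs, kept for a few days."""

    def __init__(self, retention_days=7):
        self.retention = timedelta(days=retention_days)
        self._sent = {}  # normalized id -> time the message left our server

    def record(self, message_id, when):
        self._sent[normalize(message_id)] = when

    def contains(self, message_id, now):
        sent_at = self._sent.get(normalize(message_id))
        return sent_at is not None and now - sent_at <= self.retention


def looks_like_bounce(msg):
    """Heuristic only: a delivery-status report, or mail from a daemon address."""
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return True
    local_part = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    return local_part in ("mailer-daemon", "postmaster")


def original_message_id(msg):
    """Return the Message-ID of the message the bounce claims to return, if quoted."""
    for part in msg.iter_parts():  # yields nothing for a non-multipart bounce
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            original = part.get_content()  # the embedded message object
        elif ctype == "text/rfc822-headers":
            original = email.message_from_string(part.get_content(),
                                                 policy=policy.default)
        else:
            continue
        if original["Message-ID"]:
            return normalize(str(original["Message-ID"]))
    return None


def classify(raw, sent_log, now):
    msg = email.message_from_string(raw, policy=policy.default)
    if not looks_like_bounce(msg):
        return "not-a-bounce"
    mid = original_message_id(msg)
    if mid is None:
        return "unverifiable-bounce"  # id missing or mangled: cannot decide
    return "genuine-bounce" if sent_log.contains(mid, now) else "backscatter"


def constructed_dsn(original_id):
    """Constructed sample: a delivery-status report quoting the original headers."""
    return "\n".join([
        "From: MAILER-DAEMON@mx.example.net",
        "To: adam@example.org",
        "Subject: Undelivered Mail Returned to Sender",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "",
        "The recipient address was not found.", "",
        "--b1", "Content-Type: message/delivery-status", "",
        "Reporting-MTA: dns; mx.example.net", "",
        "Final-Recipient: rfc822; nobody@example.net",
        "Action: failed", "Status: 5.1.1", "",
        "--b1", "Content-Type: text/rfc822-headers", "",
        f"Message-ID: {original_id}",
        "From: adam@example.org", "To: nobody@example.net", "",
        "--b1--", "",
    ])


if __name__ == "__main__":
    now = datetime(2003, 1, 20, tzinfo=timezone.utc)
    log = SentLog()
    log.record("<real-1@example.org>", now - timedelta(days=1))
    for mid in ("<real-1@example.org>", "<forged-9@spam.example>"):
        print(mid, "->", classify(constructed_dsn(mid), log, now))
```

Bounces that quote no original headers land in `unverifiable-bounce`, which is the imperfection the comment itself points out.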

Moira (user link) says:

Urgh...deja vu

I had this happen, and was highly concerned that spam messages were reaching people from my account! My husband and I responded to one of them that had a URL in the body of the message (which was, as it turned out, a site to help people become spammers.) I politely but firmly informed them that if they did not stop using my domain immediately, I would take legal action. The e-mail I received in return was one of the crudest, most vulgar (and, I might add, laughable) things I’ve ever read. My husband was very offended, however, and responded…leading to a brief e-mail war with someone who apparently possessed limited linguistic skills.

However, I did stop getting bounced messages.

*sigh*
M.

Anonymous Coward says:

Be careful about fighting back...

My company was guilty of running an open relay about 6 years ago. When it was first used by a spammer (which ate up all our bandwidth at the time), we tracked them down and reported them to their ISP.
About 3 months later, another pornographic spammer (who I’m assuming to be the same individual) used two non-existent email addresses at my company as both the to and from addresses in their message. All the recipients were BCC’d. Not only did we get all the non-delivery receipts, but we got two copies of every message sent. To make matters worse, since the To address was an invalid email address, each message was returned to the “sender”. Since the sender was also a bad address at our company, the returned message got returned as well, this time to postmaster@our domain. All in all, each initial message created 4-5 messages in our e-mail system (until we created the bogus accounts which reduced it to two). We received over 200,000 messages (including the duplicates) in just a couple days. It was extremely difficult to keep our server up and running for our business mails.
Next came the rash of angry letters from the people who thought we sent the message. We got about 200 responses from the original mailing, a noticeable percentage of which threatened bodily harm for sending their kid on AOL an inappropriate e-mail. After that the most interesting responses came from the people that felt it was necessary to send us “Make Money Fast” schemes since we were obviously disreputable anyway.
It hasn’t happened since, and I’m VERY thankful.

Piet in China says:

Re: A quick and dirty fix

Now that is a great solution! NOT
How about ppl who do business in Asia and/or South America???
Yeah right, great advice u give for all ISP’s in the States. Do u actually have a brain cell working in your head or what? Do you have the slightest idea on how much business is conducted between the US and mentioned continents?

Me says:

SPAM

This happened to me once. I immediately closed that email address and created a new one. I only told the people I like my new email and I never get spam to that address.

1. Create a throwaway email account that you input for any website that demands it.
2. Never post your email. Always write it so a bot can’t use it (or better, type it into MS Paint and post the picture of your email address)

Simple.

A. Nonymous says:

What would happen if the "reply-to" was also inval

For example:
Spammer sends message to joe@six-pack.com, with a “reply to” of jim@foobar.com.

Joe’s account is invalid, so the six-pack.com mail server bounces a message to jim@foobar.com. The foobar.com mail server does not have a “jim” account, so it bounces the message back to joe@bloe.com.

Would this continue on forever?

Anonymous Coward says:

Re: What would happen if the

Yes, it’s a mail loop. Eventually they get killed, I think there’s a TTL on bounce messages, but we had a mail server go down because some joker sent a message to someone who didn’t exist with the same address as a reply to. It’s even better when he does it to a mailing list, then you get 500 bounces at the same time.

zcat says:

Re: Re: What would happen if the

It’s not a mail loop. The first bounce will be from “Mailer Daemon”, not joe.

And usually the second mailer will recognise that anything from a “Daemon” address shouldn’t be replied to. If it does reply, that will go back to the mailer daemon address which is usually a black hole or sometimes an alias for postmaster. Either way it’ll always be a valid address and not generate any more automated replies.
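The behaviour discussed in this sub-thread and in the earlier "envelope information" comment can be modelled in a few lines. This is an added example, not code from any commenter or mail server: `ToyMTA`, `Mail` and `trace` are hypothetical names, the addresses other than the thread's own six-pack.com and foobar.com are constructed, and the model assumes bounces go to the envelope sender and are themselves sent with the null envelope sender (`MAIL FROM:<>`) as RFC 2821 specifies.

```python
"""Added example: why a bounce to a forged, invalid sender does not loop."""
from dataclasses import dataclass, field

NULL_SENDER = ""  # written as MAIL FROM:<> on the wire


@dataclass
class Mail:
    mail_from: str  # envelope sender (reverse-path), not a header
    rcpt_to: str    # envelope recipient
    headers: dict = field(default_factory=dict)


class ToyMTA:
    """Hypothetical mail server that knows only its own mailboxes."""

    def __init__(self, domain, mailboxes, answers_null_sender=False):
        self.domain = domain
        # The daemon and postmaster addresses always exist, as the reply above says.
        self.mailboxes = {m.lower() for m in mailboxes} | {"mailer-daemon", "postmaster"}
        self.answers_null_sender = answers_null_sender  # True models a misbehaving server

    def receive(self, mail):
        """Return (outcome, follow-up mail or None)."""
        if mail.rcpt_to.split("@")[0].lower() in self.mailboxes:
            return "delivered", None
        if mail.mail_from != NULL_SENDER:
            target = mail.mail_from  # envelope sender; Reply-To is never consulted
        elif self.answers_null_sender:
            target = mail.headers["From"]  # misbehaving: answers the daemon's From header
        else:
            return "dropped", None  # never bounce a bounce
        bounce = Mail(NULL_SENDER, target,
                      {"From": f"MAILER-DAEMON@{self.domain}", "Subject": "Undeliverable"})
        return "bounced", bounce


def trace(servers, first, max_hops=10):
    """Follow one message and every bounce it triggers; return (recipient, outcome) pairs."""
    log, mail = [], first
    while mail is not None and len(log) < max_hops:
        mta = servers[mail.rcpt_to.split("@")[1].lower()]
        outcome, mail_next = mta.receive(mail)
        log.append((mail.rcpt_to, outcome))
        mail = mail_next
    return log


def spam_to_invalid_recipient():
    """Constructed scenario from the question: forged sender and recipient both invalid."""
    return Mail("jim@foobar.com", "joe@six-pack.com",
                {"From": "chris@dating.example", "Reply-To": "victim@elsewhere.example"})


def network(foobar_answers_null_sender=False):
    return {
        "six-pack.com": ToyMTA("six-pack.com", ["alice"]),
        "foobar.com": ToyMTA("foobar.com", ["bob"], foobar_answers_null_sender),
    }


if __name__ == "__main__":
    print(trace(network(), spam_to_invalid_recipient()))
    print(trace(network(True), spam_to_invalid_recipient()))
```

With a well-behaved foobar.com the chain ends after two hops; with the misbehaving variant the extra reply lands in six-pack.com's daemon mailbox and stops there.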

John Champion says:

receiving end of guy claiming virus

a couple of weekends ago, a guy spammed a whole bunch of rr users from his rr account and then from a hotmail account sent via his rr account.

the emails pitched his realty services.

he got so many calls and complaints that he began to lie and claim that this was a virus.

and those of us who are technically literate think he’s lying. no virus would create an email targetting the users of rr in his city, point them to a website touting his realty services and asking the user to do business with the spammer.

we gave him so much grief i don’t think he’ll ever use email again. i still call him and harass him right back.

i want him to think twice before he sells my email address to other spammers.

DogMeat says:

How I beat back the spam

I use SneakEmail.com religiously for my email addresses and it’s allowed me to not only reduce to almost nil the amount of unwanted spam but also to pinpoint exactly WHO gave out my address in the first place!
–quoted text from sneakemail.com site–
The original disposable email service, created for email users to regain power over their email from commercial forces and catch them spamming.

Fully user supported and operating free of exploitable commercial ties. No debt, no operating loss, fully self sustaining… a virtual vault for your email address.
Quick Start
1. Create an account: Providing a username, a password, and an email address you wish hidden from spammers.
2. Every time you need to give out your email address to somebody you don’t trust, log in to Sneakemail and create a new Sneakemail address.
3. Give this Sneakemail address to them instead.
Mail sent to this Sneakemail address is rerouted to your real address, and when you reply it is rerouted back to the sender. Your real address is never seen. If you receive unwanted mail through this Sneakemail address, such as spam, you can take control by either filtering incoming mail using the Sneakemail filters, disabling the Sneakemail address itself, or disposing of it permanently. You also now know where a spammer got your address.
–end quoted text–
And for those email accounts that are already spammed but I just can’t bear to get rid of (like my ancient hotmail addy) I use MailWasher from mailwasher.net Works on POP3/HotMail/MSN with support for IMAP/AOL/Yahoo coming later.
I still need to try SpamAssassin on my little Linux firewall, I hear good things about it but haven’t had the chance. But between SneakEmail and MailWasher I can quickly kill almost all of my spam.

DogMeat says:

Re: How I beat back the spam

What’s funny is I’ve already received two pieces of SPAM thru the email address I used here, check out this snippet of message header:

From: “nova12-at-ms41.hinet.net |techdirt.com spam article/1.0-Allow|”

The subject immediately tells me where the spammer got my address so I can go block future emails from them.

John Draper (user link) says:

Spam Conference

For anyone who might be reading this forum, I was one of the speakers at the Spam Conference in Cambridge.

I talked about how I tracked down some of the really nasty spammers. Go to “spamconference.org” for a recording of my talk, but with only 20 mins speaking time, I just barely was able to cover the material.

I’m trying to find time next month to kick off the SMS project. Spam Management System. It empowers the ability of Spam haters to track these suckers down, and make it very expensive for them to do their Dirty deeds.

I don’t have time to explain it here, but anyone can individually contact me if they want more information.

If you use things like POPFile, or other SpamBayes type technologies, then this is something you might want to look into.

John
crunch@shopip.com

nSpectre Anatomy says:

Re: Spam Conference

John Draper… THE John Draper? Right on. Was wondering what you’ve been up to these days. I met you eons ago when you gave a talk at Electronic Cafe in L.A., on a different subject. *cough* =8-)

As an 0ld sk00l IT Wrangler, I’m very interested in what you’re working on. More info would be greatly appreciated. I’ll fire off an e-mail toot sweet.

^5^

SysKoll (user link) says:

It's called a Joe Job

Sending a spam with a fake return address is called a Joe Job in anti-spam circles. This is why you should never, ever reply to a spam.
The only effective countermeasure I found was to use SpamGourmet. It’s a web site that allows you to define disposable addresses forwarded to your real (secret) address. The disposable addresses can be disabled. They automatically shut down after 20 messages from unknown senders (not in your whitelist). So, a Joe Job would generate, at most, 20 replies into your forwarded mailbox. After that, you’d have to re-enable the disposable email, although you’d rather leave it disabled because it WILL be spammed again.
— SysKoll

Karl Stephens says:

Re: It's called a Joe Job

An explanation can be found in the TechTV article Beware the ‘Joe Job’ –
http://www.techtv.com/news/culture/story/0,24195,3415219,00.html .

I’d like to solicit your opinion on using technology to stop spam. I’ve chosen a technical solution because it’s too difficult to change human behaviour short of a big stick and hunting down every spammer – (hey, what you do with the stick once you’ve found the spammer is your own idea).

Do you believe that these messages would be helpful?

  1. Joe Jobs – Internal Return Address Control – Discard all mail with a return address in your realm that originates from outside of your network. Your clients/staff must use authenticated SMTP.
  2. Kill UCE from open relays using the RBL just behind your SMTP gateway
  3. Kill explicitly unwanted mail (on a user-by-user basis) with a black-list.
  4. Filter sender addresses not explicitly trusted using a user controlled white-list to a quarantined area then respond with a request to verify the validity of the address by visiting a web site and performing a minor hand spring/Turing test (such as type the number you see in the graphic).
  5. Next is the anti-virus scanner (off topic I know but essential to stop your address book being stolen) to catch harmful mail from a trusted sender address [where the sender is using an email client with an exploited address book – not mentioning any names here 8-)]
  6. Stop Faked Headers by allowing users to explicitly decline email not using a digital certificate (freebies from Thawte – http://www.thawte.com) by issuing users (and their correspondents) with a free digital certificate.

This should ensure that the following types of mail doesn’t hit my users’ mailboxes:

  • Joe Jobs replies and removal requests stopped at the gateway by step #1.
  • Spam with faked return addresses stopped at the whitelist server in step #4

Pardon me but I’m off to visit http://www.spamgourmet.com
– (Corrected link from original message).


Karl Stephens – karl.stephens_AT_ihug.co.nz

Change the ‘_AT_ to the “@” symbol.

Ykaens says:

No Subject Given

Hello,

First I see all the e-mail addresses are published on this site as regular
e-mail addresses. Talking about easy e-mail address harvesting! What about
my DOT name AT hotmail DOT com ? Damn.. THINK!!!!!!!!

But anyway, I was a postmaster for a newswire company that sends out
approx. 50.000 to 230.000 e-mail messages every 24 hours. Just to make
CLEAR: these are valid newspaper subscription e-mail-lists I do not want to
be associated with spam in any supportive way.

I have A lot of experience with e-mail and spam because I studied AI (data
mining) and worked in several data mining companies.

The SPAM problem will NEVER be solved because people can and will make
money off it.

Other thing, look at the ip addresses in the headers of spam. Want to hack
an e-mail server?

Receive as many spam as you can get, have a script filter out the ip
addresses and voila, you will come up with at least two cracked servers a
day. Which can be accessed by you just like the spammer did. I automated
these steps in just 20mins .. If I can do it, anyone can do it.

My point: Large spam amounts never get send by the advertising company’s
themselves… So it is impossible to do something about it in any legal
way.

People might argue that a lot of people are using the Internet in terms of
numbers. But if one looks at the world-population, only a couple percent
is using the Internet. Try to imagine if 80 percent of the world
population has access to the Internet. Then spam will rise also with a
huge factor. I get about 67 spam e-mails a day, the average Internet user
24, hmmzzz.. 24 * 6.. That will become a lot of spam in the next upcoming
years.

You mention the companies who produce anti-spam tools in a good way. This
should be forbidden to my view. Because they make money off spam and
turning spam into an industry which will grow BIG and has grown BIG in the
past few years.

Anti-spam tools should be produced by the open-source community or issued
by the government to ensure every Internet citizen is protected in their
right to say NO effectively..

You mention that there are no standards for SMTP 550 bounces. You are
correct. The standards are at least 10 years old and one could hardly call
them standards. Who looks after the SMTP standard, every BIG IT company
can implement just as they wish new standards. Should not our legal
representors the government be watching over this ? So that future
implementation of e-mail will become less faulty?

I can continue for hours like this.. But if we really look down in our
common sense we will feel that unless OUR LEGAL REPRESENTORS (the
government) will take a stand, we will never get rid of ADVERTISING.

The computer has grown from a calculator to a medium………… and it deserves the same rights…..

Good night..

Yaekns

p.s.
I saw some people searching for spam archives..
I have over 600 GIG’s of clean spam..

Contact me.. or search google for spam archive..

Stew LG says:

Re: As they say on Slashdot, Mod this one up

This gentleman is correct: we are innocent victims in an arms race that neither party is truly motivated to fix.
The anti-spam guys are not really on your side. In all of these arms races, both sides contribute to the problem. Why are there so many security firms falling over themselves to release exploits? Why are so many viruses being written? Money isn’t the only reason, but it might be the principal one. People make money selling junk or selling cures for junk, not eliminating the entire problem.
Look at SSL web transactions. People got off their duffs and solved that problem. Why? So that people wouldn’t be afraid of using their credit cards on the internet. So that people would spend money. (And, hey look, companies like Verisign & Microsoft got to make money on the certificate infrastructure too, bonus.) The whole thing was at risk of being a bad medium, so they fixed it.
Nobody stands to benefit as directly from clean email as spam senders and spam defenders do from bad email.
A set of RFCs for secure DNS and secure SMTP surely already exist. Why aren’t we already moving to them? Why aren’t they already here?
Oh, sure, naysayers will say that installed base is too big an issue. It isn’t trivial. But having a beefy gateway that provides the secured SMTP interface *IS* way the hell possible.
SMTP is a perfectly adequate protocol for its time – 1982 – 1989. Let’s move on.

Philip Olson says:

What do we do about it?

Okay so this is a problem. Can someone write a detailed article on solutions/bandaids/caveats? Simply deleting them is getting old. In the meantime I use a combination of spamassassin, procmail, and my overused delete button. Am also learning how to understand email headers and related goodies but it’s a bit overwhelming. Btw, I don’t have a porn site nor do I sell Ganja balls from Russia.

Ominous Coward says:

My technique

I have a link at the bottom of every page on my website that says “If you would like us to read email for USD$1000 per page, _payable_ in advance, send it _here_.”

The link “_payable_” goes to a page of terms and conditions. The link “_here_” is “mailto:Bill-me-USD1000-and-read-this-######@domain” where “######” is a randomly-generated serial number which is databased and correlated with incoming email.

If I get email to one of those addresses, I respond with an invoice for USD$1000.00, terms and conditions attached, and a statement thanking them for establishing a business relationship with me, offering bulk rates for reading lots of their emails, and reminding them that until they came to a bulk-rate arrangement, the fee is USD$1000 per email to any address in the domain, payable in advance.

I could conceivably add details of the mail to a spam database, since only spam goes to those addresses.

I have not yet seen a second spam from any of them. (-:

Chris (NOSPAM) Wiltshire says:

Re: My technique

If I get email to one of those addresses, I respond with an invoice for USD$1000.00, terms and conditions attached, and a statement thanking them for establishing a business relationship with me…

I have not yet seen a second spam from any of them. (-:

Not seen any replies? – Do you assume you’ve ever managed to send your invoice to the originator??


On another note, it puzzles me why so many people who have posted replies to this column have used what would seem to be their own, unmasked email addresses.

Also, don’t think that masking your email in humanly removable character additions will save you. – Given a list of the email addresses in this forum so far, it would take someone around 3-4 minutes to filter through the obviously bogus emails, correct the masked ones, and apply the remainder and fixed ones to a new list.

I have a question for those people who say: “Never reply to a SPAM email”..? – Systems which respond automatically to SPAM which request an end user to perform a human recognition test (such as entering the numbers seen in a graphic etc..) ARE performing exactly this REPLY action…

Does anyone have any decent information on the effect of this kind of system on an email account’s long term SPAM hit-count? Does this auto reply system actually go to AID the long term propagation of the email address through more and more spam lists? Or does it slowly reduce the number of spam attempts made on an account?


Another item worth some thought if we are forced to use an accessible email address to register software with / register for services it IS worth using a mail system which allows you to identify each subscription / sign up:

My mail server allows me to suffix my username with a – then a mailbox name, this will file those emails directly into a sub folder of my mail account. I used chris-MORPHEUS@… to sign up for Morpheus. – This is the WORST affected abuse from a known product I have EVER seen! I get 60+ a day to this address alone.! Needless to say, they are deleted in bulk and never read.

I have a mail protection system in place on my inboxes (3 main accounts..) – one which I wrote myself.. It simply requests the end user to visit a webpage, and enter their email address into my acceptance list, then re-send the email. – I’ve YET to ever have a spammer add and resend. (-It’s too much effort, and I’m guessing that most of my auto replies never reach the originator too…)

The net result is that I’ve ended up with a nice long list of all of my friends from whom I love to accept emails… – I’d be happy to sell this list for a small fee? 😉 – Joking..!


Last point: DON’T ever use fake emails to sign up to anything, you MAY hit someone else’s legit email address.. – I was horrified to see someone here had used ‘nospam@nospam.org’ – Well guess what?… I’m PRETTY sure that could well be an active account?

Don’t ever use a fake email address with an active TLD ie: anything.com or anything.org etc if you HAVE to use a bogus email address use something@rubbish.invalid

– Just my 2.854cents worth (I tried to keep it to just 2, but I get carried away.. – I HATE SPAM!)

Chris.

(If you really want to reply to me by email, see if you can track me down.. Google is a wonderful thing isn’t it?…)

Stoat says:

Re: Revenge

A couple of years ago I got some spam from a company in the UK (where I live), advertising their services. They’d even included full contact details and a FREEPOST address, meaning that they would pay the postage on any correspondence. So I used it and posted them a large bag of gravel, weighing a few kilograms, and a short message explaining why they should stop spamming. 🙂

Brian says:

My Short Life As An Unintentional Spammer

This happened to our domain exactly one year ago.
Over three hundred BOUNCED emails per day for about a week.
Our domain belongs to a professional company so it added insult to injury by tarnishing our image.
I hate to think how many emails actually got to their targets.
We did as much tracking down as we possibly could and contacted the server owners, etc.
We even contacted the FBI who told us that “Unfortunately you are not within our jurisdiction”.

Jason says:

Unsubscribing

I know that replying to the message with “unsubscribe” tells the spammer that there is a live person there, but I have followed the unsubscribe in some spams, and it has reduced my spam slightly. Strangely enough, some spammers actually do honor unsubscribe requests. Keep in mind that this wasn’t porn spam. This was probably legitimate commercial spam to buy a product.

John says:

My Short Life As An Unintentional Spammer

Thanks to Mike Masnick for a great article.
I just had the same thing happen to me, although the number of bounces I received was far less than he experienced. It was nice to read about someone else’s similar experience with the growing, unethical spam industry.
Let’s find a solution to end the madness!

John Draper says:

I did some investigation, and came up with this..

Thanx for all the Email, and with your help, I came up with this following information.

First of all, these Bozo’s are already in my database and are way up there as far as the baddest of the bad.

With the spam sample that was provided to me, I dug up the following dirt on them….

This is who owns the domain name of the site advertised in the spam mail.

Registrant:
Quiksilver Enterprises
816 Elm Street, #472
Manchester, NH 03101
US
401-722-6043

Domain Name: LOAKING.COM

Administrative Contact:
Milton, John aaru109@yahoo.com
816 Elm Street, #472
Manchester, NH 03101
US
401-722-6043 —- Calls to this number reveal the person is Chinese, and they don’t speak English.

Technical Contact:
Milton, John aaru109@yahoo.com
816 Elm Street, #472
Manchester, NH 03101
US
401-722-6043

Calls to the phone number reach a person who only speaks Chinese. Their Yahoo address is BOGUS – Totally in violation of the policy of their domain name registrant.

Domain Name: LOAKING.COM
Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM
Whois Server: whois.directnic.com
Referral URL: http://www.directnic.com
Name Server: NS1.GOTDAY.COM
Name Server: NS2.GOTDAY.COM
Status: REGISTRAR-LOCK
Updated Date: 26-jan-2003
Creation Date: 26-jan-2003
Expiration Date: 26-jan-2004

Going to the domain registrant’s site, I obtained their “abuse” Email address and brought it to their attention.

I would say that within 2 weeks, they will lose their domain name.

Gary Garner says:

Re: I did some investigation, and came up with th

John,

They appear to have changed the domain name, but not lost it…

Gary Garner

Registrant:
Quiksilver Enterprises
816 Elm St., #472
Manchester, NH 03102
US
877-289-7300×112

Domain Name: LOAKING.COM

Administrative Contact:
Moore, Alan info@never-paymore.com
816 Elm St., #472
Manchester, NH 03102
US
877-289-7300×112

Technical Contact:
Moore, Alan info@never-paymore.com
816 Elm St., #472
Manchester, NH 03102
US
877-289-7300×112

Record last updated 02-13-2003 07:20:22 PM
Record expires on 01-26-2004
Record created on 01-25-2003

Domain servers in listed order:
NS1.GOTDAY.COM 218.246.33.64
NS2.GOTDAY.COM 218.5.77.19

John-Hans Melcher says:

Re: Re: thank you guys

I just got a Grant Pitch for $19.95…..and before I paid….I decided to do a google search…and came upon this site….

thank you for your diligence….

You saved me $20….

I’m looking for a guide to Grants for my kids reading program….

so I’ll look elsewhere…

Hope Your Wednesday is Wonderful!

John-Hans Melcher
johnmelcher@juno.com
The 21st Century Learning Technique ?
http://www.21stCenturyThinking.com

Ozmiroid says:

If this happens to you...

Another term for this is “joe job”.
If this happens to you, there are some things you can do – take a look at
http://groups.google.com/groups?selm=3C703AAC.3923EDA5%40tls.msk.ru
(helps to read it with a Russian accent 🙂
and try to get help from your ISP. Often your ISP can do things to stop, slow, or divert the flood of bounce messages. Your ISP and many sites (examples http://www.spamcop.net, http://www.stopspam.org) can help you figure out where the original spam came from.

Adrian Ng says:

If only....

Things could have been controlled at the mail server level. Spammers send out their emails through open relays (normally one at a time, with thousands of “rcpt to:” commands or maximum possible), the open relays connect to the mail servers of the recipients, the recipients’ mail servers do a reverse DNS using bl.spamcop.net and find the open relays to be blacklisted, deny it. The open relays bounce the mail back to the victim (you).

Here you deal only with the open relays and no frustrated spam recipients. Your steps for recourse are very much simplified. Unfortunately though many mail servers cannot handle that, plus many mail admins do not want to implement it because of worries about bouncing legit mails.

If only…
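The blacklist check described in the comment above, as an added example that is not part of the original thread: the receiving server reverses the connecting IP, looks the name up under bl.spamcop.net, and refuses the session when the answer falls in 127.0.0.0/8. The resolver table, the `mx.example` greeting and the sample IPs are constructed so the block runs without a network.

```python
import ipaddress
import socket

ZONE = "bl.spamcop.net"  # blacklist zone named in the comment above
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers

# Constructed resolver data (documentation-range IPs), so no network is needed.
CONSTRUCTED_ANSWERS = {
    "25.2.0.192.bl.spamcop.net": "127.0.0.2",     # a listed open relay
    "9.113.0.203.bl.spamcop.net": "203.0.113.1",  # bogus answer outside 127/8
}


def fake_resolve(name):
    """Stand-in for socket.gethostbyname, backed by the constructed table."""
    try:
        return CONSTRUCTED_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(socket.EAI_NONAME, "no such name")


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the client address (octets for IPv4, nibbles for IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """True only when the zone answers with an address inside 127.0.0.0/8."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_query_name(ip, zone)))
    except (socket.gaierror, ValueError):
        # NXDOMAIN means "not listed". A resolver outage also lands here, so
        # this fails open: mail is accepted rather than bounced by mistake.
        return False
    return answer in LISTED_RANGE


def smtp_greeting(client_ip, resolve=socket.gethostbyname):
    """Decide at connect time, before any message (or bounce) can exist."""
    if is_listed(client_ip, resolve=resolve):
        return f"554 5.7.1 {client_ip} is listed in {ZONE}"
    return "220 mx.example ESMTP"


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
        print(ip, "->", smtp_greeting(ip, resolve=fake_resolve))
```

Requiring the answer to sit in 127.0.0.0/8 addresses the worry about bouncing legitimate mail: a zone that starts answering every query with an unrelated address is treated as "not listed" instead of blocking everyone.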

Nick says:

spam fighting

Unfortunately ISP abuse desks are understaffed and so getting a response regarding spam is almost impossible. I spent 18 months tracking and reporting every piece of spam I received, and the only headway I made was to go for the originating spammer, then target the email addresses they use, and the web hosts of any sites they advertise. This is a 3 pronged attack to cut their communications, and their finances. After all, people won’t hire spammers if they no longer have a website to advertise in the first place. The only alternative is to contact the police in some cases if the spammer is offering prescription only medicine or pornography that is illegal. Unfortunately, spam crosses national boundaries. As a UK citizen I regularly get spam which is country specific, and therefore worthless to me even if I was interested in the principle. Other people I know from reading ISP support newsgroups on Usenet found themselves bombarded with 40+ emails per day from Korea, written in Korean, during the months leading up to the 2002 World Cup. Maybe changing the SMTP protocol is one answer, but anonymous email does have its uses as you said.

Anonymous Coward says:

What I do

SPAM in my inbox got so bad that I set my preferences to block everything that didn’t have :cardkey: in the subject line.

Sad that such things are needed, but it works marvelously. All my friends can reach me, and no spammer can. Granted, I probably lose a lot of e-mail that way. But everyone I care to receive e-mail from knows this, so it’s mostly okay.

Antony D says:

HappenING to me right now

Just a note – it’s been happening to me for the last 4 days. Doesn’t seem to be a joe job because the name is obviously not a match with my email address. So far I’ve had 37041 of these pass through my inbox! (that’s the actual number)

What surprises me is that so far I have had NO verified human replies (angry or otherwise), a change from when it happened a year or two ago when many, many people vented their frustration in many, many ways.

Nevertheless, it’s no fun having to download spam just because there’s not enough bandwidth left to run the spam filter AND mail prog.

Alan Doherty says:

Why do mail servers allow people to lie about

sorry but the above commenter obviously has no idea of the distributed nature of e-mail
it is impossible for an smtp server to check whether the e-mail address on the received mail is/is-not forged hell most of the people and isp’s on the internet don’t even use the same servers to send and receive e-mail god knows i wouldn’t allow any of my customers to send outgoing mail via my servers {i’ll tet the pickup but it’s their isp that can handle their outgoing and any subsequent abuse complaints}

Alan Doherty says:

What would happen if the "reply-to" was also i

shouldn’t be possible without a BADLY broken mailserver at both ends as all bounces are sent with an envelope_sender {the address bounces would be returned to} of <> to ensure this never happens
so bounces can’t generate bounces
that said if a mailserver is ignoring the smtp rules and sending bounces with a real envelope sender then yes bounces can create further bounces
, but even then a loop can only happen if the bounce messages are sent from a non-existent envelope sender
, even on mis-configured systems bounces are sent from mailer-daemon@ postmaster@ or somesuch

so to get a loop both servers have to illegally send bounces from an envelope sender of say postmaster@….
and both admins have to be stupid enough to delete the postmaster@ address from the server
{so returned bounces also generate bounces that will be returned etc.}

so unlikely and will only work if used against the most idiotically setup systems
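The bounce rules argued in the comment above, as an added simulation that is not part of the original thread: two toy mail servers trade an undeliverable message, and the function counts how many bounces result. The `a.example` and `b.example` domains, the mailbox names and the 50-bounce cap are constructed for the illustration.

```python
from dataclasses import dataclass

NULL_SENDER = ""  # the empty reverse-path, written MAIL FROM:<> on the wire


@dataclass
class Server:
    domain: str
    mailboxes: set
    broken: bool = False  # True: bounces leave from postmaster@domain, not <>

    def receive(self, mail_from, rcpt_to):
        """Accept one message; return the bounce it triggers, or None."""
        if rcpt_to.partition("@")[0] in self.mailboxes:
            return None  # delivered, the chain ends here
        if mail_from == NULL_SENDER:
            return None  # an undeliverable bounce is dropped, never re-bounced
        sender = f"postmaster@{self.domain}" if self.broken else NULL_SENDER
        return (sender, mail_from)  # the bounce goes to the envelope sender


def count_bounces(servers, mail_from, rcpt_to, limit=50):
    """Follow one message between the servers and count the bounces generated."""
    by_domain = {s.domain: s for s in servers}
    message, bounces = (mail_from, rcpt_to), 0
    while message is not None and bounces < limit:
        sender, rcpt = message
        server = by_domain.get(rcpt.rpartition("@")[2])
        if server is None:
            break  # addressed outside the simulation
        message = server.receive(sender, rcpt)
        if message is not None:
            bounces += 1
    return bounces


def scenario(a_broken, b_broken, postmaster_exists):
    """Mail forged as nobody@a.example is sent to a missing mailbox on b.example."""
    boxes = {"postmaster"} if postmaster_exists else set()
    a = Server("a.example", set(boxes), a_broken)
    b = Server("b.example", set(boxes), b_broken)
    return count_bounces([a, b], "nobody@a.example", "ghost@b.example")


if __name__ == "__main__":
    print("both compliant:               ", scenario(False, False, True))
    print("both broken, postmaster kept: ", scenario(True, True, True))
    print("one broken, postmaster gone:  ", scenario(False, True, False))
    print("both broken, postmaster gone: ", scenario(True, True, False))
```

Only the last scenario reaches the cap; in every other combination the chain ends after one or two bounces, either at the null sender or in a postmaster mailbox that still exists.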

teenytotstales says:

Currently a victim of joe jobbing

Hi all, been reading through the comments to try to find a solution to this “joe jobbing” thing. I have about 120 bounce backs and it’s depressing. I hate to think about all the people/companies that have received emails from these low life spammers with teenytotstales name on it.
I never sent any emails and am scouring the web for a viable solution.
If anyone can help It would be greatly appreciated. Thanks!

Gerald Lenhard says:

No Subject Given

For 5 days last week, all my outgoing/incoming emails went to someone else. Fortunately, changing my password seemed to work for a couple days. Then, I started getting emails bounced back to me. On a hunch, I sent a REPLY stating; “you have stolen my password for illegal use. I have reported it to the proper authorities & hope you hear from them soon”. Haven’t had a “bounceback” since & have my fingers crossed.
