Where Is Spam When You Want It? 580
Sean writes "In a complete twist to what everybody else is trying to do these days, I need to attract spam to an e-mail address for a research survey I am conducting. I have submitted a few articles to a handful of Usenet groups, and I have signed up to some general mailing lists but so far I have nothing to show for it. How come my personal account gets 100+ spam each day yet when I try to find it I get nothing? Where should I post my address so that it attracts spam?"
Outlook... (Score:5, Interesting)
I recently took 1 Windows 2K box (SP2) and put it directly online in the DMZ type zone. Do NOT patch it and add no virus software. Load some trap addresses (never used before) into the Outlook address book.
It took twelve (12) minutes from plugging it in to getting many, many infections, to the final spam. Typical time is 3-4 hours usually and I've seen the test go for as long as 8 hours.
How many people do you know that use Outlook and may have your email in their address book? The bitch of the matter? No Windows here anywhere, well, except for VirtualPC which makes such tests so damn easy -- too bad Microsoft had to buy them up too...
If you want to be scientific, don't (Score:5, Interesting)
Want to survey spam as it affects a normal, real-life, daily-use e-mail address? Get a new address and start using it as your primary account. Anything less will be irrelevant statistics.
Re:Hotmail. (Score:2, Interesting)
worked for me (Score:5, Interesting)
Re:Outlook... (Score:3, Interesting)
A full tcpdump was also in progress (just watching
That depends (Score:5, Interesting)
If you deliberately bait spam, your research will only be about spam as it affects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.
The relevance of a baited address depends on how one does the baiting. I'd say that a handful of Usenet posts, pasting it to a couple of web pages, use of it to create accounts on websites (e.g. here), etc would be very representative of common patterns of address disclosure.
Domains are wonderful (Score:2, Interesting)
Re:Outlook... (Score:5, Interesting)
Perhaps I should have made that point more clear initially.
Re:'Unsubscribe' (Score:4, Interesting)
Finally, after another two months, it was back up to 8-12 a day. So unsubscribing did seem to work, rather than hurt.
Who you use as an ISP is important (Score:5, Interesting)
Is the account you want spammed provided by the same ISP as your personal account? It sounds like the ISP you are using for the research account might be doing a really good job killing off the spam before it ever gets to you. In order for the research to be uncorrupted you need to verify that your ISP passes all e-mails through to you, rather than spam filtering.
Re:Change your thesis - Decode the encryption. (Score:2, Interesting)
Also they break up words to avoid spam filters, like the following spam I received:
"Ge ni tal Enl arge ment - Me dic al Bre akth rou gh F or Me n ! 2 a m azi ng wa ys to e nl ar ge y our man h ood - re ad bel ow..
D oct ors work ed for ye ars crea ting a p il l to en lar ge t he ma le ge nit al ia b y len gt h a nd wi dt h. .
T he ye ars of wo rk p rodu ced a pi l l c al led "V P R X", - V P R X P i l l s inf o c li ck her e
a nd al so a pa tch simi lair to the qu it sm o king pat ch . - P e n i s P a t che s i nf o cl ic k her e . "
I just hope they don't discover this [slashdot.org], which is much more readable and still produces the same filter avoiding results. Fortunately Bayesian filters learn these tactics and significantly reduce their useable lifespan. Expect to see the face of spam change more often and more dramatically with the widespread adoption of such filters by AOL and others.
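A filter-side view of the word-splitting described above, as an added example that is not part of the comment: fragments are merged back into known words, and the number of merges becomes a signal of its own. The vocabulary and function names are hypothetical, and the sample line is the fragmented text quoted in the comment.

```python
import re

# Hypothetical vocabulary; a real filter would use its own learned token table.
VOCAB = {"doctors", "work", "worked", "for", "years", "creating", "a", "pill"}

def rejoin(text, vocab=VOCAB, max_parts=5):
    """Merge adjacent fragments into the longest vocabulary word they spell.

    Returns (tokens, merged); merged counts words rebuilt from 2+ fragments.
    """
    frags = re.findall(r"[a-z0-9]+", text.lower())
    tokens, merged, i = [], 0, 0
    while i < len(frags):
        # Widest window first, so "work"+"ed" beats "work" alone.
        for n in range(min(max_parts, len(frags) - i), 0, -1):
            cand = "".join(frags[i:i + n])
            if n == 1 or cand in vocab:
                tokens.append(cand)
                merged += n > 1
                i += n
                break
    return tokens, merged

def fragmentation(text, vocab=VOCAB):
    """Share of output tokens that had to be reassembled (0.0 for normal text)."""
    tokens, merged = rejoin(text, vocab)
    return merged / len(tokens) if tokens else 0.0

# Fragmented line as quoted in the comment, and the same words written normally.
SPLIT = "D oct ors work ed for ye ars crea ting a p il l"
PLAIN = "Doctors worked for years creating a pill"

if __name__ == "__main__":
    print(rejoin(SPLIT))
    print(fragmentation(SPLIT), fragmentation(PLAIN))
```

Both inputs yield the same token list, so a token-based classifier sees identical words, while the fragmentation ratio separates the split message from the normally written one.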
Re:Outlook... (Score:4, Interesting)
Okay, let's talk about the box of goodies. Let's say you leave a box of weapons outside with full knowledge that a neighborhood kid will probably find it and will likely use the contents for something illegal. If that happens, do you think you are partially responsible for whatever happens?
Before you jump all over me for such a hyperbole of an analogy, no, I don't equate running an insecure machine with handing out a small arsenal to the neighborhood kids. But I think you might be able to see my point given so many people's reactions of "What kind of parent leaves a gun where a kid can get it?" seemingly whenever a video game violence article is posted.
Take note of the bold text in the first paragraph. It's key to my point. If that box of weapons was in a place that you could reasonably assume wouldn't be accessible by the hypothetical gunman, I wouldn't place any blame on you, the owner.
So no, you're not responsible for others' actions, they are, don't be stupid.
You're exactly right - you aren't responsible for others' actions. In this case, you'd be liable for your irresponsible action.
how in the heck (Score:2, Interesting)
Re:That depends (Score:3, Interesting)
Re:Hotmail. (Score:1, Interesting)
Re:Ebay (Score:4, Interesting)
Easy way to attract spam for filter testing (Score:2, Interesting)
Re:Outlook... (Score:3, Interesting)
Re:Why isn't Microsoft responsible? (Score:3, Interesting)
Microsoft isn't responsible for people's actions. Would you want Redhat to be responsible if an exploit was found in their distro of Linux?
Me personally, I'd want them to be encouraged to fix it (i.e. risk losing sales etc.), but I wouldn't want them liable for somebody else being a shithead.
Liability in a case like this is a double-edged sword. Besides, every time something like this happens, everybody gets stronger. Microsoft (eventually) fixes it, the Linux Community has something they can make sure never happens to them (as well as Apple, etc.), and end users get stung and learn better computing practices. Me personally, I run Windows everywhere. Thanks to all these exploits (though none have hit me yet), I'm much better about making backups and I'm far less dependent on Windows being reliable. If I switch to Mac or Linux, then I'm a smarter user in those cases as well.
So, in short, spare us the 'Microsoft should be responsible' argument. Don't stick Microsoft with a responsibility that you wouldn't want your own favorite OS (developer?) to fall under.
Attractive Nuisance (was Re:Outlook...) (Score:2, Interesting)
What you're describing is called the attractive nuisance doctrine [cch.com], and really only applies to the situation with the neighborhood kid, not to an adult upon whom different expectations are placed.
One could argue that the real issue is negligence [cch.com], but proving negligence turns on the phrase (from the referenced definition) "the care of a reasonably prudent or ordinarily careful person in the circumstances".
It's unclear whether or not you'd be able to point to an "average user" and call them "ordinarily careful", in which case you'd definitely be doing about what's average. It might, instead, turn out that the court would say "you're a professional, a sysadmin, and we hold you to a higher standard of 'reasonable prudence' by virtue of your knowledge of the consequences." This would be analogous to the trained fighter or black belt getting into a fistfight and whaling on some poor schmoe. Regardless of who "started it", the fighter is going to be held to a higher standard of control and "carefulness".
Of course, that said, you could also use a defense based on trespass, in which you argue that, because the attacker was not authorized to use your system, as long as you weren't specifically stockpiling "munitions" there :-), you're not liable for the attacks based out of your system. I'm not sure what case law in the real world says about this. If you left your front door open and a sniper walked in, sat down in your living room, and started taking potshots at passers-by, would you be liable? Would the court say that, because you failed to lock your door, or deadbolt it, or whatever, you were negligent?
Tough to say, these days.
Thankfully, I'm not a lawyer, so I don't have to worry about such weighty theoretical issues :-)
Outlook = Virus? (Score:2, Interesting)
I agree with you, but at the same time I also believe the issue is not the same. The machine with Outlook installed is what Microsoft provided. Using your arguments you could argue that installing Outlook on a machine is the same thing as putting a destructive virus on a floppy and leaving it in public place. Wouldn't the creator of the software/virus be held liable?
Re:Outlook... (Score:3, Interesting)
This scenario is good, but let me share one from my high school days:
Our computer science department ran on a bunch of old MSDOS computers with no built-in virus scanning (if a computer was behaving oddly, the teacher would come around and boot from an antivirus floppy, and it would be all better). In those days, the popular viruses all spread via floppy boot sectors. Because of this, nearly every floppy anyone used at school was infected with the virus.
So, if I forgot my floppy in the computer and someone else rebooted the machine, is it my fault if that computer gets the virus? What if the computer already had the virus?
Re:Outlook... (Score:3, Interesting)
There is an easy defence against this:
Let's say your real address is your.name@yourISP.com. You need to first set up a sneakemail address. Use this address as the 'from' address in your e-mails. Then set up your 'name' as "Your Name [your.name-at-yourISP-dot-com]." This way, the sneakemail address (which can be changed whenever spam comes in) will appear in lusers' Outlook address books, and clueful people will just copy the real address from the 'Name' field.
Re:Post it here (Score:2, Interesting)
Get spam sent to other people with "opt-out" instructions. The common wisdom has it that a significant number of the opt-out deals really verify your address for spammers. Try asking for your e-mail address to be removed (even though it's not really there), and see what happens....
Re:Outlook... (Score:1, Interesting)
I've got heaps 2347 messages in ... (Score:3, Interesting)
Post your e-mail address here and I'll send the spam.tar.bz2 file to it.
There, what could be more helpful?
Re:Any honeypot will do (Score:3, Interesting)
Within a week I was getting 100.000 spam mails a day. Within 2 weeks I was over 1 million spam mails a day.
So just pretend to have an open mail server, and you can get all the spam you want, and harvest all the addresses you care about.
Re:Outlook... (Score:2, Interesting)
A hack for getting spam into a honeypot. (Score:2, Interesting)
So, here's the hack for getting a honeypot address into the databases of real spammers.
First, you need an existing address that is thoroughly infested with spam. If you look at most spams, they usually have some thing at the bottom that says something to the effect of "click here to be removed from our mailing list."
In some of the spams that I've looked at, the link has CGI script variables in the URL. You'll probably see the e-mail address in one of the fields. Replace this e-mail address with the address of the honeypot address, and go to that site.
The page you go to will usually have two options: "remove me from your list" and "Please continue to alert me of special offers". Select the latter, and submit the form. The e-mail address you substituted into the CGI script will probably start receiving spam real soon.
Some spammers will spam you even more if you click on the "remove me" list, because it just proves that the address is live. Before you click on the link, copy it, and edit the field in the CGI script that looks like an e-mail address, substituting the honeypot address for the one in the link. Then, go to the URL and "remove" yourself. You are likely to just start getting spam in the honeypot, especially from unscrupulous spammers.
Geeks are inquisitive... (Score:4, Interesting)
hmmmm... this must do something really interesting to the computer or disk to have a warning like that...
Next step would be to see if I could induce what the intent behind the restriction would be. If I couldn't reason it out, then I might be tempted to try to dupe the disc and put it in another computer (*Always* mount a scratch monkey.)
In fact, putting an admonition involving tech in front of a geek is like putting something bright and shiny in front of some people.
but on the other hand you just found a way to physically "tar pit" a geek for a better part of an hour....
Re:Hotmail. (Score:3, Interesting)
1. There are so many users of hotmail that you can easily end up with a previously used address (so even if you never give out your e-mail address, the previous owner of that address may have signed up to all sorts of crap). What's more, anytime someone puts out their hotmail address with a minor typo (either intentionally or accidentally), it is usually a real address belonging to someone else.
2. Hotmail is CONSTANTLY being dictionary-probed by spammers. They have been subjected to this sort of dictionary-probe attack for over a year now. This is especially a problem for people with short (6 characters or less) usernames. If you have a username that is in any way related to a word or name and is fairly short, you will be probed.
Another major problem with Hotmail is that until recently it always opened all remote "images" by default. Almost all spam now comes with a "tracking image", which is just an HTML "IMG" url that points to a script to record your e-mail address. End result, if you open the message, the spammers know they have a live address even if you don't click on anything. Hotmail now has the option to disable remote image loading, though I don't know if it's turned on by default or not.
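The tracking image described in the comment above, and the address-bearing unsubscribe link described in the earlier honeypot comment, can both be spotted from the receiving side. The following is an added example, not part of any poster's comment: it lists remote `img` and `a` references whose URL carries the recipient's address in plain, base64 or hex form (the encoded forms go beyond what the thread describes); the hosts, parameter names and sample body are constructed.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote

class RemoteRefs(HTMLParser):
    """Collect (tag, url) for remote <img src> and <a href> references."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        wanted = {"img": "src", "a": "href"}.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith(("http://", "https://")):
                self.refs.append((tag, value))

def encodings(address):
    """Forms in which the address may be embedded (an assumed, non-exhaustive set)."""
    raw = address.lower().encode()
    return {"plain": address.lower(),
            "base64": base64.b64encode(raw).decode().rstrip("="),
            "hex": raw.hex()}

def find_address_beacons(html_body, recipient):
    """Return [(tag, url, form)] for remote refs whose URL carries the recipient."""
    parser = RemoteRefs()
    parser.feed(html_body)
    hits = []
    for tag, url in parser.refs:
        parts = urlsplit(url)
        # Identifiers travel in query values or in the path itself.
        fields = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        fields.append(unquote(parts.path))
        for form, needle in encodings(recipient).items():
            # base64 is case-sensitive; the other forms are compared lowercased.
            haystack = fields if form == "base64" else [f.lower() for f in fields]
            if any(needle in f for f in haystack):
                hits.append((tag, url, form))
                break
    return hits

# Constructed sample body; hosts, scripts and parameter names are placeholders.
SAMPLE = """<html><body>
<img src="http://img.example.net/logo.gif">
<img src="http://track.example.com/o.cgi?e=trap%40example.org" width=1 height=1>
<a href="http://list.example.com/remove.cgi?email=dHJhcEBleGFtcGxlLm9yZw">remove me</a>
</body></html>"""

if __name__ == "__main__":
    print(find_address_beacons(SAMPLE, "trap@example.org"))
```

A hit on an `img` reference means that merely rendering the message with remote images enabled would report the address as live; a hit on an `a` reference only matters if the link is followed.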
Re:'Unsubscribe' (Score:3, Interesting)
General wisdom suggests that some of those companies do unsubscribe you, but then they sell your email as a verified good address. By unsubscribing you they can claim in court that they are honest and ethical, after all they can prove they unsubscribe everyone who requests it. Selling that address is sleazy, but they figure they have a better chance of getting away with things, plus make some money.
Enter some contests (Score:3, Interesting)
Register a domain, and join match.com from hotmail (Score:3, Interesting)
My wife created a unique (with numbers) hotmail account when she joined match.com (we met on matchmaker.com) and used it only for that purpose. Today she gets hundreds and hundreds of spam on it even though it's been entirely inactive for 3.5 years!
Match customer service claims they don't sell addresses and that it's hotmail's fault. Either way, the two together seem to be a quite effective spam trap.
Of course, if you're just looking for a corpus of spam to test against, there's plenty out there. Google for +"spam corpus" to find several good sites.
Hope that helps....
--D
Run for office and post your email address. (Score:3, Interesting)
I now get about 50+ spams a day... nicely controlled with SpamAssassin.