Where Is Spam When You Want It?

Sean writes "In a complete twist to what everybody else is trying to do these days, I need to attract spam to an e-mail address for a research survey I am conducting. I have submitted a few articles to a handful of Usenet groups, and I have signed up to some general mailing lists but so far I have nothing to show for it. How come by personal account gets 100+ spam each day yet when I try to find it I get nothing? Where should I post my address so that it attracts spam?"

Outlook...

[krray]

I ran an experiment to do just this... Originally USENET (a decade ago I did that one), web pages, etc... Hundreds of trap address' across many of the domains in my control -- harvest and block 'em early has been my general method... :)

I recently took 1 Windows 2K box (SP2) and put it directly online in the DMZ type zone. Do NOT patch it and add no virus software. Load some trap address' (never used before) into the Outlook address book.

It took twelve (12) minutes from plugging it in to getting many, many infections, to the final spam. Typical time is 3-4 hours usually and I've seen the test go for as long as 8 hours.

How many people do you know that use Outlook and may have your email in their address book? The bitch of the matter? No Windows here anywhere, well, except for VirtualPC which makes such tests so damn easy -- too bad Microsoft had to buy them up too...

If you want to be scientific, don't

[gunner800]

If you deliberately bait spam, your research will only be about spam as it effects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.

Want to survey spam as it effects a normal, real-life, daily-use e-mail address? Get a new address and starting using it as your primary account. Anything less will be irrelevant statistics.

Re:Hotmail.

[napoleonin]

I don't know where Hotmail gets such a bad reputation from. I've had the same account there for 5+ years, and I get hardly any spam at all (5-10 spam messages per day).

worked for me

[pretzel_logic]

Buy a throw-away domain name and post an index page with a email address. you could also use the method where you record the IP address of the spider by generating the email address on the fly. with [IP of spider]@domain.com and then set up a catch all email box. then you are monitoring the spiders ips and the mail servers ips. this idea was posted on /. a few months back but I couldnt find the link.

Re:Outlook...

[Anonymous Coward]

I've done it a half a dozen times now -- and yes, it was monitored and some-what controlled. At the routing level outbound traffic to obvious ports (21,22,23,25,53,80,110,143,443,etc) was throttled or blocked. Unfortunately some infections use mail or web ports to call home...

A full tcpdump was also in progress (just watching :), logged, and looked through various ways. Honey-pot anyone?

That depends

[dmiller]

If you deliberately bait spam, your research will only be about spam as it effects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.

The relevance of a baited addres depends on how one does the baiting. I'd say that a handful of usenet posts, pasting it to a couple of web pages, use of it to create accounts on websites (e.g. here), etc would be very representative of common patterns of address disclosure.

Domains are wonderful

[sunF]

For the past couple years I've forwarded all emails for a domain to one account. Whenever I give out my email, I give their website/company@my-domain.com and try to insure they will not spam by doing the usual unsubscribing. Classmates was a violator, however I went back through and reunsubscribed and rarely get anything. The worst offenders I found were morpheus-musiccity, iseekyou(icq), and my-domain. Hotmail was pretty bad when I originally signed up because I didn't unsubscribe at passport.net.

Re:Outlook...

[dboyles]

Don't think I'm calling for honeypot operators to be arrested for setting out some bait. I think it's fine. In fact, I think it's a good addition to a security infrastructure. But dropping something insecure out in the open with full knowledge that it will probably be compromised and then likely used for undesireable activities isn't responsible.

Perhaps I should have made that point more clear initially.

Re:'Unsubscribe'

[Anonymous Freak]

I actually tested that not too long ago. I made a hotmail account, did not use it, or publish the address anywhere. After two months, I found I was getting 10-15 spams a day. So, I started using the 'unsubscribe' links in all of them. In two weeks, I was down to 1-2 spams a day.

Finally, after another two months, it was back up to 8-12 a day. So unsubscribing did seem to work, rather than hurt.

Who you use as an ISP is important

[Zero__Kelvin]

Is the account you want spammed provided by the same ISP as your personal account? It sounds like the ISP you are using for the research account might be doing a really good job killing off the spam before it ever gets to you. In order for the research to be uncorrupted you need to verify that your ISP passes all e-mails through to you, rather than spam filtering.

Re:Change your thesis - Decode the encryption.

[CaptBubba]

They aren't blocks of encrypted text. That text is there in an attempt to throw off spam filters. I think the idea is that if a certain amount of the message is unknown to the the spam filter, the filter won't flag the messgae as spam.

Also they break up words to avoid spam filters, like the following spam I recieved:

"Ge ni tal Enl arge ment - Me dic al Bre akth rou gh F or Me n ! 2 a m azi ng wa ys to e nl ar ge y our man h ood - re ad bel ow..

D oct ors work ed for ye ars crea ting a p il l to en lar ge t he ma le ge nit al ia b y len gt h a nd wi dt h.
T he ye ars of wo rk p rodu ced a pi l l c al led "V P R X", - V P R X P i l l s inf o c li ck her e .
a nd al so a pa tch simi lair to the qu it sm o king pat ch . - P e n i s P a t che s i nf o cl ic k her e . "

I just hope they don't discover this [slashdot.org], which is much more readable and still produces the same filter avoiding results. Fortunatly Bayesian filters learn these tactics and significantly reduce their useable lifespan. Expect to see the face of spam change more often and more dramticly with the widespread adoption of such filters by AOL and others.

Re:Outlook...

[dboyles]

If you leave a box of goodies outside your house, you may be asking for trouble, but you're not accepting responsibility for someone stealing it.

Okay, let's talk about the box of goodies. Let's say you leave a box of weapons outside with full knowledge that a neighborhood kid will probably find it and will likely use the contents for something illegal. If that happens, do you think you are partially responsible for whatever happens?

Before you jump all over me for such a hyperbole of an analogy, no, I don't equate running an insecure machine with handing out a small arsenal to the neighborhood kids. But I think you might be able to see my point given so many peoples' reactions of "What kind of parent leaves a gun where a kid can get it?" seemingly whenever a video game violence article is posted.

Take note of the bold text in the first paragraph. It's key to my point. If that box of weapons was in a place that you could reasonably assume wouldn't be accessible by the hypothetical gunman, I wouldn't place any blame on you, the owner.

So no, you're not responsible for other's actions, they are, don't be stupid.

You're exactly right - you aren't responsible for others' actions. In this case, you'd be liable for your irresponsible action.

how in the heck

[Twister002]

do questions like this make it to the front page?

Re:That depends

[MMaestro]

Thats true, but "common patterns of address disclosure" also varies based on the user. Slashdotters, for example, are usually intelligent enough to avoid the pitfalls of trap webpages people like Joe Average fall for. Because of that, the spam e-mails you'll get will vary against the type of spam between Jenny Girl seven year old who gets cartoonie spam while Grumpy Old Man seventy year old will get youth-restoring spam.

Re:Hotmail.

[Anonymous Coward]

I used to have a hotmail address that would get bombed with over 25 emails a day. Then just recently i stumbled on a free service called shadango.com. It uses Spamassassin(which so far has worked remarkably better then hotmail's filtering) and it allows me to check multiple addresses all from the same interface. I don't know if services like this are the answer to the spam problem but it's definitely worth checking out.

Re:Ebay

[Izago909]

About 3 or 4 years ago I started buying things on ebay. As a student, I spent much of my day on campus. Many times, if I needed to get on the internet, a workstation wasn't always available or convenient to get to. The school did have many old 386 and 486 linux boxes that did nothing more than ssh into PINE for email. These things were all over the place. So sometimes I need to be notified of bidding while I was out. Without thinking, I had these sent to my school account. Nobody outside of friends, family, or school related people ever got my address besides ebay. In one year's time, I was getting so much spam that my account (60M quota) would overflow up to 3 times a week. I found myself logging on between classes to delete 30-50 messages. Eventually, I paid the school $25 to give me a new name on the network. This time, I still have only given my address to friends, family, and school related people... but no ebay this tame. 2 years later I still have to get one piece. It should be noted that my school has promised to NEVER use any sort of filtering. They cite censorship concerns, but I have some thought otherwise.

Easy way to attract spam for filter testing

[CEO Guy]

Look up FFA on google and submit your E-Mail to thier forms. You should within minutes get a constant stream of spam that will never ever end.

Re:Outlook...

[MrLint]

shall we extend this for a second to the nth degree and see if your analogy holds up. Lets say the person that sells these weapons to people and he knows (because of all the market studies ) that more than 50% of the people buying this 'box of weapons' leave it out for kids in the neighborhood to play with and do illegal things. Who is liable now?

Re:Why isn't Microsoft responsible?

[NanoGator]

"After all, it's their product that set the stage for all of this."

Microsoft isn't responsible for people's actions. Would you want Redhat to be responsible of an exploit was found in their distro of Linux?

Me personally, I'd want them to be encouraged to fix it (i.e. risk losing sales etc.), but I wouldn't want them liable for somebody else being a shithead.

Liability in a case like this is a double-edged sword. Besides, every time something like this happens, everybody gets stronger. Microsoft (eventually) fixes it, the Linux Community has something they can make sure never happens to them (as well as Apple, etc.), and end users get stung and learn better computing practices. Me personally, I run Windows everywhere. Thanks to all these exploits (though none have hit me yet), I'm much better about making backups and I'm far less dependent on Windows being reliable. If I switch to Mac or Linux, then I'm a smarter user in those cases as well.

So, in short, spare us the 'Microsoft should be responsible' argument. Don't stick Microsoft with a responsibility that you wouldn't want your own favorite OS (developer?) to fall under.

Attractive Nuisance (was Re:Outlook...)

[Tripp Lilley]

What you're describing is called the attractive nuisance doctrine [cch.com], and really only applies to the situation with the neighborhood kid, not to an adult upon whom different expectations are placed.

One could argue that the real issue is negligence [cch.com], but proving negligence turns on the phrase (from the referenced definition) "the care of a reasonably prudent or ordinarily careful person in the circumstances".

It's unclear whether or not you'd be able to point to an "average user" and call them "ordinarily careful", in which case you'd definitely be doing about what's average. It might, instead, turn out that the court would say "you're a professional, a sysadmin, and we hold you to a higher standard of "reasonable prudence" by virtue of your knowledge of the consequences. This would be analogous to the trained fighter or black belt getting into a fistfight and whaling on some poor schmoe. Regardless of who "started it", the fighter is going to be held to a higher standard of control and "carefulness".

Of course, that said, you could also use a defense based on trespass, in which you argue that, because the attacker was not authorized to use your system, as long as you weren't specifically stockpiling "munitions" there :-), you're not liable for the attacks based out of your system. I'm not sure what case law in the real world says about this. If you left your front door open and a sniper walked in, sat down in your living room, and started taking potshots at passers-by, would you be liable? Would the court say that, because you failed to lock your door, or deadbolt it, or whatever, you were negligent?

Tough to say, these days.

Thankfully, I'm not a lawyer, so I don't have to worry about such weighty theoretical issues :-)

Outlook = Virus?

[chiasmus1]

Perhaps not criminally illegal, but I believe the owner could certainly be held liable for damages. Imagine if a virus writer put a destructive virus on a stack of floppies and left them precariously around a public computer lab. When the program on one of those disks gets run by some curious person, don't you feel that the virus writer is at least somewhat liable, even though he didn't "pull the trigger"?

I agree with you, but at the same time I also believe the issue is not the same. The machine with Outlook installed is what Microsoft provided. Using your arguments you could argue that installing Outlook on a machine is the same thing as putting a destructive virus on a floppy and leaving it in public place. Wouldn't the creator of the software/virus be held liable?

Re:Outlook...

[Qzukk]

When the program on one of those disks gets run by some curious person, don't you feel that the virus writer is at least somewhat liable, even though he didn't "pull the trigger"?

This scenario is good, but let me share one from my highschool days:

Our computer science department ran on a bunch of old MSDOS computers with no built-in virus scanning (if a computer was behaving oddly, the teacher would come around and boot from an antivirus floppy, and it would be all better). In those days, the popular viruses all spread via floppy boot sectors. Because of this, nearly every floppy anyone used at school was infected with the virus.

So, if I forgot my floppy in the computer and someone else rebooted the machine, is it my fault if that computer gets the virus? What if the computer already had the virus?

Re:Outlook...

[Jucius Maximus]

"How many people do you know that use Outlook and may have your email in their address book? The bitch of the matter?"

There is an easy defence against this:

Let's say your real address is your.name@yourISP.com. Tou need to first set up a sneakemail address. Use this address as the 'from' address in your e-mails. Then set up your 'name' as "Your Name [your.name-at-yourISP-dot-com]." This way, the sneakemail address (which can be changed whenever spam comes in) will appear in lusers' outlook address books, and clueful people will just copy the real address from the 'Name' field.

Re:Post it here

[RDFozz]

Actually, this is not necessarily a bad solution, and could provide a useful experiment.

Get spam sent to other people with "opt-out" instructions. The common wisdom has it that a significant number of the opt-out deals really verify your address for spammers. Try asking for your e-mail address to be removed (even though it's not really there), and see what happens....

Re:Outlook...

[Anonymous Coward]

The creator of the nuclear weapon didn't pull the trigger, but by your argument is somewhat liable for killing millions of Japanese. Aren't we, the scientists, just doing experiments?

I've got heaps 2347 messages in ...

[chris_sawtell]

... 22Megs, because I've been saving it to train Spamoricle.
Post your e-mail address here and I'll send the spam.tar.bz2 file to it.

There, what could be more helpful?

Re:Any honeypot will do

[terminal.dk]

I tried to put up what looked like an open proxy on port 8080, which simulated the right error codes in in case people connected to port 25 out in town.

Within a week I was getting 100.000 spam mails a day. Within 2 weeks I was over 1 million spam mails a day.

So just pretend to have an open mail server, and you can get all the spam you want, and harvest all the addresses you care about.

Re:Outlook...

[Splab]

That would be the US. Here in Denmark a case like "There wasnt any warning on my firecracker GIMMIE MONEY" would be thrown out faster than the fuse on said item.

A hack for getting spam into a honeypot.

[Berkana]

Here's a neat trick that I figured out for building a "honeypot filter" that identifies and blocks all incoming mail that matches the spam harvested in a honeypot e-mail address before any e-mail is delivered to personal mail accounts. Since the honeypot address is used for nothing else but harvesting spam, using the spam received in the honeypot to identify and block incoming spam guarantees that there will be never be false positives (which is more than most filters can say). If the honeypot is being spammed by the worst offenders, you can be sure the spam that is being received there is being sent to millions of others. This honeypot technique is one of the simplest solutions for reliably blocking spam, but it is contingent on having the honeypot being very thoroughly spammed.

So, here's the hack for getting a honeypot address into the databases of real spammers.

First, you need an existing address that is thoroughly infested with spam. If you look at most spams, they usually have some thing at the bottom that says something to the effect of "click here to be removed from our mailing list."

In some of the spams that I've looked at, the link has CGI script variables in the URL. You'll probably see the e-mail address in one of the fields. Replace this e-mail address with the address of the honeypot address, and go to that site.

The page you go to will usually have two options: "remove me from your list" and "Please continue to alert me of special offers". Select the latter, and submit the form. The e-mail address you substituted into the CGI script will probably start receiving spam real soon.

Some spammers will spam you even more if you click on the "remove me" list, because it just proves that the address is live. Before you click on the link, copy it, and edit the field in the CGI script that looks like an e-mail address, substituting the honeypot address for the one in the link. Then, go to the URL and "remove" yourself. You are likely to just start getting spam in the honeypot, especially from unscrupulous spammers.

Geeks are inquisitve...

[4mn0t1337]

Heh... you put a label like that on something and the first thing I think of is

hmmmm... this must do something really interesting to the computer or disk to have a warning like that...

Next step would be to see if I could induce what the intent behind the restriction would be. If I couldn't reason it out, then I might be tempted to try to dupe the disc and put it in another computer (*Always* mount a scratch monkey.)

In fact, putting an admonition involving tech in front of a geek is like putting something bright and shinny in front of some people.

but on the other hand you just found a way to physically "tar pit" a geek for a better part of an hour....

Re:Hotmail.

[Hoser McMoose]

Hotmail gets a bad reputation because it is attacked FAR more than any other mail server out there, with the possible exception of AOL. The problems with Hotmail are two-fold:

1. There are so many users of hotmail that you can easily end up with a previously used address (so even if you never give out your e-mail address, the previous owner of that address may have signed up to all sorts of crap). What's more, anytime someone puts out their hotmail address with a minor typo (either intentionally or accidentaly), it is usually a real address belonging to someone else.

2. Hotmail is CONSTANTLY being dictionary-probed by spammers. They have been subjected to this sort of dictionary-probe attack for over a year now. This is especially a problem for people with short (6 characters or less) usernames. If you have a username that is in any way related to a word or name and is fairly short, you will be probed.

Another major problem with Hotmail is that until recently it always opened all remote "images" by default. Almost all spam now comes with a "tracking image", which is just an HTML "IMG" url that points to a script to record your e-mail address. End result, if you open the message, the spammers know they have a live address even if you don't click on anything. Hotmail now has the option to disable remote image loading, though I don't know if it's turned on by default or not.

Re:'Unsubscribe'

[bluGill]

General wisdom suggests that some of those companies do unsubscribe you, but then they sell your email as a verified good address. By unsubscribing you they can claim in court that they are honest and ethical, afterall they can prove they unsubscribe everyone who requests it. Selling that address is sleezy, but they figgure they have a better chance of getting away with things, plus make some money.

Enter some contests

[superflippy]

Online sweepstakes are a great spam generator. Sign up for Publisher's Clearing House [pch.com] and opt-in to everything.

Register a domain, and join match.com from hotmail

[dspyder]

Easily the three best ways to collect spam are to create a hotmail account. Then register a brand new domain with that address publicly available. Then join match.com (I think they still offer a free trial of some kind) and watch the spam pour in.

My wife created a unique (with numbers) hotmail account when she joined match.com (we met on matchmaker.com) and used it only for that purpose. Today she gets hundreds and hundreds of spam on it even though it's been entirely inactive for 3.5 years!

Match customer service claims they don't sell addresses and that it's hotmail's fault. Either way, the two together seem to be a quite effective spam trap

Of course, if you're just looking for a corpus of spam to test against, there's plenty out there. Google for +"spam corpus" to find several good sites.

Hope that helps....

--D

Run for office and post your email address.

[rleibman]

Seriously, I ran in 2002 and made the mistake of giving my prefered email address to anyone who wanted to contact me, of course, every newspaper in my district posted it on their website, leagues of voters same, etc.
I now get about 50+ spams a day... nicely controlled with spamassasin.