Spam The Almighty Buck

Attacking the Spammer Business Model 655

Stephen Samuel asks: "Spammers spam because it's an 'easy way to make money'. They send out millions of spams knowing that 99.995% of them will be ignored, but the other 0.005% of responses are pure gold (Andrew Leung at Telus has an excellent report on the economics of spam). Responses to mortgage spams are reportedly worth $50.00 each. What would happen if, instead of technical and legal approaches, we simply started attacking their business model? If people started responding to just 1% of the spam we received, spammers would drown in the responses, and the mortgage spam responses wouldn't be worth an email, much less $50. The Nigerian Sweet Revenge is an example of this. The nice thing about this sort of statistical approach is that it would start to reward spammers for sending out -fewer- emails. (fewer emails -> fewer bogus responses). What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?" Of course, the one major drawback to this is the likelihood of more spam, since you'll be giving them a valid email address. However, many of you may be receiving an increasing amount of spam as it is (even through your filters), so might an organized spam-the-spammers movement work?
This discussion has been archived. No new comments can be posted.

  • by mvpll ( 542255 ) on Monday November 17, 2003 @08:15PM (#7497919)
    This works fine for spam that requires a valid return address, but what about all the spam that is just trying to get you to visit a website. Replying to such a spam just gets you a bounce message.

    Does this mean I now have to read all my spam to decide which I should reply to and which I should ignore???
  • by Dark Nexus ( 172808 ) on Monday November 17, 2003 @08:15PM (#7497921)
    Somebody suggested this in another /. article talking about spam: For those of us with our own mail server, just create a unique email address to respond with.

    Once you're done messing with them, just kill the address. Not exactly a foolproof solution, but I don't see why it wouldn't work most of the time.
  • by RevJim ( 564784 ) on Monday November 17, 2003 @08:16PM (#7497924) Homepage
    Paul Graham wrote an article about this regarding spam filters that fight back. If everyone installs a spam filter that detects spam and then automatically crawls any links listed in the spam, it would bring their web servers to their knees.

    Here's a link to the article.

    http://www.paulgraham.com/ffb.html

  • by spence2680 ( 667507 ) on Monday November 17, 2003 @08:28PM (#7498046)
    The only problem I see with this is that most spam is not designed to be replied to via email. In most situations, spammers rely on people going to a website that they have set up.
  • by sfe_software ( 220870 ) on Monday November 17, 2003 @08:32PM (#7498086) Homepage
    You could always do what I do.

    Add all the spammers to an e-mail list and automatically forward any spam I get (using an address I use only for this purpose) to everyone on that list.


    Having recently been a victim of having my addresses spoofed by spammers, I don't think this is a good idea. Only if the SPAM actually says to reply for more information (or to make a purchase) would this work; in other words, only if you have a reason to believe that the address is in fact going to reach the spammer.

    The majority of SPAM I get does not come from a valid email address, but instead includes a URL to visit or a telephone number to call. Thus, forwarding SPAM to the From/Reply address will either just bounce, or worse, go to the unsuspecting person whose address was inappropriately used.

    I know that often the spammers just use a random address from their list as the From/Reply-To, but for a couple of weeks I was the proud recipient of many thousands of bounced SPAM messages, to the extent that I had to temporarily /dev/null my Postmaster alias (violating RFCs of course).
  • Re:Bogus spams? (Score:4, Informative)

    by rsilvergun ( 571051 ) on Monday November 17, 2003 @08:37PM (#7498133)
    >> I told Mozilla mail to never, ever display HTML email (and can't figure out how I did it, to replicate on my laptop!)

    In Mozilla Mail, going to View->Message Body As and selecting Plain Text turns off HTML for email.
  • Red Condor does this (Score:1, Informative)

    by Anonymous Coward on Monday November 17, 2003 @08:40PM (#7498165)
    The Red Condor (www.redcondor.com) spam filter does this. It even fingerprints the images on site. Only drawback is that it is a gateway filter, so you must have control over your own mail server.
  • Re:Bogus spams? (Score:5, Informative)

    by Stephen Samuel ( 106962 ) <samuel@bcgre e n . com> on Monday November 17, 2003 @08:44PM (#7498200) Homepage Journal
    Sorry, I don't think it will work. 90% of my spams are either gibberish or are otherwise not selling anything.

    This might be the result of blocking remote images in email. To avoid spam filters, some spammers now have an email consisting of little more than a pointer to an image on their (zombie?) servers. The image has all of the text in it.

    If you have images blocked, try reading the source and see if that's the case.
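The check suggested in the comment above (read the source and see whether the body is just a pointer to a remote image) can be automated on the receiving side. This is an added example, not part of the original thread; the function name, the 40-character threshold and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

class BodyScan(HTMLParser):
    """Count visible text and collect remote <img> sources in an HTML part."""
    def __init__(self):
        super().__init__()
        self.text_chars = 0
        self.remote_images = []
        self._hidden = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "img":
            src = (dict(attrs).get("src") or "").strip()
            if src.lower().startswith(("http://", "https://")):
                self.remote_images.append(src)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.text_chars += len("".join(data.split()))

def image_only_report(raw_message, max_text_chars=40):
    """Flag mail whose body is remote images with (almost) no readable text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    scan, plain_chars = BodyScan(), 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scan.feed(part.get_content())
        elif part.get_content_type() == "text/plain":
            plain_chars += len("".join(part.get_content().split()))
    scan.close()
    visible = scan.text_chars + plain_chars
    return {"remote_images": scan.remote_images,
            "visible_text_chars": visible,
            "image_only": bool(scan.remote_images) and visible <= max_text_chars}

# Constructed sample messages (not real spam); hosts use reserved example names.
HEADERS = ("From: sender@example.invalid\nTo: user@example.org\nSubject: hi\n"
           "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n")
SAMPLE_IMAGE_ONLY = HEADERS + ('<html><body><a href="http://shop.example.invalid/">'
    '<img src="http://img.example.invalid/offer.gif"></a></body></html>\n')
SAMPLE_NORMAL = HEADERS + ('<html><body><p>Your order has shipped and should arrive '
    'within five working days.</p><img src="http://cdn.example.org/logo.png">'
    '</body></html>\n')

if __name__ == "__main__":
    for name, raw in (("image-only", SAMPLE_IMAGE_ONLY), ("normal", SAMPLE_NORMAL)):
        print(name, image_only_report(raw))
```

The report only parses the message; it never fetches the image, so running it does not confirm the address to the sender.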

  • by Stephen Samuel ( 106962 ) <samuel@bcgre e n . com> on Monday November 17, 2003 @08:51PM (#7498257) Homepage Journal
    The only way this would work (and it probably wouldn't unless everyone did it) is for the responses to be as real as possible, from real email addresses.

    For the most part, reply addresses are bogus. They usually expect you to visit a web site. It's only 419 spammers (and the like) who usually give (and read) legitimate reply addresses. I'll often use those as my 'response' address.

  • by alexhmit01 ( 104757 ) on Monday November 17, 2003 @08:56PM (#7498297)
    As a rule, with things like mortgage leads, most players work with brokers (BTW: email spam mortgage leads don't net $50/lead). So the spammers are all dumping to the brokers. In general, the brokers combine search engine placement leads, search engine spam leads, legit leads (people that solicit it from financial sites, etc.), into one lead pool that is sold. What would happen is that over time, you would drive the value of that broker's leads down (although that assumes perfect information), but you would INCREASE the percentage of the leads that are from that spammer.

    That means that everyone dealing in leads makes less money, but the spammers make more. That would squeeze everyone, until the only ones making money in mortgages are spammers. This would result in rich spammers, plowing more money into spam.

    The lead business is much less efficient than you think, with hundreds/thousands of buyers and sellers, so if one company dumps the lead broker, another one will pick up their leads. The leads are mostly unpriced, and buyers are chasing lead sources.

    Alex
  • by Anonymous Coward on Monday November 17, 2003 @08:58PM (#7498310)
    Well, in the short run, loan referrals are STILL worth $50

    That's not how it works. They only get a commission if the loan closes- otherwise people would be just making up names and email addresses to get the $50.

    The affiliate programs work on commission- if there is no sale, there is no commission and the spammer does not get paid.
  • by einer ( 459199 ) on Monday November 17, 2003 @09:04PM (#7498357) Journal
    Now what about sending them bogus email addresses and phony information? That would send them on a wild goose chase.

    That would be form fucker [slashdot.org]

    The plan would work if enough people did it (the single reply, not necessarily the form fucker), and it would work for the same reason that spam makes my inbox useless. A poor signal to noise ratio. Someone has to dig through all of those garbage e-mails and harvest the truly interested parties (both of them).
  • by Teppy ( 105859 ) * on Monday November 17, 2003 @09:12PM (#7498406) Homepage
    I just took the first 3 spam in my box, and 2 of them had 800 numbers - surprising. I called them and let them record for a while while I coded. One of them timed out after a few minutes and said "to replay this message, press 1". So I did that a few times also.
  • by shird ( 566377 ) on Monday November 17, 2003 @09:15PM (#7498428) Homepage Journal
    Because they are often hosted on unsuspecting people's hijacked machines, through worms and trojans etc. They are often only compromised for a short period of time, just enough to gather a few dozen responses. So there is no point in attacking these machines, they aren't going to be sticking around for long anyway, and don't even belong to the spammer.
  • by gnovos ( 447128 ) <gnovos@NoSpAM.chipped.net> on Monday November 17, 2003 @09:18PM (#7498464) Homepage Journal
    Well, there is usually a set fee after which they don't pay any more... So you aren't doing as much damage as you think.
  • by grotgrot ( 451123 ) on Monday November 17, 2003 @09:49PM (#7498613)

    All the schemes are easily overcome by a spammer. And it is still easy for them to pick on innocent bystanders. For innocent people, all they have to do is include their URLs in a spam message. Thousands of individual servers checking an innocent person's server even if they decide it is harmless will still be a DDOS against a good guy.

    So here are several ways a spammer can get around everything that is proposed:

    • Include several links in the spam message. For example point at the BBC and CNN as containing relevant content about whatever product you are spamming. (You can use CSS to hide the text behind images or pull other stunts to help obscure it)
    • Include links to your "enemies". Put them last since the automated tools will spider them, but users read sequentially. Again they can be obscured, but they will hurt whoever is on the end of those sites.
    • Always give legitimate content back the first time your web server is connected to from an IP address. You could even put a timer in it that redirects to the real spam page after 30 seconds. Are the crawlers going to wait? Will a human spam checker realise it is a spammer site?
    • Put up legitimate content when you think a spam fighter is looking at your site. If the spam fighters are building good guy and bad guy databases, you could try to ensure they always see good content. You could figure out some of their IP addresses, you could be more cautious if the user has a Linux based browser, you could use a popup since more technical people are likely to have popup blockers.
    • Make extensive use of javascript to make it hard for programs to automatically fill out your forms. You can do the same with ActiveX controls, flash, java and various other tricks.

    It is way easier to do this stuff playing defense. Using RBLs etc when someone tries to get access to your mail server works pretty well. Worst case you deny legitimate email, and the only one hurt is you.

    When going on the offensive, you are trying to hurt others. How much collateral damage is ok? One poster in this thread posted their web site. If a spammer included that URL in several billion spams and you had hundreds of thousands of hits against you, how would you feel? How would you feel if your site was listed as a bad guy site? How would you feel if your system had done something automated as an offensive action against another site (eg trying to fill out name and address forms with bogus information) and it turned out that site was mistakenly listed as a bad guy site?

    And if you think it is easy classifying sites, try these two: jennifer [jennifersblog.com] and jamie [iagreewithjamie.com] (answers at Metafilter: jennifer [metafilter.com] and jamie [metafilter.com]).

  • by starcraftsicko ( 647070 ) on Monday November 17, 2003 @10:02PM (#7498687)
    Also, it seems to me that if you go so far as to purchase the product, you're going to be hard pressed to show how you were harmed by an unsolicited email.


    I think you missed the point here.

    1) The plan in question is being carried out by a Government, not by you or me or some random geek. ... In case anyone slept through civics or government class back in school, let me educate you: The government is a big organization with great coercive powers over everyone on its "turf", kind of like a gang, or "the mob". They make money via a protection racket; they agree to protect you from Hitler, Stalin, Sharon, Arafat, Hussein, Arab Terrorists, Thieves, Murderers, and (the companies care about this one) Fraud, but only if you do EXACTLY what they tell you to, and pay them as much protection money (taxes) as they demand. The GOVERNMENT is going to tell the credit card companies to close some accounts to avoid broken kneecaps, charges of aiding and abetting, a destroyed public image, or all of the above.

    2) The bulk emails sent out are already in violation of the law. Many jurisdictions require valid list removal options and reply-to addresses. The purchase serves only to identify the spammer through his accounts and whatnot.

    3) V/MC is probably breaking numerous laws if they knowingly complete transactions solicited in an illegal manner. Usually they will use the "Ebay" "we didn't know" defense to avoid liability, therefore, the purpose of these GOVERNMENT actions would be to make sure that they (V/MC/DISC/AMEX) officially "know".

    4) The purpose of this activity is not to bring charges, but rather to compel and coerce V/MC etc. into using their various merchant agreements for the public good.

    5) Finally, maybe a few prosecutions wouldn't be a bad thing after all. First we freeze the assets of the spammer and the company being illegally advertised, then we send in some goons to collect "evidence"... and well, you know the rest.

    V/MC and the others will cooperate. They have no choice.

    And no, you will never look at your government the same way again.

  • by djeaux ( 620938 ) on Monday November 17, 2003 @11:05PM (#7499046) Homepage Journal
    There are literally thousands of banks that offer merchant services in the US alone.

    Sounds like a huge market for the enterprising lawyer, who only yesterday thought that tort reform had cut off his cash cow.

    P.S. It ain't entrapment if the 'entrappee' is already committing or planning to commit a crime.

  • I believe you're missing the point.

    The idea isn't to attack at all, rather to reply as an interested customer.

    The scenario is that you receive a mail about getting, say, pills that make your nostrils bigger. All spammers will need a way to ensure that you can make a purchase, and it's through that mechanism that you inquire for more information about nostril enhancement through magic pills.

    If everyone who received an email did this, they would get thousands of requests.

    If they only reply to a few of them then the company selling the pills loses sales.

    So instead, they hire more staffers. When they do that, they are potentially eating into their own profits.

    Given sufficient numbers of respondents, this would make it suddenly unprofitable to mail everyone in the world, leading to an incentive to stop mass spamming.

    That's the idea at least. There's no "attack" involved.

    - Serge Wroclawski
  • by Frodo420024 ( 557006 ) <(kd.nrognaf) (ta) (kirneh)> on Tuesday November 18, 2003 @05:44AM (#7500726) Homepage Journal
    Scams are fun to hit back. I chose one at random (LuckyWin Lottery, in case anyone cares), and pretended to be in on it. When I requested info about the company (history, corporate URL etc - trivial stuff for any real company) before plunking down any money, the guy was quick to anger - he had almost seen my check in the mail already and felt cheated. Fat irony :)

    After playing the game a couple weeks, I reported his banking connection (a real person) to the London Met Police and his email info to his ISP (SIFY of India - *great* customer service!) and had his accounts terminated. That was a laugh and a breeze.

    If you look for the lifelines of 419 scammers, they have their email and their banking connection. Shutting down their email account fast makes their spamming futile. Shutting down their banking connection is harder, but very painful for them. Bottom line: MeThinks 419 scamming will stay benign, they're too easy to wipe out.

    Looking for the lifelines of the real spammers (the Viagra, Mortgage, Patches etc. stuff), there are three: Ability to send loads of email, ability to receive responses (web site or phone number) and ability to receive money. Kill any one of these, and the situation is solved.

    The ability to send email is tricky to fix. We all want that email can be sent freely, preferably for free. Fixing/replacing SMTP to include authentication would be great! But we're still awaiting news from this front.

    Hitting their web sites could be done in several ways. Proper legislation could make it a felony to operate spam-advertised web sites, and they could be taken out. If spam filters included the ability to automatically spider the web sites referred in the mails, they would have to pay for loads of useless traffic to their sites - and their ISPs would look at disconnecting them. It's not a DoS attack per se, we're just making backup copies of potentially useful information :)

    And for hitting back on their payment options, there was an excellent suggestion earlier that the FTC take care of this. That looks very cool. Much better than more laws that are not enforceable anyway :) So clearly an FTC issue if I ever saw one.

    Getting the spammers on any one of these three lifelines would be sufficient - getting them on all three would be very, very effective.

  • by CvD ( 94050 ) on Tuesday November 18, 2003 @06:42AM (#7500841) Homepage Journal
    Either Lynx has a conscience, or wants to make sure it ends up in log files:
    Warning: User-Agent string does not contain "Lynx" or "L_y_n_x"!
    And for some other reason, it doesn't seem to work, but try to retrieve a help file (on my Debian version of lynx).

    So you can use wget, which doesn't have any trouble with a conscience. Replace the 'lynx string with:
    wget --delete-after --user-agent="By sending e-mail...
    Cheers,

    Costyn.
