Attacking the Spammer Business Model 655

Stephen Samuel asks: "Spammers spam because it's an 'easy way to make money'. They send out millions of spams knowing that 99.995% of them will be ignored, but the other 0.005% of responses are pure gold (Andrew Leung at Telus has an excellent report on the economics of spam). Responses to mortgage spams are reportedly worth $50.00 each. What would happen if, instead of technical and legal approaches, we simply started attacking their business model? If people started responding to just 1% of the spam we received, spammers would drown in the responses, and the mortgage spam responses wouldn't be worth an email, much less $50. The Nigerian Sweet Revenge is an example of this. The nice thing about this sort of statistical approach is that it would start to reward spammers for sending out -fewer- emails. (fewer emails -> fewer bogus responses). What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?" Of course, the one major drawback to this is the likelihood of more spam, since you'll be giving them a valid email address. However, many of you may be receiving increasing amounts of spam as it is (even through your filters) so might an organized spam-the-spammers movement work?
This discussion has been archived. No new comments can be posted.

  • by eaglebtc ( 303754 ) * on Monday November 17, 2003 @08:13PM (#7497884)
    The top 1% of spammers who can afford the bandwidth and the hardware could still theoretically handle the volumes of email they would receive. Then they just have to expand their operations to go after the potential business contacts.

    Now what about sending them bogus email addresses and phony information? That would send them on a wild goose chase.
  • by The Munger ( 695154 ) on Monday November 17, 2003 @08:14PM (#7497898) Homepage
    They work by flooding us with crap, hoping that they get one in a million to answer. We could fight them by flooding them so they have to look through a million emails to find the one legit order. Hmmm...

    Sorting through a pile of junk to get the stuff you're looking for. Sound familiar email junkies?
  • by Qweezle ( 681365 ) on Monday November 17, 2003 @08:14PM (#7497902) Journal
    The best way to get at these spammers is not to use a spam filter, because even the best aren't always reliable.

    What you should do if you are serious about getting on the nerves of some spammers is create an extra e-mail address for yourself that you send responses to spammers with, and get replies (maybe) in. Eventually, you could take all of those spam messages in that email box to a judge somewhere and win yourself a considerable amount at the pocket of a crass spammer somewhere.

    So long as we can outthink them, we can win. :-)
  • Re:Bogus spams? (Score:5, Insightful)

    by Rascally ( 89279 ) on Monday November 17, 2003 @08:15PM (#7497922)
    Those are usually just spams sent out to verify valid email address and filter out bounces, etc so they have a "cleaner" (I use that term in a very loose fashion) list to use for their actual "real" spamming operation.
  • Reply. (Score:3, Insightful)

    by Absurd Being ( 632190 ) on Monday November 17, 2003 @08:16PM (#7497928) Journal
    Reply to EVERY spam. Heck, set up a site where a spam is displayed, and every member of said site goes to the spam's link at say 12:00 EST. The resulting delta-function like demand should break their server, and prevent their legitimate customers from entering. So sending spams, or paying direct advertisers will COST your business. 100000 spams won't be worth $50, but $-50000.
  • by Stormie ( 708 ) on Monday November 17, 2003 @08:17PM (#7497935) Homepage
    How long will people pay spammers $50 a referral once it becomes clear that 99% of said referrals are for non-existent names and addresses?
  • by magarity ( 164372 ) on Monday November 17, 2003 @08:17PM (#7497941)
    It isn't about bandwidth. This plan is to make the flood of loan referrals, or whatever, have lower value. If the only people who respond to loan spams are people searching for loans then each one has a good chance of being a customer. But if there are a thousand bogus loan seekers then there are suddenly less real customers and the loan companies will not want to pay very much to chase bad leads. At least, that seems to be the idea here.
  • by Powercntrl ( 458442 ) on Monday November 17, 2003 @08:18PM (#7497947) Homepage
    I'd say the vast majority of spam that I get is just a vehicle for delivering a URL. The spammers don't want a reply, they want you to go to their website.

    Frequently, I get spam that seems to be selling NOTHING. The reply-to is invalid, and they don't bother including any kind of URL.

    On the bright side, the vast majority of my spam gets caught in the filters - so I only see it if I check the spam folder. And may the spam rot there...
  • by James_G ( 71902 ) <james AT globalmegacorp DOT org> on Monday November 17, 2003 @08:20PM (#7497968)
    If I get a spam that makes it through spamcop and spam assassin, and contains an 800 number (this doesn't happen often), I'll try and call them. It's not cheap to run an 800 number, and they tend to have a several minute long message rather than a real person answering the phone. If you have multiple lines, the fun thing to do is to call up on one line, let the message finish, get to the part where you get to record a message and then call them up again on a second line and conference the two together. Record their outgoing message as your message, rinse, repeat.

    It feels good to cost the spammers some money, even if it does waste your time to do it.

  • by baximus ( 552800 ) on Monday November 17, 2003 @08:21PM (#7497986)
    ...is that the majority of spam I receive has forged headers, so I would in effect be sending the bogus replies to some poor sucker who had no idea their email address was being used as the "From:" header in a major spam operation.

    The number of spam emails that get through SpamAssassin because of forged "From:" headers is ridiculous. And worse is the number of bounce messages I get because someone has used my email address as the "From:" header in a massive spam mailout.
  • by MobyDisk ( 75490 ) on Monday November 17, 2003 @08:22PM (#7497995) Homepage
    Most of the spam I receive doesn't ask me to reply to purchase anything. They simply direct me to a web site of some sort. This eliminates mass-email replies as a possibility. If they use web forms, they can easily tell legitimate orders from phony ones by verifying the credit card numbers, phone numbers, addresses, etc.
  • by Anonymous Coward on Monday November 17, 2003 @08:22PM (#7497998)
    Remember that "phone number privacy" usually doesn't work with 800-class phone numbers!

    Best to call from the fax machine at work or some other "useless" number.
  • by pla ( 258480 ) on Monday November 17, 2003 @08:27PM (#7498041) Journal
    Although I like the idea (since we can't really implement my preferred method of dealing with spam, "hunt them down and kill them in the most painful way imaginable"), I see one major flaw with it...

    Namely, the very methods we've come up with to avoid spam would work for the spammers.

    How long do you think it would take before, in addition to lists of live email addresses, spammers also begin keeping lists of "people wasting our time"? I'd give it a week, if this really caught on suddenly.

    For that matter, I believe this would leave them in a better position than now, since they'd not only have a list of people who won't buy from them (allowing them to cull their list of live email addresses a bit), but also a list of people likely to actually take steps to stop spammers.

    Think about that for a minute - The few spammers we have managed to put out of business have gotten nabbed by a few small groups of dedicated, annoyed, and technologically-savvy people. Taking action along the recommended lines would give the spammers a way to identify and steer clear of similar groups of people.

    While some of us may consider that a win ("they don't bother me anymore"), I think most of us realize that we need to do more to stop spam than unclog our own individual inboxes - We need to permanently shut down all spammers in general. Or, put another way, my filters already block most of the spam I get (literally over 300/day now). That doesn't do a damn thing to help friends and relatives who don't understand how to maintain a good filter (like it or not, good spam filters require a fairly high level of understanding about the workings of email to properly tune - Not so much to simply block spam, but more importantly, to not block legit email).

    I like that people keep thinking about this problem, and eventually look forward to a good solution. This does not seem like "the" solution, though.
  • by grotgrot ( 451123 ) on Monday November 17, 2003 @08:30PM (#7498067)
    automatically crawls any links listed in the spam, it would bring their web servers to their knees

    It doesn't distinguish between good guys and bad guys. In fact none of the "automatic" schemes mentioned do. Say the spammers decide they hate Paul, they can very easily deliver several spams pointing to his web site/email address/phone number. Remember that the cost of sending extra emails by a spammer is pretty much zero.

    The spammers are already picking on the anti-spam people. [theregister.co.uk]

    So how will your auto-responders etc tell the difference between bad guys and good guys?

  • by mrklaw ( 98550 ) * on Monday November 17, 2003 @08:32PM (#7498084)
    Wow, what an easy way to DDoS. Just send out a bunch of Spam with a link to your least favorite website. The spam filters take care of the work for you.

  • by bgog ( 564818 ) * on Monday November 17, 2003 @08:39PM (#7498158) Journal
    If we all used anonymous remailers, they could simply filter them out and then they would have the legitimate responses. The only way this would work (and it probably wouldn't unless everyone did it) is for the responses to be as real as possible, from real email addresses. That way they have to spend the time and effort to follow up on the leads. All 10 trillion of them.
  • by perrat ( 724979 ) on Monday November 17, 2003 @08:41PM (#7498174)
    In addition to this there is the costing model used by most ISPs, where the user will pay for items that they download but not for what they upload. In the current situation the 'economy of SPAM' is based upon having a massive number of emails and a very small number (percentage wise) of responses. The current ISP costing model advantages the spammers. If your anti SPAM software actually sent a 'no-thanks' type response to the originator, they would be paying to download each of these messages. Even by counter blocking at the other end they still need to download the message first before they can determine its legitimacy. If you can break the economy of SPAM you put the spammer out of business. Even the richest spammer still has to rely on a tiny percentage return to generate their income.
  • by bgog ( 564818 ) * on Monday November 17, 2003 @08:42PM (#7498183) Journal
    So I want to take down yahoo. I send out millions of emails about viagra with a link to them. Down they come. Bad news.
  • by joelparker ( 586428 ) <joel@school.net> on Monday November 17, 2003 @08:45PM (#7498212) Homepage
    Your approach of ordering the spam products
    causes major problems if someone forges.

    Example: a disgruntled employee forges
    many emails about his company's products.
    When your anti-spam army calls for info,
    they overload the company's phone system.

    This is called a Joe Job, and is bad and wrong.
    Why? Imagine it done to a hospital phone line.

    Spam is a real problem. This is not the answer.
    If you want ideas, try this overview [netextend.com]

    Cheers, Joel

  • by Rogs ( 625889 ) on Monday November 17, 2003 @08:48PM (#7498234)
    The only effect this would have is to force spammers or their clients to incur extra costs to follow fake leads, but since you wouldn't decrease the size of the pool of people who respond sincerely, the effect would only be marginal. Your only hope would be to drive their costs up so much as to drive the spammer out of business entirely, but that would take a lot of coordination and resolve on the part of the responders. Remember, spammers keep making money while they're at it, whereas responders just get some measure of satisfaction, which is likely to wear off the more spam you respond to.

    Finally, your assertion that it would incentivate less spam from individual spammers is wrong, since the ratio of fake to real responses is the same for a large mailing list as it is for a smaller one. In other words, you have "constant returns to spam." The only way it would incentivate less spam is if you managed to drive some of the spammers out of business. More likely, it would lead to more spam, as spammers scramble to find more addresses to offset their lower "spam margin."

  • by NightSpots ( 682462 ) on Monday November 17, 2003 @08:52PM (#7498265) Homepage
    Because many of them are in datacenters on hosting accounts that were purchased from reputable companies who didn't know they were selling to spammers, and DDoS'ing these poor hosting companies will likely put them out of business for nothing more than a simple mistake.

    Find out who owns the netblock before you go DDoS'ing everything you find objectionable. You're probably hurting someone who has nothing to do with it.
  • by gbjbaanb ( 229885 ) on Monday November 17, 2003 @08:58PM (#7498314)
    well the principle is still OK - and, in fact, better for spammed.

    If you go to the web site and fill in the details with bogus-but-almost accurate data, they won't be able to contact you, and you get to flood them with 'spam' referrals. If it's a telephone number to call... well, make sure you get through to a person, walk them through the whole 'yes, of course I want x' routine, then hang up right at the point where they ask for completion.

    Even better is to get them to send a salesman round, as you obviously really would like to hear more about their other products, then.. tell him to sod off when he arrives. Or give them the address of big dave and his pit bull breeding business.

    The whole point isn't anything to do with email - but to give the spammer's *client* so many bad referrals they'll accept that spamming is not an acceptable (from their point of view) means of selling.
  • by orthogonal ( 588627 ) on Monday November 17, 2003 @09:02PM (#7498340) Journal
    Realise that it's an automated near-instant process for the spammer to submit leads and days/weeks/months of worker-hours of doing followups to discover there's a lot of bad leads.

    Well, not necessarily. The trick is to craft "leads" that are obviously bogus to a human at the mortgage company, but aren't easily filtered by a machine.

    What makes this especially interesting is that, in other words, it's precisely like creating spam designed to get around spam filters.

    With names that are obviously bogus to people, but not machine, the bogus "lead" is either
    • sent to the mortgage company, which realizes immediately that the "lead" leads nowhere, and pretty soon that too many of the spammer's leads are bogus;
    • or, you make the spammer himself weed out the bogus "leads" so as to keep the mortgage company as a client.
    The mortgage company (or the spammer, if he's weeding) will quickly realize that "Felix Thecat" and "Kiss M'Ass" are bogus. "Heywood Jablowme" might get by a weeder, but won't last too long at the mortgage company. "Gloria Mundi" probably gets several calls before somebody at the mortgage company remembers high school Latin or a Roman Catholic upbringing.

    While a dictionary of first names will allow some machine weeding, could a 95% coverage of last names be built? What percent coverage of last names is needed to keep a mortgage spammer from being dumped by the mortgage spammer? What's the distribution of last names? Help me out, Slashdot.
  • by Cheeze ( 12756 ) on Monday November 17, 2003 @09:11PM (#7498399) Homepage
    Who would be the ISP? In a tiered market like the internet, everyone always buys internet from someone else, or peers with someone else. That's why it's a World Wide Web. What's to stop someone from setting up a dialup account in Brazil and just spamming through it instead of using the ISP's mail system? Sure, you can not allow SMTP traffic on your network, but then how do you support business customers that want to run their own mail server?
  • by enjo13 ( 444114 ) on Monday November 17, 2003 @09:13PM (#7498412) Homepage
    The amount of money MC/Visa stand to lose is a drop in the bucket. We've seen time and time again these companies trade a few bucks for their public image.

    The bread and butter of the credit companies lies in standard retail purchases. The idea here is that by exerting pressure on the credit card companies you can cut spam off at the source (the companies who finance it in the first place), as their lifeblood is most definitely in credit card purchases. In other words, they have much more to lose than MC/Visa do. At the same time it exerts tremendous pressure on the middle men who create these accounts in the first place. They MOST DEFINITELY need the support of the credit card companies or they don't have a livelihood.

    Assuming the fundamental thesis is true (these companies are in fact breaking the law with spam), this is the most plausible plan of attack I've seen yet.

  • Not entrapment.... (Score:1, Insightful)

    by Anonymous Coward on Monday November 17, 2003 @09:17PM (#7498455)
    IANAL, but I do know that for entrapment to be such the law officer must make the overt act first to "lure into performing a previously or otherwise uncontemplated illegal act". In such cases as described, the spammer is committing the illegal act already by sending spam which violates a State or Federal law. He is obviously contemplating as he is already breaking the law. The credit card is merely the tracking mechanism by which he can be identified and charged.

    I like this plan.
  • by soft_guy ( 534437 ) on Monday November 17, 2003 @09:21PM (#7498477)
    It would be better to use realistic names, addresses, and phone numbers. The reason is that you want some human at the mortgage company to actually have to place a sales call. The most expensive way for the call to fail is to be to a valid phone number where someone picks up and the caller asks for a name that doesn't match. When they actually place the call, there's an expense, when the human has to talk to them, there's an expense. Plus, the real person they call will likely bitch them out (because it is a cold call). Hey, they might even be on the Do Not Call list. The fact that they got a "lead" for that number offers no protection as the lead is bogus (i.e. incorrect name, incorrect address.), so now you are putting the mortgage company in a position where they may be liable for fines. End result: you give Spam a very bad name in the leads generation business by poisoning the well.

  • by ashkar ( 319969 ) on Monday November 17, 2003 @09:28PM (#7498513)
    That's actually a rather poor idea considering how often spammers "Joe Job" using valid email accounts belonging to other victims of spam.
  • The REAL fix... (Score:1, Insightful)

    by The_Obfuscator ( 542644 ) on Monday November 17, 2003 @09:29PM (#7498518)
    If we all just used digital signatures, and blocked any emails without signatures, our filters could be nearly perfect. Spammers trying to get multiple signatures should be denied, etc. Let's face it, email is a pathetic joke of a technology that should be forced into extinction (or at least updated)
  • by Bronster ( 13157 ) <slashdot@brong.net> on Monday November 17, 2003 @09:29PM (#7498522) Homepage
    Because many of them are in datacenters on hosting accounts that were purchased from reputable companies who didn't know they were selling to spammers, and DDoS'ing these poor hosting companies will likely put them out of business for nothing more than a simple mistake.

    Those reputable companies might be a bit more careful in future to ensure that they aren't selling to spammers - by doing background checks, by educating their customers (for those spammers who don't actually realise it's a bad idea) and by being very public about kicking spammers when they're caught.

    Provide a strong enough financial dis-incentive to host spammers and eventually spam friendly ISPs will dry up - but while there's profit to be made hosting spammers, then of course these "reputable companies" will 'accidentally' host them.
  • by Lead Butthead ( 321013 ) on Monday November 17, 2003 @09:46PM (#7498600) Journal
    Since when is spamming considered a business model? It's no more a business model than theft, break-in, blackmail, or highway robbery.
  • Brilliant (Score:4, Insightful)

    by Weaselmancer ( 533834 ) on Monday November 17, 2003 @09:51PM (#7498621)

    Absolutely the best post in this whole thread. Bravo.

    The need to process credit cards is the weak link in much of the spam business, and it is very hard for them to work around an inability to obtain the services of a merchant credit card account.

  • by da5idnetlimit.com ( 410908 ) on Monday November 17, 2003 @10:22PM (#7498795) Journal
    News -- Spammer Found strangled with 47" dick
    News -- Spammer go to jail after opening 198 mortgage loans
    News -- Spammer suffer heart attack, found covered with what looks like dermo patches and surrounded weird "New Pa Tch sdogh Here only" messages...

    I can see myself following the news more eagerly 8)
  • by Knetzar ( 698216 ) on Monday November 17, 2003 @11:24PM (#7499170)
    Because if people were to start doing this all someone would have to do is send out spam claiming it's from an innocent company (amazon, buy.com, apple.com, etc) and then they have people DDoSing for them.
  • If, in fact, this were a DDOS attack, I could understand the hesitancy, and thus the response that it is their problem.

    However, it is not. What is being suggested (And you might want to read the post, if not the article...) is to respond with email, not in a multiple reply per person fashion, but rather just to reply, and make the spammer go through 5000 replies per spam attack, so that it takes several hours to find the one respondent that genuinely wants a mortgage. This is NOT DDOS, or even flooding the server, but simply a function of the time of the spammer to get a genuine response since it is now 1%, or better .001%, of the total volume of mail he receives. It is suddenly economically unviable to attempt to sort through 1,000,000 emails to find a couple of genuine responses.

    The only problem that I see is that the first 10,000 or so people that start doing this will really just be confirming the email address for the spammer, and will be burned for it.

    PS. Maybe slashdot needs some kind of m3 program, where people who mod up stupidity, or off-topic responses are shot, or at least lose their ability to mod...
  • by KjetilK ( 186133 ) <kjetil AT kjernsmo DOT net> on Tuesday November 18, 2003 @05:33AM (#7500704) Homepage Journal
    Folks, does spam really work? Have you ever responded to spam? Really? I've responded to a few spams, and most of the time, it is really, really difficult to get in contact with them. In the very few cases where I have gotten through, guess what, the guy who actually was selling a product, he was scammed too. Some of them have actually sued the spammer afterwards.

    What is the source of the info that spam works? That's right, it's the spammers. Spammers tell you that spam works. Bzzzzt! Rule #1: Spammers lie!

    Who are the spammer's customers? No, not you who get the spam. The spammer's customers are those who order spam services. And there are enough idiots who buy spam services to make those 180 spammers very wealthy.

    Even though the spammer's customers get burnt once and stop, well, some of them are probably stupid enough to try several times anyway, there are enough of these morons to keep it going for a very long time.

    They're not making a single sale, not even 0.0001%, but that doesn't matter, because the spammer got his money, and that's why this continues.

    So, if you want to end spam, forget the spammers: Go after those who purchase spam services instead.

    Well, that's my theory. It may not hold up, but after all, this is /.! :-)
