Attacking the Spammer Business Model 655
Stephen Samuel asks: "Spammers spam because it's an 'easy way to make money'. They send out millions of spams knowing that 99.995% of them will be ignored, but the other 0.005% of responses are pure gold (Andrew Leung at Telus has an excellent report on the economics of spam). Responses to mortage spams are reportedly worth $50.00 each. What would happen if, instead of technical and legal approaches, we simply started attacking their business model? If people
started responding to just 1% of the spam we received, spammers would drown in the responses, and the mortage spam responses wouldn't be worth an email, much less $50. The Nigerian Sweet Revenge is an example of this. The nice thing about this sort of statistical approach is that it would start to reward spammers for sending out -fewer- emails. (fewer emails -> fewer bogus responses). What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?" Of course, the one major drawback to this is the likelihood of more spam, since you'll be giving them a valid email address. However, many of you may be receiving increasing amount of spam as it is (even through your filters) so might an organized spam-the-spammers movement work?
Bogus spams? (Score:4, Interesting)
automated replies / anon remailers (Score:5, Interesting)
in the short run... (Score:5, Interesting)
A better idea... (Score:3, Interesting)
Re:The Best Way to Attack Spammers (Score:3, Interesting)
Add all the spammers to an e-mail list and automatically forward any spam I get (using an address I use only for this purpose) to everyone on that list.
Spam Site? (Score:2, Interesting)
We should also spam their ISPs after a generous warning.
Spam is out of control, and I think everyone here knows that until some universal SMTP replacement or SMTP extension is implemented, spam ain't going away.
For spam that wants you to call a 1-800 number (Score:5, Interesting)
The only downside is I don't think many spammers use this approach, but it'd certainly be effective against those who do. I don't think it'd be illegal (as long as each person didn't call more than once) either, but IANAL.
Blacklists (Score:3, Interesting)
From a spammer's programmer (Score:5, Interesting)
As a programmer working to keep the data flowing smoothly part of my job entails building programatic methods of detecting false data. Some of this is easy (i.e. people who put "I WANT TO RAPE YOUR DAUGHTER" in the first name field). Sometimes this is harder. IP checking helps, but distributed attacks are always a difficult thing to catch. However, all that said I don't know that this would be a significant problem.
One of our upcoming process changes will include an attempt to contact each customer via phone or email to verify their order before following through with it. Futher, automated credit-card checking will automatically drop orders with bogus data in them. CreditCard declined statistics would rise, but ultimately it wouldn't be that much hassle.
If you really want to hurt a spammer, get thousands of people to order a product, then send it back and charge-back the order on their cards. Creditcard merchant accounts have limits on the chargeback rates, and when they get too high the merchant provider will cut you off. Of course you have to front the money and the hassle, and at the end of the day there's only 1 less spammer out of a million (unless he tries to find another merchant provider and succeeds). But for some, perhaps the cost-benefit analysis would still find it worth it.
Total Due: $0.02
Re:Bogus spams? (Score:5, Interesting)
1) Verify that the email address is deliverable. It makes no sense to keep a bad email address in your database of spam targets.
2) Seed statistical spam filters with bogus data.
I've been really happy with bogofilter on my IMAP server. Once I got the bus worked out of my scripts, it's running about 98% accuracy with zero good emails getting filtered as spam.
Re:in the short run... (Score:2, Interesting)
You could tell the mortgage company what you are doing: "I'm wasting your time because you employ spammers to waste mine. I never had any intention of dealing with a company employing spammers."
.0005% response rate can be handled by 10-20 staff, say, but if the response rate goes up to 1% they either have to employ lots more people to filter the crap or retain the same staff numbers and let the few legitimate sales leads be buried in noise, or suffer huge backlogs.
That would have the plus of losing them money since a
It really is a reverse DDoS attack. Might work. Worth a try if everyone does it.
Re:in the short run... (Score:3, Interesting)
Re:Bogus spams? (Score:5, Interesting)
I don't know about everyone else, but a good portion of the seemingly blank SPAM I receive are actually HTML email with no text version. I told Mozilla mail to never, ever display HTML email (and can't figure out how I did it, to replicate on my laptop!) If I look at the email in a text editor, I realize that it's full of either HTML or Base64-encoded text/html.
Mozilla Mail does properly convert normal HTML mail to text, even when a text version isn't included -- so obviously whatever tool the spammers use to compose their messages is non-compliant in some way (I haven't been bothered enough to figure out what exactly they are doing wrong).
I do quite often get other messages that appear to be just junk, or possibly Chinese/Korean characters (the majority simply look like binary data)... those I haven't figured out yet.
This is a really neat idea (Score:3, Interesting)
Yes, I am very interested in your product. Please send more information to my address at fictionalPerson@non-existantDomain.net.
Now that would be funny.
Works with physical mail (Score:2, Interesting)
The problem is that with spam we often have no address to send anything to, or the address we have is one that will do any good. It is like those 'work at home' signs on the road. We may think we are attacking the business plan by calling the number and racking up minutes, while what we are really doing is making the business plan succeed by enriching the person at the top of the pyramid.
So, we can't reply by email, because the address is likely either bogus or that of an innocent party. If we go to the web site in an effort to consumer bandwidth, we are likely going to receive a couple ads that will then make the spammer money. For the spammer to make real money, spam has to generate a real contact, which means that we much supply the contracting company with real contact information, which will then likely get sold to many other companies.
The 419 anti-scams work because the people invest a lot of time and money. I suppose if we all get throw away fax number, voice mail number, and PO boxes, we could mess with the spammers. But is the expense really worth while. Sure such things would only cost each of us 10 dollars a month, and would cause spammer and the evil companies they work with a lot of money, but not like the 419 thing, would not likely change much at the end of they day.
Re:Filters that fight back... (Score:4, Interesting)
http://www.toad.net/~mischief/archives/00000084.s
This tool is a "honeypot." The idea is that you install this software on a Linux/Unix machine (believe there might also be an NT version available) and it pretends to be like multiple computers on the network, acting as virtual hosts. Whenever a worm comes along and probes one of those virtual hosts, La Brea hangs on to the thread and slows down the process of infection, logs all the relevant info, etc. It's actually a brilliant idea and now, thanks to some of our genius legislators, potentially illegal to possess or use.
Someone created a tar-pit for Code Red. google for la brea code red
any ideas?
or am I suggesting a DoS?
Re:Richest spammers could afford to handle replies (Score:3, Interesting)
Yep. That's what I generally do... I usually 'harvest' the Email addresses of Nigerian spammers, and use those as my 'reply' email address. (Perhaps I can get them talking to each other! :-o ).
If a spam site I visit gives me a non-800 phone number, I'll often put that in my files, as well.
1.5 new anti-spam ideas (Score:2, Interesting)
The second idea is to publicly identify the actual spammers and their collaborators and organize protests and boycotts. Yes, I know about Spamhaus and ROKSO, which is why this is only half an idea, because they don't go far enough. I want to see web pages that not only tell me that Alan Ralsky is a major spammer, but tell me which spams he sends, plus his home address, phone numbers, personal email addresses, and car make/model/license number. I want to see photos of him. I very much want to know who provides him with Internet connectivity so that they can be publicly shamed and boycotted. It shouldn't take much money to hire a few private eyes to dig out this information.
Might these ideas provoke lawsuits? Possibly, but I doubt spammers will risk even more public exposure by suing.
3 Lawyers, 3 geeks (Score:5, Interesting)
A very significant percentage of spam meets two criteria: 1) it already breaks some existing state or federal law and 2) it ultimately desires someone to supply a US-based credit card (Visa or Mastercard).
The problem with all our wonderful anti-spam laws is that they are not being enforced, and probably never will be, except erratically for 1 or 2 really, really bad repeat offenders. So, instead of using laws to take bad people to court, use laws to make law-abiding people quit aiding and abetting spammers.
Thus, the weak underbelly of many spammers is that some minion of MC/VISA is letting them process cc transactions.
Solution: the FTC should allocate 3 lawyers and 3 geeks, and (the easy part) demand the cooperation of MC/VISA. The 3 geeks maintain emailboxes in all 50 states and a batch of email addresses designed to gather spam. They essentially provide the 3 lawyers with "quality" spam, that meets the 2 criteria mentioned above.
The 3 lawyers select spam that has broken a law, follow the spam-requested transaction to the point where it requires a cc transaction, and do it. At that point, there is a CC transaction involving a broken law. The lawyers provide MC/VISA with the information on what merchant processor handled the transaction and what laws were broken. MC/VISA shutdown that account, or simply dings them $20,000 for each offense.
Note that, unlike the FTC, MC/VISA can penalize any customer they choose to without due process (and they have a record of doing so). They definitely do not want to participate in illegally advertised transaction if a spotlight is shown on it.
The need to process credit cards is the weak link in much of the spam business, and it is very hard for them to work around an inability to obtain the services of a merchant credit card account. MC/VISA have tightened up the requirements for getting CC services in the past, and they can certainly do so again.
MC/VISA might even elect to make the process more automated by issuing the lawyers some "special" credit cards. When they see a transaction for any "special" number come through, they immediately shutdown that processor. (But you better make sure those special numbers aren't as easy to steal as all other credit card numbers seem to be!)
3 lawyers plus 3 geeks could make a bigger dent in spam than any collective effort to date has produced.
Re:Richest spammers could afford to handle replies (Score:2, Interesting)
And why are we NOT DDoS'ing these websites?
Make it legal to hack spammers (Score:1, Interesting)
The thrill is in the kill..
Re:From a spammer's programmer (Score:4, Interesting)
Reducing the profit from spam (Score:2, Interesting)
What makes or breaks this scheme is: what is the fixed cost of processing each of the leads? If it is low, the spammer and commission payer only lose a little profit. If the per-lead processing cost is high, the profits disappear.
So, what resources are required to process each lead?
Re:From a spammer's programmer (Score:2, Interesting)
Unfortunately that's fraud and will get you in a hell of a lot more trouble than the spammer if the spammer can show that you legitimately ordered that product.
Give me a fscking break (Score:5, Interesting)
Let's look this post a bit and do a little translation:
Part of my companies' income is from sales of various and sundry products sold via soley online "stores." Part of that traffic is via banner ads, text links, etc, and another portion is via bulk mail (spam)
Translation: I am a spammer.
If you really want to hurt a spammer, get thousands of people to order a product, then send it back and charge-back the order on their cards.
Translation: Give me your credit card number.
Spammers are the wise guys and con men of the digital age. DO NOT TRUST THEM. I mean really - if this guy makes his living this way is he honestly going to give you a stick to beat him with???
It's more likely he'll take your credit card number, charge it to the hilt and take off to Zaire.
Give me your credit card number and I'll be hurt. Please!
Re:Richest spammers could afford to handle replies (Score:5, Interesting)
Brings new meaning to the concept of a Spam-bot...
Anybody care to write one?
The only problem I see is that the spammers could then prosecute you for forged identity/ misuse of computer equipment...
Instead of doing a dictionary-style counter attack (which could accidentally frame someone), we would have to use the same name-mangling as the spammers use...
Example counter-spam:
Dear Sir:
Please sign me up for 9en1s 3nlar6ement!
Name: B0gus B0b
Address: 12-34 Stat St, Washington UL 12345
Email: anon_tip@fbi.gov
Hopefully, the fake @fbi.gov email will get them in even more hot water...
Re:Ironic, don't you think? (Score:5, Interesting)
The Basics:
SD would allow users to connect to a peer to peer network which would enable thousands of users to share information about Spam they have received which warrants a response. Individual users would have the opportunity to nominate a Spam email for response. Once an email is nominated, it would be reviewed by several moderators in good standing. If those moderators certify a Spam for response, a distributed network of computers running SD would begin to flood the Spammer with bogus information either by email or by their websites.
More Ideas:
Moderators could be effectively metamoderated by comparing their votes with the votes of other moderators. A moderator's standing could be stored in a distributed fashion so when you rejoin the network, you don't have to start building your standing from scratch.
Reponses by website could be templated by the original nominator and reviewed by the moderators. Each form field could be given a type such as name, email address, phone, etc. A facility for templating a series of screens would be useful, and probably could be accomplished by having the nominator make a dry run through the website. Additional heuristics could be added that would allow the program to make guesses if the templating doesn't match. In cases when heuristics are used, moderators could be prompted to verify that the responses make sense. It's critical that the responses be difficult to weed out of actual responses from real customers in order to confound the Spammers.
Responses by email would require very careful moderating as the results, if misdirected, could be worse than the original problem (Spam). Some moderators may need to be certified as experts on email tracking. Also, some very clever test emails may need to be sent as confirmation before a response can be authorized. Responses by email should be anonymous. SD should be able to keep a healthy list of open relays by analyzing the Spam emails.
A very clever use of SD could allow for response throttling ensuring that a website remains responsive for SD. It would be a real shame to have SD hammer a website into submission only to end up with no real work being done. The cruft should be added slowly & steadily at first & possibly release the floodgates later in the process.
Finally, SD could be VERY useful for exchanging information about the Spam that is circulating and be used as raw information for filtering engines to reduce the amount of delivered Spam. If the system were to be well used, Spam might only be delivered to a smallish number of people before SD gets the email submitted, moderated, and certified as Spam. Once that's done, Spam filters worldwide could begin using that information to VERY specifically filter those Spam emails and blocking their delivery to suspecting throngs. Now wouldn't THAT be nice?
White Lists! (Score:3, Interesting)
Spam holes are not the answer, but with friend list they sure look a lot saner (c'mon, everyone in
Attacking Business Model - Posted Anonymously! (Score:5, Interesting)
Not really related to the parent; I posted it up here because I think it's a good idea. I don't want to be too associated with it, anticipating the spammers fighting back.
At the very least, I'd like to have a good Windows programmer put together something akin to this:
#!/bin/bash
COUNT=0
while [ $COUNT -lt 2000 ]; do
lynx -dump -traversal -useragent="By sending e-mail to my domain, you agreed to the published Terms of Service of my privately owned domains and servers, including the stipulation that all spam would result in your webserver log being filled with garbage. If you don't like it, don't send e-mail to my domains. I f you don't want me to visit your website, don't solicit my visit by sending me unsolicited e-mail. You do not have a First Amendment right to waste my bandwidth, electricity, CPU time or hard disk drive space with your crap, characteristically illiterate or otherwise."$1?YOU_FILL_MY_MAILBOX_WITH_UNSOLICITED _C
RAP_AND_WE_WILL_DO_THE_SAME_TO_YOUR_WEBLOGS
let COUNT=COUNT+1
echo $COUNT
done
I use this on all my spam.
Such a program would need to have a drag-and-drop interface, automatically replace the user's e-mail address (wherever it appears in HTML bugs) with uce@ftc.gov or something similar, trim serial numbers, cope with obfuscated URLs and hijacked Yahoo/Google redirectors, and eat both image tags and links.
As it is, I open each message, manually extract all the HTML tags, and plop 'em into a terminal window on one of my servers.
The only real worry is a spammer using a GeoCities or other free webpage. But if a few people hit the site with this kind of program, it would get it shut down faster than an abuse complaint.
Of course, if the spammer is being paid per hit, the advertiser is spending a lot of money to advertise to /dev/null, so it's unlikely that they'll continue the current business model.
I've also got it on the advice of a Federal Court judge (who is blind and can no longer read his e-mail in public places because he's too embarrassed by all the penis enlargement spams being read by his screen reader) that, since they've solicited my visit AND been warned on my website, there's very little the spammers can do about it. (Even so, I'd be hauled up in front of him, and I know how he feels about spam...)
Such a program could be very popular with the general public, since there's a definite feeling of satisfaction. But I think it should also be distributed anonymously. Spammers are likely to DoS any download sites and flood any mailboxes.
Sure, this is essentially a denial of service attack against the spammer. But the spam itself is a denial of service attack against MY mailbox, and nothing else seems to be able to stop it.
Any Windows programmers out there?
Re:Give me a fscking break (Score:2, Interesting)
I worked at a (non-spamming) porn host for a while a couple of years ago, and the biggest headache to our business was people signing up for sites, having a tug, and then charge-backing the order. we probably went through 4 or 5 merchant accounts a year.
Chargebacks abosolutely kill internet business.
Re:Richest spammers could afford to handle replies (Score:3, Interesting)
Too right. While $20 shared hosting accounts are available without sufficient proof of ID and a mechanism for ensuring you pay a hell of a lot more than $20 if you abuse the TOS and spam, then spamming will continue to be a commercially viable proposition.
The easiest step in the chain for the victims of the spamming to address is those $20 shared hosting accounts. If it's not commercially viable for companies to offer them, they'll stop. At that point the spammers can't buy them any more, and they stop. We, the victims, win.
I'm sorry to those who have a business model which requires you to sell hosting for $20 and not confirm who you're selling to. Hang on a second, no I'm not. You're making money my expense as I clean up the crap spewed by your 'valued customers' - and I'm quite happy to make you value those customers a little less, thank_you_very_much.
FormFucker good idea, but risky. (Score:3, Interesting)
If formfucker doesn't have a good time delay between signups then they could delete the records between time A and B. Finding times would would be obvious with a count(*) group by hour (or minute) type statement. Or maybe I give the spammers too much credit.
FormFucker should probably sleep a random interval between submissions.
The bigger problem which would make it easier to filter out would be IP address. Your spammer gets ten responses from the same IP address, all with different data, and they're clearly bogus. So the usefulness of FormFucker is limited to being once against each spammer from a given IP address.
Many times, I'm seeing the forms have an ID number of some sort which would be passed when the link is followed:
A HREF = http://www.spammer.com/form.pl?recipent@email.com
or
A HREF = http://www.spammer.com/form.pl?ID=666
Again, same problem. Different data from ten submissions with the same ID or e-mail address, and the spammer knows the data is garbage.
Same if the spammer crosses a randomly-generated e-mail address against his list and finds that it's not there. Garbage data, easily culled.
Furthermore, if you run FormFucker, the data would have to include your e-mail address or ID number so the spammer can't weed it out as illegitimate. What's he gonna do when he finds out that it's taken him half an hour to pursue your dead lead? He's got your e-mail address, and because you fought back against his assault on your mailbox, I'd bet money the bastard would pull a joe-job on your address.
FormFucker is a great idea, but I wouldn't use it on the spam that comes into my e-mail addresses.
Working on this right now... (Score:2, Interesting)
- You have a java application that scans a website, identifies HTML input tags, and figures out how to fill out the form with plausible, although fictitious data.
- That application submits the generated data and ensures success by checking the http response code to the submission. Rinse and repeat.
- The application can pound about 100 submissions per minute on a broadband connection.
- The full source and app are released on sourceforge about a week from now under GPL.
- Anyone who gets some insipid email can run this app without having to create HttpUnit or HtmlUnit scripts.
- App is console based, uses java.io, java.net and java.util packages only to make install easy and ensure cross-platform reliability.
- "Random" string-based data (names, streets, cities, etc.) is contained in text files that users can maintain on their own making it difficult for spammers to identify bogus data and produce countermeasures.
- No site to check for "orders", you control where your app will pound, you are responsible for employing it wisely.
Instead of using humans to respond to computers, let's have the computers do the work, eh? Isn't that what they're for?
Re:Give me a fscking break (Score:2, Interesting)
Unless they have a signed receipt the credit card company will side with you every time.
Re:For spam that wants you to call a 1-800 number (Score:3, Interesting)
How do you know that the 800 # was actually sent with spam? It could be a prankster, or someone wanting revenge for a non-spam-related reason, or it could be spammers themselves trying to discredit the anti-spam community.
Five maybe six years ago there was this one really bad spam that listed an 800 number. Got at least one a day and it was for the 800 number. It didn't take long for the message on the voicemail for this number to state that they would take revenge on any anti-spammers leaving messages. It would say that they have recorded your number, and if you left any message other than one to do business with them that they would use your phone number as a complaint number on the next spam that they would send out.
To prove it the system would tell you what your number is. You would year "Your number is 999-555-1212" or whatever. Too bad they didn't block calls from payphones.
I do sometimes call 800 numbers. Not as often as I used to. It is good to make sure they were really using spam before doing anything that could be considered harassment. Actually, don't do anything that could be considered harassment, that would be illegal, immoral and wrong!
It might be interesting to ask the person if their company sends out email advertising. The person you are talking to might not have anything to do with the spamming, but it might be interesting to explain why it is bad. Then again, most people, at least in the states, have probably already heard of spam.....
A slightly easier method (Score:3, Interesting)
A short C program to randomise the identification codes in a spam, a web server, and a downloader such as WebReaper.
From a spam I take the URL, e.g.
http://spammer.com/script.cgi?id=12345 and convert it to
http://spammer.com/script.cgi?id=#####
the C program loops over this N times where N depends on how hacked off with spam I'm feeling, converting the # to random digits and adding the new URL to a
Most of the time it just hits single webpages with nothing but a graphic, but sometimes it hits gold and downloads gigs of stuff. Of course this does nothing for my bandwidth, but it makes me feel better.