Where Is Spam When You Want It? 580
Sean writes "In a complete twist to what everybody else is trying to do these days, I need to attract spam to an e-mail address for a research survey I am conducting. I have submitted a few articles to a handful of Usenet groups, and I have signed up to some general mailing lists but so far I have nothing to show for it. How come by personal account gets 100+ spam each day yet when I try to find it I get nothing? Where should I post my address so that it attracts spam?"
Outlook... (Score:5, Interesting)
I recently took 1 Windows 2K box (SP2) and put it directly online in the DMZ type zone. Do NOT patch it and add no virus software. Load some trap address' (never used before) into the Outlook address book.
It took twelve (12) minutes from plugging it in to getting many, many infections, to the final spam. Typical time is 3-4 hours usually and I've seen the test go for as long as 8 hours.
How many people do you know that use Outlook and may have your email in their address book? The bitch of the matter? No Windows here anywhere, well, except for VirtualPC which makes such tests so damn easy -- too bad Microsoft had to buy them up too...
Re:Outlook... (Score:5, Insightful)
Re:Outlook... (Score:3, Interesting)
A full tcpdump was also in progress (just watching
Re:Outlook... (Score:5, Interesting)
Perhaps I should have made that point more clear initially.
Re:Outlook... (Score:4, Insightful)
Re:Outlook... (Score:4, Insightful)
Re:Outlook... (Score:4, Insightful)
Very true.
It is not illegal to set out a machine to be compromised.
Perhaps not criminally illegal, but I believe the owner could certainly be held liable for damages. Imagine if a virus writer put a destructive virus on a stack of floppies and left them precariously around a public computer lab. When the program on one of those disks gets run by some curious person, don't you feel that the virus writer is at least somewhat liable, even though he didn't "pull the trigger"?
Re:Outlook... (Score:3, Interesting)
This scenario is good, but let me share one from my highschool days:
Our computer science department ran on a bunch of old MSDOS computers with no built-in virus scanning (if a computer was behaving oddly, the teacher would come around and boot from an antivirus floppy, and it would be all better). In those days, the popular vir
Re:Outlook... (Score:3, Insightful)
Geeks are inquisitve... (Score:4, Interesting)
hmmmm... this must do something really interesting to the computer or disk to have a warning like that...
Next step would be to see if I could induce what the intent behind the restriction would be. If I couldn't reason it out, then I might be tempted to try to dupe the disc and put it in another computer (*Always* mount a scratch monkey.)
In fact, putting an admonition involving tech in front of a geek is like putting something bright and shinny in front of some people.
but on the other hand you just found a way to physically "tar pit" a geek for a better part of an hour....
Re:Outlook... (Score:3, Informative)
Re:Outlook... (Score:5, Insightful)
More or less yes. The major difference is that with a honeypot you make sure that there's only a way in -- you make it impossible for the offender to use the honeypot to carry on attacks from the honeypot. And that does not seem to be the case in this example.
Why isn't Microsoft responsible? (Score:4, Insightful)
Re:Why isn't Microsoft responsible? (Score:3, Interesting)
Microsoft isn't responsible for people's actions. Would you want Redhat to be responsible of an exploit was found in their distro of Linux?
Me personally, I'd want them to be encouraged to fix it (i.e. risk losing sales etc.), but I wouldn't want them liable for somebody else being a shithead.
Liability in a case like this is a double-edged sword. Besides, every time something like this happens, everybody gets stronger. Microsoft (event
Re:Outlook... (Score:5, Funny)
Re:Outlook... (Score:4, Interesting)
Okay, let's talk about the box of goodies. Let's say you leave a box of weapons outside with full knowledge that a neighborhood kid will probably find it and will likely use the contents for something illegal. If that happens, do you think you are partially responsible for whatever happens?
Before you jump all over me for such a hyperbole of an analogy, no, I don't equate running an insecure machine with handing out a small arsenal to the neighborhood kids. But I think you might be able to see my point given so many peoples' reactions of "What kind of parent leaves a gun where a kid can get it?" seemingly whenever a video game violence article is posted.
Take note of the bold text in the first paragraph. It's key to my point. If that box of weapons was in a place that you could reasonably assume wouldn't be accessible by the hypothetical gunman, I wouldn't place any blame on you, the owner.
So no, you're not responsible for other's actions, they are, don't be stupid.
You're exactly right - you aren't responsible for others' actions. In this case, you'd be liable for your irresponsible action.
Re:Outlook... (Score:3, Interesting)
Re:Outlook... (Score:5, Insightful)
Gun's are designed to kill. Computers are not designed for cracking/spaming/etc. If you leave a chain saw out in your back yard, knowing that the kid down the block is (1) a bit whacked, (2) could be a potential danger, and (3) should not be on your property, are you partially responcible for when he kills some one with that chain saw? Now, what if it is the kid on the next block that could be the danger? Or the next city, county state of country? At what point is it no longer reasonable to expect that the public to know something is a threat?
It used to be enough to run a virus scanner every so often. Now you have to start by patching your systems regularly, then move on to running regularly updated virus scanners, installing and updating firewalls for the network, scanning for spyware, installing and updating desktop firewalls, updating spam filters, chasing drivers, updating applications (add more from the endless list here), all to keep a system going. So I ask again, at what point is it no longer reasonable to expect that the public will know something is or could be a threat?
And at what point does the public feel that it is no longer reasonable to expect them to know something is or could be a threat when it comes to that "harmless little box on the desk"?
Re:Outlook... (Score:3, Funny)
Re:Outlook... (Score:3, Interesting)
There is an easy defence against this:
Let's say your real address is your.name@yourISP.com. Tou need to first set up a sneakemail address. Use this address as the 'from' address in your e-mails. Then set up your 'name' as "Your Name [your.name-at-yourISP-dot-com]." This way, the sneakemail address (which can be changed whenever spam comes in) will appear in lusers' outlook address bo
Re:Outlook... (Score:3, Informative)
There is an easy defence against this:
That works just fine, but it gets even easier:
Own your own domain.
Have your e-mail setup to forward *@yourdomain.com to your actual e-mail address.
Never give anyone your e-mail address. Give everybody different e-mail addresses to e-mail you at. Your friend jenny can e-mail you at jenny@yourdomain or whatever she'd like
Re:Any honeypot will do (Score:3, Interesting)
Within a week I was getting 100.000 spam mails a day. Within 2 weeks I was over 1 million spam mails a day.
So just pretend to have an open mail server, and you can get all the spam you want, and harvest all the addresses you care about.
Hotmail. (Score:5, Informative)
Re:Hotmail. (Score:5, Insightful)
Re:Hotmail. (Score:2, Interesting)
Re:Hotmail. (Score:3, Interesting)
1. There are so many users of hotmail that you can easily end up with a previously used address (so even if you never give out your e-mail address, the previous owner of that address may have signed up to all sorts of crap). What's more, anytime someone puts out their hotmail address with a minor typo (either intentionally or accide
Re:Hotmail. (Score:5, Funny)
On Slashdot!?! (Score:3, Funny)
Some options... (Score:4, Funny)
Truly successful method (Score:2)
Post it here (Score:2, Funny)
usenet isnt that great (Score:2, Informative)
Domain registry (Score:5, Informative)
Re:Domain registry (Score:5, Funny)
I, on the other hand, will be out of here as soon as the transaction is complete. So long, suckers!
Why not (Score:5, Insightful)
try this one (Score:5, Funny)
click on it... (Score:3, Informative)
same problem (Score:2, Funny)
Re:same problem (Score:5, Funny)
Worked for me
Porn sites are your friends (Score:2)
How are Porn sites NOT my friend? (Score:3, Funny)
Murphy's Law part2... (Score:5, Funny)
We all know that the Spam won't show up if you want it. That's against the very nature of spam.
All annoying things always happen every time except for the one time you try and prove the phenomenon to a non-beliver. Well known fact.
Good luck at finding the spam (wow, I never thought I'd have say that.)
Re:Murphy's Law part2... (Score:3, Informative)
- Positive expectations yield negative results.
- Negative expectations yield negative results.
A special case of this is the demo effect: The best way to make your pride-and-joy crash on the first keypress is to invite your boss's boss in to watch it run.Likewise, the only way to attract spam is by trying to avoid it.
Ebay (Score:5, Informative)
You'll quickly become inundated with "How-tos" to Ebay, "official" emails from Ubid by people attempting to fraudulently gain access to your personal information, more tips-and-tricks, more offers from uBid, and of course a plethora of marvelous online drugstore advertisements.
Enjoy.
Re:Ebay (Score:3, Informative)
Re:Ebay (Score:3, Insightful)
Ebay specifically discourages this because lots of people have had their passwords to ebay stolen by people sending them fake email pretending to be from ebay and asking for their password for "security purposes".
graspee
Re:Ebay (Score:4, Interesting)
Free porn sites? (Score:3, Insightful)
Personal experience?
use online greeting card companies (Score:5, Informative)
If you want to be scientific, don't (Score:5, Interesting)
Want to survey spam as it effects a normal, real-life, daily-use e-mail address? Get a new address and starting using it as your primary account. Anything less will be irrelevant statistics.
That depends (Score:5, Interesting)
If you deliberately bait spam, your research will only be about spam as it effects bait e-mail accounts. Your conclusions won't be applicable to normal e-mail use habits.
The relevance of a baited addres depends on how one does the baiting. I'd say that a handful of usenet posts, pasting it to a couple of web pages, use of it to create accounts on websites (e.g. here), etc would be very representative of common patterns of address disclosure.
Re:That depends (Score:3, Interesting)
there was an article on worst jobs a few days ago (Score:2)
just kidding. on offense intended
if you want spam you just need to get a hotmail account.
a sure method (Score:5, Funny)
Re: a sure method (Score:5, Funny)
I can provide you with a LOT (Score:2)
'Unsubscribe' (Score:4, Informative)
Take the urls (DO NOT CLICK ON THEM) and strip them of the stuff after the '?'
Go to each of those 'unsibscribe' pages and put the test account in the email to be removed box.
Its the best way to get spam. The spammers will generally use it as confirmation that your address does indeed exist, and theyll happily put you in their alive list, where you are shure to get everything they are selling.
Re:'Unsubscribe' (Score:4, Interesting)
Finally, after another two months, it was back up to 8-12 a day. So unsubscribing did seem to work, rather than hurt.
Re:'Unsubscribe' (Score:3, Interesting)
General wisdom suggests that some of those companies do unsubscribe you, but then they sell your email as a verified good address. By unsubscribing you they can claim in court that they are honest and ethical, afterall they can prove they unsubscribe everyone who requests it. Selling that address is sleezy, but they figgure they have a better chance of getting away with things, plus make some money.
http://www.spamarchive.org/ (Score:5, Informative)
Re:http://www.spamarchive.org/ (Score:3, Informative)
Spamarchive (Score:2, Informative)
What's worked for me... (Score:2, Informative)
Based on a friend's suggestion, I created an alternate e-mail address and used it to create user IDs on classmates.com [classmates.com] and match.com [match.com] and, sure enough, until I kill the ID months later, I was getting 30+ spams a day after my ISP was done with its own filtering. I wasn't being very scientific and I don't know if it was one or the other or both, but it's a place to start...
A few thoughts (Score:5, Informative)
- If on a popular e-mail provider such as AOL, Hotmail, or Yahoo, put up a profile and go to a chat room.
- Allow your e-mail address to be listed on any of the directories.
- Put your e-mail on a Geocities website.
Change your thesis. (Score:5, Funny)
Re:Change your thesis - Decode the encryption. (Score:3, Funny)
Looks like....
I have been collecting them as I spot them, when I have enough samples and enough time I will have a bash at decrypting them.
So if you want to add a flourish to your thesis, you can also figure out what they are using the encrypted text for. (Probably some sort of tracking to measure success of campaigns.) I will happi
Re:Change your thesis - Decode the encryption. (Score:3, Informative)
Re:Change your thesis - Decode the encryption. (Score:3, Funny)
*looks left, looks right*
Re:Change your thesis - Decode the encryption. (Score:5, Funny)
You insensitive clod!
You've ruined the poor boy's dream!
Just think of the hours of fun he could have had "cracking" the "code".
Just think of the elaborate code -- and equally elaborate conspiracy behind it -- he might have created in a desperate obsession to make his data fit his theory!
It could have been a new formularization to rival the Illuminati [tripod.com], Ancient Astronauts [daniken.com], secret codes in the Bible [biblecodedigest.com], or some other tortuous, contrived theory! Why, he might even have constructed the ultimate conspirarcy theory, a religion [scientology.org]!
But no! You had to cruelly disillusion him. And rob us of the fruit(iness) of his labors.
For shame!
Re:Change your thesis - Decode the encryption. (Score:3, Insightful)
It wouldn't stop any spam filter I have seen.
Ah well, probably some ISP out there has such a silly filter.
I was envisioning something smarter along the lines of hidden fields (have a look at ye average web form , a lot of them have hidden fields to hold state and tracking info).
For example as I type this, let me look at the "Page Source". Ooo lookee, on slashdot itself....
I'm thinking along the lines of...
You're best bet (Score:2, Insightful)
It's easy. (Score:5, Informative)
steve
Research Survey (Score:5, Funny)
Lots of Contests (Score:2, Informative)
Some links of the sweet, sweet google:
Here [sweepstakes-contests.com]
Again [about.com]
And Again [acuwin.com]
If you search for 'contests' and click on the sponsored link then you should have an abundant source. Also, if you sign up for a few of those "Free" trials at porno websites, you should start to get some serious spam.
Try Free For All Links style sites.. (Score:3, Informative)
Hey I got plenty!
Posting in public forums (Score:3, Informative)
Post to Google Groups [google.com] on many well-frequented lists (don't cross-post!) with the address. Sign up for a Slashdot account and write generally informative (+5! +5! +5!) tripe with your real email address tied to it.
You also should've specified the test email in your story submission (i.e. Sean [mailto] writes:) -- too late for that now, of course. In the slashdot@myname.endjunk.com emails I've provided, I've easily gotten 10+/day within a few hours of first posting. Neat.
Look at my email addy... (Score:4, Informative)
I used it to attract spam so that I could train spamassassin for my use and for a few friends and family.
I went and dropped it all over usenet in the pr0n groups, went to every viagra site I could find, clicked on every banner add I saw.
It took a few weeks but I finally got the desired results. You'll have to put up with some extremely offensive email for awhile so make sure the wife and kids can't get to it during this phase.
After doing this for a few weeks I was getting 50+ spams a day. Now that I have spamassassin all tuned up I just don't check mail on that account. Once I feel that I no longer have the need to tweak SA, I'll just dump the account..
Too bad this doesn't work for TV commercials...
HEY! How about an app that, er, nevermind...
worked for me (Score:5, Interesting)
Re:worked for me (Score:3, Informative)
http://xult.org/email.html [xult.org]
Surprisingly few spams have arrived. I suppose the page isn't that high traffic.... yet
Spam heaven is right at your doorstep! (Score:3, Insightful)
Or in other words... (Score:4, Funny)
Ask Slashdot (Score:5, Funny)
I Have Your Answer (Score:3, Funny)
How about the front page of Slashdot?!? That ought to help you out a bit.
For real spam... (Score:3, Insightful)
Send one of those e-greeting cards (Score:3, Informative)
Use a control group (Score:4, Insightful)
Address 1 - (Control Address) Post No Where and read no messages until the testing time is over
Address 2 - Post On Usenet (Deja.com)
Address 3 - Post In Public ICQ program
Address 4 - Porn Sites
Address 5 - IRC
etc
My Spam corpus (Score:4, Informative)
I may have used it for a few web sites, but the only one I recall is a local political organization which I doubt would have sold, or had the expertise to sell, its list. Still, the data is tainted, and I can't say it all comes from usenet.
According to DejaGoogle, I last used it 18 April 2002, and it was last referenced in a follow-up message 5 May 2002. I first used it 15 February 2002.
For a while I had my ISP forward mail to that address to "nothing" until I worried it might be piling up on the server somewhere (I don't know what forwarding to "nothing" means in the ISP's web control panel). So there are no messages for most of the month of May 2003.
Disregarding the emails from the political organization, there are 1733 emails; the earliest is dated 16 July 2002, the lastest today 21 Sep 2003. (There are probably earlier emails to this address which have been archived.)
So that's a span of 432 days, not subtracting the period when I wasn't having the email forwarded. Again not subtracting the un-forwarded days, that's ~4 per day.
Note that this is only spam to this particular "sacrificial" address; it does not count the large amount of spam that, thanks to having some idiots as "friends", hits my "real" address.
I have not been subject to any dictionary attacks on my domain name, but I have gotten about 105 spams to admin@mydomain in the same time period. This pushes the daily average to ~4.25/day.
Since I started getting a lot of spam, I've made a practice of assigning each commerical contact or mailing list a different address (theirdomain.tld@mydomain.tld generally); surprisingly, these get very little spam, despite getting large volumes of legitimate mail each day.
Wait. (Score:5, Informative)
Who you use as an ISP is important (Score:5, Interesting)
Is the account you want spammed provided by the same ISP as your personal account? It sounds like the ISP you are using for the research account might be doing a really good job killing off the spam before it ever gets to you. In order for the research to be uncorrupted you need to verify that your ISP passes all e-mails through to you, rather than spam filtering.
Send yourself a Free!! E-Greeting!!! (Score:3, Informative)
Then start clicking on the Unsubscribe links.
SpamCop's list of websites == Game Over (Score:5, Informative)
http://www.spamcop.net/w3m?action=inprogress&ty
That's Spamcop's list of spam-vertised web sites. All of those sites have submission forms; just put the email address in there and you'll be rockin' and rollin' within a few hours. I got into a 'spam war' with one of my roommates back in college, and with that Spamcop list I was able to render his email account COMPLETELY useless within a couple of hours (If you're reading this, sorry 'bout that Brian... )
Speaking of spam, on a random side note, I've recently started checking all of my email accounts with Shadango.com. Anybody else tried that yet? Shadango allows you to have advanced filtering applied to ALL of your existing accounts (both POP and IMAP). It's frickin' great. So now I don't get any more spam, plus I can check all 5 of my email accounts from one place. They've also got file storage, a calendar, etc. It's money. Check it out.
-Nate
All you need to do (Score:3, Funny)
Some solutions (Score:3, Informative)
2. spamarchive.org [spamarchive.org]
3. Build a Spam Honeypot [google.com]
hth
pete
I've got heaps 2347 messages in ... (Score:3, Interesting)
Post your e-mail address here and I'll send the spam.tar.bz2 file to it.
There, what could be more helpful?
It'll take time (Score:3, Insightful)
I'm sure your now addresses have been harvested by a number of systems already. You'll have to wait, though for a client to buy a list, or another wave of mailings to go out before one is sent to you.
Got Spam? (Score:4, Informative)
Much harder than it seems. A spam trap address can take months or even years to get up to the same levels of spam as other addresses.
Some techniques;
Unsubscribe the address.
Apart from proving that some spammers actually do harvest from unsubscribes, this method isn't very effective, because some spammers actually do remove you from their lists.
(of course, if you only unsubscribe addresses that don't get any spam, it can't get worse.)
Dictionary attacks. If you run a mail server, you will occasionally be attacked. Either pick easy to guess names, or accept any name that fits a rule. It's a good idea to always reject the first name (unless it's already in your lists) since some spammers start with a 'test' name.
Also, there will be plenty of names tried, so there's no need to accept a suspiciously high percentage. Choose a simple rule that rejects a fair percentage of the names.
For example, accept any name which has a '5b' as the last hex character when hashed.
If your server has any extra delays after a bad name, remove them.
Buy expired domains.
Some of my best trap addresses are from previously owned domains.
Posting to usenet.
I've not had much luck with this.
Posting to mailing lists.
This also seems fairly hit or miss.
Posting to websites.
Works eventually, but it can take a long time.
Setting them in Ineternet Explorer.
Some web sites have javascript that can grab your email address from your browser.
(bonus points if you write this up in a proposal)
When you get spam...
Read the web pages. Once you actually get spam, either read it in a browser, or download all the links with wget. Some spammers are paying attention, in particular it seems, the ones who sell addresses to other spammers.
Respond. When you get one of those weird messages like "Are you the same noc-staff I went to school with?" Respond with a simple "sorry, wrong guy."
-- this is not a
Enter some contests (Score:3, Interesting)
Register a domain, and join match.com from hotmail (Score:3, Interesting)
My wife created a unique (with numbers) hotmail account when she joined match.com (we met on matchmaker.com) and used it only for that purpose. Today she gets hundreds and hundreds of spam on it even though it's been entirely inactive for 3.5 years!
Match customer service claims they don't sell addresses and that it's hotmail's fault. Either way, the two together seem to be a quite effective spam trap
Of course, if you're just looking for a corpus of spam to test against, there's plenty out there. Google for +"spam corpus" to find several good sites.
Hope that helps....
--D
Run for office and post your email address. (Score:3, Interesting)
I now get about 50+ spams a day... nicely controlled with spamassasin.
Re:FREE pr0n (Score:3, Funny)