Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Spam The Almighty Buck

Attacking the Spammer Business Model 655

Stephen Samuel asks: "Spammers spam because it's an 'easy way to make money'. They send out millions of spams knowing that 99.995% of them will be ignored, but the other 0.005% of responses are pure gold (Andrew Leung at Telus has an excellent report on the economics of spam). Responses to mortage spams are reportedly worth $50.00 each. What would happen if, instead of technical and legal approaches, we simply started attacking their business model? If people started responding to just 1% of the spam we received, spammers would drown in the responses, and the mortage spam responses wouldn't be worth an email, much less $50. The Nigerian Sweet Revenge is an example of this. The nice thing about this sort of statistical approach is that it would start to reward spammers for sending out -fewer- emails. (fewer emails -> fewer bogus responses). What other ways can people think of to attack the spammer business models, and what are the expected downsides of such approaches?" Of course, the one major drawback to this is the likelihood of more spam, since you'll be giving them a valid email address. However, many of you may be receiving increasing amount of spam as it is (even through your filters) so might an organized spam-the-spammers movement work?
This discussion has been archived. No new comments can be posted.

Attacking the Spammer Business Model

Comments Filter:
  • by eaglebtc ( 303754 ) * on Monday November 17, 2003 @08:13PM (#7497884)
    The top 1% of spammers who can afford the bandwidth and the hardware could still theoretically handle the volumes of email they would receive. Then they just have to expand their operations to go after the potential business contacts.

    Now what about sending them bogus email addresses and phony information? That would send them on a wild goose chase.
    • by magarity ( 164372 ) on Monday November 17, 2003 @08:17PM (#7497941)
      It isn't about bandwidth. This plan is to make the flood of loan referrals, or whatever, have lower value. If the only people who respond to loan spams are people searching for loans then each one has a good chance of being a customer. But if there are a thousand bogus loan seekers then there are suddenly less real customers and the loan companies will not want to pay very much to chase bad leads. At least, that seems to be the idea here.
      • by perrat ( 724979 ) on Monday November 17, 2003 @08:41PM (#7498174)
        In addition to this there is the costing model used by most ISP's, where the user will pay for items that they download but not for what they upload. In the current situation the 'economy of SPAM' is based upon having a massive number of emails and a very small number (percentage wise) of responses. The current ISP costing model advantages the spammers. If your anti SPAM software actualy sent a 'no-thanks' type response of the origionator, they would by paying to download each of these messages. Even by counter blocking at the other end they still need to download the message first before they can determine it's legitimacy. If you can break the economy of SPAM your put the spammer out of business. Even the richest spammer still has to rely on a tiny percentage return to generate their income.
    • "Now what about sending them bogus email addresses and phony information?"

      Reply with the the email addreses of other spammers :-)

    • Now what about sending them bogus email addresses and phony information? That would send them on a wild goose chase.

      Yep. That's what I generally do... I usually 'harvest' the Email addresses of Nigerian spammers, and use those as my 'reply' email address. (Perhaps I can get them talking to each other! :-o ).

      If a spam site I visit gives me a non-800 phone number, I'll often put that in my files, as well.

    • by einer ( 459199 ) on Monday November 17, 2003 @09:04PM (#7498357) Journal
      Now what about sending them bogus email addresses and phony information? That would send them on a wild goose chase.

      That would be form fucker [slashdot.org]

      The plan would work if enough people did it (the single reply, not necessarily the form fucker), and it would work for the same reason that spam makes my inbox useless. A poor signal to noise ratio. Someone has to dig through all of those garbage e-mails and harvest the truly interested parties (both of them).
    • by nuntius ( 92696 ) on Monday November 17, 2003 @09:44PM (#7498591)
      So, instead of SpamAssassin simply blocking your incoming junk mail, it should also send out bogus contact info/sign up for fake stuff?

      Brings new meaning to the concept of a Spam-bot...

      Anybody care to write one?

      The only problem I see is that the spammers could then prosecute you for forged identity/ misuse of computer equipment...

      Instead of doing a dictionary-style counter attack (which could accidentally frame someone), we would have to use the same name-mangling as the spammers use...

      Example counter-spam:
      Dear Sir:
      Please sign me up for 9en1s 3nlar6ement!
      Name: B0gus B0b
      Address: 12-34 Stat St, Washington UL 12345
      Email: anon_tip@fbi.gov

      Hopefully, the fake @fbi.gov email will get them in even more hot water... :) Hopefully it won't also get us in trouble. :(
  • by Mirk ( 184717 ) <slashdot@@@miketaylor...org...uk> on Monday November 17, 2003 @08:13PM (#7497888) Homepage
    This is actually a good thing.

    Why? Sheesh, I don't know, but whatever story gets posted here, someone always claims it's a good thing, so I figured it might just as well be me this time.

    • by Anonymous Coward on Monday November 17, 2003 @08:50PM (#7498255)
      This is actually a good thing.

      Why? Sheesh, I don't know, but whatever story gets posted here, someone always claims it's a good thing, so I figured it might just as well be me this time.

      This is a bad thing. Why? Well, I don't know either, but whatever comments get posted here, someone always claims you're wrong, so I figured it might just as well be me this time.

  • Bogus spams? (Score:4, Interesting)

    by cravey ( 414235 ) on Monday November 17, 2003 @08:13PM (#7497892)
    Sorry, I don't think it will work. 90% of my spams are either gibberish or are otherwise not selling anything. Passages from shakespeare and the like or blank emails are pretty common for me these days.
    • Re:Bogus spams? (Score:5, Insightful)

      by Rascally ( 89279 ) on Monday November 17, 2003 @08:15PM (#7497922)
      Those are usually just spams sent out to verify valid email address and filter out bounces, etc so they have a "cleaner" (I use that term in a very loose fashion) list to use for their actual "real" spamming operation.
    • While most of the "spam" I get nowadays is sent by fast spreading Microsoft worms, these empty or seemingly "useless" spam messages are something I wondered about as well. Who sends them and whatfor? I just don't get the motivation to waste your time/resources to send empty messages.. does anything have any insights to offer? - Thanks!
      • Re:Bogus spams? (Score:5, Interesting)

        by cravey ( 414235 ) on Monday November 17, 2003 @08:25PM (#7498025)
        My belief is that they are sent for possibly two reasons.

        1) Verify that the email address is deliverable. It makes no sense to keep a bad email address in your database of spam targets.

        2) Seed statistical spam filters with bogus data.

        I've been really happy with bogofilter on my IMAP server. Once I got the bus worked out of my scripts, it's running about 98% accuracy with zero good emails getting filtered as spam.

      • Re:Bogus spams? (Score:5, Interesting)

        by sfe_software ( 220870 ) on Monday November 17, 2003 @08:26PM (#7498034) Homepage
        Who sends them and whatfor?

        I don't know about everyone else, but a good portion of the seemingly blank SPAM I receive are actually HTML email with no text version. I told Mozilla mail to never, ever display HTML email (and can't figure out how I did it, to replicate on my laptop!) If I look at the email in a text editor, I realize that it's full of either HTML or Base64-encoded text/html.

        Mozilla Mail does properly convert normal HTML mail to text, even when a text version isn't included -- so obviously whatever tool the spammers use to compose their messages is non-compliant in some way (I haven't been bothered enough to figure out what exactly they are doing wrong).

        I do quite often get other messages that appear to be just junk, or possibly Chinese/Korean characters (the majority simply look like binary data)... those I haven't figured out yet.
    • Re:Bogus spams? (Score:5, Informative)

      by Stephen Samuel ( 106962 ) <samuel AT bcgreen DOT com> on Monday November 17, 2003 @08:44PM (#7498200) Homepage Journal
      Sorry, I don't think it will work. 90% of my spams are either gibberish or are otherwise not selling anything.

      This might be the result of blocking remote images in email, to avoid spam filters, some spammers now have an email consisting of little more than a pointer to an image on their (zombie?) servers. The image has all of the text in it.

      If you have images blocked, try reading the source and see if that's the case.

  • by The Munger ( 695154 ) on Monday November 17, 2003 @08:14PM (#7497898) Homepage
    They work by flooding us with crap, hoping that they get one in a million to answer. We could fight them by flooding them so they have to look through a million emails to find the one legit order. Hmmm...

    Sorting through a pile of junk to get the stuff you're looking for. Sound familiar email junkies?
    • by chriton ( 29476 ) on Monday November 17, 2003 @09:57PM (#7498655) Homepage
      Let's be clever & at least semi responsible at the same time. I propose a blend of technologies ripped from slashdot, P2P, and maybe 1 or 2 key innovations. Let's call this system "Spam Devil" or SD for short.

      The Basics:
      SD would allow users to connect to a peer to peer network which would enable thousands of users to share information about Spam they have received which warrants a response. Individual users would have the opportunity to nominate a Spam email for response. Once an email is nominated, it would be reviewed by several moderators in good standing. If those moderators certify a Spam for response, a distributed network of computers running SD would begin to flood the Spammer with bogus information either by email or by their websites.

      More Ideas:
      Moderators could be effectively metamoderated by comparing their votes with the votes of other moderators. A moderator's standing could be stored in a distributed fashion so when you rejoin the network, you don't have to start building your standing from scratch.

      Reponses by website could be templated by the original nominator and reviewed by the moderators. Each form field could be given a type such as name, email address, phone, etc. A facility for templating a series of screens would be useful, and probably could be accomplished by having the nominator make a dry run through the website. Additional heuristics could be added that would allow the program to make guesses if the templating doesn't match. In cases when heuristics are used, moderators could be prompted to verify that the responses make sense. It's critical that the responses be difficult to weed out of actual responses from real customers in order to confound the Spammers.

      Responses by email would require very careful moderating as the results, if misdirected, could be worse than the original problem (Spam). Some moderators may need to be certified as experts on email tracking. Also, some very clever test emails may need to be sent as confirmation before a response can be authorized. Responses by email should be anonymous. SD should be able to keep a healthy list of open relays by analyzing the Spam emails.

      A very clever use of SD could allow for response throttling ensuring that a website remains responsive for SD. It would be a real shame to have SD hammer a website into submission only to end up with no real work being done. The cruft should be added slowly & steadily at first & possibly release the floodgates later in the process.

      Finally, SD could be VERY useful for exchanging information about the Spam that is circulating and be used as raw information for filtering engines to reduce the amount of delivered Spam. If the system were to be well used, Spam might only be delivered to a smallish number of people before SD gets the email submitted, moderated, and certified as Spam. Once that's done, Spam filters worldwide could begin using that information to VERY specifically filter those Spam emails and blocking their delivery to suspecting throngs. Now wouldn't THAT be nice?

    • by Kynde ( 324134 ) <kynde AT iki DOT fi> on Tuesday November 18, 2003 @05:28AM (#7500692)
      That's not ironic. Why? Hell if I know. But whenever someone says ironic here, there's always a reply moaning about missuse of the word ironic, links to webster et al and raving how Alanis is to blame for all this confusion. I figured it might as well be me this time.
  • by dynamo ( 6127 ) on Monday November 17, 2003 @08:14PM (#7497900) Journal
    what if we sent all the replies through anonymous remailers set up specifically for the task, or even better, had a system that you could foreward all your spam to that would do the replying for you - from an address that would send a random spam back in reply to anything you send it - you would literally spam the spammers.
    • Even better: We write a bunch of viruses to take over underprotected computers. Then we use those computers to respond, en masse, to spammers' solicitations...

      Hmmmm. I started out trying to be funny, but if we really want to turn the tables... Anyone know someone in the Russian Mob?

    • by bgog ( 564818 ) * on Monday November 17, 2003 @08:39PM (#7498158) Journal
      If we all used anonymous remailers, they could simply filter them out and then they would have the legitimate responses. The only way this would work, (and it probably woulnd't unless everyone id it), is for the responses to be as real as possible, from real email addresses. That way they have to spend the time and effort to follow up on the leads. All 10 trillion of them.
      • The only way this would work, (and it probably woulnd't unless everyone id it), is for the responses to be as real as possible, from real email addresses.

        For the most part, reply addresses are bogus. They usually expect you to visit a web site. It's only 419 spammers (and the like) who usually give (and read) legitimate reply addresses. I'll often use those as my 'response' address.

  • by Qweezle ( 681365 ) on Monday November 17, 2003 @08:14PM (#7497902) Journal
    The best way to get at these spammers, is not to use a spam filter, because even the best aren't always reliable.

    What you should do if you are serious about getting on the nerves of some spammers is create an extra e-mail address for yourself that you send responses to spammers with, and get replies(maybe) in. Eventually, you could take all of those spam messages in that email box to a judge somewhere and win yourself a considerable amount at the pocket of a crass spammer somewhere.

    So long as we can outthink them, we can win. :-)
    • You could always do what I do.

      Add all the spammers to an e-mail list and automatically forward any spam I get (using an address I use only for this purpose) to everyone on that list.
      • by sfe_software ( 220870 ) on Monday November 17, 2003 @08:32PM (#7498086) Homepage
        You could always do what I do.

        Add all the spammers to an e-mail list and automatically forward any spam I get (using an address I use only for this purpose) to everyone on that list.

        Having recently been a victim of having my addresses spoofed by spammers, I don't think this is a good idea. Only if the SPAM actually says to reply for more information (or to make a purchase) would this work; in other words, only if you have a reason to believe that the address is in fact going to reach the spammer.

        The majority of SPAM I get does not come from a valid email address, but instead includes a URL to visit or a telephone number to call. Thus, forwarding SPAM to the From/Reply address will either just bounce, or worse, go to the unsuspecting person who's address was inappropriately used.

        I know that often the spammers just use a random address from their list as the From/Reply-To, but for a couple of weeks I was the proud recipient of many thousands of bounced SPAM messages, to the extent that I had to temporarily /dev/null my Postmaster alias (violating RFCs of course).
        • well the principle is still OK - and, in fact, better for spammed.

          If you go to the web site and fill in the details with bogus-but-almost accurate data, they won't be able to contact you, and you get to flood them with 'spam' referrals. If its a telephone number to call... well, make sure you get through to a person, walk them through the whole 'yes, of course I want x' routine, then hang up right at the point where they ask for completion.

          Even better is to get them to send a salesman round, as you obviou
  • in the short run... (Score:5, Interesting)

    by magarity ( 164372 ) on Monday November 17, 2003 @08:14PM (#7497910)
    Well, in the short run, loan referrals are STILL worth $50, so spamming a spammer who is doing that will result in an insane windfall for said spammer. And if the reverse attack isn't sustained... well, it just pays for a new boat and house in Tuscany for the spammer. Then it's back to spamming as usual. I vote against this plan unless you guarantee you can sustain it.
    • by Stormie ( 708 ) on Monday November 17, 2003 @08:17PM (#7497935) Homepage
      How long will people pay spammers $50 a referral once it becomes clear that 99% of said referrals are for non-existent names and addresses?
      • Well, 1% of millions is tens of thousands. Tens of thousands times $50 each is a nice house in Tuscany. Realise that it's an automated near-instant process for the spammer to submit leads and days/weeks/months of worker-hours of doing followups to discover there's a lot of bad leads. Each individual would-be loan closer is going to think he/she is just having a bad week until a supervisor or other higher-up connects the dots and realises the spammer submitted a bad lot.
        • by orthogonal ( 588627 ) on Monday November 17, 2003 @09:02PM (#7498340) Journal
          Realise that it's an automated near-instant process for the spammer to submit leads and days/weeks/months of worker-hours of doing followups to discover there's a lot of bad leads.

          Well, not necessarily. The trick is to craft "leads" that are obviously bogus to a human at the mortgage company, but aren't easily filtered by a machine.

          What makes this especially interesting is that, in other words, it's precisely like creatng spam designed to get around spam filters.

          With names that are obviously bogus to people, but mot machine, the bogus "lead" is either
          • sent to the mortgage company, which realizes immediately that the "lead" leads nowhere, and pretty soon that too many of the spammer's leads are bogus;
          • or, you make the spammer himself weed out the bogus "leads" so as to keep the mortgage company as a client.
          The mortgage company (or the spammer, if he's weeding) will quickly realize that "Felix Thecat" and "Kiss M'Ass" are bogus. "Heywood Jablowme" might get by a weeder, but won't last too long at the mortgage ccompany. "Gloria Mundi" probably gets several calls before somebody at the mortgage company remembers high school Latin or a Roman Catholic upbringing.

          While a dictionary of first names will allow some machine weeding, could a 95% coverage of last names be built? What percent coverage of last names is needed to keep a mortgage spammer from being dumped by the mortgage spammer? What's the distribution of last names? Help me out, Slashdot.
          • It would be better to use realistic names, addresses, and phone numbers. The reason is that you want some human at the mortgage company to actually have to place a sales call. The most expensive way for the call to fail is to be to a valid phone number where someone picks up and the caller asks for a name that doesn't match. When they actually place the call, there's an expense, when the human has to talk to them, there's an expense. Plus, the real person they call will likely bitch them out (because it is
    • Well, you could respond to spam, they get the referral fee, but you find out who got the spammer to send the spam, and then publicize the shit out of them in an effort to put them out of business.

      If you put the people that support spam out of business, they won't be hiring spammers, and people who see what's going on won't either...?

      Just a thought.
    • Well, in the short run, loan referrals are STILL worth $50, so spamming a spammer who is doing that will result in an insane windfall for said spammer. And if the reverse attack isn't sustained... well, it just pays for a new boat and house in Tuscany for the spammer.

      You could tell the mortgage company what you are doing: "I'm wasting your time because you employ spammers to waste mine. I never had any intention of dealing with a company employing spammers."

      That would have the plus of losing them m

      • As a rule, things like mortgage leads, is that most players work with brokers (BTW: email spam mortgage leads don't net $50/lead). So the spammers are all dumping to the brokers. In general, the brokers combine search engine placement leads, search engine spam leads, legit leads (people that solicit it from financial sites, etc.), into one lead pool that is sold. What would happen, is that over time, you would drive the value of that broker's leads down (although that assume perfect information), but you
  • by mvpll ( 542255 ) on Monday November 17, 2003 @08:15PM (#7497919)
    This works fine for spam that requires a valid return address, but what about all the spam that is just trying to get you to visit a website. Replying to such a spam just gets you a bounce message.

    Does this mean I now have to read all my spam to decide which I should reply to and which I should ignore???
  • Somebody suggested this in another /. article talking about spam: For those of us with our own mail server, just create a unique email address to respond with.

    Once you're done messing with them, just kill the address. Not exactly a foolproof solution, but I don't see why it wouldn't work most of the time.
  • by RevJim ( 564784 ) on Monday November 17, 2003 @08:16PM (#7497924) Homepage
    Paul Graham wrote an article about this regarding spam filters that fight back. If everyone installs a spam filter that detects spam and then automatically crawls any links listed in the spam, it would bring their web servers to their knees.

    Here's a link to the article.


    • by spacefrog ( 313816 ) on Monday November 17, 2003 @08:26PM (#7498032)
      automatically crawls any links listed...bring their web servers to their knees

      Oh, the Slashdot business model!
    • mmm, that's a very neat idea. You could fill forms with random junk and submit them if you had the filter set on "properly evil" ;)

      I do wonder if it might be straying into legal definitions of DoS and the like?
    • Just take a look [yonderway.com] at the technology that drives some of the lower end spamhauses and then you try telling me that hitting a web site is going to hurt them.
    • by grotgrot ( 451123 ) on Monday November 17, 2003 @08:30PM (#7498067)
      automatically crawls any links listed in the spam, it would bring their web servers to their knees

      It doesn't distinguish between good guys and bad guys. In fact none of the "automatic" schemes mentioned do. Say the spammers decide they hate Paul, they can very easily deliver several spams pointing to his web site/email address/phone number. Remember that the cost of sending extra emails by a spammer is pretty much zero.

      The spammers are already picking on the anti-spam people. [theregister.co.uk]

      So how will your auto-responders etc tell the difference between bad guys and good guys?

    • by mrklaw ( 98550 ) * on Monday November 17, 2003 @08:32PM (#7498084)
      Wow, what an easy way to DDoS. Just send out a bunch of Spam with a link to your least favorite website. The spam filters take care of the work for you.

    • by UnderScan ( 470605 ) <jjp6893NO@SPAMnetscape.net> on Monday November 17, 2003 @08:32PM (#7498094)
      Is there a way to keep their porn/mortgage/penis size ad server busy so that it can not open more connections?
      http://www.toad.net/~mischief/archives/00000084.sh tml [toad.net]

      This tool is a "honeypot." The idea is that you install this software on a Linux/Unix machine (believe there might also be an NT version available) and it pretends to be like multiple computers on the network, acting as virtual hosts. Whenever a worm comes along and probes one of those virtual hosts, La Brea hangs on to the thread and slows down the process of infection, logs all the relevant info, etc. It's actually a brilliant idea and now, thanks to some of our genius legislators, potentially illegal to possess or use.
      Someone created a tar-pit for Code Red. google for la brea code red

      any ideas?

      or am I suggesting a DoS?
    • So I want to take down yahoo. I send out millions of emails about viagra with a link to them. Down they come. Bad news.
  • Reply. (Score:3, Insightful)

    by Absurd Being ( 632190 ) on Monday November 17, 2003 @08:16PM (#7497928) Journal
    Reply to EVERY spam. Heck, set up a site where a spam is displayed, and every member of said site goes to the spam's link at say 12:00 EST. The resulting delta-function like demand should break their server, and prevent their legitimate customers from entering. So sending spams, or paying direct advertisers will COST your business. 100000 spams won't be worth $50, but $-50000.
  • A better idea... (Score:3, Interesting)

    by woodhouse ( 625329 ) on Monday November 17, 2003 @08:17PM (#7497940) Homepage
    Most spams I get are trying to convince me to click on a link rather than reply by email. Perhaps we should all just click the links to confuse the spammers instead?
  • by Powercntrl ( 458442 ) on Monday November 17, 2003 @08:18PM (#7497947)
    I'd say the vast majority of spam that I get is just a vehicle for delivering a URL. The spammers don't want a reply, they want you to go to their website.

    Frequently, I get spam that seems to be selling NOTHING. The reply-to is invalid, and they don't bother including any kind of URL.

    On the bright side, the vast majority of my spam gets caught in the filters - so I only see it if I check the spam folder. And may the spam rot there...
  • Spam Site? (Score:2, Interesting)

    by sethadam1 ( 530629 ) *
    How about someone set up a few mail servers in China or something and we plug in the e-mail addresses of the spammers and just inundate their emailboxes with ...yes, SPAM!

    We should also spam their ISPs after a generous warning.

    Spam is out of control, and I think everyone here knows that until some universal SMTP replacement or SMTP extension is implemented, spam ain't going away.
  • by James_G ( 71902 ) <<gro.procagemlabolg> <ta> <semaj>> on Monday November 17, 2003 @08:20PM (#7497968)
    If I get a spam that makes it through spamcop and spam assassin, and contains an 800 number (this doesn't happen often), I'll try and call them. It's not cheap to run an 800 number, and they tend to have a several minute long message rather than a real person answering the phone. If you have multiple lines, the fun thing to do is to call up on one line, let the message finish, get to the part where you get to record a message and then call them up again on a second line and conference the two together. Record their outgoing message as your message, rinse, repeat.

    It feels good to cost the spammers some money, even if it does waste your time to do it.

    • by Anonymous Coward
      Remember that "phone number privacy" usually doesn't work with 800-class phone numbers!

      Best to call from the fax machine at work or some other "useless" number.
    • Well, there is usually a set fee after which they don't pay any more... So you aren't doing as much damage as you think.
  • by Maestro4k ( 707634 ) on Monday November 17, 2003 @08:20PM (#7497972) Journal
    How about setting up a website that lists all the 1-800/866/etc. numbers from spam E-mails. Then everyone who wanted to could call and drag them along as long as possible to run the bill up. Probably wouldn't take too long before their phone costs ate up all their profits and more.

    The only downside is I don't think many spammers use this approach, but it'd certainly be effective against those who do. I don't think it'd be illegal (as long as each person didn't call more than once) either, but IANAL.

    • How about setting up a website that lists all the 1-800/866/etc. numbers from spam E-mails. Then everyone who wanted to could call and drag them along as long as possible to run the bill up. Probably wouldn't take too long before their phone costs ate up all their profits and more.

      Please, think evil. I know you can do better than that. At least try.

      What we do is, every time we get a spam with an 800 number, we use our modems to FAX that number...

    • The main reasons against it would be accountability and Joe-Jobs.

      How do you know that the 800 # was actually sent with spam? It could be a prankster, or someone wanting revenge for a non-spam-related reason, or it could be spammers themselves trying to discredit the anti-spam community.

      Five maybe six years ago there was this one really bad spam that listed an 800 number. Got at least one a day and it was for the 800 number. It didn't take long for the message on the voicemail for this number to state that
  • by baximus ( 552800 ) on Monday November 17, 2003 @08:21PM (#7497986)
    ...is that the majority of spam I receive has forged headers, so I would in effect be sending the bogus replies to some poor sucker who had no idea their email address was being used as the "From:" header in a major spam operation.

    The number of spam emails that get through SpamAssassin because of forged "From:" headers is ridiculous. And worse is the number of bounce messages I get because someone has used my email address as the "From:" header in a massive spam mailout.
  • by fanatic ( 86657 ) on Monday November 17, 2003 @08:22PM (#7497990)
    ...for anyone who buys anything as the result of receiving spam. Anyone that fucking stupid doesn't deserve to live.
    • by fdiskne1 ( 219834 ) on Monday November 17, 2003 @08:55PM (#7498294)
      I was talking with a salesperson of an anti-spam package last week. She said that I could tweak the rules so the spam I WANT to receive makes it through. I asked her why in the world I would want any through, and she said, "Sometimes you can find some good deals in spam." She then told me about something she had recently purchased from spam. I can't remember just what it was. I was too busy trying to get my brain around the fact that she actually purchased something from spam. 8-/
  • by MobyDisk ( 75490 ) on Monday November 17, 2003 @08:22PM (#7497995) Homepage
    Most of the spam I receive doesn't ask me to reply to purchase anything. They simply direct me to a web site of some sort. This eliminates mass-email replies as a possibility. If they use web forms, they can easily tell legitimate orders from phony ones by verifying the credit card numbers, phone numbers, addresses, etc.
    • That brings up an obvious question:

      If it's clear that the spammer is doing something illegal (selling something that's illegal, hosting the website on a hacked cable modem computer, etc...), would it be legal for you to give them a fake/bad credit card number?

  • Blacklists (Score:3, Interesting)

    by Preach the Good Word ( 723957 ) on Monday November 17, 2003 @08:24PM (#7498012)
    I run several domains and use multiple blacklists. The blacklists are incredibly effective, especially those which are country-wide like taiwan.blackholes.us and china.blackholes.us. I, and the other users of my domain, don't communicate with people in China or Taiwan. If I disable the blacklists, the ONLY thing that comes to us from those countries is spam. It has a tremendous impact on the amount that I get. Because of those punitive "broadlists", many ISPs like AT&T and PSI who used to write "pink contracts" and host spammers no longer will. The broadlisting makes harboring spammers unsafe. AT&T is not going to piss off their entire subscriber base just to get one big pink contract from some spam house. It's not worth it to them. Many ISPs, especially dial-up ISPs have blocked outgoing port 25 so spammers can't use them for throwaway accounts from with to spam. No ISP wants to risk some spammer paying $9.99 for a month of service which will get the ISP blacklisted.
  • by Anonymous Coward on Monday November 17, 2003 @08:25PM (#7498017)
    Part of my companies' income is from sales of various and sundry products sold via soley online "stores." Part of that traffic is via banner ads, text links, etc, and another portion is via bulk mail (spam), generated by affiliates and run from an outside-the-us operation (that is to say we are not technically pressing the "go" button to spam people).

    As a programmer working to keep the data flowing smoothly part of my job entails building programatic methods of detecting false data. Some of this is easy (i.e. people who put "I WANT TO RAPE YOUR DAUGHTER" in the first name field). Sometimes this is harder. IP checking helps, but distributed attacks are always a difficult thing to catch. However, all that said I don't know that this would be a significant problem.

    One of our upcoming process changes will include an attempt to contact each customer via phone or email to verify their order before following through with it. Futher, automated credit-card checking will automatically drop orders with bogus data in them. CreditCard declined statistics would rise, but ultimately it wouldn't be that much hassle.

    If you really want to hurt a spammer, get thousands of people to order a product, then send it back and charge-back the order on their cards. Creditcard merchant accounts have limits on the chargeback rates, and when they get too high the merchant provider will cut you off. Of course you have to front the money and the hassle, and at the end of the day there's only 1 less spammer out of a million (unless he tries to find another merchant provider and succeeds). But for some, perhaps the cost-benefit analysis would still find it worth it.

    Total Due: $0.02

    • by Anonymous Coward on Monday November 17, 2003 @09:01PM (#7498336)
      This is a stunning. I have a better idea, if some grey hat wants to be a hero. This idea is extremely illegal. Purchase or get lots and lots of stolen credit cards. Target a spammer. Buy lots and lots of his product with the stolen cards. When the owners charge these back, the spammers will be *blacklisted* by Visa and Mastecard under the theory that, if that many stolen cards got used at one place, the spammers must be members of organized crime syndicates. Not just the spammers' companies will be blacklisted, by the way - the individual executives will be blacklisted, as well. Some selfless vigilante could solve the whole problem for us!
    • by Weaselmancer ( 533834 ) on Monday November 17, 2003 @09:42PM (#7498584)

      Let's look this post a bit and do a little translation:

      Part of my companies' income is from sales of various and sundry products sold via soley online "stores." Part of that traffic is via banner ads, text links, etc, and another portion is via bulk mail (spam)

      Translation: I am a spammer.

      If you really want to hurt a spammer, get thousands of people to order a product, then send it back and charge-back the order on their cards.

      Translation: Give me your credit card number.

      Spammers are the wise guys and con men of the digital age. DO NOT TRUST THEM. I mean really - if this guy makes his living this way is he honestly going to give you a stick to beat him with???

      It's more likely he'll take your credit card number, charge it to the hilt and take off to Zaire.

      Give me your credit card number and I'll be hurt. Please!

  • by pla ( 258480 ) on Monday November 17, 2003 @08:27PM (#7498041) Journal
    Although I like the idea (since we can't really implement my preferred method of dealing with spam, "hunt them down and kill them in the most painful way imagineable"), I see one major flaw with it...

    Namely, the very methods we've come up with to avoid spam would work for the spammers.

    How long do you think it would take before, in addition to lists of live email addresses, spammers also begin keeping lists of "people wasting our time"? I'd give it a week, if this really caught on suddenly.

    For that matter, I believe this would leave them in a better position than now, since they'd not only have a list of people who won't buy from them (allowing them to cull their list of live email addresses a bit), but also a list of people likely to actually take steps to stop spammers.

    Think about that for a minute - The few spammers we have managed to put out of business have gotten nabbed by a few small groups of dedicated, annoyed, and technologically-saavy people. Taking action along the recommended lines would give the spammers a way to identify and steer clear of similar groups of people.

    While some of us may consider that a win ("they don't bother me anymore"), I think most of us realize that we need to do more to stop spam than unclog our own individual inboxes - We need to permanantly shut down all spammers in general. Or, put another way, my filters already block most of the spam I get (literally over 300/day now). That doesn't do a damn thing to help friends and relatives who don't understand how to maintain a good filter (like it or not, good spam filters require a fairly high level of understanding about the workings of email to properly tune - Not so much to simply block spam, but more importantly, to not block legit email).

    I like that people keep thinking about this problem, and eventually look forward to a good solution. This does not seem like "the" solution, though.
  • Andrew Leung at Telus has an excellent report on the economics of spam

    The link seemed to be slow, so here's mirror: Go ahead, slashdot it to your heart's content [herrvinny.com]
  • Spam is bad because it takes up time. It takes time away from users who have to filter their mailboxes and miss important emails or skim through the spam themselves. It takes time from sysadmins who have to deal with abuses of their services. Replying makes no sense. The time it takes to reply is far greater than the time it takes to click `delete.' But maybe this is just me talking. I'm careful, I use disposable e-mail addresses (spamgourmet.com), and I don't get spam. Who needs spamassasin and over-agress
  • by rsilvergun ( 571051 ) on Monday November 17, 2003 @08:29PM (#7498056)
    you could have spammer spamming software :). Imagine if every time your filters tagged a message as spam it could send an auto reply with a forged header (fake email address and stuff like that, assuming this doesn't get ruled illegal). Then the spammer would get a randomly generated email along the lines of:

    Yes, I am very interested in your product. Please send more information to my address at fictionalPerson@non-existantDomain.net.

    Now that would be funny.
  • One thing some people do with physical junk mail is to stuff as much advertising and other paraphernalia into the postage paid replied envelope as possible. This has the effect of increasing the costs to those that send junk mail, and encourages them to keep their lists as targeted as possible.

    The problem is that with spam we often have no address to send anything to, or the address we have is one that will do any good. It is like those 'work at home' signs on the road. We may think we are attacking th

  • I like the idea of sending stuff back to spammers and I don't mind sending it from an address that I've created for that purpose but, even better I'd like to get other spammer's information and submit that! Perhaps we could create a database of spammers information or create a newsgroup to exchange this information. This way, we could inconvenience them twice, once when they get the bogus reply and once when they are spammed by other spammers!
  • 3 Lawyers, 3 geeks (Score:5, Interesting)

    by RonBurk ( 543988 ) on Monday November 17, 2003 @08:41PM (#7498172) Homepage Journal

    A very significant percentage of spam meets two criteria: 1) it already breaks some existing state or federal law and 2) it ultimately desires someone to supply a US-based credit card (Visa or Mastercard).

    The problem with all our wonderful anti-spam laws is that they are not being enforced, and probably never will be, except erratically for 1 or 2 really, really bad repeat offenders. So, instead of using laws to take bad people to court, use laws to make law-abiding people quit aiding and abetting spammers.

    Thus, the weak underbelly of many spammers is that some minion of MC/VISA is letting them process cc transactions.

    Solution: the FTC should allocate 3 lawyers and 3 geeks, and (the easy part) demand the cooperation of MC/VISA. The 3 geeks maintain emailboxes in all 50 states and a batch of email addresses designed to gather spam. They essentially provide the 3 lawyers with "quality" spam, that meets the 2 criteria mentioned above.

    The 3 lawyers select spam that has broken a law, follow the spam-requested transaction to the point where it requires a cc transaction, and do it. At that point, there is a CC transaction involving a broken law. The lawyers provide MC/VISA with the information on what merchant processor handled the transaction and what laws were broken. MC/VISA shutdown that account, or simply dings them $20,000 for each offense.

    Note that, unlike the FTC, MC/VISA can penalize any customer they choose to without due process (and they have a record of doing so). They definitely do not want to participate in illegally advertised transaction if a spotlight is shown on it.

    The need to process credit cards is the weak link in much of the spam business, and it is very hard for them to work around an inability to obtain the services of a merchant credit card account. MC/VISA have tightened up the requirements for getting CC services in the past, and they can certainly do so again.

    MC/VISA might even elect to make the process more automated by issuing the lawyers some "special" credit cards. When they see a transaction for any "special" number come through, they immediately shutdown that processor. (But you better make sure those special numbers aren't as easy to steal as all other credit card numbers seem to be!)

    3 lawyers plus 3 geeks could make a bigger dent in spam than any collective effort to date has produced.

    • Brilliant (Score:4, Insightful)

      by Weaselmancer ( 533834 ) on Monday November 17, 2003 @09:51PM (#7498621)

      Absolutely the best post in this whole thread. Bravo.

      The need to process credit cards is the weak link in much of the spam business, and it is very hard for them to work around an inability to obtain the services of a merchant credit card account.

  • by joelparker ( 586428 ) <joel@school.net> on Monday November 17, 2003 @08:45PM (#7498212) Homepage
    Your approach of ordering the spam products
    causes major problems if someone forges.

    Example: a disgruntled employeee forges
    many emails about his company's products.
    When your anti-spam army calls for info,
    they overload the company's phone system.

    This is called a Joe Job, and is bad and wrong.
    Why? Imagine it done to a hospital phone line.

    Spam is a real problem. This is not the answer.
    If you want ideas, try this overview [netextend.com]

    Cheers, Joel

  • by Rogs ( 625889 ) on Monday November 17, 2003 @08:48PM (#7498234)
    The only effect this would have is to force spammers or their clients to incur extra costs to follow fake leads, but since you wouldn't decrease the size of the pool of people who respond sincerely, the effect would only be marginal. Your only hope would be to drive their costs up so much as to drive the spammer out of business entirely, but that would take a lot of coordination and resolve on the part of the responders. Remember, spammers keep making money while they're at it, whereas responders just get some measure of satisfaction, which is likely to wear off the more spam you respond to.

    Finally, your assertion that it would incentivate less spam from individual spammers is wrong, since the ratio of fake to real responses is the same for a large mailing list as it is for a smaller one. In other words, you have "constant returns to spam." The only way it would incentivate less spam is if you managed to drive some of the spammers out of business. More likely, it would lead to more spam, as spammers scramble to find more addresses to offset their lower "spam margin."

  • by Teppy ( 105859 ) * on Monday November 17, 2003 @09:12PM (#7498406) Homepage
    I just took the first 3 spam in my box, and 2 of them had 800 numbers - surprising. I called them and let them record for a while while I coded. One of them timed out after a few minutes and said "to replay this message, press 1". So I did that a few times also.
  • Money talks (Score:3, Funny)

    by whatch durrin ( 563265 ) on Monday November 17, 2003 @09:48PM (#7498608)
    Whatever the solution, it has to have monetary consequences for the spammer. A little hassle here and there just won't cut it.

    Case in point: for every credit card application I get via snail mail, I seal the return envelope (empty or with trash) and mail it back at their expense. The idea is the company loses money by having to pay for the reply postage and for the labor to open my bogus reply.

    But I've noticed lately that companies are designing it so you have to include the application form to mail the return envelope (the city/state are printed on the app, which is viewable through a window on the envelope). Apparently, credit card companies weren't taking enough of a hit to say "fuck it, these people don't want our mailings." Instead, they seemed to have paid some poor schmuck more money to come up with a way to outsmart the scheme many of us have been using.

    Doesn't matter, though. I'll tape the city/state info to the envelope if I have to. And soak the envelope in cat piss. Take that.

  • White Lists! (Score:3, Interesting)

    by msimm ( 580077 ) on Monday November 17, 2003 @10:08PM (#7498724) Homepage
    Jeez, all these post mentioning black lists make you almost want to believe its a good idea. White listing in combination is the way (eg Tagged Message Delivery Agent [tmda.net]):
    The technical countermeasures used by TMDA to thwart spam include:

    • whitelists: accept mail from known, trusted senders.
    • blacklists: refuse mail from undesired senders.
    • challenge/response: allows unknown senders which aren't on the whitelist or blacklist the chance to confirm that their message is legitimate (non-spam).
    • tagged addresses: special-purpose e-mail addresses such as time-dependent addresses, or addresses which only accept certain kinds of communication. These increase the transparency of TMDA for unknown senders by allowing them to safely circumvent the challenge/response system.

    This combination was chosen based on the following assumptions about the current state of spam on the Internet:

    1. You cannot keep your email address secret from spammers.

    2. Content-based filters can't distinguish spam from legitimate mail with sufficient accuracy.

    3. To maintain economies of scale, bulk-mailing is generally:
    * An impersonal process where the recipient is not distinguished.
    * A one-way communication channel (from spammer to victim).

    4. spam will not cease until it becomes prohibitively expensive for spammers to operate.
    I used bluebottle.com's [bluebottle.com] webmail service for quite a while with no more spam trouble, ever (until they got DDOSed into dropping the service).

    Spam holes are not the answer, but with friend list they sure look a lot saner (c'mon, everyone in .tw isn't going to spam you).
  • by MrChuck ( 14227 ) on Monday November 17, 2003 @10:37PM (#7498876)
    If the FBI took even a vague interest in this, they, along with the FDA and FTC should be HAMMERING on the spammers that are breaking the existing laws.

    No matter if it comes to you via brazil, argentina, russia, etc, 90% of spam is US sourced.

    A HUGE amount of spam is pushing products/schemes that involve fraud, fake drugs that the FDA does not allow, etc, etc.

    A HUGE amount of spam is sent by stealing services from legit users (using open relays, etc). Technically bad, not illegal to have. But the spammers take advantage and steal bandwidth.
    pre-sendmail 8.9 and when open relays were just becoming bad, a friend had an ISDN line kept open for several hundred dollars of connection time when he was away on vacation and his relay was found (connection would come up periodically to pull down mail). The police and FBI could not have been less interested in this event which cost real money to a real taxpayer.

    Were the FBI to go after Joe Schmo Spammer who kicks off 5000 messages to my company to an alphabet list of users from over 200 different relays, and charge him with breaking into his relays' computers and fraud (sorry, Herbal Viagra or Guaranteeed Stock Schemes and Pyramid Schemes are illegal), then perhaps spammers would have a cost associated - JAIL!

    Me? I have a fantasy that plays out thusly:
    The Judge:

    You are sentenced to 2 years in jail with brutus and 5 years probation, plus fines to the people you stole computer use from, or you may go on Fox's "Cane a spammer" TV show and be canes 20 times by 20 of the people who run the companies which you sent 1 million messages to. What do you decide?
  • by KjetilK ( 186133 ) <kjetil@kjernsm[ ]et ['o.n' in gap]> on Tuesday November 18, 2003 @05:33AM (#7500704) Homepage Journal
    Folks, does spam really work? Have you ever responded to spam? Really? I've responded to a few spams, and most of the time, it is really, really difficult to get in contact with them. In the very few cases where I have gotten through, guess what, the guy who actually was selling a product, he was scammed too. Some of them have actually sued the spammer afterwards.

    What is the source of the info that spam works? That's right, it's the spammers. Spammers tell you that spam works. Bzzzzt! Rule #1: Spammers lie!

    Who are the spammer's customers? No, not you who get the spam. The spammer's customers are those who order spam services. And there are enough idiots who buy spam services to make those 180 spammers very wealthy.

    Even though the spammer's customer get burnt once and stop, well, some of them are probably stupid enough to try several times anyway, there are enough of these morons to keep it going for a very long time.

    They're not making a single sale, not even 0.0001%, but that doesn't matter, because the spammer got his money, and that's why this continues.

    So, if you want to end spam, forget the spammers: Go after those who purchase spam services instead.

    Well, that's my theory. It may not hold up, but after all, this is /.! :-)

  • by Frodo420024 ( 557006 ) <henrik&fangorn,dk> on Tuesday November 18, 2003 @05:44AM (#7500726) Homepage Journal
    Scams are fun to hit back. I chose one at random (LuckyWin Lottery, in case anyone cares), and pretended to be in on it. When I requested info about the company (history, corporate URL etc - trivial stuff for any real company) before plunking down any money, the guy was quick to anger - he had almost seen my check in the mail already and felt cheated. Fat irony :)

    After playing the game a couple weeks, I reported his banking connection (a real person) to the London Met Police and his email info to his ISP (SIFY of India - *great* customer service!) and had his accounts terminated.That was a laugh and a breeze.

    If you look for the lifelines of 419 scammers, they have their email and their banking connection. Shutting down their email account fast makes their spamming futile. Shutting down their banking connection is harder, but very painful for them. Bottom line: MeThinks 419 scamming will stay benign, they're too easy to wipe out.

    Looking for the lifelines of the real spammers (the Viagra, Mortgage, Patches etc. stuff), there are three: Ability to send loads of email, ability to recieve responses (web site or phone number) and ability to receive money. Kill any one of these, and the situation is solved.

    The ability to send email is tricky to fix. We all want that email can be sent freely, preferably for free. Fixing/replacing SMTP to include authentication would be great! But we're still awaiting news from this front.

    Hitting their web sites could be done in several ways. Proper legislation could make it a felony to operate spam-advertised web sites, and they could be taken out. If spam filters included the ability to automatically spider the web sites referred in the mails, they would have to pay for loads of useless traffic to their sites - and their ISP's would look at disconnecting them. It's not a DoS attack per se, we're just making backup copies of potentially useful information :)

    And for hitting back on their payment options, there was an excellent suggestion earlier that the FTC take care of this. That looks very cool,. Much better than more laws that are not enforceable anyway :) So clearly an FTC issue if I ever saw one.

    Getting the spammers on any one of these three lifelines would be sufficient - getting them on all three would be very, very effective.

"Oh my! An `inflammatory attitude' in alt.flame? Never heard of such a thing..." -- Allen Gwinn, allen@sulaco.Sigma.COM