There was a grain of seriousness to my second option for dealing with spammers. We can’t actually shoot spammers – however pleasant that might be – but we can expose them. The Blogosphere is a huge intelligence collection and dissemination service. There are agents (bloggers) everywhere. There are highly proficient engineers and scientists amongst us. How long could the whereabouts of a spammer remain secret with the the entire Blogosphere out to get them?
With personal contact details in hand there are simple, legal means of retaliation. We could make their life hell and do so without violating the libertarian ethos.
Small expressions of annoyance have little import if taken singly… but what happens when 10,000 people ring the spammer at home and say: “Please stop”? Or 10 people a day ring the doorbell and say the same? Or 100,000 each send one email to the home email address of the spammer? Or 1,000,000 bring a class action suit against the spammer for one pound each plus court costs?
It is not as if this hasn’t happened before. James Taranto (Opinion Journal) recently published the phone numbers of people and organizations involved in telephone soliciting. He caused them no end of grief. Six years ago the fax phone number for the London Metropolitan Police was published after they threatened a brutal and heavy handed censorship of internet news groups. They ran out of fax paper rather quickly and more importantly, ISP’s were neither raided nor shut down. (I will admit to a personal interest in the event as I was the Tech Director of the first ISP in Northern Ireland at the time).
Don’t get me wrong. I am not claiming this would wipe out spam. It raises the cost of doing business. That is enough because it means less spam.
*tantrum*
But WHY can’t we shoot them?
*/tantrum*
It’s a good idea though. Half an hour ago spammers hit Tim Blair’s blog.
“We could make their life hell and do so without violating the libertarian ethos.”
I don’t think punishing trespassers by any means available is anti-libertarian. My computer and my email address are my private property and if people want to force their way on uninvited, they have to take the consequences. (Personally, I favour the Glock option, but it would involve too much travel time.)
My own ISP tells me to report spam immediately on receipt because spammers have to stick with one email address long enough to get the hoped for replies from the dunces. They usually change addresses after one week. If they’re reported immediately, they can get caught and banned.
I wrote to a Hungarian (it may have been Czechoslovakian – anyway, a lot of cz combinations – Mark could tell us) ISP after getting a spam one morning and they wrote back late that afternoon saying thanks and the sender had been identified and banned. That was pretty nifty. It’s not always that fast, but it does work.
I know Samizdatas are more internet savvy than I am, but just in case there’s anyone out there as unknowing as me, all you have to do is write to abuse@[insert name of provider] and include the headers. I usually include the message as well, in case they can spot a pattern or they’re looking out for key words in cooperation with other ISPs.
Good idea, but I still want to see more spammers ending up in Federal pound-me-in-the-ass prison, where they belong. Or their home countries’ equivalents thereof.
That’s fine until an error propagates the wrong phone number or address…
Just as with government persecution, so with freelance persecution. The guilty will be prepared: only the innocent have anything to fear
I’ve just installed Jay Allen’s MT plug in which works against MT blog spammers.
Hopefully all goes well.
Like Mr. Amon, I’m puzzled by the way spammers seem able to get away with their disgusting activities. After all, they are all selling something, so it hardly takes a Sherlock Holmes to find out the address from which they are doing it. Armed with that information, any means of retaliation one would like to contemplate becomes possible.
I’m reasonably confident in my forensic abilities to read a header, but recent years have seen the increasing use of relays based in countries where it is a complete waste of time complaining to the ISP involved. Similarly, I’ve found software like Mailwasher absolutely useless – presumably for just that reason: the obtainable dotted quad is no use as an address for bouncing.
If governments are useless (which presumably comes as no surprise to most on Samizdata), surely it is time for the geeks to inherit the earth and take matters into their own hands?
Verity – you need to make sure the spammer isn’t spoofing their email address. Some don’t want replies sent to the email they send from – instead requiring people to click a link. The addresses these messages are sent from are usually not their own, as SMTP (the main mail sending protocol) merely asks you for a correct-syntax email address and doesn’t normally check for a legitimate email address, or legitimate user.
Thus it’s quite easy to send an email which at first glance appears to be from, I dunno, billgates@hotmail.com when really it isn’t. Spammers sometimes use a random “from” address which is in their datatbase of emails to send spam to – I’d hate to be reported to my ISP for something I didn’t do and I get enough people emailling me telling me to stop spamming them after a spammer uses my address…
How do you differentiate spam from a “mailshot to interested parties”?
For example, if I were a Boy Scout leader (or anything else with a similarly well distributed organisation) and wanted to send a notice to as many other people involved with the Scouts as possible (without waiting x months for the next centrally produced snail-mail newsletter to come out), why should I not set up a web-spider system to get as many Scouting email addresses as possible (particularly if I made a concerted attempt to weed out irrelevant addresses)?
Surely this is different to impersonal bulk industrial-scale spamming of adverts for products or websites that the majority of the recipients are likely to find annoying or repulsive?
The obvious difference is whether it is probable that a large proportion of the recipients will find the message interesting, relevant and useful, also whether any money is liable to change hands as a result of the message.
But however interesting, relevant and useful 99% of the recipients may find the message, every organisation (or section of society) is bound to have a 1% of awkward squad that will cause the sender no end of grief if they possibly can.
I suppose you could email “abuse@YourISP.com” with a copy of your proposed mailshot and evidence of address targetting and see if they are prepared to accept it (personally I can’t see any ISP endorsing anything like that).
Perhaps the ISP could limit you to some small number of addresses (eg 1000) instead of the millions that the industrial spammers send out to.
David-
“Verity – you need to make sure the spammer isn’t spoofing their email address. Some don’t want replies sent to the email they send from – instead requiring people to click a link. The addresses these messages are sent from are usually not their own, as SMTP (the main mail sending protocol) merely asks you for a correct-syntax email address and doesn’t normally check for a legitimate email address, or legitimate user.”
This actually happened to my girlfriend last night – she got bounced messages back from some ISP that were spam sent out with her spoofed address. Spammers have become very sophisticated (and very criminal) in their techniques which is one reason why I think this is a problem for law enforcement (oh, the heresy) – it’s beyond the capacity for individuals without massive amounts of time and resources and skills on their hands to deal with. The other reason is that given the mass fraud, electronic breaking and entering and identity theft that are routine aspects of spammers’ operations these days, they are far beyond being mere net.annoyances. They are criminals (often big time criminals) and properly belong in jail.
Guy Herbert writes:
“Like Mr. Amon, I’m puzzled by the way spammers seem able to get away with their disgusting activities. After all, they are all selling something, so it hardly takes a Sherlock Holmes to find out the address from which they are doing it. Armed with that information, any means of retaliation one would like to contemplate becomes possible.”
But what if the spammer isn’t motivated by the profit principle?
What if the spammer is one of those ‘people who knock at the door’ types who can now knock at a few million virtual doors at once instead of traipsing from one to the next?
What if the spammer is one of those born-again types? Like JESUS LOVES YOU! THE WAGES OF SIN IS DEATH MY DEAR LIBERTARIAN BROTHERS AND SISTERS! GRANT US ETERNAL LIFE!! CHRIST JESUS IS OUR LORD!! THE TRUTH SHALL SET YOU FREE!!!
Wait until that lot learn how to mailshot the blogging community ….
Perhaps they already have.
Charles appears worried about religious nutter spamming.
What about the spamming risk posed by some of those racist trolls who occasionally infest Samizdata?
I propose that we declare say Nov 2 as ‘answer spam’ day. On this day everyone from the Blogsphere will click through to the websites provided by spammers and fill out their order forms using invalid information.
This means that spammers have to troll through millions (?) of invalid orders.
Spam only works because a few idiots reply and everyone else just deletes the spam. If everyone replied then the cost of doing business would be enormous.
A pleasing thought, James, but those b*st*rds always want a valid credit card number or such- ya just can’t make bogus orders… although it would be sweet (alas, illegal) to obtain the personal credit cards of spammers, and make orders from other spammers. Set ’em all to biting each other’s tails.
Charles Copeland writes:
‘Guy Herbert writes:
“Like Mr. Amon, I’m puzzled by the way spammers seem able to get away with their disgusting activities.[…]”‘
No I didn’t, Chuck, that was G.Cooper–who is a distinct person or persons. I’m not puzzled by spammers. The people who feed them by responding puzzle me.
Sorry Guy … but after a hard day’s work building tomorrow’s Europe we can all make mistakes.
James Dudek writes:
“Spam only works because a few idiots reply and everyone else just deletes the spam. If everyone replied then the cost of doing business would be enormous.”
But — as I asked before — what about the religious nutters?
JAMES THE END IS NIGH! ANSWER MY QUESTION SOMEBODY OR THE LORD WILL STRIKE YE DOWN! WHAT ABOUT THE CHILDREN OF GOD WHO SEEK TO SAVE YE FROM DAMNATION?
O GENERATION OF VIPERS! YE WHITENED SEPULCHRES!!!
FOR WE SEEK NOT TO GAIN THE WHOLE WORLD, LIKE THE PORN BARONS, BUT TO SAVE YE FROM SIN !!!
Just as long, Charles, as the Europe you create is in every respect perfect, then I’m sure everyone here will forgive you the odd spare-time slip.
Spotting long passages in caps can’t be beyond the wit of machines these days… such a filter would also get rid of at least 95% of the generous offers I get to share vast riches with the heirs of third world dictators who can’t spell their uncle’s name.
Charles Copeland writes:
“But what if the spammer isn’t motivated by the profit principle?”
No doubt, when that becomes a problem, we will have to find a solution. And I shouldn’t be surprised if the religious cranks do eventually get round to it. They have certainly made their marks on various Usenet groups over the years.
However, in the meantime, I don’t see why the probability of a different problem emerging at some later date, militates against finding a solution for today’s difficulties.
I just had to take my blog offline, as the box hosting it had been hacked by spammers and was being used as a relay.
Shooting would be too kind.
Where is the profit in this kind of advertising anyways? Do people looking to comment on a blog post about gun control suddenly decide to buy some porn? It seems to me that if you want porn you’ll go looking for it. It’s not an impulse buy, like gum at the grocery store checkout.
These sites require a credit card signup too. Why in the world would you give your credit card number to a porn spammer operating out of Russia?
I’ve got to ask. Who is buying that garbage in the junk eMail? (I don’t call it Spam so I don’t defame the fine products of the Hormel Meat Company.)
Even if 1 out of 500000 person buys something, that’s too many. We must also punish people who encourage it. Perhaps they should be made to stand behind the junk mailer when they get shot.
From Bruce Schneier’s “Cryptogram” newsletter earlier this year:
In December 2002, the notorious “spam king” Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.
Ironic, definitely. But more interesting is the related paper by security researchers Simon Byers, Avi Rubin and Dave Kormann, who have demonstrated how to automate this attack.
If you type the following search string into Google — “request catalog name address city state zip” — you’ll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you’re a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone’s information on all 250,000 forms. You’ll have to do some parsing of the forms, but it’s not too difficult. (There are actually a few more problems to solve. For example, the search engines normally don’t return more than 1,000 actual hits per query.) When you’re done, voila! It’s Slashdot’s attack, fully automated and dutifully executed by the U.S. Postal Service.
If this were just a nasty way to harass people you don’t like, it wouldn’t be worth writing about. What’s interesting about this attack is that it exploits the boundary between cyberspace and the real world. The reason spamming normally doesn’t work with physical mail is that sending a piece of mail costs money, and it’s just too expensive to bury someone’s house in mail. Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it’s physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the Post Office and catalog mailings. All the pieces are required for the attack to work.
And there’s no easy defense. Companies want to make it easy for someone to request a catalog. If the attacker used an anonymous connection to launch his attack — one of the zillions of open wireless networks would be a good choice — I don’t see how he would ever get caught. Even worse, it could take years for the victim to get his name off all of the mailing lists — if he ever could.
Individual catalog companies can protect themselves by adding a human test to their sign-up form. The idea is to add a step that a person can easily do, but a machine can’t. The most common technique is to produce a text image that OCR technology can’t understand but the human eye can, and to require that the text be typed into the form. These have been popping up on Web sites to prevent automatic registration; I’ve seen them on Yahoo and PayPal, for example.
If everyone used this sort of thing, the attack wouldn’t work. But the economics of the situation means that this won’t happen. The attack works in aggregate; each individual catalog mailer only participates to a small degree. There would have to be a lot of fraud for it to be worth the money for a single catalog mailer to install the countermeasure. (Making it illegal to send a catalog to someone who didn’t request it could change the economics.)
Attacks like this abound. They arise when an old physical process is moved onto the Internet, and is then automated in some unanticipated way. They’re emergent properties of the systems. And they’re going to become more prevalent in the years ahead.
I think software has come some way in counteracting spam. I have a program called popfile (http://popfile.sourceforge.net) which uses a filter to filter out most spam I get – and since I have a honeypot email address to train it which gets over 200 spam emails a day, and only one or two spams slip through the net, it has proved quite effective.
Of course, you still need to download the email – but hell bandwidth is cheap if you have broadband.