Martin Pool's blog

An earnest plea to web spammers

Hi,

If you would like to run ads for asian midget facial porn sites on sourcefrog, please just write and ask me. Advertisements can be hosted for very reasonable rates. Sending so many web spam attempts looks tacky and achieves nothing.

Yours, etc.

SpamAssassin turns 3.0

I'm happy to see that SpamAssassin has shipped v3.0. It includes a feature I have long desired: scoring based on the IPs of URLs included in the message: if I get anything containing http://asdhaslhdaskljhd.teenage-goat-sex.biz/ then I almost certainly don't want to see it.

SpamAssassin already made it hard for spammers to use keywords like "viagra"; now they shouldn't be able to point to sites about them either. "Tell me, what good is an open proxy when you are unable to speak?" [*]

Well done, guys.

(I am kind of sad that they removed the cute cartoon ninjas from the logo; they were about half the reason I originally installed it.)

Spammer's advice column: choosing an OS

69 N   Aug 24 Stacey Hopper ( 134) never use illegal Windows software

Great idea

Spamusement rocks

jmason pointed out Spamusement: truly a thing of beauty.

Subject: Where did you go?

Weird spam

Some people seem to have really weird and specific fetishes:

From: "Hostelries F. Misadventure" <ricketiest@nesd.net>
Subject: Average Teen Cumming movies
Date: Wed, 14 Jul 2004 21:38:41 -0400

Precisely average teens?

Spam of the Day du Jour

From nqqap@loggain.nu Mon Jul 12 20:14:29 2004
From: "Yesenia Brooks" <nqqap@loggain.nu>
Subject: chat with assholes on the internet!

Thanks, but no. I do that enough already.

SPF, MTAs and SRS

Linux Journal article about using SPF to prevent mail forgery.

Stupid amateurs

 177 O + Sun 30 May 04   6.1K Unleashes S. Morphem   Stupid Amateur Girl online now

Please just jail spammers

aj continues our discussion about email postage as a solution to spam/viruses, charging that “from someone whose Orkut profile lists him as a ‘libertarian’, [it] seems odd” to want criminal remedies for spam.

(I am not accurately "libertarian". I'd rather be small-l-liberal but translated into American "libertarian" was the closest match.)

I think it's entirely consistent for moderate libertarians to want the government to enforce laws against fraud, trespass, theft, etc.

People can get so wrapped up in the technical fight against spam, or so used to thinking of it as just a nuisance that they forget almost every message represents evidence of a felony.

Spam is fraud and theft of service on an industrial scale, activities which are already illegal. No new spam laws are required. At the very most, perhaps the illegality needs to be made more clear in the law, but I don't think that is needed.

A majority of spam messages are sent through consumer machines that have been compromised through Windows worms or similar means. Unauthorized access to a computer system is illegal in Australia and punishable by up to ten years in prison. I would like to see that law enforced.

(I'd like to see criminal negligence charges against people who knowingly allow their systems to be used in commission of fraud.)

Spam usually involves unauthorized access to a computer system on the sending end. It also involves unauthorized access on the receiving end: if unsolicited advertisements are specifically disallowed by the terms of service of a computer system, then posting them is also unauthorized insertion of data, and possibly a breach of the law.

A large volume of spam advertises products that are likely to be either illegal or fraudulent. In a random sample: bogus pharmaceuticals, child pornography, bogus home loans, unlicensed software, fraudulent invoices, 419 scams... Even if spam were sent legally, the majority of people sending it are involved in some other criminal enterprise.

There are reports that great volumes of spam are sent by organized crime gangs also involved in credit card fraud, illegal pornography, drug trafficking, theft, and so on. This single point I can't verify for myself, but it does seem like it ought to motivate police to investigate more energetically.

You have to go pretty far out on the scale of anarcho-libertarianism to say that there should not be laws against theft and fraud, or that those laws should not be enforced by publicly-funded police. Interesting late night thought-experiment though that may be, it is practically irrelevant.

If I only received spam that did not fake its sender, was not sent through compromised machines, was not advertising criminal or fraudulent products, did not contravene terms of use and did not breach any other laws then I would see far less need for government involvement. Oh happy thought!

I don't see the point in introducing a new email postage system. Existing laws are being flouted on an industrial scale by hundreds of perpetrators. Any new system will be abused too. If you cannot have at least a shade of a threat of sanctions against fraud and theft, it is hard for a free market to work.

I can imagine there are practical problems in enforcing these laws globally. But let us, at least, punish every spammer and con-artist in Australia and the USA. If that works, but we are still being attacked by criminals in China or Nigeria or Russia then let us handle that through some international process.

Stealing a car for use in a robbery is, and should be illegal. Stealing control of a computer for use in fraud and theft is illegal, but seems to be rarely prosecuted. Send a few spammers to prison for five years, a punishment they richly deserve, and the spam problem might start to go away. Failing that I would like to see more civil suits.

spam statistics; spam as steganographic cover

In a 24-hour period on samba.org, we received about 12751 messages, of which about 10950 were blocked by the system as either spam or viruses. So roughly 86% of incoming messages are trash. A bit more than half of them were blocked by blacklists such as Spamhaus and a third were rejected for containing malware signatures such as PE headers. Many of the remaining ones are bounced because they're going to invalid addresses, presumably coming either from dictionary attacks or spammers who collected random strings containing @. SpamAssassin deals with the remaining 528.

(SpamAssassin could probably pick out many more, but it's relatively expensive so we only run it on things that are not obviously bad.)

In fact, the fraction of spam is probably a bit higher because the system-wide filters are pretty conservative, and I am not counting messages filtered out by individual users. I think we're certainly over 90% spam/malware; possibly over 95%. It's a bit like John Birmingham's description of a sewer of pure shit coming straight into our living room.

On the other hand, it rather reminds me of Rivest's great Chaffing and Winnowing: Confidentiality without Encryption paper, and of the idea of steganography in general. Hiding messages is technically easy; the hard part is finding cover traffic. (In the standard example, the FBI wonders why Alice and Bob are posting each other so many pictures of puppies.) Spam is the perfect background noise to send invisible steganographic messages, as long as you can agree on a method for your eligible receiver to pick out the good bits.

Rivest writes

We could thus have the following intriguing scenario: Alice is communicating with Bob using a standard packet-based communication scheme. Each packet is authenticated with a MAC created using a secret authentication key known only to Alice and Bob. (In practice, they might use a different key for packets in each direction, although this is not necessary if the packet contents identify sender and receiver.) Furthermore, each packet happens to contain only a single "message bit." (Alice wrote their software, and it contained a bug that caused this unusual behavior.)

So far, Alice and Bob are not encrypting anything, and are using standard messaging techniques that would not be considered as encryption and that would not be export-controlled. Alice and Bob have no intention of achieving confidentiality of their messages from an eavesdropper.

Now, Alice's packets to Bob may be routed from her computer through the computer of her Internet service provider, run by Charles, on another floor of her building, before being sent on to more major trunks of the Internet and then on to Bob.

Charles' computer, for whatever reason, then adds "chaff" packets to the packet sequence from Alice to Bob. All of sudden, Charles' activities provide a very high degree of confidentiality for the communications between Alice and Bob! Alice's and Bob's software have not been modified in the least to achieve this confidentiality! Charles does not know the secret authentication key used between Alice and Bob! Alice and Bob did not even want or care to have confidential communications! Charles is not using encryption and does not know any encryption key! Amazing!

In this case, Charles is COL CHARLES MOGUBE of the LIBERIAN ARMY.
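Rivest's scenario as an added worked example (my code, not from the paper or from this blog): Alice authenticates one bit per packet with an HMAC, Charles interleaves chaff carrying the opposite bit and a random tag, and Bob winnows by recomputing the MAC. The (serial, bit, mac) packet layout and the 8-byte truncated tag are assumptions made here.

```python
"""Chaffing and winnowing in the shape Rivest describes: Alice emits one
authenticated bit per packet, Charles adds chaff with the other bit and a
random MAC, Bob keeps whatever verifies.  Added illustration, not Rivest's
code; the packet layout and MAC length are choices made here."""
import hashlib
import hmac
import secrets

MAC_LEN = 8  # bytes of HMAC-SHA256 kept per packet (an assumption, not from the paper)


def packet_mac(key: bytes, serial: int, bit: int) -> bytes:
    # The MAC covers serial and bit together, so chaff cannot reuse a real tag.
    return hmac.new(key, serial.to_bytes(4, "big") + bytes([bit]),
                    hashlib.sha256).digest()[:MAC_LEN]


def alice_send(key: bytes, message: bytes) -> list:
    """Alice's 'buggy' sender: one (serial, bit, mac) packet per message bit."""
    packets = []
    for serial, bit in enumerate(
            (byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)):
        packets.append((serial, bit, packet_mac(key, serial, bit)))
    return packets


def charles_chaff(packets: list) -> list:
    """Charles' ISP box: for every real packet add one with the opposite bit and
    a random tag, in random order.  Charles holds no key and encrypts nothing."""
    wire = []
    for serial, bit, tag in packets:
        pair = [(serial, bit, tag), (serial, bit ^ 1, secrets.token_bytes(MAC_LEN))]
        if secrets.randbits(1):
            pair.reverse()
        wire.extend(pair)
    return wire


def bob_winnow(key: bytes, wire: list) -> bytes:
    """Bob recomputes each MAC; chaff fails and is dropped, wheat is reassembled.
    Returns b'' when nothing verifies (wrong key, or an onlooker without one)."""
    bits = {}
    for serial, bit, tag in wire:
        if hmac.compare_digest(tag, packet_mac(key, serial, bit)):
            bits[serial] = bit
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(sum(bits[i + j] << (7 - j) for j in range(8)))
    return bytes(out)


def every_serial_ambiguous(wire: list) -> bool:
    """What an eavesdropper sees: both a 0 and a 1 for every serial number."""
    seen = {}
    for serial, bit, _ in wire:
        seen.setdefault(serial, set()).add(bit)
    return all(bits == {0, 1} for bits in seen.values())


if __name__ == "__main__":
    key = b"alice-bob-shared-authentication-key"
    wire = charles_chaff(alice_send(key, b"Hi"))
    print(len(wire), "packets on the wire; Bob reads", bob_winnow(key, wire))
```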

500,000 search engines

Name of company replaced.

I have visited sourcefrog.net and noticed that your website is not listed on some search engines. I am sure that through our service the number of people who visit your website will definitely increase. $MONKEYTURDS is a unique technology that instantly submits your website to over 500,000 search engines and directories -- a really low-cost and effective way to advertise your site. For more details please go to MONKEYTURDS.net.

Do you suppose there really are 5e5 search engines? Does it matter?

poor listproc

13 N   Apr 23 robertl@gmrs.de (  24) Listproc, Exotic sex is urgently necessary for you!

Poor listproc, never gets any sweet lovin.

More on pay-for-email; orkut categorizations

aj continues our discussion about email postage as a solution to spam/viruses, pointing out that “from someone whose Orkut profile lists him as a "libertarian", this seems odd”.

[digression] I don't see any category on Orkut I'm really happy with (so perhaps I should choose Other/None.) I'd rather be called a "liberal", perhaps, but that's not an option and anyhow the term has been degraded in different directions in both the US and Australia. Given that they had "Very Libertarian", I chose the weaker one as indicating just a leaning in that direction.

Spam is fraud and theft of service on an industrial scale, activities which are already illegal. I think it's completely consistent with moderate liberalism/libertarianism to want existing laws to be enforced either by the government or by civil suit. You have to go pretty far out on the scale of libertarianism to say that the government shouldn't take a role in preventing trespass, theft, fraud, etc.

blacklist forbidden URLs

A large majority of spam now contains a URL: either pointing to some kind of store where suckers can spend money, or carrying images or web bugs, or something else. A quick count shows the string "http" in over 90% of recent spam.

I'd like a spamassassin plugin that scans messages for URLs, resolves the URL, and then checks whether the URL is in a blacklisted IP space. As a start you could just check against the usual Spamhaus lists; eventually it might want to be turned

Tracking by source IP is not working so well anymore. It's too easy for spammers to send through a compromised Windows machine or open proxy. Websites, however, are a bit more established, possibly need to be on larger machines, and need to be pointed to by DNS. I suspect there are fewer of them and they move more slowly.

It's a shame SA is in Perl...

I guess Bill Stearns's blacklists come close to this, but I think listing IP blocks might be a little better than listing domains.

The most recent crap mentions http://railway.cosmic.demarcate.excretory.breast.d.bunny.deere.halfoffsalenow.biz/.

This IP is in the SBL. As of now, the Stearns blacklist blocks mail from that domain, but not mail mentioning that domain.

(Actually I think I would be pretty happy just not seeing any mail from .biz, or indeed anyone who has a bizness.)

Looking through spam missed by SpamAssassin, I see one case which would have failed, which is a supposed porn site on Geocities. It's dead now, and presumably was dead by the time I looked at the mail.

Another loophole is a goatse-style redirector: http://g.msn.com/0AD0000G/573055.1?http://128jyw.com/?rd=12&e=

That's really MSN's problem though.
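The URL-to-IP blacklist check proposed above, as an added example that is not from this blog, not a SpamAssassin plugin and not Spamhaus data: it pulls URLs out of a message (including one riding in a redirector's query string, the loophole just mentioned), resolves each host, and tests the address against blocked networks. The DNS table, the blocked ranges and the sample spam are all constructed here so it runs offline; a dead host resolves to nothing and is skipped, which is the Geocities failure case.

```python
"""URL-blacklist check: extract URLs, resolve hosts, test against blocked IP space.
Added example; the resolver, blocked networks and sample message are constructed."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)

# Constructed stand-in for the SBL, using RFC 5737 documentation ranges.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed stand-in for DNS.  A "*." key mimics the wildcard records spammers
# use so that any random-looking subdomain resolves to the same server.
FAKE_DNS = {
    "*.halfoffsalenow.example": "198.51.100.77",
    "redirector.example": "192.0.2.10",
    "shop.example": "203.0.113.5",
    "www.example.com": "192.0.2.1",
}


def extract_urls(text: str) -> list:
    """Every URL in the text, plus any URL hidden inside another URL's query
    string (the redirector loophole).  Order preserved, duplicates dropped."""
    found = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")
        found.append(url)
        nested = unquote(urlsplit(url).query)  # also catches %3A%2F%2F-encoded targets
        found.extend(u.rstrip(".,;") for u in URL_RE.findall(nested))
    return list(dict.fromkeys(found))


def resolve(host: str, dns: dict = FAKE_DNS):
    """Exact lookup first, then walk up the labels looking for a wildcard entry.
    None means the host is dead, which this kind of check cannot score."""
    if host in dns:
        return dns[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        hit = dns.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return None


def blacklisted_urls(text: str, dns: dict = FAKE_DNS, nets: list = BLOCKED_NETS) -> list:
    """(url, host, ip) for each URL whose host lands inside a blocked network."""
    hits = []
    for url in extract_urls(text):
        host = (urlsplit(url).hostname or "").lower()
        ip = resolve(host, dns)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            hits.append((url, host, ip))
    return hits


# Constructed sample in the style of the spam quoted above (example domains only).
SAMPLE_SPAM = """\
Half off sale now!! Visit http://railway.cosmic.demarcate.halfoffsalenow.example/ today.
Or go via http://redirector.example/0AD0000G/1?http://shop.example/?rd=12&e=
Unrelated: http://www.example.com/page.
"""

if __name__ == "__main__":
    for url, host, ip in blacklisted_urls(SAMPLE_SPAM):
        print(f"BLACKLISTED {ip:<15} {host} <- {url}")
```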

email fees and viruses

aj discusses the problems of pay-per-email transmission:

One objection to email fees is related to email viruses: if every email you send costs a cent, and you get a virus that sends out 20,000 emails you've just lost $200. That sucks. Fortunately, that's straightforwardly avoidable by limiting the amount of money your computer can access without your authorisation (by way of password, eg). If you limit the amount of money your computer has access to to $5, that's 500 emails you can send before you have to worry about recharging your account (more presuming you get sent some emails), and if you do get infected by a virus, you only lose $5, which is a nuisance, but not a big deal. Odds are you lose that much in time anyway. And even better, instead of sending out 20,000 emails, you've only sent out 500, reducing the problem globally.

I don't think this is a very good fix. Suppose that this plan was adopted and we had paid-for stamps on email. Suppose as well that, as at present, a lot of spam is sent through compromised end-user machines.

Presumably there would be some way for your email client to prompt you to buy some more stamps when you run low. Perhaps Outlook pops up a little dialog prompting for your credit card. That alone greatly increases the risk that people become accustomed to typing in their credit card number whenever their MUA asks, and some users will store the number in the MUA's memory.

An analog for this already exists in trojan dialler programs, where a compromised machine calls a premium-rate 1-900 or 0055 number to generate a large phone bill, some fraction of which gets back to the scammer. It seems like the law or policy here is that because the user's system really did dial the number, the user is liable for the call. Presumably the same would happen for spam.

In particular, it would be easy for a trojaned machine to ask the user to buy more stamps, but to actually buy $500 rather than $5, and to use the rest for sending spam.

We are no longer in the c1998 situation of lazy ISPs hosting spammers. Instead, most spam (cite?) is sent from compromised machines. An adequate defence these days needs to cope with a horde of compromised zombies. I don't think payment systems do that.

Organized crime is attracted by the combination of money and weak systems. Adding more money to the email system will probably make the problem worse.

On the one hand, the risk on losing $500 might make people more likely to worry about computer security. On the other hand, it is a powerful disincentive to even think about installing an email client that can make payments.

If you're in an organisation, and you don't want your 1000 staff members all losing $5 at once to a virus, you can set up your mail server to require manual authorisation if anyone tries sending more than a couple of emails every few minutes. That's possible now, of course, but there's no reason to do it: it doesn't stop the organisation from getting infected by the virus, since it already is, and it doesn't much matter that other people get infected.

Another way to produce that backpressure would be to sue or prosecute someone for negligently continuing to transmit viruses. I think it is fairly clearly negligent to send mail; it might even be covered by existing computer crime legislation.

Maybe a good way of looking at this is thus: email postage is free to you as long as the number of emails you send is less than the number of spams you receive.

So we only need to worry about high-volume senders. Most people won't need to send more than say 100-200 emails per day, and it would be a good start to cap dial-up/DSL users to that. Perhaps organizations which do need to send in large volumes should pay a bond to some kind of underwriter.

Bizarre spammer tricks

An apparently real yacht advertisement, with porn links. I wonder what degree of overlap there is between luxury motor yacht buyers and horse sex fanatics? You might think they'd have more luck here.

Referrer spam

Somebody is sending fake referrer fields:

66.98.224.39 - - [02/Feb/2004:10:19:45 +1100] "GET /weblog/random/blogs HTTP/1.1" 200 37480 "http://www.pornwizzard.com/review_34950.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 1 sourcefrog.net
66.98.224.39 - - [02/Feb/2004:10:19:47 +1100] "GET /weblog/random/blogs HTTP/1.1" 200 37480 "http://www.pornwizzard.com/review_34950.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 1 sourcefrog.net
66.98.224.39 - - [02/Feb/2004:10:20:01 +1100] "GET /weblog/random HTTP/1.1" 200 46174 "http://www.pornwizzard.com/review_34950.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 1 sourcefrog.net
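Spotting this pattern in a log, as an added example that is not from this blog: the heuristic (mine) is that one client presenting the same external referrer for several different pages within a short window is fabricating it, since a real visitor arrives once from the external page and then carries our own host as referrer. The log lines are constructed in the same format as those above, using example domains and documentation IP ranges.

```python
"""Referrer-spam detection over Apache combined-format log lines.
Added example; the heuristic and the sample log are constructed here."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample: three hits from one client all claiming the same external
# referrer for different pages, then one genuine visitor who arrives from an
# external page and continues with our own host as referrer.
SAMPLE_LOG = """\
192.0.2.39 - - [02/Feb/2004:10:19:45 +1100] "GET /weblog/random/blogs HTTP/1.1" 200 37480 "http://www.spamreviews.example/review_34950.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 1 sourcefrog.net
192.0.2.39 - - [02/Feb/2004:10:19:47 +1100] "GET /weblog/random/blogs HTTP/1.1" 200 37480 "http://www.spamreviews.example/review_34950.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 1 sourcefrog.net
192.0.2.39 - - [02/Feb/2004:10:20:01 +1100] "GET /weblog/random HTTP/1.1" 200 46174 "http://www.spamreviews.example/review_34950.html" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" 1 sourcefrog.net
198.51.100.7 - - [02/Feb/2004:11:02:10 +1100] "GET /weblog/ HTTP/1.1" 200 12000 "http://www.example.org/links.html" "Mozilla/5.0" 1 sourcefrog.net
198.51.100.7 - - [02/Feb/2004:11:02:31 +1100] "GET /weblog/random HTTP/1.1" 200 46174 "http://sourcefrog.net/weblog/" "Mozilla/5.0" 1 sourcefrog.net
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ref_host"] = urlsplit(rec["ref"]).hostname or ""
    return rec


def suspicious_referrers(log_text: str, own_host: str = "sourcefrog.net",
                         min_hits: int = 2, window_s: int = 120) -> dict:
    """Map (client ip, referrer) -> sorted distinct paths for every external
    referrer a single client presented for two or more different pages within
    window_s seconds.  Internal referrers and blank ones are ignored."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ref_host"] or rec["ref_host"].endswith(own_host):
            continue
        by_pair[(rec["ip"], rec["ref"])].append(rec)
    flagged = {}
    for (ip, ref), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        paths = {r["path"] for r in recs}
        if len(recs) >= min_hits and len(paths) >= 2 and span <= window_s:
            flagged[(ip, ref)] = sorted(paths)
    return flagged


if __name__ == "__main__":
    for (ip, ref), paths in suspicious_referrers(SAMPLE_LOG).items():
        print(f"{ip} faked referrer {ref} on {', '.join(paths)}")
```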

The short story on Spews

Spews is a blacklist of IPs that can be used to filter spam. Most spam filtering solutions abide by the principle of "first, do no harm", but Spews does not.

In fact, just the opposite: the Spews administrators consider it a positive good to block as much non-spam email as possible from customers of ISPs that the anonymous Spews maintainers dislike. Essentially it is a boycott of ISPs that Spews consider to be soft on spam. The definition of who will be listed is pretty vague and elastic, and sometimes sites are added in error. I support their right to publish their opinion, even though I think it's silly.

So the short story on Spews is this: if you want to block legitimate email so as to participate in a boycott, use Spews. If you want to discard mail addressed to you from friends, family and colleagues, use Spews. If you don't, don't.

More on this from LaneChange.net.

Best description of Spews ever

From Slashdot:

SPEWS only gives advice, which anyone who runs a router is free to use or not use as they see fit.

If you think they list too many netblocks, try using another list, or no list at all.

Bullshit.

This argument only works if you're 10 years old, and start kicking, and blame anyone who walks into your foot for it.

Snopes on darkprofits

The ever-reliable Snopes urban legends site reports on darkprofits. This seems to be one of a stream of joe-job attacks on them. The site seems to be down now, perhaps as a result. A page that used to be on darkprofits says:

Please note that we do not send Spam of any kind. The Spam you received is from a disgruntled banned member of our forum. We thank our host for seeing that the claims of content are ludicrous and this is what is known as a "joe job".

We apologize for the Spammer's actions and if you are here looking for what is contained in the Spam you will be disappointed. We do not have any porn for you perverts. We also do not have any nuclear weapons or pounds of drugs for you junkies. We are also fresh out of gay slaves, hookers and the like.

Please check the headers of your Spam and complain to the true senders account.

More on darkprofits

More information on darkprofits from aota.

darkprofits.com credit card scam

Spam to a mailing list today, trapped by spamassassin:

I wonder what kind of sucker rate they get?

The real problem with C-R systems

Karsten has a pretty good page about the problems of CR systems, but I don't think he pays quite enough attention to the problems of using From addresses as an authenticator.

At the moment there is a certain amount of spoofing of From addresses. This can be done as a social-engineering attack, such as when sending a virus from security@microsoft.com. Or it can be done as a “Joe Job” to incidentally annoy or harm somebody the spammer dislikes. But neither of these is a really strong motivation.

However, if many people started filtering by From address either through TMDA or some other mechanism then you can bet that spammers would start forging them.

As other people have pointed out, to fix spam you need to address the economic problem: spam is cheap to send. Making spam expensive to send by e.g. requiring hashcash will penalize desirable communication such as mailing lists.

A good way to make it expensive is to impose hefty criminal sanctions. It is theft of service and it is unauthorized access to a computer system. In some cases it is merely akin to these existing crimes, but in the more common case where spammers actually break into a zombie machine to send spam it is very clearly illegal. We just need enforcement, and perhaps for the law to be made more clear.

Something on the order of $1000 for a small offense and three years in prison for a repeated offender ought to provide an appropriate deterrent. Some would-be spammers might baulk at the idea of being on the other end of M0NSTER C0CK!!11

In the case of heroin, criminalizing supply has increased the price, but demand still remains high. However, I suspect that people hawking penis-enlargement devices are less addicted to spam than others are to heroin. Hopefully, increasing the cost would reduce the overall volume.

On the other hand, making it more clearly criminal might attract a more desperate element. There are already reports of organized crime gangs being involved in say credit-card theft. Increasing the profit margins might encourage them to move into spamming, which might make the whole thing rather more nasty than it currently is.

TMDA Loses

From Kuro5hin:

If TMDA sends any "challenge" messages at all, it has completely failed. It is no good and must be removed. It's a kick in the fucking teeth to anyone who receives one. How would you like it if every single website you visited, no matter what page it was, just to view a page (not sign up for an account, but to provide the basic transaction of HTTP -- delivery of pages, like delivery of email is the basic transaction of SMTP), asked you to fill in a challenge/response to prove you weren't an address harvesting robot?

Even if you don't believe that "every" person would use TMDA, you should at least see what happens to websites that demand hoop-jumping, like the New York Times -- people are openly willing to post to message boards asking for copyright-breaking reposts, direct links and login details rather than jump through any hoops just to see the article. No sane human likes jumping through hoops, and should DETEST jumping through hoops to benefit someone else rather than themselves.

You might think "I'm worth it", and people who want to mail you should jump through a hoop. Well, you're not. I am worth it, however. If you want any technical support for my software, you will NOT use TMDA or any other such system. If I discover you have used it (by getting a challenge), you go on my shitlist and never, ever receive my support again.

I love your "if configured correctly" dreaming. Here's a fucking good idea: if all mail servers in the world were "configured correctly", none of them would be open relays! The amount of spam in the world would drop dramatically, as spammers would have to use their own mail servers to mail out every single spam, as opposed to raping thousands of broken, badly configured open relays. Here's another idea. If nobody replied to SPAM (remember, we're in a fantasy world where pink unicorns roam the land and all anti-spam systems are configured correctly and I never get bounce or challenge messages for replying to people), spammers would give up! Hey! This fantasy, make-believe world is pretty good!

New Depths in Tasteless Spam

From: The American Resolve <sales@theamericanresolve.com>
Subject: The American Resolve Prayer and Tribute Poster
Date: Fri, 1 Aug 2003 08:58:17 -0700
X-Spam-Status: No, hits=2.9 required=4.0
        tests=BAYES_60,HTML_80_90,INVALID_MSGID,MIME_HTML_ONLY,
              PRIORITY_NO_NAME
        version=2.55

The American Resolve Logo

A Tribute for Posterity

"The American Resolve" prayer and image is intended to render a tribute to the victims of 9/11 and to exalt the spirit of America.

This September and always, let us display "The American Resolve" at every household, every government precinct, every corporate premise, every learning center and every public and private environment.

Please log on to www.theamericanresolve.com to own and treasure this magnificent, commemorative memento and help us help do a lot of good to the children victims and starving children wherever they are.

More on remove.org

(previous message on this topic)

I'm not the only person who has come to the conclusion that remove.org seem to be spammers.

A usenet search finds additional evidence.

The whole point of remove.org (a global opt-out list that people pay to join) is a bit implausible and at odds with every other antispam organization. How is somebody who paid up meant to know if remove.org actually did anything with the money?

Other patterns on the web make them look more like a sleazy referral-marketing scam than a genuine anti-spam organization, such as duplicated pages on MLM directories.

spam from remove.org

remove.org, who claim to be an anti-spam organization, just sent this spam to an address that was certainly not obtained legitimately. (I can guarantee that our mailer-daemon did not sign up for their messages!)

What do you suppose are the chances that anyone who signs up for their supposed opt-out list will have their address sold to spammers? For 50c I'd set up a dummy address and try it.

If I were an American I'd be pretty pissed off at having my national icons spread across the banner of such a sleazy enterprise.

From: Danielle Cushman 
Subject: FWD: concerned parent
Date: Tue, 22 Jul 2003 18:42:45 -0500
To: mailman(a)lists.samba.org

This is worth checking out... please pass it on.

----- Original Message -----
From: Danielle Cushman
To: Sharron Kelly
Cc: Karla Anderson; Megan_Jim_Davis@hotmail.com; EdWaldon@lycos.com; Andrea Manning; Bill Barnes; Mark and Karen Whyte-Iowa; danrogers3@alaska.net; alex.urban@gci.net; stephens_03@attbi.net; Laura Clark-Glacial
Sent: Tuesday, July 22, 2003 10:20 AM
Subject: concerned parent

There is a large problem facing our nation that we all need to work together to fix. My children have received pornographic emails and I want it to stop. I found this site, www.remove.org that stops Spam and pornographic material in emails. We need to make sure that everyone knows there is a way to stop these emails.

Please forward this to everyone you know so that we can stop this huge problem for good.

Thanks

-----------------------------------------------------------------------
> To have your email address added to the national opt-out directory
> please click on the following link: http://www.remove.org.
-----------------------------------------------------------------------

Notice: We honor our recipient's choice to receive information about our available products and services. To unsubscribe click here
