Elliott Sound Products - Death to all Spammers
Copyright © 2003 - Rod Elliott (ESP)
Page Updated 21 Oct 2003
... That doesn't have much spam in it (With apologies to the Monty Python Team :-) Ok, now I have had enough! More than enough - I have had a gutful! Much as it may come as a surprise to those useless turds who abuse the Internet, I do not ...
We should never purchase anything from spammers, nor visit websites that use spam advertising. If everyone did just that - made no purchases from spam adverts, and never visited a website that used spam advertising, spam would stop! Just like that! No-one would ever dare use spam to advertise if it instantly meant that every recipient was a "customer never to be".
Some claim that spam is killing the Internet. This is not some far flung theory, this is the consensus of many experts in the field, and an opinion that has many of the indications of truth. The spammers are infesting the Net with Gigabytes of useless, unwanted, and unsolicited garbage every day, and with each passing day it gets worse and worse (a 78% increase in 2003 over 2002, by one count).
The time has come for governments worldwide to crack down hard on these selfish bastards. Personally, I recommend the death penalty for the first offence, and more severe punishment for repeat offenders. Some may disagree, but I don't think that my suggested penalties are unreasonable. Actually, they may even be benevolent! (Hmmm, after much deliberation I have come to the conclusion that the aforementioned penalties are benevolent.)
Junk mail in my letter box is also a pain, but it is easy to see what should go straight into the recycle bin, and what should be kept. Not so easy with spam mail though, since there is only a title and a sender (both of which are generally bogus).
While this is covered briefly below, it has become sufficiently worrying to see the amount of criminal spam that now circulates. There is much consternation in many circles that organised crime syndicates are paying virus (and other 'malware') authors for a specific number of infected machines. They may request (say) 1,000 machines with a specific piece of malevolent code that is purpose designed, and these are duly supplied.
The most common usage for such programs is to either do a controlled launch of spam directing people to phishing sites, or to capture the unsuspecting user's details over a period of time to facilitate identity theft. This is the fastest growing type of crime currently in existence, and the payoff to the criminals can be very substantial. In addition, it can be almost impossible to track down the identity thief - the unsuspecting (but I must add dumb!) user can be left with debts of thousands, as well as become the recipient of rather unwelcome attention from law enforcement officials because of crimes committed in their name.
It is vitally important that anti-virus software should be installed on every computer that has network access, but all too often users think that they will be safe if they have a dial-up account that is only used for perhaps ½ hour each day. Wrong! According to recent information from ZDNet and other sources, a machine only needs to be on-line for about 15 minutes before it will be probed by someone looking for an open port that they can use to gain access. Once access is obtained, it could be too late - depending on the particular trojan or virus that might be installed, it may easily fool any subsequently installed anti-virus or firewall program.
If you find this alarming, then so you should. It is alarming ... in fact, it is terrifying. Every machine with network access should have the following software installed at the very least ...
The last point is very important. Micro$oft in its 'wisdom' by default does not display the extensions, so if you see an e-mail attachment called (for example) photos.exe then all you will see is photos and may be tempted to open the attachment to look. Bingo! Your machine is now running the virus, trojan horse or whatever form of malware was in the attachment. By disabling the hidden extensions, you can see that the extension is 'exe' (meaning an executable file). Other dangerous file extensions include 'bat', 'com' (a most unfortunate duplication of the common URL terminator of 'dot com'), 'scr' (screen saver - allegedly), but be aware that there are many other possibilities (e.g. dll, ocx, msc - and probably quite a few others).
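As an added illustration of the hidden-extension problem (this is example code written for this page, not a program from the original page), the following Python checks attachment names the way a careful mail filter or a careful user would: it reports what Windows would display with extensions hidden, what the real extension is, and whether the file would run if opened. The extension set is an assumption: it contains the ones named above (exe, bat, com, scr, dll, ocx, msc) plus a few other common ones, and is deliberately not claimed to be complete.

```python
"""Attachment-name check for the 'hidden extensions' problem.
Added example, not code from the original page. The extension set is
illustrative (the ones the text names plus a few more), not complete."""

# Extensions that Windows treats as code when the file is opened.
# The first seven are named in the text; the rest are assumptions added here.
EXECUTABLE_EXTENSIONS = {
    "exe", "bat", "com", "scr", "dll", "ocx", "msc",
    "cmd", "pif", "vbs", "js", "wsf", "hta", "cpl",
}


def classify_attachment(filename: str) -> dict:
    """Describe how an attachment name appears with extensions hidden and
    whether opening it would run code.

    Explorer's 'Hide extensions for known file types' drops only the final
    extension, so 'photos.jpg.exe' is shown as 'photos.jpg'.
    """
    name = filename.strip().rstrip(".")
    stem, dot, ext = name.rpartition(".")
    real_ext = ext.lower() if dot else ""
    executable = real_ext in EXECUTABLE_EXTENSIONS
    return {
        "filename": filename,
        "shown_as": stem if dot else name,
        "real_extension": real_ext,
        "executable": executable,
        # A second, innocent-looking extension in front of the real one is the
        # classic disguise: photos.jpg.exe looks like a picture once hidden.
        "double_extension": executable and "." in stem,
    }


def flag_attachments(filenames):
    """Return the names that would execute if opened, worst disguises first."""
    flagged = [classify_attachment(n) for n in filenames]
    flagged = [f for f in flagged if f["executable"]]
    flagged.sort(key=lambda f: (not f["double_extension"], f["filename"]))
    return [f["filename"] for f in flagged]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real message.
    sample = ["photos.exe", "invoice.pdf", "holiday.jpg.scr", "notes.txt", "setup.bat "]
    for name in sample:
        info = classify_attachment(name)
        print(f"{name!r:20} shown as {info['shown_as']!r:16} "
              f"executable={info['executable']} double={info['double_extension']}")
    print("flagged:", flag_attachments(sample))
```

The `shown_as` value is the point: `photos.exe` becomes `photos`, and `holiday.jpg.scr` becomes `holiday.jpg`, which is exactly what tempts a user to open it. Turning hidden extensions off makes the real extension visible; a filter using `flag_attachments` can quarantine such names before the user ever sees them.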
A great deal of the malicious software that may (will, if you don't protect yourself) infect your computer is used to send ... spam! This is one of the more common techniques that is used. Infect a suitable number of machines, and let them do all the dirty work. Most will obfuscate (in this case, meaning hide or modify) the actual sending e-mail address, probably using legitimate addresses harvested from your address book. This is very common with phishing schemes, where you are led to believe that your e-Bay, PayPal or bank account has been 'suspended' until you log in and verify your personal details. Never, ever enter any details on a site unless you are 100% certain that you have accessed the genuine site. Check that the site is secure (the little locked padlock at the bottom of the browser), and disable popups. New techniques are being used that provide a 'sub-screen' (that may be invisible) in front of a legitimate site, purely to capture your data. The best protection is to use a (comparatively) safe browser and e-mail client such as Mozilla/Firefox/Thunderbird.
It is worth noting that well over 90% of all virus, trojan horse and other malware is aimed at Micro$oft products - operating systems, e-mail clients and browsers. This is partly because they are the most prolific, and is helped along by the fact that traditionally these products are full of security holes. While M$ is definitely trying to clean up the systems to make them more robust against external attack, they are also used by a huge number of computer illiterates (relatively speaking) who fail to take reasonable precautions against attacks and computer virus infections.
One only needs to be half awake to recognise the major conventional spammers. What is more interesting (and very insidious) is who is selling what, and who benefits (and it's never the purchaser!). A great deal of current spam is aimed at four major areas ...
Are any of these legitimate? The answer is obviously 'no', since in 99% of cases the items on offer are either counterfeit or illegal. The online drug trade in particular is very worrying, and the vast majority of all online sales must be considered suspect. There is a great deal of information on the Net, and anyone tempted to avail themselves of 'bargain' drugs would do well to check the available information carefully. Even where the drugs sold are genuine manufacturer products, their storage and handling procedures have almost certainly been violated. They may be past their use-by date but re-labelled, and many are classified as 'sub-potent' - having less than the stated amount of active ingredient (or none at all).
In the case of software, the product is almost certainly fake. In some cases the supplier will actually tell you this! No support from the vendor or the original manufacturer - do you really think that Microsoft will support a pirated copy of their operating system? Of course they won't, and you might get caught and face criminal proceedings yourself if you ask.
The 'cheap watch' scam is another where you know that the 'Rolex' on offer can't possibly be the real thing. In recent times, a lot of market stall and shop vendors have been caught and either fined or imprisoned for selling counterfeit goods in violation of copyright and trade mark laws. While it has been claimed in some quarters that the manufacturers of the genuine watches don't care (people who buy cheap fakes are unlikely to ever pay the several thousand dollars for the real thing), this is not strictly true.
Porn is a very old 'profession', and has always been associated with criminal (or at least very seedy) characters. The Internet has allowed the prolific distribution of such material, with the potential for maximum gain for (relatively) minimal outlay. A great deal of the content is illegal in many countries, but the difficulty of preventing access via the Net has made this a thriving business (reputed to be one of the most profitable Web based businesses in existence). A great many 'Pay Sites' will happily take your credit card details, but do not encrypt the data. You have absolutely no redress if you provide your card details to an unencrypted site (regardless of what they are claiming to sell). In some cases, you can be fairly certain that the site's sole purpose is to obtain your credit card details.
In a word - criminals. They may be minor players (often unwittingly) in the scheme of things, but in most cases their activities are at the very edge of the law, if not beyond. There is increasing evidence (and concern) that the profits from the counterfeit activities in particular are used to fund terrorist organisations. Many of the sites selling fake software are based where intervention by international law is minimal or non-existent, and likewise a lot of porn sites (especially those dealing in the really nasty stuff) are located where they are very hard or impossible to track down. Domain names can be registered from anywhere, and there are no checks or balances to ensure that a registrant is who s/he says s/he is.
Who would be foolish enough to provide credit card details to a site with no security, no continued presence on the Net (here today, gone tomorrow sites are common), and with absolutely no guarantee that the card details will not be re-used, on-sold or used for further 'phishing' expeditions to allow identity theft (a very prevalent and growing cyber-crime)?
All of the site types listed above use spam to advertise their 'services' - they rely on the gullibility of Internet users for their funds, and there is absolutely no guarantee that any of them will actually supply the goods they claim to sell. If they do provide goods, they will often be substandard, fake or have virtually no commercial value to the purchaser. Caveat Emptor (buyer beware) has never been more important than it is now.
What can you do if you are caught? In most cases, absolutely nothing! Unless you can provide law enforcement authorities with details they can use (such as a street address or a name), there is nothing they can do to help - you have lost your money, and may even have on-going credit card problems (unauthorised withdrawals or identity theft).
Never purchase anything from spammers, nor visit websites that use spam advertising. Never click on links in spam e-mails (they often use codes to indicate which recipients of their pestilential rubbish responded). Never provide personal details to any spammer's website, and never use unsecured web pages to provide credit card or other personal details. Never, ever respond to e-mail purporting to be from banks or online payment systems that want you to 'verify your details' - you will almost certainly be phished, and could lose everything you own!
One thing that everyone should do is configure their mail client so that it will warn you if a return receipt is requested. If it is spam, then the very last thing that you should do is allow the system to generate a message saying that the message was received. This merely indicates that the address is "live" - it is a working e-mail address, so your e-mail address will then go into a select database of known valid addresses.
One of the things that probably annoys me more than anything else, is the insistence in spam e-mails that it is not spam, but that I somehow "requested" that Freddies Fabulous Finds (a real spammer) should send me their crap! No way! I have never been to the site, and absolutely will not do so - ever! Others tell me that I consented to allow some un-named web site's "affiliates" to contact me. Que? Again, no way!
The ultimate spam is that which urges you to join their "program", and after 10 days you will have money to burn. Almost without exception, these bastards want you to join in, and the only way you will ever make a cent is to send more spam in the hope that some other poor sucker will buy in as well. (Of course, you may well find a sucker or two, but don't expect to see that cent!)
A typical "unsubscribe" message might look like the following ...
You have received this email because you visited our site or a partner site and commenced registration to receive our newsletter. If you feel that you have received this email in error or would like to unsubscribe, please follow the instructions below or simply reply to this mailing. We take great care in removing subscribers in a timely manner.
Bullshit! I never went near their stinking site, nor any of their stinking spammer bastard "partner" sites. Interesting how these spammers seem to have more partners than an oversexed rabbit, but they will never disclose the site(s) that supposedly "referred" you. Unsubscribe? In your dreams! I once set up a free e-mail address, then waited for the inevitable - spam! I got some (of course), so tried "unsubscribing" to see what would happen. After a week or so, there were something like 245 e-mails waiting for me, and every single one of them was spam. By allegedly unsubscribing, all I did was let the spammers know that it was a live e-mail address, and the word obviously spread. What surprised me was how quickly it all happened - these unscrupulous bastards may well be bastards, but they have a system, and it works (more's the pity).
Have you ever gone to the website of a spammer? Lots of info on their "services", happy customers (what about the poor bloody recipients?), and so on, but will you find a contact page anywhere? Of course you won't - they send it, but they certainly don't want to receive steenkin' spam any more than the rest of us.
There are some very well known sites that seem to thrive on - or at least allow - spam. Yahoo is one, AOL is another, and so is Earthlink, Freeserve (UK), Bellsouth, MSN, etc, etc. To my mind this is unforgivable. That any ISP, hosting service or provider, regardless of anything, should allow its members to send spam is unbelievable - no-one wants it, everyone would like to see it stopped, but these bastards allow it to happen! I make a habit of boycotting any site that I get spammed by - you send me spam, and you will never get my business!
Death Really Is Too Good For Them
From a recent e-mail exchange on the subject, a reader did a few calculations (I quote from the e-mail) ...
lemme see...if every spam mail wastes about 2 seconds of time, a spammer wastes 1 life about every billion (10⁹) spam mails.
In 2003 AOL blocked 500 billion spam mail, saving about 500 lives according to my quick-and-dirty calculation.
E-mail_spam says ...
- 10 billion spam emails are sent every day
- 30 billion are expected by 2005
- 150 spammers send 90% of all email
Okay, so each of these 150 spammers risks wasting 2 lives each month (of course, much of this sent spam doesn't get received, so the actual number of wasted lives will be smaller - and this also assumes that my assumptions are sort of accurate, which they might not be). Anyway...to paraphrase what you said in the rant ... "Death is too good for them!"
Thanks Klaus - I don't really care much if the calculations are 50% out, it is still a scary and troubling problem, and one that will not go away until all governments enact serious legislation to make spamming a criminal offence. I maintain that first offenders should be subjected to the death penalty, with harsher measures for subsequent breaches.
I urge anyone interested in the topic to look at E-mail_spam. Very informative, but somewhat depressing.
Now, how long would the spammers last? My guess is about 21 days. This approach is somewhat Draconian perhaps, but that is the only thing that will stop the rising traffic of junk mail. The "soft" options have been tried, and don't work. Legislation has been attempted, but politicians do not have the technical skills to know what legislation should be passed, and lobby groups get any potentially effective laws watered down so they are useless.
The risk to legitimate bulk e-mail senders would be minimal under this scheme. All they have to do is explain how they obtained a complainant's e-mail address, and malicious complaints could be treated with the same big stick as the spammers. The onus is on everyone to give everyone else a "fair go" - some people like junk mail, be it in their physical letter box or an electronic one, and they should not be denied the right to receive it if they wish. Others hate it with a deep passion, and they should likewise be treated with the dignity they deserve.
Now, I ask again ... "Is there anything wrong with this idea?"
I am open to suggestions, and if anyone can add anything useful to this scheme, you may send me an e-mail (see the Contact ESP page for details).
Above, I asked "Is there Anything Wrong With This Scheme". The answer (unfortunately) is 'yes'. Since much spam is generated from infected computers using the infected machine's address book, a bit of careful programming (and yes, this is done) ensures that the amount of e-mail sent from any one machine is small enough to 'stay under the radar' (as it were), and will not trigger global anti-spam blacklists and the like. As fast as we implement better anti-spam measures, the spammers (especially the criminal element) will adapt, modify their methods and generally remain one step ahead.
Having just spent a considerable part of the last ten days dealing with a spam-related problem, I revisited your rant with the new knowledge about spamming gained recently. Whilst your solution will have the effect of adding more dead mailboxes to the spammers' lists, it is unlikely to have any great negative effect on the operations of most of them.
Spammers generally avoid sending their bulk mailings over their own bandwidth. They use open relays - misconfigured mail exchangers that will relay inbound mail. A single 1KB message from their mail client addressed to 1000 recipients generates 1MB of traffic from the open relay.
Somebody made a configuration change recently to a mail exchanger which I administer and it became an open relay. This type of development obviously travels fast in the spamming community. (Actually, there are web listings you can subscribe to which list open relays.) I'll know when I next see the bill how much additional traffic passed through that system. The amount of traffic generated was sufficient to grab all of the bandwidth on a 128KB leased line such that genuine incoming mail was being bounced.
The misconfiguration of this mail exchanger has now been corrected but considerable traffic is still being generated simply by the mail exchanger returning a "relaying prohibited" message to the originator of the message. It can take twenty to thirty minutes to process the "relaying prohibited" responses of a single incoming message - and that on a mail exchanger with 2 x 1GHz PIII processors and 1GB of RAM! I have had to put, at the last count, 82 separate rules in the firewall blocking SMTP traffic from the subnets from which spam relay has been attempted. In fact, I have had to exclude the whole of South America (220.127.116.11 - 18.104.22.168) because the firewall won't accept more than 100 rules! As you may imagine, checking the log files for the offending addresses and then changing the rules on the firewall has not been fun.
If you've stuck with me this far, you might be wondering why I am bothering to tell you all this. Well....
The flaw in your proposal is this: if the open relay cannot deliver a message because the address is non-existent, it sends a non-delivery report (NDR) to the originator. If the spammer has used a real IP address when sending the mail (and I don't think too many of them go to the trouble of spoofing the addresses), they could use the NDR to clean up their address list. Not that they probably bother, although huge numbers of incoming NDRs do use up their bandwidth. If the originating address is false, an error is reported on the open relay that the NDR could not be sent.
Also, each false address requires a DNS lookup of the MX record which is more pointless use of bandwidth and further burden on the DNS servers - but not at the spammer's expense. If the domain actually exists, the mail exchanger for that domain will send a 'recipient unknown' or similar message. More traffic of which the spammer is blissfully unaware.
You could argue that those offering open relay on the Internet are "accessories" in the spamming business and I would not disagree with you. But I don't think that your solution does much damage to those actually originating the spam.
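The relay and NDR behaviour described in the e-mail above can be shown as an SMTP dialogue. The following Python is an added example written for this page (not the reader's mail exchanger configuration or any real MTA's code); the hosted domain, mailbox list and session are constructed sample data. It models one mail exchanger's reply to each RCPT TO command under two policies: rejecting unknown recipients during the dialogue with a 550, versus accepting everything and bouncing later, which is what turns a forged MAIL FROM address into a backscatter victim. Relaying for outside domains is refused unless the client authenticated, so the server is not an open relay in either mode.

```python
"""Simulated RCPT-stage policy for a mail exchanger.
Added example, not the reader's configuration or any real MTA's code; the
hosted domain, mailbox list and session below are constructed sample data."""

HOSTED_DOMAINS = {"example.org"}                       # domains this MX delivers for
VALID_MAILBOXES = {"alice@example.org", "postmaster@example.org"}


def rcpt_decision(recipient, authenticated=False, *, reject_unknown=True):
    """Return the (code, text) reply for one RCPT TO command.

    Policy:
      * never relay to outside domains for an unauthenticated client (no open relay);
      * for hosted domains, refuse unknown mailboxes with a 550 so the sending
        system, not this MX, is responsible for any bounce.
    With reject_unknown=False the MX behaves like the relays in the text: it
    says 250 now and emits an NDR to the MAIL FROM address later.
    """
    domain = recipient.rpartition("@")[2].lower()
    if domain not in HOSTED_DOMAINS:
        return (250, "OK") if authenticated else (554, "Relaying prohibited")
    if recipient.lower() in VALID_MAILBOXES:
        return 250, "OK"
    return (550, "No such user here") if reject_unknown else (250, "OK")


def run_session(mail_from, recipients, *, authenticated=False, reject_unknown=True):
    """Play one transaction. Returns (transcript, accepted, ndrs_generated)."""
    transcript = [f"C: MAIL FROM:<{mail_from}>", "S: 250 OK"]
    accepted = []
    for rcpt in recipients:
        code, text = rcpt_decision(rcpt, authenticated, reject_unknown=reject_unknown)
        transcript += [f"C: RCPT TO:<{rcpt}>", f"S: {code} {text}"]
        if code == 250:
            accepted.append(rcpt)
    if accepted:
        transcript += ["C: DATA", "S: 354 End data with <CR><LF>.<CR><LF>",
                       "C: (message body) .", "S: 250 Queued"]
    else:
        transcript += ["C: DATA", "S: 503 No valid recipients"]
    # Backscatter: every accepted hosted recipient that does not exist turns into
    # a non-delivery report addressed to MAIL FROM, whether or not it was forged.
    ndrs = sum(1 for r in accepted
               if r.rpartition("@")[2].lower() in HOSTED_DOMAINS
               and r.lower() not in VALID_MAILBOXES)
    return transcript, accepted, ndrs


if __name__ == "__main__":
    # Constructed dictionary-style recipient list sent with a forged MAIL FROM.
    rcpts = ["adaa@example.org", "adab@example.org", "alice@example.org",
             "bob@elsewhere.example"]
    for policy in (False, True):
        lines, ok, ndrs = run_session("forged@victim.example", rcpts, reject_unknown=policy)
        print(f"--- reject_unknown={policy}: accepted={ok}, NDRs to forged sender={ndrs}")
        print("\n".join(lines))
```

With `reject_unknown=False` the two made-up addresses are accepted and become two NDRs to `forged@victim.example`, who never sent anything; with the default policy they are refused in the dialogue and no bounce is ever generated. This is the standard answer to the NDR problem the e-mail raises: validate recipients before saying 250, and never accept mail you will later have to bounce.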
Unfortunately, this is all completely correct. The story continues ... Here is a depressing item from today's logs:
A relay attempt which started at 11.00 and stopped at 11.11 had attempted 1115 addresses and had only got from addv@domain to adge@domain. All good spammers keep their addresses in alphabetical order.
Death would be too easy. They should be incarcerated for life, with no chance of parole, fed only spam 3 times a day and have only mail logs to read. For quite a while now, spammers have been generating email addresses automatically. A common way to do this is in a range like this:
You will have got the idea. However, most email hosts have got wise to this and use an SMTP filter which will check (a) to how many addresses in this domain is this particular mail addressed and (b) how many of the addresses are actually valid? If either test fails, the mail will be rejected.
Here are some real statistics:
On 16/09/03 between 00.27.89 and 09.27.20 local time (UCT+8) the mail server received 119 SMTP connections. Of these, only 38 were for mail intended for the hosted domains (and some of that was spam).
There were 81 attempts to relay UCE (spam). These came from 24 sources identified only by IP address and 8 where the originating domain name was shown (neophytes obviously because that proves the origin of the mail whereas the other addresses might be spoofed).
The relay attempts generated 50,274 "relaying is not allowed" messages, an average of 422 messages per attempt. One particular relay attempt had 5,294 addresses which commenced only with firstname.lastname@example.org which suggests that the originator has another list for adxxx etc! (You will appreciate that I don't have the time to analyse each attempt.)
Of the 81 attempts, some would have been repeat attempts to relay.
I have not yet counted how many additional attempts were blocked at the firewall because of the denied subnet ranges I have entered there.
Bear in mind that this is one mail exchanger out of hundreds of thousands now attached to the Internet.
During the period under discussion, the firewall blocked 237 attempts to establish an SMTP connection to addresses within the subnet on which the mail exchanger resides. I have not enumerated the number of sources involved but 14 separate firewall rules were invoked one of which excludes all addresses in South America. There were probably somewhere between 20 and 40 different sources.
(BTW, the firewall also blocks huge numbers of attempts to establish HTTP connections to a Webserver which does not exist on that subnet plus various other port scans. Until you have actually read such a firewall log you have no idea of how much trash is moving over the internet. How about if every 15 seconds somebody checked whether the front door to your house was locked!)
What can administrators of mail exchangers do in addition to ensuring that mail is not relayed? Not much, unfortunately. Spam abuse reports to the ISP concerned tend to elicit an automated reply along the lines of: "This is an automatically generated reply. Your report about spam abuse has been noted. Because of the large number of reports received, this is probably the only reply you will receive. Thank you for bringing this matter to our attention."
I am not pessimistic. I do not think that spam will destroy the internet. Ways will be found to combat it, perhaps by replacing SMTP with a protocol which requires verification that the originating IP address is valid before mail is passed by the routers which would stop the IP spoofers. (There are programs available which will do this at the recipient end but they are often not recommended because of the processing and bandwidth demands.) All ISPs ought, by now, to have configured their routers to block outbound traffic which originates from an IP address which is not on the subnet which the router handles but I fear that this is not the case.
Also, automatically generated "white" lists will help for those who, like you, receive large quantities of commercial mail. You probably know how such a system works. For example: You don't know me but I want to send you an email. That gets blocked and I receive a reply from you saying "Who are you? If you really want me to receive this email then log on to this web site, confirm your particulars and I'll add you to my list of accepted correspondents (if I feel like it)." These services already exist.
When the postal service (snail mail) first started the recipient paid the cost of delivery. This was quickly found to be unworkable. Can you imagine how this would work now: "Bugger off, mate. I ain't giving you a dollar to receive another bill from that bunch of thieving bastards!" At the moment, the spammers do almost the electronic equivalent of walking to the mailbox and posting huge numbers of letters without either stamps or printing the letters and inserting them into envelopes. Once a system is created that charges some small amount for each email sent (perhaps even taking bandwidth utilisation into account) the spam abuse will stop because the spammers will not be able to make any money. There will also be a huge financial incentive for all those who operate mail exchangers to ensure that no mail other than that originating from their domain gets relayed. Also, any mail server will ultimately get blacklisted if it remains an open relay or spam source for long.
If you want more horrifying news, do a Google search on "SMTP DDOS" and look at the message from Kip. Sr. on lists.insecure.org: 30,000 NDRs per day to his server for mail he had nothing to do with!
This article is interesting: http://news.com.com/2100-1038_3-5058610.html. The poor bastards at AOL.com blocking 2.5 billion (sic) spam mails in one day makes my problems pale into insignificance. However, they do have more resources.
Our server is now behaving properly and not relaying anything but is still receiving sufficient attempts to keep me on my toes.
One type of whitelist solution is ISP based. It requires no action on the part of the mail recipient. If the correspondent does not fill in the details, the incoming mail does not get through. Outgoing mail is not affected. I suppose this could be implemented at the client level - perhaps already has been - but it would be, as you say, onerous to manage.
Charging need not necessarily be onerous - say 0.1c per mail. This would be expensive for the mail relayers, which is what needs to be stopped. However, this type of implementation would probably require changes to, at least, the router software, if not the hardware and probably won't happen.
If you want to know more, check out these websites: www.openrelaycheck.com
for a 'convenient' list of open relays. If you want the most recently found, you have to pay. How about an email list with over 200 million names? Or a tool to check that your email lists do not contain any invalid addresses? Bulk mailing software etc. Spamming tools are all available on these sites.
The bastards at openrelaycheck are scanning my server to see if it is still an open relay! Since it isn't, I'm letting them, then maybe they'll take the subnet off the list.
Unfortunately, like many apparently simple things with computers, authentication is not easy to implement within the existing structure.
Articles have been written describing how authentication may be added to the existing SMTP. The author of one such article, however, is brutally realistic as he explains ... "Such a proposal is extremely unlikely to be implemented because there is too much money to be made in providing anti-spam software".
You have my permission to use this information.
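The reader's description of the SMTP filter most hosts now use (how many recipients in one hosted domain, how many of them are real mailboxes) and of the alphabetical runs in his logs (addv through adge, 1115 addresses in eleven minutes) can be turned into a RCPT-stage check. The Python below is an added example written for this page, not the reader's filter or any real MTA's code; the thresholds, the mailbox list and the generated sample list are all constructed. It evaluates one message's recipient list against the two tests he names, plus a third for long stretches of recipients in ascending alphabetical order, which is the signature of a generated dictionary rather than a real address book.

```python
"""RCPT-list checks modelled on the two tests the reader describes (recipients
per hosted domain; fraction that actually exist) plus a check for alphabetically
sequential local parts. Added example; thresholds, mailbox list and the sample
lists are constructed, not taken from any real mail exchanger."""
from collections import Counter
from itertools import product
from string import ascii_lowercase

HOSTED_DOMAINS = {"example.org"}
VALID_MAILBOXES = {"alice@example.org", "bob@example.org", "postmaster@example.org"}

MAX_RCPT_PER_DOMAIN = 50   # assumed limit per hosted domain per message
MIN_VALID_FRACTION = 0.5   # assumed: at least half the hosted recipients must exist
MAX_SORTED_RUN = 20        # assumed: this many ascending local parts in a row is a dictionary


def longest_sorted_run(local_parts):
    """Length of the longest stretch of consecutive local parts in ascending order."""
    best = run = 1 if local_parts else 0
    for prev, cur in zip(local_parts, local_parts[1:]):
        run = run + 1 if cur > prev else 1
        best = max(best, run)
    return best


def evaluate_rcpt_list(recipients):
    """Return ('accept' | 'reject', [reasons]) for one message's RCPT list."""
    hosted = [r.lower() for r in recipients
              if r.rpartition("@")[2].lower() in HOSTED_DOMAINS]
    reasons = []
    for domain, n in Counter(r.rpartition("@")[2] for r in hosted).items():
        if n > MAX_RCPT_PER_DOMAIN:
            reasons.append(f"{n} recipients for {domain} (limit {MAX_RCPT_PER_DOMAIN})")
    if hosted:
        valid = sum(r in VALID_MAILBOXES for r in hosted)
        if valid / len(hosted) < MIN_VALID_FRACTION:
            reasons.append(f"only {valid} of {len(hosted)} hosted recipients exist")
        run = longest_sorted_run([r.rpartition("@")[0] for r in hosted])
        if run >= MAX_SORTED_RUN:
            reasons.append(f"{run} consecutive recipients in alphabetical order")
    return ("reject" if reasons else "accept"), reasons


def generated_list(prefix="ad", domain="example.org", count=100):
    """Constructed stand-in for a generated dictionary list: prefix plus two letters."""
    combos = ("".join(p) for p in product(ascii_lowercase, repeat=2))
    return [f"{prefix}{c}@{domain}" for _, c in zip(range(count), combos)]


if __name__ == "__main__":
    print(evaluate_rcpt_list(generated_list()))
    print(evaluate_rcpt_list(["alice@example.org", "bob@example.org",
                              "carol@elsewhere.example"]))
```

In a real MTA these checks run while the RCPT TO commands arrive, so a list that fails can be cut off after a few dozen recipients instead of the server grinding through a thousand of them and answering each one, which is the twenty-to-thirty-minute cost the e-mail describes. The sorted-run test is the cheapest of the three and needs no mailbox lookup at all.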
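The 100-rule firewall limit that forced the reader to block the whole of South America is a common constraint, and the trade-off it forces (fewer rules, more addresses blocked) can be made explicit rather than guessed at. The Python below is an added example written for this page, not the reader's firewall configuration; the networks are constructed from documentation ranges. It first collapses a list of offending subnets into the fewest exact CIDR rules, and if that still exceeds the limit it widens the most specific prefixes one bit at a time until the list fits, reporting how many extra addresses the widened rules now block.

```python
"""Fit a blocklist into a firewall that accepts only a fixed number of rules.
Added example, not the reader's firewall configuration; the networks used in
the demo are constructed from documentation ranges."""
import ipaddress


def exact_rules(blocked):
    """Smallest set of CIDR rules that blocks exactly the given networks."""
    nets = [ipaddress.ip_network(b, strict=False) for b in blocked]
    return list(ipaddress.collapse_addresses(nets))


def fit_to_rule_limit(blocked, limit):
    """Return (rules, extra_addresses).

    rules has at most `limit` entries (unless everything is already /0);
    extra_addresses is how many addresses they block beyond the originals,
    i.e. the collateral damage of fitting the rule limit.
    """
    rules = exact_rules(blocked)
    wanted = sum(n.num_addresses for n in rules)
    while len(rules) > limit:
        longest = max(n.prefixlen for n in rules)
        if longest == 0:
            break                          # nothing left to widen
        # Widen only the most specific prefixes; they cost the fewest extra
        # addresses per bit. collapse_addresses then merges any that now touch.
        widened = [n.supernet() if n.prefixlen == longest else n for n in rules]
        rules = list(ipaddress.collapse_addresses(widened))
    extra = sum(n.num_addresses for n in rules) - wanted
    return rules, extra


if __name__ == "__main__":
    # Constructed list of offending sources as an administrator might collect them.
    blocked = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.10",
               "198.51.100.11", "203.0.113.0/24"]
    for limit in (3, 2):
        rules, extra = fit_to_rule_limit(blocked, limit)
        print(f"limit {limit}: {[str(r) for r in rules]}, extra addresses blocked: {extra}")
```

With a limit of 3 the five entries collapse losslessly to three rules (two /25s merge into a /24, two adjacent hosts into a /31). With a limit of 2 the only way to fit is to widen until two of the three blocks share a /5, which blocks over 268 million addresses that never sent anything: the numeric version of "excluding the whole of South America". Printing `extra` before committing the rules is the check worth having.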
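The challenge-response whitelist the reader sketches ("Who are you? ... confirm your particulars and I'll add you") is simple to state and has one well-known catch, so here it is as an added example written for this page, not any existing service's code. Mail from an unknown correspondent is held and a challenge with a random token goes back; a correct token releases the held mail and whitelists the sender. The catch the code makes visible is `challenges_sent`: every challenge is itself a message to an address that may have been forged, so an unconditional challenger produces backscatter of exactly the kind the e-mail above complains about.

```python
"""Minimal challenge-response whitelist. Added example, not any existing
service's code; it is a state machine only, with no real mail sent."""
import secrets


class ChallengeResponseWhitelist:
    def __init__(self):
        self.whitelist = set()
        self.pending = {}          # token -> (sender, held messages)
        self.challenges_sent = []  # addresses a challenge went to (backscatter risk)

    def inbound(self, sender, message):
        """Handle one incoming message.

        Returns ('delivered', None) for whitelisted senders, or ('held', token)
        the first time an unknown sender writes and ('held', None) afterwards,
        so a sender is challenged once, not once per message.
        """
        sender = sender.lower()
        if sender in self.whitelist:
            return "delivered", None
        for addr, held in self.pending.values():
            if addr == sender:
                held.append(message)          # already challenged: just hold it
                return "held", None
        token = secrets.token_urlsafe(16)     # unguessable, single use
        self.pending[token] = (sender, [message])
        self.challenges_sent.append(sender)   # if `sender` was forged, this is backscatter
        return "held", token

    def confirm(self, token):
        """The correspondent followed the challenge link.

        Returns the released messages, or None for an unknown or reused token
        (guessing a token must not be a way onto the whitelist).
        """
        entry = self.pending.pop(token, None)
        if entry is None:
            return None
        sender, held = entry
        self.whitelist.add(sender)
        return held


if __name__ == "__main__":
    # Constructed exchange with one unknown correspondent.
    w = ChallengeResponseWhitelist()
    status, token = w.inbound("Stranger@example.net", "first message")
    print(status, "challenge sent to", w.challenges_sent[-1])
    print(w.inbound("stranger@example.net", "second message"))
    print("released:", w.confirm(token))
    print(w.inbound("stranger@example.net", "third message"))
```

A deployable version would only challenge senders that pass the SPF-style source checks the e-mail also mentions, or would challenge once per sending host rather than per address, precisely to keep `challenges_sent` from becoming a list of innocent forged addresses.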
The above is very sobering, and I learned a lot about SMTP (Simple Mail Transfer Protocol) and why the traffic generated by errors (e.g. incorrect addresses) is so great. When SMTP was written, it was used for a relatively closed group of academics - it was never intended as a mail transport for the entire world, but was simply adopted along with TCP/IP as the Internet grew.
The results are obvious (now), but back then no-one ever imagined that unscrupulous bastards (spammers) would attempt to hijack the entire system. Hindsight is, of course, an absolute science.
Also bear in mind that around 2/3 (or maybe a lot more) of the spam e-mails you receive are bogus - the "products" either don't exist, don't work or the descriptions are false or misleading. Without exception, you will be expected somewhere along the line to pay some money ... don't do it!
I'll say this again ... We should never purchase anything from spammers, nor visit websites that use spam advertising. If everyone did just that - made no purchases from spam adverts, and never visited a website that used spam advertising, spam would stop! Just like that! No-one would ever dare use spam to advertise if it instantly meant that every recipient was a "customer never to be".
The process I describe here is (unfortunately) completely useless, and a great many spammers don't even bother to use real addresses, but rely on automated systems that make them up on the fly. Since this is about as crude as it is possible to imagine, anything as "sophisticated" as a bogus list is completely pointless :-(
As a matter of policy, I (once would have) urge(d) web sites worldwide to do what I have done below. Create a bogus list (you may copy mine freely, but please, please, make changes to it - the more bogus e-mail addresses there are out there the better, since they pollute the spammer's lists, and create traffic (for which even steenkin' spammers have to pay something) for zero return). You may (of course) still do so, but the effects are unlikely to help at all - most regrettable.
BOGUS is a small program to generate complete web pages full of e-mail addresses. You may freely download and use BOGUS to create your own pages, richly populated with randomly generated e-mail addresses, all based on two dictionaries that you can modify yourself easily - as many e-mails as you want. Needless to say, the program (as with this web page) is completely free to use, distribute and copy. (Completely at your own risk, of course, - insert standard disclaimer absolving me of any responsibility whatsoever, regardless of what happens, how, why or to whom.)
A page can be created in about 2 seconds - it takes longer to type in a name, author and opening and closing "tags" than for BOGUS to write the page. You can edit the wordlists, substitute your own dictionaries (it supports any language ;-) and add more domain extensions (there is a comprehensive readme file in the zipped download). Easy to use, quite good fun (some of the stuff it can generate is highly amusing), and a great way to pollute spammers mailing lists. What more could you ask for?
There used to be a page full of Bogus' output here (as well as links to 'web pages' generated by the program), but they have now been removed. Because of the changes to the spamming methods, the usefulness of BOGUS is seriously limited - so much so that I can no longer recommend its implementation. You may still download the program and use it if you wish, but I would no longer expect it to have any real use in the eternal struggle against this unwanted invasion. At least with junk mail in your letter box it is possible to just chuck it into the recycle bin (sigh).
Copyright Notice. This article is public domain, and may be copied, reproduced, republished, modified or stolen, without restriction of any kind (other than as set out below). There is no requirement to acknowledge The Audio Pages (or the author), however an e-mail saying that you have used this material would be appreciated so that I can judge how many people have joined in the campaign.