Elliott Sound Products Death to all Spammers 

Copyright © 2003 - Rod Elliott (ESP)
Page Updated 21 Oct 2003




Spam, Spam, Spam, Sausage and Spam

... That doesn't have much spam in it (With apologies to the Monty Python Team :-)  Ok, now I have had enough! More than enough - I have had a gutful! Much as it may come as a surprise to those useless turds who abuse the Internet, I do not ...

We should never purchase anything from spammers, nor visit websites that use spam advertising. If everyone did just that - made no purchases from spam adverts, and never visited a website that used spam advertising, spam would stop! Just like that! No-one would ever dare use spam to advertise if it instantly meant that every recipient was a "customer never to be".

Some claim that spam is killing the Internet. This is not some far flung theory, this is the consensus of many experts in the field, and an opinion that has many of the indications of truth. The spammers are infesting the Net with Gigabytes of useless, unwanted, and unsolicited garbage every day, and with each passing day it gets worse and worse (a 78% increase in 2003 over 2002, by one count).

The time has come for governments worldwide to crack down hard on these selfish bastards. Personally, I recommend the death penalty for the first offence, and more severe punishment for repeat offenders. Some may disagree, but I don't think that my suggested penalties are unreasonable. Actually, they may even be benevolent! (Hmmm, after much deliberation I have come to the conclusion that the aforementioned penalties are benevolent.)

It's bad enough when you have a private e-mail account that is used only to contact family and friends, but the problem is much, much worse for anyone foolish enough to have a public e-mail address, such as that used by most businesses. Leaving an e-mail address on a web page in plain text is asking for trouble, and sure enough, the steenkin' spam-bots (SSBs) will troll through any website, looking for e-mail addresses. Unicode (a character numbering system understood by web browsers) used to work, but the spam-bots have now been reprogrammed, haven't they? Unicode is no longer secure, as the SSBs can decode it - that had to happen. Other techniques have also been suggested - Javascript, for example, but how long will it be before that is "cracked" as well?

As visitors to my pages will know, the e-mail address is in an image (as well as Javascript), and thus far there is no way for the SSBs to do anything with that, but alas, I shut the stable door way too late! Receiving anything up to 200 (!) spam messages every day (and having to sift through all of them looking for valid e-mails from customers and people with queries) is very tedious.
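A site owner can check their own pages for this kind of exposure. The following is an added example, not part of the original article: it reports every address that a page gives away in plain text or as numeric character references, and shows that the encoded form falls to a single standard-library call. The sample page and its addresses are constructed for the example.

```python
import html
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_page(page_source):
    """Return (line number, address, how it is exposed) for each exposed address."""
    findings = []
    for lineno, line in enumerate(page_source.splitlines(), 1):
        # Addresses readable without any decoding at all.
        plain = set(EMAIL_RE.findall(line))
        # Addresses readable once character references (&#64; and friends)
        # are resolved, which is what every browser and HTML parser does.
        decoded = set(EMAIL_RE.findall(html.unescape(line)))
        for addr in sorted(plain | decoded):
            kind = "plain text" if addr in plain else "character references"
            findings.append((lineno, addr, kind))
    return findings


def encode_refs(text):
    """Encode every character as a numeric character reference."""
    return "".join(f"&#{ord(c)};" for c in text)


# Constructed sample page: one plain address, one fully encoded address,
# one with only the @ encoded, and one shown only as an image.
SAMPLE_PAGE = "\n".join([
    '<p>Contact: <a href="mailto:info@example.com">info@example.com</a></p>',
    f"<p>Sales: {encode_refs('sales@example.com')}</p>",
    "<p>Web: webmaster&#64;example.org</p>",
    '<p><img src="contact.gif" alt="our e-mail address"></p>',
])

if __name__ == "__main__":
    for lineno, addr, kind in audit_page(SAMPLE_PAGE):
        print(f"line {lineno}: {addr} exposed as {kind}")
```

Only the image-only line produces no finding, which matches the article's experience.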

Junk mail in my letter box is also a pain, but it is easy to see what should go straight into the recycle bin, and what should be kept. Not so easy with spam mail though, since there is only a title and a sender (both of which are generally bogus).

From ZDNet comes one of many, many articles on the subject of spam, and what it is doing to our lives - see The Hidden Gotchas of Spam and make sure that you look at the other articles as well.


Criminal Spam - Worse Than You Think!

While this is covered briefly below, it has become sufficiently worrying to see the amount of criminal spam that now circulates. There is much consternation in many circles that organised crime syndicates are paying virus (and other 'malware' authors) for a specific number of infected machines. They may request (say) 1,000 machines with a specific piece of malevolent code that is purpose designed, and these are duly supplied.

The most common usage for such programs is to either do a controlled launch of spam directing people to phishing sites, or to capture the unsuspecting user's details over a period of time to facilitate identity theft. This is the fastest growing type of crime currently in existence, and the payoff to the criminals can be very substantial. In addition, it can be almost impossible to track down the identity thief - the unsuspecting (but I must add dumb!) user can be left with debts of thousands, as well as become the recipient of rather unwelcome attention from law enforcement officials because of crimes committed in their name.

It is vitally important that anti-virus software should be installed on every computer that has network access, but all too often users think that they will be safe if they have a dial-up account that is only used for perhaps ½ hour each day. Wrong! According to recent information from ZDNet and other sources, a machine only needs to be on-line for about 15 minutes before it will be probed by someone looking for an open port that they can use to gain access. Once access is obtained, it could be too late - depending on the particular trojan or virus that might be installed, it may easily fool any subsequently installed anti-virus or firewall program.

If you find this alarming, then so you should. It is alarming ... in fact, it is terrifying. Every machine with network access should have the following software installed at the very least ...

The last point is very important. Micro$oft in its 'wisdom' by default does not display the extensions, so if you see an e-mail attachment called (for example) photos.exe then all you will see is photos and may be tempted to open the attachment to look. Bingo! Your machine is now running the virus, trojan horse or whatever form of malware was in the attachment. By disabling the hidden extensions, you can see that the extension is 'exe' (meaning an executable file). Other dangerous file extensions include 'bat', 'com' (a most unfortunate duplication of the common URL terminator of 'dot com'), 'scr' (screen saver - allegedly), but be aware that there are many other possibilities (e.g. dll, ocx, msc - and probably quite a few others).
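The same check can be made automatically before a message ever reaches the user. The following is an added example, not part of the original article: it lists each attachment in a message, the name a user would see with extensions hidden (modelled here simply as the name minus its final extension, as the article describes), and whether the real extension is one of those named above. The sample message, its addresses and its file names are constructed for the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Extensions the article names as dangerous; it notes there are others.
RISKY_EXTENSIONS = {"exe", "bat", "com", "scr", "dll", "ocx", "msc"}


def split_name(filename):
    """Return (name shown when extensions are hidden, real final extension)."""
    name = filename.strip().rstrip(". ")  # Windows ignores trailing dots and spaces
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return name, ""
    return stem, ext.lower()


def check_attachments(raw_message):
    """List every named attachment with what the user sees and what it really is."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        shown_as, ext = split_name(filename)
        risky = ext in RISKY_EXTENSIONS
        findings.append({
            "filename": filename,
            "shown_as": shown_as,
            "risky": risky,
            # report.pdf.scr displays as report.pdf once the .scr is hidden
            "disguised": risky and "." in shown_as,
        })
    return findings


def build_sample():
    """Constructed message; the attachment bodies are harmless placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Holiday photos"
    msg.set_content("See attached.")
    for name in ("photos.exe", "report.pdf.scr"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    for f in check_attachments(build_sample()):
        verdict = "BLOCK" if f["risky"] else "ok"
        print(f"{verdict:5} {f['filename']!r} shows as {f['shown_as']!r}")
```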

While the above guidelines will provide reasonable protection, the user still needs to exercise extreme vigilance. Spammers are getting more and more cunning at hiding their malicious 'offerings' so that users will not recognise them for what they are. Javascript can be used for malicious purposes, and many websites are set up for the sole purpose of attacking your computer. This is most commonly done by using some of the 'advanced' features of IE (Internet Explorer). Active-X should be disabled if you insist on using one of the most commonly attacked web browsers in existence!

A great deal of the malicious software that may (will, if you don't protect yourself) infect your computer is used to send ... spam! This is one of the more common techniques that is used. Infect a suitable number of machines, and let them do all the dirty work. Most will obfuscate (in this case, meaning hide or modify) the actual sending e-mail address, probably using legitimate addresses harvested from your address book. This is very common with phishing schemes, where you are led to believe that your eBay, PayPal or bank account has been 'suspended' until you log in and verify your personal details. Never, ever enter any details on a site unless you are 100% certain that you have accessed the genuine site. Check that the site is secure (the little locked padlock at the bottom of the browser), and disable popups. New techniques are being used that provide a 'sub-screen' (that may be invisible) in front of a legitimate site, purely to capture your data. The best protection is to use a (comparatively) safe browser and e-mail client such as Mozilla/Firefox/Thunderbird.

It is worth noting that well over 90% of all virus, trojan horse and other malware is aimed at Micro$oft products - operating systems, e-mail clients and browsers. This is partly because they are the most prolific, and is helped along by the fact that traditionally these products are full of security holes. While M$ is definitely trying to clean up the systems to make them more robust against external attack, they are also used by a huge number of computer illiterates (relatively speaking) who fail to take reasonable precautions against attacks and computer virus infections.


Major Spam Users - Who Benefits?

One only needs to be half awake to recognise the major conventional spammers. What is more interesting (and very insidious) is who is selling what, and who benefits (and it's never the purchaser!). A great deal of current spam is aimed in four major areas ...

Are any of these legitimate? The answer is obviously 'no', since in 99% of cases the items on offer are either counterfeit or illegal. The online drug trade in particular is very worrying, and the vast majority of all online sales must be considered suspect. There is a great deal of information on the Net, and anyone tempted to avail themselves of 'bargain' drugs would do well to check the available information carefully. Even where the drugs sold are genuine manufacturer products, their storage and handling procedures have almost certainly been violated. They may be past their use-by date but re-labelled, and many are classified as 'sub-potent' - having less than the stated amount of active ingredient (or none at all).

In the case of software, the product is almost certainly fake. In some cases the supplier will actually tell you this! No support from the vendor or the original manufacturer - do you really think that Microsoft will support a pirated copy of their operating system? Of course they won't, and you might get caught and face criminal proceedings yourself if you ask.

The 'cheap watch' scam is another where you know that the 'Rolex' on offer can't possibly be the real thing. In recent times, a lot of market stall and shop vendors have been caught and either fined or imprisoned for selling counterfeit goods in violation of copyright and trade mark laws. While it has been claimed in some quarters that the manufacturers of the genuine watches don't care (people who buy cheap fakes are unlikely to ever pay the several thousand dollars for the real thing), this is not strictly true.

Porn is a very old 'profession', and has always been associated with criminal (or at least very seedy) characters. The Internet has allowed the prolific distribution of such material, with the potential for maximum gain for (relatively) minimal outlay. A great deal of the content is illegal in many countries, but the difficulty of preventing access via the Net has made this a thriving business (reputed to be one of the most profitable Web based businesses in existence). A great many 'Pay Sites' will happily take your credit card details, but do not encrypt the data. You have absolutely no redress if you provide your card details to an unencrypted site (regardless of what they are claiming to sell). In some cases, you can be fairly certain that the site's sole purpose is to obtain your credit card details.

Who Benefits?
In a word - criminals. They may be minor players (often unwittingly) in the scheme of things, but in most cases their activities are at the very edge of the law, if not beyond. There is increasing evidence (and concern) that the profits from the counterfeit activities in particular are used to fund terrorist organisations. Many of the sites selling fake software are based where intervention by international law is minimal or non-existent, and likewise a lot of porn sites (especially those dealing in the really nasty stuff) are located where they are very hard or impossible to track down. Domain names can be registered from anywhere, and there are no checks or balances to ensure that a registrant is who s/he says s/he is.

Who would be foolish enough to provide credit card details to a site with no security, no continued presence on the Net (here today, gone tomorrow sites are common), and with absolutely no guarantee that the card details will not be re-used, on-sold or used for further 'phishing' expeditions to allow identity theft (a very prevalent and growing cyber-crime)?

All of the site types listed above use spam to advertise their 'services' - they rely on the gullibility of Internet users for their funds, and there is absolutely no guarantee that any of them will actually supply the goods they claim to sell. If they do provide goods, they will often be substandard, fake or have virtually no commercial value to the purchaser. Caveat Emptor (buyer beware) has never been more important than it is now.

What can you do if you are caught? In most cases, absolutely nothing! Unless you can provide law enforcement authorities with details they can use (such as a street address or a name), there is nothing they can do to help - you have lost your money, and may even have on-going credit card problems (unauthorised withdrawals or identity theft).

Never purchase anything from spammers, nor visit websites that use spam advertising. Never click on links in spam e-mails (they often use codes to indicate which recipients of their pestilential rubbish responded). Never provide personal details to any spammer's website, and never use unsecured web pages to provide credit card or other personal details. Never, ever respond to e-mail purporting to be from banks or online payment systems that want you to 'verify your details' - you will almost certainly be phished, and could lose everything you own!


I Really Hate Spam

So, we all know that spam is insidious, hateful and a terrible time-waster, but there is worse to come. I use Mozilla for mail and browsing, and it has some very nice features (as well as some bugs, but that's another story). One of the really neat things I can do is turn off Javascript for mail, which means that the e-mail's "payload" usually does not show up at all. Along with the e-mail payload (whatever crap the useless turds are trying to sell you), I have seen Javascript that also passes information back to a central steenkin' spammer's site - is that scary? If this does not scare you, then I suspect that you are one of the great many who do not realise how much information Javascript can glean from your hard drive(s). I am no Javascript expert (far from it) but I do know that almost anything can be sent as an attachment using Javascript - have you ever visited a website where you can browse your hard disk for a file to attach to an on-line message? That's Javascript!

One thing that everyone should do is configure their mail client so that it will warn you if a return receipt is requested. If it is spam, then the very last thing that you should do is allow the system to generate a message saying that the message was received. This merely indicates that the address is "live" - it is a working e-mail address, so your e-mail address will then go into a select database of known valid addresses.

One of the things that probably annoys me more than anything else, is the insistence in spam e-mails that it is not spam, but that I somehow "requested" that Freddies Fabulous Finds (a real spammer) should send me their crap! No way! I have never been to the site, and absolutely will not do so - ever! Others tell me that I consented to allow some un-named web site's "affiliates" to contact me. Que? Again, no way!

The ultimate spam is that which urges you to join their "program", and after 10 days you will have money to burn. Almost without exception, these bastards want you to join in, and the only way you will ever make a cent is to send more spam in the hope that some other poor sucker will buy in as well. (Of course, you may well find a sucker or two, but don't expect to see that cent!)

A typical "unsubscribe" message might look like the following ...

Bullsh*t! I never went near their stinking site, nor any of their stinking spammer bastard "partner" sites. Interesting how these spammers seem to have more partners than an oversexed rabbit, but they will never disclose the site(s) that supposedly "referred" you. Unsubscribe? In your dreams! I once set up a free e-mail address, then waited for the inevitable - spam! I got some (of course), so tried "unsubscribing" to see what would happen. After a week or so, there were something like 245 e-mails waiting for me, and every single one of them was spam. By allegedly unsubscribing, all I did was let the spammers know that it was a live e-mail address, and the word obviously spread. What surprised me was how quickly it all happened - these unscrupulous bastards may well be bastards, but they have a system, and it works (more's the pity).

Have you ever gone to the website of a spammer? Lots of info on their "services", happy customers (what about the poor bloody recipients?), and so on, but will you find a contact page anywhere? Of course you won't - they send it, but they certainly don't want to receive steenkin' spam any more than the rest of us.

There are some very well known sites that seem to thrive on - or at least allow - spam. Yahoo is one, AOL is another, and so is Earthlink, Freeserve (UK), Bellsouth, MSN, etc, etc. To my mind this is unforgivable. That any ISP, hosting service or provider, regardless of anything, should allow its members to send spam is unbelievable - no-one wants it, everyone would like to see it stopped, but these bastards allow it to happen! I make a habit of boycotting any site that I get spammed by - you send me spam, and you will never get my business!

Death Really Is Too Good For Them
From a recent e-mail exchange on the subject, a reader did a few calculations (I quote from the e-mail) ...

Thanks Klaus - I don't really care much if the calculations are 50% out, it is still a scary and troubling problem, and one that will not go away until all governments enact serious legislation to make spamming a criminal offence. I maintain that first offenders should be subjected to the death penalty, with harsher measures for subsequent breaches.

I urge anyone interested in the topic to look at E-mail_spam. Very informative, but somewhat depressing.


Is There Anything Wrong With This Idea?
Since every IP address on the planet is known, logged and registered, and it is not difficult to determine the service running on that IP address, what is wrong with the following? ...

Now, how long would the spammers last? My guess is about 21 days. This approach is somewhat Draconian perhaps, but that is the only thing that will stop the rising traffic of junk mail. The "soft" options have been tried, and don't work. Legislation has been attempted, but politicians do not have the technical skills to know what legislation should be passed, and lobby groups get any potentially effective laws watered down so they are useless.

The risk to legitimate bulk e-mail senders would be minimal under this scheme. All they have to do is explain how they obtained a complainant's e-mail address, and malicious complaints could be treated with the same big stick as the spammers. The onus is on everyone to give everyone else a "fair go" - some people like junk mail, be it in their physical letter box or an electronic one, and they should not be denied the right to receive it if they wish. Others hate it with a deep passion, and they should likewise be treated with the dignity they deserve.

Now, I ask again ... "Is there anything wrong with this idea?"

I am open to suggestions, and if anyone can add anything useful to this scheme, you may send me an e-mail (see the Contact ESP page for details).

Above, I asked "Is there Anything Wrong With This Scheme". The answer (unfortunately) is 'yes'. Since much spam is generated from infected computers using the infected machine's address book, a bit of careful programming (and yes, this is done) ensures that the amount of e-mail sent from any one machine is small enough to 'stay under the radar' (as it were), and will not trigger global anti-spam blacklists and the like. As fast as we implement better anti-spam measures, the spammers (especially the criminal element) will adapt, modify their methods and generally remain one step ahead.


More Information
From one of my regular correspondents comes the following information (published with his permission). Fred (not his real name) administers a mail server in the Asia/Pacific region, and recently had a spam problem ...

Unfortunately, this is all completely correct. The story continues ...

The above is very sobering, and I learned a lot about SMTP (Simple Mail Transfer Protocol) and why the traffic generated by errors (e.g. incorrect addresses) is so great. When SMTP was written, it was used for a relatively closed group of academics - it was never intended as a mail transport for the entire world, but was simply adopted along with TCP/IP as the Internet grew.

The results are obvious (now), but back then no-one ever imagined that unscrupulous bastards (spammers) would attempt to hijack the entire system. Hindsight is, of course, an absolute science.

Also bear in mind that around 2/3 (or maybe a lot more) of the spam e-mails you receive are bogus - the "products" either don't exist, don't work or the descriptions are false or misleading. Without exception, you will be expected somewhere along the line to pay some money ... don't do it!

I'll say this again ... We should never purchase anything from spammers, nor visit websites that use spam advertising. If everyone did just that - made no purchases from spam adverts, and never visited a website that used spam advertising, spam would stop! Just like that! No-one would ever dare use spam to advertise if it instantly meant that every recipient was a "customer never to be".


My Bogus List

The process I describe here is (unfortunately) completely useless, and a great many spammers don't even bother to use real addresses, but rely on automated systems that make them up on the fly. Since this is about as crude as it is possible to imagine, anything as "sophisticated" as a bogus list is completely pointless :-(

As a matter of policy, I (once would have) urge(d) web sites worldwide to do what I have done below. Create a bogus list (you may copy mine freely, but please, please, make changes to it) - the more bogus e-mail addresses there are out there the better, since they pollute the spammer's lists, and create traffic (for which even steenkin' spammers have to pay something) for zero return. You may (of course) still do so, but the effects are unlikely to help at all - most regrettable.

Download your own copy of BOGUS now and join the fight against spam
bogus.zip
BOGUS is completely free for personal or commercial use, and may be given to anyone who wants it

BOGUS is a small program to generate complete web pages full of e-mail addresses. You may freely download and use BOGUS to create your own pages, richly populated with randomly generated e-mail addresses, all based on two dictionaries that you can modify yourself easily - as many e-mails as you want. Needless to say, the program (as with this web page) is completely free to use, distribute and copy. (Completely at your own risk, of course, - insert standard disclaimer absolving me of any responsibility whatsoever, regardless of what happens, how, why or to whom.)

A page can be created in about 2 seconds - it takes longer to type in a name, author and opening and closing "tags" than for BOGUS to write the page. You can edit the wordlists, substitute your own dictionaries (it supports any language ;-) and add more domain extensions (there is a comprehensive readme file in the zipped download). Easy to use, quite good fun (some of the stuff it can generate is highly amusing), and a great way to pollute spammers mailing lists. What more could you ask for?

There used to be a page full of BOGUS' output here (as well as links to 'web pages' generated by the program), but they have now been removed. Because of the changes to the spamming methods, the usefulness of BOGUS is seriously limited - so much so that I can no longer recommend its implementation. You may still download the program and use it if you wish, but I would no longer expect it to have any real use in the eternal struggle against this unwanted invasion. At least with junk mail in your letter box it is possible to just chuck it into the recycle bin (sigh).



Copyright Notice. This article is public domain, and may be copied, reproduced, republished, modified or stolen, without restriction of any kind (other than as set out below). There is no requirement to acknowledge The Audio Pages (or the author), however an e-mail saying that you have used this material would be appreciated so that I can judge how many people have joined in the campaign.

Redistribution specifically excludes the ESP logo, which is a registered trade mark of Elliott Sound Products.
Page created 25 Apr 2003