Re: Spam filters

Gerald,

Your spam filter doesn't work with Microsoft OutLook.

Joking aside, ever since I used Travelocity's Web site, and unfortunately gave
them my e-mail address, I have been getting about 4-7 spam messages a day and
it is getting really irritating.

I would like to write a "double spam" anti-spam filter. In addition to
filtering rubbish, once the filter (or user) has found a 'spammer' (via the
originator e-mail address), any messages received from the spammer triggers 100
messages (filter configurable) back to that originator address. Even if the
originator's mailbox has magically disappeared, hopefully it would cause pain
for the ISP's that allow spammers to work.

I remember hearing a lot about U.S. anti-spam legislation -- and how 'tough' it
is. Is it too vague, or is it just not being enforced?

Curtis.



On Dec 18, Gerald Oskoboiny <[email protected]> wrote:
>
> On Sun, Feb 20, 2000 at 11:38:10PM -0500, Gerald Oskoboiny wrote:
> :
> > So now I just delete spam from my inbox as it arrives, and try not
> > to get annoyed by it.
> >
> > I think if I ever try to deal with it again, I'll handle it using
> > a whitelist (as opposed to a blacklist), with a list of people or
> > domains I expect to receive mail from, and filter everything else
> > into a mailbox that I scan once a week or so.
>
> I've been getting a ton of spam lately (~36 messages per day this
> December, out of a total of 384 messages per day), so I implemented
> this whitelist-based filtering. Notes/code:
>
>     http://impressive.net/people/gerald/2000/12/spam-filtering.html
>
> Woohoo, no more spam in my inbox, ever!
>
> --
> Gerald Oskoboiny <[email protected]>
> http://impressive.net/people/gerald/
>
>
>

Re: Spam filters

On Mon, Dec 18, 2000, Curtis Johnstone wrote:
> I would like to write a "double spam" anti-spam filter. In addition to
> filtering rubbish, once the filter (or user) has found a 'spammer'
> (via the originator e-mail address), any messages received from the
> spammer triggers 100 messages (filter configurable) back to that
> originator address. Even if the originator's mailbox has magically
> disappeared, hopefully it would cause pain for the ISP's that allow
> spammers to work.

Hmmm... I am not sure that it is a good idea, especially because
spammers almost often use a fake email address. However, I thought that
there was a law which was forcing them to use a valid one, or at least
provide a way to write them back.

I always wondered if it was possible to sue spammers - I am in the US,
so why not?

If I say : "My email address is [email protected]. You may use this
address only if you are my parents or cousins. Any other person using it
without my approval will be prosecuted.", what value does it have?

--
Hugo Haas <[email protected]> - http://larve.net/people/hugo/
- I know you feel bad about the juice incident, but I'm sure you can
make up for it somehow. - That's it! Somehow! -- Homer Jay

RE: Spam filters

Yeah it is easy enough to spoof an SMTP address. Usually in the message
headers there is enough information to make a valid attempt at the address
or the Gateway though (of course if it went through a gateway that allows
relaying you just nailed the wrong person). I just got a spam from an e-mail
address : "uniqueproduct" just now (that's all in the originator address --
no '@' or right-hand side). The message header shows it came from the
gateway : (nwb1.nwb.co.jp [210.164.95.2]) -- see below. I telneted to port
25 and it accepted a message to "uniqueproduct". Who knows where it actually
went though.

I am very surprised there have not been more (any?) lawsuits in the U.S.
claiming lost productivity / downtime from mass spammers. The laws are
probably slippery and lack precedent.

Curtis.


Spam Message Header:

Received: from nwb1.nwb.co.jp (nwb1.nwb.co.jp [210.164.95.2])
         by in3.magma.ca (8.9.3/8.9.3) with ESMTP id WAA18194
         for <[email protected]>; Mon, 18 Dec 2000 22:47:32 -0500 (EST)
Received: from [210.162.95.82] ([63.15.28.127]) by nwb1.nwb.co.jp
         (Post.Office MTA v3.1.2J release 205-101-J ID# 0-0U10L2S100)
         with SMTP id AAC272; Tue, 19 Dec 2000 12:31:36 +0900
Message-ID: <[email protected]>
To: <Undisclosed.Recipients>
From: uniqueproduct
Subject: CHECK OUT THE HOTTEST PRODUCT SINCE THE PET ROCK
Date: Mon, 18 Dec 2000 21:30:03 -0600
MIME-Version: 1.0
Content-Type: text/html;
         charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-UIDL: f8e711c3017a44a077db3e2db522324e



-----Original Message-----
From: [email protected] [mailto:[email protected]]On
Behalf Of Hugo Haas
Sent: Monday, December 18, 2000 10:38 PM
To: [email protected]
Subject: Re: Spam filters


On Mon, Dec 18, 2000, Curtis Johnstone wrote:
> I would like to write a "double spam" anti-spam filter. In addition to
> filtering rubbish, once the filter (or user) has found a 'spammer'
> (via the originator e-mail address), any messages received from the
> spammer triggers 100 messages (filter configurable) back to that
> originator address. Even if the originator's mailbox has magically
> disappeared, hopefully it would cause pain for the ISP's that allow
> spammers to work.

Hmmm... I am not sure that it is a good idea, especially because
spammers almost often use a fake email address. However, I thought that
there was a law which was forcing them to use a valid one, or at least
provide a way to write them back.

I always wondered if it was possible to sue spammers - I am in the US,
so why not?

If I say : "My email address is [email protected]. You may use this
address only if you are my parents or cousins. Any other person using it
without my approval will be prosecuted.", what value does it have?

--
Hugo Haas <[email protected]> - http://larve.net/people/hugo/
- I know you feel bad about the juice incident, but I'm sure you can
make up for it somehow. - That's it! Somehow! -- Homer Jay
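
The Received chain in the spam header quoted in the message above can be read mechanically. The following is an added example, not part of the original thread; it assumes the common "from HELO (rDNS [peer IP]) by host" layout, and user@example.org is a constructed placeholder for the recipient address that the archive redacted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the spam quoted above, re-folded. The recipient was redacted
# in the archive, so user@example.org is a constructed placeholder.
SAMPLE = """\
Received: from nwb1.nwb.co.jp (nwb1.nwb.co.jp [210.164.95.2])
\tby in3.magma.ca (8.9.3/8.9.3) with ESMTP id WAA18194
\tfor <user@example.org>; Mon, 18 Dec 2000 22:47:32 -0500 (EST)
Received: from [210.162.95.82] ([63.15.28.127]) by nwb1.nwb.co.jp
\t(Post.Office MTA v3.1.2J release 205-101-J ID# 0-0U10L2S100)
\twith SMTP id AAC272; Tue, 19 Dec 2000 12:31:36 +0900
To: <Undisclosed.Recipients>
From: uniqueproduct
Subject: CHECK OUT THE HOTTEST PRODUCT SINCE THE PET ROCK

"""

# Assumed layout: from <HELO name> (<optional rDNS> [<peer IP>]) by <host>
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def analyze(raw):
    msg = message_from_string(raw)
    hops, findings = [], []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m:
            findings.append("unparsed Received line")
            continue
        helo, rdns, peer_ip, by = m.groups()
        hops.append({"helo": helo, "rdns": rdns, "peer_ip": peer_ip, "by": by})
        # An IP literal in HELO that differs from the socket peer means the
        # client misstated its own address to the receiving server.
        lit = re.fullmatch(r"\[([\d.]+)\]", helo)
        if lit and lit.group(1) != peer_ip:
            findings.append(f"{by}: HELO claimed {lit.group(1)}, peer was {peer_ip}")
        elif not lit and rdns is None:
            findings.append(f"{by}: no reverse DNS for {peer_ip}")
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" not in addr:
        findings.append(f"From has no domain: {addr!r}")
    # Each server prepends its line, so the last Received header is the
    # earliest hop; its peer IP is where the message entered the relay.
    origin = hops[-1]["peer_ip"] if hops else None
    return hops, findings, origin
```

Only hops recorded by servers you trust are reliable; Received lines below the first untrusted relay can be written by the sender.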

Re: Spam filters

On Mon, Dec 18, 2000 at 10:38:00PM -0500, Hugo Haas wrote:
:
> I always wondered if it was possible to sue spammers - I am in
> the US, so why not?

The other day on the list-managers list I read:

   [...] some states have written anti-spam
   laws with teeth.  See www.suespammers.org.  One fellow in
   Colorado claims to have collected $13k from spammers (money in
   hand, not just court awards).

   -- murr rhame
      http://www.egroups.com/message/list-managers/10638
      mid:[email protected]

Hmm... seems like it was actually in Washington state, not
Colorado, unless that $13k is just a coincidence:

   [Suespammers] Suing Spammers Successfully in WA
   http://www.suespammers.org/pipermail/suespammers/2000-July/000318.html

(linked from http://www.suespammers.org/ )

--
Gerald Oskoboiny <[email protected]>
http://impressive.net/people/gerald/

Re: Spam filters

On Mon, Dec 18, 2000 at 08:48:38PM -0500, Curtis Johnstone wrote:
> Gerald,
>
> Your spam filter doesn't work with Microsoft OutLook.

If you're using MS Lookout, you have bigger problems than spam :)

> Joking aside, ever since I used Travelocity's Web site, and
> unfortunately gave them my e-mail address, I have been getting
> about 4-7 spam messages a day and it is getting really
> irritating.

Hmm... they shouldn't be giving out your email address without
your consent. Some people use specific variations of their email
address for each site they sign up for, so they can tell for sure
who to blame for the spam.

It's also fairly likely that your address was harvested from the
fogo mailing list archives.

> I would like to write a "double spam" anti-spam filter. In
> addition to filtering rubbish, once the filter (or user) has
> found a 'spammer' (via the originator e-mail address), any
> messages received from the spammer triggers 100 messages
> (filter configurable) back to that originator address. Even if
> the originator's mailbox has magically disappeared, hopefully
> it would cause pain for the ISP's that allow spammers to work.

When I was a student with lots of time on my hands and spam was
just starting, I used to write back to each one saying "here is
the core dump you requested, please let me know if you need any
more", with a 4 meg attachment (which was big in those days ;)

But I have found that trying to track down spammers is just a
waste of time -- by the time you reply, either the open relay
has been shut down (or flooded with other complaints), or the
spammer's temporary ISP account has been shut down.

Once all the open relays are shut down, all the spam will have
to come from temporary ISP accounts. Some ways I have thought
of to eliminate that problem are:

1. ISPs should enforce a limit on the number of outgoing
   messages per day per account (maybe 10/day for new accounts,
   increasing to 100/day otherwise.)

2. ISPs should require a credit card for signup (maybe they do
   already), with a condition in the agreement that they will
   charge $1000 to the credit card if it's used for spamming.

But ISPs want to make it as easy as possible for new people to
sign up, so they need to be convinced this stuff is worth doing
somehow.

(#1 above seems easy and cost-effective to me, but #2 is trickier
to justify unless they can collect enough $1000 penalties to make
up for the loss of potential new customers.)

> Yeah it is easy enough to spoof an SMTP address. Usually in the
> message headers there is enough information to make a valid
> attempt at the address or the Gateway though (of course if it
> went through a gateway that allows relaying you just nailed the
> wrong person).

Open relays deserve to be nailed...

> I just got a spam from an e-mail address : "uniqueproduct" just
> now (that's all in the originator address -- no '@' or
> right-hand side). The message header shows it came from
> the gateway : (nwb1.nwb.co.jp [210.164.95.2]) -- see below.  I
> telneted to port 25 and it accepted a message to
> "uniqueproduct". Who knows where it actually went though.
:

I use a perl script called rlytest to check for open relays:

   http://www.unicom.com/sw/rlytest/

The previous system I used for spam filtering [1] could block mail
from known open relays using ORBS [2], but I found that it didn't
really solve my problem since a lot of spam was still getting
through, yet it would occasionally block a valid message. So I
decided to try a whitelist-based approach instead for a while.

So far, so good -- it trapped 18 messages from unknown senders,
three of them non-spam: one test message from a friend, and a bulk
email each from amazon.com and ebay (I could opt out of those,
but I'm interested in how those companies use email for marketing.)
I haven't enabled this filter for my w3c mail yet, or it would
have caught a lot more.

[1] http://impressive.net/archives/fogo/[email protected]
[2] http://www.orbs.org/

--
Gerald Oskoboiny <[email protected]>
http://impressive.net/people/gerald/

Re: Spam filters

At 20:48 12/18/2000 -0500, Curtis Johnstone wrote:
>Joking aside, ever since I used Travelocity's Web site, and unfortunately
>gave them my e-mail address, I have been getting about 4-7 spam messages a
>day and it is getting really irritating.

Mine's been getting very high, and I redid my strategy a couple of months
ago which is a combination of white-list/black-list but it's still far from
perfect.

1. things to my personal addresses from known friends -> In.
2. things to work address from known colleagues -> In.
3. everything else goes through filtering trying to snoop out if it's spam or
not and these sometimes catch too much (particularly things to public work
aliases to which I'm responsible), and sometimes not enough (when friends
send goofy emails from other addresses).


>I would like to write a "double spam" anti-spam filter. In addition to
>filtering rubbish, once the filter (or user) has found a 'spammer' (via the
>originator e-mail address), any messages received from the spammer triggers
>100 messages (filter configurable) back to that originator address. Even if
>the originator's mailbox has magically disappeared, hopefully it would cause
>pain for the ISP's that allow spammers to work.

I have this little windows application that sends a fake bounce message making
it look like the email address doesn't exist. I don't think I can pipe
things to it (being windows) but if I can (or if I find another) I might
hook it up to my confirmed spams...

>I remember hearing a lot about U.S. anti-spam legislation -- and how
>'tough' it is. Is it too vague, or is it just not being enforced?

On that note, a recent excerpt from an email to a spammer (they didn't
respond the second time!):

At 11:30 12/7/2000 -0500, Shoe Chair wrote:
>Mr. Reagle,
>
>You are not being spammed, as your name came up as a potential customer for
>our products.

I am being spammed, I don't care where you got my name from.

>This message sent to you is sent in compliance of the new email bill
>section 301. Per Section 301., Paragraph (a)(2)(C) of S. 1618, further
>transmissions to you by us of this email will be stopped at no cost to you.

First: your counsel has done a poor job! S1618/HR3888 expired in Committee
two years ago and IS NOT law.

Second: Even if 3888 was law I would sue for a civil remedy of no more than
$15,000 because you DID NOT comply by providing the spam removal as part of
your original email. [1]

Get some Net clue and stop sending this crap, and if you can't manage that
then get legal counsel at least.


[1] http://thomas.loc.gov/cgi-bin/query/D?c105:1:./temp/~c1051PmDAB:e29527:
H.R.3888 Anti-slamming Amendments Act (Introduced in the House)
(2) COVERED INFORMATION- The following information shall appear at the
beginning of the body of an unsolicited commercial electronic mail message
under paragraph (1):
...
(C) A statement that further transmissions of unsolicited commercial
electronic mail to the recipient by the person who initiates transmission of
the message may be stopped at no cost to the recipient by sending a reply to
the originating electronic mail address with the word `remove' in the
subject line.

__
Regards,          http://www.mit.edu/~reagle/
Joseph Reagle     E0 D5 B2 05 B6 12 DA 65  BE 4D E3 C1 6A 66 25 4E
MIT LCS Research Engineer at the World Wide Web Consortium.

* This email is from an independent academic account and is
not necessarily representative of my affiliations.
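
The whitelist filtering Gerald describes earlier in the thread, and the first two rules of the per-address scheme in the message above, come down to the same routing decision. The following is an added example, not code from the thread or from the page Gerald links to; all addresses, domains and mailbox names in it are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed policy: which senders are expected at which of my addresses.
# Entries are full addresses, or "@domain" (the domain and its subdomains).
WHITELIST = {
    "me@home.example": {"friend@mail.example", "@family.example"},
    "me@work.example": {"@work.example"},
}
REVIEW = "unknown"   # mailbox scanned occasionally instead of the inbox

def allowed(sender, entries):
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    for entry in entries:
        if entry.startswith("@"):
            want = entry[1:]
            # Exact domain or a true subdomain; a lookalike such as
            # "evilfamily.example" must not match "@family.example".
            if domain == want or domain.endswith("." + want):
                return True
        elif sender == entry:
            return True
    return False

def route(raw):
    msg = message_from_string(raw)
    # Match on the address part only; the display name is sender-chosen text
    # and may itself be made to look like a whitelisted address.
    sender = parseaddr(msg.get("From", ""))[1]
    if "@" not in sender:
        return REVIEW
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    for _, rcpt in rcpts:
        if allowed(sender, WHITELIST.get(rcpt.lower(), ())):
            return "inbox"
    return REVIEW

if __name__ == "__main__":
    # Constructed message: whitelisted address used only as a display name.
    spoof = ('From: "friend@mail.example" <bulk@promo.example>\n'
             "To: me@home.example\nSubject: hi\n\nbody\n")
    print(route(spoof))
```

The From header is not authenticated, so a whitelist of this kind reduces noise rather than proving who sent a message.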

HURL: fogo mailing list archives, maintained by Gerald Oskoboiny