bbs.spamgourmet.com

[denada]

I was reviewing the results to a contest form of one of my clients earlier today and noticed the following:

Code: Select all

| 450 18th Street 1-C          | assoc.30.rootbeer@recursor.net      |
| 450 18th Street #K2          | tnt.30.ibm@xoxy.net                 |
| 412 Ave. of the Flags #4S    | aol.97.aolnet@neverbox.com          |
| 412 Ave. of the Flags Num 2E | aol.95.aolnet@neverbox.com          |
| 412 Ave of the Flags, Num 2B | aol.75.aolnet@neverbox.com          |
| 412 Ave. of the Flags 2C     | aol.55.aolnet@neverbox.com          |
| 412 Ave. of the Flags - 2C   | aol.35.aolnet@neverbox.com          |
| 412 Ave. of the Flags #2B    | aol.90.aolnet@neverbox.com          |
| 412 Ave. of the Flags N. 4C  | aol.70.aolnet@neverbox.com          |
| 412 Avenue of the Flags 2C   | aol.50.aolnet@neverbox.com          |
| 412 Ave of the Flags 2S      | aol.30.aolnet@neverbox.com          |
| 446 18th Street A-2B         | sbs.56.rootbeer@neverbox.com
| 446 18th Street Apt C7       | aol.25.msmail@neverbox.com          |
| 446 18th Street Apt A7       | aol.90.msmail@neverbox.com          |
| 446 18th Street F1           | aol.80.msmail@neverbox.com          |
| 446 18th Street C6           | aol.70.msmail@neverbox.com          |
| 446 18th Street D2           | aol.60.msmail@neverbox.com          |
| 446 18th Street Apt C8       | aol.50.msmail@neverbox.com          |
| 450 18th Street J1           | osha.41.msmail@neverbox.com         |
| 450 18th Street 3A           | osha.65.msmail@neverbox.com         |
| 450 18th Street K4           | osha.31.msmail@neverbox.com         |
| 450 18th Street #C3          | osha.21.msmail@neverbox.com         |
| 2139 Carlyle Ave. 502        | us.81.rootbeer@antichef.net         |
| 450 18th Street F6           | netop.25.rootbeer@recursor.net      |
| 2139 Carlyle Ave. 406        | us.91.rootbeer@antichef.net         |
| 1158 26th Street S#. 278     | cnet.35.msmail@xoxy.net             |
| 2139 Carlyle Ave. #105       | link.26.rootbeer@antichef.net       |
| 2139 Carlyle Ave. #503       | us.71.rootbeer@antichef.net         |
| 2139 Carlyle Ave. #203       | link.91.rootbeer@antichef.net       |
| 2139 Carlyle Ave. #101       | us.61.rootbeer@antichef.net         |
| 2139 Carlyle Ave. #307       | link.81.rootbeer@antichef.net       |
| 2139 Carlyle Ave. Apt. 401   | us.51.rootbeer@antichef.net         |
| 2139 Carlyle Ave. Apt. 305   | link.71.rootbeer@antichef.net       |
| 2139 Carlyle Ave. Apt.403    | us.41.rootbeer@antichef.net         |
| 2139 Carlyle Ave. 301        | link.61.rootbeer@antichef.net       |
| 1158 26th Street Num. 278    | cnet.25.msmail@xoxy.net             |
| 2139 Carlyle Ave. #203       | link.51.rootbeer@antichef.net       |
| 2139 Carlyle Ave. #107       | link.36.rootbeer@antichef.net       |
| 2139 Carlyle Ave. #103       | link.41.rootbeer@antichef.net       |
| 2139 Carlyle Ave. Apt. 205   | us.21.rootbeer@antichef.net         |
| 2139 Carlyle Ave. #201       | link.31.rootbeer@antichef.net       |
| 2139 Carlyle Ave. #207       | us.31.rootbeer@antichef.net         |
| 2139 Carlyle Ave. #101       | link.21.rootbeer@antichef.net       |

this is just a small sampeling of over 1000 entries... This is a concern for me, and obviously makes me consider blocking all spamgroumet related domains from posting to any forms I create for any of my clients... obviously this will prevent many of your legitimate users from using them, and there was at least one participating in this contest...

Any comments from the spamgourmet users/admins?

[denada]

From what I can tell there are 3 legitimate spamgourmet accounts in an SQL dump of around 1200 emails. The remaining accounts all belong to the usernames rootbeer, ibm, mci, aolnet and msmail.


The problem here:

with a dynamic email address and the ability to add an apartment number to a house, so all real mailings will still arrive properly, and not to mention faking the name (90% are using the same last name or variations thereof with a fake first name)...

It's a shame, I am 100% for privacy (I use a different email address for every site I signup to, such as here) and I can see this being a useful tool for many people, but this kind of thing makes it a pain for me to do my job.... I think I will simply be taking the easy way out on this, sadly enough.

[Guest]

obviously makes me consider blocking all spamgroumet related

You would block all 65,000 users of an absolutely fantastic service because you found 3 individuals that use that service contrary to its terms of service?

Presumably it's contrary to the entry rules for the contest, too. Just delete that respondant.

To quote the FAQ:
Q. This would be perfect for signing up for online sweepstakes and coupon offers, etc.
A. It is! Keep this in mind though: do use a spamgourmet address to sign up instead of using your regular address, it'll save you from getting spammed to death later - don't write a script that repeatedly signs up using different spamgourmet addresses (or any other email addresses, for that matter) - this may be considered fraud, and is squarely contrary to the spamgourmet terms of service.[/b]

[josh]

I've puzzled over this one -- problem is that when people do this, they aren't using our system to create the addresses -- they get created automatically later *if* they're used. I can shut off the accounts, but they can create new ones - you know that drill.

Where I'm at with it is that if you want to pursue fraud charges and present credible evidence pursuant to a legitimate claim (you've gone a long way toward that already), I'll be happy to cooperate with whatever information I have.

Remember also that spamgourmet is not an anonymizing service. If you have an email dialog through one of these addresses (even if "address masking" is turned on), you'll be able to see the server where the user's email orginated in the headers - spamgourmet does not remove prior headers, it just adds to them. The only thing you wouldn't be able to see is the user's email address (if masking was on), but that would only be useful if you wanted to send spam - it wouldn't help identify the user, and it's absence won't hurt.

Blocking these addresses will be an uphill battle for you - spamgourmet isn't the only service that could be used this way (e.g. yahoo disposable email addresses and many others). The best policy might be to go ahead and pick the winner, then analyze the db to see if something like this has happened -- if it has, then draw again? Good luck...

[xdcdx]

Like Josh said, a lot of services allow this.

Cheaters can set up a mail server that accepts all mails sent to their domain. Like cheat1@domain.com, cheat2@domain.com, etc.

Even with Gmail you can use: any_word#user@gmail.com and mails will arrive to user@gmail.com account. Would you ban *@gmail.com because of this? I don't think it's a good idea.

[denada]

Thank you for your replies... I am not disagreeing that this is a useful service, I would use it if I didn't have my own methods (domain catchall with a server side perl script I wrote to route my emails to the appropriate places if someone sold my email address etc... pretty much what xdcdx was explaining.)

As Guest was stating, yes I would consider blocking 65k of users, the same way alot of my clients end up requesting me to block the millions of yahoo, hotmail etc users because of the simple fact that they are easily created and in essence considerd disposable addresses. Are my clients significant to enough to make this an issue, not in all cases no, but I have worked with the U.S. Treasury, McDonalds, The International Olympic Comitee in the past, (and of course couple of thousands of little mom&pop sites that would not be significant). The client I discovered this issue on is a leading cosmetics company, and the contest was publicized in one of the larger magazines targetted at a female/16 to 30 demographic, and they received over 20,000 entries in about two weeks. Measures were taken to only allow one entry per person, and this starts to defeat that when each e-mail address ends up unique etc. From a budget perspective, my time is better spent doing actual work then weeding out this kind of issue.

It's definatly nothing personal against spamgourmet. As stated before I would use it myself if I had a need for it, but for my clients, as well as attempting to be profitable in business by not wasting valuable hours attempting to weed this out, it would be in my best interest to block this out.

I appreciate Josh's explanation, and yes it is a moot point, because you are right, users will continue to misuse something if they have found out a way of doing so. I for one would never sell the e-mails gathered from the sites I work on, nor want to work with companies that do so, but obviously it's in the users best interest to protect themselves, because they don't know me nor my policies since so many sites claim to respect your privacy, yet a week later you are getting hundreds of emails to that address.

I wish I had a better solution, and for now you're suggestion of simply choosing a winner and then analyzing just that entry would be the best bet, but for future scenarios I will need to come up with a better solution.

Thanks for your time, I'll be back to check on this thread again ;)

[denada]

xdcdx, on a slightly off topic note, I would like to point this article out in regards to gmail http://www.seroundtable.com/archives/000323.html

(do note, I myself have a gmail account and use it occasionally)

[xdcdx]

Hi there,

thanks for the advice, but the person who made the blog misunderstood the thread. They are talking about some kind of corporation refusing to answer back to a Gmail user, not an ISP blocking Gmail outbound mail.

Anyway, I have made my Gmail account my main email address, and I don't plan to quit using it unless the whole word forces me to do so. I trust Google a lot more than I trust Yahoo, or (even worse) Microsoft. For further details, please read the second post starting from the end that I wrote here: http://bbs.spamgourmet.com/viewtopic.php?t=235

[denada]

I don't blame you, gmail is far more trustworthy then the others, and keeping in mind the fact that it could tie into their data gathering efforts, I know not to use my gmail account for sensative information, same goes for orkut.com

As a closing note on this thread, I will come back to spamgourmet, and see what is new, it looks like a promising service, and who knows, perhaps a solution to this kind of issue will come up.

Thank you to those that replied, I was seriously expecting to getting flammed with my remarks, and am pleasantly suprised that I didn't. You have a good community going here, keep it up

[Guest]

Go ahead and block it. If people were serious about enterting a contest they would be using valid email address and not a bunch of asshole cheaters.

[jbs]

I can hardly begin to address the absurdity (and vulgarity) of the prior post -- in my view only the most naive of internet users would regularly sign up to contests with their true email address and not a spam trap one. Using your "real" email for contest entries is the surest way to turn it INTO a spam trap.

What I wanted to comment on instead was the increasing prevalence of disposable email address functionality from providers. Spamgourmet is the first service I used with this, but now I can get it with Gmail, Yahoo, Runbox, etc etc etc. As also mentioned above anyone can create countless addresses from their own domains.

It will therefore be IMPOSSIBLE to block all sources of these addresses (unless you decide to ONLY accept addresses from domains that you know don't do this, but even AOL and ISPs allow for 5~10 addresses per account).

Since this will be impossible to maintain, I'd tend to agree that the right approach is to make it clear when signing up that multiple entries will be disqualified, and that a selected winner who turns out to have input false info (i.e. the 80 different first names or a made-up apartment number) will be disqualified. You then pick your winner and spend some time confirming that THAT one is legit. Statistically, it won't affect the outcome to have the extra 1000 dummy entries in there when you draw, and in fact the more times a cheater cheats, the better your chances of recognizing them if they are selected. That is, I could enter 3 times, triple my chances and if you pick me you'd never catch the cheating (home address with wife's name and email, work address with my name, dad's address with his name). If I enter 1000 times, though, you're sure to catch me if I win.

--Jason

[Guest]

I use my spamgourmet address for entering contests which is a hobby of mine. I would be upset to see these addresses banned because a few people are taking advantage of the system.

Couldn't these same people sign up for 10 yahoo, hotmail, gmail accounts if they really wanted to?

I have thought about signing up for an account with one of the aforementioned services just for sweeping, however, one bad (fraudulant) contest I signed up for has generated about 17k plus spam emails since March. If it hadn't been a spamgourmet address I would have been forced to abandon this account long ago.

[SysKoll]

Maybe I'm beating a dead horse and rehashing the obvious here, but I think this problem (multiple entries into contests by cheaters using sg addresses) is pretty much solved now.

If you run a contest, all you have to do is send a confirmation email (to which the contestant must reply for validation) to the email address entered by the contestant.

Since Josh recently added a counter to the message receiving code, each sg user can receive at most N emails per hours before his account is blocked for a time T. I'm not sure about the current values of N and T (Josh, care to comment?). I believe it's N = 100 and T = 1 hour.

The net effect is that a cheater could enter at most N entries in a row. N is statistically very small compared to the expected amount of entries, hence the cheater cannot overwhelm the context anymore. If you have 100,000 entries and N is 100, what's the cheater's odds? 0.1%.Not worth the trouble.

[Paul]

It occurs to me (sometimes the gears turn slowly) that the multiple-entry problem is in no way constrained: anybody can buy their own domain and create as many email addresses on that domain as they wish, dedicated to a specific contest if they choose and retiring (filtering) addresses as necessary later on.

Which leaves the contest managers with the same problem as was faced above: keeping the contest fair requires diligence. I would therefore tend to lend my support to the suggestion given above, that when the potential winner is identified the entry is validated against all the other entries for duplicates, and disqualified as necessary.

Of course, any time there is a restrictive rule there is opportunity for abuse. In this case, I could attempt to disqualify friends whose relevant information I knew, by simply submitting a couple entries on their behalf. At least that opportunity should be narrow - I shouldn't be able to guess the information for general participants. And while a challenge-response system would limit even that chance, it isn't always practical and could lead to disgruntled customers if they believe they entered the contest but in fact did not.

[Onlooker]

Wouldn't a logging of the IP address of the entrant allow the creation of code to check for this type of thing?