Poisoning the bots

Postby RTrev » Thu Mar 29, 2007 1:25 am

I'm kind of new here, and new to web design and web issues, so please forgive me if this is an old subject which has been hammered into the ground already.

I've got a little site I set up as a way to learn web design, PHP, MySQL, and so on. In chatting with some other folks, I decided to join those who set traps for the spam bots and feed them a lot of poisoned addresses, link them to other sites which do the same, and so on.

What I've done is to grab 5 inexpensive domains, and set up their DNS "A" records to be 127.0.0.1 - the localhost address. Any mail addressed to any user name on any of those domains will never leave the spammer's server.. although the server will try, sometimes for days, to send it before giving up. It keeps the spam from clogging the net because it never gets sent at all. And there is no chance of accidentally generating a random address that someone else actually owns - or might own in the future.

Then I wrote a page for my own site which looks like a normal index.html page in a directory called /email. The HTML page is actually a PHP page which is parsed by PHP due to a .htaccess file in that directory. When the page is accessed, it generates a random number of 100-1000 bogus email addresses, all pointing to one of those 5 domains. There are some links on the bottom of the page to direct the bot either back to the same page again with a freshly generated list of new bogus addresses, or to some other sites which use different methods of messing with bots.

And finally, to provide a link for the bots to find that special page, I wrote a short article about what I was doing and included the link.. along with the suggestion that it not be clicked unless the visitor was in fact a bot. :)

So, does this sound like a good approach? If so, would any others be interested in doing similar things, and linking to each other? We could all share our "black hole" domains, so that our lists would have more variety, and any bot stumbling into any of our "traps" would hopefully go on a feeding frenzy and suck up enough bad addresses to really screw up the spammer's address list.

Any comments, thoughts, interest?

Thanks,
Bob
RTrev
 
Posts: 9
Joined: Sun Mar 11, 2007 8:00 am
Location: Near Rochester, NY
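As an added illustration (my own Python, not RTrev's PHP page), the following builds the same kind of trap list with the check a practitioner would want before publishing one: every black-hole domain is verified to resolve only to loopback or RFC 1918 addresses, so no generated address can ever reach a real mailbox. The name tables, the domain names and the DNS answers in FAKE_DNS are all constructed so it runs offline.

```python
import ipaddress
import random
from typing import Dict, List

# Constructed sample data (not from the thread): short name tables standing in
# for the census-derived MySQL tables, and three hypothetical domain names.
FIRST_NAMES = ["james", "mary", "robert", "patricia", "john", "jennifer"]
LAST_NAMES = ["smith", "johnson", "williams", "brown", "jones", "garcia"]
CANDIDATE_DOMAINS = ["blackhole-one.example", "blackhole-two.example",
                     "oops-routable.example"]

# Stand-in for a DNS lookup so the example runs offline: each domain maps to the
# addresses its mail host resolves to (MX target, or the A record when no MX exists).
FAKE_DNS: Dict[str, List[str]] = {
    "blackhole-one.example": ["127.0.0.1"],     # RTrev's loopback setup
    "blackhole-two.example": ["192.168.0.1"],   # Paranoid2000's private-range variant
    "oops-routable.example": ["203.0.113.10"],  # documentation address standing in for a real host
}

# Only loopback and RFC 1918 space can never carry mail to a third party.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_non_routable(ip: str) -> bool:
    """True if ip lies in loopback or RFC 1918 private space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_ROUTABLE)

def usable_blackholes(domains, resolve) -> List[str]:
    """Keep only domains whose every resolved address is non-routable; a domain with
    no answer or any routable answer is dropped, since mail to it could reach a real server."""
    ok = []
    for d in domains:
        ips = resolve(d)
        if ips and all(is_non_routable(ip) for ip in ips):
            ok.append(d)
    return ok

def make_poison_list(count, domains, seed=0) -> List[str]:
    """Build count plausible-looking addresses on verified black-hole domains."""
    if not domains:
        raise ValueError("no verified black-hole domains to use")
    rng = random.Random(seed)
    styles = ["{f}.{l}", "{f}{l}", "{f[0]}{l}", "{f}{n}"]
    out = []
    for _ in range(count):
        local = rng.choice(styles).format(f=rng.choice(FIRST_NAMES),
                                          l=rng.choice(LAST_NAMES), n=rng.randint(1, 99))
        out.append(f"{local}@{rng.choice(domains)}")
    return out
```

A page like the one described would call `make_poison_list(random.randint(100, 1000), usable_blackholes(CANDIDATE_DOMAINS, FAKE_DNS.get))` on each visit, with a real resolver in place of FAKE_DNS.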

Postby josh » Thu Mar 29, 2007 1:27 pm

Poisoning the lists is a great idea (and one of the overall motivations of spamgourmet, really), and the method you're using is better than some of the older methods that try and make up unlikely addresses on arbitrary domains (which probably led to a bunch of error messages on unsuspecting email servers, and maybe even a few hits to real mailboxes).

I know sendmail gives up right away when it detects an MX resolving to a local IP address (including localhost), when that same host isn't listed in the "local-host-names" file -- there are a lot of ways that spammers use to send spam, but it's likely that most of them won't get tripped up after the initial resolution, but that's not to say it doesn't take some time. Also, my theory is that anything that reduces the value of a commoditized list of email addresses is a good thing. It's easy enough to clean the list with a script that performs MX resolution for each host and removes the loopbacks (and ones that resolve to our server, for that matter), but with widespread distribution of invalid addresses, the cloud still hangs over those lists.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby RTrev » Thu Mar 29, 2007 1:39 pm

Thanks for the reply, Josh.

What I've been looking for is a list of other domains which have set their "A" record in the same way. Can't seem to find any, or I don't know how to search for them. Surely there must be lots of them out there, as I have some and I know of at least 2 other people who do. If we all shared them, we could generate much more effective lists of poisoned addresses, with more variety in them.

I'm not sure I want to link to sites which merely generate random names and domains.. too much chance of "collateral damage" and since at least some of the email actually gets on the net and gets routed around I'm not sure it isn't doing more harm than good.

Got any leads to finding other domains set up to do this the right way? I'll be happy to add mine to any such public list.. although I'm not sure that's such a hot idea since the spammers will have access to the list also. Sigh. :roll:

Tks,
Bob

p.s. If I were to PM my domain names to you, would that be helpful in any way to you?

Postby gourmetBink » Fri Apr 06, 2007 5:13 pm

I'm very fond of Project HoneyPot (http://www.projecthoneypot.org)

I've captured a few harvesters this way on my sites, and have received emails letting me know that I'd identified a previously unknown harvester (and poisoned its list), and it's quite satisfying to be able to contribute this way.

I am, however, thinking about implementing your darling little scheme. It sounds fun, too!
gourmetBink
 
Posts: 2
Joined: Fri Apr 06, 2007 5:08 pm
Location: New York, NY

Postby RTrev » Fri Apr 06, 2007 5:28 pm

gourmetBink wrote:
I'm very fond of Project HoneyPot (http://www.projecthoneypot.org)

I've captured a few harvesters this way on my sites, and have received emails letting me know that I'd identified a previously unknown harvester (and poisoned its list), and it's quite satisfying to be able to contribute this way.

I am, however, thinking about implementing your darling little scheme. It sounds fun, too!


Well, the more the merrier! :D

I've spiffed it up a bit, by grabbing the most popular first and last names from the census, and putting them in MySQL tables, and randomly generating valid looking names that still point to the loopback domains. What I need now is to get some bots to come sniffing. I had a few, but that was before I set this up. Now all I see is Google occasionally, and because that's a polite bot it honors the robots.txt and the meta-tags on each page. I figure it's only the kind of bot that would *not* honor those that we are really targeting.

Since my site is new, and I'm just using it to learn, I get almost no traffic there.. so I can't really test out this approach yet as much as I'd like to.

I've looked at Honeypot a bit, but will go back and look again.

Thanks,
Bob

Postby gourmetBink » Fri Apr 06, 2007 5:41 pm

RTrev:

Since my site is new, and I'm just using it to learn, I get almost no traffic there


Backlinks. You'll need a lot of backlinks from highly-trafficked, relevant sites. Optimize your site for whatever your main keyword(s) is/are, then get links to your site onto related sites that are frequently indexed, and update your site often. (If you can't do that, then include RSS newsfeeds.) Traffic will follow.

Wait: that's how you get good traffic. You're looking to get bad traffic. Okay; that's easy, too: post to newsgroups, especially the highly-trafficked ones. Make sure the URL is in each post, in your .sig. Post the URL to FFA pages. Post the URL to free ad forums. Using a SpamGourmet email address, sign up for safelists and distribute the URL that way. Same goes for splogs.

That should get you started!

Postby RTrev » Tue Apr 10, 2007 9:06 am

Thanks.. all of those sound good. But I went and checked out Project Honey Pot as you suggested, and now I'm thinking that a better use of my extra domains might be to contribute them to these folks. Hmm. Got some thinking to do. Thanks again for the ideas!

Bob

Postby Paranoid2000 » Wed Apr 11, 2007 7:29 am

Rather than using the loopback address 127.0.0.1, how about a private IP address? (especially 192.168.x.x). Connections to these should be rejected by any Internet routers but they may correspond to local routers (especially 192.168.0.1). Most spam relays will be hijacked PCs so a spammer isn't likely to notice loopbacked connections, but some local routers may react to overzealous connections by blocking traffic temporarily, forcing the real owner to take steps to clean their system.
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

Postby RTrev » Wed Apr 11, 2007 12:25 pm

Paranoid2000 wrote:
Rather than using the loopback address 127.0.0.1, how about a private IP address? (especially 192.168.x.x). Connections to these should be rejected by any Internet routers but they may correspond to local routers (especially 192.168.0.1). Most spam relays will be hijacked PCs so a spammer isn't likely to notice loopbacked connections, but some local routers may react to overzealous connections by blocking traffic temporarily, forcing the real owner to take steps to clean their system.


Interesting thought! I'd like to do whatever it takes to make the spam problem decrease, and maybe this would help.

There was an interesting discussion on one of the GRC newsgroups the other day, where a guy showed up saying he had this big project in mind which would essentially amount to a careful collecting of spammer's addresses and then launching attacks at their site via distributed little programs that he hoped people would download and run. He got blasted, of course, and told that the collateral damage would inevitably be high, that he couldn't accurately target the spammers, and that the end didn't justify the means. He's remaining rather staunch in his outlook, from what I can see. He seems like a nice guy, but the folks in the groups didn't feel he had really thought this out very well.

Anyway, I bring that up because I wonder about the ethics of doing something that could cripple a home network.. or a small business.. even possibly putting them out of business if they didn't figure out the problem in time. Know what I mean?

The idea certainly has appeal, but, I'm not sure if this might be crossing that line. I think of the medical credo of "First, do no harm."

It's a complex issue, isn't it? As this one guy was arguing, to win a war sometimes one must go on the offensive. It was a great thread, which you can read here if you're interested:

http://12078.net/grcnews/article.php?id=26705&group=grc.spam#26705

This is just a temporary web interface to Steve's news server until he can get around to writing a full-featured one. If anyone wants to participate the nntp server is news.grc.com.

Regards,
Bob

Postby Paranoid2000 » Fri Apr 13, 2007 12:27 am

RTrev wrote:
There was an interesting discussion on one of the GRC newsgroups the other day, where a guy showed up saying he had this big project in mind which would essentially amount to a careful collecting of spammer's addresses and then launching attacks at their site via distributed little programs that he hoped people would download and run.

Check out the Kill Spammers forum for more "active" spam countermeasures - the most effective at the moment is a Firefox extension that allows users to place fake orders (with plausible CC numbers) on spammers' websites.

RTrev wrote:
Anyway, I bring that up because I wonder about the ethics of doing something that could cripple a home network.. or a small business.. even possibly putting them out of business if they didn't figure out the problem in time. Know what I mean?

On the other hand, if their system/network has been compromised by a spammer, it is also likely being used for other purposes like DDoSing websites, intercepting sensitive data or hosting illegal/fraudulent websites.

RTrev wrote:
The idea certainly has appeal, but, I'm not sure if this might be crossing that line. I think of the medical credo of "First, do no harm."

Another medical analogy to consider is that of "enforced quarantine". A system that has been hijacked in this way is a danger to itself and others, like a patient with a virulent disease - isolating it "for the greater good" would seem an appropriate response.

RTrev wrote:
It's a complex issue, isn't it? As this one guy was arguing, to win a war sometimes one must go on the offensive. It was a great thread, which you can read here if you're interested:

Similar topics (and bandwidth-absorbing tools) have been around for some years now - check out SpamVampire for something similar. However the more advanced spammers counter this by using hijacked systems for hosting, IP blacklists and requiring session IDs for images. It does undoubtedly make life harder for them - but more people need to be involved to stop the biggest players (Pharmacy Express, My Canadian Pharmacy, etc).

Postby RTrev » Fri Apr 13, 2007 12:34 am

Thanks for the thoughts.. and the quarantine thought seems a pretty good one. I'll go and check out the Kill Spammers forum. I certainly like its name. :)