Message Board

Tracking Harvesters/Spammers

 So we've caught some harvesters, what now?
Author: G.Wood   (28 Dec 04 4:02pm)
So I've gathered that it's illegal to harvest email addresses (in some jurisdictions) and then spam them. I've set up mx records and honeypots. Now I've got data on some harvesters. What do I do next? I'm not a lawyer so I can't well sue these people (civil). Is there a way to bring criminal charges against them? How does one instantiate the provisions in the CAN-SPAM act? What should the next step be?
 
 Re: So we've caught some harvesters, what now?
Author: M.Prince   (28 Dec 04 4:23pm)
There are a lot of things we're working on and happy to have help.

We've begun to reach out to both federal and state law enforcement agencies with some of the data we've seen. For example, we've caught a clear pump-and-dump scam that we think the FTC and/or SEC may be interested in. I've worked with some people at the FTC on the legislative side of things, so I'm trying to use those contacts in order to talk to the appropriate investigators. It's going to take some time to build up a relationship with the enforcement agencies and show them that the data we have is both useful and reliable. We've begun that process, but it will take time.

We've also approached some state Attorneys General with whom we have existing relationships. Again, it's tough to find exactly the right target for a state AG (meaning, it probably has to be someone either in the state or known to be targeting the state's citizens), but we keep looking out for one. To that end, the most helpful thing is to get as many honey pots installed as possible.

On the private legal front we've begun speaking with some of our partners about how our data can be useful to go after spammers they've either 1) already targeted in existing legal actions, or 2) shake the tree to get some bigger fish (if you pardon the horribly mixed metaphor). I'm not sure when we'll get a lawsuit based on any of our data, but know that we're exploring that avenue.

On the technical side of things we're working on an additional service for our members that will be something akin to a RBL but for HTTP traffic. We'll allow anyone with an active honey pot to install a gateway to stop known harvester IPs from accessing their pages, or, depending on the settings, limiting the information that they're given if they do (stripping out email addresses, requiring them to pass through a CAPTCHA, etc.). We're going to launch those sometime in the new year, when we have time to put them together. If anyone is interested in helping with either the software authoring or testing of such a service, please let us know through the contact us page of this site.

As soon as our volume of spam picks up we're also going to begin sharing our data with other anti-spam services. For example, we've already agreed to give any spamvertised URLs to the SURBL service. We'd like to share our corpus of data with other open source anti-spam projects in order to help the technical spam community as well. Key to making the resource as valuable as possible is getting as many honey pots installed as we can. We're off to a great start, but probably need at least double the number of installed honey pots before we're reliably capturing a sizable chunk of harvesters and spammers on a virtually real-time basis.

To that end, I'm speaking at the MIT Spam Conference about the Project on Jan. 21st (www.spamconference.org) and then talking to email marketers about the risk of sending to harvested addresses at an ISIPP event on Jan. 27th in San Francisco (www.isipp.org). I encourage anyone interested to attend either! Or, if you're already going to be there, make sure you introduce yourself as a Project Honey Pot member!!

If any of our members are interested in filing lawsuits of their own, we'll be happy to help in any way we can. While we obscure some of the data on our site in terms of when the harvesters visited and when mail was received (in order to make it difficult for a spammer to tell what addresses are honey pots), we can provide that to you with more precision if it can help any legal case.

We've talked internally about trying to work with law firms in order to form a class action against harvesters. I don't think we have sufficient data to do that yet, but it might be something we try to organize on our own at some point in the future. If anyone knows a plaintiffs' attorney who would be interested in such a case, we'd be happy to talk with them.

Unfortunately, the legal process is often plodding. While the data we have is great, we will need a lot more before we're going to be able to use it to really make a difference. Of course, with every honey pot installed we get closer to that goal!

Thanks for your support! Let us know if you have any more ideas on ways we can help.
 
 Re: So we've caught some harvesters, what now?
Author: J.Wallace   (15 Jan 05 1:20pm)
Just an FYI, but 'RBL' is a trademark of MAPS LLC, which is why spam fighters call them dnsbl's now...

There is a mod_dnsbl for apache here:

http://software.othello.ch/mod_dnsbl/
 
 Re: So we've caught some harvesters, what now?
Author: M.Prince   (15 Jan 05 4:45pm)
Very interesting on both counts. I didn't know about the trademark. I just looked it up and it looks exclusive to SMTP traffic and email blocking. We haven't invested much in the name, other than buying a couple domains. We may try and come up with something else so the MAPS people don't have any reason to be upset.

mod_dnsbl looks TERRIFIC too. Could save us a bunch of time and coding putting together what we want. If anyone knows anyone involved in the mod_dnsbl project, please put them in touch with us. We'll try to contact them ourselves as well.

Thanks for the great info!
 
 Re: So we've caught some harvesters, what now?
Author: J.Coghill   (3 Feb 05 12:14pm)
Perhaps, in addition to the current scope of Project Honey Pot, somebody could put together a "signature Database" to forward in the form of petitions to initiate further anti-spam law, or to better facilitate a class action approach.

I've seen "signature list" databases for a large number of other topics ranging from special interest legislation to class action suits. Why not do the same with a list of people wishing to sign petitions to encourage legislation against email harvesting (for use in spam) along with being able to provide statistical data of known/confirmed email harvesters?

On a slightly different topic (also mentioned above), if data (such as known harvester IP addresses) is publicly available, it would be easy for any PHP (server parsing language) enabled website to add in IP blocks on any desired webpage, or globally through a php.ini directive (auto_prepend_file). Such scripts themselves, would be very easy to write and I'd volunteer to offer some examples or free code to do so (in PHP language).

Speaking of using an auto prepend/append server settings, on my own webservers, I auto append Honey Pot links, so that the HPs will be available for harvesters on any page on my server that includes PHP (which is over 95% of my total web content).

(I apologize for multiple subjects in a single message, but feel it would be less annoying than multiple replies to the same message thread for each separate subject)
 
 Re: So we've caught some harvesters, what now?
Author: B.Engert   (5 Feb 05 1:29pm)
Using a dnsbl in php is really ez. I use it on my forums because of some spammers. Most of this code is right off of a post on the php site. I added a little thing so it e-mails you when it blocks someone. You can remove/change that. Also, to use a different blacklist, change
$rbl = 'list.dsbl.org';

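<?php
// Look up the visitor's address in a DNSBL and refuse the page if it is listed.
$host = $_SERVER['REMOTE_ADDR'];
$rbl = 'list.dsbl.org';
// Reversing dotted octets only works for IPv4; other addresses skip the lookup.
if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
    // 1.2.3.4 becomes 4.3.2.1.list.dsbl.org
    $rev = array_reverse(explode('.', $host));
    $lookup = implode('.', $rev) . '.' . $rbl;
    // gethostbyname() returns its argument unchanged when the name does not
    // resolve, so any other return value means the address is listed.
    if ($lookup != gethostbyname($lookup)) {
        $msgbody = "date: " . date("r") . "\n";
        $msgbody .= "ip: " . $host . "\n";
        // Notify the admin of the block (remove or change as needed).
        mail("admin@email.com", "Blacklisted", $msgbody);
        echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n";
        echo "<html><head><title>Blacklisted IP</title></head><body>\n";
        echo "ip: $host is listed in $rbl\n You must have this removed before you can load this page\n";
        echo "</body></html>\n";
        die;
    }
}
?>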
 
 Sue them!
Author: C.Combs   (5 Feb 05 11:30pm)
Hello everyone,

I am an attorney here in San Diego County, California. I am actually litigating two different spam suits. Since I am only mildly technologically competent, it is quite satisfying to be able to do something about my deep and abiding hatred of spam.

Although the two lawsuits I have going are not based on catching a harvester through my honeypot, I have become quite familiar with California and federal spam law. I installed a honeypot on my Web site with the intention of filing a lawsuit against any harvester as soon as is feasible.

One of my lawsuits revolves around mortgage-related spam. The spam email that served as the basis for that complaint seems to be part of an alphabetical attack on the cox.net domain (but again, being only mildly technologically competent, I am not sure).

The other lawsuit revolves around some fool who actually harvested email addresses from the official State Bar of California web site. That was asking for trouble!

I am not exactly sure how I will proceed once I catch a harvester through my honeypot, but only because I haven't taken the time to think about it. If anyone here lives in Southern California and has caught a harvester, I would be happy to talk to you about the options. You can email me at "spamkiller /at/ combslaw /dot/ cc" (not ".com").
 
 Re: So we've caught some harvesters, what now?
Author: M.Purvis   (12 Apr 05 5:54pm)
I don't know much about modding Apache, but the best thing from an implementation standpoint would be simply a new $_SERVER variable that flags true/false whether the visiting IP is on the blacklist.

Then it's up to the coder to decide whether to remove emails or force your user through a CAPTCHA or... whatever.
 
 Re: So we've caught some harvesters, what now?
Author: E.Black   (5 Oct 05 2:11am)
[quote]
As soon as our volume of spam picks up we're also going to begin sharing our data with other anti-spam services. For example, we've already agreed to give any spamvertised URLs to the SURBL service. We'd like to share our corpus of data with other open source anti-spam projects in order to help the technical spam community as well. Key to making the resource as valuable as possible is getting as many honey pots installed as we can. We're off to a great start, but probably need at least double the number of installed honey pots before we're reliably capturing a sizable chunk of harvesters and spammers on a virtually real-time basis.
[/quote]

I assume the reference to spamvertised URLs means URLs contained in spam emails sent to honeypot addresses.

What plans are there for making the spam source IPs available as a DNSbl, or feeding them to other well-known and popular DNS blocklists (such as SpamCop and SORBS)?

The more honey pots installed, the better, but a large base of honeypots is not a prerequisite to detecting spam sent to harvested addresses. Accuracy and prevention of false positives is more important than the size of the chunk of harvesters being caught.

One problem of course is aging the entries on such a list, and automatic removal of an IP address from the list after a sufficient time with no further spam emails is most convenient and most accurate if it is automated.

But I sure would like to be able to configure my incoming SMTP MX to reject SMTP connections from any IP address listed as having recently sent spam to a honeypot email address!
 
 Re: So we've caught some harvesters, what now?
Author: S.Goodman   (11 Nov 05 2:05pm)
Most of the existing DNSBL's already use honeypot networks of their own, so rest assured that you are already benefitting from that. Adding another honeypot network to one or more of the DNSBL's would only help things.

I agree with E.Black about auto-delisting. IP's do change hands both within ISP's and as ASN's are reassigned. I personally like the approach of auto-removal after a certain amount of time without a honeypot hit.

Remember, we're talking about two different types of DNSBL here. One is the traditional type for IP's that send spam (or backscatter, depending on the list). The other is for harvester IP's for limiting access to a web site. Both would benefit from auto-delisting.
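
The auto-delisting that E.Black and S.Goodman describe above, as an added example that is not part of any post in this thread and is not Project Honey Pot's code: an entry stays listed only while honeypot hits keep arriving, and a helper builds the DNSBL query name for IPv4 as in the PHP snippet earlier, extended here to IPv6. The class and function names, the 30-day quiet period and the zone dnsbl.example.org are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

class HoneypotBlocklist:
    """Blocklist in which an entry survives only while honeypot hits keep arriving."""

    def __init__(self, quiet_period=timedelta(days=30)):  # 30 days is an assumed value
        self.quiet_period = quiet_period
        self._last_hit = {}  # ip_address object -> time of most recent honeypot hit

    def record_hit(self, ip, when):
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        if addr not in self._last_hit or when > self._last_hit[addr]:
            self._last_hit[addr] = when  # a fresh hit restarts the quiet period

    def is_listed(self, ip, now):
        last = self._last_hit.get(ipaddress.ip_address(ip))
        return last is not None and now - last < self.quiet_period

    def expire(self, now):
        """Delete entries with no hit inside the quiet period; return the delisted IPs."""
        stale = [a for a, last in self._last_hit.items() if now - last >= self.quiet_period]
        for addr in stale:
            del self._last_hit[addr]
        return [str(a) for a in stale]

def query_name(ip, zone):
    """Name a client looks up: reversed octets (IPv4) or nibbles (IPv6) under the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone

def demo():
    # Constructed sample data: documentation-range addresses and made-up hit times.
    t0 = datetime(2005, 11, 1, tzinfo=timezone.utc)
    bl = HoneypotBlocklist()
    bl.record_hit("192.0.2.10", t0)                         # one hit, then silence
    bl.record_hit("198.51.100.7", t0)
    bl.record_hit("198.51.100.7", t0 + timedelta(days=25))  # keeps hitting honeypots
    now = t0 + timedelta(days=40)
    delisted = bl.expire(now)
    return delisted, bl.is_listed("198.51.100.7", now), bl.is_listed("192.0.2.10", now)

if __name__ == "__main__":
    print(demo())
    print(query_name("192.0.2.10", "dnsbl.example.org"))
```

Running expire() on a schedule keeps the published zone small; is_listed() applies the same cutoff at query time, so a stale entry is never served even between runs.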




Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.
