

Spam
September 30, 2003 5:24 PM

Spam: This Time It's Personal. Andy Markley was really looking forward to a work-free Labor Day weekend far away from his computer. But he made the mistake of checking his inbox before he left for his planned holiday.
posted by lola (32 comments total)

 
friggin' blatant criminals like eddy marin walk the streets while the justice department pursues a boastful, self-promoting but essentially harmless doofus.
posted by quonsar at 5:39 PM on September 30, 2003


A dozen controlled drugs for sale over the Net without a prescription? First porn and now this? God bless you, internet.
posted by Samsonov14 at 5:54 PM on September 30, 2003


This happened to me! My domain (qspeed.com) was used to send out a bunch of spam. I only knew because a lot of it was bounced. I bet it was the same guy. I thought it was some odd virus or something, so I left my computer off one night to find the same thing the next day. Mad props to this artist for shutting the spammer down. I bet that's why it suddenly stopped.
posted by woil at 5:56 PM on September 30, 2003


quonsar: at first I thought you meant this boastful, essentially harmless self-promoter, but then I realized... no one would exactly describe her as a doofus. Not even quonsar.
posted by scody at 5:59 PM on September 30, 2003


Seriously, I'd expect more from a Wired article; this is just a little piece about how someone got a spammer shut down by his ISP. I'd imagine that a few hundred members of MeFi have done the same thing; I doubt anyone here has been written up by Wired for the effort.
posted by delfuego at 6:03 PM on September 30, 2003


this is currently happening to me, for the second time this month. It's highly irritating.
posted by palegirl at 6:04 PM on September 30, 2003


Why doesn't someone file suit against Eddy Marin for the harm caused to their business? A few judgments against him, and you might be able to shut down his operation.
posted by reverendX at 6:28 PM on September 30, 2003


It is happening to me too (also for the second time this month). Although this time seems much less severe (so far).
posted by Rattmouth at 6:33 PM on September 30, 2003


How's the hijacking happening? Are the victims running open mail relays?
posted by NewBornHippy at 6:33 PM on September 30, 2003


This shit stops when a handful of spammers get the living shit beat out of them. It's hard to spam with broken fingers.
posted by 2sheets at 6:37 PM on September 30, 2003


nothing is being hijacked. the mail headers are being faked with genuine domain names as the sender. this causes bounces to flood those domains, and clueless idiots who respond to spam to bombard them with complaints.
posted by quonsar at 6:39 PM on September 30, 2003


no, they just put some generated string @ my domain in their "from" field. Then I get all the bounced undeliverable emails.

I have no idea why my piddling personal domain would be targeted. Eddy Marin must hate adorable lesbian co-eds on the atkins diet.
posted by palegirl at 6:42 PM on September 30, 2003


2sheets: it's even harder to spam without fingers.
palegirl: trying to increase our site's traffic, are we?

oh, and btw:

[this is good]
posted by keswick at 6:56 PM on September 30, 2003


(Stumbles in from fark)

You had me at "adorable lesbian co-eds"

sorry...

Really though, how do I get this job:

"We have a number of consultants who have been tracking spam for years who are very good at it. We help law enforcement and their lawyers find the right places to issue subpoenas and search warrants and will act as expert witnesses in court cases."

That sounds like a worthwhile cause. Might even be fun.
posted by jopreacher at 7:05 PM on September 30, 2003


Same thing happened to me, hundreds of bounce messages but, oddly enough not a single complaint that I could discern. Of course I probably deleted one or two (dozen, a day) that could have been but looked like spam so I deleted them too.

I put a notice on the front page of my site that the spam wasn't coming from me...hopefully that counted for something.
posted by m@ at 7:05 PM on September 30, 2003


Had the same problem myself. Wrote my ISP. They couldn't help. Thanks to the spammer, any email I try to send to AOL gets bounced. Oh well.

Rather than deal with the deluge of bounced email, I changed my email server to not accept wildcard email addresses. It could still be going on for all I know.

And you gotta know that this WIRED article will just galvanize a spammer's vendetta against Markley.
posted by crunchland at 7:07 PM on September 30, 2003


It's a disgustingly common tactic these days. And unfortunately, there's really not much that can be done about it. Sure, you can track down the spammer and get his account closed, but that only inconveniences them for a short time before they get another account set up somewhere (hell, sometimes at the same place because the marketing people don't talk to the people shutting account abusers down). It's one reason I get sick of people talking about how great these spam tools are that send mail back harassing the spammer, because often these days the place it supposedly comes from has nothing to do with it.

How do you fix it? Well, without a major overhaul of how mail works on the internet, you don't. And I don't see that happening real soon, because there's a lot of zealots that insist that any sort of authentication scheme is too big an invasion of privacy. (Not to mention that some sort of more secure system would be a pretty major technological effort, this is not a simple drop in and run system).

Until such a day happens, it's basically grin and bear it. For me, it's putting up with my boss's paranoid "why am I getting these bounces, did someone hack my email account?" Thank god for spamassassin, it's catching around 99% of my spam mail, and almost never false positiving.
posted by piper28 at 7:39 PM on September 30, 2003


Happened to me with three different domains (one a client's). It's fucking annoying as hell. I bet if surveyed, most people would list spammers as THE worst thing about the internet. I agree with 2sheets: get them up against the wall.

I also thought the Wired article was light. There was an article linked off Romenesko recently about someone who won 50k in a spam suit that was more "About fucking time!" than this one was.
posted by dobbs at 8:05 PM on September 30, 2003


This has happened to me twice now (with one of my company's domains) and my hosting provider basically threw their collective hands in the air and said "nothing we can do, but if you don't sort it out within 24 hrs we will cancel your account". It turned out that it was as simple as putting my address in the reply-to field in the spam-mail (as mentioned above) and the result was several thousand bounced messages per hour clogging up the mail servers of the hosting company, bringing all their clients to a halt as far as sending or receiving e-mail went. I spent several hours responding to all the complaints that I got, also.

I believe that there is a way to stop a lot of this skullduggery - the ISPs can block sending of e-mail unless the sender has established their connection to the Internet through them. Unfortunately, the effective cost is very high, given that most (?) organisations do not use the same servers/providers for hosting and connection. There must be some way for ISPs to implement an authentication process to at least make it harder for spammers, though?
posted by dg at 8:14 PM on September 30, 2003


I believe that there is a way to stop a lot of this skullduggery - the ISPs can block sending of e-mail unless the sender has established their connection to the Internet through them.

Some ISPs do this already. It is very annoying if you need, for some reason, to use someone else's server to send mail (or if you run your own mail server).
posted by kindall at 8:19 PM on September 30, 2003


Yes, I know that some ISPs do it already and it has always seemed like a nuisance. Some also do not allow you to use different SMTP and POP servers and block you from their servers if your mail client is set this way. There may come a time, however, when the nuisance value of the spammers overcomes the nuisance value of the ISP forcing you to send your mail through them. Failing that, there must be some way to authenticate genuine users of the domain and allow them to send messages without making the whole thing a nightmare. Of course, there will always be rogue ISPs who don't care what you do as long as you pay the bills.
posted by dg at 8:34 PM on September 30, 2003


There must be some way for ISPs to implement an authentication process to at least make it harder for spammers, though?

There is, and it can be done without disallowing access from people on other ISPs. I've been doing it on the server that I've been running personally for the last four years, with a very simple method called "POP3 before SMTP." Basically it means that you have to check your email, providing a valid username and password, before you can send mail through the server. Once you do, your IP is allowed to send mail for a certain time period, mine is set to half an hour.
posted by CrayDrygu at 8:44 PM on September 30, 2003


crunchland: And you gotta know that this WIRED article will just galvanize a spammer's vendetta against Markley.

I hope not, but perhaps you're right. I even wonder if this one was as completely random as he says he believes in the article. It looks like Markley has been involved in anti-spam efforts before this incident, and has donated the logo designs for CAUCE (Coalition Against Unsolicited Commercial Email) and SpamCop.

dg: I don't understand what you mean when you say "It turned out that it was as simple as putting my address in the reply-to field in the spam-mail". What did you do?
posted by taz at 10:31 PM on September 30, 2003


nothing is being hijacked. the mail headers are being faked with genuine domain names as the sender. this causes bounces to flood those domains, and clueless idiots who respond to spam to bombard them with complaints.

Oh, you're right. I didn't read carefully.
posted by NewBornHippy at 10:33 PM on September 30, 2003


taz - I didn't do anything - the rotten mongrel pig spammer put my e-mail address as the "reply-to" address in the messages he (or she - equal opportunity hatred here) sent out. This means that anyone who replies to the message by clicking "reply" sends to me and any bounced messages also come to me.
posted by dg at 10:48 PM on September 30, 2003


ah. I see what you're saying... coming after "but if you don't sort it out within 24 hrs we will cancel your account", I misunderstood that you had done something to "sort it out". So, what happened? Did they cancel your account?
posted by taz at 11:03 PM on September 30, 2003


How do you fix it? Well, without a major overhaul of how mail works on the internet, you don't. And I don't see that happening real soon, because there's a lot of zealots that insist that any sort of authentication scheme is too big an invasion of privacy. (Not to mention that some sort of more secure system would be a pretty major technological effort, this is not a simple drop in and run system).

Privacy has nothing to do with it, it's very well accepted that a username/password pair is nothing near an invasion of privacy.

More of an issue is compatibility. There are probably millions of applications that support and use SMTP, a change to the protocols would break thousands of things - things that can't be upgraded.

Maintaining backward compatibility would of course leave holes open for spammers. We can all use the current instances of secure SMTP if we like, but that's not going to help.

So far, in the last month, my domain and at least three I manage have had this happen. It's one of the most annoying things I can imagine, but I have no idea how it can be fixed.
posted by sycophant at 11:16 PM on September 30, 2003


Allow me to join the chorus of the victims of the Joe Job. There's nothing to do but wait it out, or track down the filthy swine, and bash their rotten heads in. Bash, bash, bash.
posted by majcher at 12:58 AM on October 1, 2003


taz - sorry, yes I did sort it out. Partly to placate the hosting provider and partly to ensure that the trail from the spammer to my domain was broken, I wiped the DNS records of the domain completely so that it no longer pointed anywhere and waited a few days, keeping in touch with the hosting provider to see when the flooding subsided (it took two days). I then re-instated the DNS records and all was well for about a week, when I had to go through it all again. After that second time, I have not had any problems (so far). I suspect that this is probably an overkill, but it worked. The domain in question was not a major one, so it was not too hard to lose it for a few days but, had it been our primary company site domain, it would have been an even more expensive and frustrating exercise.

... track down the filthy swine, and bash their rotten heads in
Sounds like an excellent solution to me.
posted by dg at 2:30 AM on October 1, 2003


This happened to me too, but since it was immediately after I made a comment in a thread here about email spam, I always supposed it was one of you guys. However, if I was right, please consider not doing it this time. It caused me to curse loudly and vow never to put any of my creative work on the internet again. The vow lasted about as long as my vows to give up smoking usually do, but the cursing was full mighty and may have scared the neighbour's cat.
posted by walrus at 2:53 AM on October 1, 2003


I had an actual hijack on the server at my (ex-)office, apparently an open relay.

Pacbell pulled our connection, I talked, explained how we were clueless morons, they hooked us back up. Then it happened again.

We put in Zone Alarm and an SMS Barricade router. Did the trick.
posted by signal at 7:36 AM on October 1, 2003


I've been doing it on the server that I've been running personally for the last four years, with a very simple method called "POP3 before SMTP."

POP before SMTP was the best method for a while, but really a better choice these days is SMTP Auth. As far as I know all the major mail clients support it, and it doesn't even leave the server open for that brief time the way pop before smtp did. (And for me, the system would every now and then just decide to stop working for a while, which was annoying). Add STARTTLS to the equation for some security of the password.

There's absolutely no excuse for anyone ever to run an open relay. Anyone stupid enough to do so deserves having their mail blocked (yet it's still disgustingly common). Heck, MSU used to run one as their main mail relay for pop users, so for a long time my server (on campus) would block mail from msu itself.

Unfortunately, Pop before smtp and SMTP auth don't solve the problems related to the original message in this post, where people are simply forging the return addresses. SMTP itself is an inherently insecure protocol, and until it's replaced, this problem (or some other form of it) will probably persist. Even forcing people to send it through their ISP's servers won't really help (and would cause a lot of problems for business users that travel). Unfortunately because of the very reason that the system is so implanted, I don't see it changing anytime soon.
posted by piper28 at 11:41 AM on October 1, 2003
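
The "POP3 before SMTP" scheme CrayDrygu describes, and the two limits piper28 points out (the server stays open for the window, and the sender address is never verified), as an added example that is not part of the thread or any poster's server code. The class and function names, accounts, domains, addresses and reply strings are all constructed for illustration.

```python
import hmac
import time

LOCAL_DOMAINS = {"example.org"}        # constructed: domains hosted here
ACCOUNTS = {"alice": "correct horse"}  # constructed; plaintext only for the demo


class PopBeforeSmtp:
    """Relay allow-list keyed by client IP, opened by a successful POP3 login."""

    def __init__(self, window_seconds=1800, clock=time.monotonic):
        self.window = window_seconds   # half an hour, as in the comment above
        self.clock = clock
        self._expiry = {}              # ip -> time the relay permission lapses

    def pop_login(self, ip, user, password):
        expected = ACCOUNTS.get(user)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self._expiry[ip] = self.clock() + self.window
        return ok

    def may_relay(self, ip):
        deadline = self._expiry.get(ip)
        if deadline is None or self.clock() >= deadline:
            self._expiry.pop(ip, None)  # drop stale entries
            return False
        return True

    def smtp_rcpt(self, ip, mail_from, rcpt_to):
        # mail_from is never checked: the permission belongs to the IP alone.
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return "250 local"
        return "250 relay" if self.may_relay(ip) else "550 relaying denied"


def demo():
    now = [0.0]                         # fake clock so the window can be stepped
    srv = PopBeforeSmtp(clock=lambda: now[0])
    nat_ip = "203.0.113.7"              # documentation address, shared by a NAT
    out = [srv.smtp_rcpt(nat_ip, "alice@example.org", "bob@example.net")]
    srv.pop_login(nat_ip, "alice", "correct horse")
    # Any host behind the same address may now relay, with any envelope sender.
    out.append(srv.smtp_rcpt(nat_ip, "someone@unrelated.example", "bob@example.net"))
    now[0] = 1800.0                     # window has lapsed
    out.append(srv.smtp_rcpt(nat_ip, "alice@example.org", "bob@example.net"))
    return out
```

The middle result of `demo()` is the case SMTP Auth closes: with per-session authentication the permission is tied to the connection that presented credentials, not to every host behind one address.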




This thread has been archived and is closed to new comments