Poisons spam bots dead!
November 21, 2000 4:56 PM   Subscribe

I've heard good things about wpoison. There's even a ColdFusion version that I've always wanted to install here, and I might very soon.
posted by mathowie at 5:14 PM on November 21, 2000

Won't that kill "useful" webcrawlers as well? (like search engines)
posted by lagado at 5:22 PM on November 21, 2000

actually, the bot would have to ignore a "NOFOLLOW-NOINDEX" robot command that all good search bots should interpret and respect.

Spambots don't care and grab everything.
posted by mathowie at 5:30 PM on November 21, 2000

They address that concern here.
posted by y6y6y6 at 5:38 PM on November 21, 2000

I installed this a while back. For extra measure, I set up files in my root public_html directory called porn.html and sex.html that redirect to copies of the CGI called porn.cgi and sex.cgi. It's fun messing with the spambots since they also will attempt to process every form on your site and grab the email address used there (if it's not hidden somewhere). And spambots don't care if you have numerous email addresses on your site. It will treat each as a unique address, and you will receive a copy of the spam for each address it scrapes. For instance, you might get spam at both feedback@my.domain.com and username@my.domain.com.

Procmail filters are your friend.
posted by camworld at 5:43 PM on November 21, 2000

my problem with wpoison, which may not be valid, is doesn't it create random addresses? isn't there a possiblity you will give the spambots a lot of real addresses? like maybe hfgsh@sasss.com actually becomes a valid email address in ayear, or is already, then what? then, you have condemned someone, who may already be taking normal smart anti-spam measures, to get spam forever, by basically signing him up to lists. Does wpoison address this somehow? I have a domain I have never used, but someone keeps signing up to web services using a fake address at it so they don't get spam. Well guess what, I do instead, and it's a pain, a huge pain.

Wpoison is a neat idea, but really it is not hurting spammers much (if anything, it just gives them thousands more addresses to tell their customers they are sending to), all it's hurting are innocent mailservers and routers, by putting more load on them than it would if you just took the normal steps to prevent spam. I can't see it really driving any spammers out of business, they won't even KNOW they're getting bad addresses because they don't get the bounces themselves.
posted by beefula at 9:20 PM on November 21, 2000

beefula: don't worry about the random addresses. Statistics comes down pretty firmly on the side of wpoison. Take your sample address: a five-letter address at a five-letter domain. There are over a hundred trillion such addresses. If we give every person in the world an email address, that's still only less than one "real" address in a thousand randomly-generated ones. [These assumptions are wildly conservative, by the way -- especially the five-by-five assumption: the real odds are much much steeper] Compared with the point of saturation -- the maximum amount of email a spammer can send out -- the tiny fraction of spam that's actually deliverable -- doesn't remotely add up to enough to worry about.

And as for your second point: well, if spammers were really helped out by having more garbage emails, they wouldn't bother harvesting them. They'd just make them up themselves. It hurts spammers by making their assaults less effectual. It helps stomp out spam in the sense that nobody will bother with spam because it doesn't work.

Sometimes I wonder with spammers. The ads are so transparently awful, so carelessly put together, so indscriminately answered: how could they ever possibly work? Might it be the case that the spammers already are failing at their chosen business -- but are too stupid to realize?
posted by grimmelm at 9:40 PM on November 21, 2000

Wpoison is not good for a site which, like mine, redirects all mail sent to non-existing accounts in the domain and sends it to root. I use this method because then I don't have to squander several of my ten free addresses for the standard accounts: webmaster, postmaster, abuse, etc.
posted by Mo Nickels at 12:12 AM on November 22, 2000

Mo Nickles, Doesn't wpoison generate the entire address, including the domain name? If it does, how would that interfere with your rerouting of non-existing accounts?
posted by dogwelder at 8:19 AM on November 22, 2000

grimmelm: I think they're getting smarter, or more geeks are getting evil.

A couple of weeks back I got an email that told me there was a web card waiting for me at example.com (can't remember actual URL, if anyone's greatly interested, I can dig it up when I get home).

Eager - I haven't gotten a web in ages! - I clicked on the email link and was redirected to the front page, saying "error redirecting, please enter your email address and the confirmation number to access your web card."

I was then privy to a really, really bad dancing flash cartoon dog or somesuch, saying "Have a good day".

The sender information was:

[error accessing database, please try again]

The message on the card was:

[error accessing database, please try again]

The date sent was:

10/10/2000.

[note: that's a date I just made up, my memory isn't that good, but it was around then so I may be right]

They could get the date sent but they couldn't get the rest of the information? What?

I got suspicious. After looking around a bit, all the site is is a place to get web cards. You can't send them, there's no about page or anything. These clever bastards now know that my email address is live, and they can turn around and sell it to whomever they want.

I can't help but admire the devious nature, but it's disappointing to see someone clever enough to come up with that being part of the Dark Side.
posted by cCranium at 8:58 AM on November 22, 2000

Ah, does it create the domain also? Last time I tried the software (or was it a different package?) it only created fake account IDs.
posted by Mo Nickels at 1:13 PM on November 22, 2000

I think the utility of wpoison is limited by our inability to ever know the extent to which those fake addresses are used. We can assume they are being generated to fill out those "77 MILLION E-MAIL ADDRESSES!" lists. There's no proof that adding junk to those lists actually reduces spam received by legit addresses found within them. It could help in various DoS-sy ways, by making the perl script waste cycles, bog down the smtp or dns servers, etc. to the point where the spammer is detected and shut down after sending a comparatively smaller amount of real spam.

Mo, here's an example generated by the Perl version. There was an earlier C version, perhaps that wasn't as smart. Note that not only does it generate e-mail addresses, it ties up the bot with a circular series of links to itself. Again, basically a DoS-sy approach to dealing with them.

I wonder if any bots are tweaked for wpoison detectcion and avoidance.
posted by dhartung at 4:27 PM on November 22, 2000

I wonder if any bots are tweaked for wpoison detectcion and avoidance.

The author's instructions suggest that you rename your copy of the CGI to anything that isn't "wpoison" and doesn't contain the word "spam"; apparently at least one spambot was programmed to detect and ignore URLs containing that text.

-Mars
posted by Mars Saxman at 6:05 PM on November 22, 2000

I still just do not see how this is going to cause any noticeable harm to spammers whatsoever, that is my main question here. Are they supposed to get all discouraged and give up because their click-through rate goes down by 0.0005% ? I see the point about maybe this will reduce how well spam works, but really, that is not going to happen, let's face it.

I see wpoison as a really ineffective remedy that people like because it seems sort of cool and vigilante-esque, but I think if anyone really thinks this thing is ever going to even cause enough cumulative damage to spammers to make even one of them reconsider spamming, you're nuts.
posted by beefula at 7:30 PM on November 22, 2000