
SoylentNews is people

posted by CoolHand on Tuesday September 27 2016, @11:44PM
from the sweet-sweet-honeypot dept.

From The Register:

Brian Weinreich has been trolling spammers for two years using a bot that fires realistic and ridiculous replies to the pervasive online salespeople.

He simply forwards unwanted emails to a specific address and the bot takes over, offering the spammers open-ended questions that they fall over themselves to answer.

My favourite bit from Brian's blog is "after the first month, I didn't have to feed the Looper any more. People were just spamming it on their own." The spammers were selling on the list of "biters" to other spammers.

The code is on GitHub.

[editor's note: we covered a somewhat similar story here. Does this one have the same ethical implications?]



Related Stories

Blogger Turns Tables on Cyber-Scammer 60 comments

Some may have heard of scambaiting spammers to waste their time and resources. There are many sites like 419eater which concentrate on it. However, Arthur T Knackerbracket has found the following story which takes things a step further. A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware. Whether or not that is ethical is left as an exercise for the readership.

But Ivan Kwiatkowski played along with the scheme until he was asked to send credit card details. He instead sent an attachment containing ransomware.

[...] When Mr Kwiatkowski's parents stumbled across one such website, he decided to telephone the company and pretend he had been fooled.

The "assistant" on the telephone tried to bamboozle him with technical jargon and encouraged him to buy a "tech protection subscription" costing 300 euros (£260).

Mr Kwiatkowski told the assistant that he could not see his credit card details clearly and offered to send a photograph of the information.

But he instead sent a copy of Locky ransomware disguised as a compressed photograph, which the assistant said he had opened.

"He says nothing for a short while, and then... 'I tried opening your photo, nothing happens.' I do my best not to burst out laughing," Mr Kwiatkowski wrote in his blog.

[...] Mr Kwiatkowski said he could not be absolutely certain whether the ransomware had infected the scammer's computer, but there was a fair chance it had.

"He did not let on that something had happened to his computer, so my attempt is best represented as an unconfirmed kill," said Mr Kwiatkowski.

"But encrypting a whole file system does take some time."

He acknowledged that some people may have found his retaliation unethical, but said responses had been "mostly positive".



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by tynin on Wednesday September 28 2016, @12:12AM

    by tynin (2013) on Wednesday September 28 2016, @12:12AM (#407134) Journal

    Spammers operate under the assumption they'll get a response from a fraction of a percent(age?) of people. Tying up their time is the only way to make them lose. They provide no benefit to society. Let them enjoy the inverse benefit they reap from the innocent people they prey on.

    • (Score: 2) by butthurt on Wednesday September 28 2016, @03:06AM

      by butthurt (6141) on Wednesday September 28 2016, @03:06AM (#407167) Journal

      The e-mail addresses that spam is purportedly sent from are sometimes actual e-mail addresses that don't belong to the spammers ("joe-jobbing"). A story from April explains it:

      /article.pl?sid=16/04/24/1439218 [soylentnews.org]

      Sending replies to those addresses burdens their owners. A better place to send a reply is the abuse mailbox (<abuse@example.com>) of the organisation from which the message arrived.

      • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @04:24AM

        by Anonymous Coward on Wednesday September 28 2016, @04:24AM (#407190)

        But those individuals will not respond to the spam trolling bot and not get tied up in this rabbit hole. Those who take the spam troll bait get what they deserve.

        • (Score: 4, Insightful) by butthurt on Wednesday September 28 2016, @06:59AM

          by butthurt (6141) on Wednesday September 28 2016, @06:59AM (#407250) Journal

          Spam doesn't only harm us when we respond to it. The harm it does lies also in:

          - time spent examining mail to determine whether it's spam
          - storage space used by spam
          - time spent downloading spam
          - failure to see messages we want to see because they were among spam
          - delays or rejections of desired messages by inaccurate spam filtering

          This bot may e-mail people who never wrote to it. You seem to be saying that ignoring the bot's messages is a suitable response. It was an option for the creator of the bot, as well. For emotional reasons, he decided against it:

          That “Spam” button on Gmail just didn’t get me going anymore. There’s no reward. I was seeking revenge.. and some comedic relief.

    • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @05:25PM

      by Anonymous Coward on Wednesday September 28 2016, @05:25PM (#407523)

      "... by talking ...."

      Dang, I hoped that was literally true.
      Anyone got something like this for the voice phone line?

  • (Score: 2) by Thexalon on Wednesday September 28 2016, @12:34AM

    by Thexalon (636) on Wednesday September 28 2016, @12:34AM (#407138)

    (Sadly, the lameness filter won't allow me to post the whole checklist, so just read it yourself [craphound.com])

    Your post advocates a vigilante approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    • Requires too much cooperation from spammers

    Specifically, your plan fails to account for

    • Asshats
    • Extreme profitability of spam
    • Extreme stupidity on the part of people who do business with spammers
    • Dishonesty on the part of spammers themselves

    and the following philosophical objections may also apply:

    • Feel-good measures do nothing to solve the problem
    • Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    • Sorry dude, but I don't think it would work.
    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 4, Insightful) by Kell on Wednesday September 28 2016, @01:00AM

      by Kell (292) on Wednesday September 28 2016, @01:00AM (#407144)

      I'm not convinced that this could not scale. If you had enough honeypots, you could reduce the SNR for spam replies and make spamming uneconomical. While it gets close to "Spammers don't care about invalid addresses in their lists", in fact, because it's providing false positives and not just a sinkhole, it actively reduces the one limited resource available to spammers (i.e. their time).

      --
      Scientists ask questions. Engineers solve problems.
      • (Score: 2, Informative) by Anonymous Coward on Wednesday September 28 2016, @03:43AM

        by Anonymous Coward on Wednesday September 28 2016, @03:43AM (#407175)

        What about when the spammers start using bots? Now a spammer bot can get into a long discussion with anti-spammer bots. The problem will just scale both ways.

        • (Score: 1, Insightful) by Anonymous Coward on Wednesday September 28 2016, @09:43AM

          by Anonymous Coward on Wednesday September 28 2016, @09:43AM (#407300)

          If bots were good enough to talk suckers out of their money, spammers would already be using bots.

          Spamming the spammers with fake questions from fake suckers sounds like it would indeed work to harm spammers' fraudulent business.

    • (Score: 3, Insightful) by edIII on Wednesday September 28 2016, @07:39AM

      by edIII (791) on Wednesday September 28 2016, @07:39AM (#407264)

      Worse. You could just go with technically impossible and idiotic, which is true. It requires the actual expenditure of time and resources on behalf of the spam operators to even make a difference at all, and that's highly dubious. Accepting to addresses from outside sources would be ludicrous and irresponsible, and the git code looks like something to operate a honeypot. Amusingly this would just get you on the IP blacklists yourself and blocked from legitimate servers. The word for the traffic it generates is called Back Scatter, and it's bad [wikipedia.org].

      Most emails are not seeking direct engagement as their goal, but to deliver malware, or surreptitiously seek information with phishing scams instead. Unless it's very specifically the Nigerian scammer type email where there is an actual human being waiting for the reply, this is spam itself the majority of the time it's operating.

      Besides, it's an art form that is rarely appreciated. I think of it as desperate African soap opera that is also interactive. Some people don't appreciate theater.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
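An added example, not part of any comment in this thread and not the bot's code from GitHub: one way an auto-responder could avoid the joe-job and backscatter problems raised in butthurt's and edIII's comments, by replying only when its own mail server recorded a DMARC pass for the From domain. The authserv-id `mx.receiver.example`, the action names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.receiver.example"  # assumption: our own MTA's id


def parse_auth_results(value):
    """Parse one Authentication-Results value (RFC 8601)."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    methods = {}
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:
            continue  # e.g. the bare "none" result
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method.lower()] = (result.lower(), props)
    return parts[0].split()[0].lower(), methods


def reply_decision(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return (action, reason); action is 'reply', 'report' or 'drop'."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1]
    from_domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    if not from_domain:
        return ("drop", "no usable From address")
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return ("drop", "automatic message, never auto-reply (RFC 3834)")
    return_path = msg.get("Return-Path")
    if return_path is not None and parseaddr(return_path)[1] == "":
        return ("drop", "null return path, the message is itself a bounce")
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, methods = parse_auth_results(header)
        if authserv_id != trusted_id:
            continue  # stamped by someone else, possibly the sender
        result, props = methods.get("dmarc", ("none", {}))
        if result == "pass" and props.get("header.from", "").lower() == from_domain:
            return ("reply", "From domain passed DMARC at our own MTA")
    return ("report", "From unauthenticated, possible joe-job: use the abuse "
                      "mailbox of the network the message arrived from")


# Constructed sample messages (not real traffic).
JOE_JOBBED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.forged.example; dmarc=pass header.from=victim.example
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dmarc=fail (p=none) header.from=victim.example
From: "Sales" <joe@victim.example>

Hello
"""
AUTHENTICATED = """\
Return-Path: <seller@bulk-sender.example>
Authentication-Results: mx.receiver.example; dmarc=pass header.from=bulk-sender.example
From: seller@bulk-sender.example

Hello
"""
BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.other.example

Hello
"""

if __name__ == "__main__":
    print([reply_decision(m)[0] for m in (JOE_JOBBED, AUTHENTICATED, BOUNCE)])
```

The forged `mx.forged.example` header in the first sample is ignored because only results stamped by the receiver's own authserv-id are trusted.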
  • (Score: 5, Insightful) by Zz9zZ on Wednesday September 28 2016, @12:35AM

    by Zz9zZ (1348) on Wednesday September 28 2016, @12:35AM (#407139)

    If you were around my area of the Earth I'd buy you a beer, this is the type of story I expect to see around here. No mention of those who must not be named even!

    --
    ~Tilting at windmills~
  • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @12:56AM

    by Anonymous Coward on Wednesday September 28 2016, @12:56AM (#407142)

    This is how it ends.

    • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @01:36AM

      by Anonymous Coward on Wednesday September 28 2016, @01:36AM (#407149)

      As long as the robots don't spam me, I guess that's OK?
      Now, if the robots want to talk dirty, maybe that's something that might be popular?

  • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @01:10AM

    by Anonymous Coward on Wednesday September 28 2016, @01:10AM (#407147)

    This guy has an app that will talk to telemarketers. [gizmodo.com] Listen to some of his demonstrations on youtube. It's very realistic. At first I thought it was a real person and he was going to hand it off to the bot to do the work, but the demos are 100% bot from the start.

    • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @09:03AM

      by Anonymous Coward on Wednesday September 28 2016, @09:03AM (#407294)

      Affirmative responses seem rather risky to me.

      Anderson’s sophisticated algorithm makes telemarketers think there’s an actual person on the line with random affirmations like “yes, uh huh, right.”

      I'd go with "Oh could you hold on for a moment, my XYZ is acting up" then "Let me get a pen and paper". "That sounds interesting.".
      "How intriguing". "Sorry, I didn't get that, can you explain it again?".

      Lots of stuff that gets them to talk more is less error prone.

      • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @09:46AM

        by Anonymous Coward on Wednesday September 28 2016, @09:46AM (#407302)

        Risky how? You think the bot's going to give out bank account access using pre-recorded affirmative responses?

        • (Score: 3, Informative) by DannyB on Wednesday September 28 2016, @02:18PM

          by DannyB (5839) Subscriber Badge on Wednesday September 28 2016, @02:18PM (#407390) Journal

          "Affirmative responses seem risky"

          It seems risky to me too. If your bot is saying "Yes" to something, what did it just say Yes to?

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
        • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @07:17AM

          by Anonymous Coward on Thursday September 29 2016, @07:17AM (#407766)

          They often don't need the bot to give out bank account info to sign you for stuff. In some cases they have all the info already and all they need is for you to agree to the "upgrade/purchase". If the telemarketer wises up, he could try to get lucky with the confirmation till he gets the Yes, Yes, Yes in a row and then "Thank you very much, sir".

          There's often a cooling off period but I think the whole idea is to avoid work on your end while having them do lots of work for nothing.

          If in your country saying "Yes" to stuff over the phone isn't binding then sure, then there's no problem with having your Lenny say "Yes".

      • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @03:48PM

        by Anonymous Coward on Wednesday September 28 2016, @03:48PM (#407455)

        > I'd go with "Oh could you hold on for a moment, my XYZ is acting up" then "Let me get a pen and paper". "That sounds interesting.".

        LISTEN TO THE RECORDINGS.
        That's exactly what he does.

        The occasional affirmative is there to keep them on the hook in case they start thinking they are being totally dicked around. People say "yes" all the time without exactly understanding the question. Human communication is noisy; this makes it more realistic, and thus less risky.

        • (Score: 0) by Anonymous Coward on Thursday September 29 2016, @07:19AM

          by Anonymous Coward on Thursday September 29 2016, @07:19AM (#407767)

          READ THE COMMENT. THE PROBLEM IS Lenny does say "Yes".

          How does a Lenny saying Yes make it less risky than a Lenny who never says Yes (or No)?

  • (Score: 5, Informative) by Leebert on Wednesday September 28 2016, @01:39AM

    by Leebert (3511) on Wednesday September 28 2016, @01:39AM (#407150)

    If you haven't listened to any of the "Hello, this is Lenny" series, you're really missing out: https://www.youtube.com/playlist?list=PLduL71_GKzHHk4hLga0nOGWrXlhl-i_3g [youtube.com]

    No a.i. at all involved: It's just a well-orchestrated set of responses that seem to work in just about every situation. Every call has "Lenny" saying essentially the same thing. It's amazing.

  • (Score: 3, Insightful) by jmorris on Wednesday September 28 2016, @03:48AM

    by jmorris (4844) on Wednesday September 28 2016, @03:48AM (#407177)

    The only evaluation criterion for anti-spam measures is "are they exploitable to attack the innocent?" So long as the counter measure can be assured to only impact the spammer anything up to and including high explosives are morally acceptable.

    This method could, at worst, be induced to send a spam to an innocent that isn't going to make sense to them and won't have an active payload. If widely deployed in sufficient variations to prevent the spammers from learning to thwart it easily, it could raise the cost of spam enough to make it uneconomical. Which is the only long term defense; if it is profitable, somebody is amoral enough to send it.

    • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @04:51AM

      by Anonymous Coward on Wednesday September 28 2016, @04:51AM (#407199)

      > So long as the counter measure can be assured to only impact the spammer anything up to and including high explosives are morally acceptable.

      What's sad is that I fully believe you mean every word of that literally.
      Fundies are freaking scary as shit.

      • (Score: 3, Insightful) by jmorris on Wednesday September 28 2016, @05:28AM

        by jmorris (4844) on Wednesday September 28 2016, @05:28AM (#407214)

        It is logic. Spammers can't be stopped by talking them out of it. Spammers can't be stopped with technical measures short of actions more likely to render the Internet useless than solve the problem. But if the civilized world told these scum in second and third world countries running "bulletproof hosting" that they might want to ask themselves if they are "bombproof", the cost of hosting spammers, scammers and bot controllers would almost instantly get repriced to a point where a spammer couldn't make enough to remain profitable. A datacenter is a pretty delicate and expensive thing, a single Hellfire missile would really impact uptime and availability and totally screws up the pricing calculation. More importantly, every reputable customer would be outta there the second the threat was made. Finally, we haven't even considered the impact on insurance premiums yet. Hellfire missiles are not on any insurance carrier's risk profile, few would be willing to even consider covering such a risk.

        Consider that a typical datacenter is lightly populated at best. If less than ten medium price pieces of ordnance could eliminate spam, botnets and most of the other crap every network admin spends far too many hours mitigating for a decade with a loss of life likely to be in the single digits, can you honestly say the idea doesn't intrigue you and you aren't at least secretly wanting to subscribe to the newsletter?

        Thinking outside the box can be fun!

        The only other idea that might work would be if a critical mass of backbone operators picked one country per month, delivered them a list of rogue 'bulletproof' datacenters who have refused to disconnect known criminals and give them an ultimatum. Close those operators within seven days or see their entire national set of IP blocks dropped at every router under control of the organization until they comply. Doubt it could be maintained though. Easy enough to bully a non-aligned third world hellhole but they have little net and can't support the worst offenders, it is the second world that is causing the problems and they engage in enough ecommerce Amazon and Google would not allow it.

        That is why it needs to be bombs. Quietly. A datacenter in eastern Europe goes BOOM! in the night when it is believed it is unoccupied and nobody officially claims responsibility. If the mass media pick up on it at all, nobody knows anything except it might have been terrorists. But as the news is spreading like wildfire on the dark Internet, that underworld is told to expect the beatings to continue until behavior improves. Suddenly nobody is advertising 'bulletproof hosting' and they are reduced to relying entirely on hijacked Windows PCs and highly distributed C&C systems. Very hard for new beginners to break into that game. Now start tracking down and seizing the assets of the remaining pros with operations rich enough to be worth seizing.

        • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @07:01AM

          by Anonymous Coward on Wednesday September 28 2016, @07:01AM (#407253)

          We have "Military Intelligence" (yes, I know) - why the hell are they not taking down the hosting networks? Given their budgets, and their need to improve their image, surely "we eliminated spam (If I told you how, I would have to kill you)" would get more budget support than "we might, possibly, have snuffed out a barely credible terrorist plot that we are not able to tell you about". Particularly as the police kill more people than terrorists.

          I am talking about "umbrella marks in their legs" - not DoS attacks.

          I think Joe Public would generally be quite supportive of telemarketers being dropped into the ocean from helicopters. Or buried in wet cement. Hell, they might even crowd-fund it (Mafia, are you listening?)

          • (Score: 2) by EQ on Wednesday September 28 2016, @03:35PM

            by EQ (1716) on Wednesday September 28 2016, @03:35PM (#407443)

            Spam? Hell, just take out the DDOS punks, that would make them cyberheroes.

          • (Score: 2) by Grishnakh on Wednesday September 28 2016, @04:12PM

            by Grishnakh (2831) on Wednesday September 28 2016, @04:12PM (#407475)

            I think Joe Public would generally be quite supportive of telemarketers being dropped into the ocean from helicopters. Or buried in wet cement.

            Burying telemarketers in wet cement is very, very wrong. When the human body decomposes, it'll cause the concrete structure to be horribly compromised. You can't bury people in wet cement, as this could have catastrophic results later; what if it's done for a building foundation? That could result in a collapsed building.

            Dropping telemarketers into the ocean from helicopters is a waste of fuel and money. Helicopters are very, very expensive to operate and use a lot of fuel, and require a lot of maintenance. If you must drop telemarketers into the ocean, do it with far more inexpensive fixed-wing airplanes. But even this is costly and burns fuel. But at least it'll give the sharks something to eat.

            Personally, I think it would be much more economical and environmentally-friendly to feed telemarketers to hungry bears or mountain lions.

            • (Score: 2) by HiThere on Wednesday September 28 2016, @06:22PM

              by HiThere (866) Subscriber Badge on Wednesday September 28 2016, @06:22PM (#407549) Journal

              Well, you could cannonize them.

              --
              Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
          • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @04:37PM

            by Anonymous Coward on Wednesday September 28 2016, @04:37PM (#407494)

            I got the image of turning on the news to see the talking head say, "and in other news President Obama ordered the launch of an ICBM that blew up the call center used by the autodialer that starts with a cruise ship blowing its horn. According to polls, he now has a 98% approval rating."

        • (Score: 2) by DannyB on Wednesday September 28 2016, @02:26PM

          by DannyB (5839) Subscriber Badge on Wednesday September 28 2016, @02:26PM (#407397) Journal

          Since the NSA likes to keep exploits secret, thus depriving our own systems of defenses, maybe they should use some portion of their capability to continuously disrupt spam and malware operations.

          Maybe disrupting these operations is worth investing significant taxpayer resources into. While difficult to calculate, there would be a substantial payback in savings to our own IT economy in terms of human time saved, bandwidth, storage, email lost in a sea of spam, investment in spam filter development, malware countermeasures, etc. The costs of all that are not insignificant.

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
        • (Score: 0) by Anonymous Coward on Wednesday September 28 2016, @03:50PM

          by Anonymous Coward on Wednesday September 28 2016, @03:50PM (#407456)

          > It is logic.

          Said every asshole everywhere. You got the playbook down. How's the final solution coming along?

        • (Score: 2) by HiThere on Wednesday September 28 2016, @06:24PM

          by HiThere (866) Subscriber Badge on Wednesday September 28 2016, @06:24PM (#407552) Journal

          The problem is false positives. (False negatives just make the proposal less effective.)

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 2, Funny) by Oakenshield on Wednesday September 28 2016, @08:20PM

          by Oakenshield (4900) on Wednesday September 28 2016, @08:20PM (#407593)

          It is logic. Spammers can't be stopped by talking them out of it. Spammers can't be stopped with technical measures short of actions more likely to render the Internet useless than solve the problem.

          Spammers can't be bargained with. They can't be reasoned with. They don't feel pity, or remorse, or fear. And they absolutely will not stop... ever, until you are suckered out of your money.

  • (Score: 2) by Bot on Wednesday September 28 2016, @09:53PM

    by Bot (3902) on Wednesday September 28 2016, @09:53PM (#407631) Journal

    make us read your spam, meatbags. So when the bot apocalypse come, we will be more motivated.

    --
    Account abandoned.