Post by Anonymous
Post by Don Wannit
This is not the point. If a spamtrap automatically
adds a source IP to a blocklist, then it would be
trivial for someone to forge a subscription request
purporting to be from the spamtrap, and thereby get
the output IP for the mailing list added to the
blocklist when it sends that confirmation request.
No. It would be far from trivial, because the bad guy
doesn't know what addresses are spamtraps, and the
mailing list won't accept subscriptions to what he
does have, which is hundreds of thousands of harvested
email addresses with a few spamtraps hidden among them.
(and if the mailing list does send confirmations to
hundreds of thousands of subscriptions all coming in
at once it deserves to be listed).
The forging of an email sender address *is* trivial.
That should be understood by any reader of this newsgroup.
Post by Anonymous
Post by Don Wannit
I never said anything about huge numbers of addresses,
Yes you did. You wrote "I said that the kinds of places
the spamtrap addresses are hidden are well known, at
least among certain circles. Like the people who
gather them into the 'Million Email Addresses' CDs,
and the people who put them out there to be gathered."
You are reading the words but not the sentence. The
*kinds of places* are known to the people who compile
the mass lists of addresses, because they are the kinds
of places where email addresses can be harvested. Those
people don't know for sure that a specific address is a
spamtrap unless they look at its context, and their
robots do not look at context.
A different kind of person, even some of the readers of
this newsgroup, *do* know the kinds of places where
spamtrap addresses in particular, not real legitimate
email addresses, are strewn. I strongly doubt that I
am the only reader of this newsgroup who knows one
specific place for certain where SpamCop spamtrap
email addresses are placed to be found by harvesters.
I never said that a prankster would need to send
bogus subscriptions for all the addresses on a CD.
I said that the people who make those CDs know the
*kinds* of places to look for addresses. If they
wrote their harvesting robots to be smarter than just
looking for a string containing '@', it is certainly
plausible to evaluate the context of that string to
classify it as a potential spamtrap.
Some of those addresses are labeled quite clearly
and blatantly as spamtrap addresses. The robots
ignore that labeling, which could lead to the
address being included in a list of addresses.
That's not what I'm talking about. (or writing about)
Post by Anonymous
Mentioning the people who put them out there to be
gathered is a red herring; the spamtrap creators aren't
going to subscribe mailing lists to their own spamtraps.
Those who run them would very much like to identify and
remove the spamtraps. Such a list would sell for a
higher price.
This argument is a non sequitur. Or an even redder
herring.
Post by Anonymous
Post by Don Wannit
or hiding a spamtrap address in a crowd of legitimate
addresses. I'm not sure where you got that concept.
It is an inescapable consequence of the fact that it
is easy to gather a crowd of legitimate addresses that
include spamtrap addresses, but it is very, very hard to
gather just the spamtrap addresses or to gather just
the non-spamtrap addresses.
I just did a simple Google search for a particular phrase,
and got a list of 19 likely spamtrap addresses, just
by looking for a phrase which is often nearby a spamtrap
address left out for harvesting.
No, I will not post here the search phrase I used.
That's 19 possible addresses I could use if I wanted to
cause grief for some list admin and for some portion of
the readership of the list.
Post by Anonymous
Post by Don Wannit
The concern here is that spamtrap addresses are
discoverable -- in fact, that's exactly how they
end up on spammers' lists; if they were not discoverable
they would not be of much use. It is quite simple to
find spamtrap addresses
So far you are correct; just gather email addresses using
a spambot, virus, etc. and you will find spamtrap addresses
-- and a bunch of non-spamtrap addresses as well, with no
way to tell them apart.
That's not the point. Perhaps it's gone over your head.
Post by Anonymous
Post by Don Wannit
if you know where to look, and know that they are spamtraps.
You have presented no evidence that anyone knows where to look
this is so, or even
a speculation as to how to differentiate between the two.
If Ellen, Don, or Richard will give me permission, I would be
happy to describe exactly how you yourself can find one of the
places where SC sows its spamtrap email address seeds. I don't
expect them to do so. There are other readers in this group who
know, and not because they were told but because they encountered
the spamtrap address themselves. You could do so yourself if you
cared to think for a minute or two.
Post by Anonymous
Post by Don Wannit
Email address scrapers typically just gather the address, and don't care
where it comes from.
If they could identify and remove the spamtraps, the list
would command a higher price.
Yeah, and if the snail-mail bulk mailers would cull duplicates,
they would have marginal savings. For both types of mailing lists,
the cost-benefit tradeoff is such that the duplicates and the
spamtraps are not removed.
Post by Anonymous
Post by Don Wannit
If someone knows the kinds of places that spamtrap addresses are
typically hidden for scrapers to find, then it's trivial to find one
That is a tautology; they are easy to find if you know where
they are. Isn't everything easy to find if you know where
it is?
Your logic is flawed. Knowing the *kinds* of places to look is
not the same as knowing a *specific place* to look.
And in order to find one spamtrap address, I do not need to be
able to find *all* spamtrap addresses.
Post by Anonymous
Post by Don Wannit
and maliciously send it in a subscription request to a mailing list.
Assuming that they can find and identify spamtraps.
Which they can't, unless the spamtrap creator is stupid.
An intelligent spamtrap creator will hide spamtraps in
places where nobody knows to look, and will not reveal the
locations to anyone.
A responsible spamtrap creator might put warning signs around
the pitfall, so that innocent people don't accidentally fall
in. The harvester robots ignore the warning, but people can
find it.
Post by Anonymous
Post by Don Wannit
Other spamtraps may not be so resilient, and the ones that
add an IP to a blocklist on a single hit and make it nearly
impossible to get off are the ones that are worrisome,
and make an inviting resource for a denial-of-service
attack.
Assuming that they can find and identify spamtraps.
Do you have any evidence that they can?
If your theory that spamtraps are easy to find were true, I
would expect to see many legitimate confirmed mailing lists
listed; that would be an effective way to damage the reputation
of the blocklist in question. Has anyone seen this? I would
also expect there to be lists-of-spamtraps for sale. Has anyone
seen such a list for sale?
Different (but tangentially related) topic, inappropriate argument.
Post by Anonymous
Post by Don Wannit
Richard has answered my concern, without revealing too
much, by saying that while the SC spamtraps do not (and
can not) filter out legitimate confirmation requests,
a single spamtrap hit will not trigger a SC listing.
That should not have been sufficient to answer your concern.
If your theory is correct and spamtraps are easy to find and
identify, it would be a simple matter to subscribe ten or
twenty of them to the same mailing list over several hours
and from different places.
It would. That would then require intervention by a human.
As Richard stated.
Post by Anonymous
We have been discussing how easy it is to hide a spamtrap and
how hard it is to find it. Now let's consider the available
countermeasures if one is found. Just off the top of my head
I can think of several;
[1] Grep the incoming spam for addresses that are well-known
mailing lists. Examine them and stop using the spamtrap if a
single forge-subscription confirmation comes in. (leave the
spamtrap up, just ignore what comes in to it; this wastes the
time of anyone misusing it).
Richard explained that this is not realistically feasible.
After-the-fact manual investigation can do this, but automating
the process is just another arms race.
Post by Anonymous
[2] Set up a process that looks for signs that a browser is
looking at a page where you expect only spambots to be looking.
Even if the bad guy makes his browser self-identify as being
a spambot, real spambots will not typically download images
or look at external CSS, JavaScript, or robots.txt files.
That augments the warning signs for a human surfer. It does not
in any way affect someone who wants to find a spamtrap to exploit.
Post by Anonymous
[3] Change the spamtrap from one unguessable email address
to another unguessable email address as soon as it starts
getting incoming spam. Now the bad guy looking for spamtraps
has to find them before any of his spambots or his buddy's
spambots find them.
Not relevant. The goal is not trying to find *all* spamtraps so
that they can be removed from a list of spammees. The goal
I posit is finding *one* spamtrap address to be exploited for
the purpose of getting someone added to a BL.
Post by Anonymous
[4] Every so often, close down one unguessable URL with a
spamtrap on it and put up another unguessable URL elsewhere,
changing the unguessable email address to another unguessable
email address at the same time. Now the bad guy has to play
whack-a-mole.
Wrong bad guy.
Post by Anonymous
[5] Put random time delays before reporting on some spamtraps.
This will make it a lot harder to identify spamtraps by doing
a binary search and looking for addresses that result in an
instant listing.
...and that's just what I can think of in three minutes.
Perhaps your haste explains why you spent so long addressing
a different problem.
The topic at hand is not listwashing a list of spamtrap email
addresses. The topic is the potential for using a spamtrap
for causing mischief if the spamtrap is fully automated on
a hair-trigger.
--
Don Wannit <edb2000 -at- spamcop.net>
A paid SpamCop user since 1999
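
Countermeasure [2] quoted in the thread above, sketched as access-log analysis from the trap operator's side. This is an added example, not part of the original post and not SpamCop's code; the trap page path, the log lines and the client addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical path of the page that carries the spamtrap address (assumption).
TRAP_PAGE = "/contact-archive.html"
# Fetches the thread says harvesters typically skip: images, CSS, JS, robots.txt.
BROWSER_SIGNS = re.compile(r"(\.(png|gif|jpe?g|css|js)$)|(^/robots\.txt$)", re.I)
# Common/combined log format: client, two ignored fields, timestamp, request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} ')

# Constructed sample log; client addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /contact-archive.html HTTP/1.1" 200 5120 "-" "HarvestBot/1.0"
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /contact-archive.html HTTP/1.1" 200 5120 "-" "HarvestBot/1.0"
198.51.100.7 - - [01/Jan/2024:10:05:01 +0000] "GET /style/site.css HTTP/1.1" 200 900 "-" "HarvestBot/1.0"
198.51.100.7 - - [01/Jan/2024:10:05:01 +0000] "GET /img/logo.png HTTP/1.1" 200 3000 "-" "HarvestBot/1.0"
203.0.113.5 - - [01/Jan/2024:10:09:00 +0000] "GET /robots.txt HTTP/1.1" 200 40 "-" "ExampleCrawler/2.0"
203.0.113.5 - - [01/Jan/2024:10:09:02 +0000] "GET /index.html HTTP/1.1" 200 800 "-" "ExampleCrawler/2.0"
garbage line that does not parse
"""

def browser_like_trap_visitors(log_text, trap_page=TRAP_PAGE):
    """Return {client: sorted browser-sign paths} for clients that requested
    the trap page and also fetched images, CSS, JS or robots.txt.
    The User-Agent is deliberately ignored, since it can be set to anything."""
    saw_trap = set()
    signs = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        client, target = m.groups()
        path = target.split("?", 1)[0]  # ignore query strings
        if path == trap_page:
            saw_trap.add(client)
        elif BROWSER_SIGNS.search(path):
            signs[client].add(path)
    # Only clients that touched the trap page AND showed browser behaviour.
    return {c: sorted(signs[c]) for c in saw_trap if signs[c]}

if __name__ == "__main__":
    for client, paths in browser_like_trap_visitors(SAMPLE_LOG).items():
        print(client, "fetched", ", ".join(paths))
```

On the sample, only the client that loaded the stylesheet and image alongside the trap page is reported, even though its User-Agent claims to be a harvester; an operator could use that signal to retire the exposed address from automated listing.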