True

I can agree with this... Back in college, I used to assemble and sell systems for extra cash. I supplied about ten PCs, low-spec P4 systems, to some new office...they didn't even have a nameplate anywhere. A few days later, one of the hard drives gave up the ghost and I had to go pick it up to get it replaced. When I walked in, it was full of people (they had about 40 machines in there by then) manually putting spam on people's Orkut profiles and on community discussion forums, 24/7. They were paid something like 7000 bucks (£90) to do this, 8 hrs a day, 6 days a week. From that to what is described here isn't much of a leap.

Another idea/solution

How about increasing the delay (log scale) for subsequent "attacks" (signups) fro the same IP address. While it won't reduce the number (directly), it WILL make it more difficult.

The lowly $3 per day people won't get much done after a while!

Yes, I know about shared IP addresses, but after week, reset the time.

Yup, Humans Are Spammers Too

I'll confirm that too. With experience running a smaller free webmail service for a couple of years, I noticed a decent amount of traffic related to humans subscribing to the service and spamming. I picked up on dialogs from subscribed accounts they had with their "employer" and they would also do things like use yahoo and gmail accounts as at which to receive a confirmation email.

They'd subscribe an account, broadcast out spam until it was cut off by our automated systems and then move on to the next account to spam from.

Traffic of this sort was not only limited to Russia or Asian areas, as we picked up dialogs happening in Portuguese and originating from Brasil.

@ theotherone

"whats the point of using gmail to spam? there is a 500 message per day limit"

1. A valid "return address" will defeat some anti-spam measures ( I won't name and shame; suffice it to say there are some truly shite-quility, expensive commercial packages that are trivial to get around).

2. That same valid "return address" may be needed for some scams.

3. As I understand it, Gmail permits up to 50 BCCs. That's 50 * 500 == 25000 spam recipients. Multiply that by the hundreds or thousands of phony accounts that are being set up and, well, you can see how quickly it adds up.

Captchas are already being broken

Captcha's are at best a temporary solution to a long term problem.

I've followed this topic for a long time.

Do a search and find hundreds of links about breaking captchas.

Some engines are generic enough to work with many captcha generators.

http://www.cs.sfu.ca/~mori/research/gimpy/

http://www.botmaster.net/pictocod/

To respond to this threat, sites make the captchas more and more difficult to recognize to the point where I personally make mistakes when I incorrectly guess what the correct answer is. I imagine an automated program may have a better chance at solving these than I do.

In any case it was long speculated that it would always be possible to pay people to manually solve the captchas.

I would like to see more effort to block spammers at the point of origination.

For instance, apply spam heuristics on a sender's email and take action earlier.

If thousands of accounts are sending the permutations of the same email, then there is a very high chance that it is spam.

Umm, charging? And they pay with what, exactly?

I find it amusing that charging is considered a viable control for email spam.

This is organised crime. They're not short of money because (a) there are enough fools buying "viagra", visiting porn sites and/or getting scammed in many other creative ways to provide plenty income and (b) in case you forgot, they're criminals. There is a fair chance payment would be done with stolen or duplicated credit cards..

Money

During the 90s a very common "computer" crime was nicking the memory chips out of machines. RAM was very expensive (c. £30 - £40/MB) and easy to carry so it was tempting to crooks. The price fell drastically with the release of Windows 95 because the manufacturers overestimated the demand. Now RAM is more like £30-£40/GB and you can buy a whole new machine for about £3-400. Computers still get pinched from time to time but the economic reasons for stealing RAM just aren't there any more.

The same applies to spam. It happens because it makes money. Before broadband and wireless were widespread there were a lot of problems with rogue diallers which disconnect the connection and redial using a premium rate number. Difficult to run one over ADSL though. At some point the spammer will receive money from some sap who decides to buy their product. One line of enquiry might be to follow the money trail and find out where it ends up. It would take a bit of work as it's probably laundered through a web of Paypal accounts, "financial manager" mules and other means, but I think it's the only real way to reduce spam being sent in the first place.

@ ratfox - boring job

Billiant idea. Actually you don't even have to market it as captcha-breaking. Just set up a free pr0n site, only requiring you to solve a captcha to access it. Only the captcha will be pulled from Gmail/Hotmail/Yahoo/whatever instead of being generated by you. A new spam account per visitor. YIIIIIIIIIIIIIHA!

@ the spoilt braindead people who want to make people pay for messages: the third world thanks you for breaking their last hopes. And yes, let's trace all that. And analyse the content of each message, too. And check the credentials of the recipient, as they might be supposed terrorists. And this lady you send steamy messages to might not actually be your wife. Your missus desserves to know that. Only the guilty have anything to hide anyway.

Well....

I get a dozen spams per day through my forms, which have word verification numbers on them.

All from the same guys judging by their content. Looks automated to me.

What kills me...

is that this actually generates money. I cannot fathom that there are still computer-using-people on this earth who do anything but delete these as fast as they come in. Come on ppl, WTF???

(and we need a 'confused as hell' icon too, so tux instead because he keeps a lot of spyware off my machine)

mh. is right

The only way to get rid of spam is to make it uneconomic. And that is not done by technological means (spammers will always find ways to circumvent these) but by educating users never to spend money on offers sent to them by unsolicited email, regardless of how good the offer seems or how legit the sender seems.

my 2 pence...

We all know someone with a gmail account right? well why they don't ask for a valid gmail account, and have that person confirm that the person signing up is not a spammer, lest their account gets obliterated - kinda like a social networking solution. Ok it doesn't get round hacked accounts, but very little will. As for 500 mails a day, who the heck writes and sends 500 unique emails a day? 50 is probably sufficient for most, and anyone above that should contact google and request an upgrade with a reason.

your 2 pence

You mean like they (sort of) did with the invites?

Bring 'em back, I say!

Alright, world+dog had an account anyway, but having an address through an invite only service added a little... something, I think.

4.6%??? Then... SO WHAT?

OK we all seem to have missed the important statistic here. Only 4.6% of SPAM is sent by web-based mail accounts. So - the other 95.4 is being sent by other means; for instance, by hijacking a poorly protected SMTP server. I think a far better way to make a real impact on SPAM (well, the 95.4% anyway) would be to bring out a newer version of SMTP (SSMTP??) which incorporates certificate-based authentication between mailer and mail server, and between sending server and recipient server. The certificates for the "Mailer" would be tied to an individual and would therefore make hijacking a mail server totally impractical - because of course it would only send email from senders whose certificates it knows. Yes, the costs to provide email would ramp up... but lets face it who actually uses the "free" web-based interface for their email anyway? I always use Outlook to gather and send my web-based email - I only ever log into the web interface to check my spam folder for any legitimate messages before emptying the bucket. I don't use my ISP's mail service much because it has no filtering and because it gets blacklisted a lot (some of Virgin Media's servers do, anyway). The upshot being that if SSMTP came in and free web-based email disappeared, I would simply bring my email activities back to my ISP's offerings and live with the shortcomings.

Web email

A lot of email spam is sent via compromised machines on botnets with their own SMTP server. Check the headers of a couple and towards the bottom you'll probably see a received line with some kind of DSL host. There will probably be a couple of fake received lines as well. Personally I quite like the idea of ISPs keeping an eye out for botnet style behaviour or open relays and blocking traffic from potentially compromised hosts until the owner is made aware of what's happening and either agrees to do a virus check or explains why they need to send thousands of emails to random addresses. It would certainly be more useful than booting people off just for using Bit Torrent.

As for web mail accounts, a forum I admin gets about 40 - 50 spam registration attempts a day. I have various blocks in place so none are successful but I do get to see which domains they use for registering. A lot of these are free webmail services such as GMX or Gmail. I think a lot of the addresses are never actually read (although the XRumer forum spamming software does include something that can "process" verification emails) and are used because they're not likely to be blocked. The purpose of forum spam is linkspamming. A forum member list is just a collection of links. Get enough links pointing to the same site and it scores highly on Google. Search for one of the main spammy products and you'll probably find a memberlist.php or a vbulletin /members/ quite high in the results. Breaking the Google CAPTCHA means the spammers can also use Blogspot/Blogger for linkspamming.

As I mention above, I do think the only way to stop spam is through economic means, but I think this needs to take place at a higher level than just educating end users. Pump & dump spam might not be so popular if the shares on penny stocks were automatically suspended if certain "suspicious" activity was detected such as a sudden massive increase in the number of shares changing hands. OEM software spam would probably reduce if the software publishers found out who was selling it and took steps to stop it.