[linux-elitists] is it wrong to slam a spammer?

Karsten M. Self kmself@ix.netcom.com
Sat Sep 25 17:15:50 PDT 2004


on Sat, Sep 25, 2004 at 07:39:18AM -0400, Etienne Goyer (etienne.goyer@videotron.ca) wrote:
> tek wrote:
> >Ok, so at the risk of quite possibly pissing off those i haven't already 
> >pissed off at some point before i have a question i still want to ask.  
> >Anyone have a copy of formfucker? or know of something else like it? 
> 
> You ask about the morality of poisoning spammer's database ?  Sissy ... 
> I thought your dilemna would involve a baseball bat or a crowbar.

Dittos.  No moral qualms here.

Incidentally, if you want to come up with some *really* plausible
data....


The US Census Bureau publishes a number of information sources,
including:

  - Population by geocode, for each decade of the past century.

  - Most popular first names, either 1k or 10k, for each decade of the
    past century, by sex.

  - Most common surnames (less variable over time) for each decade of
    the past century.

Combined with some ZIP, area code, and guestimates of SSN numbers, you
can generate statistically plausible IDs, at least for database
poisoning purposes.  This could have a rather wide and varied use.  The
three fields of an SSN are broken by office, group, and sequence, as
described at:

    http://www.cpsr.org/cpsr/privacy/ssn/ssn.structure.html


Far more valuable IMO would be if major banks, credit card companies,
and merchants, would create "tagged" accounts which could be submitted
to phishing sites for either immediate detection or to trace data flows
through phishing networks.  I've had some familiarity with this sort of
work in the past (a short stint inside Visa's fraud and bankrupcy risk
prediction unit), but to the best of my knowledge activities there and
at other locations such as eBay and Paypal (among the more active fraud
analyst recruiters I'm aware of) are largely based on _detection_ --
identifying suspicious activity on good accounts.  Not on preventive
measures.

Still:  yes, crapflooding would be good.

Another anecdote.  I once went river rafting with Bill Gates.  No, not
_that_ one.  This guy's in computers, but runs (or ran) the data
warehousing unit of a large grocery Store chain who shall remain
namelesS, and no mention will be made of any Big Red S.

Apparently the activities of a relatively small number of consumers^W
customers who provided fake data, swapped cards, etc., was a major
hassle for this unit in terms of maintaining data integrity.  This being
from the 1998/99 period, methods may have improved, but my own
experience inside the datamining industry is that methods are largely
Byzantine, home-grown, and pretty uniformly cruddy.

> There is, however, something flawed wrt FormFucker as it could be used 
> as a DoS.  

Then don't violate network AUPs.

In fact, you're far more useful if you send only a few well-crafted
bogus accounts from any one IP.  Otherwise, it's easy enough to identify
your IP with bad data and filter you out.

Tools like this are best used by many people in small volumes.

> A better approach, IMHO, seem to be tarpitting.  It is almost
> impossible to hurt an innocent bystander with this scheme, and you
> attack spammer's operation directly.  Coupled with aggressive seeding
> of fake email in spammer list, this have the potential to be a real
> annoyance to those slime.

s/be a real annoyance/marginally raise costs of business/

...but that's the whole idea.  These guys would consider shoestring
margins high on the hog.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    The Earth *is* flat.  But Mars is sharp and Venus is in tune, which
    makes up for it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20040925/ecca795e/attachment.pgp 


More information about the linux-elitists mailing list