The Spam Experiment

Monday, February 14, 2005

In less than 3 months we hit 50% spam

We set up the tuffwebhosting domain in mid-December for this spam test. In less than 3 months we've now seen spam take over the majority of email coming in on this domain. Spam for last week comprised 52.61% of all email coming into this domain!

We didn't do much to get to this point. We filled out a few opt-in requests but did NOT approve any of them.

We also sent a few messages to usenet newsgroups.

This is the kind of thing that normal people do every day without realizing the impact this will have on their email. In less than 3 months our new domain name is now 52.61% spam and 20.38% viruses. That's 83% junk email coming into our new domain!

This goes to show how important it is to teach your employees to not publish their addresses anywhere. It goes to show that even if you fill out a form and opt out or do not verify your address, spammers will still send you junk mail.

It also goes to show how important a good spam filter is.... Even better a traffic shaping appliance that can block stuff at the gateway and prevent all that junk mail from coming in to your network and taking up network resources!

Here are the results from last week.

BenFitts.com (2/7/2005 to 2/13/2005)

Total Emails: 2158
Spams: 1919 88.92%
Suspect: 0 0.00%
Virus: 1 0.05%



TuffWebHosting.com

Total Emails: 211
Spams: 111 52.61%
Suspected Spam: 1 0.47%
Virus: 43 20.38%


- Ben Fitts

Monday, February 07, 2005

Spam Statistics

Here are the latest spam statistics for the week of January 31, 2005 to February 6, 2005.

BenFitts.com (1/31/2005 to 2/6/2005)

Total Emails: 1835
Spams: 1542 84.03%
Suspect: 1 0.05%
Virus: 31 1.69%



TuffWebHosting.com

Total Emails: 211
Spams: 99 46.92%
Suspected Spam: 0 0.00%
Virus: 42 19.91%


Note: My test domain tuffwebhosting.com started out at 17.31% spam. The numbers from last week had risen to 46.92% spam! That is in only one month's time.

This shows just how bad spam can be and just how easy it is for a company to be overwhelmed by spam. If a few users get their email addresses on a spam list or if they accidentally open a few spam mails... Those web beacons will trigger the spam into sending more and more spam!

It will be interesting to see how long it will take for 80% or more of my email to become spam.

- Ben Fitts

Tuesday, February 01, 2005

Spammer

So I've started to see that a spammer has gotten angry with me.

They're now out sending spam with my name and my company's name in the body of the message. We've also seen an increase in the amount of spam we're getting at work. Specifically to a couple of addresses that were on our web site.

I have seen a couple of angry newsgroup posts where people are angry with me about the spam experiment. They tracked down my company name and the email addresses from the site and posted them to newsgroups. I can only assume they've also posted them into some places where spammers will get a hold of them.

I find it sort of funny because that was the POINT of the whole experiment. We want to get MORE spam.

I guess they think that their sending spam is going to get me blacklisted. However the RBLs work off of IP Addresses. A spammer cannot spoof my IP address as my mail server is registered with a proper PTR record. You can't spoof that kind of thing. So we really don't have any risk of getting blacklisted because of this idiot.

It is a good sign that my experiment is getting these people mad at me. That means they really don't want us setting up decoys to trick them into spamming us. That is after all how we track them and create better filters to eliminate their junk.

On another note... Did you see that total amount of spam worldwide seems to be diminishing? I'll keep an eye on it and if I see any more news articles about it I will publish a link here.

- Ben Fitts

Monday, January 31, 2005

January Stats

January Stats are in: (up to Jan. 30th)

BenFitts.com (pre-existing)
Totals Percentage
Total Emails 5338
Spams 4125 77.28%
Suspect 13 0.24%
Virus 120 2.25%

New domain setup just for this test:
TuffWebHosting.com

Total Emails: 509
Spams: 161 31.63%
Suspected Spam: 0 0.00%
Virus: 128 25.15%


Note the surprising number of viruses! 25% That is a HUGE number of viruses. It is almost entirely coming to addresses that were used in posting messages to newsgroups. Some of the addresses appeared in the body of the message. Some appeared in the header. Both are getting viruses and spams, but they are getting almost as much spam as they are getting viruses!

This leads me to believe that you should be very careful of any email addresses you use if you post to newsgroups. You may even want to use an entirely fictitious email address.

As far as viruses go... Here are the stats from one of my two servers:
65 0 65
15 0 15
9 0 9
8 0 8
2 0 2
2 0 2
1 0 1
1 0 1

A combination of recent viruses and some VERY old viruses like Gibe-F which are 14 months old. What the heck are these viruses doing in the wild? I just don't understand! Are people running without any virus scanner at all? Are they surfing porn on newsgroups without a virus scanner? Are they using a Microsoft based newsreader like Outlook Express without a virus scanner? LOOK how dangerous it is. I haven't posted anything for weeks and yet I'm getting hit by more viruses now than ever before.

People, please do me a favor. Pay the $30 for an anti-virus scanner and install it on your machine. Make sure it is set to download automatic updates at least once per week. And make sure it actively scans any incoming email.

- Ben Fitts

Tuesday, January 11, 2005

Opt Out lists

I found a new site called Opt Out By Domain.

It was started by a small ISP in Oklahoma. They have partnered with several spammers/email marketing companies. These companies promise to allow you to opt out an entire domain name from their mailing lists.

How does it work?

You have to be a registered owner of the domain. You then join Opt Out by Domain. They have a free edition which allows you to opt out one domain. This is then printed on their opt out list. Email Marketers would then be able to download a list of the domain names to scrub their lists against. It is similar to the Do Not Call registry.

The free version requires you to register one opt-in email address that will opt-in to email marketing campaigns from their partner companies. They also have a paid version which is relatively cheap at this point. It is only $12 per year to join the paid version.

These guys also run a site called SueASpammer.com where they prosecute spammers that have targeted their ISP service. In theory they'd also use Sue A Spammer to prosecute marketing companies that join Opt Out By Domain but refuse to abide by their standards.

Again this is an interesting idea. It is still in its infancy and certainly won't hurt anyone to try it out. $12 is not much to pay for reducing the amount of spam someone receives!

However it is a new idea. There is no guarantee it will work. This could just be a clever way for spammers to collect email addresses.

I joined a couple of email addresses/domains. I'll keep you posted of my results!

- Ben Fitts
ben@benfitts.com

Monday, January 10, 2005

Spam Statistics

Here is my first full week of tracking spam statistics.

BenFitts.com Totals Percentage
Total Emails 825
Spams 645 78.18%
Suspect 2 0.24%
Virus 0 0.00%
False Positives: 0 0.00%
False Negatives: 0 0.00%



TuffWebHosting.com

Total Emails: 104
Spams: 18 17.31%
Suspected Spam: 0 0.00%
Virus: 50 48.08%
False Positives: 0 0.00%
False Negatives: 12 11.54%


BenFitts.com is the control domain that receives both legitimate email and spam. TuffWebHosting.com is a new domain created for this test. It was created to look like a legitimate web hosting company that a spammer might want to mail bomb. It has a little bit of legitimate email coming through but is primarily spam. I need to develop more legitimate email in this domain....

A few surprising results came out this week:

I had more viruses from posting on newsgroups than spam. I also had quite a few false negatives. I think the reason for the false negatives is some small time spammers found my email and sent me spam. For example, a couple of individuals emailed me direct links to join some casino web sites. These people appear to be trolling a specific newsgroup and sending out small batches of spam. It is much harder to track these small time spammers than the guys who send out millions of spams per day. At least that is my hypothesis so far.

As far as the lack of spam goes. I've signed up to a couple more known spam resources. I signed up to a couple of "free" porn lists, confirmed my email, then immediately unsubscribed. I also signed up to a couple without confirming my email.

I also went to a site that sends benfitts.com a particularly large amount of spam. The site is mustov.com. It appears to me that this is the most common form of spam harvesting out there today. This is one of those "free offers" sites. You join thinking you're going to get a free gift card or whatever. However their terms and conditions state you must request partner offers from several of their affiliates in order to qualify for the free gift card. This of course gets you on their "opt in" lists.

So I filled out the initial request and then stopped as soon as I got to any that asked for further details such as address, phone number, birthday, social security, etc. Why would I want to give that stuff out to an "unknown" web site?

As soon as I got those emails I unsubscribed. So for last week I'll consider the emails I received from mustov.com and their affiliates as legitimate email. However now that I am unsubscribed I'll consider any further mailings from them as spam.

I'll keep you guys posted!
Ben Fitts
ben@benfitts.com

Friday, January 07, 2005

Project Honeypot

I just listed my site over at Bloglines. It allows me to track other blogs and stay up to date. It also allows me to show my visitors blogs I'm currently reading.

While visiting Bloglines I found a link to some other spam blogs. One of them described a new anti-spam project called Project Honeypot.

This is an interesting idea.

A HoneyPot is a trap. It is intended to track the hacker, spammer, etc. and report back vital data on their behaviors. Usually in the security world a honeypot would be some sort of decoy computer that is set up to log all activity. It has vulnerabilities hackers are known to exploit. It then allows security officials to track that hacker's behavior. They can build intrusion detection signatures based on their activity. They can track the activity back to the source. They can log the data to help them prosecute the hacker.

In a spam environment honeypots usually help track spam. Several vendors have created honeypots to help them get spam and create rules to filter that spam out.

Project HoneyPot is taking a novel approach to this idea. They give you a special code to put on your web site where you would normally insert an email address. When a spammer visits the site and steals the email address, the address is slightly modified. You might consider it to be "encoded" with special data. Each time the address is displayed it is unique because of the encoding on the page.

The encoding allows the people at Project HoneyPot to track exactly when the spammer visited your site and to track the ip addresses used to "harvest" your email address. Many spammers use specially written software programs (Spambots) that surf the internet looking for email addresses to "harvest" and put on their spam lists.
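As an added illustration (not part of the original post, and not Project HoneyPot's actual scheme), the sketch below shows one way a site could give every visitor a unique trap address that encodes the visitor's IP and the visit time, then recover both when spam arrives. The domain trap.example, the secret key, the function names and the sample deliveries are all constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import struct
from collections import Counter

SECRET = b"constructed-demo-key"   # assumption: secret known only to the trap operator
TRAP_DOMAIN = "trap.example"       # placeholder domain, not a real service


def _tag(payload: bytes) -> bytes:
    """Truncated HMAC so a guessed or edited address cannot pass as a real trap."""
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:7]


def make_trap_address(visitor_ip: str, visit_time: int) -> str:
    """Build the address shown to one visitor: IPv4 (4 bytes) + time (4) + tag (7)."""
    payload = ipaddress.IPv4Address(visitor_ip).packed + struct.pack(">I", visit_time)
    # 15 bytes encode to exactly 24 base32 characters, so no '=' padding appears.
    local = base64.b32encode(payload + _tag(payload)).decode("ascii").lower()
    return f"{local}@{TRAP_DOMAIN}"


def decode_trap_address(address: str):
    """Return (harvester_ip, visit_time), or None if the address is not one we issued."""
    local, _, domain = address.partition("@")
    if domain.lower() != TRAP_DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper())
    except (binascii.Error, ValueError):
        return None
    if len(raw) != 15:
        return None
    payload, tag = raw[:8], raw[8:]
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    (visit_time,) = struct.unpack(">I", payload[4:])
    return str(ipaddress.IPv4Address(payload[:4])), visit_time


def attribute_spam(deliveries):
    """deliveries: iterable of (recipient, received_at) taken from the mail log.

    Returns (spam count per harvesting IP,
             seconds from harvest to first spam per IP,
             recipients that did not verify as issued trap addresses).
    """
    hits, first_delay, unverified = Counter(), {}, []
    for recipient, received_at in deliveries:
        decoded = decode_trap_address(recipient)
        if decoded is None:
            unverified.append(recipient)
            continue
        ip, visit_time = decoded
        hits[ip] += 1
        first_delay.setdefault(ip, received_at - visit_time)
    return hits, first_delay, unverified


def demo():
    """Constructed page views and constructed spam deliveries."""
    a = make_trap_address("192.0.2.10", 1104796800)
    b = make_trap_address("198.51.100.7", 1104883200)
    deliveries = [
        (a, 1104796800 + 3600),          # first spam one hour after the harvest
        (a, 1104796800 + 90000),
        (b, 1104883200 + 172800),        # two days after the harvest
        ("sales@trap.example", 1105000000),  # guessed address, carries no valid tag
    ]
    return attribute_spam(deliveries)


if __name__ == "__main__":
    print(demo())
```

The keyed tag matters because harvested lists get edited and resold; without it, a mangled or invented address could point at an IP that never visited the page.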

Project HoneyPot will help you track those spammers. They propose to also help you prosecute those spammers and to provide this data to anti-spam vendors.

For example some of the vendors might be able to include these ip address ranges in a firewall or web proxy which allows them to block those spambots from harvesting emails off your web site.

It doesn't help John Doe directly... Because John Doe doesn't have a web site. However if you are a web site owner, blogger, etc. You might want to register for Project HoneyPot.

- Ben
ben@benfitts.com

Results from yesterday

Here is a little update on spam from yesterday:

My new domain just for testing spam: tuffwebhosting.com

Legitimate email: 0
Total Spams Received: 5
Total Viruses Received: 7
Total Suspected Spam: 0 (meaning messages that are probably spam but our software can't determine for sure.)

My control domain:
Legitimate email: 20
Total Spams Received: 104
Total Viruses Received: 0
Total Suspected Spam: 0

I still find it amazing that by only posting to a few newsgroups I'm getting up to 7 email viruses a day! I'm a bit disappointed that I am so far only receiving 5 spams per day from those newsgroups. I'm going to begin some other strategies for getting spam next week.

I'll keep you posted of my results!
- Ben
ben@benfitts.com

Tuesday, January 04, 2005

Why doesn't blocking email addresses work?

Someone on a spam newsgroup recently asked about why blocking certain email addresses doesn't work. They also asked about why we can block ip addresses without blocking legitimate email.

> Blocking IPs seems dangerous. I mean, in the states where AOL reigns, how
> will it recognize spammers from regular users??

The problem isn't AOL users.

The problem is a spammer who takes hold of someone's home computer. Someone on a DSL modem that has no firewall. The latest email worms usually contain their own SMTP engine so they can propagate themselves. Some of them also contain backdoors which allow spammers to then use the infected computer to send out spam. In fact one of these worms actually installed a hacked copy of WinProxy that contained a back door that allowed the spammer to come in and use it to relay spam.

John Doe with his unprotected cable modem has no reason to be sending thousands of emails a day. If John Doe was sending thousands of emails a day he would be sending them through a mail server. His windows 95 home PC without a real mail server should not be originating email. This is what is considered an open proxy.

There are other variations of proxy servers out there. Corporations who have misconfigured web proxy servers. These proxy servers actually allow a spammer to send email through the web proxy and hide their originating ip address. They can spoof any email address they want. Such as AOL. That is what is confusing you.

Blocking AOL or specific email addresses at AOL won't stop spam.
What will stop spam is blocking the spammers at the source. The proxy servers they use to send spam. Again a proxy server is NOT a mail server. It should not be sending spam. If it is originating email then there is a very high chance that email is spam. There is almost zero chance that email is a legitimate email.

This is one of the ways the most effective spam software works. They build open proxy lists. They don't use rbl's of misconfigured mail servers any more. The problem with using those is that you block legitimate mail along with the spam. With open proxy lists there is no reason for those systems to be sending email. They are proxy servers intended to be a proxy for web, ftp, etc. They are not intended to be a mail server.
Hope this helps!
Ben Fitts
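An added example (not from the original post) of the point made above: the accept/reject decision is keyed on the connecting IP's presence on an open proxy list, not on the sender address, which can be spoofed. The zone name openproxy.dnsbl.example, the zone contents and the sample sessions are constructed; the lookup follows the usual DNSBL convention of reversing the IPv4 octets and querying them under the list's zone.

```python
import ipaddress
import socket

PROXY_ZONE = "openproxy.dnsbl.example"   # placeholder zone name, not a real list

# Constructed zone data standing in for the list operator's DNS server.
SAMPLE_ZONE = {"10.2.0.192.openproxy.dnsbl.example": "127.0.0.2"}


def dnsbl_query_name(ip: str, zone: str = PROXY_ZONE) -> str:
    """192.0.2.10 is looked up as 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str):
    """Live lookup; returns the A record as text, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, resolver=system_resolver, zone: str = PROXY_ZONE) -> bool:
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return False                      # no record: the host is not on the list
    # Listed hosts answer inside 127.0.0.0/8. Anything else (for example a
    # resolver that rewrites "no such name" to a search page) is not a listing.
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def smtp_decision(connecting_ip: str, mail_from: str, resolver=system_resolver):
    """Decide at connection time. mail_from is deliberately never consulted:
    it is whatever the sending host claims and proves nothing about the source."""
    if is_listed(connecting_ip, resolver):
        return 550, "rejected: connecting host is on the open proxy list"
    return 250, "ok"


def demo():
    """Same claimed sender, two different connecting hosts (constructed sessions)."""
    sessions = [
        ("192.0.2.10", "someone@aol.com"),    # listed proxy relaying a spoofed sender
        ("203.0.113.25", "someone@aol.com"),  # host that is not on the list
    ]
    return [smtp_decision(ip, sender, SAMPLE_ZONE.get)[0] for ip, sender in sessions]


if __name__ == "__main__":
    print(demo())
```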

Monday, January 03, 2005

My first spam hate mail

It was inevitable.

Someone was going to get mad at me for my spam experiment.

What is funny is that this guy is supposedly some sort of system administrator or networking type. He is mad because I posted some messages to the normal newsgroups with the intent of getting spam.

The problem with this theory of his.... Is that a GOOD spammer is going to know better than to post to a "spamtrap" newsgroup. Just as they know better than to post to certain domain names, email addresses, etc.

A good spammer looks for things that are possible clues that he is emailing a decoy account. One of the things they don't do any more is to send mail to postmaster. Why? Because a postmaster is the guy who controls the email service on the computer. A postmaster has the ability to blacklist him. So spammers avoid emailing those types of individuals.

Similarly a GOOD spammer is going to be smart enough to not harvest the alt.spam alt.alt.spamtrap type of newsgroups. He is going to harvest very popular newsgroups with 25,000 plus messages. So that is the type of newsgroup I posted to.

I also posted some into the spamtraps. That way we can actually analyze the data and see if this theory is correct.

So read his tirade on alt.spam. Check it out it is pretty funny. He is mad at me and now asking other people to spam me. That is exactly what I want! I want people to try and spam me! I want them to attack this server. I want to see if the server can handle it. His getting mad at me and posting messages on several newsgroups only HELPS my cause.

- Ben
ben@benfitts.com <- yes this is a real email. I dare you to spam it ;)

Usenet spam has started!

The spam from usenet postings has started!

I officially started posting to newsgroups on 23rd December 2004. On the 31st I received my first spam from these newsgroup postings. However if we look in closer detail we see that I was spammed to the address:

mlm@

I used this domain to post to some mlm and home business related newsgroups only two days earlier! I posted on the 29th to several different newsgroups in alt. biz. and fidonet. This spam clearly came from someone harvesting one or more of those newsgroups. In fact I received the same spam to three different emails that are used in newsgroup posting.

Of course... silly me... I sort of screwed up my experiment! I'm testing a certain anti-spam appliance that runs $30,000-$50,000. I changed the ip address to put the machine on my DMZ. I want it to be a real test that someone in a corporate environment might actually experience. Guess what? When I changed the ip address I forgot to change the gateway. So the appliance wasn't able to receive email all weekend. Because it was the holiday I wasn't checking it :( Oh well.

I'm now back up and running. I also have set up a backup MX record to go through a separate gateway and into another high end email appliance that we're currently beta testing.

Hopefully over the next couple of days I should be able to start getting you guys some real solid information.

- Ben Fitts
ben@benfitts.com <- I'll keep posting this email because I know it will be harvested and because it is a REAL live email address for me. It helps me watch false positives and negatives.

Friday, December 31, 2004

More on Newsgroups and spam traps

Since it is the holiday I'm not selling a lot of anti-spam software and have some free time on my hands. I've been posting to newsgroups trying to get spam.

I posted to a bunch of gambling newsgroups and so far that has only earned me 7 email worms.

I'm now posting to some sex newsgroups, mlm, etc.

I also started surfing for spam newsgroups. I found quite a few spamtraps and such. Unfortunately I don't think a smart spammer will really harvest those newsgroups. I think they'll set up exclusions to purposefully avoid them. However I did find some other people who are doing anti-spam work.

One of them posted a link to a porn site that had their web server misconfigured. The web server allows you to see the entire directory so you can see what files exist in it. The only HTML file in the web server is a web based form to "unsubscribe" from their mailing list. HOWEVER within the same directory is a file called removes.txt which is now over 1.1 Gigabyte! It is a flat text file containing a list of email addresses of people who have tried to unsubscribe. I signed up a specific email address so I can track it and see if these guys start to send me spam. I'm willing to bet this is how they are building their spam list. A remove script should REMOVE names, not add to their list!

There is a really mixed bag of spam, people posting test spamtrap email addresses, and legitimate emails. I'm going to spend some more time reading these newsgroups to see which ones might provide valid information to help in our quest to get more spam. I'll keep you posted of which seem to be the best:

alt.alt.spamtrap
alt.kill.spammers
alt.current-events.net-abuse.spam
alt.cyberpromo.com.spammers.revenge
alt.spam
alt.spambot
alt.spamhaus
alt.spammers.post.here
free.it.spam
free.spam
newsguy.spam.sightings

Oh, I'm taking the rest of the weekend off!

Have a great New Year!
Ben Fitts
ben@benfitts.com

Wednesday, December 29, 2004

Newsgroup posting

I broke down and signed up for a paid Newsgroup account. I set up a $7 account over at Giganews which allows me to download/post up to 2 GB.

I immediately found A LOT more usenet postings and groups than I was seeing on the free servers. I think this will be much more successful. I'm going to use it for a few weeks and cancel before my month is over.

I figure $7 is a small price to pay to accomplish what I am trying to do. If it helps me review anti-spam software and sell it to big companies it will certainly be worth it.

Right now I'm mostly posting in the gambling forums since gambling is so hot right now.
poker_newbie at tuff web hosting . com
giga at tuff web hosting . com

I'm also going to branch out and post in some of the other groups as well. Do you have any ideas? I know mortgages and sex/viagra are hot topics for spammers. Do you know any usenet groups that might be good for me to post in where a mortgage spammer might be harvesting email addresses from?

Right now my usenet stats are:
spams: 0
email worms: 5

Keep spamming me!
Ben Fitts

Monday, December 27, 2004

Other Spam Experiments

I received an email from Steve Rioux who is also doing a spam experiment.

He has a rather novel idea.

He created a BLOG that accepts new blog entries via email. He then published that email address to his BLOG. So any spammer harvesting his email address will have their spam posted to his blog.

I find it interesting to see how much spam he is getting simply from posting an email address to the web. I think you'll recognize a few of these spams ...

http://www.plusmeilleur.com

- Ben

Newsgroup results

On December 23rd I posted ONE message to approximately 30 different Usenet newsgroups. This was the first time I had ever used that email address and it was a brand new domain name.

The VERY SAME DAY I received 2 email worms known as WORM.SWEN.A or as W32.SWEN.A.

On December 26th I received two more of the same worm.

I have not yet received any spam.

My educated guess is that someone with a compromised email program such as Outlook Express used it to read one of the newsgroups I posted to.

However I haven't gotten any spam yet.

TuffWebHosting.com through: 12/26/2004
Spams: 0
Email worms: 4

Usenet posting:
Spams: 0
Email worms: 4

Thursday, December 23, 2004

Old Domain Names?

Do you guys know of any old domain names that might be getting a lot of spam?

I'm interested in purchasing any old domains. Maybe defunct corporations like dot.com's that might be getting spam?

Do you know of anyone? I'm not looking for web traffic or anything like that. I'm not domain speculating. I'm looking for email traffic.

Do you own a defunct company that has a domain name? Or maybe one that recently expired?

Let me know!

Ben
ben@benfitts.com

Email addresses in usenet newsgroups

Back in the day it was possible to get spammed by posting your email in usenet newsgroups.

I am trying to determine if that is still the case. I'm looking for a usenet server that will allow me to post a few messages to various usenet groups. I'd like to do some bulk posting if possible. I know I can register with Google and view/post to usenet. However I've tried that with no success. What I'd like to do is be able to post to a broad variety of newsgroups in a quick fashion.

I know that spammers used to use software that was written to search newsgroups for email addresses and harvest these addresses for their spam lists.

So that is my goal today.

If you know of any good services that might allow me to do some bulk posting please let me know!

I'll keep you posted of my results. I'm using a special email address strictly for this purpose. We'll be able to track what spam I get, if any from this method.

Regards,
Ben Fitts
ben@benfitts.com

PS. Have a great holiday!

Wednesday, December 22, 2004

Phil Bradley's Great SPAM Experiment. How do we get spam?

I am starting a BLOG to ask for your help in getting SPAM!

Crazy right?

I got the idea originally from reading Phil Bradley's Great SPAM Experiment. How do we get spam?

I don't want to take away anything from the excellent work Phil Bradley has done on the subject of spam and where it comes from. His original article was written October 2002, and I write this now in December 2004. I think spam has changed significantly. I have actually tried to get spam using some of the same methods as used by Phil. However those methods have yielded me little results. For example I haven't seen a lot of spam as a result of posting to newsgroups. I'm just not sure this is relevant any more.

So I'm asking you guys to help me out! Help me get spam!

WHY?

I'm a technical sales guy. I actually sell enterprise level spam software to major corporations, universities, and even one Governor's office.

What I am trying to do is build a large stream of spam that I can use to test the effectiveness of various anti-spam solutions.

The first step is to get SPAM. Right now I'm only getting about 100 spam messages a day. That isn't very much!

A typical corporation that I deal with is getting 3,000 spams a day. I even have some companies that get upwards of 70,000 spams a day.

I see the reviews written in some major networking magazines where they tested the software against 4,900 spam messages. Come on! That isn't a real test. That is one day of email for a 250 user company. A real review needs to be based on thousands of emails.

That is what I am trying to do.

So... Now I need your help in getting spam.

I have two domains I want to get spammed.

benfitts.com - personal email. This also helps me test false positives. This is my control email.
tuffwebhosting.com - this is used JUST for this test. The domain doesn't really do anything. I just wanted to make it look like a legitimate business so that maybe I could get a little bit more spam.

So I'd like to ask you guys to help by starting to send me some spam! Sign me up to mailing lists. When you see those unsubscribe boxes sign me up!

As an added treat... Why don't you pick your own usernames?

So let's say you are BlogBOY2004@tuffwebhosting.com and BlogBoy2004@benfitts.com. I'll post the results of which addresses are getting the most spam and you guys can track your results that way. That way when BlogBoy2004 shows up as the most spammed email address you'll know you were the best at getting SPAM!

An alternative would be to select names based on where you are signing up. So if you are signing up for a particular newsletter.... let's say the Staples office supply newsletter you might use: staples@tuffwebhosting.com. However I don't think this is as fun as we can't see how good YOU are at getting me spam.

Wow, that's enough for today. Let's see who is going to be the first to get me some spam?

- Ben Fitts
ben@benfitts.com

Tuesday, December 21, 2004

The spam experiment

Hi,

My name is Ben and I sell enterprise level anti-spam software. I'm trying to build up some spam so I can further test and evaluate various products. Amazingly enough I've been having a hard time getting spam lately!

So now, I'm setting up this BLOG. What I want from you guys is to help me get spam! I want you to sign me up for as much spam as you can! I want to really test this stuff out!

Can you help?

What I'll do is I'll post my results here for everyone to see. Maybe we can even run some sort of contest to see who can get me the most spam?

What do you think?
Ben