A Great Use For Artificial Intelligence: Scamming Scammers By Wasting Their Time
from the I,-for-one,-welcome-our-new-AI-chatbot-overlords dept
As artificial intelligence (AI) finally begins to deliver on the field's broken promises of the last forty years, there's been some high-profile hand-wringing about the risks, from the likes of Stephen Hawking and Elon Musk, among others. It's always wise to be cautious, but surely even AI's fiercest critics would find it hard not to like the following small-scale application of the technology to tackle the problem of phishing scams. Instead of simply deleting the phishing email, you forward it to a new service called Re:Scam, and the AI takes over. The aim is to waste the time of scammers by engaging them with AI chatbots, so as to reduce the volume of phishing emails that they can send and follow up:
When you forward an email, you believe to be a scam to me@rescam.org a check is done to make sure it is a scam attempt, and then a proxy email address is used to engage the scammer. This will flood their inboxes with responses without any way for them to tell who is a chat-bot, and who is a real vulnerable target. Once you've forwarded an email nothing more is required on your part, but the more you send through, the more effective it will be.
Here's how the AI is applied:
Re:scam can take on multiple personas, imitating real human tendencies with humour and grammatical errors, and can engage with infinite scammers at once, meaning it can continue an email conversation for as long as possible. Re:scam will turn the table on scammers by wasting their time, and ultimately damage the profits for scammers.
When you send emails to Re:Scam, it not only ties up the scammers in fruitless conversations, it also helps to train the underlying AI system. The service doesn't require any sign-up -- you just forward the phishing email to me@rescam.org -- and there's no charge. Re:Scam comes from Netsafe, a well-established non-profit online safety organization based in New Zealand, which is supported by government bodies there. It's a nice idea, and it would be interesting to see it applied in other situations. That way we could enjoy the benefits of AI for a while, before it decides to kill us all.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Now if someone can design something to fight scam phone calls too... Preferably something that makes deadly cobras or angry killer bees come shooting out of the scammer's phone, that would be even better!
[ link to this | view in thread ]
[ link to this | view in thread ]
Frankly
If we are worrying about AI deciding to kill us all, engaging them with scammers is not the best path to convince them otherwise.
[ link to this | view in thread ]
know thy self
[ link to this | view in thread ]
Re: know thy self
[ link to this | view in thread ]
Re: Re: know thy self
[ link to this | view in thread ]
This is an incredibly stupid approach
1. It's never appropriate to respond to abuse with abuse. (Just like it's never appropriate to "hack back".) It's unethical and unprofessional.
2. Rescam.org is proposing to respond to spam by spamming. Unacceptable. (And they'll likely find themselves quickly blacklisted for it, as they should be.)
3. Attribution is hard. An enormous amount of spam (including that carrying scam payloads) is forged. Sending spam to the victims of that forgery not only strikes back at the wrong people, it makes the problem worse.
4. Responding to spam -- in any way -- gives spammers actionable intelligence. That's why you should never, EVER, do it.
5. Rescam.org is making a fundamental design error: they're building a system that lets unknown third parties control what they emit. This won't end well.
Like I said, these are only SOME of the reasons why this is a horrible idea, and I've really only scratched the surface of the explanation. This "service" should be shut down immediately, and those behind it should be given remedial instruction in the fundamentals of abuse control.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Sophia - Perfect AI bot to battle against these Scammers
Unfortunately, the evil Sophia AI can be developed/trained as the nasty femmbot spammer, spamming us, pulling $$ from these dimwits out there.
AI vs AI
Scary, isn't it?
[ link to this | view in thread ]
Re: know thy self
Looks like a lot of work went into composing this... you know, pressing each of those letter-buttons on the keyboard, clicking the "submit" box... things the training program never taught him.
Vote now!
[ link to this | view in thread ]
Re: Sophia - Perfect AI bot to battle against these Scammers
[ link to this | view in thread ]
The original...
http://www.ebolamonkeyman.com/
[ link to this | view in thread ]
Abuse
[ link to this | view in thread ]
Solution for phone scammers
"Transfer, conference, or forward your telemarketing calls to 1-347-514-7296 or sip:13475147296@in.callcentric.com. If you conference Lenny in, be sure to mute your phone. The rules: Lenny is for incoming, telemarketing calls only - not for annoying people, even if they deserve it."
Lenny is a collection of voice recordings meant to waste the time of phone scammers. Learn more at https://www/reddit/com/r/itslenny There are links to "Lenny Hall of Fame" calls that are quite funny!
[ link to this | view in thread ]
Re: Re:
The cobras, yes, but how would forwarding a call to an AI violate the law? That's nothing like wardialing.
[ link to this | view in thread ]
Re: This is an incredibly stupid approach
"1. It's never appropriate to respond to abuse with abuse. (Just like it's never appropriate to "hack back".) It's unethical and unprofessional."
If I'm targeted by scams, I don't particularly care how "ethical and professional" fighting back against these people is classified. They came to me. It would be wrong for someone else to use rescam to target a non-spammer, not wrong for them to target a genuine con artist.
"2. Rescam.org is proposing to respond to spam by spamming."
Wrong. By definition, spam is *unsolicited* email. If they contact me first, they solicited the response. Again, as long as a person them using them is genuinely using it against a spammer, no problem.
"3. Attribution is hard. An enormous amount of spam (including that carrying scam payloads) is forged. Sending spam to the victims of that forgery not only strikes back at the wrong people, it makes the problem worse."
The fault still lies with the originating spammer. By that definition, they sent unsolicited advertising without a way for genuine respondents to contact them. That's worse than normal spam, since they can't even profit from it.
"4. Responding to spam -- in any way -- gives spammers actionable intelligence. That's why you should never, EVER, do it."
Which is why people often give them specialized email addresses so they can work out who compromised their account by giving it to a spam list. By definition, someone using this service is giving them permission to give them the actionable data (that an email address is in use) to create the counter-action.
"5. Rescam.org is making a fundamental design error: they're building a system that lets unknown third parties control what they emit. This won't end well."
Not exactly. They're giving others the ability to give them target, not the content, frequency, etc. of what they send. They can still control what their AI can do, and what procedures they have in place to mitigate misuse.
So, while I understand your points, I disagree with nearly all of them, with the caveat that I'm assuming this service is being used as intended and not itself abused. This is the AI version of keeping a telemarketer on the line or giving fake into to someone surveying you on the street, only without the downside of you having to waste your own time doing it.
[ link to this | view in thread ]
Re: This is an incredibly stupid approach
Are they? The article didn't say so, and the site blocks anonymous users. I find it hard to see how a direct response to an email could be unsolicited. Points 3-5 are good.
[ link to this | view in thread ]
I see an issue
To be more detailed, lets assume that 25% of all email inflight (being transferred between mail server) is a scam (meh I think it's probably MUCH higher than that, but thats just my suspicion). Further more lets assume that the scammer responds one time to the AI, and ignores the AI's second email (scammer is onto the anti-scam). So the original forward plugs two emails from the AI plus one extra email from the scamer would mean that (assuming everyone used this anti-scamer AI, and they had perfect email rules, both of which would be 'ideal' for this type of attack on scam emails) an extra 100% of all emails are being generate (aka double the number of emails are being sent). So you're AI would need to be running on multiple machines all across the world just to keep up. AND you'd be placing a MUCH heavier load on the internet infrastructure.
[ link to this | view in thread ]
Re: Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Re: Abuse
[ link to this | view in thread ]
Re: Re: This is an incredibly stupid approach
It's not, by definition, unless you want to stretch it along the lines of "the intended recipient wasn't the person who responded". Either way, a response of some kind was solicited.
[ link to this | view in thread ]
Re: I see an issue
Scammers are run just like a call center. They have quotas and SLA's, metrics to measure their success/failure. The end goal is $$$.
[ link to this | view in thread ]
Re:
http://www.jollyrogertelco.com/
[ link to this | view in thread ]
Re: Re: I see an issue
Now feed that through something that increases the demand, but all that new demand is fake. You might hire a few more people to handle that demand, but soon enough the cost vs reward ratio drops. That hits them on both sides - they don't get to so easily scam the people who do give them money and raise the cost doing that in the meantime.
If that doesn't seem likely to have any effect, people should check out the way people have dealt with telemarketers and Nigerian-style scammers over the years. Some of those people have been strung along for a long time (sometimes months in the case of the anti-419 guys), often by being asked to do ridiculous things. It shouldn't be too hard for a bunch of email-only communication to have a measurable effect when there's not a human being getting bored of the joke of the other end.
[ link to this | view in thread ]
Re: Re: This is an incredibly stupid approach
1. But you have no way to know if the putative sender is "these people". Neither does rescam.org. Neither does anyone else.
2. You also have no way to know where the response is really going. See below for an example.
3. Enormous numbers of these scams are run from hijacked email accounts. Attempting to retaliate against re-victimizes innocent bystanders who've already been victimized.
"It would be wrong for someone else to use rescam to target a non-spammer [...]"
That is exactly what it will be used for. How do I know? Because every other service that's enabled that function has been used for it. See, for example, the history of external SMTP callbacks (as foolishly deployed by Verizon for a while 15-ish years ago).
"2. Rescam.org is proposing to respond to spam by spamming."
"Wrong. By definition, spam is *unsolicited* email. If they contact me first, they solicited the response."
Wrong. The correct, canonical definition of (email) spam is "unsolicited bulk email".
And that's all of the definition. There's no clause that says "...but it's okay if you have good intentions" or "...but it's alright if you think you're sending it to spammers".
Increasing the amount of email abuse on the 'net at a time when many of us are working very hard to decrease it is a bad move.
"The fault still lies with the originating spammer. By that definition, they sent unsolicited advertising without a way for genuine respondents to contact them. That's worse than normal spam, since they can't even profit from it."
You don't understand the basics of how this (often) works. The putative sender on the message you receive is quite often NOT the real sender -- because it doesn't have to be in order fo the scam to work.
Think about this for a moment: what do you do if the "Reply-To" field is set? Which it often is.
Or if the message body contains something like this: "to take advantage, reply to scammer@example.net". Which it often does.
The problem you are then faced with is that the putative sender address on the From: line might or might not be where the message came from, but it might also be run by automation: no humans home. (Thus sending a response there achieves nothing but to increase the amount of abusive mail traffic traversing the Internet.) And the Reply-To address might be real, or it might be a completely innocent third party. And the address given in the message body might be either of those two as well.
There's no way to know what the correct one is. Of even if ANY of them are correct.
Like I said, attribution is hard.
"Which is why people often give them specialized email addresses so they can work out who compromised their account by giving it to a spam list. "
Yes, I think it's safe to say I'm aware of this. However, that's not a counter-argument to my point that you should never respond in any way. Some of the more sophisticated spam operations include extensive data acquisition and utilization, and by responding -- replying, following a link, etc. -- spam targets are contributing actionable intelligence to the spammers' ongoing efforts to get past defenses.
"Not exactly. They're giving others the ability to give them target, not the content, frequency, etc. of what they send. They can still control what their AI can do, and what procedures they have in place to mitigate misuse."
No. They can't. Except by shutting it off. Let me give you one example out of many:
Consider for a moment -- and this is something we learned during the Verizon SMTP callback debacle -- what happens if the putative sender uses one of the hundreds of millions of cheap throwaway domains enabled by the combination of ICANN malfeasance and registrar greed. Let's suppose it's example.com.
So you get a message that looks like this:
From: scammer@example.com
And you dutifully feed that to rescam.org. They're eventually going to emit an outbound email message like this:
To: scammer@example.com
Where's that message going to go? Do think it's going to example.com? Really? You're sure of that?
Oh, it MIGHT. But not necessarily. Because, you see, whoever owns example.com might have done this in DNS (and I'm roughly using BIND's yntax here):
MX 10 mail.example.org
That means that when the outbound mail system at rescam.org does a DNS query to find out where to send the message, the returned MX record will say "mail.example.org", and that's where the new, outbound message from rescam.org will be sent. Which means that it's going somewhere THAT HAD NOTHING TO DO WITH THE SCAM.
This is not speculation. It's history.
Repeat a few hundred million times. I'm sure that the operators of the mail system at example.org will be thrilled to have it DOS'd courtesy of rescam.org. Well, until they get tired of this nonsense and drop in a firewall rule to block it.
Also not speculation. Also history.
And keep in mind what I said above: one example. There are many more.
Now, you might at this point say "But they could...". Yeah. They could. I KNOW. This is not my first day on the job. We've been through all this, 15 years ago, and we all collectively realized that handing third parties the levers and knobs to cause our mail servers to emit outbound traffic to destinations of THEIR choosing is an incredibly bad idea and we all decided to never do that again. (Or not to do it in the first place.) But apparently the people behind rescam.org didn't get the memo.
Rescam.org think they've built an anti-spam weapon. They haven't. In their profound naivete and ignorance, they've built a target.
[ link to this | view in thread ]
Re: Re: Re: This is an incredibly stupid approach
Yes, they do. They have the request from the person who received the email, plus checking to see if the email is actually formatted as a scam. It's as much data as anyone responding to a spammer has to go on, be that an authority, ISP or other body.
You appear to be demanding zero action against spammers, since any fraud will be the sme no matter who actions it.
"Wrong. The correct, canonical definition of (email) spam is "unsolicited bulk email"."
How does the addition of the word "bulk" suddenly make the response to it spam, as you claimed?
The rest of your response seems to veer between nonsense and a real bugbear you have against anyone misusing email. But you haven't made a real case against rescam.org, other than you think that battling spammers on the behalf of their victims is a bad idea. The company checks before initiating contact, does not (as far as I can tell) initiate further contact if a reply is not received, and will presumably have further safeguards to prevent them being used a spam vector themselves.
I know how email can be abused, and I know that it's insecure by design. How would you prefer people proceed, as outsourcing the conversation is something you object to, and nothing involving legal or technical measures against them have realy helped the fundamental problems.
[ link to this | view in thread ]
Re: Re: Re: I see an issue
We could try making it illegal to purchase things from spammers, kind of like some countries do with prostitution...
[ link to this | view in thread ]
Re: Re: Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Terrible idea
The idea is as stupid as the day is long. Once again... TD thinks a dumb idea is a good one... no shocker there!
Lets try to work towards keeping the Net dry instead of slagged with sewer.
[ link to this | view in thread ]
Re: Re: Re: Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Re: Terrible idea
Why you no sign in anymore? wiLLie?
[ link to this | view in thread ]
Re: Re: Re: Re: I see an issue
Adding charges would not only probably not deter them (especially the ones who are falling for the "Nigerian prince needs $50,000 to move his fortune" scams rather than the "buy cheap Viagra" ones), it would most likely put others off buying from legitimate online outlets just in case.
[ link to this | view in thread ]
Re: The original...
[ link to this | view in thread ]
Re: Terrible idea
[ link to this | view in thread ]
Re: Re: Re: Re: Re: I see an issue
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: I see an issue
[ link to this | view in thread ]
Re: Re: Abuse
They might be perfectly benign and genuinely trying to help. But it wouldn't be had to abuse that amount of potential info either.
[ link to this | view in thread ]
Re: Re: Terrible idea
[ link to this | view in thread ]
Re: Re: Terrible idea
You should be fired for being exceptionally stupid about this.
"The few kb that it takes per email is nothing on today's networks."
Seriously? what an idiot...
You do realize that more than just 1 email is going to be involved right? Not only that but the power necessary to process the data which will require manpower and infrastructure dedicated to the effort.
it's NOT just a few kb. it FUCKING ADDS UP!
[ link to this | view in thread ]
Bluefrog did something similar
That sounds great, right? Well the spammers got smart to this and started issuing DDOS attacks on Bluefrog's website and blog platform. It was bad enough to go after their website, but the blog platform had hundreds of other blogs, which were also taken down by the attack. The blogging company had to end Bluefrog's account out of self-defense, and Bluefrog itself shut down shortly after.
So will something similar happen to Re:Scam? Will spammers issue DDOS attacks on any site that talks about this service?
[ link to this | view in thread ]
Re: Re: Re: Abuse
Furthermore, the research I've read seems to suggest that spammers deliberately make their messages of a lower quality, because those who recognise them easily as spam are far less receptive to the con tricks to be used on the people who reply to them. That is, they know what fools people, they only succeed because they're able to send out millions of messages for zero cost for every person fooled.
They'd have relatively little to gain, and what it was would be likely far lower quality than what they already have. What's far more likely is that we have some people creating AI projects who have decided to have a little fun with the spammers that are the bane of everybody with a non-disposable email account they have to use for serious activity, and learn something from them in the process about how their bots react.
In this case, Occam's Razor suggests they're above board.
[ link to this | view in thread ]
Re: Solution for phone scammers
Lenny is the BEST.
[ link to this | view in thread ]
Re: Re: Re: Re: This is an incredibly stupid approach
> Yes, they do
You're missing the point. There is no way for anyone to know if the address on the "From:" line is what it appears to be, or if it's actually under the control of the person that it should be. Are you not aware of the numerous means by which addresses/domains are forged, hijacked, and otherwise implicated in spam that they had nothing to do with? This is common knowledge among anyone who's run any kind of Internet-connect mail system for even a short period of time.
(And no, all the anti-forgery technologies rolled out in the last decade or so don't stop all of that. Consider, for example, Yahoo.)
> It's as much data as anyone responding to a spammer has to go on, be that an authority, ISP or other body.
That's why nobody who knows what they're doing responds to spam: there's no way to do it that actually works. Lots of people -- like rescam.org -- like to pretend that it can be done, because it would be great if it did. But it doesn't. We know. We've been through all this already.
> You appear to be demanding zero action against spammers, since any fraud will be the sme no matter who actions it.
Hardly. I've spent 30+ years fighting spammers. (And yes, I have the receipts.) I'm simply pointing out that THIS particular action is a horribly bad idea that will lead directly to abuse.
> How does the addition of the word "bulk" suddenly make the response to it spam, as you claimed?
The addition of the word "bulk" makes it the correct definition of spam: we settled that decades ago. If rescam.org emits UBE, then they're spammers. Doesn't matter why, doesn't matter where it goes, doesn't matter if they do it on request, doesn't matter.
> The rest of your response seems to veer between nonsense [...]
I'm sorry that you don't understand the technical basics of SMTP, DNS, mail systems, and spam. Perhaps you should study them before you wade into a debate about them. The example I provided is actually one of the simplest: abusers can and have deployed much more complex ones.
> How would you prefer people proceed, [...]
In the case of nearly everyone: do nothing EXCEPT report it to your own mail system admins. Per RFC 2142 (I presume you know what an RFC is and have read all the ones relevant to email) every domain should have an abuse reporting address, e.g. abuse@example.com. (Your own mail system have additional methods for reporting abuse, but they should have at least that one.) File abuse reports -- making sure to include full headers of course -- and if they're at all competent, they will read them, analyze them, and act on them.
Any middling mail admin can block 95% of spam without even trying hard or performing case-specific analysis. A good mail admin will do more and get that percentage up 98-99% with a tiny FP rate. A really good mail admin will perform statistical log analysis over short, medium, and long timelines and use that data to do even better. All of them, though, should be reading abuse reports and doing something about them. If yours doesn't, maybe you should switch to a better one.
In the case of the few people left over: learn. And there is a LOT to learn. Wish there wasn't, but there is. And it's especially important to learn about all the things that people tried that didn't work and/or made the problem worse. This -- rescam.org -- is the product of ignorant people who didn't do that. They're not just making a mistake, they're repeating a well-known mistake.
[ link to this | view in thread ]
Re: Bluefrog did something similar
It didn't take long.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Re: Re: Re: This is an incredibly stupid approach
This appeared to be in response to Rich's caustic and threatening comments made to a fellow subscriber, an employee of a company called Marketo. After receiving negative feedback regarding the comments he made to the Marketo employee, he responded with a statement, made publicly to the list, that included the phrase "summary execution." Here is an excerpt from one of his posts on August 24 (emphasis added):
"Morever, I think my remarks were extraordinarily forgiving and magnanimous: as you may recall, I'm on the record advocating the death penalty for spammers, so my *preferred* solution would be the summary execution of every single Marketo employee. However, in the interest of collegiality, I've generously refrained from asking them to make that happen, and have only asked that they take the basic steps that everyone in civilized societies takes when they're doing something wrong: stop it, admit it, apologize for it, and make it right. That's a pretty massive concession on my part -- more than collegial, it's damned generous."
[ link to this | view in thread ]
Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Do We Get To See The Exchanges?
If we could view the resulting e-mail exchanges somewhere, that would provide useful info on this. Is there any reason not to make them all public?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: I see an issue
Come to think of it, doesn't that describe lottery players too? Surely putting the lottery profits toward public education would fix gullability.
/s (we already tried that)
[ link to this | view in thread ]
Re: Re: Re: Re: This is an incredibly stupid approach
The thing is: it's really, really unlikely that any jurisdiction will ever pass legislation that encompasses this. (Take a look at CAN-SPAM, which effectively legalized spam in the US.) So in all probability it won't ever happen, and spammers will keep doing what they're doing because there's not much reason for them to stop.
Which is why robust defenses are the best answer: attempts to take offensive action (like the "hack back" approach proposed in recent legislation) are doomed to fail, or worse, backfire, or still worse, target the wrong people.
[ link to this | view in thread ]
Re: Re: Re: Abuse
Some spammers embed data in their messages (on a per-recipient basis) that is intended to allow them to track the disposition of that message. Sometimes it's in URLs. Sometimes it's in the headers. Sometimes it's in the text. And sometimes it's obvious, and sometimes it's not: we've seen instances where whitespace variations were used, and depending on what mail client is in use by recipients, those may be invisible or nearly so.
If replies to such messages include some of that data, then that allows the spammer to correlate the sent spam against the received reply. That in turn provides useful information: for one thing, it verifies that the original recipient was a valid address. It also demonstrates that the message made it past the recipient's defenses. This is all useful intelligence for spammers...which is why it's a good idea not to furnish it to them.
[ link to this | view in thread ]
We're here already
[ link to this | view in thread ]
Re: Re: Re: Re: Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
PaulT and many like him are chronic sufferers of the Dunning-Kruger effect. sure... the know a little something something, but they are not capable of effectively using that knowledge to benefit themselves or others with their participation. They wind up absorbing everyone's time with their ignorance and posturing.
[ link to this | view in thread ]
Re: This is an incredibly stupid approach
Obviously most scammers use spam to try to lure in gullible people, but Re:Scam seems to be focused on interacting with the scammers, not the spammers.
Using Re:Scam may or may not be a good idea, but you seem to be criticizing something that it is not.
[ link to this | view in thread ]
Re: Re: know thy self
[ link to this | view in thread ]
Re: Solution for phone scammers
typo in the URL.
(https://www.reddit.com/r/itslenny)
[ link to this | view in thread ]
Re:
Check out It's Lenny
[ link to this | view in thread ]
Re: Re: Re: Re: Re: This is an incredibly stupid approach
I'm sorry that your entire schtick seems to be writing reams of rambling drivel while assuming that you're the only person who does.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
...and I don't? Please...
Of course, twats like you *could* actually address points and come up with intelligent reasons why I'm wrong rather than launching immediately into attacks and whining. But, you're not that honest, we know that.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Re: Re: Re: Re: Re: This is an incredibly stupid approach
There's still some disagreement about whether it has to be commercial to be spam, or at least there was a decade or two ago.
Does one (unique) reply, in response to a manually-verified email, really count as bulk? Any kind of autoreplier would be spam by that logic. If I sent an email to a list and a got an autoreply trying to sell me something, I'd agree, but something like a vacation autoreply would just be annoying and not spam.
ReScam is an amusing but bad idea that's open to abuse... but saying they're spammers is an overreaction.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
Is there a non-zero chance of abuse? Sure. Are rescam just accepting anything given to them and prepped to send out millions of spam messages? No.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
The problem here seems to be that self-proclaimed experts are whining about the potential for things they find obvious, while simultaneously assuming that nobody at rescam thought of them.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
Well, apart from the checks they've stated they already make, plus some easy-ish sanity checks and mitigating suspicious behaviour and easily checked forgery tactics they will probably perform. There's nothing they've said that guarantees they send out responses for every request they receive, let alone do so blindly.
"Assume it's sent 10M,"
Why not assume 10? Why not ten trillion trillion trillion? Picking a scary-sounding arbitrary number doesn't give the rest of the fears you pulled out of the air any weight.
Yes, if incompetently designed with zero checks and zero monitoring, their system can easily be abused and turned into a botnet. Since that's clearly not the case from what's already stated in the article, why are you so scared of them?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
And no, I'm not an expert: I'm a student of experts, like the late Bruce Gingery, who knew way more than I'm ever going to know. It's in part thanks to him that I know how to identify abuse magnets like this one.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach
Honestly, my view on this - it's a great experiment, and a way of automating the kind of stringing along of scammers that we've seen many times in more manual fashion. I think it's more of an experiment to train AI and see how they deal with scammers who think they're talking to humans than a way to truly conquer spam. It's about data gathered, not sending emails, and they will most likely have no problem shutting down all email or even the project itself if it's seen to be compromised.
All in all, while concerns about abuse or targeting are valid, I think they're being somewhat overblown in this thread. While things like reporting to an ISP abuse team, etc., are great answers, the fact is that these things are still a major problem despite decades of fighting them, and learning how to make things more difficult (and therefore more expensive/less lucrative for the scammers) may be more valuable than continuing trying to firefight at the infrastructure or client level. The risks of a project like this may be worth the potential for abuse, especially as the project could easily be pulled immediately if true widespread abuse is detected.
Concerns are valid, just don't think you're the only one to have considered them.
[ link to this | view in thread ]
Re: know thy self
[ link to this | view in thread ]
Okay, okay, lets get to the point
I immediately had a gut feel that this was just gonna go wrong. Had to think a bit, but here is the fundamental problem:
the scammers use rescam.org to attack other scammers
Thus, you get more email spam floating the net and this time you are just fueling an arms race by the scammers.
What are the core email attack vectors? Hazardous web pages linked in emails, and infected attachments. So, look to the anti-virus people for their techniques. Pull those pages or attachments into a virtual machine environment, or stage 2, human analytics, and learn about their tactics. With that, then issue security improvements or issue dynamic community only blacklisting of the relevant domains (see Response Policy Zones; aka RPZ).
But, dont give armaments to the scammers, for they will scam the anti-scammer tactics ;)
/Meh
[ link to this | view in thread ]
[ link to this | view in thread ]