A Great Use For Artificial Intelligence: Scamming Scammers By Wasting Their Time

from the I,-for-one,-welcome-our-new-AI-chatbot-overlords dept

As artificial intelligence (AI) finally begins to deliver on the field's broken promises of the last forty years, there's been some high-profile hand-wringing about the risks, from the likes of Stephen Hawking and Elon Musk, among others. It's always wise to be cautious, but surely even AI's fiercest critics would find it hard not to like the following small-scale application of the technology to tackle the problem of phishing scams. Instead of simply deleting the phishing email, you forward it to a new service called Re:Scam, and the AI takes over. The aim is to waste the time of scammers by engaging them with AI chatbots, so as to reduce the volume of phishing emails that they can send and follow up:

When you forward an email, you believe to be a scam to me@rescam.org a check is done to make sure it is a scam attempt, and then a proxy email address is used to engage the scammer. This will flood their inboxes with responses without any way for them to tell who is a chat-bot, and who is a real vulnerable target. Once you've forwarded an email nothing more is required on your part, but the more you send through, the more effective it will be.

Here's how the AI is applied:

Re:scam can take on multiple personas, imitating real human tendencies with humour and grammatical errors, and can engage with infinite scammers at once, meaning it can continue an email conversation for as long as possible. Re:scam will turn the table on scammers by wasting their time, and ultimately damage the profits for scammers.

When you send emails to Re:Scam, it not only ties up the scammers in fruitless conversations, it also helps to train the underlying AI system. The service doesn't require any sign-up -- you just forward the phishing email to me@rescam.org -- and there's no charge. Re:Scam comes from Netsafe, a well-established non-profit online safety organization based in New Zealand, which is supported by government bodies there. It's a nice idea, and it would be interesting to see it applied in other situations. That way we could enjoy the benefits of AI for a while, before it decides to kill us all.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: ai, busy work, phishing, rescan, scams


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    McGyver (profile), 15 Nov 2017 @ 3:33am

    This sounds great.
    Now if someone can design something to fight scam phone calls too... Preferably something that makes deadly cobras or angry killer bees come shooting out of the scammer's phone, that would be even better!

    link to this | view in thread ]

  2. identicon
    Zem, 15 Nov 2017 @ 3:42am

    All we need now is another AI acting as the scammer. The winner to become skynet.

    link to this | view in thread ]

  3. identicon
    David, 15 Nov 2017 @ 3:51am

    Frankly

    That way we could enjoy the benefits of AI for a while, before it decides to kill us all.

    If we are worrying about AI deciding to kill us all, engaging them with scammers is not the best path to convince them otherwise.

    link to this | view in thread ]

  4. This comment has been flagged by the community. Click here to show it
    identicon
    you know, 15 Nov 2017 @ 4:06am

    know thy self

    tech dirt is the fucking most anal gay sexually explicit gay unholy ghost head in the world ever and ever poofs.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 15 Nov 2017 @ 4:18am

    Re: know thy self

    Looks like it's working!

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 15 Nov 2017 @ 4:26am

    Re: Re: know thy self

    Nah, that's just my_name_here being his usual self.

    link to this | view in thread ]

  7. identicon
    Rich Kulawiec, 15 Nov 2017 @ 4:42am

    This is an incredibly stupid approach

    The people behind this clearly don't comprehend even the first principles of abuse response. Let me lay out, briefly, SOME of the reasons why this should be shut down immediately.

    1. It's never appropriate to respond to abuse with abuse. (Just like it's never appropriate to "hack back".) It's unethical and unprofessional.

    2. Rescam.org is proposing to respond to spam by spamming. Unacceptable. (And they'll likely find themselves quickly blacklisted for it, as they should be.)

    3. Attribution is hard. An enormous amount of spam (including that carrying scam payloads) is forged. Sending spam to the victims of that forgery not only strikes back at the wrong people, it makes the problem worse.

    4. Responding to spam -- in any way -- gives spammers actionable intelligence. That's why you should never, EVER, do it.

    5. Rescam.org is making a fundamental design error: they're building a system that lets unknown third parties control what they emit. This won't end well.

    Like I said, these are only SOME of the reasons why this is a horrible idea, and I've really only scratched the surface of the explanation. This "service" should be shut down immediately, and those behind it should be given remedial instruction in the fundamentals of abuse control.

    link to this | view in thread ]

  8. icon
    Bergman (profile), 15 Nov 2017 @ 4:44am

    Re:

    That would, unfortunately, be illegal in the US, due to a law passed a few decades ago against the use of war-dialers as an anti-hacking measure.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 15 Nov 2017 @ 4:47am

    Re: This is an incredibly stupid approach

    My god. If you just responded to all the scammers with what you just posted here you'd bore them out of continuing to send emails.

    link to this | view in thread ]

  10. icon
    McGyver (profile), 15 Nov 2017 @ 4:50am

    Re: This is an incredibly stupid approach

    So... No to the cobras and killer bees too?

    link to this | view in thread ]

  11. icon
    Power Guy Rules (profile), 15 Nov 2017 @ 5:06am

    Sophia - Perfect AI bot to battle against these Scammers

    If we have Sophia AI femmbot at home/office, plug her to Internet and let her do the thing for us, our life would be much easier.

    Unfortunately, the evil Sophia AI can be developed/trained as the nasty femmbot spammer, spamming us, pulling $$ from these dimwits out there.

    AI vs AI

    Scary, isn't it?

    link to this | view in thread ]

  12. icon
    Vidiot (profile), 15 Nov 2017 @ 5:06am

    Re: know thy self

    Bet we can vote this comment into "Funniest of the Week".

    Looks like a lot of work went into composing this... you know, pressing each of those letter-buttons on the keyboard, clicking the "submit" box... things the training program never taught him.

    Vote now!

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 15 Nov 2017 @ 5:16am

    Re: Sophia - Perfect AI bot to battle against these Scammers

    "I can call you Betty..."

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 15 Nov 2017 @ 5:25am

    The original...

    If you have some time, see what a master craftsman human can do with scammers.

    http://www.ebolamonkeyman.com/

    link to this | view in thread ]

  15. icon
    Éibhear (profile), 15 Nov 2017 @ 5:38am

    Abuse

    I *would* be concerned about abuse: legitimate e-mails being forwarded to Re:Scam as a sort of malicious denial-of-service attack on otherwise innocent people.

    link to this | view in thread ]

  16. identicon
    pegr, 15 Nov 2017 @ 5:39am

    Solution for phone scammers

    Lenny!

    "Transfer, conference, or forward your telemarketing calls to 1-347-514-7296 or sip:13475147296@in.callcentric.com. If you conference Lenny in, be sure to mute your phone. The rules: Lenny is for incoming, telemarketing calls only - not for annoying people, even if they deserve it."

    Lenny is a collection of voice recordings meant to waste the time of phone scammers. Learn more at https://www/reddit/com/r/itslenny There are links to "Lenny Hall of Fame" calls that are quite funny!

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 15 Nov 2017 @ 5:51am

    Re: Re:

    That would, unfortunately, be illegal in the US, due to a law passed a few decades ago against the use of war-dialers as an anti-hacking measure.

    The cobras, yes, but how would forwarding a call to an AI violate the law? That's nothing like wardialing.

    link to this | view in thread ]

  18. icon
    PaulT (profile), 15 Nov 2017 @ 5:54am

    Re: This is an incredibly stupid approach

    You have some resonable points, but you're wrong on most of them in my view:

    "1. It's never appropriate to respond to abuse with abuse. (Just like it's never appropriate to "hack back".) It's unethical and unprofessional."

    If I'm targeted by scams, I don't particularly care how "ethical and professional" fighting back against these people is classified. They came to me. It would be wrong for someone else to use rescam to target a non-spammer, not wrong for them to target a genuine con artist.

    "2. Rescam.org is proposing to respond to spam by spamming."

    Wrong. By definition, spam is *unsolicited* email. If they contact me first, they solicited the response. Again, as long as a person them using them is genuinely using it against a spammer, no problem.

    "3. Attribution is hard. An enormous amount of spam (including that carrying scam payloads) is forged. Sending spam to the victims of that forgery not only strikes back at the wrong people, it makes the problem worse."

    The fault still lies with the originating spammer. By that definition, they sent unsolicited advertising without a way for genuine respondents to contact them. That's worse than normal spam, since they can't even profit from it.

    "4. Responding to spam -- in any way -- gives spammers actionable intelligence. That's why you should never, EVER, do it."

    Which is why people often give them specialized email addresses so they can work out who compromised their account by giving it to a spam list. By definition, someone using this service is giving them permission to give them the actionable data (that an email address is in use) to create the counter-action.

    "5. Rescam.org is making a fundamental design error: they're building a system that lets unknown third parties control what they emit. This won't end well."

    Not exactly. They're giving others the ability to give them target, not the content, frequency, etc. of what they send. They can still control what their AI can do, and what procedures they have in place to mitigate misuse.

    So, while I understand your points, I disagree with nearly all of them, with the caveat that I'm assuming this service is being used as intended and not itself abused. This is the AI version of keeping a telemarketer on the line or giving fake into to someone surveying you on the street, only without the downside of you having to waste your own time doing it.

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 15 Nov 2017 @ 5:54am

    Re: This is an incredibly stupid approach

    1. Rescam.org is proposing to respond to spam by spamming. Unacceptable. (And they'll likely find themselves quickly blacklisted for it, as they should be.)

    Are they? The article didn't say so, and the site blocks anonymous users. I find it hard to see how a direct response to an email could be unsolicited. Points 3-5 are good.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 15 Nov 2017 @ 5:55am

    I see an issue

    I think this certainly is a very clever idea. However I do not think that it is actually a good idea. For this to be effective at combating scammers at scale, it assumes that scammers have limited time & resources they are willing to pour into hurting people (which as far as I can tell is not true).
    To be more detailed, lets assume that 25% of all email inflight (being transferred between mail server) is a scam (meh I think it's probably MUCH higher than that, but thats just my suspicion). Further more lets assume that the scammer responds one time to the AI, and ignores the AI's second email (scammer is onto the anti-scam). So the original forward plugs two emails from the AI plus one extra email from the scamer would mean that (assuming everyone used this anti-scamer AI, and they had perfect email rules, both of which would be 'ideal' for this type of attack on scam emails) an extra 100% of all emails are being generate (aka double the number of emails are being sent). So you're AI would need to be running on multiple machines all across the world just to keep up. AND you'd be placing a MUCH heavier load on the internet infrastructure.

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 15 Nov 2017 @ 5:55am

    Re: Re: This is an incredibly stupid approach

    Hmm, that first digit was a "2" when I posted it...

    link to this | view in thread ]

  22. icon
    PaulT (profile), 15 Nov 2017 @ 6:00am

    Re: Abuse

    That would be a concern, but it seems that they do perform a check before initiating the response, plus the whole thing seems intended to keep a conversation going. As long as further checks are performed and it doesn't do anything malicious if the other side doesn't respond, that seems fine to me.

    link to this | view in thread ]

  23. icon
    PaulT (profile), 15 Nov 2017 @ 6:02am

    Re: Re: This is an incredibly stupid approach

    "I find it hard to see how a direct response to an email could be unsolicited"

    It's not, by definition, unless you want to stretch it along the lines of "the intended recipient wasn't the person who responded". Either way, a response of some kind was solicited.

    link to this | view in thread ]

  24. identicon
    I.T. Guy, 15 Nov 2017 @ 6:16am

    Re: I see an issue

    "it assumes that scammers have limited time & resources they are willing to pour into hurting people (which as far as I can tell is not true)"

    Scammers are run just like a call center. They have quotas and SLA's, metrics to measure their success/failure. The end goal is $$$.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 15 Nov 2017 @ 6:35am

    Re:

    link to this | view in thread ]

  26. icon
    PaulT (profile), 15 Nov 2017 @ 6:41am

    Re: Re: I see an issue

    Exactly. The reason why spam is still so prevalent is because there's so much reward vs. little cost/risk. Send out tens of millions of email, hire a few guys to handle the 100 that someone's dumb enough to reply to, profit! But, every sales boiler room and junk mail operation depends on the leads coming back to them as being remotely genuine, for the most part.

    Now feed that through something that increases the demand, but all that new demand is fake. You might hire a few more people to handle that demand, but soon enough the cost vs reward ratio drops. That hits them on both sides - they don't get to so easily scam the people who do give them money and raise the cost doing that in the meantime.

    If that doesn't seem likely to have any effect, people should check out the way people have dealt with telemarketers and Nigerian-style scammers over the years. Some of those people have been strung along for a long time (sometimes months in the case of the anti-419 guys), often by being asked to do ridiculous things. It shouldn't be too hard for a bunch of email-only communication to have a measurable effect when there's not a human being getting bored of the joke of the other end.

    link to this | view in thread ]

  27. identicon
    Rich Kulawiec, 15 Nov 2017 @ 6:56am

    Re: Re: This is an incredibly stupid approach

    "If I'm targeted by scams, I don't particularly care how "ethical and professional" fighting back against these people is classified."

    1. But you have no way to know if the putative sender is "these people". Neither does rescam.org. Neither does anyone else.

    2. You also have no way to know where the response is really going. See below for an example.

    3. Enormous numbers of these scams are run from hijacked email accounts. Attempting to retaliate against re-victimizes innocent bystanders who've already been victimized.

    "It would be wrong for someone else to use rescam to target a non-spammer [...]"

    That is exactly what it will be used for. How do I know? Because every other service that's enabled that function has been used for it. See, for example, the history of external SMTP callbacks (as foolishly deployed by Verizon for a while 15-ish years ago).

    "2. Rescam.org is proposing to respond to spam by spamming."

    "Wrong. By definition, spam is *unsolicited* email. If they contact me first, they solicited the response."

    Wrong. The correct, canonical definition of (email) spam is "unsolicited bulk email".

    And that's all of the definition. There's no clause that says "...but it's okay if you have good intentions" or "...but it's alright if you think you're sending it to spammers".

    Increasing the amount of email abuse on the 'net at a time when many of us are working very hard to decrease it is a bad move.


    "The fault still lies with the originating spammer. By that definition, they sent unsolicited advertising without a way for genuine respondents to contact them. That's worse than normal spam, since they can't even profit from it."

    You don't understand the basics of how this (often) works. The putative sender on the message you receive is quite often NOT the real sender -- because it doesn't have to be in order fo the scam to work.

    Think about this for a moment: what do you do if the "Reply-To" field is set? Which it often is.

    Or if the message body contains something like this: "to take advantage, reply to scammer@example.net". Which it often does.

    The problem you are then faced with is that the putative sender address on the From: line might or might not be where the message came from, but it might also be run by automation: no humans home. (Thus sending a response there achieves nothing but to increase the amount of abusive mail traffic traversing the Internet.) And the Reply-To address might be real, or it might be a completely innocent third party. And the address given in the message body might be either of those two as well.

    There's no way to know what the correct one is. Of even if ANY of them are correct.

    Like I said, attribution is hard.

    "Which is why people often give them specialized email addresses so they can work out who compromised their account by giving it to a spam list. "

    Yes, I think it's safe to say I'm aware of this. However, that's not a counter-argument to my point that you should never respond in any way. Some of the more sophisticated spam operations include extensive data acquisition and utilization, and by responding -- replying, following a link, etc. -- spam targets are contributing actionable intelligence to the spammers' ongoing efforts to get past defenses.

    "Not exactly. They're giving others the ability to give them target, not the content, frequency, etc. of what they send. They can still control what their AI can do, and what procedures they have in place to mitigate misuse."

    No. They can't. Except by shutting it off. Let me give you one example out of many:

    Consider for a moment -- and this is something we learned during the Verizon SMTP callback debacle -- what happens if the putative sender uses one of the hundreds of millions of cheap throwaway domains enabled by the combination of ICANN malfeasance and registrar greed. Let's suppose it's example.com.

    So you get a message that looks like this:

    From: scammer@example.com

    And you dutifully feed that to rescam.org. They're eventually going to emit an outbound email message like this:

    To: scammer@example.com

    Where's that message going to go? Do think it's going to example.com? Really? You're sure of that?

    Oh, it MIGHT. But not necessarily. Because, you see, whoever owns example.com might have done this in DNS (and I'm roughly using BIND's yntax here):

    MX 10 mail.example.org

    That means that when the outbound mail system at rescam.org does a DNS query to find out where to send the message, the returned MX record will say "mail.example.org", and that's where the new, outbound message from rescam.org will be sent. Which means that it's going somewhere THAT HAD NOTHING TO DO WITH THE SCAM.

    This is not speculation. It's history.

    Repeat a few hundred million times. I'm sure that the operators of the mail system at example.org will be thrilled to have it DOS'd courtesy of rescam.org. Well, until they get tired of this nonsense and drop in a firewall rule to block it.

    Also not speculation. Also history.

    And keep in mind what I said above: one example. There are many more.

    Now, you might at this point say "But they could...". Yeah. They could. I KNOW. This is not my first day on the job. We've been through all this, 15 years ago, and we all collectively realized that handing third parties the levers and knobs to cause our mail servers to emit outbound traffic to destinations of THEIR choosing is an incredibly bad idea and we all decided to never do that again. (Or not to do it in the first place.) But apparently the people behind rescam.org didn't get the memo.

    Rescam.org think they've built an anti-spam weapon. They haven't. In their profound naivete and ignorance, they've built a target.

    link to this | view in thread ]

  28. icon
    PaulT (profile), 15 Nov 2017 @ 7:15am

    Re: Re: Re: This is an incredibly stupid approach

    "1. But you have no way to know if the putative sender is "these people". Neither does rescam.org. Neither does anyone else."

    Yes, they do. They have the request from the person who received the email, plus checking to see if the email is actually formatted as a scam. It's as much data as anyone responding to a spammer has to go on, be that an authority, ISP or other body.

    You appear to be demanding zero action against spammers, since any fraud will be the sme no matter who actions it.

    "Wrong. The correct, canonical definition of (email) spam is "unsolicited bulk email"."

    How does the addition of the word "bulk" suddenly make the response to it spam, as you claimed?

    The rest of your response seems to veer between nonsense and a real bugbear you have against anyone misusing email. But you haven't made a real case against rescam.org, other than you think that battling spammers on the behalf of their victims is a bad idea. The company checks before initiating contact, does not (as far as I can tell) initiate further contact if a reply is not received, and will presumably have further safeguards to prevent them being used a spam vector themselves.

    I know how email can be abused, and I know that it's insecure by design. How would you prefer people proceed, as outsourcing the conversation is something you object to, and nothing involving legal or technical measures against them have realy helped the fundamental problems.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 15 Nov 2017 @ 7:17am

    Re: Re: Re: I see an issue

    Send out tens of millions of email, hire a few guys to handle the 100 that someone's dumb enough to reply to, profit!

    We could try making it illegal to purchase things from spammers, kind of like some countries do with prostitution...

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 15 Nov 2017 @ 7:20am

    Re: Re: Re: This is an incredibly stupid approach

    How are your scammy investments doing these days?

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 15 Nov 2017 @ 7:36am

    Terrible idea

    it will just turn the net into a massive DOS attack where 50% of all traffic is AI systems fucking with each other.

    The idea is as stupid as the day is long. Once again... TD thinks a dumb idea is a good one... no shocker there!

    Lets try to work towards keeping the Net dry instead of slagged with sewer.

    link to this | view in thread ]

  32. identicon
    I.T. Guy, 15 Nov 2017 @ 7:38am

    Re: Re: Re: Re: This is an incredibly stupid approach

    Don't waste your time. Rich's business card says "Marketeer."

    link to this | view in thread ]

  33. identicon
    I.T. Guy, 15 Nov 2017 @ 7:42am

    Re: Terrible idea

    Sorry but this isn't the days of dial-up. The few kb that it takes per email is nothing on today's networks.


    Why you no sign in anymore? wiLLie?

    link to this | view in thread ]

  34. icon
    PaulT (profile), 15 Nov 2017 @ 7:44am

    Re: Re: Re: Re: I see an issue

    That wouldn't help. Most of the people who fall for spam are dumb or greedy already. In fact I believe it's been noted that the reason so many of them are so poorly written is to weed out those who would be intelligent enough to realise they're being conned.

    Adding charges would not only probably not deter them (especially the ones who are falling for the "Nigerian prince needs $50,000 to move his fortune" scams rather than the "buy cheap Viagra" ones), it would most likely put others off buying from legitimate online outlets just in case.

    link to this | view in thread ]

  35. identicon
    Anonymous Coward, 15 Nov 2017 @ 8:32am

    Re: The original...

    Far too labor intensive for bulk application.

    link to this | view in thread ]

  36. identicon
    Anonymous Coward, 15 Nov 2017 @ 8:39am

    Re: Terrible idea

    There may be a short period of that while the economics shift, but waging an ai spambot war is not profitable. Once the money's gone the war will end.

    link to this | view in thread ]

  37. icon
    JoeCool (profile), 15 Nov 2017 @ 8:48am

    Re: Re: Re: Re: Re: I see an issue

    I think his post was meant to be read as funny or sarcastic. Poe's Law strikes again! :)

    link to this | view in thread ]

  38. identicon
    Anonymous Coward, 15 Nov 2017 @ 9:02am

    Re: Re:

    Is there something similar but free?

    link to this | view in thread ]

  39. icon
    PaulT (profile), 15 Nov 2017 @ 9:02am

    Re: Re: Re: Re: Re: Re: I see an issue

    You can never tell nowadays :(

    link to this | view in thread ]

  40. identicon
    bob, 15 Nov 2017 @ 9:14am

    Re: Re: Abuse

    My main concern is what the organization is doing with your email info when you forward the email. It would be simple to create a list of valid email addresses to then resell to the scammers or other entities (you need to be able to pay the bills). That information could then be used to build better scam emails because the scammers can see what didn't fool people.

    They might be perfectly benign and genuinely trying to help. But it wouldn't be had to abuse that amount of potential info either.

    link to this | view in thread ]

  41. identicon
    Anonymous Coward, 15 Nov 2017 @ 9:19am

    Re: Re: Terrible idea

    No, it will just create a new battle front, either way it will be huge waste of resources and time.

    link to this | view in thread ]

  42. identicon
    Anonymous Coward, 15 Nov 2017 @ 9:24am

    Re: Re: Terrible idea

    You work in IT with that garbage explain?

    You should be fired for being exceptionally stupid about this.

    "The few kb that it takes per email is nothing on today's networks."

    Seriously? what an idiot...

    You do realize that more than just 1 email is going to be involved right? Not only that but the power necessary to process the data which will require manpower and infrastructure dedicated to the effort.

    it's NOT just a few kb. it FUCKING ADDS UP!

    link to this | view in thread ]

  43. icon
    John85851 (profile), 15 Nov 2017 @ 9:24am

    Bluefrog did something similar

    Does anyone remember a website called Bluefrog? Their process for fighting spammers was similar: you forward spam to them (or in the case of Yahoo Mail, you could link a folder to automatically process spam). The Bluefrog would overload the spammer with unsubscribe requests until the spammer gave up.

    That sounds great, right? Well the spammers got smart to this and started issuing DDOS attacks on Bluefrog's website and blog platform. It was bad enough to go after their website, but the blog platform had hundreds of other blogs, which were also taken down by the attack. The blogging company had to end Bluefrog's account out of self-defense, and Bluefrog itself shut down shortly after.

    So will something similar happen to Re:Scam? Will spammers issue DDOS attacks on any site that talks about this service?

    link to this | view in thread ]

  44. icon
    PaulT (profile), 15 Nov 2017 @ 9:28am

    Re: Re: Re: Abuse

    That seems like a rather unlikely concern, though. The people targeted by this service are the least likely to be interest in what spammers are selling. They are probably people also more likely to have disposable email accounts, and able to create new ones once compromised.

    Furthermore, the research I've read seems to suggest that spammers deliberately make their messages of a lower quality, because those who recognise them easily as spam are far less receptive to the con tricks to be used on the people who reply to them. That is, they know what fools people, they only succeed because they're able to send out millions of messages for zero cost for every person fooled.

    They'd have relatively little to gain, and what it was would be likely far lower quality than what they already have. What's far more likely is that we have some people creating AI projects who have decided to have a little fun with the spammers that are the bane of everybody with a non-disposable email account they have to use for serious activity, and learn something from them in the process about how their bots react.

    In this case, Occam's Razor suggests they're above board.

    link to this | view in thread ]

  45. icon
    Kumouri (profile), 15 Nov 2017 @ 9:57am

    Re: Solution for phone scammers

    I was just about to post a similar comment, but I decided to search the page first. Good think I did, haha.

    Lenny is the BEST.

    link to this | view in thread ]

  46. identicon
    Rich Kulawiec, 15 Nov 2017 @ 10:15am

    Re: Re: Re: Re: This is an incredibly stupid approach

    "1. But you have no way to know if the putative sender is "these people". Neither does rescam.org. Neither does anyone else."

    > Yes, they do

    You're missing the point. There is no way for anyone to know if the address on the "From:" line is what it appears to be, or if it's actually under the control of the person that it should be. Are you not aware of the numerous means by which addresses/domains are forged, hijacked, and otherwise implicated in spam that they had nothing to do with? This is common knowledge among anyone who's run any kind of Internet-connect mail system for even a short period of time.

    (And no, all the anti-forgery technologies rolled out in the last decade or so don't stop all of that. Consider, for example, Yahoo.)

    > It's as much data as anyone responding to a spammer has to go on, be that an authority, ISP or other body.

    That's why nobody who knows what they're doing responds to spam: there's no way to do it that actually works. Lots of people -- like rescam.org -- like to pretend that it can be done, because it would be great if it did. But it doesn't. We know. We've been through all this already.

    > You appear to be demanding zero action against spammers, since any fraud will be the sme no matter who actions it.

    Hardly. I've spent 30+ years fighting spammers. (And yes, I have the receipts.) I'm simply pointing out that THIS particular action is a horribly bad idea that will lead directly to abuse.

    > How does the addition of the word "bulk" suddenly make the response to it spam, as you claimed?

    The addition of the word "bulk" makes it the correct definition of spam: we settled that decades ago. If rescam.org emits UBE, then they're spammers. Doesn't matter why, doesn't matter where it goes, doesn't matter if they do it on request, doesn't matter.

    > The rest of your response seems to veer between nonsense [...]

    I'm sorry that you don't understand the technical basics of SMTP, DNS, mail systems, and spam. Perhaps you should study them before you wade into a debate about them. The example I provided is actually one of the simplest: abusers can and have deployed much more complex ones.

    > How would you prefer people proceed, [...]

    In the case of nearly everyone: do nothing EXCEPT report it to your own mail system admins. Per RFC 2142 (I presume you know what an RFC is and have read all the ones relevant to email) every domain should have an abuse reporting address, e.g. abuse@example.com. (Your own mail system have additional methods for reporting abuse, but they should have at least that one.) File abuse reports -- making sure to include full headers of course -- and if they're at all competent, they will read them, analyze them, and act on them.

    Any middling mail admin can block 95% of spam without even trying hard or performing case-specific analysis. A good mail admin will do more and get that percentage up 98-99% with a tiny FP rate. A really good mail admin will perform statistical log analysis over short, medium, and long timelines and use that data to do even better. All of them, though, should be reading abuse reports and doing something about them. If yours doesn't, maybe you should switch to a better one.

    In the case of the few people left over: learn. And there is a LOT to learn. Wish there wasn't, but there is. And it's especially important to learn about all the things that people tried that didn't work and/or made the problem worse. This -- rescam.org -- is the product of ignorant people who didn't do that. They're not just making a mistake, they're repeating a well-known mistake.

    link to this | view in thread ]

  47. identicon
    Rich Kulawiec, 15 Nov 2017 @ 10:20am

    Re: Bluefrog did something similar

    Bluefrog's operation was similar, in some ways, to this one. It was also a horribly bad idea that was doomed to failure the moment it was launched. A lot of us pre-emptively blacklisted them as soon as we heard about them, because we knew that it was only a matter of time until abusers repurposed their site as a weapon.

    It didn't take long.

    link to this | view in thread ]

  48. identicon
    Anonymous Coward, 15 Nov 2017 @ 10:29am

    Re: Re: Re:

    I remember seeing a Ted talk about this issue and I think the person made it free but I don't know the details or the name of the talk.

    link to this | view in thread ]

  49. identicon
    Anonymous Coward, 15 Nov 2017 @ 10:53am

    Re: Re: This is an incredibly stupid approach

    You realize that you're trying to argue with one of the top antiSPAM experts on the Internet, right?

    link to this | view in thread ]

  50. identicon
    Anonymous Coward, 15 Nov 2017 @ 11:37am

    Re: Re: Re: This is an incredibly stupid approach

    The current owner of SPAM-L, a long-time anti-spam discussion mailing list, announced on September 3rd that long-time subscriber Rich Kulawiec's ability to participate in the list has been terminated.

    This appeared to be in response to Rich's caustic and threatening comments made to a fellow subscriber, an employee of a company called Marketo. After receiving negative feedback regarding the comments he made to the Marketo employee, he responded with a statement, made publicly to the list, that included the phrase "summary execution." Here is an excerpt from one of his posts on August 24 (emphasis added):

    "Morever, I think my remarks were extraordinarily forgiving and magnanimous: as you may recall, I'm on the record advocating the death penalty for spammers, so my *preferred* solution would be the summary execution of every single Marketo employee. However, in the interest of collegiality, I've generously refrained from asking them to make that happen, and have only asked that they take the basic steps that everyone in civilized societies takes when they're doing something wrong: stop it, admit it, apologize for it, and make it right. That's a pretty massive concession on my part -- more than collegial, it's damned generous."

    link to this | view in thread ]

  51. identicon
    Anonymous Coward, 15 Nov 2017 @ 11:39am

    Re: This is an incredibly stupid approach

    You know, you sound a lot like one of the scammers being targeted, and not liking it one bit.

    link to this | view in thread ]

  52. identicon
    Lawrence D’Oliveiro, 15 Nov 2017 @ 12:09pm

    Do We Get To See The Exchanges?

    The first question that came to my mind about this is: how effective is it going to be, really? How long can it keep the scammers engaged before they realize something is up?

    If we could view the resulting e-mail exchanges somewhere, that would provide useful info on this. Is there any reason not to make them all public?

    link to this | view in thread ]

  53. identicon
    Anonymous Coward, 15 Nov 2017 @ 12:24pm

    Re: Re: Re: Re: Re: I see an issue

    Most of the people who fall for spam are dumb or greedy already.

    Come to think of it, doesn't that describe lottery players too? Surely putting the lottery profits toward public education would fix gullability.

    /s (we already tried that)

    link to this | view in thread ]

  54. identicon
    Rich Kulawiec, 15 Nov 2017 @ 12:34pm

    Re: Re: Re: Re: This is an incredibly stupid approach

    Accurate -- but several years old.

    The thing is: it's really, really unlikely that any jurisdiction will ever pass legislation that encompasses this. (Take a look at CAN-SPAM, which effectively legalized spam in the US.) So in all probability it won't ever happen, and spammers will keep doing what they're doing because there's not much reason for them to stop.

    Which is why robust defenses are the best answer: attempts to take offensive action (like the "hack back" approach proposed in recent legislation) are doomed to fail, or worse, backfire, or still worse, target the wrong people.

    link to this | view in thread ]

  55. identicon
    Rich Kulawiec, 15 Nov 2017 @ 12:45pm

    Re: Re: Re: Abuse

    Your concerns are valid. There's another, related risk as well.

    Some spammers embed data in their messages (on a per-recipient basis) that is intended to allow them to track the disposition of that message. Sometimes it's in URLs. Sometimes it's in the headers. Sometimes it's in the text. And sometimes it's obvious, and sometimes it's not: we've seen instances where whitespace variations were used, and depending on what mail client is in use by recipients, those may be invisible or nearly so.

    If replies to such messages include some of that data, then that allows the spammer to correlate the sent spam against the received reply. That in turn provides useful information: for one thing, it verifies that the original recipient was a valid address. It also demonstrates that the message made it past the recipient's defenses. This is all useful intelligence for spammers...which is why it's a good idea not to furnish it to them.

    link to this | view in thread ]

  56. icon
    Ed (profile), 15 Nov 2017 @ 12:48pm

    We're here already

    Looking at some of the comments here, Re:Scam is already targeting this site...

    link to this | view in thread ]

  57. icon
    FamilyManFirst (profile), 15 Nov 2017 @ 2:12pm

    Re: Re: Re: Re: Re: This is an incredibly stupid approach

    I can confirm everything that Rich has written. I'm only one of those "middling mail admins" he writes about, but I know enough to know that he's exactly correct. "Attribution is hard" is one of the 3 word sets that form the foundation of why spam is such a problem. "Email is free" is another one.

    link to this | view in thread ]

  58. identicon
    Anonymous Coward, 15 Nov 2017 @ 2:29pm

    Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    Agree, I have plenty of email experience dealing with email spam and the like.

    PaulT and many like him are chronic sufferers of the Dunning-Kruger effect. sure... the know a little something something, but they are not capable of effectively using that knowledge to benefit themselves or others with their participation. They wind up absorbing everyone's time with their ignorance and posturing.

    link to this | view in thread ]

  59. identicon
    Anonymous Coward, 15 Nov 2017 @ 2:51pm

    Re: This is an incredibly stupid approach

    Can you point out to me where in the original article it even uses the word "spam"?

    Obviously most scammers use spam to try to lure in gullible people, but Re:Scam seems to be focused on interacting with the scammers, not the spammers.

    Using Re:Scam may or may not be a good idea, but you seem to be criticizing something that it is not.

    link to this | view in thread ]

  60. icon
    Toom1275 (profile), 15 Nov 2017 @ 4:22pm

    Re: Re: know thy self

    "you know" hard at work: https://i.imgur.com/gi7HNqJ.mp4

    link to this | view in thread ]

  61. icon
    Toom1275 (profile), 15 Nov 2017 @ 4:28pm

    Re: Solution for phone scammers

    link to this | view in thread ]

  62. icon
    Matthew Cline (profile), 16 Nov 2017 @ 1:49am

    Re:

    Check out It's Lenny

    link to this | view in thread ]

  63. icon
    PaulT (profile), 16 Nov 2017 @ 2:02am

    Re: Re: Re: Re: Re: This is an incredibly stupid approach

    "I'm sorry that you don't understand the technical basics of SMTP, DNS, mail systems, and spam."

    I'm sorry that your entire schtick seems to be writing reams of rambling drivel while assuming that you're the only person who does.

    link to this | view in thread ]

  64. icon
    PaulT (profile), 16 Nov 2017 @ 2:04am

    Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    "Agree, I have plenty of email experience dealing with email spam and the like."

    ...and I don't? Please...

    Of course, twats like you *could* actually address points and come up with intelligent reasons why I'm wrong rather than launching immediately into attacks and whining. But, you're not that honest, we know that.

    link to this | view in thread ]

  65. icon
    PaulT (profile), 16 Nov 2017 @ 2:06am

    Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    The things he's whining about as if he's the only one who has thought about them are true. It's the anally self-righteous assumption that nobody, including the people who set up this site, have ever thought about them or mitigated for them that's the problem.

    link to this | view in thread ]

  66. identicon
    Anonymous Coward, 16 Nov 2017 @ 4:07am

    Re: Re: Re: Re: Re: This is an incredibly stupid approach

    The addition of the word "bulk" makes it the correct definition of spam: we settled that decades ago. If rescam.org emits UBE, then they're spammers.

    There's still some disagreement about whether it has to be commercial to be spam, or at least there was a decade or two ago.

    Does one (unique) reply, in response to a manually-verified email, really count as bulk? Any kind of autoreplier would be spam by that logic. If I sent an email to a list and a got an autoreply trying to sell me something, I'd agree, but something like a vacation autoreply would just be annoying and not spam.

    ReScam is an amusing but bad idea that's open to abuse... but saying they're spammers is an overreaction.

    link to this | view in thread ]

  67. identicon
    Anonymous Coward, 16 Nov 2017 @ 4:19am

    Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    Suppose Rescam is fed 10K messages, all of them with forged sender addresses. It'll generate messages to some of them (possibly all). But none of those are "replies" because none of those addresses sent anything. Which means that Rescam just spammed (up to) 10K people. Now imagine that it's 1M or 10M, which are numbers within easy reach of anyone running a botnet.

    link to this | view in thread ]

  68. icon
    PaulT (profile), 16 Nov 2017 @ 5:11am

    Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    The whining is based on a number of assumptions: that rescam don't perform any sanity checks on the email before they reply (already confirmed to be false); that they only reply to the email rather than perform the action the user would be expected to follow (e.g. follow a link); that every forged response goes to an innocent victim rather than something designed to capture responses after redirects created to fool standard anti-spam measures; that zero future checks are performed and nothing done to mitigate future problems once issues are revealed, and so on.

    Is there a non-zero chance of abuse? Sure. Are rescam just accepting anything given to them and prepped to send out millions of spam messages? No.

    link to this | view in thread ]

  69. icon
    PaulT (profile), 16 Nov 2017 @ 5:13am

    Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    Now imagine that they are performing checks as already indicated in the article to ensure this doesn't happen, and that they have procedures in place to mitigate other types of abuse. Not so scary now, is it?

    The problem here seems to be that self-proclaimed experts are whining about the potential for things they find obvious, while simultaneously assuming that nobody at rescam thought of them.

    link to this | view in thread ]

  70. identicon
    Anonymous Coward, 16 Nov 2017 @ 5:44am

    Re: Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    There's no way for Rescam to tell the difference between a real forwarded message and a completely fake one. Anybody running a botnet could send it a mix of both using the systems in that botnet and the email accounts of their owners. Assume it's sent 10M, how many million Rescam responses will be to the fake ones?

    link to this | view in thread ]

  71. icon
    PaulT (profile), 16 Nov 2017 @ 6:50am

    Re: Re: Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    "There's no way for Rescam to tell the difference between a real forwarded message and a completely fake one"

    Well, apart from the checks they've stated they already make, plus some easy-ish sanity checks and mitigating suspicious behaviour and easily checked forgery tactics they will probably perform. There's nothing they've said that guarantees they send out responses for every request they receive, let alone do so blindly.

    "Assume it's sent 10M,"

    Why not assume 10? Why not ten trillion trillion trillion? Picking a scary-sounding arbitrary number doesn't give the rest of the fears you pulled out of the air any weight.

    Yes, if incompetently designed with zero checks and zero monitoring, their system can easily be abused and turned into a botnet. Since that's clearly not the case from what's already stated in the article, why are you so scared of them?

    link to this | view in thread ]

  72. identicon
    Rich Kulawiec, 16 Nov 2017 @ 6:59am

    Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    Point noted, and I apologize. I'm frustrated because -- to -me -- it's obvious on inspection that this entire concept is irrevocably flawed. It's a system that makes decisions about its output based on input that can be arbitrarily and trivially forged/fabricated in enormous quantities by (just about) anyone. That can't be fixed no matter what kind of mitigation is deployed because there's no way for it to reliably discern the difference between real/fake input.

    And no, I'm not an expert: I'm a student of experts, like the late Bruce Gingery, who knew way more than I'm ever going to know. It's in part thanks to him that I know how to identify abuse magnets like this one.

    link to this | view in thread ]

  73. icon
    PaulT (profile), 16 Nov 2017 @ 7:39am

    Re: Re: Re: Re: Re: Re: Re: This is an incredibly stupid approach

    I understand the concerns you were trying to put forward, and thanks for the apology. It's just that everything you were writing seemed to be based on the assumptions that nobody else had considered any of the issues you were thinking of, and that nobody at Rescam had any measures in place to prevent abuse.

    Honestly, my view on this - it's a great experiment, and a way of automating the kind of stringing along of scammers that we've seen many times in more manual fashion. I think it's more of an experiment to train AI and see how they deal with scammers who think they're talking to humans than a way to truly conquer spam. It's about data gathered, not sending emails, and they will most likely have no problem shutting down all email or even the project itself if it's seen to be compromised.

    All in all, while concerns about abuse or targeting are valid, I think they're being somewhat overblown in this thread. While things like reporting to an ISP abuse team, etc., are great answers, the fact is that these things are still a major problem despite decades of fighting them, and learning how to make things more difficult (and therefore more expensive/less lucrative for the scammers) may be more valuable than continuing trying to firefight at the infrastructure or client level. The risks of a project like this may be worth the potential for abuse, especially as the project could easily be pulled immediately if true widespread abuse is detected.

    Concerns are valid, just don't think you're the only one to have considered them.

    link to this | view in thread ]

  74. identicon
    Dave, 16 Nov 2017 @ 11:45am

    Re: know thy self

    Well.....what a wonderfully grammatically correct post (not). Someone is obviously a rather sad case, trying a pathetic attempt at trolling. It must be way past your bedtime, "you know" and don't forget your teddy bear.

    link to this | view in thread ]

  75. identicon
    Anonymous Coward, 17 Nov 2017 @ 5:25am

    Okay, okay, lets get to the point

    Great arguments back and forth, and great to see that the educated crowd (largely) at TD like to engage assessing the usefulness of these escalation/neutralization tactics.

    I immediately had a gut feel that this was just gonna go wrong. Had to think a bit, but here is the fundamental problem:

    the scammers use rescam.org to attack other scammers

    Thus, you get more email spam floating the net and this time you are just fueling an arms race by the scammers.

    What are the core email attack vectors? Hazardous web pages linked in emails, and infected attachments. So, look to the anti-virus people for their techniques. Pull those pages or attachments into a virtual machine environment, or stage 2, human analytics, and learn about their tactics. With that, then issue security improvements or issue dynamic community only blacklisting of the relevant domains (see Response Policy Zones; aka RPZ).

    But, dont give armaments to the scammers, for they will scam the anti-scammer tactics ;)

    /Meh

    link to this | view in thread ]

  76. identicon
    Anonymous Coward, 17 Nov 2017 @ 8:56am

    A great waste of intelligence.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.