Spammers expose their entire operation through bad backups (csoonline.com)
198 points by lightlyused on March 6, 2017 | hide | past | favorite | 61 comments



It puzzles me that all these spam/phishing operations are being uncovered by accident and there are no proactive private or nonprofit organizations pursuing these criminals.

Overall, our current state of (an average user's) security can be described as Swiss cheese, where anyone with malicious intent can poke a hole and use it without any repercussions.


There are people who do this. ShadowServer comes to mind. A number of large companies (Google, Microsoft, ISPs, etc.) run anti-spam operations.

It's harder than you might expect to do effectively.



But is there an international Interpol-style/black helicopters operation against such types? If there's one class of people I'd be glad to see have their human rights trampled, it would be spammers.


Or you know, we could uphold the rule of law and punish rule breakers within the framework we already have.


There must be more, but Cisco TALOS pursues the botnets used to distribute spam.

E.g. http://blog.talosintelligence.com/2016/09/the-rising-tides-o...


This talks about misconfigured rsync being the vector.

However, the researcher that found it says:

"The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances"[1]

The screenshot looks like some kind of mongo explorer type UI: http://imgur.com/DzNthuy Probably MongoVue: https://mongopi.files.wordpress.com/2012/11/mongovue.png

So it appears to be the "mongo installed with no password, and open to the internet" thing again.

[1]https://www.reddit.com/r/apple/comments/3wq9fc/massive_data_...
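The comment above attributes the exposure to a misconfigured rsync daemon (the article's account) or to an unauthenticated MongoDB listener (the Shodan account). The rsync side of that is a configuration problem that can be audited before the port is ever exposed. The script below is an added example, not code from the article, from MacKeeper or from the researcher; the rsyncd.conf it reads is constructed for the example. It applies the defaults documented in rsyncd.conf(5): a module with no `auth users` accepts anonymous clients, one with no `hosts allow` accepts any source address, `read only` defaults to yes and `list` defaults to yes, so a module with none of those set is world-listable and world-readable, and writable if `read only = no` was added.

```python
"""Audit an rsyncd.conf for modules reachable by anyone who can hit the port."""
import configparser
import io

# Constructed sample rsyncd.conf (not taken from the article or the breach).
SAMPLE_RSYNCD_CONF = """
uid = nobody
gid = nobody
use chroot = yes

[backups]
path = /srv/backups
comment = nightly dumps
read only = no

[public-mirror]
path = /srv/mirror
read only = yes
hosts allow = 192.0.2.0/24

[internal]
path = /srv/internal
auth users = backup
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/8
list = no
"""


def _truthy(value, default):
    """rsyncd boolean parameter, falling back to the man-page default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit_rsyncd(conf_text):
    """Return {module: [finding, ...]} for modules whose exposure is risky."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # rsyncd.conf is "global parameters, then [module] sections"; ConfigParser
    # needs a section header for the leading globals, so we prepend one.
    parser.read_file(io.StringIO("[__global__]\n" + conf_text))
    findings = {}
    for module in parser.sections():
        if module == "__global__":
            continue
        sec = parser[module]
        problems = []
        anonymous = sec.get("auth users") is None
        any_source = sec.get("hosts allow") is None
        if anonymous:
            problems.append("no 'auth users': clients connect without credentials")
        if any_source:
            problems.append("no 'hosts allow': any source address is accepted")
        if anonymous and any_source and not _truthy(sec.get("read only"), True):
            problems.append("writable ('read only = no') and world-reachable: anonymous upload")
        if anonymous and any_source and _truthy(sec.get("list"), True):
            problems.append("module is listed: 'rsync rsync://host/' enumerates it")
        if problems:
            findings[module] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_rsyncd(SAMPLE_RSYNCD_CONF).items():
        print(f"[{name}]")
        for p in problems:
            print("  -", p)
```

Run against a real server's `/etc/rsyncd.conf`; anything flagged as both anonymous and any-source is what a Shodan-style scan will find, and the `internal` module shows the combination (`auth users`, `secrets file`, `hosts allow`, `list = no`) that keeps a module off such lists.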


That post is a year old... I don't think it's talking about the same breach.


Ah, wow. My mistake then. Interesting that MacKeeper is related to both.


The number of emails in the database isn't even the interesting part. What's more noteworthy is the fact that the spammers have figured out how to evade Google and Yahoo SMTP servers' rate-limiting techniques, and the sheer amount of volume they have at their disposal relative to the compute resources they have.


I hope Google does something about this. The problem with spam is that once you're on the spammers' lists, it's virtually impossible to get off it.


That's interesting, I never get spam in my inbox in Gmail, but my "spam folder" is constantly full. I wonder if gmail makes these spam emails appear as if they're "inboxing" to the spammers.


At the SMTP level, you can't tell the difference (spam or not). A bounce return message will tell you it fails, but the absence of a bounce message doesn't mean it was received, let alone got into an inbox.

The only way a sender can tell for sure their e-mail was delivered is to have tracking links: images and/or clickable links that include something to uniquely identify which address received the mail.

Most if not all e-mail clients block images, and many even disable links for unknown senders and/or messages that even remotely look like spam (eg: a non-zero spam score that is below the threshold to automatically reject or filter to a junk folder).

If you get tracked by one of these images or links, presumably you move from the "maybe working" e-mail address list to the "reads our messages" or "clicks our links" list, and at the very least means you contribute to making more money for the spammer when they sell that (higher-value) list.
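The comment above describes the sender-side mechanism: an image or link whose URL carries a token tied to one recipient, so that a fetch or click tells the sender that address is live. The following is an added example (not from the article or the comment) that does the receiver-side check: it pulls the `<img>` and `<a href>` URLs out of an HTML body and reports the ones that look like trackers, either because the image is 1x1 or because the query string carries a recipient/campaign-style parameter. The sample message and the list of parameter names treated as tokens are constructed for the example; the list is a heuristic, not a standard.

```python
"""Find per-recipient tracking images and links in an HTML email body."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message body (not taken from the article).
SAMPLE_HTML = """
<html><body>
<p>Dear customer, your invoice is ready.</p>
<a href="https://track.example.net/c?cid=7f3a9c2e4b1d&amp;u=victim%40example.org">View invoice</a>
<img src="https://cdn.example.net/logo.png" width="120" height="40">
<img src="https://track.example.net/o.gif?cid=7f3a9c2e4b1d" width="1" height="1" style="display:none">
<a href="https://example.net/unsubscribe">Unsubscribe</a>
</body></html>
"""

# Query keys that commonly carry a recipient or campaign identifier.
# Heuristic list chosen for this example, not a standard.
TOKEN_KEYS = {"cid", "u", "uid", "e", "email", "rid", "mid", "track", "t"}


class _Collector(HTMLParser):
    """Collect image sources (with attributes) and link targets."""

    def __init__(self):
        super().__init__()
        self.images = []   # list of (src, attrs)
        self.links = []    # list of href

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # html.parser lowercases names and unescapes values
        if tag == "img" and a.get("src"):
            self.images.append((a["src"], a))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _is_tiny(attrs):
    """True if width or height is declared as 1 pixel or less."""
    def dim(v):
        try:
            return int(str(v).strip().rstrip("px"))
        except (TypeError, ValueError):
            return None
    w, h = dim(attrs.get("width")), dim(attrs.get("height"))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def _token_params(url):
    """Query parameters on `url` whose names look like recipient/campaign tokens."""
    qs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return {k: v for k, v in qs if k.lower() in TOKEN_KEYS}


def find_trackers(html):
    """Return {'pixels': [...], 'tracked_links': [...]}, each entry holding the
    URL and the token parameters it would send back to the sender."""
    c = _Collector()
    c.feed(html)
    pixels = []
    for src, attrs in c.images:
        params = _token_params(src)
        if _is_tiny(attrs) or params:
            pixels.append({"url": src, "tokens": params})
    tracked_links = []
    for href in c.links:
        params = _token_params(href)
        if params:
            tracked_links.append({"url": href, "tokens": params})
    return {"pixels": pixels, "tracked_links": tracked_links}


if __name__ == "__main__":
    import json
    print(json.dumps(find_trackers(SAMPLE_HTML), indent=2))
```

On the sample, the logo image is ignored, the 1x1 GIF is reported with its `cid`, and the invoice link is reported with both `cid` and the URL-decoded `u=victim@example.org`: exactly the identifier that moves the address from the "maybe working" list to the "reads our messages" list once the client fetches or follows it.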


> The only way a sender can tell for sure their e-mail was delivered is to have tracking links

That's not true. Both spammers and legitimate email delivery services have hundreds if not thousands of accounts at the major email providers that they seed into their lists. As they are delivering email they periodically check their own accounts to see if mail is ending up in the inbox or the spam folder.

You can also request a "Feedback Loop" from major email providers that will forward spam complaints from your network back to you.
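The feedback loops mentioned above deliver complaints as ARF reports (RFC 5965): a `multipart/report` message with `report-type=feedback-report` whose parts are a human-readable note, a `message/feedback-report` block of header-style fields (Feedback-Type, Original-Rcpt-To, Source-IP, Reported-URI), and the original message as `message/rfc822`, often with the complaining recipient redacted. The parser below is an added example, not from the article or the comment; the report it parses is constructed with documentation addresses and IPs. It extracts the fields a sender would key on (source IP, campaign identifier, reported URI) to pull a complaining address from a list.

```python
"""Parse an ARF (RFC 5965) abuse report as delivered by a provider feedback loop."""
import email
from email import policy

# Constructed sample report; addresses and IPs are documentation values.
SAMPLE_ARF = """\
From: <abuse-feedback@mailbox-provider.example>
To: <fbl@sender.example>
Subject: FW: Earn money fast
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report;
 boundary="part1_13d.2e68ed54_boundary"

--part1_13d.2e68ed54_boundary
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

This is an email abuse report for an email message received from IP
192.0.2.1 on Thu, 8 Mar 2005 14:00:00 EDT.

--part1_13d.2e68ed54_boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: SomeGenerator/1.0
Version: 1
Original-Mail-From: <bounces@sender.example>
Original-Rcpt-To: <redacted@mailbox-provider.example>
Arrival-Date: Thu, 8 Mar 2005 14:00:00 EDT
Source-IP: 192.0.2.1
Reported-Domain: sender.example
Reported-URI: http://sender.example/earn

--part1_13d.2e68ed54_boundary
Content-Type: message/rfc822

From: <bounces@sender.example>
To: <redacted@mailbox-provider.example>
Subject: Earn money fast
Message-ID: <20050308140000.ABC123@sender.example>
X-Campaign-ID: 7f3a9c2e4b1d

Make $$$ from home...

--part1_13d.2e68ed54_boundary--
"""

ORIGINAL_HEADERS = ("From", "To", "Subject", "Message-ID", "X-Campaign-ID")


def _addr(value):
    """Strip the angle brackets ARF fields put around addresses."""
    return str(value).strip().strip("<>") if value is not None else None


def parse_arf(raw):
    """Return the report fields and key headers of the reported message,
    or None if `raw` is not a feedback report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        return None
    report_msg, original_msg = None, None
    for part in msg.iter_parts():
        # email's parser treats message/* parts as nested messages, so the
        # feedback-report fields and the original mail both arrive as Message
        # objects; the text/plain note is not multipart and is skipped.
        if not part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "message/feedback-report" and report_msg is None:
            report_msg = part.get_payload(0)
        elif ctype == "message/rfc822" and original_msg is None:
            original_msg = part.get_payload(0)
    if report_msg is None or report_msg["Feedback-Type"] is None:
        return None
    original = {}
    if original_msg is not None:
        for h in ORIGINAL_HEADERS:
            if original_msg[h] is not None:
                original[h.lower()] = str(original_msg[h]).strip()
    return {
        "feedback_type": str(report_msg["Feedback-Type"]).strip(),
        "source_ip": _addr(report_msg["Source-IP"]),
        "original_mail_from": _addr(report_msg["Original-Mail-From"]),
        "original_rcpt_to": _addr(report_msg["Original-Rcpt-To"]),
        "reported_uris": [str(v).strip() for v in report_msg.get_all("Reported-URI", [])],
        "original": original,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_arf(SAMPLE_ARF), indent=2))
```

Providers frequently redact `Original-Rcpt-To`, which is why the original message is carried along: a sender that embeds its own recipient or campaign identifier in a header (`X-Campaign-ID` in the sample) can still map the complaint back to a list entry.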


> Most if not all e-mail clients block images

Gmail auto preloads (via their servers) all images in emails. You can turn it off though.

(lots of sources on internet about this, http://www.guidingtech.com/13461/gmail-always-display-images... for example)


I stand corrected. Must be a setting I changed at some point then, as I have it set to always ask.

It's a terrible setting, it should just be 'always ask'. Is there a legitimate use I'm missing? The only thing I can think of is for spammers to track if their spam went through, marketers of 'legit' mail to track the same thing, or a backdoor way to implement the atrocious 'read receipt' feature. None of those is at all beneficial to the user receiving the message.


I was delighted when they changed it from "always ask" to "show by default." Like I said, Gmail never puts spam through to me, so it saves me clicks.


You still can't turn it off in Inbox, unfortunately.


https://news.ycombinator.com/item?id=13802559 is a better article, now marked as a dupe.


OK, we've changed the URL above to that from https://mackeeper.com/blog/post/339-spammergate-the-fall-of-....


So now MacKeeper will use those 1.4B accounts to lure people into installing their own software, and giving them more information?


I didn't realize MacKeeper investigates other spammers, maybe helpful in developing their own best practices.


I'd rather see Troy Hunt handling this... hoping they add the database to HIBP


Is it a "pwn" though? Your email address being in their database does not necessarily mean your security has been compromised - just that you're on a spam list somewhere?


They have added the "GeekedIn" leak from mid last year in the database even though technically none of the information was private (IIRC it was all scraped from GitHub's public API).

Sometimes getting on these lists is fairly harmless by itself, but they can end up leaking a large amount of data about some people.

Just knowing that an email address is used and active is a start, but combine that with other information that could be grabbed like rough location data, IP address information, knowledge that the email was associated with that service, active usage dates, and more can end up being much worse.


Yes, it appears to be -- the article implies that backups of data from the spam operation were exposed to the public.


Even if not, it would be nice to know if my email address(es) were included.


For years I've contemplated the idea of building a botnet that aggressively attacks companies that advertise through spam by consuming their bandwidth or DDoSing the hell out of them. Every time I read an article like this I feel like I have to implement that thing sooner rather than later.


You do realize that an old blackhat trick is to do things apparently as someone else so that the someone else gets penalized for what you did. For example use SEO techniques that Google notices and penalizes to cause rivals to disappear off of Google's search results (and thereby boost yourself relative to them).

I guarantee you that if you were noticed reliably responding to spam in this way, blackhats would happily direct your bandwidth towards their targets...


I have good and bad news for you. The good news: attacking those companies that pay for the spam actually works. The bad news: a company called Blue Security did something like that, and the spammer backlash was so bad they had to close their product.

https://en.m.wikipedia.org/wiki/Blue_Frog


That's not a problem when you don't have a product, you might also use a botnet yourself.


They will just move to CloudFlare, where they (and all the other bad guys on the internet) get a free pass.


Yes, because it's a great idea to combat one illegal thing with one that is much more illegal and victimizes yet another large number of people.

Better let that one sit in the contemplation folder, as soon as you move to action you'll simply be just another criminal.


There's no such thing as "more illegal"; interpretation of the law may be subjective, however, once a determination of legality has been made, it is or isn't legal.

Actually, it'd make him/her a vigilante, who, while still a criminal, aims to serve the public good, whether rightfully so or not. I won't suggest whether that is ethically acceptable, but it'd be more of a conversation than legality.


Well, there are degrees of criminality, which is why penalties for certain similar acts vary depending on the exact circumstances, methods, and intentions; e.g., manslaughter vs. 2nd degree murder vs. 1st degree murder.

I think this was the point. DDoS attacks potentially affect innocent people who just want to (say for instance) buy some cheap Viagra and who have nothing to do with the spammer who caused the initial irritation by sending yet another useless email.


How is this illegal? Unethical, for sure, but illegal I don't see why. You don't need to spread malware to build a botnet, you could easily rent private proxies.


> How is this illegal?

Same as anything else: because there are laws forbidding it.

http://resources.infosecinstitute.com/legality-ddos-criminal...


Who doesn't already have our email addresses? I get spam email all the time...


Reminds me a bit of this story from a few years back: https://www.wired.com/2010/04/cloud-warrant/


Can someone please explain the difference between email marketing and spam?


I assume you're being facetious, but there is a literal definition of SPAM in the United States (or, at least, a definition whereby it's OK to send 'commercial email', the inverse of which could be considered SPAM). (From Wikipedia for the CAN-SPAM act - https://en.m.wikipedia.org/wiki/CAN-SPAM_Act_of_2003#Applica...)

A commercial email is legal if it complies with the following:

Unsubscribe compliance

* A visible and operable unsubscribe mechanism is present in all emails.

* Consumer opt-out requests are honored within 10 business days.

* Opt-out lists also known as Suppression lists are only used for compliance purposes.

Content compliance

* Accurate "From" lines (including "friendly froms")

* Relevant subject lines (relative to offer in body content and not deceptive)

* A legitimate physical address of the publisher and/or advertiser is present. PO Box addresses are acceptable in compliance with 16 C.F.R. 316.2(p) and if the email is sent by a third party, the legitimate physical address of the entity, whose products or services are promoted through the email should be visible.

* A label is present if the content is adult.

Sending behavior compliance

* A message cannot be sent through an open relay.

* A message cannot be sent without an unsubscribe option.

* A message cannot be sent to a harvested email address.

* A message cannot contain a false header.

* A message should contain at least one sentence.

* A message cannot be null.

* Unsubscribe option should be below the message.


Was being genuine - thank you for the detailed response.



Spam is unsolicited email marketing. Opt-out and other dark patterns make the line blurry. Yes, there are those of us who sign up for marketing emails on purpose.


Hey, it can't be worse than what the airbnb founder did


Story?


I suspect they are referencing this:

http://www.businessinsider.com/airbnb-harvested-craigslist-t...

Harvesting emails from Craigslist and spamming people that listed properties.


MacKeeper? The company that aggressively advertises something that looks like scareware? Surprised that they are now supposedly the good guys.

The Wikipedia intro reads "The software is heavily promoted and has been the subject of a class-action lawsuit for false advertising.".

They are now writing about a data leak of some spammers because these accidentally left their repo open, while MacKeeper had their own nice similar leak: "In December 2015 security researcher Chris Vickery discovered a publicly accessible database of 21GB of MacKeeper user data on the internet, exposing the usernames, passwords and other information of over 13 million MacKeeper users. According to Kromtech this was the result of a "server misconfiguration""


From the bottom of the article it looks like MacKeeper hired that security researcher:

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery.


The guy that found it says "On my own. Not hired", here: https://www.reddit.com/r/apple/comments/3wq9fc/massive_data_...


Note my comment above is apparently related to a different breach that involved MacKeeper. Please ignore, too late to edit.


MacKeeper has 13 million users?? Who would install MacKeeper willingly?


I'm assuming most of them aren't doing it intentionally.


My 12 year old son has installed it multiple times without notification.

This is what happens to people on a Mac who download minecraft modpacks off of random places on the internet...


My 10 year-old is an ace at spotting fake download buttons and "your PC is at risk!" banners thanks to downloading Minecraft mods. In an odd way, these spammy download sites have been a surprisingly good educational tool--to date she hasn't messed up her machine once.


These Mackeeper guys had some high pressure dude on a live chat get my mother to pay and install their software. Worse - she was having trouble installing it and the guy suggested a remote session. Luckily she got wise at that point.

I wouldn't even visit their site to be quite frank.


Out of curiosity - what do you think a guy who is hired to make that software work on your mom's computer would do beyond helping her install said software, even if through a remote session?


> Out of curiosity - what do you think a guy who is hired to make that software work on your mom's computer would do beyond helping her install said software, even if through a remote session?

Because that is literally part of the modus operandi of the Windows tech support scammers?


Download a trojan of some sort.


Were they held for River City Ransom?

(I'm sorry, couldn't resist)


Crap now the menu tune is playing non-stop in my head



