List of products, retailers or websites

[HomeUser]

Is there a list of products, retailers or websites that are related to spam messages?

I think it would be useful to have a list of links found in spam messages, a list of companies behind those links, a list of products or other things promoted by spam. It would I think be helpful to have lists like this so people can check them before doing business with someone.

The lists could contain (relative) numbers of (reported) spam, perhaps in different categories like unsolicited mail but with a correct from: address, spam with a dubious from: address like trying to suggest it is send from a friend and worse things like fishing or trying to organize a scam. It would probably be necessary to mark those categories when reporting scan.

[Miss Betsy]

I don't think there are such lists because spamming has become such a scourge that few legitimate businesses send unsolicited email.

Most spam is borderline criminal, if not outright criminal scams. Anyone who even opens a spam message is too gullible to pay attention to any such list.

When spam first began, there were businesses who needed to be told that sending unsolicited email might hurt their business. But not any longer.

Miss Betsy

[HomeUser]

You are probably correct in most cases, legitimate businesses keep a distance. But to be sure lists like that could be helpful. There could be different types of indirect links with legitimate businesses in some countries.

Maybe inexperienced users could benefit from them also. In different ways a red flashing warning with a link to more information could be put on the screen if somebody enters a fishing site or a dubious commercial site. (It could be done by the browser, by a plug-in, by a search machine or a gateway to it, search machines could filter those sites if requested.) Commercial products already do something similar and could extend their service.

I suppose websites are moving slower then the "from:" addresses or the IP addresses that are found in spam. Stopping an email scam would be harder for an email client, I think, for because it doesn’t need a website.

It may help separating the spammers from their income.

[dra007]

If you want to do on line shopping you better do a thorough research on your own before you are even tempted...and never go to a link in unsolicited e-mail..never..Such businesses have overstepped their bounds once they used your e-mail without your knowledge and consent..

[HomeUser]

Of course, that's correct. But still there must be enough people buying to make it worth sending the spam. There could be many reasons. Not everybody reads manuals, not everybody reads warnings.

I think 20% less buyers could mean 20% less spam. Better ways to warn some people could mean less spam for many people.

[Miss Betsy]

Of course, that's correct. But still there must be enough people buying to make it worth sending the spam. There could be many reasons. Not everybody reads manuals, not everybody reads warnings.

I think 20% less buyers could mean 20% less spam. Better ways to warn some people could mean less spam for many people.

The way most ISPs have figured out to lessen spam sales is to filter out spam so unwary customers don't get tempted - a nanny approach.

If anyone wanted to use reported spamvertised sites from spamcop reporting, I think there might be a way. However, I think I also read that that way has been restricted because the spammers were exploiting it.

The place to warn end users of the dangers of using spam is some kind of PR campaign. Unfortunately there are even people who respond to the 419 scam emails (and before them, the snail mail scams and fax scams - in fact, the 419 people still occasionally fax one). Nice commercials with emails crawling with bugs (web bugs) and scary people typing out the email might work.

IMHO, the limit has been reached on warning prudent people not to respond to unsolicited email. The ones who respond are probably the ones that make it worthwhile to have scams or near scams offline and online.

Miss Betsy

[Farelf]

It is my impression also that "spamvertizers" don't advertize through regular channels, if so a "warning list" isn't going to deter the determined link-chasers who already suckered in (in fact, extra exposure might increase the hits from others who might not have seen the links otherwise - that's a statistical probability sort of thing, more likely the more visible the "list" is, all else being equal).

Carefully checking out the passing parade at http://www.spamcop.net/w3m?action=inprogress;type=www might confirm or refute the view "here" about how mainstream these critters might be. The exception might be when a legitimate business is spamvertized by "courtesy" of a competitor in order to harm them. Several business have posted in these forums saying that has happened to them, their only defence is to plaster denials on their websites, shop fronts, etc. There would always be a chance a "list" could further harm such people, if they are indeed innocent.

Always prepared to consider the data, but the impression that you can't treat these in any way like regular businesses as espoused by the other respondents is right on the mark, IMO. "Education", maybe - anyone wanting to make a cause of it could test the waters by forming an association and applying for government funding. Well, in the UK, Canada, Australia, NZ etc. where such seems to be a growth industry they could - US government(s) aren't as famous for their benificence with the public purse in matters of community service, though how much of that is myth and how much is reality?

What is apparent in relation to spamvertized sites is the care the spammers often take to avoid exposing them to reporting. This is not a SpamCop priority (and doesn't lend itself well to any great degree of automation) - so there is an opportunity to discomfort or disrupt some of the activity/spam payoff there. Just be aware of the discussion at http://forum.spamcop.net/forums/index.php?showtopic=4085 and note mention there of the SURBL, which is expanded a little at http://forum.spamcop.net/forums/index.php?showtopic=5120 and the link from it.

[HomeUser]

I have the impression most of the sites, but not all, are very dubious. I should follow it over a longer period to see how long dubious sites stay on the list.

Probably optimistically, I was trying to find out how this could work if more people would work together. I think four things have to be done, probably all by different people.

(1) The spam has to be reported by some people who are receiving it.

(2) The data have to be collected in lists, what perhaps could be done by the reporting tool. Probably it would be needed to keep detailed data, to support the later steps.

(3) The data in the lists should be filtered and the data completed. This is probably the most complex step.

(4) The data should be put on the users screens. For that it should be made available but not necessarily for free. I think there could be a lot of interested parties like security firms, browser makers, companies who’s site is imitated, consumer organizations, companies who’s products are imitated, justice departments…, It looks reasonable that some part of the burden would be carried by those clients. I think there is a fast evolution in that sector (SiteAdvisor, LinkScanner, browsers with anti-fishing capabilities…) that was perhaps not yet there when the referenced threats where written. In principle every owner of a site that is requesting to send money could be a client, because a good system could be used to show that the site is genuine.

The filtering of the data (3) is the complex one. I think the data about a site could be divided in two categories:

- Unknown sites that could well appear and disappear very fast.

- Well established sites

A well established site would be a site that

- Exists for some time

- Where the responsible people are known

- Where the juridical system under which it operates is known

In the first category, if the site is unknown, speed is most important. Errors are less because in the total life-cycle of a genuine site, only be a few days of mistakes would be possible. Some 80 to 90% of the security risks would be addressed in this category. Fishing and other scams would fall in this category.

First goal would be to bring the site in the second category. Many things could be automated. As the report comes in for an unknown site, a mail should be send to the administrator asking to identify him self and the site. Perhaps also asking for a signed declaration. Other sources could be checked. Can old independent comments about the site be found on the internet?

Ideally the data that would put the site in the second category should come from a neutral third party. By preference it should be the government of the country of origin, like an internet accessible trade register. This would allow also a single registration for the owners of that site.

All the time the site is in category one, people accessing it should see a strong but carefully formulated warning.

Once in the second category time is less important, it is more unlikely the site and the people behind it will disappear, but errors can be less permitted. It is a different way of working, probably best done by different people. Some information of the sites history, like earlier spam rapports and other complaints about the site on specialized websites can be used now. The sites responsible should be asked if the spam-mail was send by the organization behind the site.

- If the answer is negative

o In some cases this can be clearly confirmed (mail clearly send by a competitor or a spammer trying to sabotage the system) or denied, but in most cases it will be hard to tell. Taking in to account the history of spam reporting for that site, the users could be informed. In countries where sending spam is illegal, it could become a case for the justice department. Prove of a formal complaint by the site-owners could be asked.

- If the answer is positive

o Is there perhaps some misunderstanding? Are there some improper processes that can be corrected? Is there a willingness to do so? What is the history about spam reports?

-> If not the users should be informed

Of course, we are talking about the financial income of companies. Data should be processed with care. Steps (1) to (3) should only give information, no interpretation and should take care the information is correct. (“spam was reported to us at the given numbers and dates. We take no responsibility for the …”) It should be the last step that would put a carefully formulated warning on the screen. (“The password you are entering will be send to this address. We have no information about that site from… Most important sites are known. This could mean this is a new site or… spam reports advertising this site where reported. Still we strongly suggest to not send any money, passwords from bank accounts,.. until the site appears as save on your screen” but much better of course )

[Miss Betsy]

There are several methods of ensuring that sites are 'trusted' - one of them call 'Truste' I believe. There also was a certificate method (though most of the ones I see are outdated).

The internet is governed by netiquette, not law. Those sites that are legitimate know how to be 'polite' and one recognizes them by how they are polite. That's not a very good explanation, but none of the ways of regulating the internet has worked so far. The only example I can think of at the moment is that no legitimate site ever emails you about security and asks you to update your data via a link - that's impolite in the internet world.

Miss Betsy