
My "Canadian" Pharmacy


Paranoid2000


SiL's tools are nothing more than form fillers/submission tools meant to piss off spammers by giving them tons and tons of junk leads (I recall seeing some users clock 30K+ a day to different sites)

Since these sites are on Chinese servers and seem to be a black hole that no one dare look to stop the abuse, I fail to see what using/abusing their resources and wasting a spammer's time will do to hurt our cause. Maybe if an ISP sees a drain in bandwidth and bothers to check that IP/box, we HAVE done some good, since I'm not convinced that SpamCop reports mean s*it to Chinese providers.


Since these sites are on Chinese servers and seem to be a black hole that no one dare look to stop the abuse, I fail to see what using/abusing their resources and wasting a spammer's time will do to hurt our cause. Maybe if an ISP sees a drain in bandwidth and bothers to check that IP/box, we HAVE done some good, since I'm not convinced that SpamCop reports mean s*it to Chinese providers.

This operation is now using hijacked systems around the world, with images held on another server. The only way to put an end to it is either to secure every single PC on this planet or to make these spammers' business unprofitable. Posting false orders is the only way to achieve the latter - I'd be interested in anyone providing a method to somehow achieve the former, especially given the ignorance of many such server admins.

... I fail to see what using/abusing their resources and wasting a spammer's time will do to hurt our cause. ...
I don't think anyone proposed that it might harm "the cause". To use or not to use is mainly a moral judgement as I see it. I for one am not about to lecture on the rights and wrongs - people need to make their own call. There are other issues (such as consumption of internet bandwidth) which are certainly not critical.

This operation is now using hijacked systems around the world, with images held on another server.

And sadly, when one box is cleaned up, they've moved to another, only to hop back to the original ISP's servers. One of the things that SiL and others have done is to track down the back end information and report THOSE ISPs/hosts. Those guys also send out numerous emails to hosts/registrars of the nameservers (which there was a huge hit to some of them over the weekend).. if the hijacked host won't do anything, go to the nameserver, I guess.


Rather than continue this debate here, I would simply suggest people review the Wilders New spam Retaliation Tool which discusses the ethics/morality/legality of this.

As for the parsing, I'm not too sure about the need for the referer codes since entering the domain on its own without them always works. It could be that it is resolving (deliberately) too slowly for SpamCop or that they are able to identify SpamCop domain lookups by other means.

I will take a look at that. I'm not against the idea of using other "outside the box" methods of trying to bring down spammers sites. I recall the project by Lycos "Make Love Not spam" screensaver that used aggregate data (even from SC) to try to overload spamvertized URLs. However, there was so much backlash from people that it was shut down not too soon after it was started. I thought the project was an interesting concept and thought it might be successful.

Another thing to take into consideration is the example of BlueFrog, a service somewhat similar to SC, that was essentially shut down by spammers in retribution for trying to report spammers to law enforcement and ISPs and so forth. I know that there have been DoS attacks against SC in the past, and they might go on continuously (I am not sure about this), as they do with other major DNSBLs.

So, there are several things to take into consideration. One is from the perspective of the end user who is using these scripts to retaliate against rogue spamvertized sites. There are possible issues of excess bandwidth consumption (as mentioned by Farelf), legal questions, whether or not this would violate end users' AUP/TOS for their ISP and so forth.

Secondly, the recommendation being made by the authors of these scripts is to use TOR to connect to these sites. I believe that probably most individuals running TOR nodes would not appreciate this possible misuse of their servers, since, not only could it result in retaliation against them, but TOR, as an overall community, would most likely be slowed down (as if it isn't slow enough already) by constant barrages of attacks on websites over and over.

Finally, there is obviously potential for misuse with these scripts. These are clearly made for an "advanced" usergroup that would (or should) be able to know which sites are the rogue "Canadian pharm" sites. But, because of their ease of use, it could be possible to be used against other targets.

As far as SC not being able to parse the URLs, this has been brought up recently, and includes other sites, not just ones mentioned here. I have posted a brief "how to" on manually reporting URLs that SC doesn't resolve which can be found here.

Also, as I mentioned above, individuals can report fraudulent sites like these to the FTC and FDA. Anyway, what it all comes down to is a judgement call, but one that I would advise people not to take lightly. There are people who want to go "by the book" so to speak, and use a tool like SC to simply report said UCEs and hope to get them shut down. Other people might want to take it farther and use a vigilante approach to combating spam. Either way, it's clear that people are taking these steps because the influx of spam is becoming even more enormous and overwhelming. I understand why people would choose this step, and it's an obvious evolution from becoming beyond annoyed with the problems of email and failure of responsible parties to take appropriate action to stem the tide of spam.

@Mods: Since this discussion has sort of gotten off topic of the original post, I think it might be appropriate to chop it from Paranoid's post about the "pharmkilla" scripts and move it to another folder. Just my 2¢.


I don't think anyone proposed that it might harm "the cause". To use or not to use is mainly a moral judgement as I see it. I for one am not about to lecture on the rights and wrongs - people need to make their own call.
...But before they can make the call, they have to know the issues. IMHO, most people don't.
There are other issues (such as consumption of internet bandwidth) which are certainly not critical.
...Why is it not critical? Isn't that one of the things we dislike about spam -- that it abuses internet bandwidth? It's certainly critical to me! You (and others) are certainly entitled to disagree with me about this but IMHO it warrants more than a dismissive "certainly not critical."

...But before they can make the call, they have to know the issues. IMHO, most people don't....
Yep, which is why I suggested the author of the tool had other tactics, jongrose chipped in with a f'rinstance - feel free to add your own.
...Why is it not critical? Isn't that one of the things we dislike about spam -- that it abuses internet bandwidth? It's certainly critical to me! You (and others) are certainly entitled to disagree with me about this but IMHO it warrants more than a dismissive "certainly not critical."
Call me old-fashioned but I sort of reserve the description "critical" as an absolute. Critical would be if, of itself, it brought the internet down. I don't believe that to be the case (though certainly it won't do it any good). Is that being dismissive? It was not intended to be so. I had thought of commenting that sending 35,000 order forms to achieve a reduction of a few hundred (?unsure of claimed/implied number) spam does not sound like a desirable level of efficiency - but refrained because that is probably not indicative of "performance" on a broader scale, might be construed as carping. Seems I was foredoomed in any event.

...To use or not to use is mainly a moral judgement as I see it...
...But before they can make the call, they have to know the issues. IMHO, most people don't....
Oh sorry, I went off on a tangent in earlier answer. The moral issue is whether it is OK to join the spammers in the misuse of the internet. Not much else to know, really.

<snip>
...Why is it not critical? Isn't that one of the things we dislike about spam -- that it abuses internet bandwidth? It's certainly critical to me! You (and others) are certainly entitled to disagree with me about this but IMHO it warrants more than a dismissive "certainly not critical."
Call me old-fashioned but I sort of reserve the description "critical" as an absolute. Critical would be if, of itself, it brought the internet down. I don't believe that to be the case (though certainly it won't do it any good). Is that being dismissive?

<snip>

...Having explained what you meant, no, it is no longer dismissive. :) <g> However, I think you may be underestimating the impact -- we're not really sure how close we are to bringing the internet down, are we? We certainly don't need a lot of retaliation packets adding to the load spammers are already causing.
...To use or not to use is mainly a moral judgement as I see it...
...But before they can make the call, they have to know the issues. IMHO, most people don't....
Oh sorry, I went off on a tangent in earlier answer. The moral issue is whether it is OK to join the spammers in the misuse of the internet. Not much else to know, really.
...Well, precisely that retaliation tactic might, in fact, be misusing the internet. I expect there are many people considering retaliatory tactics who are not clued in to that. Even whether any particular retaliation tactic is a misuse of the internet probably needs to be aired before people can make an informed judgment as to whether to use it.

Well, precisely that retaliation tactic might, in fact, be misusing the internet.
No question in my mind, it is misuse.
I expect there are many people considering retaliatory tactics who are not clued in to that. Even whether any particular retaliation tactic is a misuse of the internet probably needs to be aired before people can make an informed judgment as to whether to use it.
Hadn't considered that - then I've never thought "the end justifies the means[1]" to be morally defensible and things are pretty clear cut if one can proceed from there. It follows I'm not a fan of vigilantism either - revenge[2] being the highest motive there, bestiality the lowest.

[1] IIUC Loyola (who, as the founder of the Jesuits, would ordinarily be considered some sort of moral authority) said the end justified all, presumably because St. Paul said, "... that by any means I might win some." (I'm no theologian). But they were talking about the end of "saving men's souls" (and the occasional woman's) for pity's sake - or St. Paul was at least. Special case, absolute faith a prerequisite. I don't buy any mundane cause even coming close to qualifying.

[2] Sir Francis Bacon (who knew the dock from both sides) reckoned "Revenge puts the law out of office," his quaint way of saying it usurped the rule of law - it was 400 years ago after all. I think his observation is fairly well self-evident and I happen to prefer the rule of law (be it ever so halt) to the alternative.

And I said I wouldn't lecture (it's Steve T's fault :D) ... well, I'm not claiming infallibility on the issues and others will beg to differ.


I had thought of commenting that sending 35,000 order forms to achieve a reduction of a few hundred (?unsure of claimed/implied number) spam does not sound like a desirable level of efficiency - but refrained because that is probably not indicative of "performance" on a broader scale, might be construed as carping.
Assuming that you were referring to the Spur-M-Enator, such concerns are groundless. This tool places orders directly to the spammers' back end database so has negligible bandwidth consumption. Specifically it sends a URL containing all the order data (about 600 bytes) and receives back a webpage under 340 bytes in size (it used to be blank but the spammers added a scri_pt to fire up 100 popups). So at under 1,000 bytes per transaction, 35,000 orders would take 35MB bandwidth plus protocol overheads.

By way of contrast a typical SpamCop report would take over 50K (22,600 bytes submission page plus 29,000 bytes report page plus the size of the spam submitted). So this retaliation example would have taken the same bandwidth as 700 typical SpamCop reports - and I'm willing to bet I alone have submitted close to that number for this particular spammer.

The other retaliators are bandwidth-light also since they work by emulating "normal" web traffic. The only bandwidth-intensive tool I know of is SpamVampire and the bandwidth that consumes should be weighed against the "90% of all email traffic" DoS that we receive in our inboxes every day.

Secondly, the recommendation being made by the authors of these scripts is to use TOR to connect to these sites. I believe that probably most individuals running TOR nodes would not appreciate this possible misuse of their servers, since, not only could it result in retaliation against them, but TOR, as an overall community, would most likely be slowed down (as if it isn't slow enough already) by constant barrages of attacks on websites over and over.
I run a Tor exit node myself and I can assure you that such retaliators have no visible impact. The biggest problem Tor has is with people dragging 80MB+ Rapidshare downloads through it (to get around Rapidshare's IP-based download limits - since traffic is routed via 3 nodes this comes to 320MB+ of bandwidth). I would of course encourage anyone making heavy use of Tor to contribute back by running a server themselves, but that's certainly a topic for another thread.

I don't think any of these retaliation tactics are abusive. I am using my bandwidth, which I pay for, so how can that be considered abusive? On the other hand, a large number of these websites are used for nothing more than collecting information used for identity theft. By poisoning the spammer's database so that only 1 in 1000 or 10000 leads is usable, you have done a HUGE service to protect the people that were naive (read: ignorant) enough to put real information into these forms.

There is also the very real possibility of spammers losing their clients to whom they sell identity and CC information because the data they are selling is no longer usable. This directly impacts the spammer's bottom line, and when dealing with criminals may put him in a very undesirable position.


So, as long as a spammer is paying for their internet access, they can not be abusive?

Some 'advertising companies' that buy lists from other people pay for their ISP/host service, but the abuse comes from that person sending the unsolicited mail. I think it's a positive thing that these lackadaisical ISPs are starting to see the drain from retaliatory programs and persons.. it might make them aware to the problems they harbor.


<snip>

Assuming that you were referring to the Spur-M-Enator, such concerns are groundless. This tool places orders directly to the spammers' back end database so has negligible bandwidth consumption.

I don't think any of these retaliation tactics are abusive. I am using my bandwidth, which I pay for, so how can that be considered abusive?

<snip>

...Either these quotes demonstrate that you two don't understand how the internet works or that I don't :) <g>. AIUI, what appears to be a "direct connection" to another machine is accomplished in actuality by sending packets into the "ether," which are picked up and forwarded by one or more other machines. A TRACERT will demonstrate this. Those are machines we all use and although a very large resource, limited.
Specifically it sends a URL containing all the order data (about 600 bytes) and receives back a webpage under 340 bytes in size (it used to be blank but the spammers added a scri_pt to fire up 100 popups). So at under 1,000 bytes per transaction, 35,000 orders would take 35MB bandwidth plus protocol overheads.

By way of contrast a typical SpamCop report would take over 50K (22,600 bytes submission page plus 29,000 bytes report page plus the size of the spam submitted). So this retaliation example would have taken the same bandwidth as 700 typical SpamCop reports - and I'm willing to bet I alone have submitted close to that number for this particular spammer.

The other retaliators are bandwidth-light also since they work by emulating "normal" web traffic.

<snip>

...Put that way (and assuming you are correct, which I shall until someone else shows you to be wrong), this makes it seem less abusive. Nevertheless, I would still prefer more conventional means of reporting spam abuse, such as reports to providers, registrars, FTC, etc but, then, that's just my opinion and others are free to act on their own opinions (provided those opinions are grounded in analysis such as presented by Paranoid2000 in the quote immediately above and not simply on a desire for a "clever" retaliatory scheme).

Well, precisely that retaliation tactic might, in fact, be misusing the internet.
No question in my mind, it is misuse.
...Glad we agree on that but it's not you to whom I'm referring when I mention people who might not be thinking along these lines or are not knowledgeable enough to come to a valid conclusion (and by "valid" I don't mean necessarily the same one we've come to -- that it is abuse).
I expect there are many people considering retaliatory tactics who are not clued in to that. Even whether any particular retaliation tactic is a misuse of the internet probably needs to be aired before people can make an informed judgment as to whether to use it.
Hadn't considered that - then I've never thought "the end justifies the means[1]" to be morally defensible and things are pretty clear cut if one can proceed from there.

<snip>

...Again, you aren't the subject of my call for consideration.

...Isn't "the ends don't justify the means" a misquote? After all, if the ends don't justify the means, what does? My understanding is that the point is that the ends don't justify just any means.


...Isn't "the ends don't justify the means" a misquote? After all, if the ends don't justify the means, what does? My understanding is that the point is that the ends don't justify just any means.
Well, sure, ... what? "The ends justify the means" is often quoted in an inverted context to demonstrate just the opposite but then wrongly (in my view) taken by others to "prove" the literal meaning. Such twistings are common - through limited attention spans, Chinese whispers, malice and politics.

St. Iggy of Loyola (sp), oft-quoted proponent of the wrongful maxim has supposedly been given a bum rap in exactly that sense. "Loyola's mandate was that the end justified the means, and any means of restoring Vatican domination was acceptable." - voxfux.com (!). The official line is that, to the contrary, "He impressed on his followers the doctrine that in all things the end was to be considered. Never would Ignatius have countenanced so perverted an idea as that the end justified the means, for with his spiritual light and zeal for God's glory he saw clearly that means in themselves unjust were opposed to the very end he held in view." (11th edition, Encyclopaedia Britannica).

But yeah, in the normal course of events the means to any given end are justified by it (either fortuitously or deliberately considered). The danger is in assuming it is always so, and especially if the means are illicit or the importance of the ends turns out to be exaggerated.


Since there is now a new wave of this spam (plus the related operation "LegalRX"), now would seem a good time to point out that a retaliator is available which can place fake orders (including a CC number that passes the site's verification). This is effective enough that the spamgang behind these sites soon block IP addresses (use Tor to get around this), so enough people using it should encourage them to stop spamming altogether.

This retaliator requires the Firefox browser with the Greasemonkey extension (with NoScript and User Agent Switcher extensions strongly recommended). See the Pharma KS FormFiller thread for more details and download location.

I ran this overnight and it placed 3,237 orders until they banned the IP address. I'm working on my 2nd IP address now LOL.


By poisoning the spammer's database so that only 1 in 1000 or 10000 leads is usable, you have done a HUGE service to protect the people that were naive (read: ignorant) enough to put real information into these forms.

Well, one could argue that there are two vigilante methods of spam poisoning: passive and aggressive. On my blog, I use a passive means. Other people might opt for the aggressive means, which would be the scri_pt flood attacks on spamvertized URLs.

(BTW, why is the word s c r i p t censored out?)


On my blog, I use a passive means.

I just added that to all my CMS-based sites... we'll see if it does any good.

Now, I know that SC's main objective is to report the source of spam, but the recent inability to catch a reporting address for a spamvertized link is a little disheartening.

http://www.spamcop.net/sc?id=z1179130855zd...2550d5a40b8ba4z

Couldn't catch: copeckstable.com, which can be pinged: http://www.dnsstuff.com/tools/ping.ch?ip=copeckstable.com. The DNS WHOIS finds the record and a traceroute finds the hosting IP: http://www.dnsstuff.com/tools/tracert.ch?ip=copeckstable.com.

So why is SC not catching this?


<snip>

Now, I know that SC's main objective is to report the source of spam, but the recent inability to catch a reporting address for a spamvertized link is a little disheartening.

http://www.spamcop.net/sc?id=z1179130855zd...2550d5a40b8ba4z

Couldn't catch: copeckstable.com, which can be pinged: http://www.dnsstuff.com/tools/ping.ch?ip=copeckstable.com. The DNS WHOIS finds the record and a traceroute finds the hosting IP: http://www.dnsstuff.com/tools/tracert.ch?ip=copeckstable.com.

So why is SC not catching this?

...This is way beyond my direct knowledge but I infer from StevenUnderwood's reply in SpamCop Forum thread "DNS entries missing?" that SpamCop does not use tracert but rather uses domain: http://www.dnsreport.com/tools/dnsreport.c...opeckstable.com (or something analogous).

...Hopefully someone more knowledgeable than I will happen by with a more complete and/or authoritative answer.


Archived

This topic is now archived and is closed to further replies.

