Screwing with "Adknowledge Rewards"

[MightyYar]

I get spam constantly from "Adknowledge Rewards". I'm NOT going to sanitize their filthy little list by clicking on the remove link at the bottom of the email, and submitting SpamCop reports seems to be pretty fruitless.

But these emails are full of links like:

hxxp://dyn.adknowledgeimager3.com/c?m=xxxxxxxxx&p=&l=1&u=xxxxxxxxx&lid=1&dn=somedomain.com&cgid=&si=4&im=1&cid=10688

I changed the tt in http to xx, and the other identifying numbers are replaced by xxxxxxxxx, except for the "cid" which seems to be "campaign id" and messing with that loads up different websites. Oh, and I replaced my domain with somedomain.com.

I know this can only lead to trouble, but how much of a pain in their asses could I be by writing a scri_pt that just filled in random 9-digit numbers into the m and u fields and loaded up the pages? For extra points, I could follow any links that I encounter to screw with their ad clicks, but that might take too long.

I know that "random" numbers wouldn't do enough damage, because my chances of hitting two correct 9-digit numbers is probably low. BUT, there are some trends. "u=xxxxxxxxx" is the same number every time, so I'm pretty sure that means "user". That one can probably be pretty random.

The other is "m=" and I think that means "mailing". It's non-random. For instance, I've seen 599205843, 599102668, 599615233, 599455567, 597108543, etc. Seems to be sequential.

I guess the main reason this wouldn't seem to work is that the "dn=" field seems to look for a domain that they no doubt use to check against the "u=" field. Maybe filling in "yahoo.com", "hotmail.com", "gmail.com" and other common domains would be good enough, though.

I know this is a bad idea, but how bad is it?

[Miss Betsy]

IMHO, it is always bad to be 'rude' in handling spam because IMHO fighting fire with fire is never a good idea.

However, other people have had the same idea (loading their pages), I believe. I don't think there is any site that you can go to do this automatically anymore and I forget exactly why (because I don't take an interest). Of course, that's what you want to know! I think maybe a search on Blue Frog might help you or someone else will come along and give you links.

Some people feed their spam to Knujon (I can't remember the spelling of that) and there are others who think that getting spammers shut down at the registrar works (Complainterator - a thread on it is in suggested tools & applications forum). Of the two, I think the complaints to the registrar is more effective.

Miss Betsy

[MightyYar]

However, other people have had the same idea (loading their pages), I believe.

Well, my "idea" is a bit different than simply using their bandwidth - and I'm sure others have had the same idea, I just haven't seen it done. Basically, Adknowledge is a "legitimate" spammer in the eyes of their ISP, so complaints are pretty much wasted. I refuse to click on the "unsubscribe" link, though, since I never opted in. The last thing that I want to do is help them clean their list.

Since they are "legitimate", they keep track of clicks for their customers. They do this by embedding strings in the url that let them know who clicked on the link, from what campaign, and from what mailing. This information helps them fine-tune their message to get more clicks and to get around spam filters - it also lets them tell their customers how well the campaign is going.

I'm talking about screwing with this system by sending false information in the tracking urls. My hope is that I'd send enough junk information to them that they would be unable to track anything for real - at least until they play with their system a bit and figure out a way to fix it. But giving them a mild headache would be just peachy.

Some people feed their spam to Knujon (I can't remember the spelling of that) and there are others who think that getting spammers shut down at the registrar works (Complainterator - a thread on it is in suggested tools & applications forum). Of the two, I think the complaints to the registrar is more effective.

Yeah, I use some of those sometimes, and knujon really does seem to work - though it could just be a coincidence.

But again, I'm talking about a company who is a spammer but does not violate the CAN-spam Act. Somehow they got my address and now they are spamming it. I'm pretty sure that they got my address by brute-forcing my domain, but I can't be sure. I usually use spambob to sign up for things, so I'm pretty sure that it's not just a case of me being careless. They could also have gotten it by reading the address book of a friend somehow. Either way, it's unethical and I won't sanitize their list - I want to cause them trouble if possible.

[rconner]

I'm talking about screwing with this system by sending false information in the tracking urls. My hope is that I'd send enough junk information to them that they would be unable to track anything for real - at least until they play with their system a bit and figure out a way to fix it. But giving them a mild headache would be just peachy.

Like Miss Betsy, I am not inclined to fight fire with fire, though I admit it does seem tempting at times. What you should keep in mind, however, is:

1. In submitting bogus URLs, you may be submitting codes that correspond to innocent parties' addresses, which might wind up getting them more spam.
   
2. Your interactions are recorded in the spammer's web server log -- your IP address and the URL you requested, at a bare minimum (also maybe info about your computer). If you become too much of a nuisance, the spammer may simply throw you on a blocking list -- you will continue to get the mail, but you won't be able to get access to the website at all. This is a very common tactic on the drug spam websites. This is less of a problem to you if you are on a dynamic IP.
   
3. A sufficiently high volume of such activity (and who knows exactly what "sufficently high" means?) could get you tarred as a cracker or denial-of-service attacker by the spammer or his provider. Yes, I know this is a tenuous case, but sometimes a tenuous case is sufficient to shake off the ankle-biters.
   

-- rick

[MightyYar]

Thanks, you make some good points.

1. In submitting bogus URLs, you may be submitting codes that correspond to innocent parties' addresses, which might wind up getting them more spam.
   

Yes, I'd hate to do this to people. This alone might keep me from doing anything.

• Your interactions are recorded in the spammer's web server log -- your IP address and the URL you requested, at a bare minimum (also maybe info about your computer). If you become too much of a nuisance, the spammer may simply throw you on a blocking list -- you will continue to get the mail, but you won't be able to get access to the website at all. This is a very common tactic on the drug spam websites. This is less of a problem to you if you are on a dynamic IP.
  

I thought of this. I would probably run my scri_pt from one of the many wireless hotspots around. It wouldn't be very high-bandwidth if I don't thread it too heavily, so I don't think anyone would really notice. I do have a dynamic IP.

• A sufficiently high volume of such activity (and who knows exactly what "sufficently high" means?) could get you tarred as a cracker or denial-of-service attacker by the spammer or his provider. Yes, I know this is a tenuous case, but sometimes a tenuous case is sufficient to shake off the ankle-biters.
  

Yeah, I'd be afraid of the lawsuit angle, too. Again, I'd only run the scri_pt from a coffeehouse or public park where there is wireless. Unfortunately, this spammer is technically operating legally - or at least in a gray line. They have won a case in the past against someone accusing them of spamming under CANN-spam.

I thought of an approach which would not end up getting "innocents" more spam... They have a link to unsubscribe. And the best part is, if you guess correctly at the uid, it fills in the form automatically. Sooooo, my scri_pt could just keep guessing until it sees the form filled in, then unsubscribe the found email automatically. This could also be used to "harvest" their email list, which is a bit surprising that they should have such a vulnerability.

I might code up a scri_pt, even if I never use it - maybe it will be useful to someone else

[rconner]

I thought of an approach which would not end up getting "innocents" more spam... They have a link to unsubscribe. And the best part is, if you guess correctly at the uid, it fills in the form automatically. Sooooo, my scri_pt could just keep guessing until it sees the form filled in, then unsubscribe the found email automatically. This could also be used to "harvest" their email list, which is a bit surprising that they should have such a vulnerability.

You make the quaintly generous assumption that spammers actually use the unsubscribe messages to remove people from their lists. They do not. ANY evidence you or anyone else provides that your e-mail address is deliverable -- even a remove request or a rant filled with swearwords -- will be taken by the spammer as proof that he has hit a live address, and he will simply send more spam.

Read http://www.cis.hut.fi/kaip/spam/remove.en.html to see exactly what happens when you "unsubscribe."

-- rick

[GraemeL]

You make the quaintly generous assumption that spammers actually use the unsubscribe messages to remove people from their lists. They do not. ANY evidence you or anyone else provides that your e-mail address is deliverable -- even a remove request or a rant filled with swearwords -- will be taken by the spammer as proof that he has hit a live address, and he will simply send more spam.

I've tried several methods for seeding spam traps. The address I seeded by filling out unsubscribe forms was by far the most successful and accounts for over 80% of my spamtrap hits.

[MightyYar]

You make the quaintly generous assumption that spammers actually use the unsubscribe messages to remove people from their lists. They do not. ANY evidence you or anyone else provides that your e-mail address is deliverable -- even a remove request or a rant filled with swearwords -- will be taken by the spammer as proof that he has hit a live address, and he will simply send more spam.

Read http://www.cis.hut.fi/kaip/spam/remove.en.html to see exactly what happens when you "unsubscribe."

Well, in this case that would be GREAT. This outfit is based in the US and spamming after an opt-out request would violate CAN-spam. Look up "adknowledge can-spam" on google. These SOBs have been sued and have won more than one lawsuit - and they countersue for legal costs... and win.

If they actually did violate CAN-spam, they could actually get nailed in court.

But I doubt that they would do that Instead, I think that my email would in fact get cleared off of their lists. I would certainly test it before removing random folks.

If I were to pursue this at all...

[rconner]

If they actually did violate CAN-spam, they could actually get nailed in court.

I suspect that it would take more lawyering than you or I could afford in order to prove this.

On the other hand, the fact that this outfit is so well connected (controlling their own /20 direct-allocation block) means that you may actually have an easier time dealing with them than with the usual whack-a-mole botnet spammers. You might consider whether you could arrange for your ISP's mail hosts to reject or discard these deliveries, if you can spot a consistent pattern in their messages that could be used for this purpose.

I was once plagued by daily spam from a similar pseudo-legit bulk-mail outfit, until I observed that they consistently used a "nickname" for my e-mail address that was unknown to me (e.g., "not-me <me[at]myisp.foo>"). I was able to log on to my ISP's spam filter and set up a rule that would catch any mail with this nickname (the "not-me" in the example above) and throw it in the trash. As a consequence, I no longer received any spam from this outfit (they are now defunct). So, you might check to see whether they are using a correct nickname for your address.

Otherwise, if you can find a list of the IP addresses used to hand off this spam to your ISP, you may also be able to set up a filter on this basis. More than likely this outfit is using a limited number of IP addresses dedicated to outgoing SMTP, so it shouldn't be too hard to get the full list.

You might also filter on return e-mail addresses or on URLs found within the messages, but these are probably less reliable. The e-mail addresses may be forged, and the domains used in the URLs can be changed at will thanks to spam-friendly bulk registrars.

Rejecting these messages (i.e., returning a 550 SMTP response code upon delivery attempt) rather than discarding them would be the better way to go, as it would make it very clear to these people that their mail is not welcome. This is the solution that many of us would like to see ISPs adopt with regard to spam. However, this option may not be avalable to end-users (particularly where large providers are involved). It may be worth taking the matter up with your mail system admin to see whether rejection could be set up in your own case.

If you can't actually reject the mail, however, you can at least have it discarded before you see it, which will increase your peace of mind.

-- rick

[jongrose]

You might go ask this question at TheCarPCStore - Kill Spammers Forum that has a lot of members that are keen on this type of thing and can probably help you better find what you're looking for.

[MightyYar]

If you can't actually reject the mail, however, you can at least have it discarded before you see it, which will increase your peace of mind.

Thanks for the reply - yeah, it would be very easy to filter. They never spoof their "from" address - it's always from the "adknowledgemailer3.com" domain. They even adhere to SPF!

So I guess I'm more ideologically opposed to them than they are a nuisance. After all, I'm fairly certain that the emails would stop if I just unsubscribed!

[Merlyn]

After all, I'm fairly certain that the emails would stop if I just unsubscribed!

I would take a bet on that!

[MightyYar]

I would take a bet on that!

Want me to try it?

If they keep spamming me, I might have to try to bite their ankles a bit.

If not, I guess the source of my inspiration will dry up!

Whataya think?

[Merlyn]

Want me to try it?

If they keep spamming me, I might have to try to bite their ankles a bit.

Go for it, should be very interesting. The spam might stop from that site but might raise two or three fold from their other sites.

[MightyYar]

Go for it, should be very interesting. The spam might stop from that site but might raise two or three fold from their other sites.

Okay, I will. But before I do that, I've been forwarding my spam emails from them to their CEO Scott Lynn.

slynn[at]adknowledge.com

I just want to make sure that he knows that I'm getting them so that he can stop worrying. I mean, he sends the same email over and over, so he must be concerned that I wasn't getting them.

[MightyYar]

Following up on my own post... I don't know if it was all of the SpamCop reports or the emails to the CEO, but the spam mails have stopped... for now!

So I'll have to try the unsubscribe experiment another time...

[kuznetz]

Who are LEGAL spammers?

how spamming could ever be legal? What is the mentioned CAN-spam act? Strange things, really.

Even in Russia spamming is illegal. No one can spam legally in Russia.

However, it's rather difficult to prove the spam incident. They always spam through botnets.

[MightyYar]

Who are LEGAL spammers?

how spamming could ever be legal? What is the mentioned CAN-spam act? Strange things, really.

Even in Russia spamming is illegal. No one can spam legally in Russia.

However, it's rather difficult to prove the spam incident. They always spam through botnets.

You can legally spam in the US, at least by the definition of most people on this board. You have to identify the email as an ad in the subject line, you have to provide an unsubscribe method, and you have to provide a real postal address.

So.... the average "Viagra", stock, or porn spam is not legal in the US - but random stuff like AdKnowledge rewards probably is - they probably bought my email from a "partner", who in turn probably found live addresses at gmail through brute-force attacks. I very, very rarely sign up for anything using my gmail address, so it is unlikely that the address was obtained in some "legitimate" way, and I guarantee they aren't using any sort of double-opt-in techniques.

[kuznetz]

Thank you very much. I see now.

Do I get you right: spammers don't even have to PROVE that they got your address legally?

[turetzsr]

<snip>

Do I get you right: spammers don't even have to PROVE that they got your address legally?

...According to the one national law we have specifically relating to spam (CAN-spam), that is correct. On the other hand, there is nothing illegal in the US about buying a list of e-mail addresses or scraping them from the internet. In fact, I can't think of any way of acquiring an e-mail address illegally (other than doing something illegal while acquiring it, such as holding a gun to your head).

[Wazoo]

how spamming could ever be legal? What is the mentioned CAN-spam act?

The CAN-spam bill is linked to from the SpamCop FAQ found 'here' .. links at the top of the page.

Do I get you right: spammers don't even have to PROVE that they got your address legally?

Having to 'prove' anything would only come at the time of some sort of legal action or perhaps a discussion with a hosting ISP ..... this would be much later in the game than the act of actually sending the spam itself.

[Merlyn]

...According to the one national law we have specifically relating to spam (CAN-spam), that is correct. On the other hand, there is nothing illegal in the US about buying a list of e-mail addresses or scraping them from the internet. In fact, I can't think of any way of acquiring an e-mail address illegally (other than doing something illegal while acquiring it, such as holding a gun to your head).

They cannot scrape them from a website according to can spam:

--------------------------------------------------------------------------------------

( UNITED STATES SENTENCING COMMISSION-

(1) DIRECTIVE- Pursuant to its authority under section 994(p) of title 28, United States Code, and in accordance with this section, the United States Sentencing Commission shall review and, as appropriate, amend the sentencing guidelines and policy statements to provide appropriate penalties for violations of section 1037 of title 18, United States Code, as added by this section, and other offenses that may be facilitated by the sending of large quantities of unsolicited electronic mail.

(2) REQUIREMENTS- In carrying out this subsection, the Sentencing Commission shall consider providing sentencing enhancements for--

(A) those convicted under section 1037 of title 18, United States Code, who--

i) obtained electronic mail addresses through improper means, including--

I) harvesting electronic mail addresses of the users of a website, proprietary service, or other online public forum operated by another person, without the authorization of such person; and

(II) randomly generating electronic mail addresses by computer; or

--------------------------------------------------------------------------------------------------------------------------

[MightyYar]

I) harvesting electronic mail addresses of the users of a website, proprietary service, or other online public forum operated by another person, without the authorization of such person; and

Of course, that whole clause is rendered much less effective by the "without the authorization of such person" bit. All AdKnowledge needs to do is have an "agreement" with an unscrupulous webmaster. If spamcop said "Thanks for the money, go ahead and scrape our forums," it would all be Kosher under CAN-spam.

And I imagine the ground gets REAL shaky when a third party aggregates other web site data (with permission, of course), and then a spammer scrapes THAT site with permission.

Let's put it this way: people have sued AdKnoledge under CAN-spam in the past and lost - even having to pay AdKnowledge's legal fees... so yeah, they are legal. See

http://domainsmagazine.com/Domains_12/Domain_8438.shtml

[Merlyn]

216.21.208.0 - 216.21.223.255 has been blocked at our router for a while now and probably every other block they own. Much easier that way

[rconner]

See

http://domainsmagazine.com/Domains_12/Domain_8438.shtml

Interesting article, here's a quote from the wrap-up:

More generally, I remain frustrated that so much regulatory attention is focused on curbing marketers' abuse while comparatively little attention is given to curbing marketing plaintiffs' abuse.

Yes indeed, anti-spammers filing frivolous lawsuits against spammers is a tragically-frequent abuse of our courts these days, I imagine.

-- rick