I'm not exactly opposed to vigilantism in a case like this but I don't expect it would be very effective. I'm reminded of the little dutch boy plugging a hole in the dike with his finger. It's really far too easy to move to another server, IP, and or domain name.

The only real way to combat this kind of thing is with education.

The random data should be identical to valid data making it impossible to automatically parse out:

I think that's being optimistic. With IPs and datestamps, it would probably be pretty easy to separate the list into "probably real" and "probably not real" piles.

Sure I have reported it to Barclays but the server is in russia so they will not really be able to stop it. They probably don't care as their disclamer makes it THE CLIENTS problem.

I would guess they would care a great deal. The monies in the bank are probably insured against fraud up to some amount. Besides, banks make money by holding onto yours. They don't want to lose their customers' money to someone that will go put it in another bank, right? And, really, they don't want to lose your future business either. I would think that banks take a great deal of interest in this sort of thing.

I suppose I could ask one of my more dubious assocites to take the server down but that would probably hurt inoccent users as well.

I wouldn't worry about the other users. It is likely that there are no legitimate users of the machine or that the hosting provider is at least aware of the illegitmate users. But again, it's simply too easy for the perpetrators to move on, so I don't really see the point (except maybe to feel like you got a little revenge.)

-sauoq
"My two cents aren't worth a dime.";

With IPs and datestamps, it would probably be pretty easy to separate the list into "probably real" and "probably not real" piles.

Besides the bugs in the code this could be harder than expected. You would need certain elements in the raw data file as well as the 4 significant data fields you might presume the script is writing. A parallel log analysis might show you when you were being bombed and from where but you need to accurately correllate that with the data. A low order continuous DOS would make this problematic anyway as all data would become suspect. The general idea of adding a haystack to hide the needles seems like not a bad approach.

Of course there are plenty of fixes for it but it does require that those fixes get implemented. Given that it appears that this site is a clone of a scam on the National bank it is possible that while the perps are creative they are at a script kiddy level. The form they present looks nowhere near as high quality as some I have seen which are a perfect match for the target site.

As you don't need the return data you would really want to spoof the sending IP address. Better simulated names (ie taken from a real name list) and Secret words taken from say the Unix dictionary would also add more realism.

Education is a nice thought but if you take virus spread as an example some people are difficult to educate.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

A parallel log analysis might show you when you were being bombed and from where but you need to accurately correllate that with the data.

The assumption being that they don't log both together... and maybe they don't. I would, though, if I were pulling a scam like this. (And, if they aren't this time, they probably will next time.)

As you don't need the return data you would really want to spoof the sending IP address.

That would certainly help.

Education is a nice thought but if you take virus spread as an example some people are difficult to educate.

I agree entirely. Of course, losing one's savings might be a lesson that's hard to forget. Regardless of whether or not education is an effective solution, it is the only real one. Like I said though, I'm not opposed to vigilantism in a case like this; I'm just trying to make a realistic assessment of how effective it would be in the long run. My conclusion remains: "not very."

-sauoq
"My two cents aren't worth a dime.";

Interesting concept. Not entirely Perl related but then I guess this is a Meditation.

There is a bug in this line (would have been caught by use strict :-) $wordgo=hm should read $word&go=hm.

my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user&pass
+=$pass&word=$wordgo=hm&loginButton=%20%20Verify%20%20";

# it should be:
my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user&pass
+=$pass&word=$word&go=hm&loginButton=%20%20Verify%20%20";
[download]

Also = 20,000 means = 20 void context 000. You probably meant = 20_000 or = 20000

Oops. Perl is not my first language (guess it shows :-)

i might be missing something here but why the hell don't Barclays detected when the referrer is the scammer and display a large warning message on their homepage? my only guess is they don't care.

If Barclays were to post a large prominent warning on their web site then the 97-99% of their electronic banking customers that didn't get this email might get nervous and choose not to use the online service. Leading to a lines at branches. Which is a bad thing.

Secondly, while I agree with your "Don't get mad, get even" statement, I disagree with methodology. I don't think that attacking bad guys will lead you anywhere. I would instead help the good guys. And one of the ways to help good guys is education. Banks (and other organizations) should be properly notified that about bad guys around spoofing their sites and producing all sorts of other dirt. Users should be educated about different techniques of misleading them, such as "@" character in the URL. They should be taught to make sure that they are using secure connection with the properly signed and generated certificate from the appropriate bank.

I beleive that a well educated user is capable of securing himself/herself from a great variety of problems.

Take these 2 cents, they are yours. :)

Update: sauoq is faster then me. :)

I'm slowly getting the feeling that things like SpamAssassin arent enough. Recently Ive been getting several bits of spam that only turn up a 1.2->3.0 on the SA scale, and so still get delivered.. (I bet I get real mail that has a worse count than that..)..

So much so that I'm considering making a list from which I will accept mail, and getting everything else directed to a delete box, where it will be deleted if I dont add the address to my list..

(Hmm,m wonder if anyone has done this already..)

C.

We do Bayesian stats work as part of a different project and have a filter based on that (proprietary I'm afraid) although there is popmail Popfile on sourcforge which is OK.

Bayesian stat analysis is probably one step past Spam Assassin but still has the following inherent problems. These apply to all forms of spam filters. First if the filter is publically available (as it must effectively be to be used) then you can craft spam and test it against the filter(s). Regardless of what they are looking for and how they rate spam messages in the form:

Dear Name

RE: Your recent blah blah blah

Thanks for your enquiry. Blah blah blah. Please take the time to have 
+a look at: 

http://blah.com/cgi-bin/special_offer?name=Name&code=AGERSDGFTGER

I wish you all the best in your endeavour.


Kind Regards

John Smith
Director


Blah.com
Street Address
Phone Number
Fax Number
Mobile Number

BLAH Making it happen
http://blah.com
foo@blah.com

The information transmitted may be confidential, is intended only for 
+the
person to which it is addressed, and may not be reviewed, retransmitte
+d,
disseminated or relied upon by any other persons. If you received this
message in error, please contact the sender and destroy any paper or
electronic copies of this message. Any views expressed in this email
communication are those of the individual sender, except where the
sender specifically states otherwise. Blah does not represent,
warrant or guarantee that the communication is free of errors, virus o
+r
interference.
[download]

are statistically next to impossible to pick. The problem with the basic mail protocol is that you can forge headers ie there is no way to validate the sending server. Given this you can more of less craft your emails so they will pass any Spam filter.

Messages like this are the new face of spam. Still spam but crafted to look like a standard valid (perhaps corporate) reply. It will be next to impossible to stop mail in this form.

As a result the challenge response/whitelist passthrough is probably the way it will end up in the medium term. Then of course the spammers will implement respond bots and the cycle will continue.

What is needed is a modification to the underlying protocol so that there is an inbuilt challenge response or security key of some form so that the recipient server can query the supposed sending server to see if it was really the source of the message. If you can do that you can work blacklists of spam servers far more effectively.

cheers

tachyon

s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

(Hmm,m wonder if anyone has done this already..)


Yes, they have. Browse the Email Filters section on freshmeat. If you've got a user account there you should be able to search in that category for "whitelist" (you may be able to do this without an account, it's been a while).

davis

It's not easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day.

There is one thing I've found that DOES effectively prevent Spam. Mailblocks uses a "verify" technique that works pretty much 100%. There are only two drawbacks: 1) it costs money/yr and 2) while they have ways of letting things like orders through, sometimes you just use your e-mail account and things that are NOT going to reply to their message end up in the pending box so you still have to keep your eye on it. But only sometimes. It has been the only way I've found to effectively combat spam. Maybe one day spammers will get by it, but for now, it works.

IIRC pisem.net just provides free web hosting services. I doubt they are related to the scummers in any way other that scummers are abusing their free web hosting services. Given most ISPs are quite responsive to reports about spamers and scummers utilizing their resources I bet most effective way to stop this is it to report to abuse@pisem.net.

I am wondering why there is a sleep in your while loop.

On the contrary, if you really want to do something like this, start multiple threads, and have them sending together. That's pretty useful, otherwise your connection is idle most of the time.

The idea was not so much DOS just to 'hide' the real data in a sea of rubbish. The idea of the sleep was so say you ran it for a day or two every 60 seconds (load and bandwith use is very small so it does not annoy you). Even if target analyse the logs all they see is a steady trickle so all data becomes suspect over an extended period. If lots of people did just a few there would also be lots of IPs.

Not taking sides here. But if you want to make it harder for them to spot it in logs, add some random element (included tachyons fixes as well).


#!/usr/bin/perl

use LWP::UserAgent;
my $ua  = LWP::UserAgent->new;
my $MAX_SLEEP = 5;     # max seconds to sleep
my $DEBUG = 1;
my $LOG_FILL = 20000;  # how many entries will we add to the scam log?

while(1) {
    my $IE   = sprintf "%.1f", ( 5.0, 5.1, 5.5, 6.0, 6.1 )[rand(5)];
    my $WIN  = sprintf "%.1f", ( 4.0, 4.1, 5.1 )[rand(3)];
    my $bs   = join '', map{ ('a'..'z')[rand(26)] }1..(rand(5)+3); 
    my $agent = "Mozilla/4.0 (compatible; MSIE $IE; Windows NT $WIN; $
++bs)";
    $ua->agent( $agent );
    $DEBUG && print $agent, $/;
    my $user = sprintf "%08d", rand(99999999);
    my $pass = sprintf "%05d", rand(99999);
    my $name = ucfirst join '', map{ ('a'..'z')[rand(26)] }1..(rand(5)
++3);
    my $word = join '', map{ ('a'..'z')[rand(26)] }1..(rand(3)+5);  
    my $url = "http://barcl.pisem.net/obr2.html?name=$name&user=$user&
+pass=$pass&word=$word&go=hm&loginButton=%20%20Verify%20%20";
    $DEBUG && print $url, $/;
    my $request = HTTP::Request->new( 'GET', $url );
    my $response = $ua->request( $request );
    $DEBUG && print $response->content;
    sleep (int(rand ($MAX_SLEEP))+1);
    $LOG_FILL--;
  die "Done!\n" if $LOG_FILL == 0;
}
[download]

I won't comment on the possible legal ramifications of this post, because they should be obvious to anyone doing 30 seconds of research. What I will comment on is how completely futile your efforts are. You're sending multiple requests, all they have to do is block every ip with more than 2 form submissions and your efforts become a miniscule DOS attack (which is illegal in your country, oops guess I saved you 30 seconds).

Do it from dial up and they will never be able to track you down either.

Welcome to the Internet my friend. First lesson - you are not anonymous. All that has to be done is contact your ISP with the violation and your identity becomes known to them, and law enforcement agencies.

Way to be a script kiddie.

P.S. I don't understand all the posts in this thread. Am I missing something, or has Perlmonks really slid this far down?

Am I missing something, or has Perlmonks really slid this far down?

Slid so far down as to discuss technical means of subverting internet scam artists intent on stealing bank accounts from unsuspecting grandmothers?

What I will comment on is how completely futile your efforts are.

Got to agree with that... I myself have said as much in this thread.

all they have to do is block every ip with more than 2 form submissions

Not if they hope to get more than one set of credentials from an ISP that uses proxy servers like, for one small example, AOL. And, as tachyon mentioned, IP spoofing might be helpful in that regard.

I won't comment on the possible legal ramifications of this post

So, you would be worried that these thieving scumbags would run to the law and file a grievance alleging you attempted to disrupt their scam to steal bank accounts?

-sauoq
"My two cents aren't worth a dime.";

Vigilante "justice" is not justice. Whether you're talking about DOSing email scams or shooting abortion doctors or unilaterally toppling dictatorial regimes, failing to follow the rule of law is to join your enemies at their level.

Taking the law into your own hands assumes that you alone know what's right and wrong, and that your judgement is infallible. There are appropriate methods to achieve your goals. To remain within society, you must follow the social methods: those which have the proper procedural oversight and just review.

--
[ e d @ h a l l e y . c c ]

Slid so far down as to discuss technical means of subverting internet scam artists intent on stealing bank accounts from unsuspecting grandmothers?

That answered my question perfectly.

It was good while it lasted. I'll be leaving now, goodbye.