
Comment by carimura

4 years ago

I was just contemplating this age-old battle of light vs dark when it comes to shady marketing tactics vs every-day consumers. My phone number was somehow picked up by some spammer sending me 2-3 spam SMSes per day with the same shady tactic ("You have an unsent package", "claim your free gift", etc.), trying to send me to the domains below [1] with a tracking code attached.

How do we, as the people building the platforms these perpetrators ride on, stop them? I reported this one to Cloudflare's abuse form because they're all on Cloudflare's nameservers, and almost guaranteed to be the same owner, but, it took me 5 minutes to fill out the form and they only accept one URL at a time. It's just too time consuming to fight back as an individual consumer.

Every one of us has thought at some point, "there has got to be a better way"... right? So?

[1]

http://needthecbd.com

http://wantafreetv.com

http://careforgreatskin.com

http://valuedcust.com
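The poster's complaint is that the abuse form takes one URL at a time while the lure messages carry a different tracking code each. The following is an added example (not code from the thread or from any party named in it) that turns a pile of received messages into a deduplicated, per-domain list that can be pasted into an abuse report: it extracts the URLs, strips query strings and token-looking path segments so per-recipient tracking codes collapse to one landing URL, and groups by registrable domain. The sample messages are constructed for illustration using the domains listed above; the tracking codes in them are made up, and the eTLD+1 logic is a deliberate simplification (a real tool would consult the Public Suffix List).

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample SMS lures (not from the original thread). The hosts are
# the ones the poster listed; the tracking codes are invented.
SAMPLE_SMS = [
    "You have an unsent package. Confirm here: http://valuedcust.com/p?t=8f3a1c",
    "Claim your free gift now! http://wantafreetv.com/go/91b2e7",
    "Final notice: http://valuedcust.com/p?t=77d0aa",
    "Skin care you deserve -> https://careforgreatskin.com/?ref=ab12cd",
    "Relax today: http://needthecbd.com/?c=ZZ9",
]

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
# A path segment of 5+ URL-safe chars containing at least one digit is
# treated as a tracking token (heuristic, assumed for this example).
TOKEN_RE = re.compile(r"^(?=.*\d)[A-Za-z0-9_-]{5,}$")


def extract_urls(text):
    """Return every http(s) URL in a message body, minus trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def normalise(url):
    """Collapse per-recipient tracking codes: drop the query string and
    fragment, and replace token-looking path segments with '{id}'."""
    parts = urlsplit(url)
    segs = [("{id}" if TOKEN_RE.match(s) else s) for s in parts.path.split("/")]
    path = "/".join(segs) or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Adequate for plain .com lures; a real
    tool should use the Public Suffix List to handle co.uk-style suffixes."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def build_report(messages):
    """Map each registrable domain to its set of normalised landing URLs and
    the number of messages that referenced it."""
    report = {}
    for msg in messages:
        for url in extract_urls(msg):
            host = urlsplit(url).hostname
            if not host:
                continue
            entry = report.setdefault(registrable_domain(host),
                                      {"urls": set(), "messages": 0})
            entry["urls"].add(normalise(url))
            entry["messages"] += 1
    return report


def format_report(report):
    """One line per domain, ready to paste into an abuse submission."""
    lines = []
    for dom in sorted(report):
        entry = report[dom]
        urls = ", ".join(sorted(entry["urls"]))
        lines.append(f"{dom}: {entry['messages']} message(s); landing URLs: {urls}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_SMS)))
```

Grouping by registrable domain rather than by raw URL is what makes the report short: the two `valuedcust.com` lures with different `t=` codes become a single entry with a message count, which is also the evidence of volume an abuse desk usually asks for.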

> How do we, as the people building the platforms these perpetrators ride on, stop them?

We don't, because there is more money to be made with the way things are set up as-is. And since builders are generally not the money decision-makers, the platforms keep being built (technically) badly.

Take phone-number-based scams: since there is no trust in identity but there is money made per usage, everyone except the end user wins by keeping everything as-is.

Scammers get money if a scam succeeds, network providers get money regardless, transit agreements stay up since traffic being passed at volume keeps the lines open, maintained and at size. End-users don't disconnect since they'll need it for legitimate use, so they keep being profitable as well.

If the money were to stop being made at any point in the chain it would suddenly all be over. But since legitimate and scam usage are mixed, that will never happen.

Replace phones and SS7 and telcos with any other transportation and information system for comparison. Email spam keeps 'working' because there is no real way to identify the sender in such a way that the identity can be barred. Postal spam has the same anonymous sender problem.

Heck, the best way that does work is having to physically hand flyers to people since you can simply not take the flyer, and since you (as a person) can't be handing out flyers without physically being there you can also be identified and barred.

Follow the chain.

1. Confirm domains are known for phishing and spam.

2. Figure out who registered said domains.

3. Add those people to known blacklists so they can't register any more domains ever again. Likewise block all domains already owned by them.

4. Get domain registrars and email servers to block said domains too.

5. Rinse and repeat every time it happens.

6. Find similar accountability chains as above and make sure to close the loop on them each time. "Sorry we can't give out emails and personal details. Fuck you, stop enabling illegal activity." And fight for legislation and tech solutions to enable the above.

If you can't move to a better spot after identifying bad patterns, then it's just a giant game of useless whack-a-mole.

  • > 3. Add those people to known blacklists so they can't register anymore domains ever again. Likewise block all domains owned already by them.

    You generally can't know who operates a given domain automatically. whois is almost always redacted now.

    > 4. Get domain registrars and email servers to block said domains too.

    Good luck with that. They make money from spammers, and don't have any incentive to stop.

    I tried Namecheap twice and provided them spams with valid DKIM signatures for domains registered to them (generally on TLDs on sale for $1, which must be sold at a loss, right?). They refused to do something about it.

  • > 2. Figure out who registered said domains.

    How? Have you ever seen a spam domain that provides accurate and actionable WHOIS?

    • Well that's the first problem to address. I wasn't trying to dismiss it as trivial.

> How do we, as the people building the platforms these perpetrators ride on, stop them?

Every now and then, I get mad while I'm bored and have a bit of free time, and I'll write a script to make requests with randomised tracking codes. I've got about 30 available VPN end points easily available, and I'll cycle through them all sending requests with random ID in whatever the format looks like. It _probably_ makes no difference, but _maybe_ it'll make their data less useful (and if nothing else, I get a bit of satisfaction from doing it.)

  • I stew on this idea all the time and conclude that only scale (lots of users?) would make this effective. But then I ponder the remedy itself being wielded against legitimate parties and I get slightly sad and move on to something else to worry about.

    • Yeah - I do worry about making a request that might "verify" some other legitimate user's URL, so I won't do this if the identifiers look like consecutive numbers, but if they look like GUIDs I'm perfectly happy to blast 10,000 or 100,000 random ones back at them.