In a fit of boredom the other day at work, I wrote this php script to generate a list of random, nonexistent email addresses for the fabled mailbots, those insidious d(a)emons used by spammers to troll the web looking to harvest email addresses from web pages.
My questions:
Do these things really work? Wouldn’t the Dark Side be smart enough to come up with some sort of filter for nonexistent domains? Do the bots even read dynamically generated lists such as mine?
I’ll admit that the idea of some spammer getting millions of bounced emails tickles me, but I wonder how much execution really follows the concept.
Yes, it will probably work. Some email lists may be filtered against the DSN database to check for legitimate domains, but most are only filtered for valid structure (xxx@yyy.tld) where there is exactly one @ character and a valid TLD at the end. Some may not even check that much. Many bots do read dynamic pages because there is less and less static content on the web. Even nominally static content may be displayed as a PHP, ASP, etc. in order to use a dynamically generated template. Many bots will not submit forms (e.g. search forms) but they will follow links to dynamic pages.
That said, your vindictive glee at deluging the spammer with bounced mail is likely to go unfulfilled. Most spammers don’t check their return mail. At best, the reply address is a valid address belonging to the spammer which will never be checked. At worst, it’s a forged address belonging to some innocent third-party who will get all your bounce messages along with the usual flood of hate mail resulting when a spammer uses a forged header. Believe me, several of my domains have been used in forged headers and the vitriol of people who respond to spam is matched only by their ignorance (in not understanding my polite replies indicating that the spam they received was forged and we didn’t have anything to do with it, so we can’t actually prevent it from happening again). But if you enjoy kicking innocent bystanders, go for it.
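As an added example (not code from this thread), here is a Python version of such a generator that mirrors the weak structural filter described above and keeps bounces on a domain the site operator controls rather than a third party's; the domain and the accepted-TLD list are constructed sample values.

```python
import secrets
import string

# Constructed sample value: a domain the site operator controls, so any bounce
# messages land in our own mailbox instead of an innocent third party's.
TRAP_DOMAIN = "example.com"
# Constructed sample value: TLDs a naive harvester filter might accept.
ACCEPTED_TLDS = {"com", "net", "org", "info", "biz"}


def random_local_part(length: int = 10) -> str:
    """Random local part of letters and digits, drawn from a CSPRNG so the list is unpredictable."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_trap_addresses(count: int, domain: str = TRAP_DOMAIN) -> list[str]:
    """Produce `count` distinct, structurally valid but nonexistent addresses under `domain`."""
    seen: set[str] = set()
    while len(seen) < count:
        seen.add(f"{random_local_part()}@{domain}")
    return sorted(seen)


def passes_naive_harvester_filter(address: str) -> bool:
    """Mirror the structural check described above: exactly one '@', non-empty parts, known TLD."""
    if address.count("@") != 1:
        return False
    local, _, domain = address.partition("@")
    if not local or "." not in domain:
        return False
    tld = domain.rsplit(".", 1)[1].lower()
    return tld in ACCEPTED_TLDS


if __name__ == "__main__":
    for addr in generate_trap_addresses(5):
        print(addr, passes_naive_harvester_filter(addr))
```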
Poisoning the well, as it’s called, is a valid way of making it less profitable to spam. Here’s how it works: A certain portion of the spamming industry is based around selling address lists to those who send the emails. ( … or resell the lists. Nobody in the industry is a paragon of human morality.) Spammers typically operate on fairly slim profit margins: They spend $x,000 sending n billion emails out to addresses they think are at least alive. If only 0.001% of those addresses respond with money, they’ve made some profit after they’ve paid for their hardware and the bandwidth they didn’t steal outright.
To make a scheme like that work, the spammer needs as many valid emails as he can get. But they buy them by the thousand or more. How can they sort out the duds, even if they look as ludicrous as yours do? They can’t. Every false address we can shove onto those lists, to be sold and resold to the unscrupulous and unwitting, reduces the profit margin. It is all a game of percentages, and it doesn’t work if it’s only done sparingly.
The forged header advisory above is valid, but at some point the ignorant must be educated.