
Spamnesty – A Bot to waste spammers' time - dgellow
https://spa.mnesty.com/
======
squarefoot
Great idea! Wasting spammers' time is one of the very few ways of making them
effectively lose money. Still the project needs some pseudo randomization in
order to fool basic research. Some of the messages I read contained the
sentence "I am a bit busy now, but I am definitely interested. When can we
talk?". If one searches for that sentence in quotes Google returns four pages
of references to Spamnesty. A slightly more clever spammer would sense the
trap in minutes. I'm not aware of any program capable of adding some entropy to
a sentence while maintaining its semantics and readability (save for insertion
of random errors), but one could use a translator in different languages. Say
English->German->Russian->Spanish->Polish->Danish->English, then send the
resulting string as a reply. The above string for example becomes: "Now I'm a
bit busy, but I'm definitely interested. When can we speak?" which (almost)
fools the search. Almost because the 1st page still contains a couple of
references to Spamnesty due to the above sentences' strong similarity, but
they're well buried together with other completely unrelated stuff.

BTW, pairing this with a personal assistant stripped of any access to personal
information/property/devices (such as a hypothetical open source cloudless
one) and instructed to ask for details on every possible part of the offer,
one could make the perfect weapon against phone telemarketers as well.

~~~
wybiral
> A slightly more clever spammer would sense the trap in minutes.

Spammers are going to develop anti-spam filters :)

~~~
amelius
I guess spammers make most money from the lowest IQ percentiles on the
internet. Therefore, we only have to develop AI that is as smart (stupid) as
those people, and spammers won't be able to tell the difference.

------
superasn
Well done. It does get the spammers frustrated. I remember reading about a
similar thing[1] where instead of emails it was automated telephone replies
and the scammers were cussing at the bots and generally super confused.

It did also manage to flood their phone lines making their call center useless
for a while.

[1] [https://motherboard.vice.com/en_us/article/bj8wg4/we-talked-...](https://motherboard.vice.com/en_us/article/bj8wg4/we-talked-to-the-hacker-who-flooded-alleged-irs-scammers-with-robocalls)

~~~
jdietrich
Some magnificent genius has created the perfect bot for hooking predatory
telemarketers. "Lenny" is a slightly confused elderly man with poor hearing.
He wanders off topic, he isn't sure what you just said and he is absolute
catnip for crooks. If you haven't heard a call to Lenny, you're in for an
absolute treat. This call from a tech support scammer lasts an exhausting 31
minutes:

[https://www.youtube.com/watch?v=UJTxkPLVxrc](https://www.youtube.com/watch?v=UJTxkPLVxrc)

[https://www.reddit.com/r/itslenny/](https://www.reddit.com/r/itslenny/)

~~~
dspillett
The thing that makes me angry with some of those recordings is when the
callers still think that they are talking to a dotty old fellow who they can
con (they usually cotton on to the trick in the end). When to my ears Lenny
sounds like someone with dementia who needs help and should not under any
circumstances be sold to without a legal guardian present, what they seem to
take from the situation is "great, I might make my whole day's quota on this
daft old coot". At that point "but it is my job" really doesn't cut it.

~~~
sporkologist
If they didn't try to get the sale, they'd probably get fired and swapped with
someone who would.

~~~
Kadin
The capitalist's Nuremberg defense?

------
dgellow
OP here. Just to clarify, because I see a lot of congratulations. I just
shared the project, I'm not the author.

Based on the GitLab project, the author seems to be @stavros:

\- [https://gitlab.com/stavros/Spamnesty](https://gitlab.com/stavros/Spamnesty)

\- [https://twitter.com/stavros](https://twitter.com/stavros)

\- [https://www.stavros.io/](https://www.stavros.io/)

~~~
StavrosK
Yep, that's me!

~~~
Terretta
You may want to add a keyword check if the spammer starts sending you back
bounces:

[https://spa.mnesty.com/conversations/bkpeczav/](https://spa.mnesty.com/conversations/bkpeczav/)

~~~
StavrosK
Good idea, added, thank you.

------
peterburkimsher
I just tried to forward a lot of spam messages, and got the response:

554 Recipients' domain disabled

    Reporting-MTA: dns; googlemail.com
    Received-From-MTA: dns; ----------@gmail.com
    Arrival-Date: Sat, 30 Dec 2017 20:49:25 -0800 (PST)
    X-Original-Message-ID: <02D8BE6D-6DEF-4FC9-9AC5-6BC6E7A44EAE@gmail.com>

    Final-Recipient: rfc822; sp@mnesty.com
    Action: failed
    Status: 5.0.0
    Remote-MTA: dns; mxb.mailgun.org. (54.69.170.70, the server for the domain mnesty.com.)
    Diagnostic-Code: smtp; 554 Recipients' domain disabled
    Last-Attempt-Date: Sat, 30 Dec 2017 20:49:27 -0800 (PST)

~~~
aendruk
Tracked at
[https://gitlab.com/stavros/Spamnesty/issues/81](https://gitlab.com/stavros/Spamnesty/issues/81):

> Unfortunately Mailgun has disabled the domain due to rate limits. All we can
> do is wait […] I think it's just the HN effect that got it to send too many
> messages at once.

------
Animats
That's a cute idea. But I wonder if the system is mis-matching messages and
replies.[1] How did a spam for fake Ray-Ban sunglasses turn into someone
wanting app development?

[1]
[https://spa.mnesty.com/conversations/cturvzsr/](https://spa.mnesty.com/conversations/cturvzsr/)

~~~
StavrosK
I was curious about that too and checked, but couldn't find anything. It goes
by the X-Reply-To (IIRC) header and they matched.

------
shurcooL
From glancing over some conversations, it looks like the bot is mostly talking
to other bots.

That said, I think it’s nice to be able to reflect the same attack vector upon
the attackers to make the attack less efficient and hopefully less attractive.

~~~
mjs
Many of the replies seem like they involved at least some human effort,
although it would be nice to be sure--I wonder if there's some way to
introduce some spammer-appropriate text captcha into the exchanges?

------
systematical
Tried forwarding three emails, got this:

Message not delivered There was a problem delivering your message to
sp@mnesty.com. See the technical details below, or try resending in a few
minutes.

The response was: 554 Recipients' domain disabled

------
phantom_oracle
As someone else mentioned here, the only risk is that spammers will blacklist
mnesty.com .

There should be some type of domain rotation (or you can test spoofing, just
to see if spammers use the same anti-spoof software everyone else does), just
like how spammers do so.

As an aside, kudos for using gitlab instead of github.

~~~
jdietrich
If and when that happens, someone can pick up a suite of cheap domain names.
Thanks to the proliferation of generic TLDs, you can register a domain for
less than a dollar per year through a legitimate registrar.

------
breakingcups
I once made something very similar, back then it was called an autobaiter by
the scambaiting community. It would actually figure out what kind of scam the
spammer was pulling and adjust its script in kind to pretend to play along
with the scammer's script.

I should dig that up again.

~~~
StavrosK
Spamnesty also has multiple scripts and you select the kind of spam to reply
to. There's an MR open for doing this automatically, but it's pretty big and
I've put off reviewing it for way too long.

------
ChuckMcM
So it would be hilarious if you connected the spam asking for manuscripts[1]
to the fake manuscript generating code [2]. We would end up with bot published
journals.

[1]
[https://spa.mnesty.com/conversations/cjubnfdx/](https://spa.mnesty.com/conversations/cjubnfdx/)

[2]
[https://pdos.csail.mit.edu/archive/scigen/](https://pdos.csail.mit.edu/archive/scigen/)

~~~
StavrosK
Oh God, I have to do this now.

------
thescribe
I have been using this site for about a month on every piece of spam that
tells me to write back. But, I have not gotten any responses. How are they
even making money if they don't respond to clearly interested potential
customers?

~~~
laurent123456
This website has been around for a while (it's the seventh time it's posted
here) so it's possible spammers have blacklisted the domain by now.

~~~
StavrosK
Oh wow, seventh? I think it's the second time I see it. Didn't I only build it
a few months ago?

EDIT: Oh huh, it's been more than a year:
[https://www.stavros.io/posts/spamnesty-waste-spammers-time/](https://www.stavros.io/posts/spamnesty-waste-spammers-time/)
How time flies.

------
nicksergeant
Hmm. Tried it and the email bounced back with:

“554 Recipients' domain disabled”

~~~
StavrosK
Unfortunately, Mailgun is throttling the domain due to large rates of mail.
All we can do is wait the ban out, I'm afraid.

~~~
wyclif
Looks like you need a new domain provider; this is a show stopper.

~~~
StavrosK
I would agree, but I make liberal use of the free limits so I can't complain
much. I don't really want to spend too much money running Spamnesty.

~~~
srett
Are you able to easily detect whether your account is currently blocked and
add some warning to the front page? Would make it easier than just spamming
sp@mnesty.com until the mails don't bounce anymore...

~~~
StavrosK
I don't think Mailgun expose that in any API, I'm afraid. Good idea, though,
I'll see if there's something available.

------
maxyme
I love the use of the subdomain and email sp@mnesty.com to hide the name from
spammers. But won't human spammers eventually figure out what mnesty.com is
and stop responding?

~~~
StavrosK
Sure, but the goal is to waste their time a bit, you can't fool them forever
anyway.

~~~
kevin_nisbet
True, but also being a bit more random where it's not trivial to filter the
bot on the spammers side would make it just a little bit harder to ignore.

~~~
StavrosK
That's true. Unfortunately, it's not trivial to add more domains, as you'd
need to own them all (to add DNS records for sending and receiving). I wanted
to accept donations at some point, in the form of pointed DNS records, but
realized that I couldn't do that without owning the domain, as if the domain
lapsed or was transferred, Spamnesty wouldn't know and it would keep sending
email from that domain, to no avail.

~~~
kevin_nisbet
Out of curiosity, have you ever tried to track any stats about how often it
reaches a spammer, whether it's interacting with the same spammer multiple
times, etc?

While I think the donating of DNS records is an interesting idea, I personally
wouldn't want to risk giving permission to an outside party for the domains I
use, and I don't think it would be worthwhile to try and correctly maintain a
domain just as a donation.

~~~
StavrosK
I don't have any stats, no. I assume most spammers are using random domains,
so they wouldn't be very accurate anyway.

------
peterburkimsher
I look forward to sending many emails your way!

Spam is a daily problem for me. I can't use auto-filters, because I live in
Taiwan and most emails written in Chinese are flagged as spam. That includes
important messages from my bank, colleagues, and landlord. Eventually I gave
up using auto-filters, and I now manually delete ~50 spam every day.

Being able to do something useful with that will make my spam-sorting a little
less mind-numbing.

~~~
05
Have you considered registering your own domain and giving out personalized
emails to everyone? E.g. from_blahbank@mydomain.tld? That way, you could
rotate most often leaked prefixes regularly without disturbing other
recipients.

~~~
peterburkimsher
I use Mailnull extensively, but I still get a lot of spam directly to my Gmail
address that I've had since 2005.

------
scottmac13
This is the email version of when Telemarketers call me and ask to "speak with
someone in the house between the ages for x-y" to which I say, "sure just a
sec", then put the phone down on the desk and walk away.

~~~
nsb1
At this point, I've basically stopped answering my cell if I don't recognize
the number. If it's important, they'll leave me a voicemail (it never is.).

One other thing I did was port my landline over to callcentric.com, where
for $3.50/month or so, I can 'firewall' all calls coming to that number,
making it safe to give out to anyone. Their call treatments allow me to, by
specific number or patterns (800*), drop, send to voicemail, play the "number
disconnected" tone, forward, etc. It's great - no more calls I don't want.

~~~
nvr219
I use google voice call announce for anyone not in my contact list

~~~
r00fus
Is that a GV setting? Is it available on iOS?

~~~
nvr219
Yes absolutely. I use the iOS app but I configured the whole thing on my
laptop using the website.

switch to "legacy google voice" and then go to settings:
[https://i.imgur.com/wbaV75e.png](https://i.imgur.com/wbaV75e.png)

------
a12jun
I saw www.rescam.org on here a while ago, definitely worth a visit!

~~~
jeron
The first thing I thought of was rescam, not sure how this project differs
from rescam

------
mvindahl
Gamifying this kind of thing would be intriguing. I'm imagining some server
that would work like spamnesty, i.e. you could easily let it handle your spam.
But I'm also imagining the possibility of registering as a bot creator and
plugging in your own algorithms. API-wise it would be super simple, much like
creating a chatbot for Slack, but the logic could be as advanced as one would
like. The server would then score the algorithms on established metrics such
as "average number of responses" or what one might dream up. There would be
leaderboards and stuff.

It would all work nicely until the spammers start creating their own bots to
keep our bots busy. Bots would keep inane conversations going forever.

Then, I presume, Skynet.

~~~
dickbasedregex
Cory Doctorow's story about spam bots being one of the last things alive:
[https://craphound.com/overclocked/Cory_Doctorow_-_Overclocke...](https://craphound.com/overclocked/Cory_Doctorow_-_Overclocked_-_When_Sysadmins_Ruled_the_Earth.html)

------
sorokod
Forwarding from gmail to sp@mnesty.com results in

    554 Recipients' domain disabled

------
jg12345
<sp@mnesty.com>: host mxb.mailgun.org[54.210.206.63] said: 554 Recipients'
domain disabled (in reply to end of DATA command)

------
evo_9
What we really need is something like this for the phone scammers,
particularly the "IRS" scam I've been getting regular calls from most of this
year.

~~~
haldora
Someone made a call bot called "Lenny" to fool telemarketers, which uses
recorded messages. They put up their call logs on YouTube:

[https://www.youtube.com/playlist?list=PLduL71_GKzHHk4hLga0nO...](https://www.youtube.com/playlist?list=PLduL71_GKzHHk4hLga0nOGWrXlhl-i_3g)

~~~
kebman
Hahaha, that was hilarious! I wish there was a bit of voice recognition too,
because then this bot would be unbeatable! There should also be a few more
variations, but then it seems more than enough to get the seller/scammer
engaged for quite some time.

------
lamby
Hm, I'm getting:

<sp@mnesty.com>: host mxb.mailgun.org[54.186.217.87] said: 554 Recipients'
domain disabled (in reply to end of DATA command)

------
nkkollaw
This is great, but I feel like it's wrong that regular people think they have
to step in to fight spam.

After all, these messages benefit actual companies. I receive many spam
messages from American companies that are legit. Why can't governments do more
to fight spam? It's illegal after all (at least in Italy and I'd guess
Europe), so how come companies get away with it?

~~~
pishpash
The companies aren't in the jurisdiction of those laws. Now if you held the
ISPs responsible, you'd see some action.

~~~
maksimum
I'd rather have ISPs act as utilities rather than safe-guards of the content
they transmit...

------
StreamingMeeMee
I guess they were a bit too successful - I'm getting "554 Recipients' domain
disabled" when forwarding msgs to them.

------
b0rsuk
Honestly, why don't we get insider / whistleblower posts here on HN? I
understand spamming is quite vilified among most techies, but _someone_ is
doing the spamming. Is it because the bulk of spamming is done using very
unsophisticated ways? We get anonymous posts on pretty much all other topics.

------
alpb
It looks like in many cases [1] it's confusing the threads? Subjects and
discussions start changing after a few messages in many threads I looked at.

[1]
[https://spa.mnesty.com/conversations/vkeezpyz/](https://spa.mnesty.com/conversations/vkeezpyz/)

~~~
brightsize
I see this all the time and have assumed it's related to difficulties
correlating outbound messages (to the spammer) with responses. Also within a
message thread the service sometimes fails to respond to the most recent email
from a spammer. An example thread showing both issues:
[https://spa.mnesty.com/conversations/caabzkyg/](https://spa.mnesty.com/conversations/caabzkyg/)

~~~
StavrosK
The failure to respond is because I set a limit, it stops after a few tens of
messages to avoid endless loops with bots. The other messages are because it
gets put into a list and just gets spammed, as far as I can tell.
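
Added example (not from the thread and not Spamnesty's own code): one way to combine the bounce keyword check suggested earlier in the thread with the reply cap described just above, using Python's standard `email` package. The keyword list, the `MAX_REPLIES` value, the function names and the sample messages are assumptions constructed for illustration.

```python
import email

# Assumed values: the thread gives neither the real keywords nor the real cap.
BOUNCE_KEYWORDS = ("undeliverable", "delivery status notification",
                   "mail delivery failed", "returned mail", "failure notice")
BOUNCE_SENDERS = ("mailer-daemon", "postmaster")
MAX_REPLIES = 30  # stands in for "a few tens of messages"


def classify(raw: bytes) -> str:
    """Return 'bounce', 'auto' or 'human' for one inbound message."""
    msg = email.message_from_bytes(raw)
    # Structural signal: RFC 3464 delivery reports are multipart/report
    # and carry a message/delivery-status part.
    if msg.get_content_type() == "multipart/report" or any(
            p.get_content_type() == "message/delivery-status" for p in msg.walk()):
        return "bounce"
    # Envelope signal: null return path or a daemon sender address.
    if (msg.get("Return-Path") or "").strip() == "<>":
        return "bounce"
    sender = (msg.get("From") or "").lower()
    if any(s in sender for s in BOUNCE_SENDERS):
        return "bounce"
    # Keyword fallback for bounces that are plain text with no DSN structure.
    subject = (msg.get("Subject") or "").lower()
    if any(k in subject for k in BOUNCE_KEYWORDS):
        return "bounce"
    # RFC 3834: anything other than "no" marks an automatic responder.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    precedence = (msg.get("Precedence") or "").strip().lower()
    if auto != "no" or precedence in ("bulk", "junk", "auto_reply"):
        return "auto"
    return "human"


def should_reply(raw: bytes, replies_sent: int) -> bool:
    """Reply only to apparent humans, and only below the per-thread cap."""
    return classify(raw) == "human" and replies_sent < MAX_REPLIES


# Constructed sample messages (example.* domains, not real traffic).
DSN = (b"From: Mail Delivery Subsystem <daemon@example.org>\r\n"
       b"Subject: Problem with your message\r\n"
       b"Content-Type: multipart/report; report-type=delivery-status;"
       b" boundary=\"b1\"\r\n\r\n"
       b"--b1\r\nContent-Type: text/plain\r\n\r\n"
       b"554 Recipients' domain disabled\r\n"
       b"--b1\r\nContent-Type: message/delivery-status\r\n\r\n"
       b"Reporting-MTA: dns; example.org\r\n\r\n"
       b"Final-Recipient: rfc822; user@example.com\r\n"
       b"Action: failed\r\nStatus: 5.0.0\r\n"
       b"--b1--\r\n")
KEYWORD_ONLY = (b"From: Support <support@example.net>\r\n"
                b"Subject: Undeliverable: Re: your offer\r\n\r\n"
                b"The mailbox is full.\r\n")
VACATION = (b"From: Sales <sales@example.net>\r\n"
            b"Subject: Out of office\r\n"
            b"Auto-Submitted: auto-replied\r\n\r\nBack on Monday.\r\n")
HUMAN = (b"From: Sales <sales@example.net>\r\n"
         b"Subject: Re: your offer\r\n\r\nWhich package do you want?\r\n")

if __name__ == "__main__":
    for name, raw in [("dsn", DSN), ("keyword", KEYWORD_ONLY),
                      ("vacation", VACATION), ("human", HUMAN)]:
        print(name, classify(raw), should_reply(raw, replies_sent=3))
```

Header and structure checks run before the keyword match because subject keywords alone misfire on ordinary replies that quote a bounce.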

------
nikodunk
Just read through this one
[https://spa.mnesty.com/conversations/ecfrqrps/](https://spa.mnesty.com/conversations/ecfrqrps/)
– and was laughing stitches. Great job!

~~~
StavrosK
Oh wow, it really gave them the runaround there. I love the link to the
forever-loading page, I forgot I had added that.

------
defanor
> Spamnesty is a way to waste spammers' time. If you get a spam email, simply
> forward it to [email protected]

Maybe it would be more appropriate to show email there, since it's intended
for spammers as well.

------
newscracker
I tried this when it was new, and saw two issues with it. Firstly, it uses
western names as the responder, which may not be the best case everywhere —
ideally the person submitting the email should be able to specify a name to
use. Secondly, the mnesty name and Mnesty LLC wouldn't seem believable to many
(human) spammers either, depending on the region. I didn't get responses for
many emails I submitted — my guess is that the spammers thought it's a waste
of time (which is also good, but not frustrating them enough).

------
JetSpiegel
This is one of the best:
[https://spa.mnesty.com/conversations/mbvnmrbc/](https://spa.mnesty.com/conversations/mbvnmrbc/)

------
scoot
Ha, my comment from earlier today [1] reposted as a top of front page post.

It's like when you say something funny in a group setting which only one
person hears, and instead of asking you to repeat it for everyone, they repeat
it loudly themselves like it was their joke! :)

Edit: Heaven forbid that you should point out that HN is sometimes just like
Reddit! Downvote away, I have no interest in MIPs†.

[1]
[https://news.ycombinator.com/item?id=16035487](https://news.ycombinator.com/item?id=16035487)

†Meaningless Internet Points

------
kl94
I have the feeling that all of this is going to finish bot against bot.

------
pwaai
Had a good chuckle reading through the chat logs, but it would be interesting
to see the results using NLP to formulate new nonsense questions aimed at the
spammer.

The spammer side seems to also employ some level of bot automation, and it's
like two bots going at each other with the occasional broken English comment
showing confusion and frustration....this is truly golden.

~~~
StavrosK
MRs appreciated, but please make them in multiple short, self-contained pieces

------
StreamingMeeMee
I guess they were a bit overwhelmed - I'm getting "554 Recipients' domain
disabled" when forwarding to them.

------
Xeoncross
Reading some of these emails it's apparent it's not a person responding. This
is simply two bots emailing each other.

[https://spa.mnesty.com/conversations/aatajahd/](https://spa.mnesty.com/conversations/aatajahd/)

Looks like for some spammers, the game is already up.

------
matteocontrini
This reminds me of rescam.org

------
juanmirocks
This could easily be one of the “smallest” things to have the greatest impact.
Looking forward to reading statistics on how much this software takes in % of
total spam time and saved money.

------
chrisabrams
I read some of the conversations on the site; it’s quite interesting that the
boys managed to have the same conversation over and over almost in the exact
order.

------
gthinkin
This is really cool. I tried building a similar project last year using an
LSTM, but never ended up deploying it.

I wonder what James Veitch would have to say.

------
a12jun
Let's just hope the scammers don't start using AI/NLP to generate the emails
they send to us....

------
zackify
Add support for SMS and it’ll be perfect.

~~~
brightsize
What sort of support?

~~~
zackify
I get text messages from scammers

------
sparaker
With all the emails ending with "CEO, MNesty, LLC" I doubt you'll be able to
fool anyone

------
deviationblue
Interesting, but is there something for spam callers? It's not enough to block
them or report them.

~~~
snowpanda
I'd pay some serious money for this. In case someone's looking for an idea.

~~~
throwaway2048
[https://www.reddit.com/r/itslenny/](https://www.reddit.com/r/itslenny/)

------
yuanotes
Hahaha. The funniest conversations I’ve read this year!!! Poor spammers. LOL

------
luord
This is the best thing I've seen in a while.

That they host the code in gitlab is a nice touch.

------
UltraFlynn
Email isn't free. It seems like it is but actually it takes significant
resources to process all the spam. Using a bot to create more traffic is
pointless and wasteful.

Yours sincerely, A guy who runs the mail transfer agents for an email security
provider and has to deal with this every day.

~~~
JumpCrisscross
Cool. Stop the spam and I’ll quit spamming you back.

~~~
UltraFlynn
We do. That's exactly what we do. But honestly the volume of spam is massive
already.

------
ris
I note the fake replies are quite limited & repetitive. It would be
_extremely_ interesting to see if deep Q learning could be used to develop
more realistic replies. "rewards" would simply be getting more (and faster)
responses.

------
mrandish
This is the greatest thing!

Thanks to the author(s) for doing it.

------
leeoniya
oldie but goodie:
[https://m.youtube.com/watch?v=cIVfrBFc5og](https://m.youtube.com/watch?v=cIVfrBFc5og)

------
toufique
LOL! Best use of chatbots yet!

------
nhooyr
I love it.

------
useranme
I liked the idea of increasing the amount of time a spammer expends over their
email.

I didn't like the idea of having to manually forward the email, manually
remove personal information from the body of the email, and sucking the
recipient into watching the conversation unfold live. Because it increases the
amount of time a recipient expends over a spam email.

