Show HN: Spamnesty: Waste spammers' time (stavros.io)
405 points by StavrosK on Nov 22, 2016 | 183 comments

I'm just waiting for someone to hook this sort of stuff to some kind of machine learning system, to learn and adapt and come up with new replies. And some 100 years hence we'll be explaining to kids that the singularity arose out of people's annoyance with spammers ;)

That, or the machines will just develop a new language that makes no sense to us and doesn't have a clear meaning.

"Vi4Gra PIllz for cheap caNAda Donald Trump's secret affair."

"Bank statement credit check cashed QUICK FREE!!!"

"You may hav virus. i help fix click here"

"running pharmasy slow now shipping Mexico"

A friend of mine is actually running clustering right now, we want to try and classify the emails into categories automatically when a new one gets forwarded (so we can pick appropriate responses).

I think that this or something very similar was a plot point in Neal Stephenson's Anathem. Cannot find a good reference, but it was pretty entertaining.

The Artificial Inanity and bogons, yes.

Not repeating the same messages too much would be a good first start.

See also, The AI that wastes telemarketers time https://news.ycombinator.com/item?id=13013327

And this script that plays what sounds like an old man losing his memory: https://www.reddit.com/r/itslenny/

The first link leads to this page, perhaps you meant that one – https://news.ycombinator.com/item?id=11043960

How can I get Lenny? :) That is awesome.

This is how to use it: Transfer, conference, or forward your telemarketing calls to 1-347-514-7296

Can't wait to try this out.

Doesn't work on cell phones.

I've always wondered why smartphone apps don't have better access to the telephone portion of the device. Why is it so difficult to do something as simple as recording calls? It would be neat if I could get apps to change my voice or encrypt the audio.

I don't know if this is why, but there are a bunch of laws and stuff about what you can and can't do on a telephone. For example, many states have limitations on who can legally record a phone conversation, with or without various forms of consent. Maybe phone manufacturers don't want to facilitate easily breaking those confusing laws.

They don't seem to mind people using the phone when they drive and that's also illegal in many jurisdictions.

They do mind, there just isn't a clear-cut solution they can force someone to put into code. You can't reliably detect if the phone is being used by the driver or by a passenger.

Without being able to make that distinction, it's nearly impossible to force phone software makers to write rules preventing "illegal" phone use in situations where it is illegal.

Instead, they punish using verifiable methods such as direct observation (cop sees you doing it).

The situation may be similar for recording calls (I'm not familiar with exact laws in this area), but I'm assuming there are also privacy restrictions in calling which lead to the software restrictions.

http://www.ipadio.com/ lets you record and share your calls with others. It works okay. You basically conference call with a recording phone number.

I remember once using something called HearSayApp, but it disappeared off the face of the internet without a trace. It used HTML5 to place a call, somehow. And the audio was crystal clear.

It's probably got something to do with some kind of regulations. Voice changers are fun, but not when calling 911, for example. Maybe it's a requirement that the sound goes directly to the baseband or something?

It's a big liability because call recording is illegal in many circumstances.

I don't buy that argument. What liability would they have when I choose to do something?

They could get around it the same way Toyota limits their liability from me using the touch screen while I drive - pop up a message saying when and how the feature should be used.

The difference is that fiddling with a screen is a traffic ticket and potential accident where you are at fault for being inattentive.

For call recording, the phone maker is potentially facilitating a felony. It's really complex. Does the phone stop recording when you cross state lines? Does it allow covert recording?

If I'm from California recording a call in DC on vacation and accidentally enter Maryland and get arrested, I'm suing the company.

The phone thing is complex too. Where I live (suburb of Austin), it's legal to use your phone but about five miles down the road it's illegal.

Likewise, if you are in California, you can't send a text while driving, but you can enter an address into the GPS app (probably).

All Apple and Google would have to do is warn you that recording calls may be illegal.

Radio Shack sold phone recorders in every state and AFAIK, nobody ever sued them.

I have Google Voice and Google lets me record calls on that. I'm not sure what the big difference is for when the call is over Android.

Edit: There have been cell phones that had call recorders built in, just none that run Android or iOS (AFAIK). I know a lot of Motorola phones included the functionality.

Well I thought that too, and just googled it and you know what, without actually trying it first, here is the link and it seems very simple.


I've successfully added Lenny to spam calls on my iPhone.

This is great and seems to work, check out this thread:


I can't believe I just wasted time reading voluntarily through a thread of spam mails

You have been foiled by my evil plan, my goal was to sell you penis enlargement pills all along.

That was hilarious!

It even managed to get a discount!

Would be awesome if it prompted them for some proof of work like a sample of what X would look like on my website :)

Good idea, let me add a response like that!

EDIT: Added.

nice, I'll keep an eye out for some results :)

That is starting to sound like 419eater.

Can I have this bot negotiate everything for me?

If it is a single-issue negotiation (i.e. know your own bottom line and there is no BATNA https://en.wikipedia.org/wiki/Best_alternative_to_a_negotiat... other than this one choice), therefore you're not afraid to lose (i.e. there are lots of potential suitors), then bargain like a maniac. The only thing they have to hold you by is a time-limited offer, but by doing this they've revealed part of their own non-bottom line (i.e. fear of losing is part of their BATNA), so explore this.

Have recommended before and recommend again the book 'Getting to Yes', and Harvard's very open research and sharing in this area: http://www.pon.harvard.edu/

Getting too serious? Not at all. Harvard's role-plays that can be purchased very cheaply ($1-3 per copy) are great teamwork activities.

They tend to focus on numerical amounts denominated in dollars, but these financial numbers can be easily substituted for time, number of people, anything that's a number. Practicing new concepts with things you're immediately familiar with tends to lead to remembered solutions. Instead save the comparison and application to the postmortem.

I don't see why not!

The problem with Spam has always been the minuscule cost of doing it. If the cost can rise above the profit, spam could become unattractive. Imagine if spam attracted a sudden swarm of bots, just as a new email addy attracts spammers now.

And bots could do pretty well there. I recently read an article (cannot find it; but it may have been even linked from here) which explained the benefit of poor grammar in the spam (i.e., they want to put off more knowledgeable users as the cost of the follow on emails is significantly higher).

El cheapo bots have pretty basic English skills which can help them fit naturally into the spam target patterns.

The paper you're referring to is probably this one: https://www.microsoft.com/en-us/research/publication/why-do-...

The same logic that favours using an opening gambit that scares off all but the most unworldly of people works against using bots for the followup conversation. You don't want to finally find someone that genuinely believes that a random central African stranger might want to split $138,400,000 with them and has funds ready to send only for your bot to fail the Turing test by misunderstanding their question about how to pay the deposit.

Also, anyone smart and knowledgeable enough to be able to write bots capable of persuading exceptionally gullible people to part with their money is probably capable of moving to the next level and going after the slightly-less gullible, who are more numerous and richer.

It's also probably a bit flattering to the average scammer to assume the flaws in their patter are a deliberate filter pattern though. They're just as likely to open with a highly plausible (probably copied) offer of high value second hand goods on a listings website that probably attracts dozens of replies and then respond to each of those genuine expressions of interest from people willing and able to pay with badly-written response(s) that conflict with the detail of the original ad, not to mention totally forgetting that little old Scottish ladies don't have email addresses registered in the name of Nigerian men.

"It's also probably a bit flattering to the average scammer to assume the flaws in their patter are a deliberate filter pattern though."

It doesn't have to be deliberate. It probably evolved. If worse spelling and grammar work better than correct spelling and grammar, then even if no spammer ever consciously says "Ah, I need to make this crappier", the spams will evolve to be crappy.

Moreover, while our brains in this discussion are taking cognitive shortcuts and putting spams on a "correct <-> crappy" single dimensional continuum, the reality is probably even more complicated, and it's actually specific crappiness that works better than others. For instance, I could hypothesize that it's not just typos, but typos that the recipient plausibly believe are the result of a non-native speaker from the relevant country. (I say "plausibly believe" rather than whether the non-native English is truly representative of the relevant country, because that's what matters.) That's an obvious possibility; more subtle things are possible and probably even likely. And again, the spams will evolve into those more subtle possibilities and exploit them even if no individual participant is sitting there and trying to deliberately figure out the best spams to send... which is, obviously, almost certainly untrue as well. And whoever is sitting down to write The Perfect Spam is probably doing so with a lot more data and a lot less scruples than you or I would apply to the problem.

I've often thought one of our best anti-spam defenses is the sheer mailbox stuffing quantity of them. Even the best crafted spam about how I won the lottery I never entered looks a lot less plausible the thousandth time I receive it.

Occam's razor implies that if the people originating the scams mostly are based in central Africa (true) and display the specific crappy spelling patterns and linguistic quirks of many other moderately-educated central Africans using the internet for non-nefarious purposes (also true) one needn't assume that there's any particular process that leads people to write like their compatriots. Especially not when similar imperfections betray their attempts to masquerade as a Scottish widow selling their husband's canal boat or Australian trader that wants to buy your product if you'll send him the import tax.

I'm also a little inclined towards scepticism that there's much evolutionary optimization going on when the standard email scam format hasn't even adapted to get around now ubiquitous standard webmail spam filters, which are essentially orthogonal to the gullibility of the account owner.

Besides, wouldn't an evolutionary process that wasn't a conscious attempt to avoid generating false positives (or slavish copying by people that don't really analyse in much depth) tend to optimise for reusing the emails that generated more responses rather than less?

I think the proposal is for bots to be on the other side of the equation - not the spammers, but rather a honeypot to waste the spammers' time.

The big money in spam is not in selling Viagra, it's in selling spamming.

I'm acquainted with someone who does spamming for a living, mostly in the online casino segment. He does very well, and surprisingly polite company cares more about the money he has than the way he makes it.

Replace "spamming" with "marketing" and that makes less sense. "The big money in marketing is not in selling Viagra, it's in selling marketing". Spamming is a form of marketing/sales, and Viagra is one of the products being sold.

That is reasonable, but do you think you can go into more detail about your main product? What is it about, exactly?

Hello my beloved friend,

I hope you and your family are healthy and happy. As I have detailed in my previous correspondence, my offering to you is a way to waste spammers' time by making them reply to emails. I am sure your esteemed self would have great use for such a service. Please wire $1500 to my account for attorney's fees.

Thank you and God Bless,


Hello Stavros, I'm not sure I understand. Could you go into more detail?

*In all seriousness though (lol): You could have different types of personalities, depending on the email address of the person who doesn't want the spam. Like someone pretending mnesty.com is their work address but is still treating it like a personal message. That way the spammer will disregard the fact that the reply email isn't the same as the original. EDIT: Nevermind, I see you said you did that already... I think. ... Help?

It's too hard to write generalities, I'm afraid. You can only write about 10 different sentences before you start to repeat yourself (or at least I can't do it). Feel free to send me sentences for me to add!

This is amazing. Looping in my supervisor. [add a second email agent to thread. The two email agents will fork the email chain for the spammer and ask similar questions, hopefully wasting more of their time.]

I'm so sorry, but I think I lost my whole inbox. Could you please send me a recap of our whole conversation? [sent with the original seed email as body]

True, it is tricky. But it'd be a fun exercise. I suppose it's an exercise in dark humor... hm...

"Hey, I'm switching to my work email. Refresh me on the details again." "I'll have to get back with you. Can you repost a summary?" "I'm sorry, but your emails are hard to read. Could you format them a little nicer. Thanks!" "Gee, I'd love to help. It's hard to think of how, though."

What you really need to take this to the next level is to be able to crowd source some content. Maybe check if you have a response that you think will work and that you haven't used yet and if not ask a pool of users for suggestions. You could use the fork suggestion above to do some testing among the proposed responses.

Have you considered word replacement lists? Like for "This looks really cool", "This looks really[cool, great, awesome, other synonym]". Might string people along longer.

Someone posted about Lenny [1] the other day. I've had fun listening to him on youtube waste telemarketers' time.

[1] https://www.youtube.com/playlist?list=PLduL71_GKzHHk4hLga0nO...

Lenny is great. My 11-year-old and I play the Lenny game sometimes -- one of us is telemarketer, the other plays Lenny. Lenny is a brilliant piece of software. I just worry that eventually most call centers will be onto Lenny. Already some telemarketers recognize him. Luckily, as AI and voice recognition improve, more such systems will come online for the amusement of youtube audiences and to thwart telemarketers and scammers.

I'm guessing the emails this generates will become flagged as spam themselves. Do spammers use spam filters too or would that prevent them from getting replies?

I wonder if one could circumvent this by making their initial response appear to come from another spammer to get 2 spammers talking to each other.

It would also avoid problems with canned responses failing the Turing test.

Spam filters could do very little, because it's almost impossible to tell whether a conversation was run by a bot - and it's outright impossible to do so for a single response.

However, you raise an interesting point: blacklists could reasonably be put into place. I'll make a merge request to use Spintax.

If you do, I would definitely be interested in that, Spintax seems like a very easy way to add some variation.

Very nice, and a great test bed for AI code. Lots of low hanging fruit, like follow-ups to specific branches of conversation, extracting certain information from the spammers replies to make the answers look more real, etc.

Someone should organize a competition to see who can create the longest running conversation (or the funniest one).

> Very nice, and a great test bed for AI code.

Yeah, that's an interesting aspect of it for me. I'll have to clean up the code a bit, because it's very "weekend project" quality, but it's an interesting way forward.

I had a friend who tried messing with spammers and then was hit with a massive DDOS.

Was your friend working for Blue Frog [1]?

I always thought it interesting that no one seriously tried to replicate a tool so good at its job that spammers were actually scared.

[1] https://en.m.wikipedia.org/wiki/Blue_Frog

No. He set up some one-off script to annoy people who spammed him. One of the spammers didn't take to it.

That's exactly my question too. Blue Frog was so successful it was shut down.

Brb cloudflare.

EDIT: Cloudflare has been enabled!

The free plan or a paid plan?

If you are using the free plan, note that you aren't really getting DDoS protection. They offer "I'm under attack" mode, which can be bypassed easily, and it does not protect against L3 and L4 attacks.

Oh :( I'm on the free plan.

That won't work anymore when everyone does it.

This needs to send a fake name, address and bank account details when requested. That's where the threads would start to get more interesting.

Another idea is to send two spammers responses to each other.

I love this. I've actually presented on the concept before - more so about ensuring that people targeting your user base have to waste a lot of time without realizing it by doing things like shadow bans weeks before actually "detecting and cancelling their account" but this is a perfect example of the concept.

Everything, even spam, is based on ROI.

Have you thought of adding in a check in if they haven't responded after a week?

Perhaps, "Hi there, I thought we were really making progress, but I haven't heard from you for a week. Is there still a chance I could get in on this great opportunity?"

Yes, but right now it's very event-driven (each email triggers a new one), so it would be more complicated for little benefit (given that spammers wouldn't reply anyway, they only stop replying when they think you're wasting their time, and that wouldn't change with an additional email).

and that's how we become spammers.

Really cool. Two remarks:

1) If lots of people start using this, spammers might learn to avoid wasting time with Mnesty's CEO. Having a few more fake companies would help.

2) The bot could probably be made a lot smarter with some natural language processing. But it seems to fill its purpose pretty well already. I think this just shows how desperate for leads spammers are.

I would also suggest giving the spammers more intense work to do. Like a pdf form for new suppliers that they have to download, fill out, sign, scan back in, and return. Or maybe submit to a form page with a horribly difficult captcha.

IFL this. Someone please make this happen.

'[country] rules mean we need you fill out the attached pdf. Please complete and upload to [... IP logging website]'

If you want to provide the PDF on some server, I can add a link to it in one of the responses.

EDIT: Or even just the PDF, really, I can host it on the server.

Submit a form page with an impossible captcha.

Ouch. That's evil.

Make it count how many times they've attempted. Every time, clear random fields and randomise fields to make auto-filling nigh-on impossible.

Not just clear the fields but change the field names using server side scripting to keep track of the changes that way auto-fillers such as RoboForm can't be used.

Edit: Also re-order the form locations and placeholders so it's nearly impossible to script automation for the page!

But make the impossible captcha appear after they've filled in the whole form.

This kept me amused for several minutes: https://www.google.com/search?q=impossible+captcha&tbm=isch

I love the randomness :) Just followed this one : https://spa.mnesty.com/conversations/rqtunkps/

> - we want to give you $10,500,000.00 !!!

> - thanks, but it's out of our budget. Can you make an effort?

I can only imagine the spammer reaction :D "Wait... wat?"

Wait, how did you follow that one? Isn't it unlisted?

What do you mean by unlisted? I forwarded it, then received a mail from Spamnesty containing a direct link to the thread.

EDIT : oh, I also removed the private key from url param before posting it here.

EDIT 2 : typo in my initial message: by "followed", I meant "forwarded" (in french, we say "faire suivre", which translates word by word to "make follow")

Oh, okay, I thought you saw it on the front page, but the latter only shows conversations with more than two emails.

1) Yeah, there's support for multiple domains, but I have no domains right now :) If anyone wants to donate one, please open an issue!

2) Exactly, they're so desperate for leads that they will spend lots of time chasing someone who doesn't appear to make lots of sense.

Another important one: I just had to delete a conversation because my email was still in there. You should probably make the email stripping more aggressive, and make it look throughout the whole email.

Edit: just noticed I get a chance to edit the conversation. That's pretty cool, although of course it would be even better if I didn't have to :-D
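The leak described above (the forwarder's own address surviving into a public conversation page) comes from only scrubbing the obvious header and not the quoted headers and signature inside the body. The following is an added example, not Spamnesty's code, showing the more aggressive approach the comment asks for: take the forwarder's address from the outer `From:` header and redact it everywhere in the body, with an optional mode that redacts every address. The raw message, the service address `sp@mnesty.com` and the helper names are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a spam message forwarded by a user. The forwarder's
# address appears in the outer header, in the quoted "To:" line, and in
# the signature, so a header-only scrub would leak it twice.
RAW = """From: alice@example.org
To: sp@mnesty.com
Subject: Fwd: Business proposal
Content-Type: text/plain; charset="utf-8"

---------- Forwarded message ----------
From: Mr Prince <prince@scam.example>
To: alice@example.org

Dear friend, I have $10,500,000.00 to share with you.
Reply to me directly at prince.backup@scam.example.

--
Alice <alice@example.org>
"""

# Deliberately simple address pattern; good enough for redaction, where a
# false positive only costs a harmless "[redacted]".
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def forwarder_address(msg: Message) -> str:
    """The address that forwarded the message, from the outer From: header."""
    match = EMAIL_RE.search(msg.get("From", ""))
    return match.group(0) if match else ""


def forwarder_of(raw: str) -> str:
    return forwarder_address(message_from_string(raw))


def scrub_forward(raw: str, aggressive: bool = False) -> str:
    """Return the forwarded body with the forwarder's address removed from
    every position (quoted headers, signature, prose).  With aggressive=True
    every address is redacted, which is the safest default for anything that
    will be published on a conversation page."""
    msg = message_from_string(raw)
    own = forwarder_address(msg).lower()
    body = msg.get_payload()          # single-part text/plain in this example

    def repl(match: "re.Match[str]") -> str:
        addr = match.group(0)
        if aggressive or addr.lower() == own:
            return "[redacted]"
        return addr

    return EMAIL_RE.sub(repl, body)


def still_leaks(cleaned: str, address: str) -> bool:
    """Post-condition check: does the user's address survive anywhere?"""
    return address.lower() in cleaned.lower()


if __name__ == "__main__":
    print(scrub_forward(RAW))
    print("leaks:", still_leaks(scrub_forward(RAW), forwarder_of(RAW)))
```

Running the post-condition check before a conversation is published, rather than relying on the user noticing and editing the page afterwards, is the point of the comment: the scrub should be verified, not just applied.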

I have a few domains you could borrow? I can at the least offer you 5 domains for half a year, shoot me an email if you're interested.

Will do, thank you! I need to get the process ironed out with a second domain first, then I'll contact you.

I've now read so much spam, I can't help but see it everywhere! ;-)

You too can be the proud borrower of 5 domains! Just shoot me an email at cryptarch+employee-us-bigcorp-com@gmail.com.


Besides multiple domains you could also make different companies for each domain and randomize which one shows.

Yes, each domain will have a different company name. They'll all probably have maritime shipping homepages, though.

I have inputs.space expiring on Feb 17, do you want it?

I was going to say yes, but then I realized it needs a bunch of MX/etc settings on your end, so let me streamline the process a bit more (and possibly add something to the README). Thanks for the offer!

EDIT: Opened https://gitlab.com/stavros/Spamnesty/issues/7 to track this.

How is the bot tailoring the replies, for example

> Hello, I have wired the funds you asked for. Could we please proceed to the next stage? Daniel Wong CEO, MNesty, LLC

Is that a canned response? This happens later on in the thread (does it recognise that the topic of the conversation is "funds" rather than say "product")

It has various categories of replies, which right now you can specify when you forward a message (it sends you a management URL back). Later on, when I have enough data, I'll do some simple ML to have it pick a most likely category as a default.

Each category comes with its own set of responses, but you can see where the category changed because the bot will start talking about a product and then switch to talking about funds.

The code is here if you want to see:


It'd be more effective if it didn't re-use responses later in the chain (unless it'd totally run out of alternatives). Although, arguably, it's funnier when the spammers/scammers do continue to find new ways to reply to the same couple of questions.

To improve negotiations the bot should extract money amounts from the mail and start negotiating (and never stop).

Ahah, this is fun :) But please someone, let google know this exists. I just had a forward refused by gmail because "it contains viruses", and I realize I've forwarded 5 spams before that. I would not want google to think I'm "actually" sending spams :D

Google refused because the forward contained viruses? Hmm, maybe if you strip the link?

Yep. That's ok, I have forwarded plenty enough :)

What surprises me is that a mail with viruses is in my mailbox (my spambox, granted). I guess it was not known to be a virus when it was received.

You probably need to strip any attachments before forwarding.

> Spammers will usually realize they’re talking to a bot (or at least to someone who isn’t interested or not going to give them any money) after around 3-5 messages, but some have sent up to 15 messages before giving up in frustration.

So it passed the Turing test?

No, the Turing test requires that the interviewer not be trying to extract money from the interviewees :P

Finally an actually useful application for AI! No perfect result is required and this is also not something you want actual humans to do.

https://spa.mnesty.com/ = server not found.

Anyone else seeing this?

It has something to do with (the move to) Cloudflare. Refresh once or twice, it will load.


It turns out that some DNS servers cached the old nameservers and are now failing to resolve those. It's unfortunate, but all we can do is wait for the cache to expire :(

No, it looks like Namecheap stops serving the old records when you change nameservers.

It doesn't load if I use google's DNS. My ISP's DNS, which is Comcast, is ok. (I did flush my DNS cache, etc.)

No, it opens for me just fine.

In my days we called this an autobaiter :)

Nicely done. I worked a bit on the same concept, mine is not as good as yours, and it's an android app. If anybody wants to have a look, I'm really open to suggestions. https://play.google.com/store/apps/details?id=net.scampong.s...

Funny thing is that most of the people who downloaded it came from Nigeria and seemed to think that it was a tool that allowed them to scam people. It was quite funny when they put their own contributions and then one of them was talking to a real scammer trying to scam him. Had to delete the thread cause it didn't make much sense though.

I am surprised (and a little embarrassed for my race) to see so many Indian names in the About page of http://www.mlooper.com

Most appear to be "Web Developers". Ex: See this Conversation: http://www.mlooper.com/conversations/2912/

Is this common? Do a lot of you get spammed with Indian companies / individuals claiming to do web development? I have received a few, and the funny thing is, NONE of the ones I received even had a Web Site?! How does that work?!!

This could work in the short run as long as this type of service stays niche and not too popular. Spammers always, always have a creative workaround. I imagine a countermeasure from them: building a bot detector that spams back the spambot, and one hell of a continuous email loop doesn't do any good for our internet traffic.

We need a Chrome extension for this!! I would create it myself .. but there's not any public API.

What sort of API would you need? What do you want the extension to do? Just show conversations?

I've tried forwarding a spam email from Apple Mail, but I got a response that it didn't work out. This is the raw email message I sent - http://pastebin.com/qNwT04my

Thank you, it looks like your mail client adds forward headers in a way Spamnesty doesn't understand yet. I'll try to fix it soon.

EDIT: Can you add an issue to the tracker with the forward header verbatim so I don't forget?

There is one major problem: the answers are sent immediately after receiving the email.

This is obviously suspicious, considering most of the mails require at least a few minutes of reading + time to write the mail.

I guess adding a delay would improve the bot's credibility by a lot!

"I guess adding a delay would improve the bot's credibility by a lot!"

And effectiveness in stealing spammers' time. If the bot immediately auto-responds to each subsequent (presumably human-initiated at this point) email, then the spammer may more easily follow the thread.

On the other hand, if the bot waits 30-90 minutes, the spammer likely has gone on to other things. There's an additional (albeit minor) cognitive load here if they want to engage with a potential sucker.

It actually has a random delay of 1-8 hours, which shows in the timestamp. It only sends the first email right away, because it presumably took you some time to forward it to Spamnesty.

What are you using for the event management? I wonder if using celery and rabbitmq or redis as the queue would help simplify things.

With it, you just schedule asynchronous tasks in the future ... you don't have to manage the event queue.

The box these are running on is already pretty full (it's where I keep all my side-projects, and it's got around eight running on it now), so I'm trying to keep it lean. Features definitely get cut on a cost/effectiveness ratio.

Agreed, that sounds like a good idea!

I encourage you to file an issue at their source repo: https://gitlab.com/stavros/Spamnesty/issues

Using machine learning like this https://arxiv.org/pdf/1506.05869.pdf would be fun for this and avoid(?) canned responses...

I forwarded a single spam email to Spamnesty at 8:46 AM today. Since then, it has been spamming me saying it received the email...


8:46 AM - initial receipt email

8:56 AM

9:11 AM

10:11 AM

12:11 AM

The conversations linked in the subsequent receipt emails lack the spammer's email. They only contain the response from the Spamnesty bot.

Yes, this is a known issue:


Can you post the IDs of the emails you received so I can look into the issue?

OK, I replied to the issue with the links. :)

I usually just pretend that I just killed someone to get the money they asked for.

Lol. I used to bait spammers as a hobby, and after a few exchanges with one, I'd tell them how lucky I was that I had been identified as the real owner of $324 million in a lost government account. That I had to have been the luckiest person in the world, because not only that, just last week, I won the national Nigerian lottery, and the week before that, a distant great-aunt from Nigeria had named me sole heir in her will!

Haha this is what we need.

In amongst the scripts to waste their time have a few to freak them out.

This is not a bad idea. Perhaps if the major email providers had bots that did this sort of thing, spammers would be overwhelmed with responses, with the tiny proportion of real fish lost in the mix.

I've said it in the other thread where you mentioned it the other day, and I'll say it again: this is an awesome service!

And thanks so much for sharing the source on GitLab to reproduce it.

Really great work!

Thank you!

I forwarded an email and got a response, but https://spa.mnesty.com/ doesn't load for me

There appears to be some problem with DNS after I moved to Cloudflare. Keep refreshing, it will work, but sometimes people get NXDOMAIN/SERVFAIL when resolving.

I have never understood what were the goals of these messages. People saying they have a fund of millions. Is everything arranged for me to send money to them? Simple as that?

I half-fell for one of these once. I was a teaching assistant with my contact info posted on our department page, and a woman in Africa wrote seeking a tutor for her son who would allegedly be doing a summer program at my university to prepare for enrollment in the fall. It all seemed reasonable until she wanted to wire funds to my account. I told her to have her son pay me in person, and she never wrote again! This was a pretty good scam because there were no millions involved, and she'd done her research to match the pitch to the mark.

How does the scam work, if they're wiring funds to you?

In addition to the other possibilities mentioned, another common scam is to pay you too much, and ask you to send back the difference. Then the original payment gets reversed or turns out to be fraudulent, and they keep what you sent.

A lot of those "make $$$ working from home!" things are scams like this. They'll offer you, say, $1,000 for a small amount of work. On payday, they'll send you a $1,500 check, along with some excuse for why it's too high, and ask you to send them the extra $500. A couple of weeks later their check bounces, and you're screwed.

Another technique is to just ask you for help transferring money. They might send you $4,000, tell you to keep $500 to compensate for your time, and send $3,500 to their friend/partner/subsidiary outside the country. Then the $4,000 evaporates. This one is especially clever since the original scheme was probably some form of money laundering or other financial crime, so the victim will usually be reluctant to go to the authorities afterwards.

Don't know where GP is, but in the USA you can forge a check with bank and account numbers. Of course the check must still be cashed, but perhaps a string of deposits and new checks on different accounts would make this take long enough to get actual cash...

The stereotypical 419 scam, however, has some "plausible" reason why the main transfer has to wait on a smaller transfer in the other direction.

Because, in general, banks are terrible.

Wait, you want me to type in my username and password into your computer, and then you can take any amount of money from my account, and all everyone needs to do is trust each other?

I think that once they get all your bank info they will do a withdrawal from your account? That is the only thing that makes sense to me.

Usually, you have to wire the fees in advance of the 'payout'. Spend a couple thousand to receive your millions.

The same information that could be used to pay you could be used to extract money from your account, right?

Basically, the spammer is hoping to milk you for "fees" that they will say are necessary in order to free up/transfer the money that they have waiting for you.


My God. There really is nothing new under the Sun...

Were you trying to find innovation in scams? I imagine all these are at least thousands of years old :P

In other words - as a modern startup founder, one should pay particular attention to history books when developing their business model? ;).

Yes but don't go with the one that gets random people to drive customers around in their carriage, it'll never work.

One of the goals is to find someone who'll fall for such a scheme. If it was more plausible, they'd waste time on someone who'd end up not pulling the trigger when they realized it was too likely to be a scam.

Once spammers start using bots to carry conversation, this might change. If bots can handle part of the communication, it probably makes sense to start planning more subtle scams.

I'd assume they are already.

Wow. That makes perfect sense.

What happened to hashcash proposals to email protocols?

The problem with hashcash for email is that there's no way for the sender and receiver to negotiate the amount of work to be proved, so they must correctly guess how much to perform/require. The most sensible requirement to guess is zero, since all existing email is sent without any proof of work, and the value of interoperability is higher than blocking spam. After all, if you're willing to lose interoperability, you can block 100% of spam by just not using email at all!

Note that it may be possible to have servers negotiate an amount of work to perform, but having someone else (the server) perform the work defeats the point of the system. The client must be told to do the work, but it's a core feature of email that it's not realtime: messages can be composed offline, and queued up by servers, so by the time a "needs more work" response is received, there's no way for the server to send a message back to the client.

Could the work requirement be advertised as part of the destination's MX record or something? I know that in theory you're supposed to be able to send the message to your upstream server and let it worry about how to deliver, but in practice it seems like these days you can count on being able to look up the target's DNS info.

Another problem is finding a quantity of work which is high enough to stop spam, but low enough not to stop legitimate traffic. You want people to be able to send email from their RPiZero or original iPhone, but stop spammers who may have massive botnets, or at least decent PCs.

> Could the work requirement be advertised as part of the destination's MX record or something?

The frustrating part is that only the good guys would follow such a scheme. As long as there's a fallback available, no matter how deprecated, spammers will use it to avoid such payment schemes.

I suppose it could be used as a strong signal for spam filters, in addition to other security/authentication schemes which have been adopted.

> Another problem is finding a quantity of work which is high enough to stop spam, but low enough not to stop legitimate traffic.

Yes, this is another problem which negotiation could alleviate. These days there would also be the option of offloading the actual email sending to a service (either run on your own server, or "in the cloud"). Of course this just shifts the problem, but at least such services can provide arbitrary APIs, and hence can restrict their hashcash power to authenticated users, or require users to provide proof of work in a way which can be negotiated down, e.g. by building up a reputation over time.

Not sure how botnets can be tackled, but raising the amount of effort even a small amount would hopefully make a lot of spam-based scams unprofitable. I'm sure the problem would just shift then, e.g. to using the botnets for more DDoS attacks or other more lucrative schemes.

I can't think of a way to make this work with email, but I do think a proof of work like hashcash would be useful for Web APIs instead of using API keys:

- Give a 402 response if hashcash isn't included or isn't enough, with a link to a price URL

- GETting a price URL may return different values depending on identifying information like IP address, user agent, etc.

- Prices can be adjusted based on server load, whether we recognise this agent as malicious or benevolent, etc.

- Different types of request can have different prices, e.g. GETting a specific resource could be cheaper than searching or performing some expensive computation.

There would also need to be a mechanism to avoid replays, which would make things slightly less RESTful. I haven't thought of anything more useful here than an increasing request ID.

I've done a crappy implementation for my blog to fight spammy comments. It works OK, probably more because it's a totally custom thing that isn't worth time for spammers to fight, rather than because it's actually effective.

The way I did it is:

- When the user focuses in a comment field, the page makes a request to the server asking for initial parameters.

- The server returns the number of leading zeroes required, the number of distinct hashes it needs, and a salt to use. (This is just a constant in my code right now, but could be varied based on client specifics.)

- The page then crunches on the work as the user types their comment. The submit button is disabled until it's complete.

- The proof of work is submitted to the server along with the comment. The server then checks to see if it's good and accepts or rejects. A properly working client should never be rejected (since it fetches the required parameters in advance) so the rejection doesn't have to be too fancy.

- Replays are prevented by storing the salts in a database, and deleting them once they're used for a comment.

I changed the standard hashcash technique a bit by requiring the client to submit multiple distinct hashes. Requiring only one hash works fine, but results in a lot of variance in how long it takes to compute the proof of work. You might tune it for an average of 30 seconds, but a decent percentage of clients will get it in 1 second, or will take 60 seconds. By, for example, requiring 7 fewer leading zeroes but requiring 128 distinct hashes, you get the same average but with a lot less variance. You can also display a semi-accurate progress indicator this way. The downside, of course, is that you have to send more data and the server has to do some extra work to verify.
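To make the hashcash discussion above and this comment's multi-hash variant concrete, here is an added example in Python. It is not the commenter's hashcash.js/commentsubmit.py and not part of the Spamnesty project; the stamp layout (SHA-256 over "salt:counter"), the bit counts and the in-memory salt set standing in for the database are all assumptions. It covers the three pieces the comment describes: the client searching for `count` distinct counters at a given difficulty (count=1 is classic single-stamp hashcash), the server issuing a salt and consuming it on first valid use so a proof cannot be replayed, and a comparison showing that many cheap stamps give the same average work as one expensive stamp with far less variance.

```python
import hashlib
import os
import statistics


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the hashcash difficulty measure)."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
            continue
        n += 8 - byte.bit_length()
        break
    return n


def stamp_hash(salt: str, counter: int) -> bytes:
    # Assumed stamp layout: "<salt>:<counter>" hashed with SHA-256.
    return hashlib.sha256(f"{salt}:{counter}".encode()).digest()


def mint(salt: str, bits: int, count: int):
    """Client side: try counters 0, 1, 2, ... until `count` distinct ones each
    hash to at least `bits` leading zero bits. Returns (counters, hashes_tried)."""
    found = []
    counter = 0
    while len(found) < count:
        if leading_zero_bits(stamp_hash(salt, counter)) >= bits:
            found.append(counter)
        counter += 1
    return found, counter


class Verifier:
    """Server side: hands out a fresh salt with the parameters, checks the proof,
    and deletes the salt on success so the same proof cannot be replayed."""

    def __init__(self, bits: int, count: int):
        self.bits = bits
        self.count = count
        self.outstanding = set()  # stands in for the salt table in the database

    def issue(self) -> dict:
        salt = os.urandom(8).hex()
        self.outstanding.add(salt)
        return {"salt": salt, "bits": self.bits, "count": self.count}

    def verify(self, salt: str, counters) -> bool:
        if salt not in self.outstanding:
            return False  # never issued, or already spent (replay)
        if len(set(counters)) != self.count:
            return False  # must be exactly `count` distinct counters
        if any(leading_zero_bits(stamp_hash(salt, c)) < self.bits for c in counters):
            return False
        self.outstanding.discard(salt)  # one accepted proof per salt
        return True


def compare_variance(trials: int = 40):
    """One stamp at 10 bits vs 128 stamps at 3 bits: same expected work
    (2**10 == 128 * 2**3 hashes) but a much narrower spread. Returns the
    coefficient of variation (stdev / mean) of hashes tried for each scheme.
    Salts are deterministic so the comparison is reproducible."""
    single = [mint(f"trial-{i}-a", 10, 1)[1] for i in range(trials)]
    multi = [mint(f"trial-{i}-b", 3, 128)[1] for i in range(trials)]

    def cv(xs):
        return statistics.pstdev(xs) / statistics.mean(xs)

    return cv(single), cv(multi)


if __name__ == "__main__":
    server = Verifier(bits=8, count=4)
    params = server.issue()                       # what the page fetches on focus
    proof, tried = mint(params["salt"], params["bits"], params["count"])
    print("hashes tried:", tried, "accepted:", server.verify(params["salt"], proof))
    print("replay accepted:", server.verify(params["salt"], proof))
    print("CV single vs multi:", compare_variance())
```

The same `issue`/`verify` pair is what a 402-style API gate would sit on: the price endpoint returns the parameters, and the server consumes the salt on the first good proof, which is the replay protection the earlier comment was missing. Note that `mint` always starts at counter 0, so each salt must be fresh; reusing a salt would let a client reuse its counters.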

Is that code public and in Python/Go/Javascript?

My web site is a hacked-together thing that's been gradually accumulating since the late 90s, so it's kind of ugly. The hashcash code is not very modular, either.

If you'd like to see it anyway, I pulled out the relevant parts here:


The comment-inline.js file is directly embedded in the HTML for the comments area, and is the glue code between the actual UI and the hashcash computation code. The hashcash.js file is where all the client-side work happens, and it handles the actual hashing, making multiple attempts, checking to see if an attempt produced a good result, and such. Then commentsubmit.py handles the server side by returning hashcash parameters when requested, and checking the provided hashcash for validity when submitting.

I have a brief blog post about it here, which you can also use to see the system in action:


If you have any questions, comments, or criticisms, please feel free to get in touch.

Instead of hashcash why haven't we solved the problem by just attaching real money to every email? The convention would be that you "accept" the payment only if it is spam. $1 gets you into the inbox. If it isn't spam then after 48 hours the token just expires and the sender keeps their dollar.

I assume the money transfer can be solved today using Bitcoin, and it wouldn't be a terribly complicated protocol.

> $1 gets you into the inbox.

This is exactly the same problem faced by hashcash, just wrapped up in more layers of complication. If emails require a $1 attachment to get into your inbox, you will receive no emails, since nobody is currently sending any emails with $1 attached. Just rewrite my above comment, but replace "hashcash" with "dollars".

> I assume the money transfer can be solved today using Bitcoin, and it wouldn't be a terribly complicated protocol.

You do realise that Bitcoin itself is a complicated protocol built on top of hashcash, right? Keypairs, blockchains, mining, etc. is just adding unnecessary complexity to this problem; not to mention your choice of the US dollar as the denomination, which requires an exchange rate, etc.

Hashcash is pure waste, this at least benefits the one whose attention is wasted by the spam.

> You do realise that Bitcoin itself is a complicated protocol built on top of hashcash, right?

Of course, but it already exists.

> If emails require a $1 attachment to get into your inbox, you will receive no emails, since nobody is currently sending any emails with $1 attached.

Yes, but assume there are people sending bulk email legitimately who have delivery issues. All you need is one major provider to accept it and then there is a benefit for senders. DKIM and SPF prove that the deployment problem can be overcome, even for relatively weak attacks on the spam problem.

The problem: My chromebook is competing with the spammer's ASIC. What's the appropriate difficulty level?

Don't you think spammers will react like antibiotics? Getting better at it while we're building better bots?

All we need to do is make bots that are more convincing than their victims. Can't be too hard, since they prey on the least savvy people.

I am not sure if this is a bad thing: https://xkcd.com/810/

Wow. How can I set a filter so that all email marked as spam by gmail is automatically forwarded to your service?

Probably don't do that, I'm not sure I can handle that much spam. Mailgun would begin charging for that much email, for one (I'm on their free tier now).

Is there any way to have multi-language support?

Can't you connect it to a chatbot api?

This is pretty awesome!

Love it, good work!

This is hilarious

This seems like a noble endeavor which will be useful (albeit under different names over time, I assume) right up until the spammers start using bots to hold their ends of conversations, to make their own operations more efficient.

If they do so they will likely lose the very few leads that actually earn them money. Remember, for them it's a real business.

Eh, machine learning is advancing enough that the sort of people that would fall for Nigerian prince emails could be conceivably convinced they're talking to a real person.

This is probably where human-equivalent AI will come from, rather than those fancy research labs.
