Massively complicated but awesome idea

By joining our community you will have the ability to post topics and access other forums reserved for members. Registration is quick, simple and absolutely free. Join our community today by clicking here.

Posted: Wed Apr 11, 2007 5:07 pm

I was thinking of a way to make something 100 people could set up and run themselves, rather than 2 people doing from webservers.

It's a lot harder to figure out 100 people making their own scripts than it is to block a certain IP address.

Hello I'm New here! Joined: 08 Nov 2004 Posts: 1

I've got a couple of techniques for an autobaiter. My first strong suggest is keep it simple and to take the human out of the loop. Its far better to bait the same person 20 times for 5 replies than spend ten times the effort to get maybe 6 replies.

Probably the most important rule is that the template language should support variation. For instance, a script for a baiter reply should look like the following, where the program auto-picks among all possible messages uniformily at random.

Quote:

Hello {friend|partner|moron}. I'm ready to do the deal {today|tomorrow|in three days}. {I'm really interested in this because my {father|sister|brother} is sick, and I could really use the help.|Is this a {honest|true|a real deal}? {I dont' want to be scammed. |Do you have a {laywer|priest} who can assure me of your {honesty|correctness}?} | This sounds like a great {investment|moneymaking|opportunity}. Tell me more. How many {dollars|pounds|euros} will it cost? Is it {legal|moral|ethical|honest}?} {|I'm from {london|new york|dallas}.} {|The weather here is {really|often} {aweseom|dry|crappy|great}.}

This one template can create dozens of variations. A longer and more ornate template could have tens of thousands of very different variations that all appear different and make it much harder for a scammer to twig or recognize the template.

I'd advocate making the bot very dumb --- not even keeping track of the sender, changing email address, or a 'script'. Intelligence from the bot isn't necessary. Just match on a few key words, like 'your address', 'western union' or 'moneygram', then a matching template is automatically chosen.

Quote:

{#USEIF MATCH='moneygram' OR LASTMESG='xx'}
{I|my family} {hate|despise|refuse to use|won't accept} {MONEYGRAM|moneygram|MoneyGram|Mnoeygram}. {My {aunt|brother|sister|father} {used them|sent money} and {it was {stolen|lost|missing|eaten}|they {lied|fucked up|stole it.}|}
I only use {Western union|cashcall|postal moneyorder|paypal|s3cure transfer}.

Quote:

{#USEIF IDLE=4d}
{Hey you {idiot|moron|twit|muggu}. I thought we had a {deal|bargain|transaction}.|What is going on? It has been {forever|awhile|4 days.}} | DId I miss an email?}}
{I {expect|demand|insist} upon a reply {immediately|today|within an hour} {|or else|otherwise the deal is {done|off|closed}}|Contact me {ASAP|now|immediately} {|with your {phone|fax|cell|email}}

Creating these templates is easy and fun. I bet the 419 community could create hundreds. I wouldn't even bother punting to a human. An autobaiter is so much more scalable than a human. If just ONE user with an autobaiter has but 20 email addresses and as few as 500 scammer addresses, then 10,000 baiter replies may be sent. Thats phenominally productive --- and wasteful of scammer time. If 20 users autobait an address over the course of a week, then each scammer gets 400 'realistic' replies diluting the number of potential victims.

Not quite a Newb Joined: 08 Apr 2007 Posts: 26

Using partially prewritten templates to answer the mail is easy. The tricky part of the software is to choose the right answer according to the message that was sent. You could use a bayesian score to try to do that but that could be difficult to be accurate.

If this software get written, it's only going to be effective a short while : the lads are going to learn quickly to ask for something that the system would not know how to answer : such as as asking a simple question, "what is the capital of the US" or whatever.

Maybe a better idea would be to write a gui software that automatize the the writing of the mail but where the baiter has to choose the category of answer. Like you could click on "insert various excuse for late answer" + "insert promise to make payement soon" and an message get written and sent. That would be the same than the autobait but with human intervention. Less productive but much easier and effective. I could allow people to bait with very little time on their hand.

Not quite a Newb Joined: 09 Apr 2007 Posts: 27

Interesting. I used to write code to load test servers - including mail servers - and probably have enough bits and pieces around to slap something together that would do some fun stuff but wouldn't be able to share the code.

I do like the idea of something very basic that would just send variations on "that's interesting, tell me more", "are you sure this is legal" and other one liners a couple of times and then anybody who's gotten through the gauntlet would be passed over to a human who could decide if it was worth picking up or not.

This would have the twin goals of wasting a little bit of a lot of scammers time (since they'd at least have to cut and paste the next bit of script whereas you wouldn't have to do anything) and identifying particularly stupid scammers. Over time as you make the gauntlet harder and harder to go through you would hopefully just have it spitting out particularly cooperative folks.

Posted: Sun Apr 22, 2007 1:04 am

A better idea would be a hardcoded .exe. Then the baiter, writes up a few dozen scripts themselves.

Presto, individualized autobaiters, and no need to share code.

Not quite a Newb Joined: 09 Apr 2007 Posts: 27

Has anybody put any thought into the "send" aspect of this?

I wrote a little program to
1. Connect to a POP server and download and delete the first message. (I have a Gmail catcher account forwarding mail to my POP server)
2. Parse the mail, pull out the reply address and subject and so forth.
3. Set up a reply which just consists of "That's interesting, tell me more!"
4. Actually send the reply via SMTP

Now... if I use my captive SMTP server my IP address shows up. I got "clever" and used Gmail's SMTP capability (via SSL, very fancy) with that original catcher... because we all know Gmail strips IPs, right? Well, no it doesn't, not when you use their SMTP server. It's in there.

So does anybody know somebody crazy enough to have a free/cheap SMTP server out there that strips the initial IP? Any other ideas other than running it at the local wifi enabled coffee shop?

Not quite a Newb Joined: 08 Apr 2007 Posts: 26

Since I usually prefer using Desktop mail client, I have been looking for an smtp server that would strip ip too.

After a long search, my conclusion is that a free ip stripping smtp server does not exists.

The only one that I found that would do that for sure were paying services. If I have to pay, I rather rent a dedicated server and set it up myself...

Not quite a Newb Joined: 09 Apr 2007 Posts: 27

Hmm, thanks, that's what I was afraid of.

I have an idea for what I want this to do that is increasingly pointing to it being as brain dead as possible - just sending a random one line reply from a canned list. Running it every couple of days from a local coffee place shouldn't be any big deal - just need to double click on one file. I have some reason to believe this may be a more effective time waster than it has any right to be, especially if the mailbox is seeded effectively.

I did a search and judging from the number of references to half written scripts that never actually got run, I think it will be better just to do something like that for a bit and see what happens before trying to get fancy.

Hello I'm New here! Joined: 22 Apr 2007 Posts: 10

Hey I am not sure if this was address, but a simple "reply to" would probably not work in a lot of cases since many of the emails I receive have at the bottom. "If you would like to collect this ridiculously large amount of money for only no real work send an email to [email protected]"

Not quite a Newb Joined: 08 Apr 2007 Posts: 26

That's easy, you just need to parse the message for email address : if there is one : reply to it. If not, reply to the "reply-to" address.

The problem is that it is so easy to break. If a system like this was flooding the scammer mailbox, they would soon learn to ask that the person reply at such or such address but written in a anti-spam fashion, like "scammer at mugu.com".

An automated system would only work, for a while or against the most stupid of the scammers. They are not the one to fear the most.

However, CAB software would be very helpful : computer assisted baiting, that would help you cut the time you spend writing message for straight bait.

Not quite a Newb Joined: 09 Apr 2007 Posts: 27

@defactomonkey - definitely a feature to be added sooner rather than later. But one danger is that if you're referred to the bank we're supposed to be scamming together, you would need something intelligent to say. And you know what? If you ignore the address and hit reply as a human they'll reply back, at least once or twice.

@Mr. Pain - It's iterative. So if you start seeing a lot of them have figured out to add "scammer at mugu.com" you try parsing for that. Better to find out now with a simple system than to find out after spending months on a scripting language.

I saw somewhere there are a couple of hundred thousand scammers out there, across the world. I don't think this system's going to change any broad behavior patterns - I'm talking about replying to a couple of hundred people in a fairly childlike fashion.

I've worked with these systems before, professionally - if there's a flaw in your system, they don't assume it's an AI. They assume the replier is stupid or drunk or a kid or doesn't speak English very well - maybe you outsourced support - but they don't assume it's an AI.

And if it just identifies some extra stupid lads, well, I'm sure somebody around here would love that information.

Not quite a Newb Joined: 08 Apr 2007 Posts: 26

Well that would be something to try... However I feel it's quite a large project for unknown benefits. And there are many question about the implementation. Would it be completely automated and be able to just sort scammers message out of a variety of catchers account ? Or would you need to feed it at least the first message.

A automated makes more sense if you want to touch a lot of lads but I so much difficult to implement well. You need to extract quite a lot of information correctly : bait type (lottery, next of kin...) name of correspondent, third party to contact. As far as I am concerned I don't think that a very simple system that would only send a few meaningless message would go very far in stopping the lads. The one at the bottom of the email chains are drone that copy paste messages. If you don't go after the better scammers it's meaningless.

If it's not completely automated it's not going to be very effective as it would take a lot of time to insert the messages. And would have the same problems of than the completely automated system after the first email.

Other question : would this system running on a single server baiting thousands or would the system be a desktop application for individual baiter to run. I think it would make more sense to keep it as a single or a few controlled servers. If the system can be used for baiting, it could be used for scamming by changing the filters. It would be terribly dangerous in the hand of scammers since they could potentially use it to replace the spamming lads that sends the first messages.

And it's the same thing than the tool that I proposed, for assisted baiting : it could be used for scamming too.

Well the general idea is good but it might be difficult to implement safely and effectively.

The only system that I would condone would be a service type software, completely automated running on a small number of controlled servers. But then it would need to be bloody advanced for the scammers to get fooled for a long time. I'm not sure it's worth the hassle.

Not quite a Newb Joined: 09 Apr 2007 Posts: 27

There's more than one way to do this. If you search the forums for 'autobaiter' you find periodic discussions. The ones that seem to have been worthwile are very simple. Most of the complex ones were never finished.

My particular system is DONE. It works. What it does is totally braindead.

1. Mail comes into an account. Can be seeded via guestbook, sending a message to known scammer addresses, whatever.
2. It fires off a "meaningless reply" from a table.
3. It logs the email address it sent to along with a count of how many messages.
4. It's smart enough not to reply to bounces

It doesn't sit there running, it's a 12K application that I can launch on my laptop when I'm not at home. This is because I don't want my IP address attached to these.

Will it be effective? Well, I only put a couple of hours into it. Maybe it will be, maybe it won't be, but I think it will be interesting to see what happens. Depending on what data I get back maybe I'll never run it past an initial test, maybe I'll improve it, who knows.

I'll report back either way in a couple of weeks.

I do think people tend to wildly underestimate how good it is to set up a decent AI even just to deal with mugus. But I also think people tend to wildly underestimate how effective an artificial stupidity system can be. Especially since it just has to waste a couple of hours of their time, collectively, before we hit parity.

Posted: Sun Apr 22, 2007 6:37 pm

Ever since this thread has started, I have been baiting "as a computer".
I have saved a catalog of replies that are vague enough in details that they will engage the mugu while keeping in mind each class of replies can be used in an automatic system.

I have a website for my business with a page that allows customers to fill in a simple form and it sends the info in an e-mail to me. What caught my eye about it was the fact that a .php page can send email to anyone, and it looks like the headers can be spoofed as well.

Which has brought Me to a great idea. My idea would have a simple server-side script that when You input a mugu's e-mail address, it sends stock replies that don't even need a catcher acount to look at the replies. It just sends a series of, say, 10 e-mails that are scheduled at 1-3 day intervals. It then repeats this process 10 times from 10 different spoofed characters, and it can run those semi-concurrently. That way, it engages each mugu with 100 e-mails. You could input a mugu e-mail and it would bait a mugu for 6 months automatically. Easily undetectable if you have a sufficiently large catalog of responses! If you wanted to capture the replies (which is important to measure your response quality/quantity) then catcher accounts would be needed.

@ Mr Pain: The program does not have to be smart, or even good LOL It just has to engage mugu-hours. Automated programs are perfect for this. If all I had was something to string out 5 e-mails 100 different times to as many mugus I could feed it, it would do lots of damage.

If you want to get 1 step more complicated, it could scan replies for "western union" or the like which starts a series of scripts geared towards post-WU Request responses.

Here are a bunch of my stock responses I have been using for a while now:

Quote:

Here is my confidential information:
I have attached all my papers, they have been scanned into the computer
When will I get my first job?
I did not receive an answer from my last e-mail. Do you want to please answer my fears? This has been weight of gold heavy on my shoulders!

Please, please can you make the deal clearly able to understand , this is my hesitation, please tell me trust
Can I work from home 100% of the time?
So I printed your mail again, only to find out that it was not the toner but just the paper that has gone out. Slightly stingy as you may call me, I did not only refill the paperdrawer put replaced the new toner cartrige with the old one again to use it up.
Where are you based out of? Do you still have openings?
I had it on the screen and sent it to the printer. As the printer wouldn't work I investigated upon the blinking light and found an error status in the small LCD display

After our little business we agreed upon trustingly has been delayd a lot in the past as you may well know I decided to take a bold step and commence
Thank You for so much of your Time!!
I want to be sure, can I ask you a question?
You are my friend and so I expected no harm.
Do you have any documentation that You can show to Me? I am not feeling the trust
This cost me some sweat but it was done in the end as we had discussed about it for some time I could remember it quite well
Dearest friend,
I know how precious your time is and after you read this your schedule might fill up even more

Yours faithful friend,
We received your mail today, with content is well understood regarding to

Hello my good Christian Brother and friend in JESUS!

Thank you so much for your concern!

I was already beginning to wonder about where all my
nice money is going as I have never received the
millions these people always keep teling me and where
all these truck boxes finally landed which the people
promissed me are comming with the diplomatic.

Its good to know that there is concerned good
Christian people and brothers like you who keep
monitoring everything and send out warnings to those
who never received what they have been promised.

Last month I was told by the Spanish
lottery about my winnings of 15 Milllion funds but
they only took the fees from me which I have
immeditely sent to them to get drug cearing and
afivedawits and I have never ever heards from that.
And now I am waiting for the money to hit my accounts
but all this peoples sent was a check and I pays
the diffrence by Western Money

I think this is really bad thing happening to me isn�t
it?

I must thanks you for your CAVALRY GREETINGS and for
everything you doing so very goodly for me and making
everything come true at the ends of our days so we all
can have a good laughter after all those surfering and
celebrates together.

Isn�t it bad peoples aksings me money for operation
for the tumor

Only GOD knows how much I gave and still give because
I can see that good peoples and AMNESI COURT which is
same things likes you says is the ANNESTY
INTERNATIONAL
for surfing so much people like me who have lost the
moni to Nigeria and now they have 35 Billion of fund
in the pockets.

I really appreciate your advis and help to sends the 7
Millon only but that�s okey with me and I promis to
you I give 20% of the monni to the orphanige and
underdeveloped and overexposed like this peeple eede
the mony for enhencement of societe in General.

So lets just join hands and work together one by one
because I hope evrything will be done after three
working days only and the nice moni is hitting my
account

Thank you and

CAVALRY GREETINGS and BLESSINGS

THANKS

your brother

Sorry to tell you that the payment is delayed another day and I will try to fix my problems here and come back to you as soon as I made the payment.

What is the problem with your computer? I have checked out the file with a virus checker. Make sure you are using a virus checker, the computers now a days all need to watch out.
My last 3 computers had problems until now, I use WINDOWS VISTA

You Operating System needs to be WINDOWS VISTA

Thank You

Dear friend,

Not quite a Newb Joined: 09 Apr 2007 Posts: 27

@defactomonkey - here's something odd - I've parsed a number of messages, and while many of them DO say "respond to such and such" it's almost always the SAME address unless they're handing you off to the bank/barrister/whatever. But at the same time they feel free to just switch email addresses - responding with the same or nearly same name but maybe [email protected] instead of [email protected]. Definitely would complicate trying to track state.

Anyway, I'm accumulating bad fake passports, forms, certificates showing lottery companies are real, they've called my K7 number twice and left messages. It can reply to maybe 30 letters/minute so I'm just bringing my laptop with me once a day while running errands and I know of several coffee and sandwich places with open links. Literally just takes 1-2 minutes to run the program and continue if I don't want to go in.

I'm saving off references to other emails - barristers and such - but not replying to them.

I'm not reading all the replies, I'm just spot checking them and looking for funny attachments and trying to get a sense of where the most likely place to get stuck is. Seems like in most cases they want you to give them some set of name/address/phone/bank info. I'll leave it be for a bit because I want to see just how many times these guys will reply without cooperating, but that's looking like the next task.

Posted: Tue Apr 24, 2007 7:46 pm

One "fake chat" program I prefer over Eliza was an old BBS door that posed as a SYSOP called "Chat with Lisa". It's fully configurable in where you can add and subtract sentences which are responses based on key words that the human enters. The only problem with using this method to tie up scammers is the horrible spelling skills of the average lad.

Massively complicated but awesome idea	View next topic View previous topic